...
When a value of real floating type is converted to a real floating type, if the value being converted can be represented exactly in the new type, it is unchanged.
When a value of real floating type is converted to a standard floating type, if the value being converted is in the range of values that can be represented but cannot be represented exactly, the result is either the nearest higher or nearest lower representable value, chosen in an implementation-defined manner. If the value being converted is outside the range of values that can be represented, the behavior is undefined.
See undefined behaviors 16, 17, and 18.
This rule does not apply to demotions of floating-point types on implementations that support signed infinity, such as IEEE 754, as all values are within range.
...
This noncompliant code example leads to undefined behavior 16 if the integral part of f_a cannot be represented as an int:
...
As a result of these conversions, it is possible that d_a is outside the range of values that can be represented by a float, or that big_d is outside the range of values that can be represented by either a float or a double. If this is the case, the result is undefined behavior 17 on implementations that do not support Annex F, "IEC 60559 Floating-Point Arithmetic."
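The checks the two noncompliant examples above are missing (integral part of a float fits the destination integer type; a double being demoted fits the float range), as an added example that is not code from the CERT page. The function and enum names are this example's own, and the exactness claims in the comments assume a 32-bit int and IEEE 754 binary64 double; a wider int only makes the integer check conservative.

```c
#include <float.h>
#include <limits.h>
#include <math.h>
#include <stdio.h>

/* Result codes for the checked conversions (names are this example's own). */
enum conv_status { CONV_OK = 0, CONV_NAN, CONV_OUT_OF_RANGE };

/*
 * Convert a double to int only if truncation toward zero yields a
 * representable int.  Both bounds are computed as doubles:
 *   (double)INT_MAX + 1.0 ==  2^31      (exact: 32 significant bits)
 *   (double)INT_MIN - 1.0 == -2^31 - 1  (exact for the same reason)
 * Any d strictly between them truncates into [INT_MIN, INT_MAX].
 * Comparing d against INT_MAX directly is the usual mistake: for a 64-bit
 * type the converted maximum rounds up to 2^63, so d == 2^63 would pass the
 * check and then overflow.  The open-interval form avoids that.  NaN fails
 * both comparisons and +/-inf fall outside the interval, so both are rejected
 * rather than converted (undefined behavior 16 on the CERT page).
 */
enum conv_status safe_double_to_int(double d, int *out) {
    if (isnan(d)) {
        return CONV_NAN;
    }
    if (!(d > (double)INT_MIN - 1.0 && d < (double)INT_MAX + 1.0)) {
        return CONV_OUT_OF_RANGE;
    }
    *out = (int)d;  /* integral part now provably fits */
    return CONV_OK;
}

/*
 * Demote a double to float.  On an Annex F (IEEE 754) implementation every
 * double, including inf and NaN, maps to some float, so the standard's
 * "outside the range" case cannot arise there; on other implementations a
 * finite magnitude above FLT_MAX is undefined behavior 17.  Either way a
 * finite value larger than FLT_MAX does not survive the demotion, so report
 * it as a range error and let NaN/inf through unchanged.  This rejects the
 * handful of doubles just above FLT_MAX that would round back to FLT_MAX;
 * that is deliberately conservative, matching the CERT compliant solution.
 */
enum conv_status safe_double_to_float(double d, float *out) {
    if (isfinite(d) && (d > FLT_MAX || d < -FLT_MAX)) {
        return CONV_OUT_OF_RANGE;
    }
    *out = (float)d;
    return CONV_OK;
}

int main(void) {
    /* Constructed sample inputs: the edges where an unchecked cast breaks. */
    const double samples[] = { 3.99, 2147483647.5, 2147483648.0,
                               -2147483648.5, -2147483649.0, 1e39, NAN };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int i = 0;
        float f = 0.0f;
        enum conv_status si = safe_double_to_int(samples[k], &i);
        enum conv_status sf = safe_double_to_float(samples[k], &f);
        printf("%-16g to int: %s%s  to float: %s\n", samples[k],
               si == CONV_OK ? "ok " : si == CONV_NAN ? "nan" : "out-of-range",
               si == CONV_OK ? "" : "",
               sf == CONV_OK ? "ok" : "out-of-range");
    }
    return 0;
}
```

The interval test is the only part that needs care: write the bounds as doubles and compare with strict inequalities, so the check stays correct when the destination type's limits are not themselves exactly representable.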
...
Converting a floating-point value to a floating-point value of a smaller range and precision or to an integer type, or converting an integer type to a floating-point type, can result in a value that is not representable in the destination type and is undefined behavior on implementations that do not support Annex F.
Rule | Severity | Likelihood | Detectable | Repairable | Remediation Cost | Priority | Level
---|---|---|---|---|---|---|---
FLP34-C | Low | Unlikely | Yes | Yes | Low | P3 | L3
Automated Detection
Tool | Checker | Description
---|---|---
Astrée | Supported | Astrée reports all potential overflows resulting from floating-point conversions.
Compass/ROSE | | Can detect some violations of this rule. However, it does not flag implicit casts, only explicit ones.
CodeSonar | LANG.TYPE.IAT | Inappropriate Assignment Type
| MISRA_CAST (needs verification) | Can detect instances where implicit float conversion is involved: implicitly converting a complex expression with integer type to floating type, implicitly converting a double expression to narrower float type (may lose precision), implicitly converting a complex expression from
Cppcheck | floatConversionOverflow, suspiciousFloatingPointCast |
Cppcheck Premium | floatConversionOverflow, suspiciousFloatingPointCast |
Helix QAC | C4450, C4451, C4452, C4453, C4454, C4462, C4465, C++3011 |
Klocwork | MISRA.CAST.FLOAT.WIDER |
LDRA tool suite | 435 S, 93 S | Partially implemented
Parasoft C/C++test | CERT_C-FLP34-a, CERT_C-FLP34-b | Avoid implicit conversions from wider to narrower floating type
PC-lint Plus | 735, 736 | Partially supported
Polyspace Bug Finder | | Checks for float conversion overflow (rule partially covered)
PVS-Studio | V615, V2003, V2004 |
Security Reviewer - Static Reviewer | C88 | Fully implemented
TrustInSoft Analyzer | float_to_int | Exhaustively verified (see one compliant and one non-compliant example).
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...