Narrower primitive arithmetic types can be cast to wider types without any effect on the magnitude of numeric values. However, whereas integer types represent exact values, floating-point types have limited precision. The C Standard, 6.3.1.4 paragraph 3 [ISO/IEC 9899:2024], states:

When a value of integer type is converted to a standard floating type, if the value being converted can be represented exactly in the new type, it is unchanged. If the value being converted is in the range of values that can be represented but cannot be represented exactly, the result is either the nearest higher or nearest lower representable value, chosen in an implementation-defined manner. If the value being converted is outside the range of values that can be represented, the behavior is undefined. Results of some implicit conversions may be represented in greater range and precision than that required by the new type (see 6.3.1.8 and 6.8.7.5).

Conversion from integral types to floating-point types without sufficient precision can lead to loss of precision (loss of least significant bits). No runtime exception occurs despite the loss.

Noncompliant Code Example

In this noncompliant example, a large value of type long int is converted to a value of type float without ensuring it is representable in that type:

#include <stdio.h>

int main(void) {
  long int big = 1234567890L;
  float approx = big;  /* narrowing: float has fewer significand bits than this value needs */
  printf("%ld\n", (big - (long int)approx));
  return 0;
}

For most floating-point hardware, the value closest to 1234567890 that is representable in type float is 1234567844; consequently, this program prints the value -46.

Compliant Solution

This compliant solution replaces the type float with a double. Furthermore, it uses an assertion to guarantee that the double type can represent any long int without loss of precision. (See INT35-C. Use correct integer precisions and MSC11-C. Incorporate diagnostic tests using assertions.)

#include <assert.h>
#include <float.h>
#include <limits.h>
#include <math.h>
#include <stdint.h>
#include <stdio.h>

/* popcount() as defined in INT35-C: counts the value bits of its argument.
   INT35-C declares it extern; the definition is supplied here so the
   program links. */
size_t popcount(uintmax_t num) {
  size_t precision = 0;
  while (num != 0) {
    if (num % 2 == 1) {
      precision++;
    }
    num >>= 1;
  }
  return precision;
}
#define PRECISION(umax_value) popcount(umax_value)

int main(void) {
  /* Abort unless every long int value fits in the double significand. */
  assert(PRECISION(LONG_MAX) <= DBL_MANT_DIG);
  long int big = 1234567890L;
  double approx = big;
  printf("%ld\n", (big - (long int)approx));
  return 0;
}

On the same implementation, this program prints 0, implying that the integer value 1234567890 is representable in type double without change.
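As an added example (not part of the CERT rule text), this program checks the particular value being converted rather than the whole type, by counting the significand bits the value needs before deciding whether float or double can hold it exactly. The type-wide assertion in the compliant solution cannot pass on LP64 platforms, where long int has 63 value bits but double only 53, so a per-value check is what a practitioner usually wants. It assumes FLT_RADIX == 2 and round-to-nearest (the IEEE 754 default) for the -46 result.

```c
#include <float.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Significand bits needed to hold v exactly: the bit length of |v| with
 * trailing zero bits stripped, since those are absorbed by the exponent.
 * Assumes FLT_RADIX == 2 (true for IEEE 754 implementations). */
static int significand_bits_needed(long v) {
  unsigned long mag = (v < 0) ? 0UL - (unsigned long)v : (unsigned long)v;
  int bits = 0;
  if (mag == 0) return 0;
  while ((mag & 1UL) == 0) mag >>= 1;
  while (mag != 0) { bits++; mag >>= 1; }
  return bits;
}

/* True iff converting v to a type with mant_dig significand bits is exact. */
static bool representable_exactly(long v, int mant_dig) {
  return significand_bits_needed(v) <= mant_dig;
}

/* Error introduced by long -> float -> long, as the noncompliant example
 * prints it; valid only when the float result fits back into long. */
static long float_roundtrip_error(long v) {
  float approx = (float)v;
  return v - (long)approx;
}

int main(void) {
  long big = 1234567890L; /* value from the noncompliant example */
  printf("%ld needs %d significand bits; float has %d, double has %d\n",
         big, significand_bits_needed(big), FLT_MANT_DIG, DBL_MANT_DIG);
  printf("exact in float: %d, in double: %d, long->float error: %ld\n",
         representable_exactly(big, FLT_MANT_DIG),
         representable_exactly(big, DBL_MANT_DIG),
         float_roundtrip_error(big));
  /* Type-wide check, as in the compliant solution: false on LP64, where
   * LONG_MAX needs 63 bits and DBL_MANT_DIG is 53. */
  printf("every long fits in double: %d\n",
         representable_exactly(LONG_MAX, DBL_MANT_DIG));
  return 0;
}
```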

Exceptions

FLP36-C-EX1: Loss of precision can be acceptable when necessary for the proper execution of the program. It is recommended that the conversion be clearly commented as permitting loss of precision.

Risk Assessment

Conversion from integral types to floating-point types without sufficient precision can lead to loss of precision (loss of least significant bits).

Rule    | Severity | Likelihood | Detectable | Repairable | Priority | Level
FLP36-C | Low      | Unlikely   | Yes        | No         | P2       | L3

Automated Detection

Tool | Checker | Description
Astrée | | Supported: Astrée keeps track of all floating point rounding errors and loss of precision and reports code defects resulting from those.
CodeSonar | LANG.TYPE.IAT | Inappropriate Assignment Type
Coverity | MISRA C 2004 Rule 10.x (needs investigation) | Needs investigation
Cppcheck Premium | premium-cert-flp36-c |
Helix QAC | C1260, C1263, C1298, C1299, C1800, C1802, C1803, C1804, C4117, C4435, C4437, C4445; C++3011 |
Klocwork | PORTING.CAST.FLTPNT |
LDRA tool suite | 435 S | Fully implemented
Parasoft C/C++test | CERT_C-FLP36-a | Implicit conversions from integral to floating type which may result in a loss of information shall not be used
Parasoft C/C++test | CERT_C-FLP36-b | Implicit conversions from integral constant to floating type which may result in a loss of information shall not be used
PC-lint Plus | 915, 922 | Partially supported
Polyspace Bug Finder | CERT-C: Rule FLP36-C | Checks for precision loss in integer to float conversion (rule fully covered)
PVS-Studio | V674 |

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy | Taxonomy item | Relationship
CERT C Secure Coding Standard | DCL03-C. Use a static assertion to test the value of a constant expression | Prior to 2018-01-12: CERT: Unspecified Relationship
CERT Oracle Secure Coding Standard for Java | NUM13-J. Avoid loss of precision when converting primitive integers to floating-point | Prior to 2018-01-12: CERT: Unspecified Relationship

Bibliography

[ISO/IEC 9899:2024] Subclause 6.3.1.4, "Real Floating and Integer"
