Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM Cost Reform

Using integer arithmetic to calculate a value for assignment to a floating-point variable may lead to loss of information. This problem can be avoided by converting one of the integers in the expression to a floating type.

When converting integers to floating-point values, and vice versa, it is important to carry out proper range checks to avoid undefined behavior (see FLP34-C. Ensure that floating-point conversions are within range of the new type).

Noncompliant Code Example

In this noncompliant code example, the division and multiplication operations take place on integers and are then converted to floating point. This causes  Consequently, floating-point variables d, e, and f to  are not be initialized correctly because the operations take place before the values are converted to floating-point values. The results are truncated to the nearest integer or may overflow.

Code Block
bgColor#FFCCCC
langc
void func(void) {
  short a = 533;
  int b = 6789;
  long c = 466438237;

  float d = a / 7; /* d is 76.0 */
  double e = b / 30; /* e is 226.0 */
  double f = c * 789; /*  f may be negative due to overflow */
}

Compliant Solution (Floating-Point Literal)

In this compliant solution, the decimal error in initialization is eliminated by ensuring that at least one of the operands to the division operation is floating point.:

Code Block
bgColor#CCCCFF
langc
void func(void) {
  short a = 533;
  int b = 6789;
  long c = 466438237;

  float d = a / 7.0f; /* d is 76.14286 */
  double e = b / 30.; /* e is 226.3 */
  double f = (double)c * 789; /* f is 368019768993.0 */
}

Compliant Solution (Conversion)

In this compliant solution, the decimal error in initialization is eliminated by first storing the integer in the floating-point variable and then performing the arithmetic operation. This practice ensures that at least one of the operands is a floating-point number and that the subsequent arithmetic operation is performed on floating-point operands.

Code Block
bgColor#CCCCFF
langc
void func(void) {
  short a = 533;
  int b = 6789;
  long c = 466438237;

  float d = a;
  double e = b;
  double f = c;

  d /= 7; /* d is 76.14286 */
  e /= 30; /* e is 226.3 */
  f *= 789; /* f is 368019768993.0 */
}

Exceptions

FLP33FLP06-C-EX1EX0: It may be desirable to have the operation take place as integers before the conversion (obviating the need for a call to trunc(), for example). If this is the programmer's intention, it should be clearly documented to help future maintainers understand that this behavior is intentional.

Risk Assessment

Improper conversions between integers and floating-point values may yield unexpected results, especially loss of precision. Additionally, these unexpected results may actually involve overflow, or undefined behavior.

Rule

Recommendation

Severity

Likelihood

Detectable

Remediation Cost

Repairable

Priority

Level

FLP33

FLP06-C

low

Low

Probable

probable

No

low

No

P6

P2

L2

L3

Automated Detection

...

The LDRA tool suite V 7.6.0 can detect violations of this rule.

Splint Version 3.1.1 can detect violations of this rule.

...

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported: This rule aims to prevent truncations and overflows. All possible overflows are reported by Astrée.
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-FLP06
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
LANG.TYPE.MOTMismatched operand types
Compass/ROSE



Can detect violations of this rule. Any assignment operation where the type of the assigned-to value is float or double, but all the expressions to the right of the assignment are integral, is a violation of this rule

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C4117, C4118
LDRA tool suite
Include Page
LDRA_V
LDRA_V

435 S

Enhanced enforcement

Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-FLP06-a
CERT_C-FLP06-b

Implicit conversions from integral to floating type which may result in a loss of information shall not be used
Implicit conversions from integral constant to floating type which may result in a loss of information shall not be used

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

653, 790, 942

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. FLP06-C


Checks for float overflow (rec. partially covered)

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V636
Splint
Include Page
Splint_V
Splint_V



Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

...

Related Guidelines

...

...

...

...

References

...

Convert integers to floating point for floating-point operations
MITRE CWECWE-681, Incorrect conversion between numeric types
CWE-682, Incorrect calculation

Bibliography

[Hatton 1995]Section 2.7.3, "Floating-Point Misbehavior"


...

Image Added Image Added Image Added "Floating-point misbehavior" \[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 5.2.4.2.2, "Characteristics of floating types <{{float.h}}>" \[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 681|http://cwe.mitre.org/data/definitions/681.html], "Incorrect Conversion between Numeric Types," and [CWE ID 682|http://cwe.mitre.org/data/definitions/682.html], "Incorrect Calculation"Image Removed      05. Floating Point (FLP)       FLP34-C. Ensure that floating point conversions are within range of the new type