View Source

Conversions of numeric types to narrower types can result in lost or misinterpreted data if the value of the wider type is outside the range of values of the narrower type.

There are 22 possible narrowing primitive conversions in Java. According to the JLS, Section 5.1.3, "Narrowing Primitive Conversions"

short to byte or char
char to byte or short
int to byte, short, or char
long to byte, short, char, or int
float to byte, short, char, int, or long
double to byte, short, char, int, long, or float

Narrowing primitive conversions are allowed in cases where the value of the wider type is within the range of the narrower type.

Integer Narrowing

Integer type ranges are defined by the Java Language Specification, Section 4.2.1, "Integral Types and Values" [JLS 2005] and are also described in NUM00-J. Detect or prevent integer overflow.

The table below presents the rules for narrowing primitive conversions of integer types. In the table, for an integer type T, n represents the number of bits used to represent the resulting type T (precision).

From	To	Description	Possible Resulting Errors
signed integer	integral type `T`	Keeps only `n` lower order bits	Lost or misinterpreted data
char	integral type `T`	Keeps only `n` lower order bits	Magnitude error; negative number even though `char` is 16-bit unsigned

When integers are cast to narrow data types, the magnitude of the numeric value and the corresponding sign can be affected. Consequently, data can be lost or misinterpreted.

Floating-point to Integer Conversion

Floating-point conversion to an integral type T is a two step procedure:

1. When converting a floating-point value to an int or long and the value is a NaN, an int or long, a zero value is produced. Otherwise, if the value is not infinity, it is rounded towards zero to an integer value V:

if T is long, and V can be represented as a long, the long value V is produced,
or if V can be represented as an int then the int value V is produced.

Otherwise:

the value is negative infinity or a value too negative to be represented, and Integer.MIN_VALUE or Long.MIN_VALUE is produced,
or the value is positive infinity or a value too positive to be represented, Integer.MAX_VALUE or Long.MAX_VALUE is produced.

2. If T is byte, char, or short, the result of the conversion is the result of a narrowing conversion to type T of the result of the first step

See JLS, Section 5.1.3, "Narrowing Primitive Conversions" for more information.

Other Conversions

Narrower primitive types may be cast to wider types without affecting the magnitude of numeric values. See JLS, Section 5.1.2, "Widening Primitive Conversion" for more information. Conversion from int or long to float, or long to double may lead to loss of precision (loss of least significant bits). No runtime exception occurs despite this loss.

Note that conversions from float to double or double to float can also lose information about the overall magnitude of the converted value. See guideline NUM09-J. Use the strictfp modifier for floating point calculation consistency across platforms for additional information.

Noncompliant Code Example (Integer Narrowing)

In this noncompliant code example, a value of type int is converted to a value of type byte without range checking.

class CastAway {
  public static void main(String[] args) {
    int i = 128;
    workWith(i);
  }

  public static void workWith(int i)
    byte b = (byte) i;  // b has value -128
    // work with b
  }
}

The resulting value may be unexpected because the initial value (128) is outside of the range of the resulting type.

Compliant Solution (Integer Narrowing)

This compliant solution validates that the value stored in the wider integer type is within the range of the narrower type before converting to the narrower type.

class CastAway {
  public static void workWith(int i)
    //check if i is within byte range
    if ((i < Byte.MIN_VALUE) || (i > Byte.MAX_VALUE)) { 
      throw new ArithmeticException("Value is out of range");
    }

    byte b = (byte) i;
    // work with b
  } 
}

Noncompliant Code Example (Floating-point Conversion to Integer)

The narrowing primitive conversions in this noncompliant code example suffers from loss in the magnitude of the numeric value, as well as a loss of precision.

float i = Float.MIN_VALUE;
float j = Float.MAX_VALUE;
short b = (short) i;
short c = (short) j;

The minimum and maximum float values are converted to minimum and maximum int values (0x80000000 and 0x7fffffff) respectively. The resulting short values are the lower 16 bits of these values (0x0000 and 0xffff. The resulting final values (0 and -1) might be unexpected.

Compliant Solution (Floating-point to Integer Conversion)

This compliant solution range checks both the i and j variables before converting to the resulting integer type.

float i = Float.MIN_VALUE;
float j = Float.MAX_VALUE;
if ((i < Short.MIN_VALUE) || (i > Short.MAX_VALUE) ||
    (j < Short.MIN_VALUE) || (j > Short.MAX_VALUE)) {
  throw new ArithmeticException ("Value is out of range");    
}

short b = (short) i;
short c = (short) j;
//other operations

Noncompliant Code Example (`double` to `float` Conversion)

The narrowing primitive conversions in this noncompliant code example suffer from a loss in the magnitude of the numeric value, as well as a loss of precision. Because Double.MAX_VALUE is larger than Float.MAX_VALUE, c receives the value infinity and because Double.MIN_VALUE is smaller than Float.MIN_VALUE, d receives the value 0.

double i = Double.MIN_VALUE;
double j = Double.MAX_VALUE;
float b = (float) i;
float c = (float) j;

Compliant Solution (`double` to `float` Conversion)

Perform range checks on both i and j variables before proceeding with the conversions.

double i = Double.MIN_VALUE;
double j = Double.MAX_VALUE;
if ((i < Float.MIN_VALUE) || (i > Float.MAX_VALUE) ||
    (j < Float.MIN_VALUE) || (j > Float.MAX_VALUE)) {
  throw new ArithmeticException ("Value is out of range");    
}

float b = (float) i;
float c = (float) j;
//other operations

Exceptions

NUM??-EX0: Java's narrowing conversions are both well-defined and portable; knowledgeable programmers can intentionally apply such conversions in contexts where their output is both expected and reasonable. Consequently, narrowing conversions are permitted when the code contains comments that document both the use of narrowing conversions and that the potential for truncation has been anticipated. A suitable comment might read: "// Deliberate narrowing cast of i; possible truncation OK"

Risk Assessment

Casting a numeric value to a narrower type can result in information loss related to the sign and magnitude of the numeric value. Consequently, data can be misrepresented or interpreted incorrectly.

Guideline	Severity	Likelihood	Remediation Cost	Priority	Level
NUM15-J	low	unlikely	medium	P2	L3

Automated Detection

Automated detection of narrowing conversions on integral types is straightforward. Determining whether such conversions correctly reflect the intent of the programmer is infeasible in the general case. Heuristic warnings could be useful.

Related Guidelines

C Secure Coding Standard: INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data
C Secure Coding Standard: FLP34-C. Ensure that floating point conversions are within range of the new type
C++ Secure Coding Standard: INT31-CPP. Ensure that integer conversions do not result in lost or misinterpreted data
C++ Secure Coding Standard: FLP34-CPP. Ensure that floating point conversions are within range of the new type
MITRE CWE: CWE-681 "Incorrect Conversion between Numeric Types"
MITRE CWE: CWE-197 "Numeric Truncation Error"

Bibliography

[Harold 1999]
[JLS 2005] Section 5.1.3, "Narrowing Primitive Conversions"

NUM14-J. Do not rely on the default string representation of floating point values 03. Numeric Types and Operations (NUM) NUM16-J. Convert integers to floating point for floating point operations