Main Content

CERT C: Rule FLP34-C

Ensure that floating-point conversions are within range of the new type

Description

Rule Definition

Ensure that floating-point conversions are within range of the new type.1

Polyspace Implementation

This checker checks for:

  • Float conversion overflow

  • Floating point to integer conversion overflow

Extend Checker

A default Bug Finder analysis might not raise a violation of this rule when the input values are unknown and only a subset of inputs can cause an issue. To check for violations caused by specific system input values, run a stricter Bug Finder analysis. See Extend Bug Finder Checkers to Find Defects from Specific System Input Values.

Examples

expand all

Issue

Float conversion overflow occurs when converting a floating point value to a smaller floating point data type. If the variable does not have enough memory to represent the original value, the conversion overflows.

The exact storage allocation for different floating point types depends on your processor. See Target processor type (-target).

Risk

Overflows can result in unpredictable values from computations. The result can be infinity or the maximum finite value depending on the rounding mode used in the implementation. If you use the result of an overflowing conversion in subsequent computations and do not account for the overflow, you can see unexpected results.

Fix

The fix depends on the root cause of the defect. Often the result details show a sequence of events that led to the defect. Use this event list to determine how the variable being converted acquires its current value You can implement the fix on any event in the sequence. If the result details do not show the event history, you can trace back using right-click options in the source code and see previous related events. See also Interpret Bug Finder Results in Polyspace Desktop User Interface.

You can fix the defect by:

  • Using a bigger data type for the result of the conversion so that all values can be accommodated.

  • Checking for values that lead to the overflow and performing appropriate error handling.

In general, avoid conversions to smaller floating point types.

See examples of fixes below.

If you do not want to fix the issue, add comments to your result or code to avoid another review. See:

By default, a Bug Finder analysis does not recognize infinities and NaNs. Operations that results in infinities and NaNs might be flagged as defects. To handle infinities and NaN values in your code, use the option Consider non finite floats (-allow-non-finite-floats).

Example - Converting from double to float
float convert(void) {

    double diam = 1e100;
    return (float)diam; //Noncompliant
}

In the return statement, the variable diam of type double (64 bits) is converted to a variable of type float (32 bits). However, the value 1^100 requires more than 32 bits to be precisely represented.

Issue

Floating point to integer conversion overflow occurs when converting a floating-point value to an integer data type. If the integer part of the value cannot be represented within the storage available for the integer data type, the conversion overflows.

Risk

When converting from floating point to integer types, if the floating point value is outside the range that can be represented by the integer type, the behavior is undefined (C Standard 6.3.14 and 6.3.15).

Fix

You can fix the defect by:

  • Using a bigger data type for the result of the conversion so that all values can be accommodated.

  • Checking for values that lead to the overflow and performing appropriate error handling.

    A check for overflowing values on a float variable var can be like this:

    if  isnan(var) 
        || popcount(INT_MAX) < log2f(fabsf(var)) 
        || (var != 0.0F && fabsf(var) < FLT_MIN)){
        // Handle error
    }
    else {
        // Perform operations on var
    }
    
    The check determines if the floating point value is representable within an integer type:

    • The value is not NaN.

    • The number of bits required to store the value is less than the number of bits in INT_MAX (the largest integer that the int type can represent). The popcount function (not defined here) counts the number of 1's (or set bits) in a number.

    • The floating point value is not lower than the smallest representable floating-point value.

Example – Floating Point Value Converted to Integer Without Handling Overflows
void func(float fVar) {
  int iVar;  
  iVar = fVar; //Noncompliant //Noncompliant
}

In this example, the floating point value of fVar is not checked for overflows before converting to an integer type. Since the argument fVar can contain values that are not representable within the int data type, the analysis flags a potential overflow.

Note that func is not called in this example, and the overflow is only a possibility. To see issues of these types, add the analysis option Run stricter checks considering all values of system inputs (-checks-using-system-input-values).

Check Information

Group: Rule 05. Floating Point (FLP)

Version History

Introduced in R2019a


1 This software has been created by MathWorks incorporating portions of: the “SEI CERT-C Website,” © 2017 Carnegie Mellon University, the SEI CERT-C++ Web site © 2017 Carnegie Mellon University, ”SEI CERT C Coding Standard – Rules for Developing safe, Reliable and Secure systems – 2016 Edition,” © 2016 Carnegie Mellon University, and “SEI CERT C++ Coding Standard – Rules for Developing safe, Reliable and Secure systems in C++ – 2016 Edition” © 2016 Carnegie Mellon University, with special permission from its Software Engineering Institute.

ANY MATERIAL OF CARNEGIE MELLON UNIVERSITY AND/OR ITS SOFTWARE ENGINEERING INSTITUTE CONTAINED HEREIN IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This software and associated documentation has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute.