CERT C++: FLP34-C

Ensure that floating-point conversions are within range of the new type

expand all in page

Description

Rule Definition

Ensure that floating-point conversions are within range of the new type.¹

Polyspace Implementation

This checker checks for:

Float conversion overflow
Floating point to integer conversion overflow

Extend Checker

When the input values are unknown and only a subset of inputs cause an issue, Bug Finder might not detect a Float conversion overflow or Floating point to integer conversion overflow. To check for violations caused by specific system input values, run a stricter Bug Finder analysis. See Extend Bug Finder Checkers to Find Defects from Specific System Input Values.

Examples

expand all

Float conversion overflow

Issue

Float conversion overflow occurs when converting a floating point number to a smaller floating point data type. If the variable does not have enough memory to represent the original number, the conversion overflows.

The exact storage allocation for different floating point types depends on your processor. See Target processor type (-target).

Risk

Overflows can result in unpredictable values from computations. The result can be infinity or the maximum finite value depending on the rounding mode used in the implementation. If you use the result of an overflowing conversion in subsequent computations and do not account for the overflow, you can see unexpected results.

Fix

The fix depends on the root cause of the defect. Often the result details show a sequence of events that led to the defect. Use this event list to determine how the variable being converted acquires its current value You can implement the fix on any event in the sequence. If the result details do not show the event history, you can trace back using right-click options in the source code and see previous related events. See also Interpret Bug Finder Results in Polyspace Desktop User Interface.

You can fix the defect by:

Using a bigger data type for the result of the conversion so that all values can be accommodated.
Checking for values that lead to the overflow and performing appropriate error handling.

In general, avoid conversions to smaller floating point types.

See examples of fixes below.

If you do not want to fix the issue, add comments to your result or code to avoid another review. See:

Address Results in Polyspace User Interface Through Bug Fixes or Justifications if you review results in the Polyspace user interface.
Address Results in Polyspace Access Through Bug Fixes or Justifications (Polyspace Access) if you review results in a web browser.
Annotate Code and Hide Known or Acceptable Results if you review results in an IDE.

By default, a Bug Finder analysis does not recognize infinities and NaNs. Operations that results in infinities and NaNs might be flagged as defects. To handle infinities and NaN values in your code, use the option Consider non finite floats (-allow-non-finite-floats).

Example - Converting from double to float

float convert(void) {

    double diam = 1e100;
    return (float)diam; //Noncompliant
}

In the return statement, the variable diam of type double (64 bits) is converted to a variable of type float (32 bits). However, the value 1^100 requires more than 32 bits to be precisely represented.

Floating point to integer conversion overflow

Issue

Floating point to integer conversion overflow occurs when converting a floating-point value to an integer data type. If the integer part of the value cannot be represented within the storage available for the integer data type, the conversion overflows.

Risk

When converting from floating point to integer types, if the floating point value is outside the range that can be represented by the integer type, the behavior is undefined.

Fix

You can fix the defect by:

Using a bigger data type for the result of the conversion so that all values can be accommodated.
Checking for values that lead to the overflow and performing appropriate error handling.
A check for overflowing values on a float variable var can be like this:
```
if  isnan(var) 
    || popcount(INT_MAX) < log2f(fabsf(var)) 
    || (var != 0.0F && fabsf(var) < FLT_MIN)){
    // Handle error
}
else {
    // Perform operations on var
}
```
The check determines if the floating point value is representable within an integer type:
- The value is not NaN.
- The number of bits required to store the value is less than the number of bits in INT_MAX (the largest integer that the int type can represent). The popcount function (not defined here) counts the number of 1's (or set bits) in a number.
- The floating point value is not lower than the smallest representable value.

Example – Floating Point Value Converted to Integer Without Handling Overflows

void func(float fVar) {
  int iVar;  
  iVar = fVar; //Noncompliant
}

In this example, the floating point value of fVar is not checked for overflows before converting to an integer type. Since the argument fVar can contain values that are not representable within the int data type, the analysis flags a potential overflow.

Note that func is not called in this example, and the overflow is only a possibility. To see issues of these types, add the analysis option Run stricter checks considering all values of system inputs (-checks-using-system-input-values).

Check Information

Group: 49. Miscellaneous (MSC)

Version History

Introduced in R2019a

expand all

R2021b: Checker detects overflows in conversions from floating point to integer types

The checker now detects overflows in conversions from floating point to integer types.

In addition, if the same variable causes multiple conversion overflows, all overflows are flagged. Previously, only the first overflow in a block was flagged.