Page History

...

Subclause 6.8.6.4, paragraph 23, of the C Standard [ISO/IEC 9899:2011] states:

...

float f(float x) {
  return x * 0.1f;
}

float g(float x) {
  return x * 0.1;
}

Function f() is allowed to return a value wider than float, but function g() (which uses the wider constant) is not.

Although the current text standard does not require narrowing return expressions of the same type as the function, it does not clearly state what is allowed. Is it allowed to narrow the result? Is it allowed to narrow the result sometimes but not always? Is it allowed to partially narrow the result (for example, if the application binary interface [ABI] returns floats in double format, but a float function has a float return expression evaluated to wider than double)? An aggressive implementation could argue yes€ to all these questions, though the resulting behavior would complicate debugging and error analysis.

Footnote 160 in the C Standard says a cast may be used to remove extra range and precision from the return expression. This means that a predictable program must have casts on all floatingfunction calls that return floating-point function calls values (except where the function directly feeds an operator-like assignment that implies the conversion). With type-generic math (tgmath.h), the programmer has to reason through the tgmath.h resolution rules to determine which casts to apply. These are significant obstacles to writing predictable code.

NOTE: WG14 voted to include the following text in the The C Standard, subclause F.6 [ISO/IEC 9899:2011]. It impacts only implementations that implement the optional Annex F, "IEC 60559 Floating-Point Arithmetic."

Require return expressions to be converted as if by assignment to the type of the function, but only in Annex F. This is a compromise that addresses the problems for Annex F implementations while not impacting non-Annex F implementations that exercise the license for wide returns.

Insert the following new subclause after F.5 (and increment subsequent subclause numbers):

...

, states:

If the return expression is evaluated in a floating-point format different from the return type, then the expression is converted as if by assignment³⁶² to the return type of the function and the resulting value is returned to the caller.

362) Assignment removes any extra range and precision.

This applies only to implementations that conforms to the optional Annex F, "IEC 60559 Floating-Point Arithmetic."  The macro __STDC_IEC_559__ can be used to determine whether an implementation conforms to Annex F.

Noncompliant Code Example

This noncompliant code example fails to cast the result of the expression in the return statement and thereby guarantee that the range or precision is no wider than expected. The uncertainty in this example is introduced by the constant 0.1f. This constant may be stored with a range or precision that is greater than that of float. Consequently, the result of x * 0.1f may also have a range or precision greater than that of float. As described previously, this range or precision may not be reduced to that of a float, so the caller of calcPercentage() may receive a value that is more precise than expected. This may lead to inconsistent program execution across different platforms.

float calcPercentagecalc_percentage(float value) {
  return value * 0.1f;
}

void floatRoutinefloat_routine(void) {
  float value = 99.0f;
  long double percentage;

  percentage = calcPercentagecalc_percentage(value);
}

Compliant Solution (within the Function)

This compliant solution casts the value of the expression in the return statement. It forces the return value to have the expected range and precision, as described in subclause 5.2.4.2.2, paragraph 89, of the C Standard [ISO/IEC 9899:2011].

float calcPercentagecalc_percentage(float value) {
  return (float)(value * 0.1f);
}

void floatRoutinefloat_routine(void) {
  float value = 99.0f;
  long double percentage;

  percentage = calcPercentage(value);
}

Compliant Code Example (Alternate)

Unfortunately, not all compilers honor casts. In this case, the range and precision must be forced by assignment to a variable of the correct type. This compliant solution forces the assignment by type-qualifying result as volatile and assigning the result of the floating point operation to result before returning it:

float calcPercentage(float value) {
  volatile float result;

  result = value * 0.1f;

  return result;
}

void floatRoutine(void) {
  float value = 99.0f;
  long double percentage;

  percentage = calcPercentagecalc_percentage(value);
}

...

Forcing the range and precision inside the calcPercentage() function is a good way to fix the problem once without having to apply fixes in multiple locations (every time calcPercentage() is called). However, access   

Compliant Solution (Outside the Function)

Source code to the called function may not always be available. This compliant solution shows one way casts the return value of the calcPercentage() function to float to force the correct range and precision in a situation in which when the source of the called function cannot be modified. This behavior is accomplished by casting the return value of the calcPercentage() function to float.

void floatRoutinefloat_routine(void) {
  float value = 99.0f;
  long double percentage;

  percentage = (float)calcPercentage(value);
}

Compliant Solution (Outside the Function 2)

This compliant solution shows another way to force the correct range and precision. In this case, a temporary variable is used as the forcing mechanism.

void floatRoutine(void) {
  float value = 99.0f;
  long double percentage;
  float temp;

  percentage = temp = calcPercentage) calc_percentage(value);
}

Risk Assessment

Failure to follow this guideline can lead to inconsistent results across different platforms.

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

...

...

Image Modified Image Modified Image Modified