...
A less portable but potentially more secure solution is to use the capabilities provided by the underlying implementation. If this approach is taken, the caveats of that system must be well understood. The following table provides a starting point for some common operating systems:
Operating System | How to Handle Floating-Point Errors |
---|---|
Linux | Use the C floating-point exception functions |
Windows | Use either the C floating-point exception functions or structured exception handling through |
Noncompliant Code Example
...
Undetected floating-point errors may result in lower program efficiency, inaccurate results, or software vulnerabilities. Most processors stall for a significant duration (sometimes up to a second or even more on 32-bit desktop processors) when an operation incurs a NaN (not a number) value.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
FLP03-C | Low | Probable | High | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| float-division-by-zero | Partially checked | ||||||
Compass/ROSE |
Could detect violations of this rule by ensuring that floating-point operations are surrounded by |
LDRA tool suite |
|
|
|
4123
4124
4125
4126
4127
4128
43 D | Partially implemented | ||||||||
Parasoft C/C++test |
| CERT_C-FLP03-a | Avoid division by zero | ||||||
Parasoft Insure++ | Runtime analysis | ||||||||
PC-lint Plus |
| 736, 9120, 9227 | Assistance provided | ||||||
Polyspace Bug Finder |
| Checks for:
Rec. partially covered. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.
Related Guidelines
SEI CERT C++ |
Coding Standard | VOID FLP03-CPP. Detect and handle floating point errors |
MITRE CWE | CWE-369, Divide by zero |
Bibliography
[IEEE |
Std 1003.1:2013] |
XBD, Headers, <fenv.h> |
[Intel 2001] |
[ISO/IEC 9899:2011] | Subclause 7.6.2, "Floating-Point Exceptions" |
[Keil 2008] |
[MSDN] | "fpieee_flt (CRT) |
fenv.h
- Floating-point environment" |
[SecurityFocus 2007] |
...
...