SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 50 Next »

Narrower primitive types can be cast to wider types without any effect on the magnitude of numeric values. However, whereas integer types represent exact values, floating-point types have limited precision. Subclause 6.3.1.4 paragraph 2 of the C Standard [ISO/IEC 9899:2011] states:

When a value of integer type is converted to a real floating type, if the value being converted can be represented exactly in the new type, it is unchanged. If the value being converted is in the range of values that can be represented but cannot be represented exactly, the result is either the nearest higher or nearest lower representable value, chosen in an implementation-defined manner. If the value being converted is outside the range of values that can be represented, the behavior is undefined. Results of some implicit conversions may be represented in greater range and precision than that required by the new type (see 6.3.1.8 and 6.8.6.4).

Conversion from integral types to floating-point types without sufficient precision can lead to loss of precision (loss of least significant bits). No runtime exception occurs despite the loss.

Noncompliant Code Example

In this noncompliant example, a value of type int is converted to a value of type float:

#include <stdio.h>

int main(void) {
  int big = 1234567890;
  float approx = big;
  printf("%d\n", (big - (int)approx));
  return 0;
}

When compiled with GCC 4.8.1 on Linux, this program prints the value -46.

Compliant Solution

This compliant solution replaces the float with a double. Furthermore, it uses an assertion to guarantee that the double type can represent any int without loss of precision for implementations. (See INT35-C. Use correct integer precisions for the definition and rationale of the PRECISION() macro):

#include <assert.h>
#include <stdio.h>
#include <float.h>
#include <limits.h>

extern size_t popcount(uintmax_t);
#define PRECISION(umax_value) popcount(umax_value) 

int main(void) {
  assert(PRECISION(INT_MAX) <= DBL_MANT_DIG * log2(DBL_MANT_DIG));
  int big = 1234567890;
  double approx = big;
  printf("%d\n", (big - (int)approx));
  return 0;
}

On the same platform, this program prints 0.

Risk Assessment

Conversion from integral types to floating-point types without sufficient precision can lead to loss of precision (loss of least significant bits).

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FLP36-C

Low

Unlikely

Medium

P2

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C Secure Coding StandardDCL03-C. Use a static assertion to test the value of a constant expression
CERT C++ Secure Coding StandardFLP36-CPP. Beware of precision loss when converting integral types to floating point
CERT Oracle Secure Coding Standard for JavaNUM13-J. Avoid loss of precision when converting primitive integers to floating-point

Bibliography

[ISO/IEC 9899:2011]Subclause 6.3.1.4, "Real Floating and Integer"

 

  • No labels