Fix panic on lossy decimal to float casting: round to saturation for overflows #7887
Conversation
… conversion process and error handling
… detailed context in error messages, such as failing element index and input value.
|
Is it possible that the issue is that the float conversion is fallible, I wouldn't have expected the conversion to be fallible? Can we fix this? Changing to try_unary will significantly regress performance and may be the wrong fix? |
… include detailed context in error messages, such as failing element index and input value." This reverts commit cf9268d.
…d Float64 conversions
|
Thanks @tustvold for the quick feedback ✅ What we’re doing now (safe, slow):
🛠 Alternative approaches (fast, risky or complex):
|
|
I would expect us to follow standard floating point overflow behaviour. Ultimately if you're opting for floating point numbers you are opting for this behaviour. Floating point in general is not appropriate for financial data as it is lossy by design. |
…ion failures" This reverts commit f25ec6b3ba8561f8a66b276d9d7869f8636ce48c.
…f error on overflow - Changed decimal-to-float casts to use lossy conversion consistent with IEEE semantics, saturating to ±INFINITY instead of returning an error on overflow or out-of-range values. - Updated `cast_decimal_to_float` to use infallible conversion function signature. - Added `decimal256_to_f64` helper for Decimal256 to f64 conversion with saturation. - Adjusted casting logic in `cast_with_options` accordingly. - Removed tests that expected errors on decimal-to-float overflow since now conversion saturates. - Clarified documentation to specify that decimal to float casts are lossy and saturate on overflow.
kosiew
changed the title
| ); | ||
| } | ||
| #[test] | ||
| fn test_cast_decimal256_to_f64_overflow() { |
There was a problem hiding this comment.
Does this need to cover negative infinity?
There was a problem hiding this comment.
Good catch.
I amended the test.
There was a problem hiding this comment.
Could you also please either add or ensure there is an existing test for casting Decimal128 (i128::MIN and i128::MAX to f64)
There was a problem hiding this comment.
Update, I didn't notice that @kosiew added a follow on ticket to track this work:
… casting Decimal256 to Float64
alamb
changed the title
| from_type, | ||
| to_type, | ||
| |x: i256| x.to_f64().unwrap(), | ||
| |x: i256| decimal256_to_f64(x), |
There was a problem hiding this comment.
Do we need to do something similar for Decimal128 above?
There was a problem hiding this comment.
I'm having a hard time understanding the semantics of i256::to_64, but it seems to be a provided method of impl ToPrimitive for i256, which
tries to convert through
to_i64(), and failing that throughto_u64()
In contrast, the Decimal128 case above is doing a rust cast x as f64, which I would assume already handles this case Just Fine (and probably doesn't even need to resort to +/- INF, because f64 has a dynamic range of ~2048 powers of two (from 2**-1023 to 2**1023) -- far more than enough to handle even Decimal256 (which has dynamic range of only 512 powers of two (from 2**-255 to 2**255)
If we're anyway trying to convert the value to f64, it seems like we should fix this bug by following the advice from the docs for ToPrimitive::to_f64:
Types implementing this trait should override this method if they can represent a greater range.
This shouldn't actually be very difficult. Assuming the two i128 parts together form the halves of one giant two's complement value, something like this should do the trick, and would always return a finite value.
There was a problem hiding this comment.
(just be careful -- the least-significant leading zero is the sign bit, and mustn't be shifted out; I'm not 100% certain my code above handles that correctly, could be off-by-one)
There was a problem hiding this comment.
- I Filed Consider updating
i256::to_f64to handle overflow #7980 to track this idea
| } | ||
|
|
||
| /// Convert a [`i256`] to `f64` saturating to infinity on overflow. | ||
| fn decimal256_to_f64(v: i256) -> f64 { |
There was a problem hiding this comment.
Saturating to INF seems a better solution than panic'ing
| ); | ||
| } | ||
| #[test] | ||
| fn test_cast_decimal256_to_f64_overflow() { |
There was a problem hiding this comment.
Could you also please either add or ensure there is an existing test for casting Decimal128 (i128::MIN and i128::MAX to f64)
| from_type, | ||
| to_type, | ||
| |x: i256| x.to_f64().unwrap(), | ||
| |x: i256| decimal256_to_f64(x), |
There was a problem hiding this comment.
- I Filed Consider updating
i256::to_f64to handle overflow #7980 to track this idea
…cimal256 → Float64 casts (#7986) # Which issue does this PR close? Closes #7985 --- # Rationale for this change The existing Decimal256 → Float64 conversion was changed to **saturate** out-of-range values to `±INFINITY` (PR #7887) in order to avoid panics. However, every 256-bit signed integer actually fits within the exponent range of an IEEE-754 `f64` (±2¹⁰²³), so we can always produce a **finite** `f64`, only sacrificing mantissa precision. By overriding `i256::to_f64` to split the full 256-bit magnitude into high/low 128-bit halves, recombine as ```text (high as f64) * 2^128 + (low as f64) ``` and reapply the sign (special-casing i256::MIN), we: - Eliminate both panics and infinite results - Match Rust’s built-in (i128) as f64 rounding (ties-to-even) - Simplify casting logic—no saturating helpers or extra flags required # What changes are included in this PR? - Added full-range fn to_f64(&self) -> Option<f64> for i256, using checked_abs() + to_parts() + recombination - Removed fallback through 64-bit to_i64()/to_u64() and .unwrap() - Replaced the old decimal256_to_f64 saturating helper with a thin wrapper around the new i256::to_f64() (always returns Some) - Updated Decimal256 → Float64 cast sites to call the new helper ## Tests - Reworked “overflow” tests to assert finite & correctly signed results for i256::MAX and i256::MIN - Added typical-value tests; removed expectations of ∞/-∞ # Are there any user-facing changes? Behavior change: - Very large or small Decimal256 values no longer become +∞/-∞. - They now map to very large—but finite—f64 values (rounded to nearest mantissa). ## API impact: No public API signatures changed. Conversion remains lossy by design; users relying on saturation-to-infinity will observe different (more faithful) behavior. --------- Co-authored-by: Ryan Johnson <[email protected]>
Which issue does this PR close?
Closes #7886.
Rationale for this change
Casting large
Decimal256values toFloat64can exceed the representable range of floating point numbers. Previously, this could result in a panic due to unwrapping a failed conversion.This PR introduces a safe conversion that saturates overflowing values to
INFINITYor-INFINITY, following standard floating point semantics. This ensures stable, predictable behavior without runtime crashes.What changes are included in this PR?
decimal256_to_f64that convertsi256tof64, returningINFINITYor-INFINITYwhen the value is out of range.Decimal256→Float64to use the new safe conversion.test_cast_decimal256_to_f64_overflowto validate overflow behavior.Are there any user-facing changes?
Yes.
Decimal256values that exceed thef64range, users now receiveINFINITYor-INFINITYinstead of a panic.