Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

When precise computation is necessary, use alternative representations that can accurately represent the values. For example, if you are performing arithmetic on decimal values and need an exact decimal rounding, represent the values in binary-coded decimal instead of using floating-point values. Another option is decimal floating-point arithmetic, as specified by ANSI/IEEE 754-2007. ISO/IEC WG14 has drafted a proposal to add support for decimal floating-point arithmetic to the C language [ISO/IEC DTR 24732].

When precise computation is necessary, carefully and methodically estimate the maximum cumulative error of the computations, regardless of whether decimal or binary is used, to ensure that the resulting error is within tolerances. Consider using numerical analysis to properly understand the problem. An introduction can be found in David Goldberg's "What Every Computer Scientist Should Know about Floating-Point Arithmetic" [Goldberg 1991].

Noncompliant Code Example

This noncompliant code example takes the mean of 10 identical numbers and checks to see if the mean matches this number. It should match because the ten 10 numbers are all 10.1. Yet, because of the imprecision of floating-point arithmetic, the computed mean does not match this number.

Code Block
bgColor#ffcccc
langc
#include <stdio.h>

/* Returns the mean value of the array */
float mean(float array[], int size) {
  float total = 0.0;
  size_t i;
  for (i = 0; i < size; i++) {
    total += array[i];
    printf("array[%d%zu] = %f and total is %f\n", i, array[i], total);
  }
  if (size != 0)
    return total / size;
  else
    return 0.0;
}

enum { array_size = 10 };
float array_value = 10.1;

int main(void) {
  float array[array_size];
  float avg;
  size_t i;
  for (i = 0; i < array_size; i++) {
    array[i] = array_value;
  }

  avg = mean( array, array_size);
  printf("mean is %f\n", avg);
  if (avg == array[0]) {
    printf("array[0] is the mean\n");
  } else {
    printf("array[0] is not the mean\n");
  }
  return 0;
}

...

Code Block
array[0] = 10.100000 and total is 10.100000
array[1] = 10.100000 and total is 20.200001
array[2] = 10.100000 and total is 30.300001
array[3] = 10.100000 and total is 40.400002
array[4] = 10.100000 and total is 50.500000
array[5] = 10.100000 and total is 60.599998
array[6] = 10.100000 and total is 70.699997
array[7] = 10.100000 and total is 80.799995
array[8] = 10.100000 and total is 90.899994
array[9] = 10.100000 and total is 100.999992
mean is 10.099999
array[0] is not the mean

Compliant Solution

This The noncompliant code may can be fixed by replacing the floating-point numbers with integers for the internal additions. Floats are used only when printing results and when doing the division to compute the mean.

Code Block
bgColor#ccccff
langc
#include <stdio.h>

/* Returns the mean value of the array */
float mean(int array[], int size) {
  int total = 0;
  size_t i;
  for (i = 0; i < size; i++) {
    total += array[i];
    printf("array[%d%zu] = %f and total is %f\n", i, array[i] / 100.0, total / 100.0);
  }
  if (size != 0)
    return ((float) total) / size;
  else
    return 0.0;
}

enum {array_size = 10};
int array_value = 1010;

int main(void) {
  int array[array_size];
  float avg;
  size_t i;
  for (i = 0; i < array_size; i++) {
    array[i] = array_value;
  }

  avg = mean(array, array_size);
  printf("mean is %f\n", avg / 100.0);
  if (avg == array[0]) {
    printf("array[0] is the mean\n");
  } else {
    printf("array[0] is not the mean\n");
  }
  return 0;
}

...

Using a representation other than floating point may allow for more accurate results.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

FLP02-C

low

Low

probable

Probable

high

High

P2

L3

Automated Detection

Checks for floating

Tool

Version

Checker

Description

section Sectioncan
Astrée
Include Page
Astrée_V
Astrée_V
float-comparisonPartially checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-FLP02
Compass/ROSE

 

 



Can detect violations of this recommendation. In particular, it checks to see if the arguments to an equality operator are of a floating-point type

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0790
LDRA tool suite
Include Page
LDRA_V
LDRA_V
56 SPartially implemented
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-FLP02-a

Floating-point expressions shall not be tested for equality or inequality
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

777, 9252

Partially supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. FLP02-C

Checks for floating point comparison with equality operators (rec. partially covered)

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V550
RuleChecker
Include Page
RuleChecker_V
RuleChecker_V
float-comparisonPartially checked

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.

Related Guidelines

...

...

...

...

...

...

:2013Floating-point Arithmetic [PLF]

ISO/IEC DTR 24732

Bibliography


...

Image Modified Image Modified Image Modified