Because floating-point numbers can represent fractions, programmers often mistakenly assume that they can represent any simple fraction exactly. In fact, floating-point numbers are subject to range limitations just as integers are. Furthermore, limited-precision binary floating-point numbers cannot represent all decimals precisely, even when the decimals can be represented in a small number of digits.
In addition, because floating-point numbers can represent large values, programmers often mistakenly assume that they can represent all digits of those values. To gain a large dynamic range, floating-point numbers maintain a fixed number of bits of precision and an exponent. Incrementing a large floating-point value might not change that value within the available precision.
As a result, floating-point variables must not be used as loop counters.
Noncompliant Code Example
This noncompliant code example uses a floating-point variable as a loop counter. The decimal number 0.1 cannot be precisely represented as a float or even as a double.
for (float x = 0.1f; x <= 1.0f; x += 0.1f) {
System.out.println(x);
}
Because 0.1f is rounded to the nearest value that can be represented in the value set of the float type, the actual quantity added to x on each iteration is somewhat larger than 0.1; consequently, the loop executes only nine times and fails to produce the expected output.
Compliant Solution
This compliant solution uses an integer loop counter from which the desired floating-point value is derived.
for (int count = 1; count <= 10; count += 1) {
float x = count/10.0f;
System.out.println(x);
}
Noncompliant Code Example
This noncompliant code example uses a floating-point loop counter that is incremented by an amount that is too small to change its value given the precision.
for (float x = 100000001.0f; x <= 100000010.0f; x += 1.0f) {
/* ... */
}
The code loops forever on execution.
Compliant Solution
This compliant solution uses an integer loop counter from which the floating-point value is derived. Additionally, it uses a double to ensure that the available precision suffices to represent the desired values.
for (int count = 1; count <= 10; count += 1) {
double x = 100000000.0 + count;
/* ... */
}
Risk Assessment
Using floating-point loop counters can lead to unexpected behavior.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
NUM09-J |
low |
probable |
low |
P6 |
L2 |
Automated Detection
Automated detection of floating-point loop counters is straightforward.
Related Guidelines
C Secure Coding Standard |
"FLP30-C. Do not use floating point variables as loop counters" |
|||
C++ Secure Coding Standard |
"FLP30-CPP. Do not use floating point variables as loop counters" |
|||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="dba29b9a-faa5-49b7-8c5b-637fd3907ff6"><ac:plain-text-body><![CDATA[ |
[ISO/IEC TR 24772:2010 |
http://www.aitcnet.org/isai/] |
"Floating?point Arithmetic [PLF]" |
]]></ac:plain-text-body></ac:structured-macro> |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5c864630-6644-465e-961c-877bb16435fa"><ac:plain-text-body><![CDATA[ |
[[Bloch 2005 |
AA. Bibliography#Bloch 05]] |
Puzzle 34: Down for the Count |
]]></ac:plain-text-body></ac:structured-macro> |
|
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="8879766e-371e-45d2-8f7a-a547268fb95a"><ac:plain-text-body><![CDATA[ |
[[JLS 2005 |
AA. Bibliography#JLS 05]] |
[§4.2.3, "Floating-Point Types, Formats, and Values" |
http://java.sun.com/docs/books/jls/third_edition/html/typesValues.html#4.2.3] |
]]></ac:plain-text-body></ac:structured-macro> |