Because floating-point numbers represent real numbers, it is often mistakenly assumed that they can represent any simple fraction exactly. Floating-point numbers are subject to representational limitations just as integers are, and binary floating-point numbers cannot represent all real numbers exactly, even if they can be represented in a small number of decimal digits.
In addition, because floating-point numbers can represent large values, it is often mistakenly assumed that they can represent all significant digits of those values. To gain a large dynamic range, floating-point numbers maintain a fixed number of precision bits (also called the significand) and an exponent, which limit the number of significant digits they can represent.
Different implementations have different precision limitations, and to keep code portable, floating-point variables must not be used as the loop induction variable. See Goldberg's work for an introduction to this topic [Goldberg 1991].
For the purpose of this rule, a loop counter is an induction variable that is used as an operand of a comparison expression that is used as the controlling expression of a
for loop. An induction variable is a variable that gets increased or decreased by a fixed amount on every iteration of a loop [Aho 1986]. Furthermore, the change to the variable must occur directly in the loop body (rather than inside a function executed within the loop).
Noncompliant Code Example
In this noncompliant code example, a floating-point variable is used as a loop counter. The decimal number
0.1 is a repeating fraction in binary and cannot be exactly represented as a binary floating-point number. Depending on the implementation, the loop may iterate 9 or 10 times.
For example, when compiled with GCC or Microsoft Visual Studio 2013 and executed on an x86 processor, the loop is evaluated only nine times.
In this compliant solution, the loop counter is an integer from which the floating-point value is derived:
Noncompliant Code Example
In this noncompliant code example, a floating-point loop counter is incremented by an amount that is too small to change its value given its precision:
On many implementations, this produces an infinite loop.
In this compliant solution, the loop counter is an integer from which the floating-point value is derived. The variable
x is assigned a computed value to reduce compounded rounding errors that are present in the noncompliant code example.
|Clang||3.9||Checked by |
|CodeSonar||4.4||LANG.STRUCT.LOOP.FPC||Float-typed loop counter|
MISRA C 2004 Rule 13.4
MISRA C 2012 Rule 14.1
|LDRA tool suite||9.5.6|
|Parasoft C/C++test||9.5||MISRA-065||Fully implemented|
|Polyspace Bug Finder||R2016a||MISRA2012-RULE-14_1, MISRA2012-DIR-1_1||Fully implemented|
|PRQA QA-C||9.3||3340, 3342||Partially implemented|
|SonarQube C/C++ Plugin||3.11||S2193||Fully implemented|
|SEI CERT C++ Coding Standard||FLP30-CPP. Do not use floating-point variables as loop counters|
|CERT Oracle Secure Coding Standard for Java||NUM09-J. Do not use floating-point variables as loop counters|
|ISO/IEC TR 24772:2013||Floating-Point Arithmetic [PLF]|
|MISRA C:2012||Directive 1.1 (required)|
Rule 14.1 (required)