SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 44

changes.mady.by.user Dean Sutherland

Saved on

compared with

New Version 45

changes.mady.by.user Dean Sutherland

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Strict behavior cannot be inherited by a subclass that extends a strictfp superclass. An overriding method can independently choose to be strictfp when the overridden method is not or vice versa.

Noncompliant Code Example

This noncompliant code example does not mandate strictfp computation. Double.MAX_VALUE is multiplied by 1.1 and reduced back by dividing by 1.1, according to the evaluation order. If Double.MAX_VALUE is the maximum value permissible by the platform, the calculation will yield the result infinity.

...

Code Block
bgColor#FFcccc
class Example {
  public static void main(String[] args) {
    double d = Double.MAX_VALUE;
    System.out.println("This value \"" + ((d * 1.1) / 1.1) + "\" cannot be represented as double.");
  }
}

Compliant Solution

For maximum portability, use the strictfp modifier within an expression (class, method, or interface) to guarantee that intermediate results do not vary because of implementation-defined compiler optimizations or by design. The calculation in this compliant solution is guaranteed to produce infinity because of the intermediate overflow condition, regardless of what floating-point support is provided by the platform.

Code Block
bgColor#ccccff
strictfp class Example {
  public static void main(String[] args) {
    double d = Double.MAX_VALUE;
    System.out.println("This value \"" + ((d * 1.1) / 1.1) + "\" cannot be represented as double.");
  }
}

Noncompliant Code Example

On platforms whose native floating point hardware provides greater precision than double, the JIT is permitted to use floating point registers to hold values of type float or type double (in the absence of the strictfp modifier), even though the registers support values with greater exponent range than that of the primitive types. Consequently, conversion from float to double can cause an effective loss of magnitude.

...

The lost magnitude would also have been lost if the value were stored to memory, for example to a field of type float.

Compliant Solution

This compliant solution uses the strictfp keyword to require exact conformance with standard Java floating point. Consequently, the intermediate value of both computations of f * g will be identical to the value stored in this.d, even on platforms that support extended range exponents.

Code Block
bgColor#ccccff
strictfp class Example {
  double d = 0.0;

  public void example() {
    float f = Float.MAX_VALUE;
    float g = Float.MAX_VALUE;
    this.d = f * g;
    System.out.println("d (" + this.d ") might not be equal to " + (f * g));
  }

  public static void main(String[] args) {
    Example ex = new Example();
    ex.example();
  }
}

Exceptions

NUM09-EX1: This guideline applies only to calculations that require consistent floating point results on all platforms. Applications that lack this requirement need not comply.

NUM09-EX2: The strictfp modifier may be omitted when competent numerical analysis demonstrates that the computed values will meet all accuracy and behavioral requirements that are appropriate to the application. Note that "competent numerical analysis" generally requires a specialized professional numerical analyst; lesser levels of rigor fail to qualify for this exception.

Risk Assessment

Failure to use the strictfp modifier can result in implementation-defined behavior with respect to the behavior of floating point operations.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

NUM09-J

low

unlikely

high

P1

L3

Automated Detection

Sound automated detection of violations of this guideline are not feasible in the general case.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Related Guidelines

C Secure Coding Standard FLP00-C. Understand the limitations of floating point numbers

Bibliography

Wiki Markup
\[[Darwin 2004|AA. Bibliography#Darwin 04]\] Ensuring the Accuracy of Floating-Point Numbers
\[[JLS 2005|AA. Bibliography#JLS 05]\] [Section 15.4|http://java.sun.com/docs/books/jls/third_edition/html/expressions.html#15.4], "FP-strict Expressions"
\[[JPL 2006|AA. Bibliography#JPL 06]\] 9.1.3. Strict and Non-Strict Floating-Point Arithmetic
\[[McCluskey 2001|AA. Bibliography#McCluskey 01]\] Making Deep Copies of Objects, Using strictfp, and Optimizing String Performance

...