SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 6

changes.mady.by.user Dhruv Mohindra

Saved on

compared with

New Version 7

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: fixed remaining comments

The operation of the remainder modulo operator in Java is defined in the Java Language Specification [[JLS 05]], Section 15.17.3:

The remainder modulo operation for operands that are integers after binary numeric promotion (§5.6.2) produces a result value such that (a/b)*b+(a%b) is equal to a. This identity holds even in the special case that the dividend is the negative integer of largest possible magnitude for its type and the divisor is -1 (the remainder modulo is 0). It follows from this rule that the result of the remainder modulo operation can be negative only if the dividend is negative, and can be positive only if the dividend is positive; moreover, the magnitude of the result is always less than the magnitude of the divisor.

Although clearly defined in the Java specification, the behavior is undefined in several early C implementations and it is represented by the same symbol as the modulus operator, which always returns a positive value. Therefore, it is possible to have unintended behavior from use of this operator.

The result of the remainder modulo operator implies the following behavior:

...

In this noncompliant example, the integer hash hashKey references an element of the hash table array. However, since the hash key is not guaranteed to be positive, the lookup function may fail, producing a java.lang.ArrayIndexOutOfBoundsException on all negative inputs.

Code Block
bgColorFFCCCC
private int SIZE = 16;	
public int[] hashTablehash = new int[SIZE];
	
public int lookup(int hashhashKey) {
  return hashTablehash[hashhashKey % sizeSIZE];
}

Compliant Solution

One compliant implementation is to call a function that returns a true (always positive) modulus.

Code Block
bgColorCCCCFF
/* modulo function giving non-negative result */
private int SIZE = 16;
public int[] hashTablehash = new int[SIZE];

private int imod(int i, int j) {
  return (i < 0) ? ((-i) % j) : (i % j);
}
	
public int lookup(int hashhashKey) {
  return hashTablehash[imod(hashhashKey, size)];
}

Alternatively, an explicit range check must be performed on the numerator at every susceptible point.

Code Block
bgColorCCCCFF
public int lookup(int hashhashKey) {
  if (hashhashKey < 0)
    return hashTablehash[(-hashhashKey) % size];
  return hashTablehash[hashhashKey % size];
}

Note that providing a well documented imod method is a better choice as it improves readability and makes it clear that its sole purpose is to return positive values when required and not to "fix" the unintuitive behavior of the remainder modulo operator, as defined by the specification.

...

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

INT02-J

low

unlikely

high

P1

L3

Automated Detection

...

Other Languages

This rule appears in the C Secure Coding Standard as INT10-C. Do not assume a positive remainder when using the % operator, and .

This rule appears in the C++ Secure Coding Standard as INT10-CPP. Do not assume a positive remainder when using the % operator,

...