The Java Language Specification, Section 15.17.3, "Remainder Operator %" states:

The remainder operation for operands that are integers after binary numeric promotion (§5.6.2) produces a result value such that (a/b)*b+(a%b) is equal to a. This identity holds even in the special case that the dividend is the negative integer of largest possible magnitude for its type and the divisor is -1 (the remainder is 0). It follows from this rule that the result of the remainder operation can be negative only if the dividend is negative, and can be positive only if the dividend is positive; moreover, the magnitude of the result is always less than the magnitude of the divisor.

...

5 % 3 produces 2
5 % (-3) produces 2
(-5) % 3 produces -2
(-5) % (-3) produces -2

Programmers could incorrectly assume that the remainder operation always returns a positive result, and may code based on that assumption.

Noncompliant Code Example

This noncompliant code example uses the integer hashKey as an index into the hash array. The hash key input could be negative, producing a negative result from the remainder operator. Consequently, the lookup function will throw a java.lang.ArrayIndexOutOfBoundsException.
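The failure described above, together with index computations that stay in range, as an added example that is not code from this guideline. The class name, method names and array size are assumptions; the Math.abs variant is included because it looks like a fix but still yields a negative index for Integer.MIN_VALUE.

```java
public class RemainderIndexDemo {
    private static final int SIZE = 10;            // assumed table size
    private static final int[] hash = new int[SIZE];

    // Noncompliant: % keeps the sign of the dividend, so a negative
    // hashKey produces a negative index and the array access throws.
    static int lookupNoncompliant(int hashKey) {
        return hash[hashKey % SIZE];
    }

    // Incomplete fix: Math.abs(Integer.MIN_VALUE) overflows and stays
    // negative, so the remainder is negative for that one key.
    static int indexWithAbs(int hashKey) {
        return Math.abs(hashKey) % SIZE;
    }

    // Math.floorMod (Java 8+) returns a result with the sign of the
    // divisor; with a positive SIZE the index is always in [0, SIZE - 1].
    static int indexWithFloorMod(int hashKey) {
        return Math.floorMod(hashKey, SIZE);
    }

    // Equivalent without floorMod: shift a negative remainder into range.
    static int indexWithAdjust(int hashKey) {
        int r = hashKey % SIZE;
        return (r < 0) ? r + SIZE : r;
    }

    static int lookupCompliant(int hashKey) {
        return hash[indexWithFloorMod(hashKey)];
    }

    public static void main(String[] args) {
        int[] keys = {5, -5, Integer.MIN_VALUE};   // constructed sample keys
        for (int key : keys) {
            System.out.printf("key=%d  %%=%d  abs=%d  floorMod=%d  adjust=%d%n",
                    key, key % SIZE, indexWithAbs(key),
                    indexWithFloorMod(key), indexWithAdjust(key));
            try {
                lookupNoncompliant(key);
            } catch (ArrayIndexOutOfBoundsException e) {
                System.out.println("  noncompliant lookup threw: " + e.getMessage());
            }
            lookupCompliant(key);                  // never out of bounds
        }
    }
}
```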

...

Automated detection of uses of the % operator is straightforward. Sound determination of whether those uses correctly reflect the intent of the programmer is infeasible in the general case. Heuristic warnings could be useful.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Related Guidelines

This guideline appears in the C Secure Coding Standard as INT10-C. Do not assume a positive remainder when using the % operator.

This guideline appears in the C++ Secure Coding Standard as INT10-CPP. Do not assume a positive remainder when using the % operator.

Bibliography

[JLS 2005] Section 15.17.3, "Remainder Operators" (http://java.sun.com/docs/books/jls/third_edition/html/expressions.html#15.17.3)

...