Page History

...

String representations of floating-point numbers shall not be compared or inspected. When the value of a float variable must be represented exactly using the double type, an explicit assignment is more appropriate than first converting the floating-point value to a String and then to a double.

Noncompliant Code Example (String Comparison)

This noncompliant code example attempts a string-based comparison of a floating-point number.

...

However s actually contains the string "0.0010". Consequently, the comparison unexpectedly fails.

Noncompliant Code Example (Regex)

This noncompliant code example attempts to mitigate the extra trailing zero by using a regular expression on the string before comparing it.

...

int i = 1;
String s = Double.valueOf(i / 10000.0).toString();
s = s.replaceFirst("[.0]*$", "");
if (s.equals("0.0001")) {
  // ...
}

Compliant Solution (String Comparison)

This compliant solution uses the BigDecimal class to avoid precision loss. It then performs a numeric comparison, which passes as expected.

int i = 1;
BigDecimal d = new BigDecimal(Double.valueOf(i / 1000.0).toString())
if (d.compareTo(new BigDecimal("0.001")) == 0) {
  // ...
}

Risk Assessment

Relying on the string representation of floating-point types can result in imprecise values.

Automated Detection

TODO

Related Vulnerabilities

HV-192

Bibliography

...