Page History

String representations of floating-point numbers must should not be compared or inspected. If they are used, significant care needs to be taken to ensure expected behavior.

Noncompliant Code Example (String Comparison)

This noncompliant code example incorrectly compares the string representations of two floating-point values.

int i = 1;
String s = Double.valueOf(i / 1000.0).toString();
if (s.equals("0.001")) {
  // ...
}

The comparison unexpectedly fails because s contains the string "0.0010".

Noncompliant Code Example (Regex)

This noncompliant code example attempts to mitigate the extra trailing zero by using a regular expression on the string before comparing it.

int i = 1;
String s = Double.valueOf(i / 1000.0).toString();
s = s.replaceFirst("[.0]*$", "");
if (s.equals("0.001")) {
  // ...
}

While the comparison does succeed on the code above, it fails on the similar code below, which uses 1/10000.0 instead of 1/1000.0. decimal string literal generated by 1/10000.0. The string produced is not 0.00010 but 0001 but rather 1.0E-4.

int i = 1;
String s = Double.valueOf(i / 10000.0).toString();
s = s.replaceFirst("[.0]*$", "");
if (s.equals("0.0001")) {
  // ...
}

...

This compliant solution uses the BigDecimal class to avoid precision lossthe conversion into scientific notation. It then performs a numeric comparison, which passes as expected.

int i = 1;
BigDecimal d = new BigDecimal(Double.valueOf(i / 100010000.0).toString());
if (d.compareTo(new BigDecimal("0.0010001")) == 0) {
  // ...
}

Risk Assessment

Comparing or inspecting the string representation of floating-point values may have unexpected results.

Related Vulnerabilities

...

Android Implementation Details

Comparing or inspecting the string representation of floating-point values may have unexpected results on Android.

Bibliography

[API 2006]
[JLS

2005

2015]
[Seacord 2015]	Image Added NUM11-J. Do not compare or inspect the string representation of floating-point values LiveLesson

...