SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 78

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version Current

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

String representations of floating-point numbers must should not be compared or inspected. If they are used, significant care needs to be taken to ensure expected behavior.

Noncompliant Code Example (String Comparison)

This noncompliant code example incorrectly compares the string representations of two floating-point values:

Code Block
bgColor#FFCCCC
int i = 1;
String s = Double.valueOf(i / 1000.0).toString();
if (s.equals("0.001")) {
  // ...
}

The comparison unexpectedly fails because s contains the string "0.0010", which is not equal to "0.001".

Noncompliant Code Example (Regex)

This noncompliant code example attempts to mitigate the extra trailing zero by using a regular expression on the string before comparing it:

Code Block
bgColor#FFCCCC
int i = 1;
String s = Double.valueOf(i / 1000.0).toString();
s = s.replaceFirst("[.0]*$", "");
if (s.equals("0.001")) {
  // ...
}

Although the comparison succeeds on the preceding code, it fails on the following similar code, which uses 1/10000.0 instead of 1/1000decimal string literal generated by 1/10000.0. The string produced is not 0.00010 but 0001 but rather 1.0E-4.

Code Block
bgColor#FFCCCC
int i = 1;
String s = Double.valueOf(i / 10000.0).toString();
s = s.replaceFirst("[.0]*$", "");
if (s.equals("0.0001")) {
  // ...
}

...

This compliant solution uses the BigDecimal class to avoid precision lossthe conversion into scientific notation. It then performs a numeric comparison, which passes as expected.

Code Block
bgColor#ccccff
int i = 1;
BigDecimal d = new BigDecimal(Double.valueOf(i / 100010000.0).toString());
if (d.compareTo(new BigDecimal("0.0010001")) == 0) {
  // ...
}

Risk Assessment

Comparing or inspecting the string representation of floating-point values may have unexpected results.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

NUM11-J

Low

Likely

Medium

P6

L2

Related Vulnerabilities

...


Android Implementation Details

Comparing or inspecting the string representation of floating-point values may have unexpected results on Android.

Bibliography

[API 2006]

 

[JLS

2005

2015]

 

[Seacord 2015]
Image result for video iconImage Modified NUM11-J. Do not compare or inspect the string representation of floating-point values LiveLesson

...


...