SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 8

changes.mady.by.user Fred Long

Saved on

compared with

New Version Current

changes.mady.by.user Valery

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The following 19 specific conversions on primitive types are called the widening primitive conversions:

  • byte to short, int, long, float, or double
  • short to int, long, float, or double
  • char to int, long, float, or double
  • int to long, float, or double
  • long to float or double
  • float to double

...

Conversion from int or long to float, or from long to double can lead to loss of precision (loss of least significant bits). No runtime exception occurs despite the loss.

Conversion rules:

...

From

...

To

...

Description

In these cases, the resulting floating-point value is a rounded version of the integer value, using IEEE 754 round-to-nearest mode. Despite this loss of precision, The Java Language Specification (JLS) requires that the conversion and rounding occur silently, that is, without any runtime exception (see the JLS, §5.1.2, "Widening Primitive Conversion" [JLS 2015], for more information). Conversions from integral types smaller than int to a floating-point type and conversions from int to double can never result in a loss of precision. Consequently, programs must ensure that conversions from an int or long to a floating-point type or from long to double do not result in a loss of required precision.

Note that conversions from float to double can also lose information about the overall magnitude of the converted value (see NUM53-J. Use the strictfp modifier for floating-point calculation consistency across platforms for additional information).

...

int or long

...

integral type T

...

Sign extend corresponding 2's complement form

...

char

...

integral type T

...

Noncompliant Code Example

In this noncompliant code example, an int is converted to float. Since a floating point number cannot be precise to 9 digits, the result of subtracting the original from this value is non-zerotwo identical large integer literals are passed as arguments to the subFloatFromInt() method. The second argument is coerced to float, cast back to int, and subtracted from a value of type int. The result is returned as a value of type int.

This method could have unexpected results because of the loss of precision. In FP-strict mode, values of type float have 23 mantissa bits, a sign bit, and an 8-bit exponent (see NUM53-J. Use the strictfp modifier for floating-point calculation consistency across platforms for more information about FP-strict mode). The exponent allows type float to represent a larger range than that of type int. However, the 23-bit mantissa means that float supports exact representation only of integers whose representation fits within 23 bits; float supports only approximate representation of integers outside that range.

Code Block
bgColor#FFcccc

strictfp class WideSample {
  public static int subFloatFromInt(int op1, float op2) {
    return op1 - (int)op2;
  }

  public static void main(String[] args) {
    int bigresult = subFloatFromInt(1234567890, 1234567890);
    // This prints -46, not 0, floatas approxmay =be big;expected
    System.out.println(big - (int)approx)result);  //ideally this should be zero but it prints -46
  }
}

Note that conversions from long to either float or double can lead to similar loss of precision.

Compliant Solution

...

(ArithmeticException)

This compliant solution range checks the argument of the integer argument (op1) to ensure it can be represented as a value of type float without a loss of precision:The significand part of a floating point number can hold at most 23 bit values. Anything above this threshold is discarded due to precision loss, as is demonstrated in this compliant solution.

Code Block
bgColor#ccccff

strictfp class WideSample {
  public static voidint main(String[] args) {
subFloatFromInt(int op1, float op2)
        int big = 1234567890;
         throws ArithmeticException {

    // 
The significand can store floatat approxmost =23 big;bits
    if (Integer.highestOneBit(big) <= Math.pow(2, 23)) { //the significand can store at most 23 bits
      (op2 > 0x007fffff) || (op2 < -0x800000)) { 
      throw new ArithmeticException("Insufficient precision");
    }

    return op1 - (int)op2;
  }

  public static void main(String[] args) {
    int result = subFloatFromInt(1234567890, 1234567890);
    System.out.println(big - (int)approx);  //always prints zero now
    }
    else {
      //handle error   //precision error
    }
  }
}

Risk Assessment

result);  
  }
}

In this example, the subFloatFromInt() method throws ArithmeticException. This general approach, with appropriate range checks, can be used for conversions from long to either float or double.

Compliant Solution (Wider Type)

This compliant solution accepts an argument of type double instead of an argument of type float. In FP-strict mode, values of type double have 52 mantissa bits, a sign bit, and an 11-bit exponent. Integer values of type int and narrower can be converted to double without a loss of precision.

Code Block
bgColor#ccccff
strictfp class WideSample {
  public static int subDoubleFromInt(int op1, double op2) {
    return op1 - (int)op2;
  }

  public static void main(String[] args) {
    int result = subDoubleFromInt(1234567890, 1234567890);
    // Works as expected
    System.out.println(result);  
  }

}

Note that this compliant solution cannot be used when the primitive integers are of type long because Java lacks a primitive floating-point type whose mantissa can represent the full range of a long.

Exceptions

NUM13-J-EX0: Conversion from integral types to floating-point types without a range check is permitted when suitable numerical analysis demonstrates that the loss of the least significant bits of precision is acceptable.

Risk Assessment

Converting integer values to floating-point types whose mantissa has fewer bits than the original integer value can result in a rounding errorCasting numeric types to wider floating-point types may lose information.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

INT33

NUM13-J

low

Low

unlikely

Unlikely

medium

Medium

P2

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[JLS 05|AA. Java References#JLS 05]\] [Section 5.1.2, Widening Primitive Conversion|http://java.sun.com/docs/books/jls/third_edition/html/conversions.html#5.1.2]

Automatic detection of casts that can lose precision is straightforward. Sound determination of whether those casts correctly reflect the intent of the programmer is infeasible in the general case. Heuristic warnings could be useful.

ToolVersionCheckerDescription
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.CAST.FTRUNC

Cast: Integer to Floating Point (Java)

Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.NUM13.AICAvoid implicit casts from integer data types to floating point data types
PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V6011

Related Guidelines

SEI CERT C Coding Standard

FLP36-C. Preserve precision when converting integral values to floating-point type

Bibliography

[JLS 2015]

§5.1.2, "Widening Primitive Conversion"

[Seacord 2015]
Image result for video iconImage Added NUM13-J. Avoid loss of precision when converting primitive integers to floating-point LiveLesson


...

Image Added Image Added Image AddedINT32-J. Perform conversion from BigInteger to String and back properly      04. Integers (INT)      05. Floating Point (FLP)