SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 80

changes.mady.by.user Pranjal Jumde

Saved on

compared with

New Version Current

changes.mady.by.user Will Snavely

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The Java language allows platforms to use available floating-point hardware that can provide extended floating-point support with exponents that contain more bits than the standard Java primitive type double (in the absence of the strictfp modifier). Consequently, these platforms can represent a superset of the values that can be represented by the standard floating-point types. Floating-point computations on such platforms can produce different results than would be obtained if the floating-point computations were restricted to the standard representations of float and double. According to the JLS, �����‚�š�š§15§15.4, "FP-strict Expressions" [JLS 2005]:

The net effect [of non-fp-strict evaluation], roughly speaking, is that a calculation might produce "the correct answer" in situations where exclusive use of the float value set or double value set might result in overflow or underflow.

...

Strict behavior is not inherited by a subclass that extends a FP-strict superclass. An overriding method can independently choose to be FP-strict when the overridden method is not, or vice versa.

Noncompliant Code Example

This noncompliant code example does not mandate FP-strict computation. Double.MAX_VALUE is multiplied by 1.1 and reduced back by dividing by 1.1, according to the evaluation order. If Double.MAX_VALUE is the maximum value permissible by the platform, the calculation will yield the result infinity.

...

The JVM may choose to treat this case as FP-strict; if it does so, overflow occurs. Because the expression is not FP-strict, an implementation may use an extended exponent range to represent intermediate results.

Code Block
bgColor#FFcccc

class Example {
  public static void main(String[] args) {
    double d = Double.MAX_VALUE;
    System.out.println("This value \"" + ((d * 1.1) / 1.1) + "\" cannot be represented as double.");
  }
}

Compliant Solution

For maximum portability, use the strictfp modifier within an expression (class, method, or interface) to guarantee that intermediate results do not vary because of implementation-defined behavior. The calculation in this compliant solution is guaranteed to produce infinity because of the intermediate overflow condition, regardless of what floating-point support is provided by the platform.

Code Block
bgColor#ccccff

strictfp class Example {
  public static void main(String[] args) {
    double d = Double.MAX_VALUE;
    System.out.println("This value \"" + ((d * 1.1) / 1.1) + "\" cannot be represented as double.");
  }
}

Noncompliant Code Example

Native floating-point hardware provides greater range than double. On these platforms, the JIT is permitted to use floating-point registers to hold values of type float or type double (in the absence of the strictfp modifier), even though the registers support values with greater exponent range than that of the primitive types. Consequently, conversion from float to double can cause an effective loss of magnitude.

Code Block
bgColor#FFcccc

class Example {
  double d = 0.0;

  public void example() {
    float f = Float.MAX_VALUE;
    float g = Float.MAX_VALUE;
    this.d = f * g;
    System.out.println("d (" + this.d + ") might not be equal to " +
                       (f * g));
  }

  public static void main(String[] args) {
    Example ex = new Example();
    ex.example();
  }
}

Magnitude loss would also occur if the value were stored to memory �����€š�š�����‚�š����‚��“ for example, to a field of type float.

Compliant Solution

This compliant solution uses the strictfp keyword to require exact conformance with standard Java floating-point. Consequently, the intermediate value of both computations of f * g is identical to the value stored in this.d, even on platforms that support extended range exponents.

Code Block
bgColor#ccccff

strictfp class Example {
  double d = 0.0;

  public void example() {
    float f = Float.MAX_VALUE;
    float g = Float.MAX_VALUE;
    this.d = f * g;
    System.out.println("d (" + this.d + ") might not be equal to " +
                       (f * g));
  }

  public static void main(String[] args) {
    Example ex = new Example();
    ex.example();
  }
}

Exceptions

NUM06-J-EX0: This rule applies only to calculations that require consistent floating-point results on all platforms. Applications that lack this requirement need not comply.

NUM06-EX1: The strictfp modifier may be omitted when suitable numerical analysis demonstrates that the computed values meet all accuracy and behavioral requirements appropriate to the application.

Risk Assessment

Failure to use the strictfp modifier can result in nonportable, implementation-defined behavior with respect to the behavior of floating-point operations.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

NUM06-J

low

unlikely

high

P1

L3

Automated Detection

...

Related Guidelines

The CERT C Secure Coding Standard

FLP00-C. Understand the limitations of floating-point numbers

SEI CERT C++ Secure Coding Standard

VOID FLP00-CPP. Understand the limitations of floating-point numbers

Bibliography

[Darwin 2004]

Ensuring the Accuracy of Floating-Point Numbers

[JLS 2005]

�����‚�š�š§15§15.4, FP-strict Expressions

[JPL 2006]

9.1.3, Strict and Non-Strict Floating-Point Arithmetic

[McCluskey 2001]

Making Deep Copies of Objects, Using strictfp, and Optimizing String Performance

 

...

Image Added      Image AddedNUM05-J. Do not use denormalized numbers      03. Numeric Types and Operations (NUM)      Image Modified