The Java language provides two primitive types, float and double, which "are conceptually associated with the single-precision 32-bit and double-precision 64-bit format IEEE 754 values and operations as specified in IEEE Standard for Binary Floating-Point Arithmetic, ANSI/IEEE Standard 754-1985 (IEEE, New York)" ([[JLS 2005]] Section 4.2.3
"Floating-Point Types, Formats, and Values"). Each of the floating point types has a fixed, limited number of mantissa bits. Consequently, it is impossible to precisely represent any irrational number (e.g. pi). Further, because these types use a binary mantissa, they cannot precisely represent many finite decimal numbers, such as 1/10, because these numbers have repeating binary representations.
Avoid using the primitive floating point types when precise computation is necessary, and especially when performing currency calculations. Rather, consider alternative representations that are be able to completely represent the necessary values. Whatever representation you choose, carefully and methodically estimate the maximum cumulative error of the computations to ensure that the resulting error is within tolerances. Consider using numerical analysis to properly understand the problem. See [[Goldberg 1991]] for an introduction to these issues.
Noncompliant Code Example
This noncompliant code example performs some basic currency calculations.
double dollar = 1.0;
double dime = 0.1;
int number = 7;
System.out.println ("A dollar less " + number + " dimes is $" +
(dollar - number * dime) );
Unfortunately, because of the 1/10 cannot be represented precisely in any binary floating point format, this program prints:
A dollar less 7 dimes is $0.29999999999999993
Compliant Solution
This compliant solution uses an integer type (such as long) and works in cents rather than dollars.
long dollar = 100;
long dime = 10;
int number = 7;
System.out.println ("A dollar less " + number + " dimes is " +
(dollar - number * dime) + " cents" );
This code outputs: A dollar less 7 dimes is 30 cents
Compliant Solution
An alternative approach is to use the BigDecimal type, though it is less efficient.
import java.math.BigDecimal;
BigDecimal dollar = new BigDecimal("1.0");
BigDecimal dime = new BigDecimal("0.1");
int number = 7;
System.out.println ("A dollar less " + number + " dimes is $" +
(dollar.subtract(new BigDecimal(number).multiply(dime) )) );
This code outputs: A dollar less 7 dimes is $0.3
Risk Assessment
Using a representation other than floating point may allow for more precision and accuracy for critical arithmetic.
Guideline |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
FLP00-J |
low |
probable |
high |
P2 |
L3 |
Automated Detection
Automated detection of floating point arithmetic is straight-forward; determining which code suffers from insufficient precision is not feasible in the general case. Heuristic checks, such as flagging floating point literals that cannot be represented precisely, may be useful.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Other Languages
This guideline appears in the C Secure Coding Standard as FLP02-C. Avoid using floating point numbers when precise computation is needed.
This guideline appears in the C++ Secure Coding Standard as FLP02-CPP. Avoid using floating point numbers when precise computation is needed.
Bibliography
[[Bloch 2008]] Item 48: Avoid float and double if exact answers are required
[[Bloch 2005]] Puzzle 2: Time for a Change
[[Goldberg 1991]]
[[JLS 2005]] Section 4.2.3, Floating-Point Types, Formats, and Values
07. Floating Point (FLP) 07. Floating Point (FLP) FLP01-J. Take care in rearranging floating point expressions