Decimal Literal decimal floating-point numbers cannot always be precisely represented as a BigDecimal if an IEEE 754 floating-point value. Consequently, the BigDecimal(double val) constructor is usedmust not be passed a floating-point literal as an argument when doing so results in an unacceptable loss of precision.
Noncompliant Code Example
This noncompliant code example passes a double value to the BigDecimal constructor. Because of thisthe decimal literal 0.1 cannot be precisely represented by a double, precision of the literal BigDecimal is affected.
| Code Block | ||
|---|---|---|
| ||
// printsPrints 0.1000000000000000055511151231257827021181583404541015625 // when run in FP-strict mode System.out.println(new BigDecimal(0.1)); |
Compliant Solution
This compliant solution passes the decimal literal as a String so that the BigDecimal(String val) constructor is invoked . and the precision is preserved:
| Code Block | ||
|---|---|---|
| ||
// printsPrints 0.1 // when run in FP-strict mode System.out.println(new BigDecimal(""0.1"")); |
Risk Assessment
Using the BigDecimal constructor that accepts decimal (double val) constructor with decimal floating-point literals can lead to loss of precision.
Rule | Severity | Likelihood | Detectable |
|---|
Repairable | Priority | Level |
|---|
NUM10-J | Low |
Probable |
Yes |
Yes | P6 | L2 |
Automated Detection
...
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Automated detection is straightforward.
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Klocwork |
| JAVA.BIGDEC.FLOAT | |||||||
| Parasoft Jtest |
| CERT.NUM10.BBDCC | Do not pass floating point values to the 'BigDecimal' constructor | ||||||
| PVS-Studio |
| V6068 | |||||||
| SonarQube |
| S2111 | "BigDecimal(double)" should not be used |
Bibliography
...
References
[JLS 05]
FLP32-J. Range check before casting floating point numbers to narrower types 07. Floating Point (FLP) 07. Floating Point (FLP)