Sometimes it is desirable to obtain consistent results from floating point operations across different JVMs and platforms. This guarantee is provided by the strictfp modifier. On the downside, intermediate operations are more likely to overflow or underflow when strictfp is used, because platform-specific floating point behavior (such as extended exponent ranges) is disregarded. This trade-off is unavoidable when portability is the main concern. The strictfp modifier can be applied to a class, method or interface.
| Usage | Strictness Behavior | 
|---|---|
| Class | All code in the class, including instance initializers, variable initializers, static initializers, and code in nested classes | 
| Method | All code within the method is subject to strictness constraints | 
| Interface | All code in the class that implements the interface is also strict | 
An expression is strict if any of its enclosing classes, methods or interfaces is declared strictfp. Constant expressions containing floating point operations are also evaluated strictly: all compile-time constant expressions are strictfp by default.
Notably, strict behavior is not inherited by a subclass that extends a strictfp superclass. An overriding method may independently choose to be strictfp when the overridden method is not, or vice versa.
Noncompliant Code Example
This noncompliant code example does not enforce the strictfp constraints. Double.MAX_VALUE is multiplied by 1.1 and then reduced back by dividing by 1.1, following the left-to-right evaluation order. JVM implementations are not required to report an overflow resulting from the initial multiplication, although they may choose to treat this case as strictfp. The ability to use extended exponent ranges to represent intermediate values is implementation-defined, so the printed value may differ between platforms.

```java
class Strictfp {
  public static void main(String[] args) {
    double d = Double.MAX_VALUE;
    // Not FP-strict: the intermediate product d * 1.1 may be held with an
    // extended exponent range, so the result is implementation-defined.
    System.out.println("This value \"" + ((d * 1.1) / 1.1) + "\" cannot be represented as double.");
  }
}
```
Compliant Solution
To be compliant, apply the strictfp modifier to the class, method or interface that contains the expression, so that intermediate results cannot vary because of implementation-defined compiler optimizations or platform design. This code snippet is guaranteed to print positive infinity because the intermediate multiplication overflows.

```java
strictfp class Strictfp {
  public static void main(String[] args) {
    double d = Double.MAX_VALUE;
    // FP-strict: d * 1.1 overflows to +Infinity on every platform, and
    // Infinity / 1.1 remains Infinity.
    System.out.println("This value \"" + ((d * 1.1) / 1.1) + "\" cannot be represented as double.");
  }
}
```
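The following is an added example, not code from the original rule page, showing strictfp at method granularity next to a non-strict method with the same expression, together with the explicit check a practitioner would want instead of trusting printed output. The class and method names are chosen for this example.

```java
// Added example (not from the original rule page). Demonstrates method-level
// strictfp versus a non-strict method, and checks the result explicitly.
public final class StrictfpScaleDemo {

    // Method-level strictness: only expressions inside this method are
    // FP-strict, regardless of how the enclosing class is declared.
    static strictfp double scaleAndUnscaleStrict(double d) {
        // d * 1.1 must overflow to +Infinity; Infinity / 1.1 stays Infinity.
        return (d * 1.1) / 1.1;
    }

    // Non-strict method: a JVM is permitted to keep d * 1.1 in an extended
    // exponent range, so the result is implementation-defined here.
    static double scaleAndUnscaleLoose(double d) {
        return (d * 1.1) / 1.1;
    }

    // Portable check: callers should test for the overflow rather than
    // assuming a finite value came back.
    static boolean overflowedToPositiveInfinity(double v) {
        return v == Double.POSITIVE_INFINITY;
    }

    public static void main(String[] args) {
        double strict = scaleAndUnscaleStrict(Double.MAX_VALUE);
        double loose = scaleAndUnscaleLoose(Double.MAX_VALUE);

        // Guaranteed by strictfp on every conforming JVM.
        if (!overflowedToPositiveInfinity(strict)) {
            throw new AssertionError("strictfp result must be +Infinity, got " + strict);
        }
        System.out.println("strict : " + strict);

        // Not guaranteed: may print Infinity or a finite value near MAX_VALUE
        // depending on the platform's intermediate representation.
        System.out.println("loose  : " + loose
                + (overflowedToPositiveInfinity(loose) ? " (overflowed)" : " (finite)"));
    }
}
```

Since Java 17 (JEP 306) all floating point expressions are FP-strict and the modifier is redundant, so the two methods above can only diverge on older JVMs.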
Risk Assessment
Not using the strictfp modifier can result in platform-defined behavior with respect to the accuracy of floating point operations.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level | 
|---|---|---|---|---|---|
| FLP04-J | low | unlikely | high | P1 | L3 | 
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.