
We have a first code audit coming up and I was told by someone that not using strictfp for floating point arithmetic might get us flagged. Software is coded on Windows machine and deployed to Solaris machines for production use. Any suggestions about it being true?

Also, if not using `strictfp` can make floating point arithmetic code non-compliant or non-portable, why is doing computation in a non-strictfp way allowed anyway?

CERT Secure Coding Standards, NUM53-J makes me feel like it's mandatory to use strictfp:

Programs that require consistent results from floating-point operations across different JVMs and platforms must use the strictfp modifier.

Binkan Salaryman
Sabir Khan
    Don't just link, also quote the relevant bit. I've guessed at the bit you probably meant. – T.J. Crowder Dec 21 '15 at 09:02
  • If you're deploying it to Windows or Solaris on Intel hardware then it makes no difference whether you have strictfp or not. (But if there is any chance that you deploy to hardware for which strictfp does make a difference, then it's a good idea to have strictfp all over your code) See answers to one of my older questions: https://stackoverflow.com/questions/22562510/does-java-strictfp-modifier-have-any-effect-on-modern-cpus – Erwin Bolwidt Dec 21 '15 at 09:04
  • When you say "non-compliant" - non-compliant with what? – Klitos Kyriacou Dec 21 '15 at 09:07
  • @KlitosKyriacou - for portability. – Sabir Khan Dec 21 '15 at 09:13
  • @Erwin - Thanks, thats very helpful. Developer machines are Intel ones, trying to find production server details. – Sabir Khan Dec 21 '15 at 09:16
  • @Sabir_Khan: Yes, but production server details can change over time, as can developer machine details. – T.J. Crowder Dec 21 '15 at 09:34
  • @T.J.Crowder: Thanks for pointing out the root of the problem and the usage of BigDecimal or similar techniques. There are places in the code (old pieces) where the integer + scale way is not being followed but pure floats and doubles. We need to correct that. – Sabir Khan Dec 21 '15 at 10:49
  • @Sabir_Khan: Good deal, glad to have helped. Good luck with the audit (not that it sounds like you need luck)! – T.J. Crowder Dec 21 '15 at 11:19

1 Answer

If your application needs floating-point operations to be consistent between different JVMs, then yes, you need strictfp. If it doesn't, then no, you don't. Some applications don't need consistency and benefit from the potential for greater precision during intermediate steps of calculations that not using strictfp can offer. Others need to give exactly the same output for the same inputs, and thus require strictfp to guarantee that output portably.

T.J. Crowder
  • In my application, consistency (same end result everywhere) matters as the product deals with mortgage interest rates and stuff like that. I am guessing that we need strictfp. – Sabir Khan Dec 21 '15 at 09:18
  • @Sabir_Khan: If you're dealing with mortgage interest rates and other financial calculations, surely `strictfp` is irrelevant to your application, as it [only applies to `double` and `float`](https://docs.oracle.com/javase/specs/jls/se8/html/jls-8.html#jls-8.1.1.3). You're not using `double`s or `float`s for financial calculations, are you? If so, you have a much bigger audit note coming. For financials, usually you want `BigDecimal` (or a direct implementation of its technique, which is to use an integer value and a scale). – T.J. Crowder Dec 21 '15 at 09:31