We have a first code audit coming up and I was told by someone that not using strictfp for floating point arithmetic might get us flagged. Software is coded on Windows machine and deployed to Solaris machines for production use. Any suggestions about it being true?
Also, if not using 'strictfp`can make floating point arithmetic code non - compliant or non - portable, why is doing computation in non - strictfp way allowed anyway?
CERT Secure Coding Standards, NUM53-J makes me feel like it's mandatory to use strictfp:
Programs that require consistent results from floating-point operations across different JVMs and platforms must use the strictfp modifier.
If your application needs floating-point operations to be consistent between different JVMs, then yes, you need strictfp. If it doesn't, then no, you don't. Some applications don't need consistency and benefit from the potential for greater precision during intermediate steps of calculations that not using strictfp can offer. Others need to give exactly the same output for the same inputs, and thus require strictfp to guarantee that output portably.