Arrays do not override the Object.equals() method; the implementation of the equals() method compares array references rather than their contents. Programs Programmers who wish to compare the contents of two arrays must use the twothe two-argument Arrays.equals() method to compare the contents of two arrays. Programs must . Two arrays are considered equal if both arrays contain the same number of elements, and all corresponding pairs of elements in the two arrays are equal. In other words, two arrays are equal if they contain the same elements in the same order. To test for reference equality, programmers can use the reference equality operators, == and !=, when intentionally testing reference equality.. Because the effect of using Object.equals() to compare two arrays is often misunderstood, and because a better alternative exists in the use of reference equality operators, the use of the Object.equals() method to compare two arrays is disallowed by this rule.
Noncompliant Code Example
This noncompliant code example incorrectly uses the Object.equals() method to compare two arrays.
| Code Block | ||
|---|---|---|
| ||
public void arrayEqualsExamplearraysEqual() { int[] arr1 = new int[20]; // initialized to 0 int[] arr2 = new int[20]; // initialized to 0 arr1.equals(arr2); // false } |
Compliant Solution
This compliant solution compares the two content of two arrays using the two-argument Arrays.equals() method.
| Code Block | ||
|---|---|---|
| ||
public void arrayEqualsExamplearrayContentsEqual() { int[] arr1 = new int[20]; // initialized to 0 int[] arr2 = new int[20]; // initialized to 0 Arrays.equals(arr1, arr2); // true } |
Compliant Solution
This compliant solution compares the array references using the reference equality operators ==.
| Code Block | ||
|---|---|---|
| ||
public void arrayReferencesEqual(int[] arr1, int[] arr2) {
arr1 = arr2;
}
|
Risk Assessment
Using the equals() method or relational operators with the intention of comparing array contents produces incorrect results, which can lead to vulnerabilities.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
EXP02-J | Low | Likely | Low | P9 | L2 |
Automated Detection
Static detection of calls to to Object.equals() is straightforward. However, it is not always possible to statically resolve the class of a method invocation's target. Consequently, it may not always be possible to determine when Object.equals() is invoked for an array type.Also, it is not possible to determine whether or not use of reference equality (operators == and !=) is intentional.
Tool | Version | Checker | Description |
|---|---|---|---|
| Coverity | 7.5 | BAD_EQ FB.EQ_ABSTRACT_SELF FB.EQ_ALWAYS_FALSE FB.EQ_ALWAYS_TRUE FB.EQ_CHECK_FOR_OPERAND_NOT_ COMPATIBLE_WITH_THIS FB.EQ_COMPARETO_USE_OBJECT_ EQUALS FB.EQ_COMPARING_CLASS_NAMES FB.EQ_DOESNT_OVERRIDE_EQUALS FB.EQ_DONT_DEFINE_EQUALS_ FOR_ENUM FB.EQ_GETCLASS_AND_CLASS_ CONSTANT FB.EQ_OTHER_NO_OBJECT FB.EQ_OTHER_USE_OBJECT FB.EQ_OVERRIDING_EQUALS_ NOT_SYMMETRIC FB.EQ_SELF_NO_OBJECT FB.EQ_SELF_USE_OBJECT FB.EQ_UNUSUAL | Implemented |
Related Guidelines
Bibliography
...
EXP01-J. Never dereference null pointers 02. Expressions (EXP)