SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 4

changes.mady.by.user Fred Long

Saved on

compared with

New Version 5

changes.mady.by.user Ankur Goyal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by sciSpider Java v3.0

Wiki Markup
The Java compiler type-checks the arguments to a varargs method to ensure that they are of the same type or object reference. However, the compile-time checking is ineffective when two method signatures are used in particular - {{Object}} and the generic type {{T}} \[[Bloch 08|AA. Java References#Bloch 08]\].

Another requirement for providing strong compile-time type checking of variable argument methods is to be as specific as possible when declaring the type of the method parameter.

Noncompliant Code Example

This noncompliant code example declares two methods, one with an Object parameter and another with a generic type T. Both these approaches are flawed as they break string compile-time type checking.

Code Block
bgColor#FFCCCC
ReturnType1 suspect1(Object... args) { }
<T> ReturnType2 suspect2(T... args) { }

Compliant Solution

Do not use generic types like Object in varargs and be as specific as possible when declaring parameter types.

Code Block
bgColor#ccccff
ReturnType1 specific1(primitiveType1... args) { }
ReturnType2 specific2(primitiveType2... args) { }

Noncompliant Code Example

This noncompliant code example shows autoboxing in action when the doSomething method is called with the primitive integer 1 as a parameter (converted to Integer type).

Code Block
bgColor#FFCCCC
doSomething(1)

private void doSomething(Integer... i) {
  System.out.println("autoboxed");
}

Compliant Solution

Be as specific as possible while defining the type of a varargs method to enforce strong compile-time checking.

Code Block
bgColor#ccccff
doSomething(1)

private void doSomething(int... i) { // use int instead of Integer here
  System.out.println("specific");
}

Wiki Markup
Retrofitting old methods containing {{final}} array parameters with generically typed varargs is not always a good idea. This is because if some method did not accept an argument of a particular type, it may be possible to override the compile-time checking so that with the use of generic varargs, it now compiles cleanly. \[[Bloch 08|AA. Java References#Bloch 08]\]

Risk Assessment

Unmindful use of the varargs feature breaks strong compile-time type checking, may create ambiguity and diminish code readability.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

DCL08- J

low

unlikely

medium

P2

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[Sun 06|AA. Java References#Sun 06]\] [varargs|http://java.sun.com/j2se/1.5.0/docs/guide/language/varargs.html] 
\[[Bloch 08|AA. Java References#Bloch 08]\] Item 42: "Use varargs judiciously"
\[[Steinberg 05|AA. Java References#Steinberg 05]\] "Using the Varargs Language Feature"

DCL07-J. Ensure failure atomicity by declaring class and instance variables final and initializing immediately      02. Declarations and Initialization (DCL)      02. Declarations and Initialization (DCL)