...
This compliant solution demonstrates correct use both of both a shallow copy (for the array of {{int}}s) and also of a deep copy (for the array of cookies).
...
This compliant solution protects against potential malicious overriding by creating a new instance of the non-final mutable input, using the expected class rather than the actual class of the potentially malicious provided object. The newly created instance can be forwarded to any code capable of modifying it.
...
Some objects appear to be immutable because they have no mutator methods. For example, the java.lang.CharacterSequence interface describes an immutable sequence of characters. Note, however, that a variable of type CharacterSequence is a reference to an underlying object of some other class that implements the CharacterSequence interface; that other class may be mutable. When the underlying object changes, the CharacterSequence changes. Essentially, the java.lang.CharacterSequence interface omits methods that would permit object mutation through that interface, but lacks any guarantee of true immutability. Such objects must be defensively copied before use. It is also permissible to use For the case of the java.lang.CharacterSequence interface, one permissible approach is to obtain an immutable copy of the characters by using the toString() method to make them immutable before passing them as parameters. Mutable fields should not be stored in static variables. When there is no other alternative, create defensive copies of the fields to avoid exposing them to untrusted code.
...