Comment: Parasoft Jtest 2021.1

The enhanced for statement introduced in Java 1.5, commonly referred to as the for-each idiom, is designed for iteration through Collections and arrays. While similar to the usual for statement, this idiom cannot be used to assign values or initialize data.

The Java Language Specification (JLS) provides the following example of the enhanced for statement in §14.14.2, "The Enhanced for Statement" [JLS 2014]:

The enhanced for statement is equivalent to a basic for statement of the form:

for (I #i = Expression.iterator(); #i.hasNext(); ) {
    {VariableModifier} TargetType Identifier =
        (TargetType) #i.next();
    Statement
}

#i is an automatically generated identifier that is distinct from any other identifiers (automatically generated or otherwise) that are in scope...at the point where the enhanced for statement occurs.

Unlike the basic for statement, assignments to the loop variable fail to affect the loop's iteration order over the underlying set of objects. Consequently, an assignment to the loop variable is equivalent to modifying a variable local to the loop body whose initial value is the object referenced by the loop iterator. This modification is not necessarily erroneous but can obscure the loop functionality or indicate a misunderstanding of the underlying implementation of the enhanced for statement.
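The equivalence described above, written out by hand as an added example (not code from the original page or the JLS). The class and method names are assumptions, and ListIterator.set is shown as one way to replace an element in the underlying list:

```java
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.ListIterator;

public class EnhancedForDesugared {

  // Hand-written form of: for (Integer i : list) { i = 99; }
  // The assignment rebinds a local variable and never touches the list.
  static void assignLoopVariable(List<Integer> list) {
    for (Iterator<Integer> it = list.iterator(); it.hasNext(); ) {
      Integer i = it.next();   // fresh local on every pass
      i = Integer.valueOf(99); // rebinds i; the list still holds the old element
    }
  }

  // Replacing an element has to go through the list itself, here via
  // ListIterator.set, which overwrites the element last returned by next().
  static void replaceFirst(List<Integer> list, Integer replacement) {
    ListIterator<Integer> it = list.listIterator();
    if (it.hasNext()) {
      it.next();
      it.set(replacement);
    }
  }

  public static void main(String[] args) {
    // Constructed sample data, same values as the example on this page.
    // Arrays.asList returns a fixed-size list that still supports set().
    List<Integer> list = Arrays.asList(13, 14, 15);

    assignLoopVariable(list);
    System.out.println("After assigning to the loop variable: " + list);

    replaceFirst(list, 99);
    System.out.println("After ListIterator.set: " + list);
  }
}
```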

Declare all enhanced for statement loop variables final. The final declaration causes Java compilers to flag and reject any assignments made to the loop variable.

Noncompliant Code Example

This noncompliant code example attempts to process a collection of integers using an enhanced for loop. It further intends to modify one item in the collection for processing:

List<Integer> list = Arrays.asList(new Integer[] {13, 14, 15});
boolean first = true;

System.out.println("Processing list...");
for (Integer i: list) {
  if (first) {
    first = false;
    i = new Integer(99);
  }
  System.out.println(" New item: " + i);
  // Process i
}

System.out.println("Modified list?");
for (Integer i: list) {
  System.out.println("List item: " + i);
}

However, this code does not actually modify the list, as shown by the program's output:

Processing list...
New item: 99
New item: 14
New item: 15
Modified list?
List item: 13
List item: 14
List item: 15

Compliant Solution

Declaring i to be final mitigates this problem by causing the compiler to reject any assignment of a new value to i:

// ...
for (final Integer i: list) {

// ...

Compliant Solution

This compliant solution processes the "modified" list but leaves the actual list unchanged:

// ...
 
for (final Integer i: list) {
  Integer item = i;
  if (first) {
    first = false;
    item = new Integer(99);
  }
  System.out.println(" New item: " + item);
  // Process item
}

// ...

Risk Assessment

Assignments to the loop variable of an enhanced for loop (for-each idiom) fail to affect the overall iteration order, lead to programmer confusion, and can leave data in a fragile or inconsistent state.

Rule      Severity   Likelihood   Remediation Cost   Priority   Level
DCL02-J   Low        Unlikely     Low                P3         L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

TODO

References

[JLS 05] 14.14.2 "The enhanced for statement"

Tool             Version      Checker            Description
Parasoft Jtest   Parasoft_V   CERT.DCL02.ITMOD   Do not modify collection while iterating over it
