Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Arrays do not override the In Java, arrays are objects and support object methods such as Object.equals() method; rather, the implementation of the equals() method compares array references rather than their contents. To . However, arrays do not support any methods besides those provided by Object. Consequently, using Object.equals() on any array compares only array references, not their contents. Programmers who wish to compare the contents of two arrays , must use the static two-argument Arrays.equals() method instead. When intentionally testing . This method considers two arrays equivalent if both arrays contain the same number of elements, and all corresponding pairs of elements in the two arrays are equivalent, according to Object.equals(). In other words, two arrays are equal if they contain equivalent elements in the same order. To test for reference equality, use the reference equality operators, == and !=. Inappropriate   

Because the effect of using Object. use of the equals() method can lead to unexpected results. Consequently, programs must reserve use of the array equality operators == and != for testing whether two array references specifically refer to the same array object, and are required to use the two-argument Arrays.equals() method for all other cases.This rule is a specialization of EXP01-J. Do not confuse abstract object equality with reference equality to compare two arrays is often misconstrued as content equality, and because a better alternative exists in the use of reference equality operators, the use of the Object.equals() method to compare two arrays is disallowed.

Noncompliant Code Example

This noncompliant code example incorrectly uses the Object.equals() method to compare two arrays.:

Code Block
bgColor#FFCCCC

public void arrayEqualsExample(){

int[] arr1 = new int[20]; // initializedInitialized to 0
int[] arr2 = new int[20]; // initializedInitialized to 0
System.out.println(arr1.equals(arr2)); // Prints false

}

Compliant Solution

This compliant solution compares the two content of two arrays using the two-argument Arrays.equals() method.:

Code Block
bgColor#ccccff
int[] arr1 = new int[20]; // Initialized to 0
int[] arr2 = new int[20]; // Initialized to 0
System.out.println(Arrays.equals(arr1, arr2)); // Prints true

Compliant Solution

This compliant solution compares the array references using the reference equality operators ==:

Code Block
bgColor#ccccff

public void arrayEqualsExample(){

int[] arr1 = new int[20]; // initializedInitialized to 0
int[] arr2 = new int[20]; // initializedInitialized to 0
ArraysSystem.out.equalsprintln(arr1, == arr2); // true

} Prints false 

Risk Assessment

Using the equals() method or relational operators with the intention of comparing array contents produces incorrect results, which can lead to vulnerabilities.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

EXP02-J

low

Low

likely

Likely

low

Low

P9

L2

Automated Detection

The Coverity Prevent Version 5.0 BAD_EQ checker can detect the instance where the == operator is being used for equality of objects when, ideally, equals() should have been used. The == operator could consider the objects to be different, whereas the equals() method would consider them to be the same.

Static detection of calls to Object.equals() is straightforward. However, it is not always possible to statically resolve the class of a method invocation's target. Consequently, it may not always be possible to determine when Object.equals() is invoked for an array type.

Tool
Version
Checker
Description
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.COMPARE.EQ
JAVA.COMPARE.EQARRAY

Should Use equals() Instead of == (Java)
equals on Array (Java)

Coverity7.5

BAD_EQ
FB.EQ_ABSTRACT_SELF
FB.EQ_ALWAYS_FALSE
FB.EQ_ALWAYS_TRUE
FB.EQ_CHECK_FOR_OPERAND_NOT_ COMPATIBLE_WITH_THIS
FB.EQ_COMPARETO_USE_OBJECT_ EQUALS
FB.EQ_COMPARING_CLASS_NAMES
FB.EQ_DOESNT_OVERRIDE_EQUALS
FB.EQ_DONT_DEFINE_EQUALS_ FOR_ENUM
FB.EQ_GETCLASS_AND_CLASS_ CONSTANT
FB.EQ_OTHER_NO_OBJECT
FB.EQ_OTHER_USE_OBJECT
FB.EQ_OVERRIDING_EQUALS_ NOT_SYMMETRIC
FB.EQ_SELF_NO_OBJECT
FB.EQ_SELF_USE_OBJECT
FB.EQ_UNUSUAL

Implemented
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.EXP02.UEICDo not use '==' or '!=' to compare objects
SonarQube
Include Page
SonarQube_V
SonarQube_V
S2159Silly equality checks should not be made

...

Related Guidelines

MITRE CWE

CWE

ID

-595,

"

Comparison of Object References Instead of Object Contents

"

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="aceb457d-605f-4b28-8180-959c0f62c80f"><ac:plain-text-body><![CDATA[

[

[API 2006

AA. Bibliography#API 06]

]

[

Class Arrays

http://download.oracle.com/javase/6/docs/api/java/util/Arrays.html]

]]></ac:plain-text-body></ac:structured-macro>

...


...

Image Added Image Added confuse abstract object equality with reference equality      02. Expressions (EXP)