In Java, arrays are objects and support object methods such as Object.equals(). However, arrays do not support any methods besides those provided by Object. Consequently, using Object.equals() on any array compares only array references, not their contents. Programmers who wish to compare the contents of two arrays must use the static two-argument Arrays.equals() method. This method considers two arrays equivalent if both arrays contain the same number of elements and all corresponding pairs of elements in the two arrays are equivalent according to Object.equals(). In other words, two arrays are equal if they contain equivalent elements in the same order. To test for reference equality, use the reference equality operators, == and !=.

Because the effect of using Object.equals() to compare two arrays is often misconstrued as content equality, and because a better alternative exists in the use of reference equality operators, the use of the Object.equals() method to compare two arrays is disallowed. Programs must reserve the reference equality operators == and != for testing whether two array references refer to the same array object, and must use the two-argument Arrays.equals() method for all other cases.

This rule is a specialization of EXP01-J. Do not confuse abstract object equality with reference equality.
Noncompliant Code Example
This noncompliant code example incorrectly uses the Object.equals() method to compare two arrays:

```java
public void arrayEqualsExample() {
  int[] arr1 = new int[20]; // Initialized to 0
  int[] arr2 = new int[20]; // Initialized to 0
  System.out.println(arr1.equals(arr2)); // Prints false: compares references, not contents
}
```
Compliant Solution
This compliant solution compares the contents of the two arrays using the two-argument Arrays.equals() method:

```java
import java.util.Arrays;

public void arrayEqualsExample() {
  int[] arr1 = new int[20]; // Initialized to 0
  int[] arr2 = new int[20]; // Initialized to 0
  System.out.println(Arrays.equals(arr1, arr2)); // Prints true: same length, same elements
}
```
Compliant Solution
This compliant solution compares the array references using the reference equality operator ==:

```java
public void arrayEqualsExample() {
  int[] arr1 = new int[20]; // Initialized to 0
  int[] arr2 = new int[20]; // Initialized to 0
  System.out.println(arr1 == arr2); // Prints false: two distinct array objects
}
```
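The following added example (written for this page, not CERT's own code) puts the three comparisons side by side and goes one step beyond the rule text: nested arrays need Arrays.deepEquals(), because Arrays.equals() compares the inner arrays by reference, and byte arrays holding secrets such as MAC tags or hashes should be compared with MessageDigest.isEqual(), which does not stop at the first mismatching byte. All inputs are constructed for the demonstration.

```java
import java.security.MessageDigest;
import java.util.Arrays;

public final class ArrayComparison {

    /** Reference equality: true only when both variables name the same array object. */
    static boolean sameReference(int[] a, int[] b) {
        return a == b; // for arrays this is exactly what a.equals(b) computes
    }

    /** Content equality for one-dimensional arrays (same length, same elements in order). */
    static boolean sameContents(int[] a, int[] b) {
        return Arrays.equals(a, b);
    }

    /** Nested arrays: Arrays.equals compares inner references, deepEquals recurses into contents. */
    static boolean sameNestedContents(int[][] a, int[][] b) {
        return Arrays.deepEquals(a, b);
    }

    /** Secret-bearing byte arrays: constant-time comparison that examines every byte. */
    static boolean sameSecret(byte[] expected, byte[] supplied) {
        return MessageDigest.isEqual(expected, supplied);
    }

    public static void main(String[] args) {
        int[] arr1 = new int[20]; // constructed input, all zeros
        int[] arr2 = new int[20]; // constructed input, all zeros

        System.out.println(arr1.equals(arr2));          // false: Object.equals compares references
        System.out.println(sameReference(arr1, arr2));   // false: distinct objects
        System.out.println(sameReference(arr1, arr1));   // true: same object
        System.out.println(sameContents(arr1, arr2));    // true: equal length and elements

        int[][] nested1 = { {1, 2}, {3, 4} };            // constructed nested input
        int[][] nested2 = { {1, 2}, {3, 4} };
        System.out.println(Arrays.equals(nested1, nested2));      // false: inner arrays compared by reference
        System.out.println(sameNestedContents(nested1, nested2)); // true: contents compared recursively

        byte[] tag = {0x01, 0x02, 0x03};                 // constructed "expected" value
        byte[] copy = tag.clone();
        System.out.println(sameSecret(tag, copy));       // true, and timing does not leak the mismatch position
    }
}
```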
Risk Assessment
Using the equals() method or relational operators with the intention of comparing array contents produces incorrect results, which can lead to vulnerabilities.

Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
EXP02-J | Low | Likely | Low | P9 | L2
Automated Detection
The Coverity Prevent Version 5.0 BAD_EQ checker can detect the instance where the == operator is being used for equality of objects when, ideally, equals() should have been used. The == operator could consider the objects to be different, whereas the equals() method would consider them to be the same.

Static detection of calls to Object.equals() is straightforward. However, it is not always possible to statically resolve the class of a method invocation's target. Consequently, it may not always be possible to determine when Object.equals() is invoked for an array type.

Tool | Version | Checker | Description
---|---|---|---
CodeSonar | | JAVA.COMPARE.EQ | Should Use equals() Instead of == (Java)
Coverity | 7.5 | BAD_EQ | Implemented
Parasoft Jtest | | CERT.EXP02.UEIC | Do not use '==' or '!=' to compare objects
SonarQube | | S2159 | Silly equality checks should not be made