Page History

Arrays do not override the In Java, arrays are objects and support object methods such as Object.equals() method; the implementation of the . However, arrays do not support any methods besides those provided by Object. Consequently, using Object.equals() method on any array compares only array references rather than , not their contents. Programs Programmers who wish to compare the contents of two arrays must use the static two-argument Arrays.equals() method to compare the contents of two arrays. Programs must . This method considers two arrays equivalent if both arrays contain the same number of elements, and all corresponding pairs of elements in the two arrays are equivalent, according to Object.equals(). In other words, two arrays are equal if they contain equivalent elements in the same order. To test for reference equality, use the reference equality operators, == and !=, when intentionally testing reference equality. Programs also must not use the array .

Because the effect of using Object.equals() to compare two arrays is often misconstrued as content equality, and because a better alternative exists in the use of reference equality operators, the use of the Object.equals() method because it can lead to unexpected resultsto compare two arrays is disallowed.

Noncompliant Code Example

This noncompliant code example incorrectly uses the Object.equals() method to compare two arrays.:

Code Block

bgColor	#FFCCCC


public void arrayEqualsExample() {
  int[] arr1 = new int[20]; // initializedInitialized to 0
  int[] arr2 = new int[20]; // initializedInitialized to 0
  System.out.println(arr1.equals(arr2)); // Prints false
}

Compliant Solution

This compliant solution compares the two content of two arrays using the two-argument Arrays.equals() method.:

Code Block

bgColor	#ccccff

int[] arr1 = new int[20]; // Initialized to 0
int[] arr2 = new int[20]; // Initialized to 0
System.out.println(Arrays.equals(arr1, arr2)); // Prints true

Compliant Solution

This compliant solution compares the array references using the reference equality operators ==:

Code Block

bgColor	#ccccff


public void arrayEqualsExample() {
  int[] arr1 = new int[20]; // initializedInitialized to 0
  int[] arr2 = new int[20]; // initializedInitialized to 0
  Arrays.equalsSystem.out.println(arr1, == arr2); // true
}
Prints false

Risk Assessment

Using the equals() method or relational operators with the intention of comparing array contents produces incorrect results, which can lead to vulnerabilities.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
EXP02-J

low

Low

likely

Likely

low

Low

P9

L2

Automated Detection

Static detection of calls to ArraysObject.equals(), as well as calls to is straightforward. However, it is not always possible to statically resolve the class of a method invocation's target. Consequently, it may not always be possible to determine when Object.equals() and invocations of the == operator is straightforward. is invoked for an array type.

Tool

Version

Checker

Description

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

JAVA.COMPARE.EQ
JAVA.COMPARE.EQARRAY

Should Use equals() Instead of == (Java)
equals on Array (Java)

Coverity

7.5

BAD_EQ
FB.EQ_ABSTRACT_SELF
FB.EQ_ALWAYS_FALSE
FB.EQ_ALWAYS_TRUE
FB.EQ_CHECK_FOR_OPERAND_NOT_ COMPATIBLE_WITH_THIS
FB.EQ_COMPARETO_USE_OBJECT_ EQUALS
FB.EQ_COMPARING_CLASS_NAMES
FB.EQ_DOESNT_OVERRIDE_EQUALS
FB.EQ_DONT_DEFINE_EQUALS_ FOR_ENUM
FB.EQ_GETCLASS_AND_CLASS_ CONSTANT
FB.EQ_OTHER_NO_OBJECT
FB.EQ_OTHER_USE_OBJECT
FB.EQ_OVERRIDING_EQUALS_ NOT_SYMMETRIC
FB.EQ_SELF_NO_OBJECT
FB.EQ_SELF_USE_OBJECT
FB.EQ_UNUSUAL