The Java compiler type-checks the arguments to a varargs method to ensure that each of them is compatible with the declared element type of the varargs parameter. However, this compile-time checking is ineffective for two element types in particular: Object and an unbounded generic type parameter T [[Bloch 08]]. Every argument is an Object, and T is inferred from whatever arguments happen to be supplied, so neither declaration gives the compiler anything to reject.
A further requirement for strong compile-time type checking of variable argument methods is to declare the element type of the varargs parameter as specifically as possible.
Noncompliant Code Example
This noncompliant code example declares two methods, one with an Object varargs parameter and another with an unbounded generic type parameter T. Both approaches are flawed because they break strong compile-time type checking: a call with any mix of argument types compiles cleanly against either signature.
```java
// Accepts any arguments at all: every reference type is an Object
ReturnType1 suspect1(Object... args) { }

// Also accepts any arguments: T is inferred from the call site
<T> ReturnType2 suspect2(T... args) { }
```
Compliant Solution
Do not use overly general element types such as Object or an unbounded type parameter T in varargs declarations; declare the element type as specifically as possible so that the compiler can reject arguments of the wrong type.
```java
// A specific element type lets the compiler reject mismatched arguments
ReturnType1 specific1(primitiveType1... args) { }
ReturnType2 specific2(primitiveType2... args) { }
```
Retrofitting existing methods whose last parameter is an array with generically typed varargs is not always a good idea. If a call to the original method was rejected because the argument type was not accepted, the generic varargs version may now accept it, so the retrofit silently bypasses the compile-time check that the original signature provided [[Bloch 08]].
Note also that autoboxing weakens compile-time type checking between primitive types and their wrapper classes: a varargs parameter declared with a wrapper type such as Integer still accepts int arguments (and an int... parameter accepts Integer arguments), so declaring the wrapper type does not keep the primitive out, and a null element in a wrapper-typed varargs array is detected only at run time when it is unboxed.
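The following class is an added example, not code from this CERT page; the class and method names (VarargsTypeChecking, suspectObject, suspectGeneric, sumInts, sumBoxed) are hypothetical. It puts the two noncompliant declarations, a compliant specifically typed declaration, and the autoboxing caveat side by side at the call site, with the calls that the compiler rejects left as comments.

```java
import java.util.Arrays;

// Added example (not from the CERT page); names are hypothetical.
public final class VarargsTypeChecking {

    // Noncompliant: Object... accepts any mix of argument types.
    static String suspectObject(Object... args) {
        return Arrays.toString(args);
    }

    // Noncompliant: T is inferred from the arguments, so a mix of Integer,
    // String and Double is silently accepted with T as their common supertype.
    // @SafeVarargs is allowed here because the method is static.
    @SafeVarargs
    static <T> String suspectGeneric(T... args) {
        return Arrays.toString(args);
    }

    // Compliant: a specific element type. Only values assignable to int
    // are accepted; anything else is a compile-time error.
    static int sumInts(int... values) {
        int sum = 0;
        for (int v : values) {
            sum += v;
        }
        return sum;
    }

    // Wrapper-typed varargs: autoboxing means int literals still match, so
    // Integer... does not exclude primitive arguments. It also admits null,
    // which fails only at run time when it is unboxed.
    static int sumBoxed(Integer... values) {
        int sum = 0;
        for (Integer v : values) {
            sum += v; // NullPointerException if v is null
        }
        return sum;
    }

    public static void main(String[] args) {
        // Both "suspect" methods compile with a mix of unrelated types.
        System.out.println(suspectObject(1, "two", 3.0));   // [1, two, 3.0]
        System.out.println(suspectGeneric(1, "two", 3.0));  // [1, two, 3.0]

        System.out.println(sumInts(1, 2, 3));                // 6

        // Does not compile: String cannot be converted to int.
        // sumInts(1, "two", 3);

        // Autoboxing: int literals are accepted by Integer... as well.
        System.out.println(sumBoxed(1, 2, 3));               // 6

        // Still rejected at compile time: String is not an Integer.
        // sumBoxed(1, "two");

        // Accepted at compile time, fails at run time on unboxing;
        // sumInts(1, null, 3) would not even compile.
        try {
            sumBoxed(1, null, 3);
        } catch (NullPointerException e) {
            System.out.println("null element in Integer... varargs: " + e);
        }
    }
}
```

Compile and run with `javac VarargsTypeChecking.java && java VarargsTypeChecking`; uncommenting either of the commented calls produces a compile-time error, which is exactly the check the Object... and T... declarations fail to provide.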
Risk Assessment
Unmindful use of the varargs feature breaks strong compile-time type checking, may create ambiguity among overloaded methods, and diminishes code readability.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
DCL08-J | low | unlikely | medium | P2 | L3
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[Sun 06]] varargs
[[Bloch 08]] Item 42: "Use varargs judiciously"
[[Steinberg 05]] "Using the Varargs Language Feature"