Arrays do not override the Object.equals() method; rather, the implementation of the equals() method compares array references rather than their contents. Programs must use the two-argument Arrays.equals() method to compare the contents of two arrays. Programs must use the reference equality operators, == and !=, when intentionally testing reference equality. Programs must not use the array equals() method because it can lead to unexpected results.
Noncompliant Code Example
This noncompliant code example incorrectly uses the Object.equals() method to compare two arrays.

```java
public void arrayEqualsExample() {
  int[] arr1 = new int[20]; // initialized to 0
  int[] arr2 = new int[20]; // initialized to 0
  arr1.equals(arr2); // false: compares references, not contents
}
```
Compliant Solution
This compliant solution compares the two arrays using the two-argument Arrays.equals() method.

```java
import java.util.Arrays;

public void arrayEqualsExample() {
  int[] arr1 = new int[20]; // initialized to 0
  int[] arr2 = new int[20]; // initialized to 0
  Arrays.equals(arr1, arr2); // true: compares contents element by element
}
```
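The following added example (not part of the original CERT page) goes beyond the single case above: it contrasts reference and content comparison, shows that Arrays.equals() is still shallow for nested arrays (use Arrays.deepEquals()), and shows the constant-time MessageDigest.isEqual() comparison appropriate for secret byte arrays such as MACs or tokens. All sample arrays are constructed inline.

```java
import java.security.MessageDigest;
import java.util.Arrays;

public class ArrayEqualityDemo {

    // Reference comparison: true only when both variables refer to the same array object.
    // For arrays, a.equals(b) behaves exactly like a == b because Object.equals() is not overridden.
    static boolean sameReference(int[] a, int[] b) {
        return a == b;
    }

    // Content comparison for one-dimensional arrays.
    static boolean sameContents(int[] a, int[] b) {
        return Arrays.equals(a, b);
    }

    // Arrays.equals() on int[][] resolves to the Object[] overload and compares the
    // inner arrays by reference; Arrays.deepEquals() recurses into the elements.
    static boolean sameNestedContents(int[][] a, int[][] b) {
        return Arrays.deepEquals(a, b);
    }

    // For secret data compare in constant time, so the comparison's running time does
    // not depend on how many leading bytes matched (a timing side channel).
    static boolean sameSecret(byte[] expected, byte[] actual) {
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) {
        int[] arr1 = new int[20]; // constructed sample input, all zeros
        int[] arr2 = new int[20]; // constructed sample input, all zeros

        System.out.println("Object.equals() on arrays:   " + arr1.equals(arr2));
        System.out.println("reference equality (==):     " + sameReference(arr1, arr2));
        System.out.println("Arrays.equals():             " + sameContents(arr1, arr2));

        int[][] nested1 = { {1, 2}, {3, 4} }; // constructed sample input
        int[][] nested2 = { {1, 2}, {3, 4} }; // same contents, distinct inner arrays
        System.out.println("Arrays.equals() on int[][]:  " + Arrays.equals(nested1, nested2));
        System.out.println("Arrays.deepEquals():         " + sameNestedContents(nested1, nested2));

        byte[] expectedTag = { 0x01, 0x02, 0x03 }; // constructed stand-in for a MAC
        byte[] receivedTag = { 0x01, 0x02, 0x03 };
        System.out.println("MessageDigest.isEqual():     " + sameSecret(expectedTag, receivedTag));
    }
}
```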
Risk Assessment
Using the equals() method or relational operators with the intention of comparing array contents produces incorrect results, which can lead to vulnerabilities.
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| EXP02-J | low | likely | low | P9 | L2 |
Automated Detection
The Coverity Prevent Version 5.0 BAD_EQ checker can detect the instance where the == operator is being used for equality of objects when, ideally, equals() should have been used. The == operator could consider the objects to be different, whereas the equals() method would consider them to be the same.

Static detection of attempts to use array_object.equals(...) appears to be straightforward.
Related Guidelines