The conditional operator ?:
uses the boolean
value of its first operand to decide which of the other two expressions will be evaluated (see JLS Section 15.25, "Conditional Operator ? :
".)
The general form of a Java conditional expression is operand1 ? operand2 : operand3
.
- If the value of the first operand (
operand1
) istrue
, then the second operand expression (operand2
) is chosen. - If the value of the first operand is
false
, then the third operand expression (operand3
) is chosen.
The conditional operator is syntactically right-associative; for example, a?b:c?d:e?f:g
is equivalent to a?b:(c?d:(e?f:g))
.
The JLS-defined rules for determining the type of the result of a conditional expression (tabulated below) are complicated; programmers could be surprised by the type conversions required for expressions they have written.
Result type determination begins from the top of the table; the compiler applies the first matching rule. The "Operand 2" and "Operand 3" columns refer to operand2
and operand3
(from the above definition), respectively. In the table, constant int
refers to constant expressions of type int
(such as '0' or variables declared final
).
Rule |
Operand 2 |
Operand 3 |
Resultant type |
---|---|---|---|
1 |
type T |
type T |
type T |
2 |
|
|
|
3 |
|
|
|
4 |
|
|
|
5 |
|
|
|
6 |
|
|
|
7 |
|
|
|
8 |
|
|
|
9 |
|
|
|
10 |
other numeric |
other numeric |
promoted type of the 2nd and 3rd operands |
11 |
T1 = boxing conversion (S1) |
T2 = boxing conversion(S2) |
apply capture conversion to lub(T1,T2) |
See JLS Section 5.1.7, "Boxing Conversion"; JLS Section 5.1.10, "Capture Conversion"; and JLS Section 15.12.2.7, "Inferring Type Arguments Based on Actual Arguments" for additional information on the final table entry.
The complexity of the rules that determine the result type of a conditional expression can lead to unintended type conversions. Consequently, the second and third operands of each conditional expression should have identical types. This recommendation also applies to boxed primitives.
Noncompliant Code Example
In this noncompliant code example, the programmer expects that both print statements will print the value of alpha
as a char
— A
. The first print statement does print A
, because the compiler applies the eighth rule from the result type determination table to determine that the second and third operands of the conditional expression are, or are converted to, type char
. However, the second print statement prints 65
— the value of alpha
as an int
. The first matching rule from the table above is the tenth rule; consequently, the compiler promotes the value of alpha
to type int
.
public class Expr { public static void main(String[] args) { char alpha = 'A'; int i = 0; /* other code. Value of i may change */ boolean trueExp = ...; // some expression that evaluates to true System.out.print(trueExp ? alpha : 0); // prints A System.out.print(trueExp ? alpha : i); // prints 65 } }
Compliant Solution
This compliant solution uses identical types for the second and third operands of each conditional expression; the explicit casts specify the type expected by the programmer.
public class Expr { public static void main(String[] args) { char alpha = 'A'; int i = 0; boolean trueExp = ...; // some expression that evaluates to true System.out.print(trueExp ? alpha : ((char) 0)); // prints A // Deliberate narrowing cast of i; possible truncation OK System.out.print(trueExp ? alpha : ((char) i)); // prints A } }
Note that the explicit cast in the first conditional expression is redundant; that is, the value printed remains identical whether the cast is present or absent. Nevertheless, use of the redundant cast is good practice; it serves as an explicit indication of the programmer's intent, and consequently improves maintainability. When the value of i
in the second conditional expression falls outside the range that can be represented as a char
, the explicit cast will truncate its value. This usage complies with exception EXP13-EX1 of guideline NUM15-J. Ensure conversions of numeric types to narrower types do not result in lost or misinterpreted data.
Noncompliant Code Example
This noncompliant code example prints 100 as the size of the HashSet
rather than the expected result (some value between 0 and 50). The combination of values of types short
and int
in the second argument of the conditional expression (the operation i-1
) causes the result to be an int
as specified by the normal integer promotion rules. Consequently, the Short
object in the third argument is autounboxed into a short
, which is then promoted into an int
. The result of the conditional expression is then autoboxed into an object of type Integer
. Because the HashSet
contains only values of type Short
, the call to HashSet.remove()
has no effect.
public class ShortSet { public static void main(String[] args) { HashSet<Short> s = new HashSet<Short>(); for (short i = 0; i < 100; i++) { s.add(i); // Cast of i-1 is safe, because value is always representable Short workingVal = (short) (i-1); ... // other code may update workingVal s.remove(((i & 1) == 0) ? i-1 : workingVal); } System.out.println(s.size()); } }
Compliant Solution
This compliant solution casts the second operand to type short
, then explicitly invokes the Short.valueOf
method to create a Short
instance whose value is i - 1
. Consequently, the second and third operands of the conditional expression both have type Short
, and the remove()
call has the expected result.
public class ShortSet { public static void main(String[] args) { HashSet<Short> s = new HashSet<Short>(); for (short i = 0; i < 100; i++) { s.add(i); // Cast of i-1 is safe, because value is always representable Short workingVal = (short) (i-1); ... // other code may update workingVal // Cast of i-1 is safe, because value is always representable s.remove(((i & 1) == 0) ? Short.valueOf((short) (i-1)) : workingVal); } System.out.println(s.size()); } }
Writing the conditional expression as ((i & 1) == 0) ? (short) (i-1)) : workingVal
also complies with this guideline, because both the second and third operands in this form have type short
. However, this alternative is less efficient, because it forces both autounboxing of workingVal
on each even iteration of the loop and also autoboxing of the result of the conditional expression (from short
to Short
) on every iteration of the loop.
Risk Assessment
When the second and third operands of a conditional expression have different types, they can be subject to unexpected type conversions.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
EXP12-J |
low |
unlikely |
medium |
P2 |
L3 |
Automated Detection
Automated detection of condition expressions whose second and third operands are of different types is straightforward.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
[[Bloch 2005]] Puzzle 8: Dos Equis
[[Findbugs 2008]] "Bx: Primitive value is unboxed and coerced for ternary operator"
[[JLS 2005]] Section 15.25, "Conditional Operator ? :
"