SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 23

changes.mady.by.user Melanie Thompson

Saved on

compared with

New Version Current

changes.mady.by.user Michal Rozenau

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Parasoft Jtest 2022.2

The variable arity (varargs) feature was introduced in the JDK v1.5.0 . Its utility lies in allowing a method to to support methods that accept a variable number numbers of arguments.

Wiki MarkupAccording to the Java SE 6 documentation \[[Sun 2006|AA. Java References#Sun 06]\] [varargs|http://java.sun.com/j2se/1.5.0/docs/guide/language/varargs.html]

Wiki Markup
As an API designer, you should use \[varargs methods\] sparingly, only when the benefit is truly compelling. Generally speaking, you should not overload a varargs method, or it will be difficult for programmers to figure out which overloading gets called.

Noncompliant Code Example

[Oracle 2011b],

As an API designer, you should use [variable arity methods] sparingly, only when the benefit is truly compelling. Generally speaking, you should not overload a varargs method, or it will be difficult for programmers to figure out which overloading gets called.

Noncompliant Code Example

In this noncompliant code example, overloading variable arity methods makes it unclear which definition of displayBooleans() is invoked:Overloading varargs methods can create confusion as shown in this noncompliant code example. The programmer's intent is to invoke the variable argument (varargs) doSomething() method, but instead its overloaded, more specific form takes precedence.

Code Block
bgColor#FFCCCC

class OverloadedVarargsVarargs {
  private static void doSomethingdisplayBooleans(boolean... bool) {
    System.out.print("Number of arguments: " + bool.length + ", Contents: ");

    for (boolean b : bool)
      System.out.print("[" + b + "]");
  } 
  private static void doSomethingdisplayBooleans(boolean bool1, boolean bool2) {
    System.out.println("Overloaded method invoked");  
  }
  public static void main(String[] args) {
    doSomethingdisplayBooleans(true, false);
  }
}

When run, this program outputs

Code Block
Overloaded method invoked

because the nonvariable arity definition is more specific and consequently a better fit for the provided arguments. However, this complexity is best avoided.

Compliant Solution

Avoid To avoid overloading varargs methods. Use variable arity methods, use distinct method names so to ensure that the intended method gets is invoked, as prescribed by shown in this compliant solution. :

Code Block
bgColor#ccccff

class NotOverloadedVarargsVarargs {
  private static void doSomething1displayManyBooleans(boolean... bool) {
    System.out.print("Number of arguments: " + bool.length + ", Contents: ");

    for (boolean b : bool)
      System.out.print("[" + b + "]");
  } 
  private static void doSomething2displayTwoBooleans(boolean bool1, boolean bool2) {
    System.out.println("Overloaded method invoked");  
    System.out.println("Contents: [" + bool1 + "], [" + bool2 + "]");  
  }
  public static void main(String[] args) {
    doSomething1displayManyBooleans(true, false);
  }
}

Exceptions

Wiki Markup
*EX1:* Sometimes, it is desirable to violate the "do not overload varargs methods" advice for performance reasons (avoiding the cost of creation of an array instance and its initialization on every invocation of a varargs method). \[[Bloch 2008|AA. Java References#Bloch 08]\]

Applicability

Injudicious use of overloaded variable arity methods may create ambiguity and diminish code readability.

It may be desirable to violate this rule for performance reasons. One such reason would be to avoid the cost of creating an array instance and initializing it on every invocation of a method [Bloch 2008].

Code Block
bgColor#ccccff
Code Block

public void foo() { }
public void foo(int a1) { }
public void foo(int a1, int a2, int... rest) { }

The idiom shown above avoids the pitfalls When overloading variable arity methods, it is important to avoid any ambiguity regarding which method should be invoked. The preceding code sample avoids the possibility of incorrect method selection by using non-ambiguous unambiguous method signatures and can be discreetly used where required.

Risk Assessment

Unmindful use of the varargs feature may create ambiguity and diminish code readability.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

DCL08- J

low

unlikely

medium

P2

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[Sun 2006|AA. Java References#Sun 06]\] [varargs|http://java.sun.com/j2se/1.5.0/docs/guide/language/varargs.html] 
\[[Bloch 2008|AA. Java References#Bloch 08]\] Item 42: "Use varargs judiciously"
\[[Steinberg 2005|AA. Java References#Steinberg 05]\] "Using the Varargs Language Feature"

.

Automated detection is straightforward.

Automated Detection

ToolVersionCheckerDescription
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.DCL57.OVAMAvoid overloading varargs methods

Bibliography

[Bloch 2008]

Item 42, "Use Varargs Judiciously"

[Steinberg 2008]

"Using the Varargs Language Feature"

[Oracle 2011b]

varargs


...

Image Added Image Added Image AddedDCL07-J. Beware of integer literals beginning with '0'      03. Declarations and Initialization (DCL)      DCL09-J. Enforce compile-time type checking of variable argument types