[jira] [Updated] (LANG-1295) ArrayUtils has unsafe use of varargs, which are marked as safe

Mon, 12 Dec 2016 06:30:16 -0800 

     [ 
https://issues.apache.org/jira/browse/LANG-1295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Duncan Jones updated LANG-1295:
-------------------------------
    Affects Version/s: 3.5
          Description: 
{{ArrayUtils.toArray(T... items)}} is marked as {{@SafeVarargs}}, but I suspect 
the use of the varargs is unsafe.

An example, drawn heavily from [this StackOverflow 
answer|http://stackoverflow.com/a/14252221/474189], demonstrates this:

{code:java}
static <T> T[] arrayOfTwo(T a, T b) {
    return ArrayUtils.toArray(a, b);
}

@Test
public void testBadVarArgs() throws Exception {
    @SuppressWarnings("unused") // Need to assign to trigger exception
    String[] result = arrayOfTwo("foo", "bar");
}
{code}

the above code throws an exception: {{java.lang.ClassCastException: 
[Ljava.lang.Object; cannot be cast to [Ljava.lang.String;}}.

  was:
{{ArrayUtils.toArray(T... items)}} is marked as {{@SafeVarargs}}, but I suspect 
the use of the varargs is unsafe.

An example, drawn heavily from [this StackOverflow 
answer|http://stackoverflow.com/a/14252221/474189], demonstrates this:

{code:java}
static <T> T[] arrayOfTwo(T a, T b) {
    return ArrayUtils.toArray(a, b);
}

@Test
public void testBadVarArgs() throws Exception {
    @SuppressWarnings("unused") // Need to assign to trigger exception
    String[] result = arrayOfTwo("foo", "bar");
}
{code}

the above code throws an exception: {{java.lang.ClassCastException: 
[Ljava.lang.Object; cannot be cast to [Ljava.lang.String;}}.

The method {{ArrayUtils.addAll(null, a, b)}} looks unsafe for similar reasons.  
However, {{ArrayUtils.removeElements(final T[] array, final T... values)}} 
looks safe.


Unfortunately, this method seems to do exactly what you're not supposed to do 
with varargs.

We may have to deprecate this and warn people off using it.

I'm going to create another issue for the {{addAll}} method, since the solution 
(and discussion thereof) is likely to be different.

> ArrayUtils has unsafe use of varargs, which are marked as safe
> --------------------------------------------------------------
>
>                 Key: LANG-1295
>                 URL: https://issues.apache.org/jira/browse/LANG-1295
>             Project: Commons Lang
>          Issue Type: Bug
>          Components: lang.*
>    Affects Versions: 3.5
>            Reporter: Duncan Jones
>            Priority: Critical
>
> {{ArrayUtils.toArray(T... items)}} is marked as {{@SafeVarargs}}, but I 
> suspect the use of the varargs is unsafe.
> An example, drawn heavily from [this StackOverflow 
> answer|http://stackoverflow.com/a/14252221/474189], demonstrates this:
> {code:java}
> static <T> T[] arrayOfTwo(T a, T b) {
>     return ArrayUtils.toArray(a, b);
> }
> @Test
> public void testBadVarArgs() throws Exception {
>     @SuppressWarnings("unused") // Need to assign to trigger exception
>     String[] result = arrayOfTwo("foo", "bar");
> }
> {code}
> the above code throws an exception: {{java.lang.ClassCastException: 
> [Ljava.lang.Object; cannot be cast to [Ljava.lang.String;}}.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to