CWE-1235
Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
Incomplete
2020-02-24
00h00 +00:00
00h00 +00:00
2025-12-11
00h00 +00:00
00h00 +00:00
Notifications pour un CWE
Restez informé de toutes modifications pour un CWE spécifique.
Nom: Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.
Informations générales
Informations de base
Languages such as Java and C# support automatic conversion through their respective compilers from primitive types into objects of the corresponding wrapper classes, and vice versa. For example, a compiler might convert an int to Integer (called autoboxing) or an Integer to int (called unboxing). This eliminates forcing the programmer to perform these conversions manually, which makes the code cleaner.Modes d'introduction
Implementation : The programmer may use boxed primitives when not strictly necessary.Plateformes applicables
Langue
Name: Java (Undetermined)Name: C# (Undetermined)
Systèmes d’exploitation
Class: Not OS-Specific (Undetermined)Architectures
Class: Not Architecture-Specific (Undetermined)Technologies
Class: Not Technology-Specific (Undetermined)Conséquences courantes
| Portée | Impact | Probabilité |
|---|---|---|
| Availability | DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other), Reduce Performance Note: Incorrect autoboxing/unboxing would result in reduced performance, which sometimes can lead to resource consumption issues, impacting availability when used with generic collections. | Low |
Mesures d’atténuation potentielles
Phases : ImplementationUse of boxed primitives should be limited to certain situations such as when calling methods with typed parameters. They should not be used for scientific computing or other performance critical operations. They are only suited to support "impedance mismatch" between reference types and primitives. Examine the use of boxed primitives prior to use. Use SparseArrays or ArrayMap instead of HashMap to avoid performance overhead.
Méthodes de détection
Automated Static Analysis
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Base level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
Références
REF-1051
Oracle Java Documentationhttps://docs.oracle.com/javase/1.5.0/docs/guide/language/autoboxing.html
REF-1052
SEI CERT Oracle Coding Standard for Java : Rule 02. Expressions (EXP)The Software Engineering Institute.
https://wiki.sei.cmu.edu/confluence/display/java/EXP04-J.+Do+not+pass+arguments+to+certain+Java+Collections+Framework+methods+that+are+a+different+type+than+the+collection+parameter+type
Soumission
| Nom | Organisation | Date | Date de publication | Version |
|---|---|---|---|---|
| Joe Harvey | 4.0 |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| CWE Content Team | MITRE | updated Demonstrative_Examples | |
| CWE Content Team | MITRE | updated Relationships, Taxonomy_Mappings | |
| CWE Content Team | MITRE | updated Mapping_Notes | |
| CWE Content Team | MITRE | updated Background_Details, Common_Consequences, Description, Detection_Factors, Potential_Mitigations, Weakness_Ordinalities |
