Entity of a type parameter without reference constraints in a generic type is compared with 'null'.

Vulnerability and risk

If a type parameter in a generic type has no reference contraints, it can be substituted with a value type. Comparing value type entities with 'null' always returns false and is therefore useless.

Example 1

  namespace Namespace {
      class Foo<T1> where T1: class {
          T1 t;
          bool checkT() {
              return (t == null);  // OK - cannot be a value type
      class Bar<T2> where T2: struct {
          T2 t;
         bool setT(T2 arg) {
             if (arg != null)     // defect
                 t = arg;

Security training

Application security training materials provided by Secure Code Warrior.