JD.CAST.COL.MIGHT

Possible ClassCastException for collection

JD.CAST.COL.MIGHT occurs when more than one type is stored in the same collection (Map or List) and at least one of the stored types is related to the type used for a type cast.

Vulnerability and risk

This may cause a ClassCastException, because objects in the collection have different types.

Vulnerable code example 1

Copy 
  public class Test {
      protected static final String NAME = "name";
      protected static final String ID = "id";
      private static final Map<String, Object> map = new HashMap<String, Object>();
      public void setInfo(String name, int id) {
          map.put(ID, new Integer(id));
          map.put(NAME, name);
      }
      public static getInfo() {
          Test test = new Test();
          test.setInfo("me", 1);
          Integer id = (Integer)map.get(ID));
          String name = (String)map.get(NAME));
      }
  }

Klocwork reports a JD.CAST.COL.MIGHT defect at line 21, indicating: "May be suspicious cast to ‘java.lang.Integer’ of collection element. Object was put into the collection as ‘java.lang.String’.-> 16: map.put(NAME, name); -> 21: Integer id = (Integer)map.get(ID)); And for line 22: May be suspicious cast to ‘java.lang.String’ of collection element. Object was put into the collection as ‘java.lang.Integer’. ->16: map.put(ID, new Integer(id)); -> 22: String name = (String)map.get(NAME));".

Fixed code example 1

Copy 
   public class Test {
       Map<String, Object> map = new HashMap<String, Object>();
       public void setInfo(String str1, String str2) {
           map.put("ID", str1);
           map.put("NAME", str2);
       }
       public getInfo() {
           Test test = new Test();
           test.setInfo("might", "must");
         for(Object obj : map.keySet()){
             if(map.get(obj) instanceof String){
                 System.out.println("Name==>"+(String)map.get(obj));
             }
         }
     }
  }

Klocwork no longer reports a defect, since the objects in the collection are of the same type.

Vulnerable code example 2

Copy 
   public class Test {
       ArrayList<Object> list = new ArrayList<Object>();
       public void setInfo() {
           list.add("name");
           list.add(new Integer(30));
       }
       public void display() {
           System.out.println("==>"+(String) list.get(0));
           System.out.println("==>"+(Integer) list.get(1));
     }
 }

Klocwork reports a JD.CAST.COL.MIGHT defect at line 8, indicating: "May be suspicious cast to ‘java.lang.String’ of collection element. Object was put into the collection as ‘java.lang.Integer’.-> 5: list.add(new Integer(30)); -> 8: System.out.println("name==>"+(String) list.get(0)); And for line 9: May be suspicious cast to ‘java.lang.Integer’ of collection element. Object was put into the collection as ‘java.lang.String’. ->4: list.add("name"); -> 9: System.out.println("name==>"+(Integer) list.get(1));".

Fixed code example 2

Copy 
   public class Test {
       ArrayList<Object> list = new ArrayList<Object>();
       public void setInfo() {
           list.add("might");
           list.add("must");
       }
       public void display() {
           Test test = new Test();
           test.setInfo();
         for(Object obj : list) {
             if(obj instanceof String) {
                 System.out.println("name==>"+(String) obj);
             }
         }
     }
 }

Klocwork no longer reports a defect, since the objects in the collection are of the same type.

Related checkers