1. Home
  2. CWE Database
  3. CWE-1235
Base · Medium

CWE-1235: Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations

The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.

CWE-1235 · Base Level ·1 Mitigations

Description

The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.

Potential Impact

Availability

DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), DoS: Resource Consumption (Other), Reduce Performance

Demonstrative Examples

Java has a boxed primitive for each primitive type. A long can be represented with the boxed primitive Long. Issues arise where boxed primitives are used when not strictly necessary.
Bad
Long count = 0L;
					
					for (long i = 0; i < Integer.MAX_VALUE; i++) {
					
						count += i;
						
					
					}
In the above loop, we see that the count variable is declared as a boxed primitive. This causes autoboxing on the line that increments. This causes execution to be magnitudes less performant (time and possibly space) than if the "long" primitive was used to declare the count variable, which can impact availability of a resource.
This code uses primitive long which fixes the issue.
Good
long count = 0L;
					
					for (long i = 0; i < Integer.MAX_VALUE; i++) {
					
						count += i;
						
					
					}

Mitigations & Prevention

Implementation

Use of boxed primitives should be limited to certain situations such as when calling methods with typed parameters. They should not be used for scientific computing or other performance critical operations. They are only suited to support "impedance mismatch" between reference types and primitives. Examine the use of boxed primitives prior to use. Use SparseArrays or ArrayMap instead of HashMap to avoid performance overhead.

Detection Methods

  • Automated Static Analysis — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea

CWE-400: Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

Taxonomy Mappings

  • SEI CERT Oracle Coding Standard for Java: EXP04-J — Do not pass arguments to certain Java Collections Framework methods that are a different type than the collection parameter type
  • ISA/IEC 62443: Part 4-1 — Req SI-2

Frequently Asked Questions

What is CWE-1235?

CWE-1235 (Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.

How can CWE-1235 be exploited?

Attackers can exploit CWE-1235 (Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations) to dos: resource consumption (cpu), dos: resource consumption (memory), dos: resource consumption (other), reduce performance. This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-1235?

Key mitigations include: Use of boxed primitives should be limited to certain situations such as when calling methods with typed parameters. They should not be used for scientific computing or other performance critical oper

What is the severity of CWE-1235?

CWE-1235 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.