SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 7

changes.mady.by.user Pennie Walters

Saved on

compared with

New Version 8

changes.mady.by.user Pennie Walters

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Invoking overridable methods from the readObject() method can cause the overriding method to read the state of the subclass before it is fixed. This is because the base class is deserialized first, followed by the subclass. Also see the related guidelines CON08-J. Do not call overridable methods from synchronized regions and MET07-J. Do not invoke overridable methods on the clone under construction.

Noncompliant Code Example

This noncompliant code example invokes an overridable method from the readObject() method.

Code Block
bgColor#FFCCCC
private void readObject(final ObjectInputStream stream) throws 
    IOException, ClassNotFoundException {
  overridableMethod(); 
  stream.defaultReadObject();
}

Compliant Solution

This compliant solution removes the call to the overridable method.

Code Block
bgColor#ccccff
private void readObject(final ObjectInputStream stream) throws 
    IOException, ClassNotFoundException {
  stream.defaultReadObject();
}

Risk Assessment

Invoking overridable methods from the readObject() method can lead to initialization errors.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

SER39- J

low

probable

medium

P4

L1

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[API 06|AA. Java References#API 06]\] 
\[[Bloch 08|AA. Java References#Bloch 08]\] Item 17: "Design and document for inheritance or else prohibit it"

...