SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 29

changes.mady.by.user Dhruv Mohindra

Saved on

compared with

New Version 30

changes.mady.by.user Ankur Goyal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by sciSpider Java v3.0

Wiki Markup
According to the Java Language Specification \[[JLS 05|AA. Java References#JLS 05]\], section 12.5 ""Creation of New Class Instances"":

Unlike C++, the Java programming language does not specify altered rules for method dispatch during the creation of a new class instance. If methods are invoked that are overridden in subclasses in the object being initialized, then these overriding methods are used, even before the new object is completely initialized.

...

Code Block
bgColor#FFcccc
class BaseClass {
  public BaseClass() {
    doLogic();
  }
	
  public void doLogic() {
    System.out.println(""This is super-class!"");
  }	
}

class SubClass extends BaseClass {
  private String color = null;
  public SubClass() {
    super();	
    color = "Red""Red";
  }
	
  public void doLogic() {
    // Color becomes null
    System.out.println(""This is sub-class! The color is :"" + color); 
    // Other operations
  }
}

public class Overridable {
  public static void main(String[] args) {
    BaseClass bc = new BaseClass(); // Prints ""This is super-class!""
    BaseClass sc = new SubClass();  // Prints ""This is sub-class! The color is :null""		
  }
}

Compliant Solution

This compliant solution declares the doLogic() method as final so that it is no longer overridable.

Code Block
bgColor#ccccff
class BaseClass {
  public BaseClass() {
    doLogic();
  }
	
  public final void doLogic() {
    System.out.println(""This is super-class!"");
  }	
}

In addition to constructors, do not call overridable methods from the clone(), readObject() and readObjectNoData() methods as it would allow attackers to obtain partially initialized instances of classes. An equally dangerous idea is to disobey this advice by calling an overridden method from the finalize() method. This can prolong the subclass' life and in fact render the finalization call useless (See the example in OBJ02-J. Avoid using finalizers). Additionally, if the subclass's finalizer has terminated key resources, invoking its methods from the superclass may lead one to observe the object in an inconsistent state and in the worst case result in the infamous NullPointerException.

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[JLS 05|AA. Java References#JLS 05]\] [Chapter 8, Classes|http://java.sun.com/docs/books/jls/third_edition/html/classes.html], 12.5 ""Creation of New Class Instances""
\[[SCG 07|AA. Java References#SCG 07]\] Guideline 4-3 Prevent constructors from calling methods that can be overridden
\[[ESA 05|AA. Java References#ESA 05]\] Rule 62: Do not call non-final methods from within a constructor.

...

MET31-J. Ensure that hashCode() is overridden when equals() is overridden            12. Methods (MET)            MET33-J. Do not subject overloaded methods to polymorphic invocations