SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 63

changes.mady.by.user vishal patel

Saved on

compared with

New Version 64

changes.mady.by.user Pamela Curtis

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki Markup
            According to the Java Language Specification \[[JLS 2005|AA. Bibliography#JLS 05]\], Section 12.5, "Creation of New Class Instances,"

Unlike C++, the Java programming language does not specify altered rules for method dispatch during the creation of a new class instance. If methods are invoked that are overridden in subclasses in the object being initialized, then these overriding methods are used, even before the new object is completely initialized.

...

Code Block
bgColor#FFcccc
class SuperClass {
  public SuperClass () {
    doLogic();
  }
	
  public void doLogic() {
    System.out.println("This is super-classsuperclass!");
  }	
}

class SubClass extends SuperClass {
  private String color = null;
  public SubClass() {
    super();	
    color = "Red";
  }
	
  public void doLogic() {
    // Color becomes null
    System.out.println("This is sub-classsubclass! The color is :" + color); 
    // ...
  }
}

public class Overridable {
  public static void main(String[] args) {
    SuperClass bc = new SuperClass(); // Prints "This is super-classsuperclass!"
    SuperClass sc = new SubClass();  // Prints "This is sub-classsubclass! The color is :null"		
  }
}

The doLogic() method is invoked from the superclass's constructor. When the superclass is constructed directly, the doLogic() method in the superclass is invoked and executes successfully. However, when the subclass initiates the super classsuperclass's construction, the subclass's doLogic() method is invoked instead. In this case, the value of color is still null because the subclass's constructor has not yet concluded.

...

This compliant solution declares the doLogic() method as final so that it cannot be overridden.

Code Block
bgColor#ccccff
class SuperClass {
  public SuperClass() {
    doLogic();
  }
	
  public final void doLogic() {
    System.out.println("This is super-classsuperclass!");
  }	
}

Risk Assessment

Allowing a constructor to call overridable methods may give an attacker access to the this reference before an object is fully initialized, which , in turn , could lead to a vulnerability.

...

Automated detection of constructors that contain invocations of overridable methods appears to be straight forwardstraightforward.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

...

Wiki Markup
\[[ESA 2005|AA. Bibliography#ESA 05]\] Rule 62: Do not call non-final methods from within a constructor.
\[[JLS 2005|AA. Bibliography#JLS 05]\] [Chapter 8, Classes|http://java.sun.com/docs/books/jls/third_edition/html/classes.html], 12.5 "Creation of New Class Instances"
\[[Rogue 2000|AA. Bibliography#Rogue 2000]\] Rule 81: Do not call non-final methods from within a constructor.
\[[SCG 2007|AA. Bibliography#SCG 07]\] Guideline 4-3, Prevent constructors from calling methods that can be overridden

...