Reuse of names leads to obscuration or shadowing; that is, the names in the current scope mask those defined elsewhere. Name reuse creates ambiguity and burdens code maintenance, especially when code requires access to both the original named entity and the entity with the reused name. The problem is aggravated when the reused name is required to be defined in a different package.
...
This implies that a variable can obscure a type or a package, and a type can obscure a package name. Shadowing, on the other hand, refers to masking variables, fields, types, method parameters, labels, and exception handler parameters in a subscope. Both these differ from hiding wherein an accessible member (typically non-private) that should have been inherited by a subclass is forgone in lieu of replaced by a locally declared subclass member that assumes the same name.
...
- a superclass
- an interface
- a field defined in a superclass
- a field that appears in a different scope within the same method
- a field, type, or another parameter across packages
Noncompliant Code Example (Class Name)
This noncompliant code example implements a class that reuses the name of the class java.util.Vector. It attempts to introduce a different condition for the isEmpty() method for interfacing with native legacy code, by overriding the corresponding method in java.util.Vector.
A future programmer maintainer might not know about this extension and incorrectly use the custom Vector class when his intention was to use the original java.util.Vector class. The custom type Vector can obscure a class name from another package (for example, java.util.Vector), as specified by JLS 6.3.2 (see above). Should this occur, it can cause undesirable effects by violating the programmer's assumptions.
...
| Code Block | ||
|---|---|---|
| ||
class Vector {
private int val = 1;
public boolean isEmpty() {
if (val == 1) { //compares with 1 instead of 0
return true;
} else {
return false;
}
}
//other functionality is same as java.util.Vector
}
// import java.util.Vector; omitted
public class VectorUser {
public static void main(String[] args) {
Vector v = new Vector();
if (v.isEmpty()) {
System.out.println("Vector is empty");
}
}
}
|
Compliant Solution (Class Name)
This compliant solution declares the class Vector with a different name.
...
| Wiki Markup |
|---|
Note: When the developer and organization control the original hidden class, in addition to the code being written, it may be preferable to change the design strategy of the original in accordance with Bloch's _Effective Java_ \[[Bloch 2008|AA. Bibliography#Bloch 08]\] "Item 16: Prefer interfaces to abstract classes." Changing the original class into an interface would permit class {{MyVector}} to declare that it implements the hypothetical {{Vector}} interface. This would permit client code that intended to use {{MyVector}} to remain compatible with code that uses the original implementation of {{Vector}}. |
Noncompliant Code Example (Field Shadowing)
This noncompliant code example reuses the name of the val instance field in the scope of an instance method. This behavior can be classified as shadowing.
| Code Block | ||
|---|---|---|
| ||
class MyVector {
private int val = 1;
private void doLogic() {
int val;
//...
}
}
|
Compliant Solution (Field Shadowing)
This compliant solution eliminates shadowing by changing the name of the variable defined in method scope.
| Code Block | ||
|---|---|---|
| ||
class MyVector {
private int val = 1;
private void doLogic() {
int newValue;
//...
}
}
|
Exceptions
SCP02-EX1: Reuse of names is permitted for trivial loop counter declarations in the same scope:
| Code Block | ||
|---|---|---|
| ||
for (int i = 0; i < 10; i++) { }
for (int i = 0; i < 20; i++) { }
|
Risk Assessment
Name reuse makes code more difficult to read and maintain. This can result in security weaknesses.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
SCP02-J | low | unlikely | medium | P2 | L3 |
Automated Detection
| Wiki Markup |
|---|
An automated tool can easily detect reuse of names whose earlier definition appears somewhere in the Java include path. FindBugs, for example, detects at least four sub-instances of this guideline \[[FindBugs 2008|AA. Bibliography#FindBugs 08]\]: |
- Nm: Class names shouldn't shadow simple name of implemented interface
- Nm: Class names shouldn't shadow simple name of superclass
- MF: Class defines field that masks a superclass field
- MF: Method defines a variable that obscures a field
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Related Guidelines
C Secure Coding Standard: DCL01-C. Do not reuse variable names in subscopes
C++ Secure Coding Standard: DCL01-CPP. Do not reuse variable names in subscopes
Bibliography
| Wiki Markup |
|---|
\[[JLS 2005|AA. Bibliography#JLS 05]\] [Section 6.3.2|http://java.sun.com/docs/books/jls/third_edition/html/names.html#6.3.2] "Obscured Declarations", [Section 6.3.1|http://java.sun.com/docs/books/jls/third_edition/html/names.html#6.3.1] "Shadowing Declarations", [Section 7.5.2|http://java.sun.com/docs/books/jls/third_edition/html/packages.html#7.5.2] "Type-Import-On_Demand Declaration", [Section 14.4.3|http://java.sun.com/docs/books/jls/third_edition/html/statements.html#14.4.3] "Shadowing of Names by Local Variables" \[[Bloch 2005|AA. Bibliography#Bloch 05]\] Puzzle 67: All Strung Out \[[Bloch 2008|AA. Bibliography#Bloch 08]\] Item 16: Prefer interfaces to abstract classes \[[Kabanov 2009|AA. Bibliography#Kabanov 09]\] \[[Conventions 2009|AA. Bibliography#Conventions 09]\] 6.3 Placement \[[FindBugs 2008|AA. Bibliography#FindBugs 08]\] |
...