Reuse of names leads to obscuration or shadowing, that is, the names in the current scope mask those defined elsewhere. This Name reuse creates ambiguity and burdens code maintenance, especially when code requires access to both the original names need to be used and burdens code maintenancenamed entity and the entity with the reused name. The problem is aggravated when the reused name is required to be defined in a different package.
...
This implies that a variable can obscure a type or a package, and a type can obscure a package name. Shadowing on the other hand refers to masking of variables, fields, types, method parameters, labels and exception handler parameters in a subscope. Both these differ from hiding wherein an accessible member (typically non-private) that should have been inherited by a subclass is forgone in lieu of a locally declared subclass member that assumes the same name.
As a tenetIn general, do not
- Reuse the name of a superclass
- Reuse the name of an interface
- Reuse the name of a field defined in a superclass
- Reuse the name of a field that appears in a different scope within the same method (in some different scope)
- Reuse the name of a field, type or another parameter across packages
...
A future programmer may not know about this extension and may incorrectly use the Vector idiom intending custom Vector class when his intention was to use the original java.util.Vector class. The custom type Vector can obscure a class name from another package name (e.g. java.util.Vector). This can ), as specified by JLS 6.3.2 (see above). Should this occur, it may cause undesirable effects by violating the programmer's assumptions.
| Wiki Markup |
|---|
Well defined import statements |
resolve these |
issues. However, when the definitions of the reused name are imported from other packages, use of the _type-import-on-demand declaration_ (see Java Language Specification \[[JLS 2005|AA. Bibliography#JLS 05]\] section 7.5.2 "Type-Import-on-Demand Declaration") can lead to unexpected import of a class that was not intended. Moreover, a common --- and potentially misleading --- tendency is to produce the import statements _after_ writing the code, often via automatic inclusion of import statements by an IDE. This creates further ambiguity with respect to the names; when a custom type is found earlier in the Java include path than the intended type, no further searches are conducted. |
| Code Block | ||
|---|---|---|
| ||
class Vector {
private int val = 1;
public boolean isEmpty() {
if(val == 1) { //compares with 1 instead of 0
return true;
} else {
return false;
}
}
//other functionality is same as java.util.Vector
}
// import java.util.Vector; omitted
public class VectorUser {
public static void main(String[] args) {
Vector v = new Vector();
if(v.isEmpty()) {
System.out.println("Vector is empty");
}
}
}
|
...
| Code Block | ||
|---|---|---|
| ||
class MyVector {
//other code
}
|
| Wiki Markup |
|---|
Note: When the developer and her organization control the original hidden class in addition to the code being written, it may be preferable to change the design strategy of the original in accordance with Bloch's _Effective Java_ \[[Bloch 2008|AA. Bibliography#Bloch 08]\] "Item 16: Prefer interfaces to abstract classes." Changing the original class into an interface would permit class {{MyVector}} to declare that it implements the hypothetical {{Vector}} interface. This would permit client code that intended to use {{MyVector}} to remain compatible with code that uses the original implementation of {{Vector}}. |
Noncompliant Code Example
...
This solution eliminates shadowing by using a different name for changing the name of the variable defined in method scope.
...
Method shadowing in different scopes becomes possible when two or more packages are used. Method shadowing is distinct differs from method overloading in that , subclasses are allowed to inherit overloadings defined in the base class. It differs from hiding in that the methods do need not have to be declared static. It is also distinct from method overriding as exemplified in this noncompliant code example.
...
Note that class y.C is accessible from the package x and so is its doLogic() method. However, if the main() method defined in class A tries to polymorphically invoke y.doLogic() as shown, the override corresponding to class B in package x takes precedence. This is because the doLogic() methods in classes x.A and x.B are not visible from class y.C due to the default access specifier. As a result, the class x.C is not considered a part of the overriding hierarchy. NotablyNote, however, that the code behaves as expected if the access specifiers of all of the methods are changed to public.
Compliant Solution
It is highly recommended that Use a different name be used so that it is clear to indicate that the class residing in another package is not meant intended to be a part of the overriding chain. A programmer can proceed to invoke methods on it by explicitly using the class name. Even use dotted notation to explicitly specify which class defines the method to be invoked. Avoid reusing names even when all the relevant classes define the affected methods with a public access specifier, it is better to avoid reusing names because an evolving class can limit method accessibility anytime in the future causing ; future evolution of one or more of the classes may reduce method accessibility, leading to unexpected results.
| Code Block | ||
|---|---|---|
| ||
package x;
public class A {
void doLogic() {
// print 'A'
}
public static void main(String[] args) {
// explicitly invokes doSequence() of class y.C and prints 'C'
y.C.doSequence();
}
}
package x;
public class B { /* ... */ }
package y; // different package
public class C extends x.B {
public void doSequence() { // now renamed
// print 'C'
}
}
|
...
| Code Block | ||
|---|---|---|
| ||
for(int i = 0; i < 10; i++) { }
for(int i = 0; i < 20; i++) { }
|
Risk Assessment
Reusing names leads to code that is harder Name reuse makes code more difficult to read and maintain and . This may result in security weaknesses.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
SCP02-J | low | unlikely | medium | P2 | L3 |
Automated Detection
TODOAn automated tool can easily detect reuse of names whose earlier definition appears somewhere in the Java include path. FindBugs, for example, detects at least four sub-instances of this guideline.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
...