Page History

...

Hiding and overriding differ in the determination of which method is invoked from a call site. For overriding, the method invoked is determined at runtime based on the specific object instance in hand. For hiding, the method invoked is determined at compile time based on the specific qualified name or method invocation expression used at the call site.

Noncompliant Code Example

In this noncompliant example, the programmer hides the static method instead of overriding it. Consequently, the code invokes the displayAccountStatus() method of the superclass at two different call sites instead of invoking the superclass method at one call site and the subclass method at the other.

class GrantAccess {
  public static void displayAccountStatus() {
    System.out.println("Account details for admin: XX");
  }
}

class GrantUserAccess extends GrantAccess {
  public static void displayAccountStatus() {
    System.out.println("Account details for user: XX");
  }
}

public class StatMethod {
  public static void choose(String username) {
    GrantAccess admin = new GrantAccess();
    GrantAccess user = new GrantUserAccess();
    if (username.equals("admin")) {
      admin.displayAccountStatus();
    } else {
      user.displayAccountStatus();
    }
  }

  public static void main(String[] args) {
    choose("user");
  }
}

Compliant Solution

In this compliant solution, the programmer declares the displayAccountStatus() methods as instance methods, by removing the static keyword. Consequently, the dynamic dispatch at the call sites produces the expected result. The @Override annotation indicates intentional overriding of the parent method.

...

Technically, a private method cannot be hidden or overridden. There is no requirement that private methods with the same signature in the subclass and the superclass bear any relationship in terms of having the same return type or {{throws}} clause, the necessary conditions for hiding \[[JLS 2005|AA. Bibliography#JLS 05]\]. Consequently, hiding cannot occur when the methods have different return types or {{throws}} clauses.

Exceptions

MET11-EX0: Occasionally an API provides hidden methods. Invoking those methods is not a violation of this rule, provided that all invocations of hidden methods use qualified names or method invocation expressions that explicitly indicate which specific method is invoked. If the displayAccountStatus() is a hidden method, for example, the following implementation of the choose() method is an acceptable alternative:

  public static void choose(String username) {
    if (username.equals("admin")) {
      GrantAccess.displayAccountStatus();
    } else {
      GrantUserAccess.displayAccountStatus();
    }
  }

Risk Assessment

Confusing overriding and hiding can produce unexpected results.

Automated Detection

Automated detection of violations of this rule is straightforward. Automated determination of cases where method hiding is unavoidable is infeasible. However, determining whether all invocations of hiding or hidden methods explicitly indicate which specific method is invoked is straightforward.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

...