Java supports overloading methods and can distinguish between methods with different method signatures. Consequently, with some qualifications, methods within a class can have the same name if they have different parameter lists. In method overloading, the method to be invoked at runtime is determined at compile time. Consequently, the overloaded method associated with the static type of the object is invoked even when the runtime type differs for each invocation.

For program understandability, do not introduce ambiguity while overloading (see MET50-J. Avoid ambiguous or confusing uses of overloading), and use overloaded methods sparingly [Tutorials 2013] as they can make code much less readable.

Noncompliant Code Example

This noncompliant code example attempts to use the overloaded display() method to perform different actions depending on whether the method is passed an ArrayList<Integer> or a LinkedList<String>:

import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Vector;

public class Overloader {
  private static String display(ArrayList<Integer> arrayList) {
    return "ArrayList";
  }

  private static String display(LinkedList<String> linkedList) {
    return "LinkedList";
  }

  private static String display(List<?> list) {
    return "List is not recognized";
  }

  public static void main(String[] args) {
    // Single ArrayList: the argument's static type is ArrayList<Integer>
    System.out.println(display(new ArrayList<Integer>()));
    // Array of lists: every element's static type is List<?>
    List<?>[] invokeAll = new List<?>[] {
        new ArrayList<Integer>(),
        new LinkedList<String>(),
        new Vector<Integer>()};

    for (List<?> list : invokeAll) {
      System.out.println(display(list));
    }
  }
}

At compile time, the type of the object array is List. The expected output is ArrayList, ArrayList, LinkedList, and List is not recognized (because java.util.Vector is neither an ArrayList nor a LinkedList). The actual output is ArrayList followed by List is not recognized repeated three times. The cause of this unexpected behavior is that overloaded method invocations are affected only by the compile-time type of their arguments: ArrayList for the first invocation and List for the others. It is dangerous to implement overloading to tally with overriding, all the more so because the latter is characterized by inheritance, unlike the former [Bloch 2008].

Compliant Solution

This compliant solution uses a single display method and instanceof to distinguish between different types. As expected, the output is ArrayList, ArrayList, LinkedList, List is not recognized:

import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Vector;

public class Overloader {
  // One method for every List; the branch is taken on the runtime type
  private static String display(List<?> list) {
    return (
      list instanceof ArrayList ? "ArrayList" :
      (list instanceof LinkedList ? "LinkedList" :
      "List is not recognized")
    );
  }

  public static void main(String[] args) {
    // Single ArrayList
    System.out.println(display(new ArrayList<Integer>()));

    List<?>[] invokeAll = new List<?>[] {
        new ArrayList<Integer>(),
        new LinkedList<String>(),
        new Vector<Integer>()};

    for (List<?> list : invokeAll) {
      System.out.println(display(list));
    }
  }
}
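The same compile-time binding matters when overloads encode a policy decision rather than a label. The following is an added example, not part of the original guideline; the Request and AdminRequest classes and all method names are hypothetical. It passes one object through two static types and contrasts overload selection with overriding, which dispatches on the runtime class.

```java
import java.util.List;

public class OverloadVsOverride {
  // Hypothetical request types, constructed for this example.
  static class Request {
    String requiredRole() { return "user"; }   // overridable instance method
  }

  static class AdminRequest extends Request {
    @Override
    String requiredRole() { return "admin"; }  // selected from the runtime class
  }

  // Overloads: the compiler binds each call site from the argument's static type.
  static String roleByOverload(Request r)      { return "user"; }
  static String roleByOverload(AdminRequest r) { return "admin"; }

  // Overriding: one entry point, the JVM dispatches on the object's runtime class.
  static String roleByOverride(Request r) { return r.requiredRole(); }

  public static void main(String[] args) {
    AdminRequest direct = new AdminRequest();
    Request widened = direct;  // same object, wider static type

    // Call site is bound to roleByOverload(AdminRequest)
    System.out.println("direct, overload:  " + roleByOverload(direct));
    // Call site is bound to roleByOverload(Request), although the object
    // is an AdminRequest: the stricter overload is silently skipped
    System.out.println("widened, overload: " + roleByOverload(widened));
    // Dispatches to AdminRequest.requiredRole() regardless of static type
    System.out.println("widened, override: " + roleByOverride(widened));

    // Collections erase the specific static type in the same way
    List<Request> queue = List.of(new Request(), new AdminRequest());
    for (Request r : queue) {
      System.out.println(r.getClass().getSimpleName()
          + ": overload=" + roleByOverload(r)
          + ", override=" + roleByOverride(r));
    }
  }
}
```

Any code path that handles the object through its supertype (a collection, a framework callback, a method parameter) reaches only the general overload, so a type-specific check placed in the narrower overload is not a reliable control.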


Applicability

Ambiguous uses of overloading can lead to unexpected results.

Guideline   Severity   Likelihood   Remediation Cost   Priority   Level
MET05-J     low        unlikely     high               P1         L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Bibliography

[API 2006] Interface Collection, http://java.sun.com/j2se/1.4.2/docs/api/java/util/Collection.html

[Bloch 2008] Item 41: Use overloading judiciously

[Tutorials 2010] Defining Methods, http://download.oracle.com/javase/tutorial/java/javaOO/methods.html