The readObject()
method must not call any overridable methods. Invoking overridable methods from the readObject()
method can allow provide the overriding method with access to read the object's state of the subclass before it is fully constructed, since the base class is deserialized first, followed by the subclass. As a result, readObject()
must not call any overridable methods.Also see the related rule initialized. This premature access is possible because, in deserialization, readObject
plays the role of object constructor and therefore object initialization is not complete until readObject
exits (see also MET06-J. Do not invoke overridable methods in clone()).
Noncompliant Code Example
This noncompliant code example invokes an overridable method from the readObject()
method. :
Code Block | ||
---|---|---|
| ||
private void readObject(final ObjectInputStream stream) throws throws IOException, ClassNotFoundException { overridableMethod(); stream.defaultReadObject(); } public void overridableMethod() { // ... } |
Compliant Solution
This compliant solution removes the call to the overridable method. When removing such calls is infeasible, ensure that declare the method is declared private or final.
Code Block | ||
---|---|---|
| ||
private void readObject(final ObjectInputStream stream) throws throws IOException, ClassNotFoundException { stream.defaultReadObject(); } |
Exceptions
unmigratedSER09-wiki-markup*SER09-EX1:* "The {{readObject}} methods will often call {{J-EX0: The readObject()
method may invoke the overridable methods defaultReadObject()
and readFields()
in class java.io.ObjectInputStream
.defaultReadObject}}, which is an overridable method" \[ [SCG 2009|AA. Bibliography#SCG 09]\]. Such calls are permitted.
Risk Assessment
Invoking overridable methods from the readObject()
method can lead to initialization errors.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
SER09-J |
Low |
Probable |
Medium | P4 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Bibliography
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Parasoft Jtest |
| CERT.SER09.VREADOBJ | Do not invoke overridable methods from the readObject() method |
Related Guidelines
Guideline 7-4 / OBJECT-4: |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="db675c4e-9cf2-4528-9767-ab6f60549581"><ac:plain-text-body><![CDATA[
[[API 2006
AA. Bibliography#API 06]]
]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="54431647-043c-4b33-b48d-37bface0f5f5"><ac:plain-text-body><![CDATA[
[[SCG 2009
AA. Bibliography#SCG 09]]
Prevent constructors from calling methods that can be overridden |
]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="982482a5-77ce-4db4-8559-b56874afa1c5"><ac:plain-text-body><![CDATA[
[[Bloch 2008
Bibliography
[API 2014] | |
Item 17 |
, "Design and |
Document for |
Inheritance or Else Prohibit It" |
]]></ac:plain-text-body></ac:structured-macro>
[SCG 2009] |
...