Page History

Wiki MarkupAccording to the The Java Language Specification \[[JLS 2005|AA. Bibliography#JLS 05]\], Section 12, §12.5, "Creation of New Class Instances"[JLS 2015]:

Unlike C++, the Java programming language does not specify altered rules for method dispatch during the creation of a new class instance. If methods are invoked that are overridden in subclasses in the object being initialized, then these overriding methods are used, even before the new object is completely initialized.

This means that a method may use uninitialized data that causes Invocation of an overridable method during object construction may result in the use of uninitialized data, leading to runtime exceptions or leads to unanticipated outcomes. Calling overridable methods from constructors can also result in leak the escaping of the this reference before construction has concluded. (See guideline object construction is complete, potentially exposing uninitialized or inconsistent data to other threads (see TSM01-J. Do not let the ( this ) reference escape during object construction.) In addition to constructors, do not call overridable methods from the clone(), readObject() and readObjectNoData() methods as it would allow attackers to obtain partially initialized instances of classes. (See guidelines MET07-J. Do not invoke overridable methods on the clone under construction and SER11-J. Do not invoke overridable methods from the readObject method.) It is also insecure to call an overridden method from the finalize() method. This can prolong the subclass' life and in fact, render the finalization call useless (see the example in guideline MET18-J. Avoid using finalizers.) Additionally, if the subclass's finalizer has terminated key resources, invoking its methods from the superclass may lead one to observe the object in an inconsistent state and in the worst case result in a NullPointerException. for additional information). As a result, a class's constructor must invoke (directly or indirectly) only methods in that class that are static, final or private.

Noncompliant Code Example

This noncompliant code example results in the use of uninitialized data by the doLogic() method.:

Code Block

bgColor	#FFcccc


class SuperClass {
  public SuperClass () {
    doLogic();
  }
	
  public void doLogic() {
    System.out.println("This is super-classsuperclass!");
  }	
}

class SubClass extends SuperClass {
  private String color = null;
  public SubClass() {
    super();	
    color = "Red"red";
  }
	
  public void doLogic() {
    // Color becomes null
    System.out.println("This is sub-classsubclass! The color is :" + color); 
    // ...
  }
}

public class Overridable {
  public static void main(String[] args) {
    SuperClass bc = new SuperClass();
    // Prints "This is super-classsuperclass!"
    SuperClass sc = new SubClass();
    // Prints "This is sub-classsubclass! The color is :null"		
  }
}

The doLogic() method is invoked from the superclass's constructor. When the superclass is constructed directly, the doLogic() method in the superclass is invoked without issueand executes successfully. However, when the subclass initiates the super classsuperclass's construction, the subclassessubclass's doLogic() method is invoked instead. In this case, the value of color is still null because the subclasses subclass's constructor has not yet concluded.

Compliant Solution

This compliant solution declares the doLogic() method as final so that it is no longer overridable.cannot be overridden:

Code Block

bgColor	#ccccff


class SuperClass {
  public SuperClass() {
    doLogic();
  }
	
  public final void doLogic() {
    System.out.println("This is super-classsuperclass!");
  }	
}

Risk Assessment

Allowing a constructor to call overridable methods may give can provide an attacker with access to the this reference before an object is fully initialized, which , in turn, could lead to a vulnerability.

Guideline

Rule	Severity	Likelihood	Remediation Cost	Priority	Level

MET04

MET05-J

medium

Medium

probable

Probable

medium

Medium

P8

L2

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Bibliography

Wiki Markup

\[[JLS 2005|AA. Bibliography#JLS 05]\] [Chapter 8, Classes|http://java.sun.com/docs/books/jls/third_edition/html/classes.html], 12.5 "Creation of New Class Instances"
\[[SCG 2007|AA. Bibliography#SCG 07]\] Guideline 4-3 Prevent constructors from calling methods that can be overridden
\[[ESA 2005|AA. Bibliography#ESA 05]\] Rule 62: Do not call non-final methods from within a constructor.
\[[Rogue 2000|AA. Bibliography#Rogue 2000]\] Rule 81: Do not call non-final methods from within a constructor.

Automated detection of constructors that contain invocations of overridable methods is straightforward.

Tool

Version

Checker

Description

PVS-Studio

Include Page

	PVS-Studio_V
	PVS-Studio_V

V6052

SonarQube

Include Page

	SonarQube_V
	SonarQube_V

S1699

Constructors should only call non-overridable methods

SpotBugs

Include Page

	SpotBugs_V
	SpotBugs_V

MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR

Implemented (since 4.5.0)

Related Guidelines

ISO/IEC TR 24772:2010	Inheritance [RIP]
Secure Coding Guidelines for Java SE, Version 5.0	Guideline 7-4 / OBJECT-4: Prevent constructors from calling methods that can be overridden

Bibliography

[ESA 2005]	Rule 62, Do not call nonfinal methods from within a constructor
[JLS 2015]	Chapter 8, "Classes" §12.5, "Creation of New Class Instances"
[Rogue 2000]	Rule 81, Do not call non-final methods from within a constructor

...

Image Added Image Added Image Added Image Removed 05. Methods (MET) MET05-J. Do not use overloaded methods to differentiate between runtime types

Space shortcuts

Page tree

Versions Compared

Old Version 56

New Version Current

Key

Noncompliant Code Example

Compliant Solution

Risk Assessment

Automated Detection

Related Vulnerabilities

Bibliography

Related Guidelines

Bibliography