Java supports overloading methods and can distinguish between methods with different method signatures. This means that, with some qualifications, methods within a class can have the same name if they have different parameter lists. In method overloading, the method to be invoked is selected at compile time. Consequently, the overloaded method associated with the static type of the argument is invoked, even when the runtime type differs for each invocation.
Do not introduce ambiguity while overloading (see [MET01-J. Avoid ambiguous uses of overloading]), and use overloaded methods sparingly [[Tutorials 2010]], as they can make code much less readable.
Noncompliant Code Example
This noncompliant code example attempts to use the overloaded display() method to perform different actions depending on whether the method is passed an ArrayList<Integer> or a LinkedList<String>.
```java
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Vector;

public class Overloader {
  private static String display(ArrayList<Integer> a) {
    return "ArrayList";
  }

  private static String display(LinkedList<String> l) {
    return "LinkedList";
  }

  private static String display(List<?> l) {
    return "List is not recognized";
  }

  public static void main(String[] args) {
    // Single ArrayList
    System.out.println(display(new ArrayList<Integer>()));

    // Array of lists
    List<?>[] invokeAll = new List<?>[] {new ArrayList<Integer>(),
                                         new LinkedList<String>(),
                                         new Vector<Integer>()};
    for (List<?> i : invokeAll) {
      System.out.println(display(i));
    }
  }
}
```
At compile time, the type of the object array is List. The expected output is ArrayList, ArrayList, LinkedList and List is not recognized (because java.util.Vector does not inherit from java.util.List). The actual output is ArrayList followed by three instances of List is not recognized. The cause of this unexpected behavior is that overloaded method invocations are affected only by the compile-time type of their arguments: ArrayList for the first invocation and List for the others. Do not use overloading where overriding would be natural [[Bloch 2008]].
Compliant Solution
This compliant solution uses a single display method and instanceof to distinguish between different types. As expected, the output is ArrayList, ArrayList, LinkedList, List is not recognized.
```java
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Vector;

public class Overloader {
  // A single method: the decision is made on the runtime type of the argument
  private static String display(List<?> l) {
    return (l instanceof ArrayList ? "ArrayList"
        : (l instanceof LinkedList ? "LinkedList" : "List is not recognized"));
  }

  public static void main(String[] args) {
    // Single ArrayList
    System.out.println(display(new ArrayList<Integer>()));

    List<?>[] invokeAll = new List<?>[] {new ArrayList<Integer>(),
                                         new LinkedList<String>(),
                                         new Vector<Integer>()};
    for (List<?> i : invokeAll) {
      System.out.println(display(i));
    }
  }
}
```
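The following added example is not part of the original guideline. It makes the compile-time resolution concrete by passing one and the same object to three overloads through references of different static types, and then shows the overriding-based alternative that [[Bloch 2008]] recommends, where the JVM dispatches on the runtime class. The class name OverloadVsOverride, the describe methods and the Describable types are assumptions chosen for this illustration.

```java
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;

public class OverloadVsOverride {

  // Overloads: the compiler picks one based on the argument's static type.
  private static String describe(ArrayList<?> a) { return "ArrayList"; }
  private static String describe(List<?> l)      { return "List"; }
  private static String describe(Object o)       { return "Object"; }

  // Overriding: the JVM picks the implementation based on the runtime class.
  interface Describable { String describe(); }

  static class DescribableArrayList<E> extends ArrayList<E> implements Describable {
    @Override public String describe() { return "ArrayList"; }
  }

  static class DescribableLinkedList<E> extends LinkedList<E> implements Describable {
    @Override public String describe() { return "LinkedList"; }
  }

  public static void main(String[] args) {
    ArrayList<Integer> asArrayList = new ArrayList<>();
    List<Integer> asList = asArrayList;   // same object, wider static type
    Object asObject = asArrayList;        // same object, widest static type

    // One runtime object, three different overloads chosen at compile time:
    // prints ArrayList, List, Object
    System.out.println(describe(asArrayList));
    System.out.println(describe(asList));
    System.out.println(describe(asObject));

    // With overriding, the static type of the reference no longer matters:
    // prints ArrayList, LinkedList
    Describable[] items = {new DescribableArrayList<Integer>(),
                           new DescribableLinkedList<String>()};
    for (Describable d : items) {
      System.out.println(d.describe());
    }

    // Even through an Object reference the runtime class decides: prints ArrayList
    Object hidden = items[0];
    System.out.println(((Describable) hidden).describe());
  }
}
```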
Risk Assessment
Ambiguous uses of overloading can lead to unexpected results.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level
---|---|---|---|---|---
MET05-J | low | unlikely | high | P1 | L3
Automated Detection
Sound automated detection of violations is infeasible, because it would require determination of programmer intent. Heuristic techniques may be useful.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
[[API 2006]] Interface Collection
[[Bloch 2008]] Item 41: Use overloading judiciously
[[Tutorials 2010]] Defining Methods