An instance method defined in a subclass overrides another instance method in the superclass when

  • Both have the same name
  • The number and types of parameters are the same
  • The return type is the same

The term hiding is used in the context of a class method (or field) that has the same signature as the corresponding class method (or field) in the superclass or superinterface.

The difference between these two is that the overridden method gets invoked from the subclass while the hidden method may get invoked from either the superclass or the subclass, depending on how it is invoked (name qualification).

Noncompliant Code Example

To differentiate between overriding and hiding, a common nomenclature is used. The method to be invoked is decided at either compile time (if the base method is static, as in this noncompliant code example) according to the type of the qualifier or at run time otherwise (for non-static methods). A qualifier is a part of the invocation expression before the dot (for example, the variables admin and user in this noncompliant code example).

This noncompliant example attempts to override a static method but fails to treat it as a case of hiding. As a result, the displayAccountStatus() method of the superclass is invoked for both calls. Moreover, expressions that are normally used for dynamic dispatch when overriding are used here, even though dynamic dispatch is impossible with static methods.

class GrantAccess {
  public static void displayAccountStatus() {
    System.out.print("Account details for admin: XX");
  }
}

class GrantUserAccess extends GrantAccess {
  public static void displayAccountStatus() {
    System.out.print("Account details for user: XX");
  }
}

public class StatMethod {
  public static void choose(String username) {
    GrantAccess admin = new GrantAccess();
    GrantAccess user = new GrantUserAccess();
    if(username.equals("admin")) {
      admin.displayAccountStatus();
    } else {
      user.displayAccountStatus();
    }
  }

  public static void main(String[] args) {
    choose("user");
  }
}

Compliant Solution

This compliant solution correctly classifies this case as hiding and uses absolute, fully qualified class names GrantAccess and GrantUserAccess to clearly state the intent. Refrain from qualifying a static method invocation with an expression meant for dynamic dispatch.

class GrantAccess {
  public static void displayAccountStatus() {
    System.out.print("Account details for admin: XX");
  }
}

class GrantUserAccess extends GrantAccess {
  public static void displayAccountStatus() {
    System.out.print("Account details for user: XX");
  }
}

public class StatMethod {
  public static void choose(String username) {
    if(username.equals("admin")) {
      GrantAccess.displayAccountStatus();
    } else {
      GrantUserAccess.displayAccountStatus();
    }
  }
  
  public static void main(String[] args) {
    choose("user");
  }
}

Note that "In a subclass, you can overload the methods inherited from the superclass. Such overloaded methods neither hide nor override the superclass methods—they are new methods, unique to the subclass." [[Tutorials 2008]].

Technically, a private method cannot be hidden or overridden. There is no requirement that private methods with the same signature in the subclass and the superclass bear any relationship in terms of having the same return type or throws clause, which are the necessary conditions for hiding [[JLS 2005]]. Consequently, there may be no hiding when the methods have different return types or throws clauses.

It is recommended that the @Override annotation be used to clearly specify that a method is the overridden version and not the hidden one.
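
The following example is added here and is not part of the original guideline. It calls an overridden and a hidden method through the same qualifier, and goes beyond the text with a reflection-based check that lists hidden static methods. The names Base, Derived, HidingCheck and hiddenStatics are hypothetical, and the check assumes all classes share one package.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;

class Base {
  public static String kind() { return "Base.kind"; }
  public String name() { return "Base.name"; }
}

class Derived extends Base {
  // Hides Base.kind(); annotating it with @Override is a compile-time error.
  public static String kind() { return "Derived.kind"; }

  @Override  // accepted: this really overrides Base.name()
  public String name() { return "Derived.name"; }
}

public class HidingCheck {
  // Lists static methods declared in sub that hide a non-private static
  // method of an ancestor class (same name and parameter types).
  // Simplification: all classes are assumed to share one package.
  static List<String> hiddenStatics(Class<?> sub) {
    List<String> found = new ArrayList<>();
    for (Method m : sub.getDeclaredMethods()) {
      if (!Modifier.isStatic(m.getModifiers()) || m.isSynthetic()) continue;
      for (Class<?> c = sub.getSuperclass(); c != null; c = c.getSuperclass()) {
        try {
          Method s = c.getDeclaredMethod(m.getName(), m.getParameterTypes());
          int mod = s.getModifiers();
          if (Modifier.isStatic(mod) && !Modifier.isPrivate(mod)) {
            found.add(sub.getSimpleName() + "." + m.getName()
                + " hides " + c.getSimpleName() + "." + s.getName());
          }
        } catch (NoSuchMethodException e) {
          // This ancestor declares no method with that signature.
        }
      }
    }
    return found;
  }

  public static void main(String[] args) {
    Base ref = new Derived();
    System.out.println(ref.name());  // overriding: chosen by the run-time type
    System.out.println(ref.kind());  // hiding: chosen by the declared type Base
    System.out.println(hiddenStatics(Derived.class));
  }
}
```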

Risk Assessment

Confusing overriding and hiding can produce unexpected results.

Guideline   Severity   Likelihood   Remediation Cost   Priority   Level
MET11-J     low        unlikely     medium             P2         L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Bibliography

[[Tutorials 2008]] Overriding and Hiding Methods
[[Bloch 2005]] Puzzle 48: All I Get Is Static
[[JLS 2005]] 8.4.6.3 Requirements in Overriding and Hiding

