ReadResolveObject.qhelp
<!DOCTYPE qhelp PUBLIC
"-//Semmle//qhelp//EN"
"qhelp.dtd">
<qhelp>
<overview>
<p>
If a class uses the <code>readResolve</code> method to specify a replacement object instance when the object is read from a stream,
ensure that the signature of <code>readResolve</code> is <em>exactly</em> what the Java serialization mechanism
expects.</p>
</overview>
<recommendation>
<p>
Ensure that the signature of the <code>readResolve</code> method in the class matches the expected signature:</p>
<p>
<code>
ANY-ACCESS-MODIFIER Object readResolve() throws ObjectStreamException;
</code>
</p>
<p>Note that the method <em>must</em> return a <code>java.lang.Object</code>.
</p>
<p>
If <code>readResolve</code> is used for instance control of a serializable singleton
(that is, to make sure that deserializing the singleton class does not create a second instance),
it may be possible to use an <code>enum</code> with a single element instead. The Java serialization specification
explicitly ensures that deserializing an <code>enum</code> does not create a new instance.
(For details about this technique, see [Bloch].)
</p>
</recommendation>
<example>
<p>In the following example, <code>FalseSingleton.readResolve</code> has the wrong signature, which
causes deserialization to create a new instance of the singleton. However, <code>Singleton.readResolve</code>
has the correct signature, which means that deserialization does not result in another instance of
the singleton.</p>
<sample src="ReadResolveObject.java" />
</example>
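The following added demo (not the query's own sample, and the class names are assumed) round-trips both singletons and the recommended enum alternative through in-memory object streams and compares each result by identity with its canonical instance:

```java
import java.io.*;

// Added demo: each singleton is serialized to a byte array and read back,
// then compared by identity against the canonical instance.
public class ReadResolveDemo {
    // BAD: the return type is FalseSingleton, not java.lang.Object, so the
    // serialization runtime does not recognize this as a readResolve method.
    static final class FalseSingleton implements Serializable {
        private static final long serialVersionUID = 1L;
        static final FalseSingleton INSTANCE = new FalseSingleton();
        private FalseSingleton() {}
        public FalseSingleton readResolve() throws ObjectStreamException {
            return INSTANCE;
        }
    }

    // GOOD: ANY-ACCESS-MODIFIER Object readResolve() throws ObjectStreamException
    static final class Singleton implements Serializable {
        private static final long serialVersionUID = 1L;
        static final Singleton INSTANCE = new Singleton();
        private Singleton() {}
        private Object readResolve() throws ObjectStreamException {
            return INSTANCE;
        }
    }

    // Alternative from the recommendation: a single-element enum needs no
    // readResolve, because enum constants are deserialized by name.
    enum EnumSingleton { INSTANCE }

    // Writes obj to an in-memory stream and reads it back.
    static Object roundTrip(Object obj) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()))) {
            return in.readObject();
        }
    }

    // True only if deserialization handed back the very same instance.
    static boolean survivesRoundTrip(Object canonical) throws Exception {
        return roundTrip(canonical) == canonical;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("FalseSingleton: " + survivesRoundTrip(FalseSingleton.INSTANCE));
        System.out.println("Singleton:      " + survivesRoundTrip(Singleton.INSTANCE));
        System.out.println("EnumSingleton:  " + survivesRoundTrip(EnumSingleton.INSTANCE));
    }
}
```

Only the class whose <code>readResolve</code> returns <code>Object</code>, and the enum, hand back the canonical instance; the mis-declared method is silently ignored.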
<references>
<li>
Java API Specification:
<a href="https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/io/Serializable.html">Serializable</a>.
</li>
<li>
Java Object Serialization Specification:
<a href="https://docs.oracle.com/en/java/javase/11/docs/specs/serialization/input.html#the-readresolve-method">3.7 The readResolve Method</a>,
<a href="https://docs.oracle.com/en/java/javase/11/docs/specs/serialization/serial-arch.html#serialization-of-enum-constants">1.12 Serialization of Enum Constants</a>.
</li>
<li>
J. Bloch, <em>Effective Java (second edition)</em>,
Item 77.
Addison-Wesley, 2008.
</li>
</references>
</qhelp>