Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Java: document serialization proxy pattern #18480

Merged
merged 1 commit into from
Jan 14, 2025
Merged

Java: document serialization proxy pattern #18480

merged 1 commit into from
Jan 14, 2025

Conversation

smowton
Copy link
Contributor

@smowton smowton commented Jan 13, 2025

Note I haven't included a reference because I can't find a sufficiently-authoritative source -- only a blog quoting Effective Java seems close to appropriate, and I suspect that's pirated.

@smowton
Java: document serialization proxy pattern
0b62338 
Note I haven't included a reference because I can't find a sufficiently-authoritative source -- only a blog quoting Effective Java seems close to appropriate, and I suspect that's pirated.
@Copilot Copilot bot review requested due to automatic review settings January 13, 2025 11:49
@smowton smowton requested a review from a team as a code owner January 13, 2025 11:49
Copilot
Copilot AI reviewed Jan 13, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)
  • java/ql/src/Likely Bugs/Serialization/MissingVoidConstructorsOnSerializable.qhelp: Language not supported

Tip: Copilot code review supports C#, Go, Java, JavaScript, Markdown, Python, Ruby and TypeScript, with more languages coming soon. Learn more

@github-actions GitHub Actions
Copy link
Contributor

QHelp previews:

java/ql/src/Likely Bugs/Serialization/MissingVoidConstructorsOnSerializable.qhelp

Serializable but no void constructor

A serializable class that is a subclass of a non-serializable class cannot be deserialized if its superclass does not declare a no-argument constructor. The Java serialization framework uses the no-argument constructor when it initializes the object instance that is created during deserialization. Deserialization fails with an InvalidClassException if its superclass does not declare a no-argument constructor.

The Java Development Kit API documentation states:

To allow subtypes of non-serializable classes to be serialized, the subtype may assume responsibility for saving and restoring the state of the supertype's public, protected, and (if accessible) package fields. The subtype may assume this responsibility only if the class it extends has an accessible no-arg constructor to initialize the class's state. It is an error to declare a class Serializable if this is not the case. The error will be detected at runtime.

Recommendation

Make sure that every non-serializable class that is extended by a serializable class has a no-argument constructor. Alternatively, consider defining a writeReplace method that replaces the Serializable class instance with a serialization proxy, so as to avoid direct deserialization of a class whose parent lacks a no-argument constructor.

Example

In the following example, the class WrongSubItem cannot be deserialized because its superclass WrongItem does not declare a no-argument constructor. However, the class SubItem can be serialized because it declares a no-argument constructor.

class WrongItem {
    private String name;

    // BAD: This class does not have a no-argument constructor, and throws an
    // 'InvalidClassException' at runtime.

    public WrongItem(String name) {
        this.name = name;
    }
}

class WrongSubItem extends WrongItem implements Serializable {
    public WrongSubItem() {
        super(null);
    }

    public WrongSubItem(String name) {
        super(name);
    }
}

class Item {
    private String name;

    // GOOD: This class declares a no-argument constructor, which allows serializable 
    // subclasses to be deserialized without error.
    public Item() {}

    public Item(String name) {
        this.name = name;
    }
}

class SubItem extends Item implements Serializable {
    public SubItem() { 
        super(null); 
    }

    public SubItem(String name) {
        super(name);
    }
}

References

  • Java API Specification: Serializable.
  • J. Bloch, Effective Java (second edition), Item 74. Addison-Wesley, 2008.

@smowton smowton merged commit 3e10e78 into main Jan 14, 2025
11 checks passed
@smowton smowton deleted the smowton/admin/document-serialization-proxy branch January 14, 2025 12:34
@smowton smowton mentioned this pull request Jan 14, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@owen-mc owen-mc owen-mc approved these changes

Assignees
No one assigned
Labels
documentation Java
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@smowton @owen-mc