Made by DeepSource

Custom serialization method is declared with an incorrect signature (JAVA-E1033)

Bug risk
Major

This class declares one or more custom serialization methods, but they do not match the signatures expected by Java's serialization API.

Change the signature(s) to match the expected type.

Java expects the signatures of the readObject, readObjectNoData and writeObject methods to exactly match the ones codified in the specification for the Serializable API:

Classes that require special handling during the serialization and deserialization process must implement special methods with these exact signatures:

```java
private void writeObject(java.io.ObjectOutputStream out) throws IOException;

private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException;

private void readObjectNoData() throws ObjectStreamException;
```

If these methods are not declared with the correct signatures, Java silently ignores them and performs default serialization without the expected custom behavior.

Serialization works this way because the custom serialization behavior of a class applies only to the fields declared in that class and cannot be shared with its descendants. Custom serialization methods are therefore private. Descendants of the class are likewise expected to privately implement whatever extra logic is required to serialize and deserialize their own declared fields.

Bad Practice

```java
// readObjectNoData should return void!
private int readObjectNoData() throws ObjectStreamException {
    // ...
}

// readObject should not be public!
public void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
    // ...
}

// writeObject should not throw ClassNotFoundException!
private void writeObject(ObjectOutputStream object) throws ClassNotFoundException {
    // ...
}
```

Recommended

Declare these methods with exactly the signatures Java expects: private, returning void, with the parameter types and exception clauses shown above.
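As an added example (not DeepSource's code), the class below declares all three methods with the exact signatures and uses readObject to re-check a class invariant on the deserialized state, which is where defensive validation of untrusted streams belongs. The class name Quota, its field, and the corrupted-stream demonstration in main are constructed for illustration.

```java
import java.io.*;

// Added example (not DeepSource's code): readObject re-validates an invariant, which
// only happens when the method carries the exact signature Java looks for.
public class SerializationSignatures {
    static final class Quota implements Serializable {
        private static final long serialVersionUID = 1L;
        private final int limit;   // invariant: always positive
        Quota(int limit) {
            if (limit <= 0) throw new IllegalArgumentException("limit must be positive");
            this.limit = limit;
        }
        // Exact signature. Declared public, or with a non-void return type, the
        // runtime silently skips it and the check below never runs.
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            if (limit <= 0) throw new InvalidObjectException("limit out of range: " + limit);
        }
        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
        }
        private void readObjectNoData() throws ObjectStreamException {
            throw new InvalidObjectException("stream carries no data for Quota");
        }
    }
    static byte[] serialize(Quota q) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(q); }
        return bytes.toByteArray();
    }
    static Quota deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return (Quota) in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] data = serialize(new Quota(0x01020304));
        System.out.println("intact stream -> limit " + deserialize(data).limit);
        // Constructed corruption: locate the big-endian field value 01 02 03 04 and
        // overwrite it with -1, so only the readObject check rejects the bad object.
        int at = -1;
        for (int i = data.length - 4; i >= 0 && at < 0; i--)
            if (data[i] == 1 && data[i + 1] == 2 && data[i + 2] == 3 && data[i + 3] == 4) at = i;
        for (int k = 0; k < 4; k++) data[at + k] = (byte) 0xFF;
        try { deserialize(data); }
        catch (InvalidObjectException e) { System.out.println("rejected by readObject: " + e.getMessage()); }
    }
}
```

Change readObject to `public void readObject(...)` and rerun: the corrupted stream then deserializes into a Quota with a negative limit without any error, which is exactly the silent failure this rule flags.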

References