Java serialization: readObject() vs. readResolve()

Question

The book Effective Java and other sources provide a pretty good explanation of how and when to use the readObject() method when working with serializable Java classes. The readResolve() method, on the other hand, remains a bit of a mystery. Basically all documents I found either mention only one of the two or mention both, but only individually.

Questions that remain unanswered are:

What is the difference between the two methods?
When should which method be implemented?
How should readResolve() be used, especially in terms of returning what?

I hope you can shed some light on this matter.

Example from Oracle's JDK: `String.CaseInsensitiveComparator.readResolve()` — kevinarpe, Jan 06 '18 at 11:26

score 167 · Accepted Answer · answered Jul 22 '09 at 21:31

readResolve is used for replacing the object read from the stream. The only use I've ever seen for this is enforcing singletons; when an object is read, replace it with the singleton instance. This ensures that nobody can create another instance by serializing and deserializing the singleton.

answered Jul 22 '09 at 21:31

Michael Myers

There are a number of ways for malicious code (or even data) to get around that. – Tom Hawtin - tackline Jul 22 '09 at 21:33
Yes, please explain. Flyweight patterns rely on this working, so how can it break? – Steve Armstrong Mar 18 '10 at 15:46
Josh Bloch talks about the conditions under which this breaks in Effective Java, 2nd ed., Item 77. He also mentions it in a talk he gave at Google I/O a couple of years back (towards the end of the talk): http://www.youtube.com/watch?v=pi_I7oD_uGI – calvinkrishy Sep 18 '10 at 03:26
Book page mentioned by @calvinkrishy: http://books.google.co.uk/books?id=ka2VUBqHiWkC&lpg=PP1&dq=effective+java&pg=PA308&redir_esc=y#v=onepage&q&f=false – TWiStErRob Jun 02 '14 at 21:42
And in this scenario, the singleton must be eagerly loaded. – shellbye Apr 06 '15 at 03:13
I find this answer slightly inadequate, as it does not mention `transient` fields. `readResolve` is used for *resolving* the object after it is read. An example use is perhaps an object holds some cache that can be recreated from existing data and does not need to be serialized; the cached data can be declared `transient` and `readResolve()` can rebuild it after deserialization. Things like that are what this method is for. – Jason C May 06 '15 at 02:33
@JasonC your comment that "Things like that [transient handling] are what this method _is for_" is misleading. See the Java doc for `Serializable`: it says "Classes that need to designate a **replacement** when an instance of it is read from the stream should implement this [`readResolve`] special method...". – Opher Oct 12 '16 at 12:30
@Opher I think it's safe to say, the name of the method is misleading! However, I imagine both use cases are possible. – jpaugh Oct 14 '16 at 15:09
The readResolve method can also be used in a corner case: suppose you have serialized a lot of objects and stored them in a database. If at a later point you want to migrate that data to a new format, you can easily do that in the readResolve method. – Nilesh Rajani May 20 '18 at 12:26
*Josh Bloch talks about the conditions under which this breaks in effective Java 2nd ed. Item 77*: Here's a link with the time code (28:51) where this is mentioned. https://www.youtube.com/watch?v=pi_I7oD_uGI&t=1731 – antak Feb 17 '19 at 06:25
https://www.geeksforgeeks.org/prevent-singleton-pattern-reflection-serialization-cloning/#:~:text=Suppose%20you%20serialize%20an%20object,hence%20break%20the%20singleton%20pattern.&text=As%20you%20can%20see%2C%20hashCode,class%20is%20no%20more%20singleton. – Asad Shakeel Oct 02 '20 at 09:55

Tom Hawtin - tackline · Answer 2 · 2019-05-04T11:56:18.797

Item 90, Effective Java, 3rd Ed covers readResolve and writeReplace for serial proxies - their main use. The examples do not write out readObject and writeObject methods because they are using default serialisation to read and write fields.

readResolve is called after readObject has returned (conversely, writeReplace is called before writeObject, and probably on a different object). The object the method returns replaces this object as the result returned to the user of ObjectInputStream.readObject and in any further back references to the object in the stream. Both readResolve and writeReplace may return objects of the same or a different type. Returning the same type is useful in some cases where fields must be final and either backward compatibility is required or values must be copied and/or validated.
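
As a rough sketch of the serial proxy idea described above (not the book's code): the class name Range, its nested Proxy and the roundTrip helper are made up for illustration. The proxy is what actually travels through the stream, and its readResolve rebuilds the real object through the validating constructor, so the fields can stay final.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.io.UncheckedIOException;

// Hypothetical immutable value class; names and fields are illustrative only.
final class Range implements Serializable {
    private static final long serialVersionUID = 1L;

    private final int low;
    private final int high;

    Range(int low, int high) {
        if (low > high) {
            throw new IllegalArgumentException("low > high");
        }
        this.low = low;
        this.high = high;
    }

    int low() { return low; }
    int high() { return high; }

    // Called before writing: the proxy is serialized instead of this object.
    private Object writeReplace() {
        return new Proxy(low, high);
    }

    // A Range must never be read directly from a stream; only the proxy is accepted.
    private void readObject(ObjectInputStream in) throws InvalidObjectException {
        throw new InvalidObjectException("Proxy required");
    }

    private static final class Proxy implements Serializable {
        private static final long serialVersionUID = 1L;

        private final int low;
        private final int high;

        Proxy(int low, int high) {
            this.low = low;
            this.high = high;
        }

        // Called after the proxy's fields have been read: the returned Range
        // replaces the proxy and goes through the validating constructor.
        private Object readResolve() {
            return new Range(low, high);
        }
    }

    // Helper for the demo: serializes to a byte array and reads the object back.
    static Object roundTrip(Object o) {
        try {
            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
                out.writeObject(o);
            }
            try (ObjectInputStream in =
                     new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
                return in.readObject();
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        } catch (ClassNotFoundException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Calling Range.roundTrip(new Range(1, 5)) should hand back a new Range with the same bounds; the Proxy instance itself never reaches the caller.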

Use of readResolve does not enforce the singleton property.

score 9 · Answer 3 · edited Sep 01 '16 at 12:01

readResolve can be used to change the data that was deserialized through the readObject method. For example, the XStream API uses this feature to initialize some attributes that were not in the XML being deserialized.

http://x-stream.github.io/faq.html#Serialization

edited Sep 01 '16 at 12:01

facundofarias

answered May 05 '13 at 00:42

endless

XML and Xstream aren't relevant to a question about Java Serialization, and the question was answered correctly years ago. -1 – user207421 May 05 '13 at 00:45
The accepted answer states that readResolve is used to replace an object. This answer provides the useful additional information that it can be used to modify an object during deserialization. XStream was given as an example, not as the only possible library in which that happens. – Enwired Feb 26 '14 at 01:00

score 8 · Answer 4 · edited May 06 '22 at 07:01

readObject() is an existing method in the ObjectInputStream class. During deserialization, readObject() internally checks whether the class of the object being deserialized implements a readResolve() method. If readResolve() exists, it is invoked and its return value is handed back to the caller.

A sample readResolve() implementation would look like this:

protected Object readResolve() {
  return INSTANCE;
}

So the intent of writing a readResolve() method like this is to ensure that the instance already living in the JVM is returned to the caller, instead of the new object created during deserialization.

score 5 · Answer 5 · answered Jun 27 '14 at 19:47

readResolve is for when you may need to return an existing object, e.g. because you're checking for duplicate inputs that should be merged, or (e.g. in eventually-consistent distributed systems) because it's an update that may arrive before you're aware of any older versions.

answered Jun 27 '14 at 19:47

Pr0methean

readResolve() was clear to me, but I still had some unanswered questions in mind, and your answer just read my mind. Thanks – Rajni Gangwar Nov 20 '17 at 17:31

score 3 · Answer 6 · answered Mar 17 '19 at 17:06

As already answered, readResolve is a (typically private) method declared on the serializable class and invoked by ObjectInputStream while deserializing an object. It is called just before the instance is returned to the caller. For a singleton, it lets us return the already existing singleton instance instead of the newly deserialized one. Similarly, there is writeReplace for ObjectOutputStream.

Example for readResolve:

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SingletonWithSerializable implements Serializable {
    private static final long serialVersionUID = 1L;

    public static final SingletonWithSerializable INSTANCE = new SingletonWithSerializable();

    private SingletonWithSerializable() {
        // Guards against a second instance being created, e.g. through reflection.
        if (INSTANCE != null)
            throw new RuntimeException("Singleton instance already exists!");
    }

    // Invoked by ObjectInputStream after the object has been read;
    // the returned reference replaces the freshly deserialized copy.
    private Object readResolve() {
        return INSTANCE;
    }

    public void leaveTheBuilding() {
        System.out.println("SingletonWithSerializable.leaveTheBuilding() called...");
    }

    public static void main(String[] args) throws IOException, ClassNotFoundException {
        SingletonWithSerializable instance = SingletonWithSerializable.INSTANCE;

        System.out.println("Before serialization: " + instance);

        try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream("file1.ser"))) {
            out.writeObject(instance);
        }

        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream("file1.ser"))) {
            SingletonWithSerializable readObject = (SingletonWithSerializable) in.readObject();
            System.out.println("After deserialization: " + readObject);
        }
    }
}

Output:

Before serialization: com.ej.item3.SingletonWithSerializable@7852e922
After deserialization: com.ej.item3.SingletonWithSerializable@7852e922

score 3 · Answer 7 · edited Jun 20 '20 at 09:12

readResolve() ensures that the singleton contract is preserved during deserialization.
Please refer

edited Jun 20 '20 at 09:12

Community

answered Aug 28 '11 at 14:20

Kanagavelu Sugumar

score 2 · Answer 8 · answered Dec 18 '16 at 19:35

When an object that was serialized (for example, saved to a file) is read back, the readResolve() method is triggered. The method is usually private and lives in the class whose object is being deserialized. Provided it returns the existing instance, it ensures that the object returned after deserialization is the same one that was serialized. That is, instanceSer.hashCode() == instanceDeSer.hashCode()

readResolve() is not a static method. After in.readObject() is called during deserialization, it makes sure that the returned object is the same as the one that was serialized with out.writeObject(instanceSer), as below:

..
    ObjectOutput out = new ObjectOutputStream(new FileOutputStream("file1.ser"));
    out.writeObject(instanceSer);
    out.close();

In this way, it also helps in implementing the singleton design pattern, because the same instance is returned every time.

public static ABCSingleton getInstance(){
    return ABCSingleton.instance; //instance is static 
}

score 2 · Answer 9 · answered Apr 22 '19 at 16:42

I know this question is really old and has an accepted answer, but as it pops up very high in google search I thought I'd weigh in because no provided answer covers the three cases I consider important - in my mind the primary use for these methods. Of course, all assume that there is actually a need for custom serialization format.

Take, for example, collection classes. Default serialization of a linked list or a BST would result in a huge loss of space with very little performance gain compared to just serializing the elements in order. This is even more true if a collection is a projection or a view, i.e. it keeps a reference to a larger structure than it exposes through its public API.

If the serialized object has immutable fields which need custom serialization, the original solution of writeObject/readObject is insufficient, as the deserialized object is created before reading the part of the stream written in writeObject. Take this minimal implementation of a linked list:

public class List<E> implements Serializable {
    public final E head;
    public final List<E> tail;

    public List(E head, List<E> tail) {
        if (head==null)
            throw new IllegalArgumentException("null as a list element");
        this.head = head;
        this.tail = tail;
    }

    //methods follow...
}

This structure can be serialized by recursively writing the head field of every link, followed by a null value. Deserializing such a format, however, becomes impossible: readObject can't change the values of member fields (now fixed to null). Here comes the writeReplace/readResolve pair:

private Object writeReplace() {
    return new Serializable() {
        private transient List<E> contents = List.this;

        // Writes every element in order, followed by a null terminator.
        private void writeObject(ObjectOutputStream oos) throws IOException {
            List<E> list = contents;
            while (list != null) {
                oos.writeObject(list.head);
                list = list.tail;
            }
            oos.writeObject(null);
        }

        @SuppressWarnings("unchecked")
        private void readObject(ObjectInputStream ois) throws IOException, ClassNotFoundException {
            E head = (E) ois.readObject();
            if (head != null) {
                readObject(ois); //read the tail and assign it to this.contents
                this.contents = new List<>(head, this.contents);
            }
        }

        // The rebuilt list replaces this delegate in the deserialized graph.
        private Object readResolve() {
            return this.contents;
        }
    };
}

I am sorry if the above example doesn't compile (or work), but hopefully it is sufficient to illustrate my point. If you think this is a very far-fetched example, please remember that many functional languages run on the JVM and this approach becomes essential in their case.
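
For comparison, here is a self-contained sketch of the same idea that is meant to compile and round-trip. It uses a static nested proxy and an iterative read instead of the anonymous class and recursion. The names ConsList, Proxy and roundTrip are assumptions for illustration, not part of the code above.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.io.UncheckedIOException;
import java.util.ArrayDeque;

// Hypothetical immutable linked list; null marks the end of the list.
final class ConsList<E> implements Serializable {
    private static final long serialVersionUID = 1L;

    final E head;
    final ConsList<E> tail;

    ConsList(E head, ConsList<E> tail) {
        if (head == null) {
            throw new IllegalArgumentException("null as a list element");
        }
        this.head = head;
        this.tail = tail;
    }

    // The proxy is written to the stream instead of the list nodes themselves.
    private Object writeReplace() {
        return new Proxy<>(this);
    }

    private static final class Proxy<E> implements Serializable {
        private static final long serialVersionUID = 1L;

        private transient ConsList<E> contents;

        Proxy(ConsList<E> contents) {
            this.contents = contents;
        }

        // Flat format: every element in order, then a null terminator.
        private void writeObject(ObjectOutputStream out) throws IOException {
            out.defaultWriteObject();
            for (ConsList<E> node = contents; node != null; node = node.tail) {
                out.writeObject(node.head);
            }
            out.writeObject(null);
        }

        @SuppressWarnings("unchecked")
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // push() puts each element at the front, so iteration runs last-read first.
            ArrayDeque<E> reversed = new ArrayDeque<>();
            for (Object o = in.readObject(); o != null; o = in.readObject()) {
                reversed.push((E) o);
            }
            ConsList<E> list = null;
            for (E element : reversed) {
                list = new ConsList<>(element, list); // build from the tail towards the head
            }
            contents = list;
        }

        // The rebuilt list replaces the proxy in the deserialized object graph.
        private Object readResolve() {
            return contents;
        }
    }

    // Helper for the demo: serializes to a byte array and reads the object back.
    static Object roundTrip(Object o) {
        try {
            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
                out.writeObject(o);
            }
            try (ObjectInputStream in =
                     new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
                return in.readObject();
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        } catch (ClassNotFoundException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Because the final fields are only ever set through the constructor, the list stays immutable while the stream holds just the elements.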

We may want to actually deserialize an object of a different class than we wrote to the ObjectOutputStream. This would be the case with views such as a java.util.List implementation which exposes a slice from a longer ArrayList. Obviously, serializing the whole backing list is a bad idea and we should only write the elements from the viewed slice. Why stop there, however, and have a useless level of indirection after deserialization? We could simply read the elements from the stream into an ArrayList and return it directly instead of wrapping it in our view class.

Alternatively, having a similar delegate class dedicated to serialization may be a design choice. A good example would be reusing our serialization code. For example, if we have a builder class (similar to StringBuilder for String), we can write a serialization delegate which serializes any collection by writing an empty builder to the stream, followed by the collection size and the elements returned by the collection's iterator. Deserialization would involve reading the builder, appending all subsequently read elements, and returning the result of the final build() from the delegate's readResolve. In that case we would need to implement the serialization only in the root class of the collection hierarchy, and no additional code would be needed from current or future implementations, provided they implement the abstract iterator() and builder() methods (the latter for recreating a collection of the same type, which would be a very useful feature in itself). Another example would be a class hierarchy whose code we don't fully control: our base class(es) from a third-party library could have any number of private fields we know nothing about and which may change from one version to another, breaking our serialized objects. In that case it would be safer to write the data and rebuild the object manually on deserialization.

score 1 · Answer 10 · answered Jan 28 '16 at 04:15

The readResolve Method

For Serializable and Externalizable classes, the readResolve method allows a class to replace/resolve the object read from the stream before it is returned to the caller. By implementing the readResolve method, a class can directly control the types and instances of its own instances being deserialized. The method is defined as follows:

ANY-ACCESS-MODIFIER Object readResolve() throws ObjectStreamException;

The readResolve method is called when ObjectInputStream has read an object from the stream and is preparing to return it to the caller. ObjectInputStream checks whether the class of the object defines the readResolve method. If the method is defined, the readResolve method is called to allow the object in the stream to designate the object to be returned. The object returned should be of a type that is compatible with all uses. If it is not compatible, a ClassCastException will be thrown when the type mismatch is discovered.

For example, a Symbol class could be created for which only a single instance of each symbol binding existed within a virtual machine. The readResolve method would be implemented to determine if that symbol was already defined and substitute the preexisting equivalent Symbol object to maintain the identity constraint. In this way the uniqueness of Symbol objects can be maintained across serialization.
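
A minimal sketch of that Symbol example, under assumptions: the text above only describes the idea, so the class layout, the of factory, the ConcurrentHashMap table and the roundTrip helper are all illustrative. As comments earlier in the thread point out, readResolve alone does not protect against deliberately crafted streams.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.io.UncheckedIOException;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical interned symbol: at most one instance per name in this JVM.
final class Symbol implements Serializable {
    private static final long serialVersionUID = 1L;

    // Table of all symbols created so far, keyed by name (illustrative design).
    private static final ConcurrentHashMap<String, Symbol> TABLE = new ConcurrentHashMap<>();

    private final String name;

    private Symbol(String name) {
        this.name = name;
    }

    // Returns the existing Symbol for this name, creating it on first use.
    static Symbol of(String name) {
        return TABLE.computeIfAbsent(name, Symbol::new);
    }

    String name() {
        return name;
    }

    // The freshly deserialized copy is discarded in favour of the canonical instance.
    private Object readResolve() {
        return of(name);
    }

    // Helper for the demo: serializes to a byte array and reads the object back.
    static Object roundTrip(Object o) {
        try {
            ByteArrayOutputStream bytes = new ByteArrayOutputStream();
            try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
                out.writeObject(o);
            }
            try (ObjectInputStream in =
                     new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
                return in.readObject();
            }
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        } catch (ClassNotFoundException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

With this in place, Symbol.roundTrip(Symbol.of("alpha")) should be the very same reference as Symbol.of("alpha"), so comparisons with == keep working across serialization.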
