The Java Virtual Machine Specification Java SE 7 Edition finally has a section about method overriding (5.4.5). Unfortunately, it does not document the behavior of the Java 7 reference implementation, nor the Java 6 behavior. It also turns out to be a bad design.
Suppose you have a third party widget framework that has a class:
package org.example;
public class Widget
{
}
And your application has a subclass of Widget:
package fubar.tech;
public class MyWidget extends org.example.Widget
{
void frob() { ... }
}
The frob() method is package private and you don't want external code calling it. Now a new version of the widget framework is released that adds a frob method to Widget:
package org.example;
public class Widget
{
public void frob() { }
}
Starting with Java 7 (and this particular behavior is defined by the spec) your package private MyWidget frob() will now override Widget.frob() and hence be callable by anyone who happens to have a reference to your object. If MyWidget.frob() does anything security critical, the third party framework has now introduced a vulnerability in your code.
Java already had a poor story for adding virtual methods to public classes, but this change has made it even worse.