Calling overridable methods from the clone() method is insecure. First, a malicious subclass could override the method and affect the behavior of the clone() method. Second, a trusted subclass could observe (and potentially modify) the cloned object in a partially initialized state before its construction has concluded. In either case, the subclass could leave the clone, the object being cloned, or both in an inconsistent state. Consequently, clone() methods may invoke only methods that are final or private. As an exception, it is permitted to call a superclass's method via super.func(...), since such calls will not be dynamically dispatched to methods defined by a subclass; indeed, calling super.clone() is expected behavior.
This rule is closely related to MET05-J. Ensure that constructors do not call overridable methods.
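The following is an added illustration, not code from the CERT rule itself: a `clone()` that calls an overridable hook hands the subclass a copy whose array field still aliases the original's, so the subclass's override runs against a partially initialized clone and can alter the object being cloned. The compliant class makes the hook `final` and finishes the deep copy before doing any other work. Class and method names (`NoncompliantBuffer`, `Observer`, `CompliantBuffer`, `doSomething`) are assumed for the example.

```java
import java.util.Arrays;

// Added example (not CERT's own code). Noncompliant: clone() invokes an
// overridable method while the copy is only a shallow copy of the original.
class NoncompliantBuffer implements Cloneable {
    protected byte[] data;

    NoncompliantBuffer(byte[] data) {
        this.data = data.clone();
    }

    @Override
    public Object clone() throws CloneNotSupportedException {
        NoncompliantBuffer copy = (NoncompliantBuffer) super.clone(); // shallow: copy.data == this.data
        copy.doSomething();          // dynamically dispatched to a subclass override
        copy.data = data.clone();    // deep copy happens only after the hook ran
        return copy;
    }

    // Overridable hook: the defect the rule is about.
    public void doSomething() { }
}

// A subclass whose override observes (and mutates) the half-initialized clone.
class Observer extends NoncompliantBuffer {
    Observer(byte[] data) { super(data); }

    @Override
    public void doSomething() {
        // At this point 'data' is still the original object's array,
        // so writing to it changes the object being cloned, not just the clone.
        data[0] = 0x7f;
    }
}

// Compliant: the hook is final (cannot be intercepted) and the deep copy
// is complete before anything else touches the clone.
class CompliantBuffer implements Cloneable {
    protected byte[] data;

    CompliantBuffer(byte[] data) { this.data = data.clone(); }

    @Override
    public Object clone() throws CloneNotSupportedException {
        CompliantBuffer copy = (CompliantBuffer) super.clone();
        copy.data = data.clone();    // clone is fully initialized from here on
        copy.doSomething();          // final: always this class's implementation
        return copy;
    }

    public final void doSomething() { }
}

public class CloneDemo {
    public static void main(String[] args) throws CloneNotSupportedException {
        byte[] original = {1, 2, 3};   // constructed sample input

        Observer source = new Observer(original);
        NoncompliantBuffer copy = (NoncompliantBuffer) source.clone();
        // The subclass hook ran while copy.data aliased source.data, so the
        // source object was modified as a side effect of cloning it.
        System.out.println("noncompliant source after clone: " + Arrays.toString(source.data));
        System.out.println("noncompliant copy:               " + Arrays.toString(copy.data));

        CompliantBuffer safe = new CompliantBuffer(original);
        CompliantBuffer safeCopy = (CompliantBuffer) safe.clone();
        // No subclass can run code during clone(); source and copy are independent.
        safeCopy.data[0] = 0x7f;
        System.out.println("compliant source after edit:     " + Arrays.toString(safe.data));
        System.out.println("compliant copy after edit:       " + Arrays.toString(safeCopy.data));
    }
}
```

Compile and run with `javac CloneDemo.java && java CloneDemo`. The fix combines both rules the text states: the only non-final call left in the compliant `clone()` is `super.clone()`, which is never dispatched to a subclass, and the deep copy completes before any other method runs on the new object.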
...