...
Tasks
...
that
...
run
...
for
...
extended
...
periods
...
of
...
time
...
should
...
provide
...
a
...
notification
...
mechanism
...
to
...
alert
...
upper
...
layers
...
when
...
they
...
terminate
...
abnormally.
...
Failure
...
to
...
do
...
this
...
does
...
not
...
cause
...
any
...
resource
...
leaks
...
because
...
the
...
threads
...
in
...
the
...
pool
...
are
...
still
...
recycled,
...
however,
...
it
...
makes
...
failure
...
diagnosis
...
extremely
...
difficult.
...
The
...
best
...
way
...
to
...
handle
...
exceptions
...
at
...
a
...
global
...
level
...
is
...
to
...
use
...
an
...
exception
...
handler.
...
The
...
handler
...
can
...
perform
...
diagnostic
...
actions,
...
clean-up
...
and
...
shutdown
...
the
...
Java
...
Virtual
...
Machine
...
(JVM)
...
or
...
simply
...
log
...
the
...
details
...
of
...
the
...
failure.
...
This
...
guideline
...
may
...
be
...
violated
...
if
...
the
...
code
...
for
...
all
...
runnable
...
and
...
callable
...
tasks
...
has
...
been
...
audited
...
to
...
ensure
...
that
...
no
...
exceptional
...
conditions
...
are
...
possible.
...
Nonetheless,
...
it
...
is
...
usually
...
a
...
good
...
practice
...
to
...
install
...
a
...
task
...
specific
...
or
...
global
...
exception
...
handler
...
to
...
initiate
...
recovery.
Noncompliant Code Example
This noncompliant code example consists of class PoolService that encapsulates a thread pool and a runnable class, Task. The run() method of the task can throw runtime exceptions such as NullPointerException.
| Code Block | ||
|---|---|---|
| ||
h2. Noncompliant Code Example This noncompliant code example consists of class {{PoolService}} that encapsulates a thread pool and a runnable class, {{Task}}. The {{run()}} method of the task can throw runtime exceptions such as {{NullPointerException}}. {code:bgColor=#FFCCCC} final class PoolService { private final ExecutorService pool = Executors.newFixedThreadPool(10); public void doSomething() { pool.execute(new Task()); } } final class Task implements Runnable { @Override public void run() { // ... throw new NullPointerException(); // ... } } {code} |
The
...
task
...
does
...
not
...
notify
...
upper
...
layers
...
when
...
it
...
terminates
...
unexpectedly
...
as
...
a
...
result
...
of
...
the
...
runtime
...
exception.
...
Moreover,
...
it
...
does
...
not
...
use
...
any
...
recovery
...
mechanism.
| Tasklist | ||||
|---|---|---|---|---|
| ||||
||Completed||Priority||Locked||CreatedDate||CompletedDate||Assignee||Name||
|F|M|F|1269129541975| |dmohindr|test|
|
Compliant Solution (Custom exception reporter)
This compliant solution refactors the task so that it catches Throwable and forwards it to a custom exception reporter (see EXC01-J. Use a class dedicated to reporting exceptions for details on class MyExceptionReporter).
| Code Block | ||
|---|---|---|
| ||
{dynamictasklist:thingsToDo} h2. Compliant Solution (Custom exception reporter) This compliant solution refactors the task so that it catches {{Throwable}} and forwards it to a custom exception reporter (see [EXC01-J. Use a class dedicated to reporting exceptions] for details on class {{MyExceptionReporter}}). {code:bgColor=#ccccff} // ... final class Task implements Runnable { @Override public void run() { try { // ... throw new NullPointerException(); // ... } catch(Throwable t) { // Execute any recovery code MyExceptionReporter.report(t); } finally { // Perform clean-up actions } } } {code} A {{finally}} block can be used to perform |
A finally block can be used to perform clean-up
...
actions.
...
If
...
the
...
task
...
cannot
...
be
...
refactored,
...
it
...
may
...
be
...
wrapped
...
within
...
a
...
Runnable
...
or
...
Callable
...
that
...
catches
...
Throwable
...
,
...
and
...
submitted
...
to
...
the
...
thread
...
pool.
...
Compliant Solution (ThreadPoolExecutor hooks)
| Wiki Markup |
|---|
Task specific recovery or clean-up actions can also be performed by overriding the class {{java.util.concurrent.ThreadPoolExecutor}}'s {{afterExecute()}} hook. This hook is called when a task completes successfully by executing all statements in its {{run()}} method, or halts because of an exception (A {{java.lang.Error}} might not be captured on specific implementations, see [Bug ID 6450211|http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6450211] \[[SDN 08|AA. Java References#SDN 08]\]). When using this approach, substitute the executor service with a custom {{ThreadPoolExecutor}} that overrides the {{afterExecute()}} hook as shown below: |
| Code Block | ||||
|---|---|---|---|---|
| =
| |||
} final class PoolService { // The values have been hardcoded for brevity ExecutorService pool = new CustomThreadPoolExecutor(10, 10, 10, TimeUnit.SECONDS, new ArrayBlockingQueue<Runnable>(10)); // ... } class CustomThreadPoolExecutor extends ThreadPoolExecutor { // ... Constructor ... @Override public void afterExecute(Runnable r, Throwable t) { super.afterExecute(r, t); // Perform task-specific recovery and clean-up } @Override public void terminated() { super.terminated(); // Perform final clean-up } } {code} |
Similarly,
...
the
...
terminated()
...
hook
...
is
...
called
...
after
...
all
...
the
...
tasks
...
have
...
finished
...
executing,
...
and
...
the
...
Executor
...
has
...
terminated
...
cleanly.
...
This
...
hook
...
can
...
be
...
overridden
...
to
...
release
...
resources
...
acquired
...
by
...
the
...
thread
...
pool
...
over
...
its
...
lifetime,
...
much
...
like
...
a
...
finally
...
block.
...
Compliant Solution (Uncaught
...
exception
...
handler)
...
This
...
compliant
...
solution
...
sets
...
an
...
uncaught
...
exception
...
handler
...
on
...
behalf
...
of
...
the
...
thread
...
pool.
...
During
...
its
...
construction,
...
an
...
argument
...
of
...
type
...
ThreadFactory
...
is
...
passed
...
to
...
the
...
thread
...
pool.
...
The
...
factory
...
is
...
responsible
...
for
...
creating
...
new
...
threads
...
and
...
setting
...
the
...
uncaught
...
exception
...
handler
...
on
...
their
...
behalf.
...
The
...
class
...
Task
...
remains
...
the
...
same
...
as
...
the
...
noncompliant
...
code
...
example.
| Code Block | ||||
|---|---|---|---|---|
| =
| |||
} final class PoolService { private static final ThreadFactory factory = new ExceptionThreadFactory(new MyExceptionHandler()); private static final ExecutorService pool = Executors.newFixedThreadPool(10, factory); public void doSomething() { pool.execute(new Task()); // Task is a runnable class } public static class ExceptionThreadFactory implements ThreadFactory { private static final ThreadFactory defaultFactory = Executors.defaultThreadFactory(); private final Thread.UncaughtExceptionHandler handler; public ExceptionThreadFactory(Thread.UncaughtExceptionHandler handler) { this.handler = handler; } @Override public Thread newThread(Runnable run) { Thread thread = defaultFactory.newThread(run); thread.setUncaughtExceptionHandler(handler); return thread; } } public static class MyExceptionHandler extends ExceptionReporter implements Thread.UncaughtExceptionHandler { private final Logger logger = Logger.getLogger("com.organization.Log"); // ... @Override public void uncaughtException(Thread thread, Throwable t) { logger.log(Level.SEVERE, "Thread exited with exception: " + thread.getName(), t); } } } {code} |
| Wiki Markup |
|---|
Note that the uncaught exception handler is not called if the method {{ExecutorService.submit()}} is invoked. This is because the thrown exception is considered to be part of the return status and is consequently, re-thrown by {{Future.get()}}, wrapped in an {{ExecutionException}} \[[Goetz 06|AA. Java References#Goetz 06]\]. |
...
Risk
...
Assessment
...
Failing
...
to
...
provide
...
a
...
mechanism
...
to
...
report
...
that
...
tasks
...
in
...
a
...
thread
...
pool
...
failed
...
as
...
a
...
result
...
of
...
an
...
exceptional
...
condition,
...
can
...
make
...
it
...
harder
...
to
...
find
...
the
...
source
...
of
...
the
...
issue.
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
CON37- J | low | probable | medium | P4 | L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
| Wiki Markup |
|---|
\[[API 06|AA. Java References#API 06]\] interfaces {{ExecutorService}}, {{ThreadFactory}} and class {{Thread}}
\[[Goetz 06|AA. Java References#Goetz 06]\] Chapter 7.3: Handling abnormal thread termination |
...
...
...
...
...
...
...
...
...
...
...
...
...
order 11. Concurrency (CON) VOID CON14-J.
...
...
...
...
...
...