...
- Use of locks or other synchronization-based mechanisms within a finalizer can cause deadlock or starvation. This possibility arises because neither the invocation order nor the specific executing thread or threads for finalizers can be guaranteed or controlled.
Object finalizers have also been deprecated since Java 9. See MET02-J. Do not use deprecated or obsolete classes or methods for more information.
Because of these problems, finalizers must not be used in new classes.
...
This noncompliant code example uses the System.runFinalizersOnExit() method to simulate a garbage-collection run. Note that this method is deprecated because of thread-safety issues; see MET02-J. Do not use deprecated or obsolete classes or methods.
According to the Java API [API 2014] class System, runFinalizersOnExit() method documentation,
...
Improper use of finalizers can result in resurrection of garbage-collection-ready objects and result in denial-of-service vulnerabilities.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MET12-J | Medium | Probable | Medium | P8 | L2 |
Automated Detection
Tool | Version | Checker | Description |
|---|
| Coverity |
| 7. |
| 5 |
CALL_SUPER |
.FI_EXPLICIT_INVOCATION |
.FI_FINALIZER_NULLS_FIELDS |
.FI_FINALIZER_ONLY_NULLS_FIELDS |
.FI_MISSING_SUPER_CALL |
FI_NULLIFY_SUPER |
FI_ |
USELESS |
FB.BAD_PRACTICE.FI_USELESS
Empty finalizer should be deleted
Explicit invocation of finalizer
Finalizer nulls fields
Finalizer nulls fields
Finalizer does not call superclass finalizer
Finalizer nullifies superclass finalizer
Finalizer should be protected, not public
Finalizer does nothing but call superclass finalizer
CALL_SUPER
DC.THREADING
FB.FI_EMPTY
FB.FI_EXPLICIT_INVOCATION
FB.FI_FINALIZER_NULLS_FIELDS
FB.FI_FINALIZER_ONLY_NULLS_FIELDS
FB.FI_MISSING_SUPER_CALL
FB.FI_NULLIFY_SUPER
FB.FI_USELESS
FB.FI_PUBLIC_SHOULD_BE_ PROTECTED
| Implemented | |||||||||
| Klocwork |
| JD.UMC.RUNFIN | |||||||
| Parasoft Jtest |
| CERT.MET12.MNDF | Do not define 'finalize()' method in bean classes Call 'super.finalize()' from 'finalize()' Do not use 'finalize()' methods to unregister listeners Call 'super.finalize()' in the "finally" block of 'finalize()' methods Do not call 'finalize()' explicitly Do not overload the 'finalize()' method Avoid empty 'finalize()' methods Avoid redundant 'finalize()' methods which only call the superclass' 'finalize()' method Give "finalize()" methods "protected" access | ||||||
| SonarQube |
| S1113 S1111 S1174 S2151 S1114 | The Object.finalize() method should not be overriden The Object.finalize() method should not be called "Object.finalize()" should remain protected (versus public) when overriding "runFinalizersOnExit" should not be called "super.finalize()" should be called at the end of "Object.finalize()" implementations |
Related Vulnerabilities
AXIS2-4163 describes a vulnerability in the finalize() method in the Axis web services framework. The finalizer incorrectly calls super.finalize() before doing its own cleanup, leading to errors in GlassFish when the garbage collector runs.
Related Guidelines
CWE-586, Explicit call to CWE-583, CWE-568, |
Bibliography
[API 2014] | |
Item 7, "Avoid Finalizers" | |
"'Sneaky' Memory Retention" | |
Section 9.5, "The Finalize Method" | |
Section 3.3, "Destroying and Finalizing Objects" | |
[JLS 2015] |
...
...