Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: REM cost reform

...

A

...

common

...

misconception

...

is

...

that

...

shared

...

references

...

to

...

immutable

...

objects

...

are

...

immediately visible

...

across

...

multiple

...

threads

...

as

...

soon

...

as

...

they

...

are

...

updated.

...

For

...

example,

...

a

...

developer

...

can

...

mistakenly

...

believe

...

that

...

a

...

class

...

containing

...

fields that refer only to immutable objects is itself immutable and consequently thread-safe.

...

Section

...

14.10.2,

...

"Final

...

Fields

...

and

...

Security,"

...

of

...

Java

...

Programming

...

Language,

...

Fourth

...

Edition [JPL 2006] states:

The problem is that, while the shared object is immutable, the reference used to access the shared object is itself shared and often mutable. Consequently, a correctly synchronized program must synchronize access to that shared reference, but often programs do not do this, because programmers do not recognize the need to do it.

References to both immutable and mutable objects must be made visible to all the threads. Immutable objects can be shared safely among multiple threads. However, references to mutable objects can be made visible before the objects are fully constructed. TSM03-J. Do not publish partially initialized objects describes object construction and visibility issues specific to mutable objects.

Noncompliant Code Example

This noncompliant code example consists of the immutable Helper class:

Code Block
bgColor#FFCCCC
 states the following \[[JPL 06|AA. Java References#JPL 06]\]:

{quote}
The problem is that, while the shared object is immutable, the reference used to access the shared object is itself shared and often mutable. Consequently, a correctly synchronized program must synchronize access to that shared reference, but often programs do not do this, because programmers do not recognize the need to do it. 
{quote}

{mc} The String example might be good for the intro...if the long quote was not a good idea, perhaps a "For example, ..." line will help {mc}

References to both immutable and mutable objects must be made visible to all the threads. Immutable objects can be shared safely among multiple threads. However, mutable objects may not be fully constructed when their references are made visible.  [CON26-J. Do not publish partially initialized objects] describes object construction and visibility issues specific to mutable objects. 

h2. Noncompliant Code Example

This noncompliant code example consists of an immutable class {{Helper}}: 

{code}
// Immutable Helper
public final class Helper {
  private final int n;

  public Helper(int n) {
    this.n = n;
  }
  // ...
}
{code}

and

...

a

...

mutable Foo class:

Code Block
bgColor#FFCCCC
 class {{Foo}}:   

{code:bgColor=#FFCCCC}
final class Foo {
  private Helper helper;

  public Helper getHelper() {
    return helper;
  }

  public void setHelper(int num) {
    helper = new Helper(num);
  }
}
{code}

The {{

The getHelper()

...

method

...

publishes

...

the

...

mutable

...

helper

...

field.

...

Because

...

the

...

Helper

...

class

...

is

...

immutable

...

,

...

it

...

cannot

...

be

...

changed

...

after

...

it

...

is

...

initialized.

Furthermore, because Helper is immutable, it is always constructed properly before its reference is made visible, in compliance with TSM03-J. Do not publish partially initialized objects. Unfortunately, a separate thread could observe a stale reference in the helper field of the Foo class.

Compliant Solution (Synchronization)

This compliant solution synchronizes the methods of the Foo class to ensure that no thread sees a stale Helper reference:

Code Block
bgColor#CCCCFF
{mc} do not replace with "after initialization" {mc}. Furthermore, because {{Helper}} is immutable, it is always constructed properly before its reference is made visible, in compliance with [CON26-J. Do not publish partially initialized objects]. Unfortunately, a separate thread could observe a stale reference in the {{helper}} field of the {{Foo}} class.

h2. Compliant Solution (Synchronization)

This compliant solution synchronizes the methods of class {{Foo}} to ensure that no thread sees a stale {{Helper}} reference. 

{code:bgColor=#CCCCFF}
final class Foo {
  private Helper helper;

  public synchronized Helper getHelper() {
    return helper;
  }

  public synchronized void setHelper(int num) {
    helper = new Helper(num);
  }
}
{code}

The

...

immutable

...

Helper

...

class

...

remains

...

unchanged.

...

Compliant

...

Solution

...

(

...

volatile

...

)

...

References

...

to

...

immutable

...

member

...

objects

...

can

...

be

...

made

...

visible

...

by

...

declaring

...

them volatile:

Code Block
bgColor#CCCCFF
 {{volatile}}.

{code:bgColor=#CCCCFF}
final class Foo {
  private volatile Helper helper;

  public Helper getHelper() {
    return helper;
  }

  public void setHelper(int num) {
    helper = new Helper(num);
  }
}
{code}

The

...

immutable

...

Helper

...

class

...

remains

...

unchanged.

...

Compliant

...

Solution

...

(

...

java.util.concurrent

...

Utilities)

...

This

...

compliant

...

solution

...

wraps

...

the mutable reference to the

...

immutable

...

Helper

...

object

...

within

...

an

...

AtomicReference

...

wrapper

...

that

...

can

...

be

...

updated atomically:

Code Block
bgColor#CCCCFF
 atomically.

{code:bgColor=#CCCCFF}
final class Foo {
  private final AtomicReference<Helper> helperRef =
      new AtomicReference<Helper>();

  public Helper getHelper() {
    return helperRef.get();
  }

  public void setHelper(int num) {
    helperRef.set(new Helper(num));
  }
}
{code}

The

...

immutable

...

Helper

...

class

...

remains unchanged.

Risk Assessment

The incorrect assumption that classes that contain only references to immutable objects are themselves immutable can cause serious thread-safety issues.

Rule

Severity

Likelihood

Detectable

Repairable

Priority

Level

VNA01-J

Low

Probable

Yes

No

P4

L3

Automated Detection

Some static analysis tools are capable of detecting violations of this rule.

ToolVersionCheckerDescription
Klocwork

Include Page
Klocwork_V
Klocwork_V

SV.SHARED.VAR
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V

CERT.VNA01.SGAS

Use the synchronized keyword on both the getter and setter methods, or on neither
ThreadSafe
Include Page
ThreadSafe_V
ThreadSafe_V

CCE_SL_INCONSISTENT
CCE_CC_CALLBACK_ACCESS
CCE_SL_MIXED
CCE_SL_INCONSISTENT_COL
CCE_SL_MIXED_COL
CCE_CC_UNSAFE_CONTENT

Implemented
SonarQube
Include Page
SonarQube_V
SonarQube_V
S2886Getters and setters should be synchronized in pairs


Bibliography

[API 2014]


[JPL 2006]

Section 14.10.2, "Final Fields and Security"

Issue Tracking

Tasklist
Review List
Review List
 unchanged.

{mc} Sometimes I use the area before the risk assessment as a summary area for other CSs that can simply be mentioned to avoid redundancy, or CSs that are worth considering but have limitations which preclude us from recommending them. Basically general advice so that the implementer is not left wondering with a "what if I use ..." question. You deleted the line about making Helper immutable so where could such advice go? {mc}

h2. Risk Assessment

The assumption that classes containing immutable objects are immutable is misleading and can cause serious thread-safety issues.

|| Rule || Severity || Likelihood || Remediation Cost || Priority || Level ||
| CON02-J | low | probable | medium | {color:green}{*}P4{*}{color} | {color:green}{*}L2{*}{color} |

h3. Automated Detection

TODO

h3. Related Vulnerabilities

Any vulnerabilities resulting from the violation of this rule are listed on the [CERT website|https://www.kb.cert.org/vulnotes/bymetric?searchview&query=FIELD+KEYWORDS+contains+CON28-J].

h2. References

\[[API 06|AA. Java References#API 06]\] 
\[[JPL 06|AA. Java References#JPL 06]\] Section 14.10.2, "Final Fields and Security"



h2. Issue Tracking

{tasklist:Review List}
||Completed||Priority||Locked||CreatedDate||CompletedDate||Assignee||Name||
|F|M|F|1270826173609|          |dmohindr|"Unfortunately, a separate thread -could- *can* observe a stale reference in the helper field of the Foo class."|
|T|M|F|1270826698362|1271441478121|svoboda|"This compliant solution synchronizes the methods of *class* Foo -class- " (it sounds strange with class occuring after Foo)|
{tasklist}

----
[!The CERT Sun Microsystems Secure Coding Standard for Java^button_arrow_left.png!|CON07-J. Do not assume that a group of calls to independently atomic methods is atomic]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[!The CERT Sun Microsystems Secure Coding Standard for Java^button_arrow_up.png!|11. Concurrency (CON)]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[!The CERT Sun Microsystems Secure Coding Standard for Java^button_arrow_right.png!|CON10-J. Do not override thread-safe methods with methods that are not thread-safe]


...

Image Added Image Added Image Added