According to the Java API \[[API 06|AA. Java References#API 06]\], interface {{java.util.concurrent.ExecutorService}}, method {{shutdownNow()}} documentation: |
Attempts to stop all actively executing tasks, halts the processing of waiting tasks, and returns a list of the tasks that were awaiting execution. There are no guarantees beyond best-effort attempts to stop processing actively executing tasks. For example, typical implementations will cancel via Thread.interrupt(), so any task that fails to respond to interrupts may never terminate.
Consequently, care must be taken so that only interruptible tasks are submitted to the thread pool.
This noncompliant code example uses the SocketReader class defined earlier in Compliant Solution (close socket connection) of the guideline CON24-J. Ensure that threads and tasks performing blocking operations can be terminated and submits it as a task to a thread pool defined in class PoolService.
class PoolService {
private final ExecutorService pool;
public PoolService(int poolSize) {
pool = Executors.newFixedThreadPool(poolSize);
}
public void doSomething() throws InterruptedException, IOException {
pool.submit(new SocketReader());
// ...
List<Runnable> awaitingTasks = pool.shutdownNow();
}
public static void main(String[] args) throws InterruptedException, IOException {
PoolService service = new PoolService(5);
service.doSomething();
}
}
class SocketReader implements Runnable {
private final Socket socket;
// ...
}
|
Because the task does not support interruption through the use of Thread.interrupted(), there is no guarantee that the shutdownNow() method will shutdown the thread pool. Using the shutdown() method does not fix the problem either because it waits until all executing tasks have finished. Likewise, tasks that check a volatile flag to determine whether it is safe to shutdown are not responsive to these methods.
Tasks that do not support interruption using Thread.interrupt() should not be submitted to a thread pool. This compliant solution submits the interruptible version of SocketReader discussed in Compliant Solution (interruptible channel) of the guideline CON24-J. Ensure that threads and tasks performing blocking operations can be terminated, to the thread pool.
class PoolService {
// ...
}
class SocketReader implements Runnable {
private final SocketChannel sc;
// ...
}
|
Similarly, when trying to cancel individual tasks within the thread pool using the Future.cancel() method, ensure that the task supports interruption. If it does, pass a boolean argument true to cancel(), otherwise pass false. The value false indicates that the task will be canceled if it has not already started.
Submitting tasks that are not interruptible may preclude the shut down procedure of a thread pool and cause denial of service.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
CON36- J |
low |
probable |
medium |
P4 |
L3 |
TODO
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
\[[API 06|AA. Java References#API 06]\] Class Thread, method {{stop}}, interface ExecutorService
\[[Goetz 06|AA. Java References#Goetz 06]\] Chapter 7: Cancellation and shutdown |
CON12-J. Avoid deadlock by requesting and releasing locks in the same order 11. Concurrency (CON) VOID CON14-J. Ensure atomicity of 64-bit operations