...
Tasks
...
that
...
run
...
for
...
extended
...
periods
...
of
...
time
...
should
...
provide
...
a
...
notification
...
mechanism
...
to
...
alert
...
upper
...
layers
...
when
...
they
...
terminate
...
abnormally.
...
Failure
...
to
...
do
...
this
...
does
...
not
...
cause
...
any
...
resource
...
leaks
...
because
...
the
...
threads
...
in
...
the
...
pool
...
are
...
still
...
recycled,
...
however,
...
it
...
makes
...
failure
...
diagnosis
...
extremely
...
difficult.
...
The
...
best
...
way
...
to
...
handle
...
exceptions
...
at
...
a
...
global
...
level
...
is
...
to
...
use
...
an
...
exception
...
handler.
...
The
...
handler
...
can
...
perform
...
diagnostic
...
actions,
...
clean-up
...
and
...
shutdown
...
the
...
Java Virtual Machine (JVM) or simply log the details of the failure. This guideline may be violated if the code for all tasks has been audited to ensure that no exceptional conditions are possible. Nonetheless, it is usually a good practice to install a handler to initiate recovery.
| Wiki Markup |
|---|
Task specific recovery or clean-up actions |
...
can also be performed by overriding the class {{java.util.concurrent.ThreadPoolExecutor}}'s {{afterExecute()}} hook. This hook is called when |
...
a task |
...
completes |
...
successfully |
...
by |
...
executing |
...
all |
...
statements |
...
in |
...
its {{run()}} |
...
method, or halts because of an exception ( |
...
Errors might not be captured on specific implementations, see [Bug ID 6450211|http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6450211] \[[SDN 08|AA. Java References#SDN 08]\]). Similarly, the {{terminated()}} hook is called after all the tasks have |
...
finished executing, and the {{Executor}} has terminated cleanly. |
...
This hook can be overridden to release resources acquired by the thread pool over |
...
its lifetime, much like a {{finally}} block. |
...
Noncompliant
...
Code
...
Example
...
This
...
noncompliant
...
code
...
example
...
consists
...
of
...
class
...
PoolService that encapsulates a thread pool and a runnable class, Task. The run() method of the task can throw runtime exceptions such as NullPointerException.
| Code Block | ||
|---|---|---|
| ||
}} that encapsulate a thread pool and a runnable class, {{Task}}. The {{run()}} method of the task can throw runtime exceptions such as {{NullPointerException}}. {code:bgColor=#FFCCCC} final class PoolService { private final ExecutorService pool = Executors.newFixedThreadPool(10); public void doSomething() throws InterruptedException, IOException { pool.execute(new Task()); } } final class Task implements Runnable { @Override public void run() { // ... throw new NullPointerException(); // ... } } {code} |
The
...
task
...
does
...
not
...
notify
...
upper
...
layers
...
when
...
it
...
unexpectedly terminates as a result of the runtime exception. Moreover, it does not use any recovery mechanism.
Compliant Solution (Custom exception reporter)
This compliant solution refactors the task so that it catches Throwable and forwards it to a custom exception reporter (see EXC01-J. Use a class dedicated to reporting exceptions for details on class MyExceptionReporter).
| Code Block | ||
|---|---|---|
| ||
terminates because of the runtime exception. Moreover, there is no recovery code. h2. Compliant Solution (Custom exception reporter) This compliant solution refactors the task so that it catches {{Throwable}} and forwards it to a custom exception reporter (see [EXC01-J. Use a class dedicated to reporting exceptions] for details on class {{MyExceptionReporter}}). {code:bgColor=#ccccff} // ... final class Task implements Runnable { @Override public void run() { try { // ... throw new NullPointerException(); // ... } catch(Throwable t) { // Execute any recovery code MyExceptionReporter.report(t); } finally { // Perform clean-up actions } } } |
A finally block can be used to perform clean-up actions. If the task cannot be refactored, wrap it within a Runnable or Callable that catches Throwable and submit the wrapper task to the thread pool instead of the wrapped task.
Another compliant solution is to substitute the executor service with a custom ThreadPoolExecutor that overrides the afterExecute() hook as shown below:
| Code Block | ||
|---|---|---|
| ||
class CustomThreadPoolExecutor extends ThreadPoolExecutor {
// ... Constructor ...
@Override
public void afterExecute(Runnable r, Throwable t) {
super.afterExecute(r, t);
// Perform task-specific recovery and clean-up
}
@Override
public void terminated() {
super.terminated();
// Perform final clean-up
}
}
|
Compliant Solution (Uncaught exception handler)
This compliant solution sets an uncaught exception handler on behalf of the thread pool. During its construction, an argument of type ThreadFactory is passed to the thread pool. The factory is responsible for creating new threads and setting the uncaught exception handler on their behalf. The class Task remains the same as the noncompliant code example.
| Code Block | ||
|---|---|---|
| ||
{code} {mc} overriding the afterExecute method in ThreadPoolExecutor}} is also suggested {mc} h2. Compliant Solution (Uncaught exception handler) This compliant solution sets an uncaught exception handler for the thread pool. During the construction of the thread pool, a {{ThreadFactory}} argument is passed. The factory is responsible for creating new threads and setting the uncaught exception handler on their behalf. The class {{Task}} remains the same as the noncompliant code example. {code:bgColor=#ccccff} final class PoolService { private static final ThreadFactory factory = new ExceptionThreadFactory(new MyExceptionHandler()); private static final ExecutorService pool = Executors.newFixedThreadPool(10, factory); public void doSomething() throws InterruptedException, IOException { pool.execute(new Task()); // Task is a runnable class } public static class ExceptionThreadFactory implements ThreadFactory { private static final ThreadFactory defaultFactory = Executors.defaultThreadFactory(); private final Thread.UncaughtExceptionHandler handler; public ExceptionThreadFactory(Thread.UncaughtExceptionHandler handler) { this.handler = handler; } @Override public Thread newThread(Runnable run) { Thread thread = defaultFactory.newThread(run); thread.setUncaughtExceptionHandler(handler); return thread; } } public static class MyExceptionHandler extends ExceptionReporter implements Thread.UncaughtExceptionHandler { private final Logger logger = Logger.getLogger("com.organization.Log"); // ... @Override public void uncaughtException(Thread thread, Throwable t) { logger.log(Level.SEVERE, "Thread exited with exception: " + thread.getName(), t); } } } {code} |
| Wiki Markup |
|---|
Note that the uncaught exception handler is not called if the method {{ExecutorService.submit()}} is |
...
invoked. This is because the thrown exception is considered to be part of the return status and is consequently, |
...
re-thrown by {{Future.get()}}, wrapped in an {{ExecutionException}} \[[Goetz 06|AA. Java References#Goetz 06]\]. |
...
Risk
...
Assessment
...
Failing
...
to
...
provide
...
a
...
mechanism
...
to
...
report
...
that
...
tasks
...
in
...
a
...
thread
...
pool
...
failed
...
as
...
a
...
result
...
of
...
an
...
exceptional
...
condition,
...
can
...
make
...
it
...
harder
...
to
...
find
...
the source of the issue.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
CON37- J | low | probable | medium | P4 | L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
| Wiki Markup |
|---|
\[[API 06|AA. Java References#API 06]\] |
...
interfaces {{ExecutorService}}, {{ThreadFactory}} and class {{Thread}} \[[Goetz 06|AA. Java References#Goetz 06]\] Chapter 7.3: |
...
Handling |
...
abnormal thread termination |
...
...
...
...
...
...
...
...
...
...
...
...
order 11. Concurrency (CON) VOID CON14-J.
...
...
...
...
...
...