The synchronized keyword is used to acquire a mutual-exclusion lock so that no other thread can acquire the lock while it is being held by the executing thread. Recall that there are two ways to synchronize access to shared mutable variables, method synchronization and block synchronization.
A method declared as synchronized always uses the object's monitor (intrinsic lock) and so does code that synchronizes uses a synchronized block on the this reference using a synchronized block. This lock is available to any code that the object is available to; consequently. Consequently, any code that can lock on the object can potentially cause a denial of service (DoS). An inappropriate synchronization policy can expose create a DoS vulnerability because another class whose member locks on the same object, can fail to release the lock promptlya hostile class can 'take hostage' of a benign class's intrinsic lock. However, this requires the victim class to be accessible from the hostile class.
| Wiki Markup |
|---|
The _private lock object_ idiom can be used to prevent this vulnerability. The idiom consists of a {{private}} and {{final}} object declared as an instance field. The {{private}} object must be explicitly used for locking purposes in {{synchronized}} blocks, within the class's methods. This intrinsic lock is associated with the instance of the internal private object and not with the class itself. Consequently, there is no lock contention between this class's methods and methods of a hostile class. \[[Bloch 01|AA. Java References#Bloch 01]\] |
The idiom Static state has the same potential problem, and can also be extended to protect static state by declaring the lock as private, static and finalsolved by a variant of the private lock object. If a static method is declared synchronized, the intrinsic lock of the Class object is acquired before executing the statements in its body, and released when the method completes. Any untrusted code that can access an object of the class, or a subclass, can use the getClass() method to gain access to the Class object. Reducing the accessibility of the class to package-private may offer some reprieve when using strategies other than internal locking. The private lock idiom can be used to protect static data by declaring the lock as private, static and final.
This idiom can also be suitably used by classes designed for inheritance. If a superclass thread requests a lock on the object's monitor, a subclass thread can interfere with its operation. For example, a subclass may use the superclass object's intrinsic lock for unrelated operations, causing significant increase increases in lock contention. Also, excessive use of the same lock frequently results in deadlocks. This idiom separates the locking strategy of the superclass from that of the subclass. It also permits fine-grained locking as opposed to coarse grained because multiple lock objects can then be used for seemingly unrelated operations. This increases the overall responsiveness of the application.
An object should use a an internal private internal final lock object rather than its own intrinsic lock unless the class can guarantee that untrusted code cannotcan not:
- Subclass the class or its superclass (trusted code is allowed to subclass the class)
- Create an object of the class (or its superclass, or subclass)
- Access or acquire an object instance of the class (or its superclass, or subclass)
If a superclass uses an internal private lock to synchronize shared data, subclasses must also use an internal private lock. However, if it a class uses intrinsic synchronization over the class object without documenting this its locking policy, subclasses may not use intrinsic synchronization over their own class object, unless they explicitly document this their locking policy. If the superclass documents this its policy by stating that client-side locking is supported, the subclasses have the option of choosing between intrinsic locking over the class object and an internal private lock. Regardless of what is chosen, subclasses must document the their locking policy. Refer to the guideline CON10-J. Do not override thread-safe methods with methods that are not thread-safe for related information.
...
The untrusted code attempts to acquire a lock on the object's monitor and upon succeeding, introduces an indefinite delay which holds up prevents the synchronized changeValue() method from acquiring the same lock. Note that the untrusted code also violates CON20-J. Do not perform operations that may block while holding a lock.
...
However, it is possible for untrusted code to change the value of the lock object and foil all attempts to synchronize on the correct object.
Noncompliant Code Example (publicly-accessible final lock object)
...
A private final lock can only be used with block synchronization. Block synchronization is sometimes preferred over method synchronization, because operations that do not require synchronization can be moved outside the synchronized region which reduces , reducing the overall execution time. Note that there is no need to declare lock as volatile because of the strong visibility semantics of final fields. Instead of using setter methods to change the lock, declare and use multiple internal lock objects to achieve the necessary fine-grained locking semantics.
...
The untrusted code attempts to acquire a lock on the class object's monitor and upon succeeding, introduces an indefinite delay which holds up prevents the synchronized changeValue() method from acquiring the same lock.
A complete implementation of this noncompliant code example would be in compliance comply with CON32-J. Internally synchronize classes containing accessible mutable static fields. However, the untrusted code violates CON20-J. Do not perform operations that may block while holding a lock.
...
EX2: If a superclass of the class documents that it supports client-side locking and synchronizes on its class object, the class should also support client-side locking in the same way and document this policy. If instead the superclass uses an internal private lock, the derived class should document its inconsistent own locking policy.
Risk Assessment
...