Compound operations are operations that consist of more than one discrete operation. Expressions that include postfix or prefix increment (++), postfix or prefix decrement (--), or compound assignment operators always result in compound operations. Compound assignment expressions use operators such as *=, /=, %=, +=, -=, <<=, >>=, >>>=, ^= and |= [JLS 2005]. Compound operations on shared variables must be performed atomically to prevent data races and race conditions (see the definitions of "data race" and "race condition").

For information about the atomicity of a grouping of calls to independently atomic methods that belong to thread-safe classes, see guideline VNA03-J. Do not assume that a group of calls to independently atomic methods is atomic.

The Java Language Specification also permits reads and writes of 64-bit values to be non-atomic. For more information, see guideline VNA05-J. Ensure atomicity when reading and writing 64-bit values.

...

Noncompliant Code Example (volatile)

Declaring flag as volatile does not help either:

...

The second execution order involves the same operations, but t2 starts and finishes before t1.

Compliance with guideline LCK00-J. Use private final lock objects to synchronize classes that may interact with untrusted code can reduce the likelihood of misuse by ensuring that untrusted callers cannot access the lock object.

...

This approach cannot be used when a getter method does more than simply return the value of a volatile field; such a getter needs synchronization. Unless read performance is critical, this technique may not offer significant advantages over synchronization [Goetz 2006].

Guideline VNA06-J. Do not assume that declaring an object reference volatile guarantees visibility of its members also addresses the volatile-read, synchronized-write pattern.

...

Read-write locks allow shared state to be accessed by multiple readers or a single writer but never both. According to Goetz [Goetz 2006]:

...

In this noncompliant code example, multiple threads can invoke the setValues() method to set the a and b fields. Because this class does not test for integer overflow, a user of the Adder class must ensure that the arguments to the setValues() method can be added without overflow. (For more information, see guideline INT00-J. Perform explicit range checking to ensure integer operations do not overflow.)

...

The getSum() method contains a race condition. For example, if a and b currently have the values 0 and Integer.MAX_VALUE, respectively, and one thread calls getSum() while another calls setValues(Integer.MAX_VALUE, 0), the getSum() method might return 0 or Integer.MAX_VALUE, or it might overflow and wrap. Overflow will occur when the first thread reads a and b after the second thread has set the value of a to Integer.MAX_VALUE, but before it has set the value of b to 0.
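The interleaving described above, as an added example that is not part of the guideline's own code: a noncompliant Adder whose getSum() performs two unsynchronized reads, beside a compliant version that synchronizes both methods on the same intrinsic lock. The Adder interface, the UnsafeAdder/SafeAdder class names and the harness (alternating writer, summing reader) are constructed here.

```java
import java.util.concurrent.atomic.AtomicBoolean;

// Constructed for this example: common shape of the two Adder variants.
interface Adder {
    void setValues(int a, int b);
    int getSum();
}

// Noncompliant: getSum() is a compound operation (two field reads) that can
// interleave with setValues() and observe a == MAX_VALUE before b becomes 0.
final class UnsafeAdder implements Adder {
    private int a, b;
    public void setValues(int a, int b) { this.a = a; this.b = b; }
    public int getSum() { return a + b; }
}

// Compliant: both methods hold the same lock, so a reader sees either the
// old (a, b) pair or the new pair, never a mix of the two.
final class SafeAdder implements Adder {
    private int a, b;
    public synchronized void setValues(int a, int b) { this.a = a; this.b = b; }
    public synchronized int getSum() { return a + b; }
}

public final class AdderRaceDemo {
    // Writer alternates (0, MAX_VALUE) and (MAX_VALUE, 0) while a reader sums.
    // Every consistent pair sums to MAX_VALUE, so a negative (wrapped) sum can
    // only come from reading both fields as MAX_VALUE: the torn read.
    static boolean sumEverWrapped(Adder adder, int iterations) throws InterruptedException {
        AtomicBoolean wrapped = new AtomicBoolean(false);
        Thread writer = new Thread(() -> {
            for (int i = 0; i < iterations; i++) {
                if ((i & 1) == 0) adder.setValues(0, Integer.MAX_VALUE);
                else adder.setValues(Integer.MAX_VALUE, 0);
            }
        });
        Thread reader = new Thread(() -> {
            for (int i = 0; i < iterations; i++) {
                if (adder.getSum() < 0) wrapped.set(true);
            }
        });
        writer.start(); reader.start();
        writer.join(); reader.join();
        return wrapped.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("UnsafeAdder wrapped: " + sumEverWrapped(new UnsafeAdder(), 5_000_000));
        System.out.println("SafeAdder wrapped:   " + sumEverWrapped(new SafeAdder(), 5_000_000));
    }
}
```

Because the unsafe variant contains a data race, whether a run actually shows the wrap depends on scheduling and on the JIT (which may legally hoist the unsynchronized reads), so absence of a failure in a few runs proves nothing; the synchronized variant can never report one.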

...

If operations on shared variables are not atomic, unexpected results can be produced. For example, information can be disclosed inadvertently because one user can receive information about other users.

Guideline   Severity   Likelihood   Remediation Cost   Priority   Level
VNA02-J     medium     probable     medium             P8         L2

...

References

[API 2006] Class AtomicInteger
[JLS 2005] Chapter 17, Threads and Locks (http://java.sun.com/docs/books/jls/third_edition/html/memory.html), Section 17.4.5 Happens-Before Order, Section 17.4.3 Programs and Program Order, Section 17.4.8 Executions and Causality Requirements
[Tutorials 2008] Java Concurrency Tutorial (http://java.sun.com/docs/books/tutorial/essential/concurrency/index.html)
[Lea 2000] Section 2.2.7 The Java Memory Model, Section 2.1.1.1 Objects and Locks
[Bloch 2008] Item 66: Synchronize access to shared mutable data
[Goetz 2006] Section 2.3, "Locking"
[MITRE 2009] CWE ID 667 "Insufficient Locking" (http://cwe.mitre.org/data/definitions/667.html), CWE ID 413 "Insufficient Resource Locking" (http://cwe.mitre.org/data/definitions/413.html), CWE ID 366 "Race Condition within a Thread" (http://cwe.mitre.org/data/definitions/366.html), CWE ID 567 "Unsynchronized Access to Shared Data" (http://cwe.mitre.org/data/definitions/567.html)

...