...
A related error can arise when a programmer declares a static final reference to a mutable object; see guideline "VOID OBJ02-J. Never conflate immutability of a reference with that of the referenced object" for additional information.
Noncompliant Code Example
In this noncompliant code example, class Foo declares a field whose value represents the version of the software. The field is subsequently accessed by class Bar from a separate compilation unit.
...
Although recompiling Bar.java solves this problem, a better solution is available.
Compliant Solution
According to [§13.4.9, "final Fields and Constants"](http://java.sun.com/docs/books/jls/third_edition/html/binaryComp.html#13.4.9) of the Java Language Specification [JLS 2005]
...
As a result, the private version value cannot be copied into the Bar class when it is compiled, consequently preventing the bug. Note that most JIT code generators are capable of inlining the getVersion() method at runtime; consequently, there is little or no performance penalty incurred.
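The following demonstration is an added example, not code from the original guideline: it compiles a constructed Foo and Bar at run time, rebuilds only Foo with a new version number, and shows that Bar still reports the old value of the constant field while the getter returns the new one. The field name VERSION, the method show(), and the class StaleConstantDemo are assumptions made for the illustration; it needs a JDK (11 or later) because it invokes the system Java compiler.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.tools.JavaCompiler;
import javax.tools.ToolProvider;

public class StaleConstantDemo {
    // Constructed source: Bar reads the constant field and the getter.
    static final String BAR = "public class Bar { public static String show() {"
            + " return Foo.VERSION + \"/\" + Foo.getVersion(); } }";

    // Constructed source: Foo carries both forms so one run compares them.
    static String foo(int v) {
        return "public class Foo {"
                + " public static final int VERSION = " + v + ";" // constant: copied into Bar.class
                + " private static int version = " + v + ";"      // not a constant: read at run time
                + " public static int getVersion() { return version; } }";
    }

    // Compile one class; sources and class files live in separate directories.
    static void compile(Path src, Path out, String name, String code) throws Exception {
        Path file = Files.writeString(src.resolve(name + ".java"), code);
        JavaCompiler javac = ToolProvider.getSystemJavaCompiler(); // null on a JRE without javac
        if (javac == null) throw new IllegalStateException("a JDK is required");
        int rc = javac.run(null, null, null,
                "-cp", out.toString(), "-d", out.toString(), file.toString());
        if (rc != 0) throw new IllegalStateException("compilation failed: " + name);
    }

    // Load Bar in a fresh class loader so each call sees the class files on disk.
    static String runBar(Path out) throws Exception {
        try (URLClassLoader cl = new URLClassLoader(new URL[] {out.toUri().toURL()})) {
            return (String) cl.loadClass("Bar").getMethod("show").invoke(null);
        }
    }

    public static void main(String[] args) throws Exception {
        Path src = Files.createTempDirectory("dcl04-src");
        Path out = Files.createTempDirectory("dcl04-out");
        compile(src, out, "Foo", foo(1));
        compile(src, out, "Bar", BAR);
        System.out.println("initial build:     " + runBar(out));
        compile(src, out, "Foo", foo(2)); // Foo changes; Bar.class is left as built
        System.out.println("only Foo rebuilt:  " + runBar(out));
        compile(src, out, "Bar", BAR);    // the fix the page mentions: recompile Bar
        System.out.println("Bar rebuilt too:   " + runBar(out));
    }
}
```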
Exceptions
DCL04-EX1: According to [§9.3, "Field (Constant) Declarations"](http://java.sun.com/docs/books/jls/third_edition/html/interfaces.html#9.3) of the Java Language Specification [JLS 2005], "Every field declaration in the body of an interface is implicitly public, static, and final. It is permitted to redundantly specify any or all of these modifiers for such fields."
...
DCL04-EX3: Constants whose value never changes throughout the entire lifetime of the software may be declared as final. For instance, the Java Language Specification recommends that mathematical constants be declared final.
Risk Assessment
Failing to declare mathematical constants static and final can lead to thread safety issues, as well as to inconsistent behavior.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DCL04-J | low | probable | medium | P2 | L3 |
Automated Detection
Static checking of this guideline is not feasible in the general case.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Related Guidelines
C Secure Coding Standard: "DCL00-C. Const-qualify immutable objects"
Bibliography
[JLS 2005] [§13.4.9, "final Fields and Constants"](http://java.sun.com/docs/books/jls/third_edition/html/binaryComp.html#13.4.9)
...