SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 35

changes.mady.by.user Dhruv Mohindra

Saved on

compared with

New Version 36

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

If the JVM is operating on a platform that uses a file system that operates over the network, then file I/O might also suffer the same performance hits as networked I/O. If such a platform is in use, then file I/O to files over the network should also not be performed while locks are held.

Noncompliant Code Example

This noncompliant code example shows the method sendPage() that sends a Page object from a server to a client. The method is synchronized so that the array pageBuff is accessed safely, when multiple threads request concurrent access.

...

Calling writeObject() within the synchronized sendPage() method can result in delays and deadlock-like conditions in high latency networks or when network connections are inherently lossy.

Compliant Solution

This compliant solution entails separating the actions into a sequence of steps:

...

Code Block
bgColor#ccccff
public boolean sendPage(Socket socket, String pageName) { // No synchronization
  Page targetPage = getPage(pageName); 

  if(targetPage == null)
    return FAILURE;

  return deliverPage(socket, targetPage);
}

private synchronized Page getPage(String pageName) { // Requires synchronization
  Page targetPage = null;

  for(Page p : pageBuff) {
    if(p.getName().equals(pageName)) {
      targetPage = p;
    }
  }
  return targetPage;
}

public boolean deliverPage(Socket socket, Page page){
  try{
    // Get the output stream to write the Page to
    ObjectOutputStream out = new ObjectOutputStream(socket.getOutputStream());

    // Send the Page to the client
    out.writeObject(page);

  } catch(IOException io){
    // If recovery is not possible return FAILURE
    return FAILURE;    
  } finally {
    out.flush();
    out.close();
  }  
  return SUCCESS;
}

Risk Assessment

If a lock is held by a block that contains network transactional logic, temporary or permanent deadlocks may result.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

CON20- J

low

probable

high

P2

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[Grosso 01|AA. Java References#Grosso 01]\] [Chapter 10: Serialization|http://oreilly.com/catalog/javarmi/chapter/ch10.html]
\[[JLS 05|AA. Java References#JLS 05]\] [Chapter 17, Threads and Locks|http://java.sun.com/docs/books/jls/third_edition/html/memory.html]
\[[Rotem 08|AA. Java References#Rotem 08]\] [Falacies of Distributed Computing Explained|http://www.rgoarchitects.com/Files/fallacies.pdf]

...