Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This rule specifically deals with primitive operators like ++. For atomicity of other functions, see CON07-J. Multiple calls to atomic functions are not themselves atomic.

The Java Specification also permits reads and writes of 64-bit values to be non-atomic; for more information, see CON25-J. Ensure atomicity when reading and writing 64-bit values.

Noncompliant Code Example (volatile)

In this noncompliant code example, the volatile field itemsInInventory can be accessed by multiple threads. However, when a thread is updating the value of itemsInInventory, it is possible for other threads to read the original value (that is, the value before the update). This is because the post decrement operator is non-atomic.

Code Block
bgColor#FFcccc
private volatile int itemsInInventory = 100;

public int removeItem() {
  if(itemsInInventory > 0) {
    return itemsInInventory--;  // Returns new count of items in inventory
  } 
  return -1; // Error code  
}

Compliant Solution (java.util.concurrent.atomic classes)

Volatile variables are unsuitable when more than one load/store operation needs to be atomic. There is an alternative method to perform multiple operations atomically. This compliant solution uses a java.util.concurrent.atomic.AtomicInteger variable.

...

Wiki Markup
The {{compareAndSet()}} method takes two arguments, the expected value of a variable when the method is invoked and the updated value. This compliant solution uses this method to atomically set the value to the given updated value if and only if the current value equals the expected value. \[[API 06|AA. Java References#API 06]\] 

Compliant Solution (method synchronization)

This compliant solution uses method synchronization to synchronize access to shared variables. Consequently, access to itemsInInventory is mutually exclusive and consistent across all object states.

...

Wiki Markup
Synchronization is more expensive than using the optimized {{java.util.concurrent}} utilities and should only be used when the utilities do not contain the facilities (methods) required to carry out the atomic operation. When using explicit synchronization, the programmer must also ensure that two or more threads are not mutually accessible from a different set of two or more threads such that each thread holds a lock while trying to obtain another lock that is held by the other thread \[[Lea 00|AA. Java References#Lea 00]\]. Failure to follow this advice results in deadlocks ([CON12-J. Avoid deadlock by requesting and releasing locks in the same order]).

Compliant Solution (block synchronization)

Constructors and methods can use an alternative representation called block synchronization which synchronizes a block of code rather than a method, as highlighted in this compliant solution.

...

If the synchronized block was moved inside the if condition to reduce the performance cost associated with synchronization, the variable itemsInInventory would be required to be declared as volatile because the check to determine whether it is greater than 0 relies on the latest value of the variable.

Compliant Solution (ReentrantLock)

This compliant solution uses a java.util.concurrent.locks.ReentrantLock to atomically perform the operation.

...

Code that uses this lock behaves similar to synchronized code that uses the traditional monitor lock. In addition, it provides several other capabilities, for instance, the tryLock() method does not block waiting if another thread is already holding the lock. The class java.util.concurrent.locks.ReentrantReadWriteLock can be used when a thread requires a lock to write information while other threads require the lock to simultaneously read the information.

Risk Assessment

If operations on shared variables are not atomic, unexpected results may be produced. For example, there can be inadvertent information disclosure as one user may be able to receive information about other users.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

CON01- J

medium

probable

medium

P8

L2

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[API 06|AA. Java References#API 06]\] Class AtomicInteger
\[[JLS 05|AA. Java References#JLS 05]\] [Chapter 17, Threads and Locks|http://java.sun.com/docs/books/jls/third_edition/html/memory.html], section 17.4.5 Happens-before Order, section 17.4.3 Programs and Program Order, section 17.4.8 Executions and Causality Requirements
\[[Tutorials 08|AA. Java References#Tutorials 08]\] [Java Concurrency Tutorial|http://java.sun.com/docs/books/tutorial/essential/concurrency/index.html]
\[[Lea 00|AA. Java References#Lea 00]\] Sections, 2.2.7 The Java Memory Model, 2.2.5 Deadlock, 2.1.1.1 Objects and locks
\[[Bloch 08|AA. Java References#Bloch 08]\] Item 66: Synchronize access to shared mutable data
\[[Daconta 03|AA. Java References#Daconta 03]\] Item 31: Instance Variables in Servlets
\[[JavaThreads 04|AA. Java References#JavaThreads 04]\] Section 5.2 Atomic Variables
\[[Goetz 06|AA. Java References#Goetz 06]\] 2.3. "Locking"
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 667|http://cwe.mitre.org/data/definitions/667.html] "Insufficient Locking", [CWE ID 413|http://cwe.mitre.org/data/definitions/413.html] "Insufficient Resource Locking", [CWE ID 366|http://cwe.mitre.org/data/definitions/366.html]  "Race Condition within a Thread", [CWE ID 567|http://cwe.mitre.org/data/definitions/567.html]  "Unsynchronized Access to Shared Data"

...