...
While this statement typically holds, it can be misleading as it does not account for instances that use values of static final fields initialized at a later stage. Even if a field is static final, it is not necessarily initialized at first go.
Noncompliant Code Example
This noncompliant code example contrives to calculate the account balance by subtracting the processing fee from the deposited amount, but fails to do so. The Cycle class object c is instantiated before the deposit field gets initialized. As a result, the Cycle is invoked which computes the balance based on the initial value of deposit (0) rather than the random value. As a result, the balance always remains -10.
...
| Code Block | ||
|---|---|---|
| ||
public class Cycle {
private static final Cycle c = new Cycle();
private final int balance;
private static final int deposit = (int) (Math.random() * 100); // Random deposit
public Cycle(){
balance = deposit - 10; // Subtract processing fee
}
public static void main(String[] args) {
System.out.println("The account balance is: " + c.balance);
}
}
|
Compliant Solution
This compliant solution changes the initialization order of the class Cycle so that the fields meant to be used in computations get duly initialized. As initialization cycles can become insidious when many classes are involved, proper care must be taken to inspect the control flow.
| Code Block | ||
|---|---|---|
| ||
public class Cycle {
private final int balance;
private static final int deposit = (int) (Math.random() * 100); // Random deposit
private static final Cycle c = new Cycle(); // Inserted after initialization of required fields
public Cycle(){
balance = deposit - 10; // Subtract processing fee
}
public static void main(String[] args) {
System.out.println("The account balance is: " + c.balance);
}
}
|
Noncompliant Code Example
| Wiki Markup |
|---|
This noncompliant code example uses an inner class that extends the outer class. The outer class in turn, uses the {{static}} instance of the inner class. This results in a circular initialization issue \[[Findbugs 08|AA. Java References#Findbugs 08]\]. |
| Code Block | ||
|---|---|---|
| ||
public class CircularClassInit {
static class InnerClassSingleton extends CircularClassInit {
static final InnerClassSingleton singleton = new InnerClassSingleton();
}
static final CircularClassInit foo = InnerClassSingleton.singleton;
}
|
Compliant Solution
This compliant solution removes the instance of the inner class from the outer class.
...
| Wiki Markup |
|---|
Notably, class initialization cycles can also occur because of circularity in the code present within the {{static}} initializers of two or more classes \[[Findbugs 08|AA. Java References#Findbugs 08]\]. Also see the related guideline [MSC02-J. Avoid cyclic dependencies between packages]. |
Risk Assessment
Initialization cycles may lead to unexpected results.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MSC00- J | low | unlikely | medium | P2 | L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
This rule appears in the C++ Secure Coding Standard as DCL14-CPP. Do not make assumptions about the order of global variable initialization across translation units.
References
| Wiki Markup |
|---|
\[[JLS 05|AA. Java References#JLS 05]\] Sections [8.3.2.1, Initializers for Class Variables|http://java.sun.com/docs/books/jls/third_edition/html/classes.html#8.3.2.1]; [12.4, Initialization of Classes and Interfaces|http://java.sun.com/docs/books/jls/third_edition/html/execution.html#12.4] Puzzle 49: Larger Than Life \[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 665|http://cwe.mitre.org/data/definitions/665.html] "Improper Initialization" |
...