SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 78

changes.mady.by.user Shannon Haas

Saved on

compared with

New Version 79

changes.mady.by.user Shannon Haas

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Wiki Markup
            According to the _Java Language Specification_ (JLS), [§12.4, "Initialization of Classes and Interfaces" |http://java.sun.com/docs/books/jls/third_edition/html/execution.html#12.4] of the _Java Language Specification_ \[[JLS 2005|AA. Bibliography#JLS 05]\]:

...

Wiki Markup
In other words, the presence of a {{static}} field triggers the initialization of a class. However, a static field could depend on the initialization of aanother class, possibly creating an initialization cycle. The _Java Language Specification_JLS also states in [§8.3.2.1, "Initializers for Class Variables" |http://java.sun.com/docs/books/jls/third_edition/html/classes.html#8.3.2.1] \[[JLS 2005|AA. Bibliography#JLS 05]\]

...at At run time, static variables that are final and that are initialized with compile-time constant values are initialized first.

...

Programs in general should — and security-sensitive programs must — eliminate all class initialization cycles.

Noncompliant Code Example (Intra-

...

class Cycle)

This noncompliant code example contains an intra-class initialization cycle.

...

The programmer's intent is to calculate the account balance by subtracting the processing fee from the deposited amount. However, the initialization of the c class variable happens before the deposit field is initialized because it appears lexically before the initialization of the deposit field. Consequently, the value of deposit seen by the constructor, when invoked during the static initialization of c, is the initial value of deposit (0) rather than the random value. As a result, the balance is always computed to be -10.

Wiki Markup
The _Java Language Specification_ JLS permits implementations to ignore the possibility of such recursive initialization attemptscycles \[[Bloch 2005|AA. Bibliography#Bloch 05]\].

Compliant Solution (Intra-

...

class Cycle)

This compliant solution changes the initialization order of the class Cycle so that the fields are initialized without creating any dependency cycles. Specifically, the initialization of c is placed lexically after the initialization of deposit so that it occurs temporally after deposit is fully initialized.

...

Such initialization cycles become insidious when many fields are involved; . Consequently, it is important to ensure that the control flow lacks such cycles.

Although this compliant solution prevents the initialization cycle, it depends on declaration order and is consequently fragile; later maintainers of the software may be unaware that the declaration order must be maintained to preserve correctness. Consequently, such dependencies must be clearly documented in the code.

Noncompliant Code Example (Inter-

...

class Cycle)

This noncompliant code example declares two classes with static variables whose values depend on each other. The cycle is obvious when the classes are seen together (as here) , but can easily be missed but is easy to miss when viewing the classes separately.

Code Block
bgColor#FFcccc
class A {
    public static final int a = B.b + 1;
    // ...
}
Code Block
bgColor#FFcccc
class B {
    public static final int b = A.a + 1;
    // ...
}

The initialization order of the classes can vary and, consequently, cause computation of different values for A.a and B.b. When class A is initialized first, A.a will have the value 2, and B.b will have the value 1. These values will be reversed when class B is initialized first.

Compliant Solution (Inter-

...

class Cycle)

This compliant solution breaks the inter-class interclass cycle by eliminating one of the dependencies.

Code Block
bgColor#ccccff
class A {
    public static final int a = 2;
    // ...
}

// class B unchanged: b = A.a + 1

...

The CERT C++ Secure Coding Standard

DCL14-CPP. Avoid assumptions about the initialization order between translation units

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="62edc144211d2f6f-a5caa415-44b94476-a2a3af5c-d9b647d86ed0514885bc4dfe"><ac:plain-text-body><![CDATA[

[ISO/IEC TR 24772:2010

http://www.aitcnet.org/isai/]

" Initialization of Variables variables [LAV] "

]]></ac:plain-text-body></ac:structured-macro>

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="0f639814ed661d96-e8681559-40b54061-a5d089ab-885873cedcaa595d7fe67699"><ac:plain-text-body><![CDATA[

[[JLS 2005

AA. Bibliography#JLS 05]]

[§8.3.2.1, " Initializers for Class Variables"

http://java.sun.com/docs/books/jls/third_edition/html/classes.html#8.3.2.1]

]]></ac:plain-text-body></ac:structured-macro>

 

§12.4, " Initialization of Classes and Interfaces"

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="98f8936d579e6a70-29140d8a-47224951-9d3a8f69-d75f4b72d4e5ea84aeab7965"><ac:plain-text-body><![CDATA[

[[Bloch 2005

AA. Bibliography#Bloch 05]]

Puzzle 49: , Larger Than Life

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fd1a56afbaf75f3d-e2fd9456-41c64ce1-8cac91e2-752d237cd8684ddacd82a4d0"><ac:plain-text-body><![CDATA[

[[MITRE 2009

AA. Bibliography#MITRE 09]]

[CWE-665

http://cwe.mitre.org/data/definitions/665.html] ". Improper Initialization"initialization

]]></ac:plain-text-body></ac:structured-macro>

...