...
```java
class Helper {
  public void handle(String request) {
    // ...
  }
}

class GetRequest {
  protected final Helper h = new Helper();

  // Read the request data, blocking until a request arrives
  public synchronized String accept() {
    String data = "Read data from pipe";
    return data;
  }

  public void request() {
    while (true) {
      // Local copy, so each thread handles the request it was started for
      final String request = accept();
      // Noncompliant: one new thread per request, with no upper bound on how many exist
      new Thread(new Runnable() {
        public void run() {
          h.handle(request);
        }
      }).start();
    }
  }
}
```
...
```java
import java.util.concurrent.Executor;
import java.util.concurrent.Executors;

class GetRequest {
  protected final Helper h = new Helper(); // Helper as in the noncompliant example

  // Read the request data, blocking until a request arrives
  public synchronized String accept() {
    String data = "Read data from pipe";
    return data;
  }

  public void request() {
    int noOfThreads = 200;
    // Fixed-size pool: at most noOfThreads requests are handled concurrently
    Executor exec = Executors.newFixedThreadPool(noOfThreads);
    while (true) {
      // Local copy, so each task handles the request it was submitted for
      final String request = accept();
      exec.execute(new Runnable() {
        public void run() {
          h.handle(request);
        }
      });
    }
  }
}
```
...
Using simplistic concurrency primitives such as thread-per-request (and often using them incorrectly) can lead to severe performance degradation, deadlocks and starvation, or exhaustion of system resources. The result is a denial-of-service condition.
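As an added illustration (not code from the CERT page), the following Java program pushes the same constructed burst of requests through both patterns and measures the peak number of handlers running at once. The `Helper`, the request strings, and the pool and queue sizes are stand-ins chosen for the demonstration, not values from the page.

```java
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.ThreadPoolExecutor;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

public class RequestServerDemo {

    // Stand-in for the page's Helper: it records how many handlers run at once.
    static final class Helper {
        private final AtomicInteger active = new AtomicInteger();
        private final AtomicInteger peak = new AtomicInteger();

        void handle(String request) {
            int now = active.incrementAndGet();
            peak.accumulateAndGet(now, Math::max);
            try {
                Thread.sleep(20); // simulated blocking work per request
            } catch (InterruptedException e) {
                Thread.currentThread().interrupt();
            } finally {
                active.decrementAndGet();
            }
        }

        int peakConcurrency() { return peak.get(); }
    }

    static final int POOL_SIZE = 8;       // assumed sizing, not from the page
    static final int QUEUE_CAPACITY = 32; // assumed sizing, not from the page

    // Constructed stand-in for accept(): requests arrive as fast as the loop runs.
    static String acceptRequest(int i) { return "request-" + i; }

    // Thread-per-request: every request gets its own thread, so a burst of N
    // requests creates N threads (the pattern the rule warns against).
    static int serveThreadPerRequest(Helper h, int burst) throws InterruptedException {
        Thread[] threads = new Thread[burst];
        for (int i = 0; i < burst; i++) {
            final String request = acceptRequest(i);
            threads[i] = new Thread(() -> h.handle(request));
            threads[i].start();
        }
        for (Thread t : threads) t.join();
        return h.peakConcurrency();
    }

    // Bounded pool plus bounded queue. When both are full, CallerRunsPolicy runs
    // the task on the accepting thread, which slows the accept loop down instead
    // of letting threads or queued work grow without limit.
    static ThreadPoolExecutor newBoundedExecutor() {
        return new ThreadPoolExecutor(
                POOL_SIZE, POOL_SIZE, 0L, TimeUnit.MILLISECONDS,
                new ArrayBlockingQueue<>(QUEUE_CAPACITY),
                new ThreadPoolExecutor.CallerRunsPolicy());
    }

    static int serveWithPool(Helper h, int burst) throws InterruptedException {
        ThreadPoolExecutor exec = newBoundedExecutor();
        for (int i = 0; i < burst; i++) {
            final String request = acceptRequest(i);
            exec.execute(() -> h.handle(request));
        }
        exec.shutdown();
        exec.awaitTermination(1, TimeUnit.MINUTES);
        return h.peakConcurrency();
    }

    public static void main(String[] args) throws InterruptedException {
        int burst = 500; // constructed burst size
        int unbounded = serveThreadPerRequest(new Helper(), burst);
        int bounded = serveWithPool(new Helper(), burst);
        System.out.println("thread-per-request peak handlers: " + unbounded);
        System.out.println("bounded pool peak handlers:       " + bounded
                + " (never above " + (POOL_SIZE + 1) + ")");
    }
}
```

The bounded run can never exceed `POOL_SIZE` workers plus the accepting thread itself (which runs a task only under `CallerRunsPolicy`), while the thread-per-request run climbs with the burst size. `CallerRunsPolicy` is one way to degrade gracefully; an `AbortPolicy` that answers the client with a "try later" response is another. Either keeps resource use bounded, which is the point of the rule.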
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
CON02-J | low | probable | high | P2 | L3 |
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...