SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 16

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 17

changes.mady.by.user Dhruv Mohindra

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: fixed typos

Wiki Markup
According to the Java API interface {{java.util.concurrent.ExecutorService}}, method {{shutdownNow()}} documentation \[[API 06|AA. Java References#API 06]\]:

...

Attempts to stop all actively executing tasks, halts the processing of waiting tasks, and returns a list of the tasks that were awaiting execution. There are no guarantees beyond best-effort attempts to stop processing actively executing tasks. For example, typical implementations will cancel via Thread.interrupt(), 
...
 so 
...
 any 
...
 task 
...
 that 
...
 fails 
...
 to 
...
 respond 
...
 to 
...
 interrupts 
...
 may 
...
 never 
...
 terminate. 
...
Consequently, 
...
 tasks 
...
 that 
...
 do 
...
 not 
...
 support 
...
 interruption 
...
 using 
...
Thread.interrupt()
...
 should 
...
 not 
...
 be 
...
 submitted 
...
 to 
...
 a 
...
 thread 
...
 pool. 
...
 Similarly, 
...
 when 
...
 attempting 
...
 to 
...
 cancel 
...
 individual 
...
 tasks 
...
 within 
...
 the 
...
 thread 
...
 pool 
...
 using 
...
 the 
...
Future.cancel()
...
 method, 
...
 ensure 
...
 that 
...
 the 
...
 tasks 
...
 support 
...
 interruption. 
...
Noncompliant Code Example (shutting 
...
 down 
...
 thread 
...
 pools)
...
This 
...
 noncompliant 
...
 code 
...
 example 
...
 uses 
...
 the 
...
SocketReader
...
 class 
...
 defined 
...
 earlier 
...
 in 
...
 the 
...
 Compliant 
...
 Solution 
...
 (close 
...
 socket 
...
 connection) 
...
 of 
...
 the 
...
 guideline 
...
CON24-J. 
...
 Ensure 
...
 that 
...
 threads 
...
 and 
...
 tasks 
...
 performing 
...
 blocking 
...
 operations 
...
 can 
...
 be 
...
 terminated
...
 and 
...
 submits 
...
 it 
...
 as 
...
 a 
...
 task 
...
 to 
...
 a 
...
 thread 
...
 pool 
...
 defined 
...
 in 
...
 class 
...
 PoolService. 
 Code Block
bgColor#FFcccc
}}.  

{code:bgColor=#FFcccc}
public final class PoolService {
  private final ExecutorService pool;

  public PoolService(int poolSize) {
    pool = Executors.newFixedThreadPool(poolSize);
  }
	  
  public void doSomething() throws InterruptedException, IOException {	   
    pool.submit(new SocketReader());
    // ...
    List<Runnable> awaitingTasks = pool.shutdownNow();	      
  }

  public static void main(String[] args) throws InterruptedException, IOException {
    PoolService service = new PoolService(5);
    service.doSomething();
  }
}

public final class SocketReader implements Runnable {
  private final Socket socket;
  // ...
}
{code}


Because 
...
 the 
...
 task 
...
 does 
...
 not 
...
 support 
...
 interruption 
...
 through 
...
 the 
...
 use 
...
 of 
...
Thread.interrupted()
...
, 
...
 there 
...
 is 
...
 no 
...
 guarantee 
...
 that 
...
 the 
...
shutdownNow()
...
 method 
...
 will 
...
 quiickly 
...
 shutdown 
...
 the 
...
 thread 
...
 pool. 
...
 Using 
...
 the 
...
shutdown()
...
 method 
...
 does 
...
 not 
...
 fix 
...
 the 
...
 problem 
...
 either, 
...
 because 
...
 it 
...
 waits 
...
 until 
...
 all 
...
 executing 
...
 tasks 
...
 have 
...
finished. 
Similarly, tasks that use some mechanism other than Thread.interrupted()
...
 to 
...
 determine 
...
 when 
...
 to 
...
 shutdown 
...
 will 
...
 be 
...
unresponsive to shutdown()
...
 or 
...
shutdownNow()
...
. 
...
 For 
...
 instance, 
...
 tasks 
...
 that 
...
 check 
...
 a 
...
volatile
...
 flag 
...
 to 
...
 determine 
...
 whether 
...
 it 
...
 is 
...
 safe 
...
 to 
...
 shutdown 
...
 will 
...
 be 
...
 unresponsive 
...
 to 
...
 these 
...
 methods. 
...
 The 
...
 guideline 
...
CON13-J. 
...
 Do 
...
 not 
...
 use 
...
 Thread.stop() 
...
 to 
...
 terminate 
...
 threads
...
 provides 
...
 more 
...
 information 
...
 on 
...
 using 
...
 a 
...
 flag 
...
 to 
...
 terminate 
...
 threads.
...
Compliant Solution (submit 
...
 interruptible 
...
 tasks)
...
This 
...
 compliant 
...
 solution 
...
 submits 
...
 the 
...
 interruptible 
...
 version 
...
 of 
...
SocketReader
...
 discussed 
...
 in 
...
 the 
...
 Compliant 
...
 Solution 
...
 (interruptible 
...
 channel) 
...
 of 
...
 the 
...
 guideline 
...
CON24-J. 
...
 Ensure 
...
 that 
...
 threads 
...
 and 
...
 tasks 
...
 performing 
...
 blocking 
...
 operations 
...
 can 
...
 be 
...
 terminated
...
, 
...
 to 
...
 the 
...
 thread 
...
 pool. 
 Code Block
bgColor#ccccff
  

{code:bgColor=#ccccff}
public final class PoolService {
  // ...
}

public final class SocketReader implements Runnable {
  private final SocketChannel sc;
  // ...
}
{code}


h2. Exceptions

*EX1*: Tasks that execute without blocking may violate this guideline.

h2. Risk Assessment

Submitting tasks that are not interruptible may preclude the thread pool from shutting down and cause denial of service.

|| Rule || Severity || Likelihood || Remediation Cost || Priority || Level ||
| CON36- J | low | probable | medium | {color:green}{*}P4{*}{color} | {color:green}{*}L3{*}{color} |



h3. Automated Detection

TODO



h3. Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the [CERT website|https://www.kb.cert.org/vulnotes/bymetric?searchview&query=FIELD+KEYWORDS+contains+CON35-J].

h2. References


Exceptions
EX1: Tasks that execute without blocking may violate this guideline.
Risk Assessment
Submitting tasks that are not interruptible may preclude the thread pool from shutting down and cause denial of service.
 Rule 
 Severity 
 Likelihood 
 Remediation Cost 
 Priority 
 Level 
 CON36- J 
 low 
 probable 
 medium 
 P4 
 L3 
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
 Wiki Markup
\[[API 06|AA. Java References#API 06]\] interface ExecutorService
\[[Goetz 06|AA. Java References#Goetz 06]\] Chapter 7: Cancellation and shutdown
...
...
CON35-J. 
...
 Do 
...
 not 
...
 synchronize 
...
 on 
...
 the 
...
 intrinsic 
...
 locks 
...
 of 
...
 high-level 
...
 concurrency 
...
objects      11. Concurrency (CON)      CON37-J. 
...
 Ensure 
...
 that 
...
 tasks 
...
 executing 
...
 in 
...
 a 
...
 thread 
...
 pool 
...
 do 
...
 not 
...
 fail 
...
 silently
...