...
An object should use a private internal final lock object rather than its own intrinsic lock unless the class can guarantee that untrusted code may not:
...
This guideline is an extension of CON02-J. Always synchronize on the appropriate object and is fully compliant with it. It recommends block synchronization using an internal private lock object instead of synchronizing on the this reference of the class object.
Noncompliant Code Example (method synchronization)
This noncompliant code example exposes the object someObject to untrusted code.
...
The untrusted code attempts to acquire a lock on the object's monitor and upon succeeding, introduces an indefinite delay which holds up the synchronized changeValue() method from acquiring the same lock. Note that the untrusted code also violates CON20-J. Do not perform operations that may block while holding a lock.
Noncompliant Code Example (public nonfinal lock object)
This noncompliant code example locks on a public nonfinal object.
| Code Block | ||
|---|---|---|
| ||
public class SomeObject {
public Object lock = new Object();
public void changeValue() {
synchronized (lock) {
// ...
}
}
}
|
It is possible for untrusted code to change the value of the lock object and foil all attempts to synchronize.
Noncompliant Code Example (publicly-accessible final lock object)
This noncompliant code example synchronizes on a private but nonfinal field.
| Code Block | ||
|---|---|---|
| ||
public class SomeObject { private Object lock = new Object(); public void changeValue() { synchronized (lock) { // ... } } public void setLock(Integer lockvalue) { lock = lockValue; } } |
Any thread can modify the field's value to refer to some other object. This might cause two threads that intend to lock on the same object to lock on different objects, enabling them to execute the two critical sections in an unsafe manner.
Compliant Solution (private final internal lock)
Thread-safe classes that use intrinsic synchronization of the object may be protected by using the private lock object idiom and adapting them to use block synchronization. In this compliant solution, if the method changeValue() is called, the lock is obtained on a private Object that is inaccessible from the caller.
...
Using a private lock may only be achieved with block synchronization. Block synchronization is preferred over method synchronization, because operations that do not require synchronization can be moved outside the synchronized region which reduces the overall execution time.
Noncompliant Code Example (static)
This noncompliant code example exposes the class object of someObject to untrusted code.
...
The untrusted code attempts to acquire a lock on the class object's monitor and upon succeeding, introduces an indefinite delay which holds up the synchronized changeValue() method from acquiring the same lock. Note that the untrusted code also violates CON20-J. Do not perform operations that may block while holding a lock.
Compliant Solution (static)
Thread-safe classes that use intrinsic synchronization of the class object may be protected by using a static private lock object andblock synchronization.
...
Using a private lock may only be achieved with block synchronization, as static method synchronization always uses the intrinsic lock of the object's class. However, block synchronization is also preferred over method synchronization, because it is easy to move operations out of the synchronized block when they might take a long time and they are not truly a critical section.
Exceptions
EX1: A class may violate this guideline, if all the following conditions are met:
- it sufficiently documents that callers must not pass objects of this class to untrusted code,
- trusted callers do not use any untrusted classes that violate this guideline directly or indirectly,
- the synchronization policy of the class is properly documented
Risk Assessment
Exposing the class object to untrusted code can result in denial-of-service.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
CON04-J | low | probable | medium | P4 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
| Wiki Markup |
|---|
\[[Bloch 01|AA. Java References#Bloch 01]\] Item 52: "Document Thread Safety" |
...