...
The behavior of an iterator is unspecified if the underlying collection is modified while the iteration is in progress in any way other than by calling this method.
Such behavior may be observed in both single-threaded and multithreaded programs. Concurrent modification in single-threaded programs is usually a symptom result of inserting or removing an element during iteration. Multithreaded programs add the possibility that a collection may be modified by one thread while another thread iterates over the collection. Unspecified behavior can result results in either case. Many implementations throw a ConcurrentModificationException
when they detect concurrent modification.
Wiki Markup |
---|
According to the Java API documentation \[[API 2006|AA. Bibliography#API 06]\] for {{ConcurrentModificationException}}: |
... it It is not generally permissible for one thread to modify a
Collection
while another thread is iterating over it. In general, the results of the iteration are undefined under these circumstances. SomeIterator
implementations (including those of all the general purpose collection implementations provided by the JRE) may choose to throw this exception if this behavior is detected.Iterators
that do this are known as fail-fast iterators, as they fail quickly and cleanly, rather that risking arbitrary, non-deterministic behavior at an undetermined time in the future.Note that fail-fast behavior cannot be guaranteed because it is, generally speaking, impossible to make any hard guarantees in the presence of unsynchronized concurrent modification. Fail-fast operations throw
ConcurrentModificationException
on a best-effort basis. Consequently, it would be wrong to write a program that depended on this exception for its correctness:ConcurrentModificationException
should be used only to detect bugs.
Wiki Markup |
---|
Reliance on {{ConcurrentModificationException}} is insufficientinadequate to stopprevent sideundefined effectsbehavior resulting from modifying an underlying Collectioncollection while simultaneously iterating over the collection. The fail-fast behavior may occur only after processing an arbitrary number of elements. In _Java Concurrency Inin Practice_ \[[Goetz 2006|AA. Bibliography#Goetz 06]\], Goetz etand al.colleagues note ": |
Wiki Markup \[Fail-fast iterators\] are implemented by associating a modification count with the collection: if the modification count changes during iteration, {{hasNext}} or {{next}} throws {{ConcurrentModificationException}}. However, this check is done without synchronization, so there is a risk of seeing a stale value of the modification count and therefore
...
...that the iterator does not realize a modification has been made. This was a deliberate design tradeoff to reduce the performance impact of the concurrent modification detection code.
...
Note that the enhanced for
loop (for-each idiom) uses an Iterator
internally. Consequently, enhanced for
loops can also participate in concurrent modification issues, even though they lack an obvious iterator.
...
This noncompliant code example (based on Sun Developer Network SDN 20082011 bug report 6687277) uses the Collection
's remove()
method to remove an element from an ArrayList
while iterating over the ArrayList
. The resulting behavior is unspecified.
Code Block | ||
---|---|---|
| ||
class BadIterate { public static void main(String[] args) { List<String> list = new ArrayList<String>(); list.add("one"); list.add("two"); Iterator iter = list.iterator(); while (iter.hasNext()) { String s = (String)iter.next(); if (s.equals("one")) { list.remove(s); } } } } |
...
The Iterator.remove()
method removes from the underlying Collection
the last element returned by the iterator from the underlying Collection
. Its behavior is fully specified, so it may be safely invoked while iterating over a collection.
...
Although acceptable in a single-threaded environment, this noncompliant code example is insecure in a multithreaded environment because it is possible for another thread to modify the widgetList
while the current thread iterates over the widgetList
. Additionally, the doSomething()
method could also modify the collection during iteration.
...
Code Block | ||
---|---|---|
| ||
List<Widget> widgetList =
Collections.synchronizedList(new ArrayList<Widget>());
public void widgetOperation() {
for (Widget w : widgetList) {
doSomething(w);
}
}
|
Wiki Markup |
---|
This approach needs tomust be implemented correctly to avoid starvation, deadlock, and scalability issues \[[Goetz 2006|AA. Bibliography#Goetz 06]\]. |
...
Wiki Markup |
---|
Creating deep copies of the list prevents underlying changes in the original list from affecting the iteration in progress. "Since the clone is thread-confined, no other thread can modify it during iteration, eliminating the possibility of {{ConcurrentModificationException}}. (The collection still must be locked during the clone operation itself)" \[[Goetz 20062006a|AA. Bibliography#Goetz 06]\]. However, this approach is often more expensive than other techniques. There is also a risk of operating on stale data, which may affect the correctness of the code. |
...
Code Block | ||
---|---|---|
| ||
List<Widget> widgetList = new CopyOnWriteArrayList<Widget>(); public void widgetOperation() { for (Widget w : widgetList) { doSomething(w); } } |
Exceptions
...
Risk Assessment
Modifying a Collection while iterating over it can lead to nondeterministic results in undefined behavior.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC06-J | low | probable | medium | P4 | L3 |
Automated Detection
The Coverity Prevent Version 5.0 INVALIDATE_ITERATOR checker can detect the instance Some static analysis tools can detect some cases where an iterator is being used after the source container of the iterator is modified.
Related Vulnerabilities
The Apache Geronimo Harmony bug HARMONY-6236 documents an ArrayList
breaking when given concurrent collections as input.
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="50bed0fbe260bbae-e698ff18-4d104cee-9dbf82ea-792ad8f11516d95b73d00f35"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | Class [ | http://java.sun.com/j2se/1.5.0/docs/api/java/util/ConcurrentModificationException.html] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="381f6c4989fd994c-df3a66c0-4624462f-957e908b-1a93254e819e71c31f3afcbc"><ac:plain-text-body><![CDATA[ | [[SDN 2008 | AA. Bibliography#SDN 08]] | [Sun Bug database, Bug ID:6687277 | http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6687277] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4e3b016d8c088e4a-575a1d82-4d344dcb-83778595-a4da841723f04cfad0b1ae41"><ac:plain-text-body><![CDATA[ | [[Goetz 2006 | AA. Bibliography#Goetz 06]] | 5.1.2. Iterators and Concurrentmodificationexception | ]]></ac:plain-text-body></ac:structured-macro> |
...