SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 49

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 50

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

While this statement typically holds, it can be misleading as it does not account for instances that use values of static final fields initialized at a later stage. Even if when a field is static final, it is not necessarily initialized before being read.

Noncompliant Code Example (intra-class cycle)

In this This noncompliant code example , a recursive attempt is being made to initialize the class, creating an contains an intra-class initialization cycle.

Code Block
bgColor#FFcccc
public class Cycle {
  private final int balance;
  private static final Cycle c = new Cycle();
  private final int balance;
  private static final int deposit = (int) (Math.random() * 100); // Random deposit

  public Cycle() {
    balance = deposit - 10; // Subtract processing fee
  }

  public static void main(String[] args) {
    System.out.println("The account balance is: " + c.balance);	
  }
}

The Cycle() class declares a private static final class variable which is initialized to a new instance of the Cycle() class. Static initializers are guaranteed to be invoked once at some point before the first use of a static class member or the first invocation of a constructor.

The programmer's intent is to calculate the account balance by subtracting the processing fee from the deposited amount. However, the initialization of the c class variable happens before the deposit field is initialized because it is lexically before the initialization of the deposit field. Consequently, the value of deposit seen by the constructor when invoked during the static initialization of c is the initial value of deposit (0) rather than the random value. As a result, the balance is always equal to -10.

Wiki Markup
The JLS permits implementations to ignore the possibility of such recursive attempts \[[Bloch 2005|AA. Bibliography#Bloch 05]\]
Wiki Markup
Because such recursive attempts are ignored by the JVM, the default value of {{deposit}} is {{0}} during the initialization \[[Bloch 2005|AA. Bibliography#Bloch 05]\].  The code tries to calculate the account balance by subtracting the processing fee from the deposited amount, but fails to do so. The {{Cycle}} class object {{c}} is instantiated before the {{deposit}} field is initialized. As a result, the constructor {{Cycle()}} is invoked which computes the balance based on the initial value of {{deposit}} (0) rather than the random value. As a result, the balance is always equal to {{-10}}.

Compliant Solution (intra-class cycle)

This compliant solution changes the initialization order of the class Cycle so that the fields meant to be used in computations get duly are initialized without creating any dependency cycles. Specifically, the initialization of c is placed lexically after the initialization of deposit so that it occurs temporally after deposit is fully initialized.

Code Block
bgColor#ccccff
public class Cycle {
  private final int balance;
  private static final int deposit = (int) (Math.random() * 100); // Random deposit
  private static final Cycle c = new Cycle();  // Inserted after initialization of required fields
  public Cycle() {
    balance = deposit - 10; // Subtract processing fee
  }

  public static void main(String[] args) {
    System.out.println("The account balance is: " + c.balance);	
  }
}

As Such initialization cycles can become insidious when many classes fields are involved, proper care must be taken to inspect ; ensure that the control flow lacks such cycles.

Noncompliant Code Example (inter-class cycle)

This noncompliant code example uses two classes with static variables that depend on each other. When seen together, the cycle is obvious, but the cycle can be easily missed when the classes are viewed separately.

...

The values of A.a and B.b can vary, depending on which class gets initialized first. If class A is initialized first, then A.a will have the value 2 and B.b will have the value 1. The values will be reversed if class B is initialized first.

Compliant Solution (inter-class cycle)

This compliant solution eliminates one of the dependencies.

...

With the cycle broken, the initial values will always be A.a = 2 and B.b = 3, no matter which class gets initialized first.

Risk Assessment

Initialization cycles may lead to unexpected results.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

DCL12-J

low

unlikely

medium

P2

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Other Languages

This guideline appears in the C++ Secure Coding Standard as DCL14-CPP. Avoid assumptions about the initialization order between translation units.

Bibliography

Wiki Markup
\[[JLS 2005|AA. Bibliography#JLS 05]\] Sections [8.3.2.1, Initializers for Class Variables|http://java.sun.com/docs/books/jls/third_edition/html/classes.html#8.3.2.1]; [12.4, Initialization of Classes and Interfaces|http://java.sun.com/docs/books/jls/third_edition/html/execution.html#12.4]
  Puzzle 49: Larger Than Life
\[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 665|http://cwe.mitre.org/data/definitions/665.html] "Improper Initialization"

...