| Wiki Markup |
|---|
According to the Java API \[[API 06|AA. Java References#API 06]\], class {{java.lang.ThreadLocal<T>}} documentation: |
...
This
...
class
...
provides
...
thread-local
...
variables.
...
These
...
variables
...
differ
...
from
...
their
...
normal
...
counterparts
...
in
...
that
...
each
...
thread
...
that
...
accesses
...
one
...
(via
...
its
...
get
...
or
...
set
...
method)
...
has
...
its
...
own,
...
independently
...
initialized
...
copy
...
of
...
the
...
variable.
...
ThreadLocal
...
instances
...
are
...
typically
...
private
...
static
...
fields
...
in
...
classes
...
that
...
wish
...
to
...
associate
...
state
...
with
...
a
...
thread
...
(e.g.,
...
a
...
user
...
ID
...
or
...
Transaction
...
ID).
...
| Wiki Markup |
|---|
The use of {{ThreadLocal}} objects is insecure in classes whose objects are required to be executed by several threads, in a thread pool. The technique of thread pooling allows threads to be reused when thread creation cost is too high or creating an unbounded number of threads is a potential threat to the reliability of the system. Every thread that enters the pool expects to see an an object in its default, initialized form. However, when {{ThreadLocal}} objects are set from a thread which is subsequently made available for reuse, the reusing thread which takes its place may see the most recent state that was set by the previous thread instead of the expected, default state. \[[JPL 06|AA. Java References#JPL 06]\] |
...
Noncompliant
...
Code
...
Example
...
This
...
noncompliant
...
code
...
example
...
consists
...
of
...
an
...
enumeration
...
Day
...
of
...
days,
...
a
...
class
...
Diary
...
and
...
a
...
class
...
DiaryPool
...
.
...
The
...
class
...
Diary
...
uses
...
a
...
ThreadLocal
...
variable
...
to
...
store
...
thread-specific
...
information,
...
such
...
as
...
each
...
thread's
...
current
...
day.
...
The
...
initial
...
value
...
of
...
the
...
current
...
day
...
is
...
Monday,
...
and
...
this
...
can
...
be
...
changed
...
later
...
by
...
using
...
the
...
setDay()
...
method.
...
The
...
thread
...
also
...
contains
...
a
...
thread-specific
...
threadSpecificTask()
...
instance
...
method
...
that
...
performs
...
a
...
thread
...
specific
...
task.
...
The
...
class
...
DiaryPool
...
consists
...
of
...
two
...
methods
...
doSomething1()
...
and
...
doSomething2()
...
that
...
start
...
a
...
thread
...
each,
...
respectively.
...
The
...
method
...
doSomething1()
...
changes
...
the
...
initial
...
(default)
...
value
...
of
...
the
...
day
...
in
...
the
...
diary
...
to
...
Friday
...
and
...
invokes
...
the
...
threadSpecificTask()
...
method.
...
However,
...
the
...
method
...
doSomething2()
...
relies
...
on
...
the
...
initial
...
value
...
of
...
the
...
day
...
(Monday)
...
in
...
the
...
diary
...
and
...
invokes
...
the
...
threadSpecificTask()
...
method.
...
The
...
main()
...
method
...
creates
...
one
...
thread
...
using
...
doSomething1()
...
and
...
two
...
more
...
using
...
doSomething2()
...
.
| Code Block | ||||
|---|---|---|---|---|
| =
| |||
} public enum Day { MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, SUNDAY; } public class Diary { private static ThreadLocal<Day> days = new ThreadLocal<Day>() { // Initialize to Monday protected Day initialValue() { return Day.MONDAY; } }; private static Day currentDay() { return days.get(); } public static void setDay(Day newDay) { days.set(newDay); } // Performs some thread-specific task public void threadSpecificTask() { // Do task ... System.out.println("The current day is: " + currentDay()); } } class DiaryPool { final int NoOfThreads = 2; // Maximum number of threads allowed in pool final Executor exec; final Diary diary; DiaryPool() { exec = (Executor) Executors.newFixedThreadPool(NoOfThreads); diary = new Diary(); } public void doSomething1() { exec.execute(new Runnable() { public void run() { Diary.setDay(Day.FRIDAY); diary.threadSpecificTask(); } }); } public void doSomething2() { exec.execute(new Runnable() { public void run() { diary.threadSpecificTask(); } }); } public static void main(String[] args) { DiaryPool dp = new DiaryPool(); dp.doSomething1(); // Thread 1, requires current day as Friday dp.doSomething2(); // Thread 2, requires current day as Monday dp.doSomething2(); // Thread 3, requires current day as Monday } } {code} |
This
...
noncompliant
...
code
...
example
...
sometimes
...
prints:
| Code Block |
|---|
{code} The current day is: FRIDAY The current day is: FRIDAY The current day is: MONDAY {code} |
The
...
issue
...
is
...
that
...
the
...
DiaryPool
...
class
...
uses
...
a
...
thread
...
pool
...
to
...
execute
...
multiple
...
threads.
...
This
...
allows
...
threads
...
to
...
be
...
reused
...
when
...
the
...
pool
...
is
...
full.
...
When
...
this
...
happens,
...
the
...
thread
...
local
...
state
...
of
...
a
...
previous
...
thread
...
may
...
be
...
inherited
...
by
...
a
...
new
...
thread
...
that
...
has
...
just
...
begun
...
execution.
...
In
...
this
...
case,
...
even
...
though
...
the
...
threads
...
that
...
were
...
started
...
using
...
doSomething2()
...
are
...
expected
...
to
...
see
...
the
...
current
...
day
...
as
...
Monday,
...
one
...
of
...
them
...
inherits
...
the
...
day
...
Friday
...
from
...
the
...
first
...
thread
...
when
...
the
...
thread
...
is
...
reused.
...
Changing
...
the
...
thread
...
pool
...
size
...
to
...
a
...
larger
...
size
...
(more
...
than
...
2)
...
appears
...
to
...
fix
...
the
...
problem
...
because
...
it
...
prints
...
the
...
expected
...
state
...
(Friday
...
occurs
...
only
...
once):
| Code Block |
|---|
} The current day is: FRIDAY The current day is: MONDAY The current day is: MONDAY {code} |
This
...
execution
...
order
...
may
...
differ
...
depending
...
on
...
thread
...
scheduling,
...
however,
...
Friday
...
occurs
...
just
...
once.
...
Note
...
that
...
increasing
...
the
...
thread
...
pool
...
size
...
from
...
time
...
to
...
time
...
is
...
not
...
a
...
feasible
...
option.
...
Compliant
...
Solution
...
The
...
class
...
Diary
...
does
...
not
...
use
...
a
...
ThreadLocal
...
object
...
in
...
this
...
compliant
...
solution.
...
Also,
...
the
...
class
...
DiaryPool
...
uses
...
local
...
instances
...
of
...
class
...
Diary
...
within
...
the
...
methods
...
doSomething1()
...
and
...
doSomething2()
...
.
...
The
...
Day
...
is
...
uniquely
...
maintained
...
by
...
each
...
instance
...
of
...
the
...
Diary
...
class.
...
As
...
multiple
...
threads
...
are
...
allowed
...
to
...
share
...
a
...
Diary
...
instance,
...
the
...
day
...
field
...
is
...
declared
...
static
...
.
...
Creating
...
two
...
Diary
...
instances
...
in
...
class
...
DiaryPool
...
allows
...
the
...
first
...
thread
...
to
...
work
...
with
...
the
...
object
...
instance
...
having
...
the
...
current
...
day
...
as
...
Friday
...
and
...
the
...
other
...
two
...
threads
...
to
...
work
...
with
...
the
...
object
...
instance
...
with
...
the
...
current
...
day
...
as Monday.
| Code Block | ||
|---|---|---|
| ||
Monday. {mc} The CS may need some work/explaining. Even if the noncompliant Diary class is used in the CS, it works just fine because different instances of Diary are created in DiaryPool as compared to the NCE {mc} {code:bgColor=#ccccff} class Diary { static Day day; Diary() { day = day.getInitialDay(Day.MONDAY); // Default } private Day currentDay() { return day; } public void setDay(Day d) { day = d; } // Performs some thread-specific task public void threadSpecificTask() { // Do task ... System.out.println("The day is: " + currentDay()); } } class DiaryPool { final int NoOfThreads = 2; // Maximum number of threads allowed in pool final Executor exec; DiaryPool() { exec = (Executor) Executors.newFixedThreadPool(NoOfThreads); } public void doSomething1() { final Diary diary = new Diary(); // First instance exec.execute(new Runnable() { public void run() { diary.setDay(Day.FRIDAY); diary.threadSpecificTask(); } }); } public void doSomething2() { final Diary diary = new Diary(); // Second instance exec.execute(new Runnable() { public void run() { diary.threadSpecificTask(); } }); } public static void main(String[] args) { DiaryPool dp = new DiaryPool(); dp.doSomething1(); // Thread 1, requires current day as Friday dp.doSomething2(); // Thread 2, requires current day as Monday dp.doSomething2(); // Thread 2, requires current day as Monday } } {code} |
As
...
expected,
...
this
...
code
...
correctly
...
prints
...
the
...
following
...
or
...
some
...
other
...
order
...
with
...
Friday
...
occurring
...
just
...
once:
| Code Block |
|---|
} The current day is: FRIDAY The current day is: MONDAY The current day is: MONDAY {code} |
Unmodifiable
...
classes
...
whose
...
design
...
incorporates
...
ThreadLocal
...
data
...
should
...
not
...
be
...
executed
...
in
...
thread
...
pools.
...
Risk
...
Assessment
...
When
...
objects
...
of
...
classes
...
that
...
use
...
ThreadLocal
...
data
...
are
...
executed
...
in
...
a
...
thread
...
pool
...
by
...
different
...
threads,
...
they
...
may
...
assume
...
stale
...
states,
...
resulting
...
in
...
corrupt
...
data.
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
CON27- J | high | probable | medium | P12 | L1 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
| Wiki Markup |
|---|
\[[API 06|AA. Java References#API 06]\] class {{java.lang.ThreadLocal<T>}}
\[[JPL 06|AA. Java References#JPL 06]\] 14.13. ThreadLocal Variables |
...
...
...
...
...
...
...
...
...
...
...