...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
CON01- J | medium | probable | medium | P8 | L2 |
Automated Detection
Dynamic analysis tools with a Java concurrency focus, such as SureLogic Flashlight and Coverity Dynamic Analysis will uncover the race conditions shown in the noncompliant code examples above. To accomplish this, however, these tools would have to observe the noncompliant code being called by two or more threads. Such as in an integration or stress test environment. These tools use a dynamic lockset analysis to detect race conditions. This analysis intersects the set of locks that are observed to be held when each piece of shared state in the program is accessed. If the lockset for a piece of shared state is empty then a race condition may have been observed and the tool reports this to the use.
Static analysis tools, such as FindBugs and PMD, do not detect problems with the noncompliant solutions shown above without some "hint" that the program code is intended to be thread-safe. For example, consider the compliant code below where the use of a synchronized method is a hint to the analysis tool that the class is intended to be used concurrently.
...
With the @GuardedBy annotation in place, and only with this annotation in place, FindBugs reports that the field is not guarded against concurrent access in the getValue() method.TODO Describe concurrency-focused analysis tools.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...