...
The
...
singleton
...
design
...
pattern's
...
intent
...
is
...
succinctly
...
described
...
by
...
the
...
seminal
...
work
...
of Gamma and colleagues [Gamma 1995]:
Ensure a class only has one instance, and provide a global point of access to it.
Because there is only one singleton instance, "any instance fields of a Singleton will occur only once per class, just like static fields. Singletons often control access to resources such as database connections or sockets" [Fox 2001]. Other applications of singletons involve maintaining performance statistics, monitoring and logging system activity, implementing printer spoolers, and even tasks such as ensuring that only one audio file plays at a time. Classes that contain only static methods are good candidates for the Singleton pattern.
The Singleton pattern typically uses a single instance of a class that encloses a private static class field. The instance can be created using lazy initialization, which means that the instance is not created when the class loads but when it is first used.
A class that implements the singleton design pattern must prevent multiple instantiations. Relevant techniques include the following:
- Making its constructor private
- Employing lock mechanisms to prevent an initialization routine from being run simultaneously by multiple threads
- Ensuring the class is not serializable
- Ensuring the class cannot be cloned
- Preventing the class from being garbage-collected if it was loaded by a custom class loader
Noncompliant Code Example (Nonprivate Constructor)
This noncompliant code example uses a nonprivate constructor for instantiating a singleton:
Code Block | ||
---|---|---|
| ||
Gamma et al. \[[Gamma 1995|AA. Bibliography#Gamma 95]\]: {quote} Ensure a class only has one instance, and provide a global point of access to it. {quote} "Since there is only one Singleton instance, any instance fields of a Singleton will occur only once per class, just like {{static}} fields. Singletons often control access to resources such as database connections or sockets" \[[Fox 2001|AA. Bibliography#Fox 01]\]. Other applications of singletons involve maintaining performance statistics, system monitoring and logging, implementing printer spoolers or even ensuring that only one audio file plays at a time. Classes that contain only {{static}} methods are good candidates for the singleton pattern. The Singleton pattern typically uses a single instance of a class that encloses a {{private static}} class field. The instance can be created using _lazy initialization_, which means that the instance is not created when the class loads but when it is first used. A class designed to hold a singleton object must prevent multiple instantiations of itself from being created. This includes: * making its constructor private * employing lock mechanisms to prevent an initialization routine from running simultaneously by multiple threads * ensuring the class is not serializable * ensuring the class cannot be cloned * preventing the class from being garbage-collected if it was loaded by a custom class loader h2. Noncompliant Code Example (Non-Private Constructor) This noncompliant code example uses a non-private constructor for instantiating a singleton. {code:bgColor=#FFcccc} class MySingleton { private static MySingleton Instanceinstance; protected MySingleton() { // private constructor prevents instantiation by untrusted callers Instanceinstance = new MySingleton(); } public static synchronized MySingleton getInstance() { return Instanceinstance; } } {code} |
A
...
malicious
...
subclass
...
may
...
extend
...
the
...
accessibility
...
of
...
the
...
constructor
...
from
...
protected
...
to
...
public
...
,
...
allowing
...
...
...
to
...
create
...
multiple
...
instances
...
of
...
the
...
singleton.
...
Also,
...
the
...
class
...
field
...
Instance
...
has
...
not
...
been
...
declared
...
final.
Compliant Solution (Private Constructor)
This compliant solution reduces the accessibility of the constructor to private and immediately initializes the field Instance
, allowing it to be declared final. Singleton constructors must be private.
Code Block | ||
---|---|---|
| ||
}}. h2. Compliant Solution ({{private}} Constructor) This compliant solution reduces the accessibility of the constructor to {{private}} and initializes the field {{Instance}} immediately, allowing it to be declared {{final}}. Singleton constructors must be {{private}}. {code:bgColor=#ccccff} class MySingleton { private static final MySingleton Instanceinstance = new MySingleton(); private MySingleton() { // privatePrivate constructor prevents instantiation by untrusted callers } public static synchronized MySingleton getInstance() { return Instanceinstance; } } {code} The {{MySingleton}} class need not be declared as final because it has a private constructor. h2. Noncompliant Code Example (Visibility Across Threads) If the getter method is |
The MySingleton
class need not be declared final because it has a private constructor.
(Note that the initialization of instance
is done when MySingleton
is loaded, consequently it is protected by the class's initialization lock. See the JLS s12.4.2 for more information.)
Noncompliant Code Example (Visibility across Threads)
Multiple instances of the Singleton
class can be created when the getter method is tasked with initializing the singleton when necessary, and the getter method is invoked by two or more threads simultaneously.
Code Block | ||
---|---|---|
| ||
tasked with initializing the singleton when necessary, and the getter method is invoked by two (or more) threads simultaneously, multiple instances of the {{Singleton}} class might result if access is unsynchronized. {code:bgColor=#FFcccc} class MySingleton { private static MySingleton Instanceinstance; private MySingleton() { // privatePrivate constructor prevents instantiation by untrusted callers } // Lazy initialization public static MySingleton getInstance() { // Not synchronized if (Instanceinstance == null) { Instanceinstance = new MySingleton(); } return Instanceinstance; } } {code} Consequently, a singleton initializer method in a multithreaded program must employ some form of locking to prevent construction of multiple singleton objects. h2. Noncompliant Code Example (Inappropriate Synchronization) Multiple instances can be |
A singleton initializer method in a multithreaded program must employ some form of locking to prevent construction of multiple singleton objects.
Noncompliant Code Example (Inappropriate Synchronization)
Multiple instances can be created even when the singleton construction is encapsulated in a synchronized block, as in this noncompliant code example:
Code Block | ||
---|---|---|
| ||
created even when the singleton construction is encapsulated in a {{synchronized}} block. {code:bgColor=#FFcccc} public static MySingleton getInstance() { if (Instanceinstance == null) { synchronized (MySingleton.class) { Instanceinstance = new MySingleton(); } } return Instanceinstance; } |
The reason multiple instances can be created in this case is that two or more threads may simultaneously see the field instance
as null
in the if
condition and enter the synchronized block one at a time.
Compliant Solution (Synchronized Method)
To address the issue of multiple threads creating more than one instance of the singleton, make getInstance()
a synchronized method:
Code Block | ||
---|---|---|
| ||
{code} This is because two or more threads may simultaneously see the field {{Instance}} as {{null}} in the {{if}} condition, and enter the synchronized block one at a time. h2. Compliant Solution ({{synchronized}} Method) To address the issue of multiple threads creating more than one instance of the singleton, make {{getInstance()}} a {{synchronized}} method. {code:bgColor=#ccccff} class MySingleton { private static MySingleton Instanceinstance; private MySingleton() { // privatePrivate constructor prevents instantiation by untrusted callers } // Lazy initialization public static synchronized MySingleton getInstance() { if (Instanceinstance == null) { Instanceinstance = new MySingleton(); } return Instanceinstance; } } {code} h2. Compliant Solution |
Compliant Solution (Double-Checked
...
Locking)
...
Another
...
compliant
...
solution
...
for
...
implementing
...
...
singletons
...
is
...
the correct use of the
...
double-checked
...
locking idiom:
Code Block | ||
---|---|---|
| ||
idiom. {code:bgColor=#ccccff} class MySingleton { private static volatile MySingleton Instanceinstance; private MySingleton() { // privatePrivate constructor prevents instantiation by untrusted callers } // Double-checked locking public static MySingleton getInstance() { if (Instanceinstance == null) { synchronized (MySingleton.class) { if (Instanceinstance == null) { Instanceinstance = new MySingleton(); } } } return Instanceinstance; } } {code} |
This
...
design
...
pattern
...
is
...
often
...
implemented
...
incorrectly (see LCK10-J.
...
Use a correct form of the double-checked
...
...
...
for
...
more
...
details
...
on
...
the correct
...
use
...
of
...
the
...
double-checked
...
locking
...
idiom).
...
Compliant
...
Solution
...
(Initialize-
...
on-Demand
...
Holder
...
Class
...
Idiom)
...
This
...
compliant
...
solution
...
uses
...
a
...
static
...
inner
...
class
...
to
...
create
...
the
...
singleton instance:
Code Block | ||
---|---|---|
| ||
instance. {code:bgColor=#ccccff} class MySingleton { static class SingletonHolder { static MySingleton Instanceinstance = new MySingleton(); } public static MySingleton getInstance() { return SingletonHolder.Instanceinstance; } } {code} This is known as the |
This approach is known as the initialize-on-demand
...
holder
...
class
...
idiom (see LCK10-J.
...
Use a correct form of the double-checked
...
...
...
for
...
more
...
information).
...
Noncompliant
...
Code
...
Example
...
(Serializable)
...
This
...
noncompliant
...
code
...
example
...
implements
...
the
...
java.io.Serializable
...
interface
...
, which
...
allows
...
the
...
class
...
to
...
be
...
serialized.
...
Deserialization
...
of
...
the
...
class
...
implies
...
that
...
multiple
...
instances
...
of
...
the
...
singleton
...
can
...
be
...
created.
Code Block | ||||
---|---|---|---|---|
| =
| |||
} class MySingleton implements Serializable { private static final long serialVersionUID = 6825273283542226860L; private static MySingleton Instanceinstance; private MySingleton() { // privatePrivate constructor prevents instantiation by untrusted callers } // Lazy initialization public static synchronized MySingleton getInstance() { if (Instanceinstance == null) { Instanceinstance = new MySingleton(); } return Instanceinstance; } } {code} |
A
...
singleton's
...
constructor
...
cannot
...
install
...
checks
...
to
...
enforce
...
the
...
requirement
...
that the class is instantiated only once because deserialization can bypass the object's constructor.
Noncompliant Code Example (readResolve()
Method)
Adding a readResolve()
method that returns the original instance is insufficient to enforce the singleton property. This technique is insecure even when all the fields are declared transient or static.
Code Block | ||
---|---|---|
| ||
the number of instances be limited to one because serialization provides a mechanism that bypasses the object's constructor. h2. Noncompliant Code Example ({{readResolve()}} Method) Adding a {{readResolve()}} method that returns the original instance is insufficient to ensure the singleton property. This is insecure even when all the fields are declared {{transient}} or {{static}}. {code:bgColor=#FFcccc} class MySingleton implements Serializable { private static final long serialVersionUID = 6825273283542226860L; private static MySingleton Instanceinstance; private MySingleton() { // privatePrivate constructor prevents instantiation by untrusted callers } // Lazy initialization public static synchronized MySingleton getInstance() { if (Instanceinstance == null) { Instanceinstance = new MySingleton(); } return Instanceinstance; } private Object readResolve() { return Instanceinstance; } } {code} At |
At runtime,
...
an
...
attacker
...
can
...
add
...
a
...
class
...
that
...
reads
...
in
...
a
...
crafted
...
serialized
...
stream:
Code Block |
---|
{code} public class Untrusted implements Serializable { public static MySingleton captured; public MySingleton capture; public Untrusted(MySingleton capture) { this.capture = capture; } private void readObject(java.io.ObjectInputStream in) throws Exception { in.defaultReadObject(); captured = capture; } } {code} |
The
...
crafted
...
stream
...
can be
...
generated
...
by
...
serializing
...
the
...
following
...
class:
Code Block |
---|
{code} public final class MySingleton implements java.io.Serializable { private static final long serialVersionUID = 6825273283542226860L; public Untrusted untrusted = new Untrusted(this); // Additional serial field public MySingleton() { } } {code} |
Upon
...
deserialization,
...
the
...
field
...
MySingleton.untrusted
...
is
...
reconstructed
...
before
...
MySingleton.readResolve()
...
is
...
called.
...
Consequently,
...
Untrusted.captured
...
is
...
assigned
...
the
...
deserialized
...
instance
...
of
...
the
...
crafted
...
stream
...
instead
...
of
...
MySingleton.
...
instance
.
...
This
...
issue
...
is
...
pernicious
...
when
...
an
...
attacker
...
can
...
add
...
classes
...
to
...
exploit
...
the
...
singleton
...
guarantee
...
of
...
an
...
existing
...
serializable
...
class.
...
Noncompliant
...
Code
...
Example
...
(
...
Nontransient Instance
...
Fields)
...
This
...
serializable
...
noncompliant
...
code
...
example
...
uses a nontransient instance field str
:
Code Block | ||
---|---|---|
| ||
a non-transient instance field {{str}}. {code:bgColor=#FFcccc} class MySingleton implements Serializable { private static final long serialVersionUID = 2787342337386756967L; private static MySingleton Instance;instance; // Nontransient instance field private String[] str = {"one", "two", "three"}; // non-transient instance field private MySingleton() { // privatePrivate constructor prevents instantiation by untrusted callers } public void displayStr() { System.out.println(Arrays.toString(str)); } private Object readResolve() { return Instanceinstance; } } {code} |
"If
...
a
...
singleton
...
contains
...
a
...
nontransient
...
object
...
reference
...
field,
...
the
...
contents
...
of
...
this
...
field
...
will
...
be
...
deserialized
...
before the singleton's readResolve
method is run. This allows a carefully crafted stream to 'steal' a reference to the originally deserialized singleton at the time the contents of the object reference field are deserialized" [Bloch 2008].
Compliant Solution (Enumeration Types)
Stateful singleton classes must be nonserializable. As a precautionary measure, classes that are serializable must not save a reference to a singleton object in their nontransient or nonstatic instance variables. This precaution prevents the singleton from being indirectly serialized.
Bloch [Bloch 2008] suggests the use of an enumeration type as a replacement for traditional implementations when serializable singletons are indispensable.
Code Block | ||
---|---|---|
| ||
the singletonâs {{readResolve}} method is run. This allows a carefully crafted stream to "steal" a reference to the originally deserialized singleton at the time the contents of the object reference field are deserialized" \[[Bloch 2008|AA. Bibliography#Bloch 08]\]. h2. Compliant Solution ({{enum}}) Stateful singleton classes must be made non-serializable. As a precautionary measure, classes that are serializable are forbidden to save a reference to a singleton object in their non-transient or non-static instance variables. This prevents the singleton from being indirectly serialized. Bloch \[[Bloch 2008|AA. Bibliography#Bloch 08]\] suggests the use of an {{enum}} type as a replacement for traditional implementations when serializable singletons are indispensable. {code:bgColor=#ccccff} public enum MySingleton { Instance; ; // Empty list of enum values private String[]static str = {"one"MySingleton instance; // Nontransient field private String[] str = {"one", "two", "three"}; // non-transient field public void displayStr() { System.out.println(Arrays.toString(str)); } } {code} |
This
...
approach
...
is
...
functionally
...
equivalent
...
to,
...
but
...
much
...
safer
...
than,
...
commonplace
...
implementations.
...
It
...
both
...
ensures
...
that
...
only
...
one
...
instance
...
of
...
the
...
object
...
exists
...
at
...
any
...
instant
...
and
...
provides
...
the
...
serialization
...
property
...
(because
...
java.lang.Enum<E>
...
extends
...
java.io.Serializable
...
).
...
Noncompliant Code Example (Cloneable Singleton)
When the singleton class implements java.lang.Cloneable
directly or through inheritance, it is possible to create a copy of the singleton by cloning it using the object's clone()
method. This noncompliant code example shows a singleton that implements the java.lang.Cloneable
interface.
Code Block | ||
---|---|---|
| ||
Singleton) It is also possible to create a copy of the singleton by cloning it using the object's {{clone()}} method if the singleton class implements {{java.lang.Cloneable}} directly or through inheritance. This noncompliant code example shows a singleton that implements the {{java.lang.Cloneable}} interface. {code:bgColor=#FFcccc} class MySingleton implements Cloneable { private static MySingleton Instanceinstance; private MySingleton() { // privatePrivate constructor prevents // instantiation by untrusted callers } // Lazy initialization public static synchronized MySingleton getInstance() { if (Instanceinstance == null) { Instanceinstance = new MySingleton(); } return Instanceinstance; } } {code} h2. Compliant Solution (Override {{ |
Compliant Solution (Override clone()
...
Method)
To avoid making the singleton class cloneable, do not implement the Cloneable
interface and do not derive from a class that already implements it.
When the singleton class must indirectly implement the Cloneable
interface through inheritance, the object's clone()
method must be overridden with one that throws a CloneNotSupportedException
exception [Daconta 2003].
Code Block | ||
---|---|---|
| ||
Avoid making the singleton class cloneable by not implementing the {{Cloneable}} interface or not deriving from a class that already implements it. If the singleton class indirectly implements the {{Cloneable}} interface through inheritance, the object's {{clone()}} method must be overridden with one that throws a {{CloneNotSupportedException}} exception \[[Daconta 2003|AA. Bibliography#Daconta 03]\]. {code:bgColor=#ccccff} class MySingleton implements Cloneable { private static MySingleton Instanceinstance; private MySingleton() { // privatePrivate constructor prevents instantiation by untrusted callers } // Lazy initialization public static synchronized MySingleton getInstance() { if (Instanceinstance == null) { Instanceinstance = new MySingleton(); } return Instanceinstance; } public Object clone() throws CloneNotSupportedException { throw new CloneNotSupportedException(); } } {code} See rule [ |
See OBJ07-J.
...
...
...
...
...
...
...
...
...
for
...
more
...
details
...
about
...
preventing misuse
...
of
...
the
...
clone()
...
method.
...
Noncompliant Code Example (Garbage
...
Collection)
A class may be garbage-collected when it is no longer reachable. This behavior can be problematic when the program must maintain the singleton property throughout the entire lifetime of the program.
A static singleton becomes eligible for garbage collection when its class loader becomes eligible for garbage collection. This usually happens when a nonstandard (custom) class loader is used to load the singleton. This noncompliant code example prints different values of the hash code of the singleton object from different scopes:
Code Block | ||
---|---|---|
| ||
When a class is no longer reachable, it is free to be garbage collected. This behavior can be troublesome when the program must maintain the singleton property throughout the entire lifetime of the program. A {{static}} singleton becomes eligible for garbage collection when its class loader becomes eligible for garbage collection. This usually happens when a nonstandard (custom) class loader is used to load the singleton. This noncompliant code example prints different values of the hashcode of the singleton object from different scopes. {code:bgColor=#FFcccc} { ClassLoader cl1 = new MyClassLoader(); Class class1 = cl1.loadClass(MySingleton.class.getName()); Method classMethod = class1.getDeclaredMethod("getInstance", new Class[] { }); Object singleton = classMethod.invoke(null, new Object[] { }); System.out.println(singleton.hashCode()); } ClassLoader cl1 = new MyClassLoader(); Class class1 = cl1.loadClass(MySingleton.class.getName()); Method classMethod = class1.getDeclaredMethod("getInstance", new Class[] { }); Object singleton = classMethod.invoke(null, new Object[] { } ); System.out.println(singleton.hashCode()); {code} {mc} back-up code { ClassLoader cl1 = new FirstClassLoader(); Class class1 = cl1.loadClass(MySingleton.class.getName()); Method instanceMethod = class1.getDeclaredMethod("getInstance", new Class[] { }); Object singleton = instanceMethod.invoke(null, new Object[] { } ); } ClassLoader cl2 = new SecondClassLoader(); Class class2 = cl2.loadClass(MySingleton.class.getName()); Method instanceMethod = class2.getDeclaredMethod("getInstance", new Class[] { }); Object singleton = instanceMethod.invoke(null, new Object[] { } ); {mc} Code that is outside the scope can create another instance of the singleton class even though the requirement was to use only the original instance. {mc} // The following class produces the same hashcode from different scopes, so is safe public class StaticClass { public void doSomething() { { MySingleton ms = new MySingleton(); Object singleton = ms.getInstance(); |
Code that is outside the scope can create another instance of the singleton class even though the requirement was to use only the original instance.
Because a singleton instance is associated with the class loader that is used to load it, it is possible to have multiple instances of the same class in the Java Virtual Machine. This situation typically occurs in J2EE containers and applets. Technically, these instances are different classes that are independent of each other. Failure to protect against multiple instances of the singleton may or may not be insecure depending on the specific requirements of the program.
Compliant Solution (Prevent Garbage Collection)
This compliant solution takes into account the garbage-collection issue described previously. A class cannot be garbage-collected until the ClassLoader
object used to load it becomes eligible for garbage collection. A simple scheme to prevent garbage collection is to ensure that there is a direct or indirect reference from a live thread to the singleton object that must be preserved.
This compliant solution demonstrates this technique. It prints a consistent hash code across all scopes. It uses the ObjectPreserver
class [Grand 2002] described in TSM02-J. Do not use background threads during class initialization.
Code Block | ||
---|---|---|
| ||
{ ClassLoader cl1 = new MyClassLoader(); Class class1 = cl1.loadClass(MySingleton.class.getName()); Method classMethod = class1.getDeclaredMethod("getInstance", new Class[] { }); Object singleton = classMethod.invoke(null, new Object[] { }); ObjectPreserver.preserveObject(singleton); // Preserve the object System.out.println(singleton.hashCode()); } MySingleton ms ClassLoader cl1 = new MySingletonMyClassLoader(); Class Object singleton class1 = mscl1.getInstance(); System.out.println(singleton.hashCodeloadClass(MySingleton.class.getName()); Method classMethod }= public static void main(Stringclass1.getDeclaredMethod("getInstance", new Class[] args) { StaticClass sc = new StaticClass(); sc.doSomething(); } } {mc} Because a singleton instance is associated with the class loader that is used to load it, it is possible to have multiple instances of the same class in the JVM. This typically happens in J2EE containers and applets. Technically, these instances are different classes that are independent of each other. Failing to protect against multiple instances of the singleton may or may not be insecure depending on the specific requirements of the program. h2. Compliant Solution (Prevent Garbage Collection) This compliant solution takes into account the garbage collection issue described above. A class cannot be garbage collected until the {{ClassLoader}} object used to load it becomes eligible for garbage collection. An easier scheme to prevent the garbage collection is to ensure that there is a direct or indirect reference from a live thread to the singleton object that must be preserved. This compliant solution demonstrates this technique. It prints a consistent hashcode across all scopes. It uses the {{ObjectPreserver}} class based on \[[Grand 2002|AA. Bibliography#Grand 02]\] and described in rule [TSM02-J. Do not use background threads during class initialization]. {code:bgColor=#ccccff} { ClassLoader cl1 = new MyClassLoader(); Class class1 = cl1.loadClass(MySingleton.class.getName()); Method classMethod = class1.getDeclaredMethod("getInstance", new Class[] { }); Object singleton = classMethod.invoke(null, new Object[] { }); ObjectPreserver.preserveObject(singleton); // Preserve the object System.out.println(singleton.hashCode()); } ClassLoader cl1 = new MyClassLoader(); Class class1 = cl1.loadClass(MySingleton.class.getName()); Method classMethod = class1.getDeclaredMethod("getInstance", new Class[] { }); Object singleton = ObjectPreserver.getObject(); // Retrieve the preserved object System.out.println(singleton.hashCode()); {code} h2. Risk Assessment Using improper forms of the singleton design pattern may lead to creation of multiple instances of the singleton and violate the expected contract of the class. || Rule || Severity || Likelihood || Remediation Cost || Priority || Level || | MSC16-J | low | unlikely | medium | {color:green}{*}P2{*}{color} | {color:green}{*}L3{*}{color} | h3. Related Vulnerabilities Search for vulnerabilities resulting from the violation of this rule on the [CERT website|https://www.kb.cert.org/vulnotes/bymetric?searchview&query=FIELD+KEYWORDS+contains+CON32-J]. h2. Related Guidelines | \[[MITRE 2009|AA. Bibliography#MITRE 09]\] | [CWE ID 543|http://cwe.mitre.org/data/definitions/543.html] "Use of Singleton Pattern Without Synchronization in a Multithreaded Context" | h2. Bibliography | \[[JLS 2005|AA. Bibliography#JLS 05]\] | [Chapter 17, Threads and Locks|http://java.sun.com/docs/books/jls/third_edition/html/memory.html] | | \[[Fox 2001|AA. Bibliography#Fox 01]\] | [When is a Singleton not a Singleton?|http://java.sun.com/developer/technicalArticles/Programming/singletons/] | | \[[Daconta 2003|AA. Bibliography#Daconta 03]\] | Item 15: Avoiding Singleton Pitfalls; | | \[[Darwin 2004|AA. Bibliography#Darwin 04]\] | 9.10 Enforcing the Singleton Pattern | | \[[Gamma 1995|AA. Bibliography#Gamma 95]\] | Singleton | | \[[Grand 2002|AA. Bibliography#Grand 02]\] | Chapter 5, Creational Patterns, Singleton | | \[[Bloch 2008|AA. Bibliography#Bloch 08]\] | Item 3: "Enforce the singleton property with a private constructor or an enum type" and Item 77: "For instance control, prefer enum types to readResolve" | ---- [!The CERT Oracle Secure Coding Standard for Java^button_arrow_left.png!|MSC10-J. Use inequality operators to terminate loops whose counter changes by more than one] [!The CERT Oracle Secure Coding Standard for Java^button_arrow_up.png!|49. Miscellaneous (MSC)] [!The CERT Oracle Secure Coding Standard for Java^button_arrow_right.png!|MSC17-J. Detect and remove dead code] { }); // Retrieve the preserved object Object singleton = ObjectPreserver.getObject(); System.out.println(singleton.hashCode()); |
Risk Assessment
Using improper forms of the Singleton design pattern may lead to creation of multiple instances of the singleton and violate the expected contract of the class.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC07-J | Low | Unlikely | Medium | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
The Checker Framework |
| Linear Checker | Control aliasing and prevent re-use (see Chapter 19) | ||||||
Coverity | 7.5 | SINGLETON_RACE | Implemented | ||||||
Parasoft Jtest |
| CERT.MSC07.ILI | Make lazy initializations thread-safe |
Related Guidelines
Bibliography
Item 3, "Enforce the Singleton Property with a Private Constructor or an | |
Item 15, "Avoiding Singleton Pitfalls" | |
Section 9.10, "Enforcing the Singleton Pattern" | |
[Fox 2001] | |
Singleton | |
Chapter 5, "Creational Patterns," section "Singleton" | |
[JLS 2015] |
...