...
- Use of locks or other synchronization-based mechanisms within a finalizer can cause deadlock or starvation. This possibility arises because neither the invocation order nor the specific executing thread or threads for finalizers can be guaranteed or controlled.
Object finalizers have also been deprecated since Java 9. See MET02-J. Do not use deprecated or obsolete classes or methods for more information.
Because of these problems, finalizers must not be used in new classes.
...
This noncompliant code example uses the System.runFinalizersOnExit()
method to simulate a garbage-collection run. Note that this method is deprecated because of thread-safety issues; see MET02-J. Do not use deprecated or obsolete classes or methods.
According to the Java API [API 2014] class System
, runFinalizersOnExit()
method documentation,
...
Improper use of finalizers can result in resurrection of garbage-collection-ready objects and result in denial-of-service vulnerabilities.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MET12-J | Medium | Probable | Medium | P8 | L2 |
Automated Detection
Tool | Version | Checker | Description |
---|---|---|---|
CodeSonar | 4.2 | FB.BAD_PRACTICE.FI_EMPTY FB.BAD_PRACTICE.FI_EXPLICIT_INVOCATION FB.BAD_PRACTICE.FI_FINALIZER_NULLS_FIELDS FB.BAD_PRACTICE.FI_FINALIZER_ONLY_NULLS_FIELDS FB.BAD_PRACTICE.FI_MISSING_SUPER_CALL |
FB.BAD_PRACTICE.FI_NULLIFY_SUPER FB.MALICIOUS_CODE.FI_PUBLIC_SHOULD_BE_PROTECTED FB.BAD_PRACTICE.FI_USELESS | Empty finalizer should be deleted |
Finalizer nullifies superclass finalizer | ||
Coverity | 7.5 | CALL_ |
SUPER | Implemented |
Parasoft Jtest |
| CERT.MET12.MNDF | Do not define 'finalize()' method in bean classes Call 'super.finalize()' from 'finalize()' Do not use 'finalize()' methods to unregister listeners Call 'super.finalize()' in the "finally" block of 'finalize()' methods Do not call 'finalize()' explicitly Do not overload the 'finalize()' method Avoid empty 'finalize()' methods Avoid redundant 'finalize()' methods which only call the superclass' 'finalize()' method Give "finalize()" methods "protected" access | |||||||
SonarQube |
| S1113 S1111 S1174 S2151 S1114 | The Object.finalize() method should not be overriden The Object.finalize() method should not be called "Object.finalize()" should remain protected (versus public) when overriding "runFinalizersOnExit" should not be called "super.finalize()" should be called at the end of "Object.finalize()" implementations |
Related Vulnerabilities
AXIS2-4163 describes a vulnerability in the finalize()
method in the Axis web services framework. The finalizer incorrectly calls super.finalize()
before doing its own cleanup, leading to errors in GlassFish
when the garbage collector runs.
Related Guidelines
CWE-586, Explicit call to CWE-583, CWE-568, |
Bibliography
[API 2014] | |
Item 7, "Avoid Finalizers" | |
"'Sneaky' Memory Retention" | |
Section 9.5, "The Finalize Method" | |
Section 3.3, "Destroying and Finalizing Objects" | |
[JLS 2015] |
...
...