Page History

...

Code Block

bgColor	#FFCCCC

public class SomeObject {

  // Locks on the object's monitor
  public synchronized void changeValue() { 
    // ...
  }
 
  public static SomeObject lookup(String name) {
    // ...
  }
}

// Untrusted code
String name = // ...
SomeObject someObject = SomeObject.lookup(name);
if (someObject == null) {
  // ... handle error
}
synchronized (someObject) {
  while (true) {
    // Indefinitely delaylock someObject
    Thread.sleep(Integer.MAX_VALUE); 
  }
}

...

Exposing the lock object to untrusted code can result in DoS.

Rule	Severity	Likelihood	Remediation Cost	Priority	Level
LCK00-J	low	probable	medium	P4	L3

Automated Detection

Tool

Version

Checker

Description

The Checker Framework

Include Page

	The Checker Framework_V
	The Checker Framework_V

Lock Checker

Concurrency and lock errors (see Chapter 6)

CodeSonar

Include Page

	CodeSonar_V
	CodeSonar_V

JAVA.CONCURRENCY.LOCK.ISTR

Synchronization on Interned String (Java)

Parasoft Jtest

9.5TRS.SOPFImplementedSonarQube Java Plugin

Include Page

	Parasoft_V
	Parasoft_V

CERT.LCK00.SOPF

Do not synchronize on "public" fields since doing so may cause deadlocks

SonarQube

Include Page

	SonarQube

Java Plugin

_V
	SonarQube

Java Plugin

_V

S2445

Implemented

Related Guidelines

MITRE CWE

CWE-412. Unrestricted externally accessible lock

CWE-413. Improper resource locking

Bibliography

[Bloch 2001]

Item 52. Document Thread Safety

...

Space shortcuts

Page tree

Versions Compared

Old Version 201

New Version Current

Key

Automated Detection

Related Guidelines

Bibliography