The `final` keyword can be used to specify constant values (that is, values that cannot change during program execution). However, constants that can change over the lifetime of a program should not be declared public final. The Java Language Specification (JLS) [JLS 2013] allows implementations to insert the value of any public final field inline in any compilation unit that reads the field. Consequently, if the declaring class is edited so that the new version gives a different value for the field, compilation units that read the public final field could still see the old value until they are recompiled. This problem may occur, for example, when a third-party library is updated to the latest version but the referencing code is not recompiled.
A related error can arise when a programmer declares a `static final` reference to a mutable object (see OBJ50-J. Never confuse the immutability of a reference with that of the referenced object for additional information).
Noncompliant Code Example
In this noncompliant code example, class `Foo` in `Foo.java` declares a field whose value represents the version of the software:

```java
class Foo {
  public static final int VERSION = 1;
  // ...
}
```
The field is subsequently accessed by class `Bar` from a separate compilation unit (`Bar.java`):

```java
class Bar {
  public static void main(String[] args) {
    System.out.println("You are using version " + Foo.VERSION);
  }
}
```
When compiled and run, the software correctly prints

```
You are using version 1
```
But if a developer were to change the value of `VERSION` to 2 by modifying `Foo.java` and subsequently recompile `Foo.java` while failing to recompile `Bar.java`, the software would incorrectly print

```
You are using version 1
```
Although recompiling `Bar.java` solves this problem, a better solution is available.
Compliant Solution
According to §13.4.9, "`final` Fields and Constants," of the JLS [JLS 2013],

> Other than for true mathematical constants, we recommend that source code make very sparing use of class variables that are declared `static` and `final`. If the read-only nature of `final` is required, a better choice is to declare a `private static` variable and a suitable accessor method to get its value.
In this compliant solution, the version field in `Foo.java` is declared private static and accessed by the `getVersion()` method:

```java
class Foo {
  private static int version = 1;

  public static final int getVersion() {
    return version;
  }
  // ...
}
```
The `Bar` class in `Bar.java` is modified to invoke the `getVersion()` accessor method to retrieve the `version` field from `Foo.java`:

```java
class Bar {
  public static void main(String[] args) {
    System.out.println("You are using version " + Foo.getVersion());
  }
}
```
In this solution, the private version value cannot be copied into the `Bar` class when it is compiled, consequently preventing the bug. Note that this transformation imposes little or no performance penalty because most just-in-time (JIT) code generators can inline the `getVersion()` method at runtime.
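The partial-recompilation scenario can be reproduced in one program. The following is an added example, not code from the guideline: it compiles `Foo` and `Bar` into a temporary directory, updates and recompiles only `Foo`, and runs `Bar` before and after, first with the `public static final` field and then with the accessor. The class name `StaleConstantDemo`, the temporary directory, and the `public` modifiers on `Foo` and `Bar` (needed so `Bar.main` can be invoked reflectively) are assumptions of the example.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.tools.ToolProvider;

// Added demonstration, not code from the guideline. Needs a JDK (Java 11+), not just a JRE.
public class StaleConstantDemo {

  // Write <name>.java into dir and compile only that file, with dir as class path and output.
  static void compile(Path dir, String name, String source) throws Exception {
    Path file = dir.resolve(name + ".java");
    Files.writeString(file, source);
    int rc = ToolProvider.getSystemJavaCompiler().run(null, null, null,
        "-cp", dir.toString(), "-d", dir.toString(), file.toString());
    if (rc != 0) throw new IllegalStateException("compilation failed: " + name);
  }

  // Run Bar.main in a fresh class loader so it sees the class files currently on disk.
  static void runBar(Path dir) throws Exception {
    try (URLClassLoader loader = new URLClassLoader(new URL[] {dir.toUri().toURL()}, null)) {
      loader.loadClass("Bar").getMethod("main", String[].class)
          .invoke(null, (Object) new String[0]);
    }
  }

  static void scenario(String label, String fooV1, String fooV2, String bar) throws Exception {
    Path dir = Files.createTempDirectory("stale-constant-demo");
    System.out.println("== " + label);
    compile(dir, "Foo", fooV1);
    compile(dir, "Bar", bar);
    runBar(dir);
    compile(dir, "Foo", fooV2); // Bar.java is deliberately not recompiled
    runBar(dir);
  }

  public static void main(String[] args) throws Exception {
    String barHead = "public class Bar { public static void main(String[] args) {"
        + " System.out.println(\"You are using version \" + ";
    scenario("public static final field",
        "public class Foo { public static final int VERSION = 1; }",
        "public class Foo { public static final int VERSION = 2; }",
        barHead + "Foo.VERSION); } }");
    String accessor = " public static final int getVersion() { return version; } }";
    scenario("private static field with accessor",
        "public class Foo { private static int version = 1;" + accessor,
        "public class Foo { private static int version = 2;" + accessor,
        barHead + "Foo.getVersion()); } }");
  }
}
```

In the first scenario `Bar` reports version 1 both times because the constant was copied into `Bar.class`; in the second it reports 1 and then 2 because the value is read through `getVersion()` at run time.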
Applicability
Declaring a value that changes over the lifetime of the software as final may lead to unexpected results.
According to §9.3, "Field (Constant) Declarations," of the JLS [JLS 2013], "Every field declaration in the body of an interface is implicitly `public`, `static`, and `final`. It is permitted to redundantly specify any or all of these modifiers for such fields." Therefore, this guideline does not apply to fields defined in interfaces. Clearly, if the value of a field in an interface changes, every class that implements or uses the interface must be recompiled (see MSC53-J. Carefully design interfaces before releasing them for more information).
Constants declared using the `enum` type are permitted to violate this guideline.
Constants whose value never changes throughout the entire lifetime of the software may be declared as final. For instance, the JLS recommends that mathematical constants be declared final.
Bibliography
[JLS 2013] | §4.12.4, " |
...