According to the Java Language Specification [[JLS 2005]], Section 12.4, "Initialization of Classes and Interfaces"
Initialization of a class consists of executing its
static
initializers and the initializers forstatic
fields (class variables) declared in the class.
In other words, the presence of a static
field triggers the initialization of a class. However, a static field might depend on the initialization of a class, and might create an initialization cycle. The Java Language Specification also states: ([[JLS 2005]], Section 8.3.2.1, "Initializers for Class Variables")
...at run time,
static
variables that arefinal
and that are initialized with compile-time constant values are initialized first.
While this statement typically holds, it can be misleading as it does not account for instances that use values of static final
fields initialized at a later stage. Even when a field is static final
, it is not necessarily initialized before being read.
Noncompliant Code Example (intra-class cycle)
This noncompliant code example contains an intra-class initialization cycle.
public class Cycle { private final int balance; private static final Cycle c = new Cycle(); private static final int deposit = (int) (Math.random() * 100); // Random deposit public Cycle() { balance = deposit - 10; // Subtract processing fee } public static void main(String[] args) { System.out.println("The account balance is: " + c.balance); } }
The Cycle()
class declares a private static final class variable which is initialized to a new instance of the Cycle()
class. Static initializers are guaranteed to be invoked once at some point before the first use of a static class member or the first invocation of a constructor.
The programmer's intent is to calculate the account balance by subtracting the processing fee from the deposited amount. However, the initialization of the c
class variable happens before the deposit
field is initialized because it is lexically before the initialization of the deposit
field. Consequently, the value of deposit
seen by the constructor when invoked during the static initialization of c
is the initial value of deposit
(0) rather than the random value. As a result, the balance is always equal to -10
.
The JLS permits implementations to ignore the possibility of such recursive attempts [[Bloch 2005]].
Compliant Solution (intra-class cycle)
This compliant solution changes the initialization order of the class Cycle
so that the fields are initialized without creating any dependency cycles. Specifically, the initialization of c
is placed lexically after the initialization of deposit
so that it occurs temporally after deposit
is fully initialized.
public class Cycle { private final int balance; private static final int deposit = (int) (Math.random() * 100); // Random deposit private static final Cycle c = new Cycle(); // Inserted after initialization of required fields public Cycle() { balance = deposit - 10; // Subtract processing fee } public static void main(String[] args) { System.out.println("The account balance is: " + c.balance); } }
Such initialization cycles become insidious when many fields are involved; ensure that the control flow lacks such cycles.
Noncompliant Code Example (inter-class cycle)
This noncompliant code example uses two classes with static variables that depend on each other. When seen together, the cycle is obvious, but the cycle can be easily missed when the classes are viewed separately.
class A { static public final int a = B.b + 1; // ... }
class B { static public final int b = A.a + 1; // ... }
The values of A.a
and B.b
can vary, depending on which class gets initialized first. If class A
is initialized first, then A.a
will have the value 2 and B.b
will have the value 1. The values will be reversed if class B
is initialized first.
Compliant Solution (inter-class cycle)
This compliant solution eliminates one of the dependencies.
class A { static public final int a = 2; // ... } // class B unchanged: b = A.a + 1
With the cycle broken, the initial values will always be A.a = 2
and B.b = 3
, no matter which class gets initialized first.
Risk Assessment
Initialization cycles may lead to unexpected results.
Guideline |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
DCL12-J |
low |
unlikely |
medium |
P2 |
L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Other Languages
This guideline appears in the C++ Secure Coding Standard as DCL14-CPP. Avoid assumptions about the initialization order between translation units.
Bibliography
[[JLS 2005]] Sections 8.3.2.1, Initializers for Class Variables; 12.4, Initialization of Classes and Interfaces
Puzzle 49: Larger Than Life
[[MITRE 2009]] CWE ID 665 "Improper Initialization"
MSC06-J. Avoid memory leaks 49. Miscellaneous (MSC) DCL13-J. Avoid cyclic dependencies between packages