SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 49 Next »

According to the Java Language Specification [[JLS 2005]], Section 12.4, "Initialization of Classes and Interfaces"

Initialization of a class consists of executing its static initializers and the initializers for static fields (class variables) declared in the class.

In other words, the presence of a static field triggers the initialization of a class. However, a static field might depend on the initialization of a class, and might create an initialization cycle. The Java Language Specification also states: ([[JLS 2005]], Section 8.3.2.1, "Initializers for Class Variables")

...at run time, static variables that are final and that are initialized with compile-time constant values are initialized first.

While this statement typically holds, it can be misleading as it does not account for instances that use values of static final fields initialized at a later stage. Even if a field is static final, it is not necessarily initialized before being read.

Noncompliant Code Example (intra-class cycle)

In this noncompliant code example, a recursive attempt is being made to initialize the class, creating an initialization cycle. 

public class Cycle {
  private static final Cycle c = new Cycle();
  private final int balance;
  private static final int deposit = (int) (Math.random() * 100); // Random deposit

  public Cycle() {
    balance = deposit - 10; // Subtract processing fee
  }

  public static void main(String[] args) {
    System.out.println("The account balance is: " + c.balance);	
  }
}

Because such recursive attempts are ignored by the JVM, the default value of deposit is 0 during the initialization [[Bloch 2005]]. The code tries to calculate the account balance by subtracting the processing fee from the deposited amount, but fails to do so. The Cycle class object c is instantiated before the deposit field is initialized. As a result, the constructor Cycle() is invoked which computes the balance based on the initial value of deposit (0) rather than the random value. As a result, the balance is always equal to -10.

Compliant Solution (intra-class cycle)

This compliant solution changes the initialization order of the class Cycle so that the fields meant to be used in computations get duly initialized without creating any dependency cycles.

public class Cycle {
  private final int balance;
  private static final int deposit = (int) (Math.random() * 100); // Random deposit
  private static final Cycle c = new Cycle();  // Inserted after initialization of required fields
  public Cycle() {
    balance = deposit - 10; // Subtract processing fee
  }

  public static void main(String[] args) {
    System.out.println("The account balance is: " + c.balance);	
  }
}

As initialization cycles can become insidious when many classes are involved, proper care must be taken to inspect the control flow.

Noncompliant Code Example (inter-class cycle)

This noncompliant code example uses two classes with static variables that depend on each other. When seen together, the cycle is obvious, but the cycle can be easily missed when the classes are viewed separately.

class A {
    static public final int a = B.b + 1;
    // ...
}

class B {
    static public final int b = A.a + 1;
    // ...
}

The values of A.a and B.b can vary, depending on which class gets initialized first. If class A is initialized first, then A.a will have the value 2 and B.b will have the value 1. The values will be reversed if class B is initialized first.

Compliant Solution (inter-class cycle)

This compliant solution eliminates one of the dependencies.

class A {
    static public final int a = 2;
    // ...
}

// class B unchanged: b = A.a + 1

With the cycle broken, the initial values will always be A.a = 2 and B.b = 3, no matter which class gets initialized first.

Risk Assessment

Initialization cycles may lead to unexpected results.

Guideline

Severity

Likelihood

Remediation Cost

Priority

Level

DCL12-J

low

unlikely

medium

P2

L3

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this guideline on the CERT website.

Other Languages

This guideline appears in the C++ Secure Coding Standard as DCL14-CPP. Avoid assumptions about the initialization order between translation units.

Bibliography

[[JLS 2005]] Sections 8.3.2.1, Initializers for Class Variables; 12.4, Initialization of Classes and Interfaces
Puzzle 49: Larger Than Life
[[MITRE 2009]] CWE ID 665 "Improper Initialization"

MSC06-J. Avoid memory leaks      49. Miscellaneous (MSC)      DCL13-J. Avoid cyclic dependencies between packages

  • No labels