You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 64 Next »

Code that uses synchronization can sometimes be enigmatic and tricky to debug. Misuse of synchronization primitives is a common source of implementation errors. An analysis of the JDK 1.6.0 source code unveiled at least 31 bugs that fell into this category. [[Pugh 08]]

There are several oversights and programming errors associated with the improper use of locks, for example:

  • The lock object might be accessible to hostile code that can acquire the lock and hold it indefinitely. We recommend that locks not be accessible outside of their containing package.
  • A field referring to a lock object might be modified to refer to a different lock object. This can cause two critical sections of code that expect to lock on the same object to lock on different objects instead, or, two critical sections intending to lock on different objects may end up locking on the same shared object.
  • Any object that supports the java.util.concurrent.Lock interface should not have its intrinsic lock used; as this may cause confusion and inconsistency during maintainance.

Noncompliant Code Example (public nonfinal lock object)

This noncompliant code example locks on a public nonfinal object.

public Object publicLock = new Object();

private void doSomething() {
  synchronized(publicLock) { 
    // body
  }
}

It is possible for untrusted code to change the value of the lock object and foil all attempts to synchronize.

Noncompliant Code Example (publicly-accessible non-final lock object)

This noncompliant code example synchronizes on a nonfinal field and demonstrates no mutual exclusion properties.

private Integer lock = new Integer(0);

private void doSomething() {
  synchronized(lock) { /* ... */ }
}

public void setLock(Integer lockvalue) {
  lock = lockValue;
}

This is because the thread that holds a lock on the nonfinal field object can modify the field's value to reference some other object. This might cause two threads that lock on the same field to actually not lock on the same object, causing them to execute critical sections of code simultaneously.

Compliant Solution (private and final lock object)

This compliant solution synchronizes using a lock object that is declared as final.

private final Integer lock = new Integer(0);

private void doSomething() {
  synchronized(lock) { /* ... */ }
}

// setValue() is disallowed

Noncompliant Code Example (Boolean lock object)

This noncompliant code example uses a Boolean field for synchronization. However, because the field is non-final, there can be two possible valid values (true and false, discounting null) that a Boolean can assume. Consequently, any other code that synchronizes on the same value can cause unresponsiveness and deadlocks [[Findbugs 08]].

private Boolean initialized = Boolean.FALSE;
synchronized(initialized) { 
  if (!initialized) {
    // Perform initialization
    initialized = Boolean.TRUE;
  }
}

Even if the field were final, the code would use the intrinsic lock of Boolean.FALSE or Boolean.TRUE, which are accessible throughout the program. Consequently any other code could lock these objects and cause deadlock.

Noncompliant Code Example (Boxed primitive)

This noncompliant code example locks on a boxed Integer object.

int lock = 0;
final Integer Lock = lock; // Boxed primitive Lock will be shared
synchronized(Lock) { /* ... */ }

Boxed types are allowed to use the same instance for a range of integer values and consequently, suffer from the same problems as Boolean constants. Note that the boxed Integer primitive is shared and not the Integer object (new Integer(value)) itself. In general, holding a lock on any data structure that contains a boxed value is insecure.

Noncompliant Code Example (String constant)

This noncompliant code example locks on a final String literal.

// This bug was found in jetty-6.1.3 BoundedThreadPool
private final String lock = "one";
synchronized(lock) { /* ... */ }

A String literal is a constant and is interned. According to the Java API [[API 06]], class String documentation:

When the intern() method is invoked, if the pool already contains a string equal to this String object as determined by the equals(Object) method, then the string from the pool is returned. Otherwise, this String object is added to the pool and a reference to this String object is returned.

Consequently, a String constant behaves like a global variable in the JVM. As demonstrated in this noncompliant code example, even if each instance of an object maintains its own field lock, the field points to a common String constant in the JVM. Trusted code that locks on the same String constant renders all synchronization attempts inadequate. Likewise, hostile code from any other package can exploit this vulnerability.

Noncompliant Code Example (getClass() lock object)

Synchronizing on return values of the Object.getClass() method, rather than a class literal can also be counterproductive. Whenever the implementing class is subclassed, the subclass locks on a completely different Class object (subclass's type).

synchronized(getClass()) { /* ... */ }

Section 4.3.2 "The Class Object" of the Java Language specification [[JLS 05]] describes how method synchronization works:

A class method that is declared synchronized synchronizes on the lock associated with the Class object of the class.

This does not mean that a subclass using getClass() can only synchronize on the Class object of the base class. In fact, it will lock on its own Class object, which may or may not be want the programmer had in mind.

Compliant Solution (class name qualification)

Explicitly define the name of the class through name qualification (superclass in this example) in the synchronization block.

synchronized(SuperclassName.class) { 
  // ... 
}

The class object being synchronized must not be accessible to hostile code. If the class is package-private, then external packages may not access the Class object, ensuring its trustworthiness as an intrinsic lock object. For more information, see CON04-J. Use the private lock object idiom instead of the Class object's intrinsic locking mechanism.

Compliant Solution (Class.forName())

This compliant solution uses the Class.forName() method to synchronize on the superclass's Class object.

synchronized(Class.forName("SuperclassName")) { 
  // ... 
}

Again, the class object being synchronized must not be accessible to hostile code, as discussed in the previous example.

Noncompliant Code Example (nonstatic lock object for static data)

This noncompliant code example uses a nonstatic lock object to guard access to a static field. If two Runnable tasks, each consisting of a thread are started, they will create two instances of the lock object and lock on each separately. This does not prevent either thread from observing an inconsistent value of counter because the increment operation on volatile fields is not atomic in the absence of proper synchronization.

class CountBoxes implements Runnable {
  static volatile int counter;
  // ...

  Object lock = new Object();    

  public void run() {
    synchronized(lock) {
      counter++; 
      // ... 
    } 
  }

  public static void main(String[] args) {
    Runnable r1 = new CountBoxes();
    Thread t1 = new Thread(r1);
    Runnable r2 = new CountBoxes();
    Thread t2 = new Thread(r2);
    t1.start();
    t2.start();
  }
}

Noncompliant Code Example (method synchronization for static data)

This noncompliant code example uses method synchronization to protect access to a static class member.

class CountBoxes implements Runnable {
  static volatile int counter;
  // ...

  public synchronized void run() {
      counter++; 
      // ... 
  }
  // ...
}

The problem is that this lock is associated with each instance of the class and not with the class object itself. Consequently, threads constructed using different Runnable instances may observe inconsistent values of the counter.

Compliant Solution (static lock object)

This compliant solution declares the lock object as static and consequently, ensures the atomicity of the increment operation.

class CountBoxes implements Runnable {
  static int counter;
  // ...

  private static final Object lock = new Object();    
  
  public void run() {
    synchronized(lock) {
      counter++; 
      // ...
  }
  // ...
}

There is no requirement of declaring the counter variable as volatile when synchronization is used.

Noncompliant Code Example (ReentrantLock lock object)

This noncompliant code example incorrectly uses a ReentrantLock as the lock object.

final Lock lock = new ReentrantLock();
synchronized(lock) { /* ... */ }

This problem usually comes up in practice when refactoring from intrinsic locking to the java.util.concurrent utilities.

Compliant Solution (lock() and unlock())

Instead of using the intrinsic locks of objects that implement the Lock interface, including ReentrantLock, use the lock() and unlock() methods provided by the Lock interface.

final Lock lock = new ReentrantLock();
lock.lock();
try {
  // ...
} finally {
  lock.unlock();
}

Noncompliant Code Example (collection view)

Finally, it is more important to recognize the entities with whom synchronization is required rather than indiscreetly scavenging for variables or objects to synchronize on. This noncompliant code example synchronizes on the view of a synchronized map.

Map<Integer, String> m = Collections.synchronizedMap(new HashMap<Integer, String>());
Set<Integer> s = m.keySet();
synchronized(s) {  // Incorrectly synchronizes on s
  for(Integer k : s) { 
    // Do something 
  }
}

When using synchronization wrappers, the synchronization object must be the Collection object. The synchronization is necessary to enforce atomicity ([CON07-J. Do not assume that a grouping of calls to independently atomic methods is atomic]). This noncompliant code example demonstrates inappropriate synchronization resulting from locking on a Collection view instead of the Collection object itself [[Tutorials 08]].

The Collections class documentation [[API 06]] says:

It is imperative that the user manually synchronize on the returned map when iterating over any of its collection views... Failure to follow this advice may result in non-deterministic behavior.

Compliant Solution (collection lock object)

This compliant solution correctly synchronizes on the Collection object instead of the Collection view.

// ...
Map<Integer, String> m = Collections.synchronizedMap(new HashMap<Integer, String>());
synchronized(m) {  // Synchronize on m, not s
  for(Integer k : m) { 
    // Do something  
  }
}

Risk Assessment

Synchronizing on an incorrect variable can provide a false sense of thread safety and result in nondeterministic behavior.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

CON02- J

medium

probable

medium

P8

L2

Automated Detection

TODO

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[API 06]] Class String, Collections
[[Pugh 08]] "Synchronization"
[[Miller 09]] Locking
[[Tutorials 08]] Wrapper Implementations


VOID CON00-J. Synchronize access to shared mutable variables      11. Concurrency (CON)      CON03-J. Do not use background threads during class initialization

  • No labels