
Commit 815802f

Jami Cogswell authored and committed
Java: update to only find 'finalize' calls and add 'super.finalize' exclusion
1 parent dd10345 commit 815802f

10 files changed: +65 -76 lines changed

Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
## Overview
2+
3+
Calling `finalize` in application code may cause inconsistent program state or unpredicatable behavior.
4+
5+
## Recommendation
6+
7+
Avoid calling `finalize` in application code. Allow the JVM to determine a garbage collection schedule instead.
8+
9+
## Example
10+
11+
```java
12+
public class Test {
13+
void f() throws Throwable {
14+
this.finalize(); // NON_COMPLIANT
15+
}
16+
}
17+
18+
```
19+
20+
# Implementation Notes
21+
22+
This rule is focused on the use of existing `finalize` invocations rather than attempts to write a custom implementation.
23+
24+
## References
25+
26+
- Carnegie Mellon University, SEI CERT Oracle Coding Standard for Java: [MET12-J. Do not use finalizers](https://wiki.sei.cmu.edu/confluence/display/java/MET12-J.+Do+not+use+finalizers).
27+
- Common Weakness Enumeration: [CWE-586](https://cwe.mitre.org/data/definitions/586).
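Review bot: "unpredicatable" in the Overview sentence is a typo for "unpredictable"; the same spelling is in the query's @description, so fix both together. Also, "# Implementation Notes" is a level-1 heading while Overview, Recommendation, Example and References are level-2; use "## Implementation Notes" so the help file has one consistent heading level.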
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
/**
2+
* @id java/do-not-use-finalize
3+
* @name Do not use `finalize`
4+
* @description Calling `finalize` in application code may cause
5+
* inconsistent program state or unpredicatable behavior.
6+
* @kind problem
7+
* @precision high
8+
* @problem.severity error
9+
* @tags correctness
10+
* external/cwe/cwe-586
11+
*/
12+
13+
import java
14+
15+
from MethodCall mc, Method m
16+
where
17+
mc.getMethod() = m and
18+
m.hasName("finalize") and
19+
// The Java documentation for `finalize` states: "If a subclass overrides
20+
// `finalize` it must invoke the superclass finalizer explicitly". Therefore,
21+
// we do not alert on `super.finalize` calls that occur within a callable
22+
// that overrides `finalize`.
23+
not exists(Callable caller, FinalizeMethod fm | caller = mc.getCaller() |
24+
caller.(Method).overrides(fm) and
25+
mc.getQualifier() instanceof SuperAccess
26+
)
27+
select mc, "Call to 'finalize'."
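Review bot: the positive condition `m.hasName("finalize")` matches any method named `finalize`, including overloads that take parameters, while the exclusion is written against `FinalizeMethod`; if the intent is only `Object.finalize()` and its overrides, `mc.getMethod() instanceof FinalizeMethod` keeps both halves of the query consistent and removes the otherwise unused `Method m` binding. The @description also carries the "unpredicatable" typo.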

java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md

Lines changed: 0 additions & 34 deletions
This file was deleted.

java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql

Lines changed: 0 additions & 25 deletions
This file was deleted.
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
| Test.java:3:9:3:23 | finalize(...) | Call to 'finalize'. |
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql
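Review bot: this qlref points at `Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql`, which this same commit deletes (see the deleted `java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql` above), so the test cannot resolve its query. Point it at the new query file, the one with `@id java/do-not-use-finalize`, instead.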
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
public class Test {
2+
void f() throws Throwable {
3+
this.finalize(); // NON_COMPLIANT
4+
}
5+
6+
void f1() throws Throwable {
7+
f(); // COMPLIANT
8+
}
9+
}
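Review bot: the test only exercises the plain `this.finalize()` call; nothing covers the `super.finalize` exclusion this commit adds to the query. Add a class that overrides `finalize()` and calls `super.finalize()` inside it (expected COMPLIANT, no result) and, to guard the exclusion's `overrides(fm)` condition, a `super.finalize()` call from a method that does not override `finalize` (expected NON_COMPLIANT), then regenerate the .expected file.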

java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected

Lines changed: 0 additions & 3 deletions
This file was deleted.

java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref

Lines changed: 0 additions & 1 deletion
This file was deleted.

java/ql/test/query-tests/DoNotUseFinalizers/Test.java

Lines changed: 0 additions & 13 deletions
This file was deleted.
