From 56ea9b65234d68f3c74dc4611967b1695d6020a8 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 20 Mar 2025 08:21:15 -0400 Subject: [PATCH 01/21] Java: move original files --- .../Undesirable Calls/DoNotUseFinalizers.md | 34 +++++++++++++++++++ .../Undesirable Calls/DoNotUseFinalizers.ql | 25 ++++++++++++++ .../DoNotUseFinalizers.expected | 3 ++ .../DoNotUseFinalizers.qlref | 1 + .../query-tests/DoNotUseFinalizers/Test.java | 13 +++++++ 5 files changed, 76 insertions(+) create mode 100644 java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md create mode 100644 java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql create mode 100644 java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected create mode 100644 java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref create mode 100644 java/ql/test/query-tests/DoNotUseFinalizers/Test.java diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md new file mode 100644 index 000000000000..70a1236e3a73 --- /dev/null +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md 
@@ -0,0 +1,34 @@ +# J-FIN-002: Calling garbage collection methods in application code may cause inconsistent program state + +Calling garbage collection or finalizer methods in application code may cause inconsistent program state or unpredicatable behavior. + +## Overview + +Triggering garbage collection explicitly may either have no effect or may trigger unnecessary garbage collection, leading to erratic behavior or deadlock. + +## Recommendation + +Avoid calling finalizers and garbage collection methods in application code. Allow the JVM to determine a garbage collection schedule instead. + +## Example + +```java +public class Test { + void f() throws Throwable { + System.gc(); // NON_COMPLIANT + Runtime.getRuntime().gc(); // NON_COMPLIANT + System.runFinalizersOnExit(true); //NON_COMPLIANT + this.finalize(); // NON_COMPLIANT + } +} + +``` + +# Implementation Notes + +This rule covers a concept related to J-FIN-001; this rule is focused on the use of existing finalizer invocations rather than attempts to write a custom implementation (J-FIN-001). + +## References + +- [Do not use finalizers](https://wiki.sei.cmu.edu/confluence/display/java/MET12-J.+Do+not+use+finalizers) +- [CWE-586](https://cwe.mitre.org/data/definitions/586) diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql new file mode 100644 index 000000000000..b2e553024301 --- /dev/null +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql 
@@ -0,0 +1,25 @@ +/** + * @id java/do-not-use-finalizers + * @name J-D-004: Calling garbage collection methods in application code may cause inconsistent program state + * @description Calling garbage collection or finalizer methods in application code may cause + * inconsistent program state or unpredicatable behavior. + * @kind problem + * @precision high + * @problem.severity error + * @tags correctness + * external/cwe/cwe-586 + */ + +import java + +from MethodCall c, Method m +where + c.getMethod() = m and + ( + m.hasQualifiedName("java.lang", "System", ["gc", "runFinalizersOnExit"]) + or + m.hasQualifiedName("java.lang", "Runtime", "gc") + or + m.hasQualifiedName(_, _, "finalize") + ) +select c, "Call to prohibited method that may modify the JVM's garbage collection process." diff --git a/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected b/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected new file mode 100644 index 000000000000..3a96af624f69 --- /dev/null +++ b/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected @@ -0,0 +1,3 @@ +| Test.java:3:9:3:19 | gc(...) | Call to prohibited method that may modify the JVM's garbage collection process. | +| Test.java:4:9:4:33 | gc(...) | Call to prohibited method that may modify the JVM's garbage collection process. | +| Test.java:5:9:5:23 | finalize(...) | Call to prohibited method that may modify the JVM's garbage collection process. | diff --git a/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref b/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref new file mode 100644 index 000000000000..e429708f146e --- /dev/null +++ b/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref @@ -0,0 +1 @@ +rules/J-FIN-002/DoNotUseFinalizers.ql diff --git a/java/ql/test/query-tests/DoNotUseFinalizers/Test.java b/java/ql/test/query-tests/DoNotUseFinalizers/Test.java new file mode 100644 index 000000000000..cca4a6b8f21a 
--- /dev/null +++ b/java/ql/test/query-tests/DoNotUseFinalizers/Test.java @@ -0,0 +1,13 @@ +public class Test { + void f() throws Throwable { + System.gc(); // NON_COMPLIANT + Runtime.getRuntime().gc(); // NON_COMPLIANT + this.finalize(); // NON_COMPLIANT + // this is removed in Java 11 + //System.runFinalizersOnExit(true); // NON_COMPLIANT + } + + void f1() throws Throwable { + f(); // COMPLIANT + } +} From 9a6e241f540021744dca8154c0939a7a4b5a6f4f Mon Sep 17 00:00:00 2001 
From: Jami Cogswell Date: Thu, 20 Mar 2025 08:58:48 -0400 Subject: [PATCH 02/21] Java: update to only find 'finalize' calls and add 'super.finalize' exclusion --- .../Undesirable Calls/DoNotUseFinalize.md | 27 +++++++++++++++ .../Undesirable Calls/DoNotUseFinalize.ql | 27 +++++++++++++++ .../Undesirable Calls/DoNotUseFinalizers.md | 34 ------------------- .../Undesirable Calls/DoNotUseFinalizers.ql | 25 -------------- .../DoNotUseFinalize.expected | 1 + .../DoNotUseFinalize/DoNotUseFinalize.qlref | 1 + .../query-tests/DoNotUseFinalize/Test.java | 9 +++++ .../DoNotUseFinalizers.expected | 3 -- .../DoNotUseFinalizers.qlref | 1 - .../query-tests/DoNotUseFinalizers/Test.java | 13 ------- 10 files changed, 65 insertions(+), 76 deletions(-) create mode 100644 java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.md create mode 100644 java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql delete mode 100644 java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md delete mode 100644 java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql create mode 100644 java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected create mode 100644 java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref create mode 100644 java/ql/test/query-tests/DoNotUseFinalize/Test.java delete mode 100644 java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected delete mode 100644 java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref delete mode 100644 java/ql/test/query-tests/DoNotUseFinalizers/Test.java diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.md new file mode 100644 index 000000000000..7acb4186fe60 --- /dev/null +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.md 
@@ -0,0 +1,27 @@ +## Overview + +Calling `finalize` in application code may cause inconsistent program state or unpredicatable behavior. + +## Recommendation + +Avoid calling `finalize` in application code. Allow the JVM to determine a garbage collection schedule instead. + +## Example + +```java +public class Test { + void f() throws Throwable { + this.finalize(); // NON_COMPLIANT + } +} + +``` + +# Implementation Notes + +This rule is focused on the use of existing `finalize` invocations rather than attempts to write a custom implementation. + +## References + +- Carnegie Mellon University, SEI CERT Oracle Coding Standard for Java: [MET12-J. Do not use finalizers](https://wiki.sei.cmu.edu/confluence/display/java/MET12-J.+Do+not+use+finalizers). +- Common Weakness Enumeration: [CWE-586](https://cwe.mitre.org/data/definitions/586). diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql new file mode 100644 index 000000000000..fe4203226355 --- /dev/null +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql 
@@ -0,0 +1,27 @@
+/**
+ * @id java/do-not-use-finalize
+ * @name Do not use `finalize`
+ * @description Calling `finalize` in application code may cause
+ * inconsistent program state or unpredicatable behavior.
+ * @kind problem
+ * @precision high
+ * @problem.severity error
+ * @tags correctness
+ * external/cwe/cwe-586
+ */
+
+import java
+
+from MethodCall mc, Method m
+where
+ mc.getMethod() = m and
+ m.hasName("finalize") and
+ // The Java documentation for `finalize` states: "If a subclass overrides
+ // `finalize` it must invoke the superclass finalizer explicitly". Therefore,
+ // we do not alert on `super.finalize` calls that occur within a callable
+ // that overrides `finalize`.
+ not exists(Callable caller, FinalizeMethod fm | caller = mc.getCaller() |
+ caller.(Method).overrides(fm) and
+ mc.getQualifier() instanceof SuperAccess
+ )
+select mc, "Call to 'finalize'."
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md
deleted file mode 100644
index 70a1236e3a73..000000000000
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md
+++ /dev/null
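Review bot: The `@description` added in this hunk misspells "unpredictable" as `unpredicatable`; query metadata is rendered to users in alert listings, and the same spelling is still visible as a context line of this file in patch 09 (L18), so nothing later in the series corrects it. The fix is the one metadata line: ` *              inconsistent program state or unpredictable behavior.`. The same typo is introduced by patch 01's `@description` at L3, in the file this commit deletes, so only the surviving file needs the change.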
@@ -1,34 +0,0 @@ -# J-FIN-002: Calling garbage collection methods in application code may cause inconsistent program state - -Calling garbage collection or finalizer methods in application code may cause inconsistent program state or unpredicatable behavior. - -## Overview - -Triggering garbage collection explicitly may either have no effect or may trigger unnecessary garbage collection, leading to erratic behavior or deadlock. - -## Recommendation - -Avoid calling finalizers and garbage collection methods in application code. Allow the JVM to determine a garbage collection schedule instead. - -## Example - -```java -public class Test { - void f() throws Throwable { - System.gc(); // NON_COMPLIANT - Runtime.getRuntime().gc(); // NON_COMPLIANT - System.runFinalizersOnExit(true); //NON_COMPLIANT - this.finalize(); // NON_COMPLIANT - } -} - -``` - -# Implementation Notes - -This rule covers a concept related to J-FIN-001; this rule is focused on the use of existing finalizer invocations rather than attempts to write a custom implementation (J-FIN-001). - -## References - -- [Do not use finalizers](https://wiki.sei.cmu.edu/confluence/display/java/MET12-J.+Do+not+use+finalizers) -- [CWE-586](https://cwe.mitre.org/data/definitions/586) diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql deleted file mode 100644 index b2e553024301..000000000000 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql +++ /dev/null 
@@ -1,25 +0,0 @@ -/** - * @id java/do-not-use-finalizers - * @name J-D-004: Calling garbage collection methods in application code may cause inconsistent program state - * @description Calling garbage collection or finalizer methods in application code may cause - * inconsistent program state or unpredicatable behavior. - * @kind problem - * @precision high - * @problem.severity error - * @tags correctness - * external/cwe/cwe-586 - */ - -import java - -from MethodCall c, Method m -where - c.getMethod() = m and - ( - m.hasQualifiedName("java.lang", "System", ["gc", "runFinalizersOnExit"]) - or - m.hasQualifiedName("java.lang", "Runtime", "gc") - or - m.hasQualifiedName(_, _, "finalize") - ) -select c, "Call to prohibited method that may modify the JVM's garbage collection process." diff --git a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected new file mode 100644 index 000000000000..5dd0c3cbdf57 --- /dev/null +++ b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected @@ -0,0 +1 @@ +| Test.java:3:9:3:23 | finalize(...) | Call to 'finalize'. | diff --git a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref new file mode 100644 index 000000000000..7b36e5a63d40 --- /dev/null +++ b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref @@ -0,0 +1 @@ +Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql diff --git a/java/ql/test/query-tests/DoNotUseFinalize/Test.java b/java/ql/test/query-tests/DoNotUseFinalize/Test.java new file mode 100644 index 000000000000..6e039dffe8e7 --- /dev/null +++ b/java/ql/test/query-tests/DoNotUseFinalize/Test.java @@ -0,0 +1,9 @@ +public class Test { + void f() throws Throwable { + this.finalize(); // NON_COMPLIANT + } + + void f1() throws Throwable { + f(); // COMPLIANT + } +} 
diff --git a/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected b/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected deleted file mode 100644 index 3a96af624f69..000000000000 --- a/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected +++ /dev/null @@ -1,3 +0,0 @@ -| Test.java:3:9:3:19 | gc(...) | Call to prohibited method that may modify the JVM's garbage collection process. | -| Test.java:4:9:4:33 | gc(...) | Call to prohibited method that may modify the JVM's garbage collection process. | -| Test.java:5:9:5:23 | finalize(...) | Call to prohibited method that may modify the JVM's garbage collection process. | diff --git a/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref b/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref deleted file mode 100644 index e429708f146e..000000000000 --- a/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref +++ /dev/null @@ -1 +0,0 @@ -rules/J-FIN-002/DoNotUseFinalizers.ql diff --git a/java/ql/test/query-tests/DoNotUseFinalizers/Test.java b/java/ql/test/query-tests/DoNotUseFinalizers/Test.java deleted file mode 100644 index cca4a6b8f21a..000000000000 --- a/java/ql/test/query-tests/DoNotUseFinalizers/Test.java +++ /dev/null @@ -1,13 +0,0 @@ -public class Test { - void f() throws Throwable { - System.gc(); // NON_COMPLIANT - Runtime.getRuntime().gc(); // NON_COMPLIANT - this.finalize(); // NON_COMPLIANT - // this is removed in Java 11 - //System.runFinalizersOnExit(true); // NON_COMPLIANT - } - - void f1() throws Throwable { - f(); // COMPLIANT - } -} From d9482ae334f2ed817507f310a5aa637f72f0f389 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 20 Mar 2025 13:38:08 -0400 Subject: [PATCH 03/21] Java: update tests to use inline expectations --- .../test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref | 3 ++- java/ql/test/query-tests/DoNotUseFinalize/Test.java | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) 
diff --git a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref index 7b36e5a63d40..c47232fa1194 100644 --- a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref +++ b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref @@ -1 +1,2 @@ -Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql +query: Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/DoNotUseFinalize/Test.java b/java/ql/test/query-tests/DoNotUseFinalize/Test.java index 6e039dffe8e7..ecb30cb1b37d 100644 --- a/java/ql/test/query-tests/DoNotUseFinalize/Test.java +++ b/java/ql/test/query-tests/DoNotUseFinalize/Test.java @@ -1,6 +1,7 @@ public class Test { void f() throws Throwable { - this.finalize(); // NON_COMPLIANT + // NON_COMPLIANT + this.finalize(); // $ Alert } void f1() throws Throwable { From c689a0e9b718ff14fd5923e25c0b57224badf64b Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 20 Mar 2025 20:36:21 -0400 Subject: [PATCH 04/21] Java: add more test cases --- .../DoNotUseFinalize/DoNotUseFinalize.expected | 3 ++- .../query-tests/DoNotUseFinalize/Test.java | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected index 5dd0c3cbdf57..2445343c293f 100644 --- a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected +++ b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected @@ -1 +1,2 @@ -| Test.java:3:9:3:23 | finalize(...) | Call to 'finalize'. | +| Test.java:4:9:4:23 | finalize(...) | Call to 'finalize'. | +| Test.java:25:9:25:33 | finalize(...) | Call to 'finalize'. | 
diff --git a/java/ql/test/query-tests/DoNotUseFinalize/Test.java b/java/ql/test/query-tests/DoNotUseFinalize/Test.java index ecb30cb1b37d..3ef4e74e4dc3 100644 --- a/java/ql/test/query-tests/DoNotUseFinalize/Test.java +++ b/java/ql/test/query-tests/DoNotUseFinalize/Test.java @@ -7,4 +7,22 @@ void f() throws Throwable { void f1() throws Throwable { f(); // COMPLIANT } + + @Override + protected void finalize() throws Throwable { + // COMPLIANT: If a subclass overrides `finalize` + // it must invoke the superclass finalizer explicitly. + super.finalize(); + } + + // Overload of `finalize` + protected void finalize(String s) throws Throwable { + System.out.println(s); + } + + // NON_COMPLIANT: call to overload of `finalize` + void f2() throws Throwable { + this.finalize("overload"); // $ Alert + } + } From dd57d1aec6c2a8de30d6b70e790cb5e93208f6ec Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 20 Mar 2025 20:51:03 -0400 Subject: [PATCH 05/21] Java: add quality tag --- .../Undesirable Calls/DoNotUseFinalize.ql | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql index fe4203226355..36ca6697fd66 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql @@ -6,7 +6,8 @@ * @kind problem * @precision high * @problem.severity error - * @tags correctness + * @tags quality + * correctness * external/cwe/cwe-586 */ From 44445dbeb8230e7a93c531e249e9dd95846e76d0 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 20 Mar 2025 20:52:06 -0400 Subject: [PATCH 06/21] Java: minor refactor --- .../Undesirable Calls/DoNotUseFinalize.ql | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
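Review bot: The new cases only exercise the query's exclusion in the direction where both of its conditions hold (a `super.finalize()` call inside an overriding `finalize()`); nothing checks that each condition is required on its own, so a regression that drops either the override check or the `super` qualifier check would still pass. Consider adding a method that is not a `finalize()` override but still calls the superclass finalizer, e.g. `void dispose() throws Throwable { super.finalize(); // $ Alert }`, and a call on a different object, e.g. `void f3(Test other) throws Throwable { other.finalize(); // $ Alert }`, since the qhelp example uses that shape. The enclosing `Test` class starts outside this hunk.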
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql index 36ca6697fd66..720d72b6c201 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql @@ -13,10 +13,9 @@ import java -from MethodCall mc, Method m +from MethodCall mc where - mc.getMethod() = m and - m.hasName("finalize") and + mc.getMethod().hasName("finalize") and // The Java documentation for `finalize` states: "If a subclass overrides // `finalize` it must invoke the superclass finalizer explicitly". Therefore, // we do not alert on `super.finalize` calls that occur within a callable From 2e254981437cb42799c46611ef72f1a1e918e41f Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 20 Mar 2025 21:23:23 -0400 Subject: [PATCH 07/21] Java: add change note --- java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md diff --git a/java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md b/java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md new file mode 100644 index 000000000000..27e4c530cbd2 --- /dev/null +++ b/java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md @@ -0,0 +1,4 @@ +--- +category: newQuery +--- +* Added a new quality query, `java/do-not-use-finalize`, to detect calls to `finalize`. From f73eda0c38ab9c02407d9d2f1ce380d42a653401 Mon Sep 17 00:00:00 2001 
From: Jami Cogswell Date: Thu, 27 Mar 2025 18:17:26 -0400 Subject: [PATCH 08/21] Java: add previous-id and change 'use' to 'call' --- .../{DoNotUseFinalize.md => DoNotCallFinalize.md} | 0 .../{DoNotUseFinalize.ql => DoNotCallFinalize.ql} | 5 +++-- java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md | 4 ++++ java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md | 4 ---- .../DoNotCallFinalize.expected} | 0 .../query-tests/DoNotCallFinalize/DoNotCallFinalize.qlref | 2 ++ .../{DoNotUseFinalize => DoNotCallFinalize}/Test.java | 0 .../test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref | 2 -- 8 files changed, 9 insertions(+), 8 deletions(-) rename java/ql/src/Violations of Best Practice/Undesirable Calls/{DoNotUseFinalize.md => DoNotCallFinalize.md} (100%) rename java/ql/src/Violations of Best Practice/Undesirable Calls/{DoNotUseFinalize.ql => DoNotCallFinalize.ql} (88%) create mode 100644 java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md delete mode 100644 java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md rename java/ql/test/query-tests/{DoNotUseFinalize/DoNotUseFinalize.expected => DoNotCallFinalize/DoNotCallFinalize.expected} (100%) create mode 100644 java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.qlref rename java/ql/test/query-tests/{DoNotUseFinalize => DoNotCallFinalize}/Test.java (100%) delete mode 100644 java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md similarity index 100% rename from java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.md rename to java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md 
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql similarity index 88% rename from java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql rename to java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql index 720d72b6c201..592a27ef6616 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql @@ -1,6 +1,7 @@ /** - * @id java/do-not-use-finalize - * @name Do not use `finalize` + * @id java/do-not-call-finalize + * @previous-id java/do-not-use-finalizers + * @name Do not call `finalize` * @description Calling `finalize` in application code may cause * inconsistent program state or unpredicatable behavior. * @kind problem diff --git a/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md b/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md new file mode 100644 index 000000000000..101b94136a15 --- /dev/null +++ b/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md @@ -0,0 +1,4 @@ +--- +category: newQuery +--- +* Added a new quality query, `java/do-not-call-finalize`, to detect calls to `finalize`. diff --git a/java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md b/java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md deleted file mode 100644 index 27e4c530cbd2..000000000000 --- a/java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: newQuery ---- -* Added a new quality query, `java/do-not-use-finalize`, to detect calls to `finalize`. 
diff --git a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected b/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.expected similarity index 100% rename from java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected rename to java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.expected diff --git a/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.qlref b/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.qlref new file mode 100644 index 000000000000..b301797d5295 --- /dev/null +++ b/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.qlref @@ -0,0 +1,2 @@ +query: Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/DoNotUseFinalize/Test.java b/java/ql/test/query-tests/DoNotCallFinalize/Test.java similarity index 100% rename from java/ql/test/query-tests/DoNotUseFinalize/Test.java rename to java/ql/test/query-tests/DoNotCallFinalize/Test.java diff --git a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref deleted file mode 100644 index c47232fa1194..000000000000 --- a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref +++ /dev/null @@ -1,2 +0,0 @@ -query: Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql From ed22a16f32dfb1ba5c940dece2a1dfb105dd88cb Mon Sep 17 00:00:00 2001 
From: Jami Cogswell Date: Thu, 27 Mar 2025 19:33:38 -0400 Subject: [PATCH 09/21] Java: exclude overloads of finalize --- .../Undesirable Calls/DoNotCallFinalize.md | 6 +++--- .../Undesirable Calls/DoNotCallFinalize.ql | 12 ++++++------ .../change-notes/2025-03-20-do-not-call-finalize.md | 2 +- .../DoNotCallFinalize/DoNotCallFinalize.expected | 3 +-- java/ql/test/query-tests/DoNotCallFinalize/Test.java | 6 +++--- 5 files changed, 14 insertions(+), 15 deletions(-) diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md index 7acb4186fe60..9c3e3ebd4a03 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md @@ -1,10 +1,10 @@ ## Overview -Calling `finalize` in application code may cause inconsistent program state or unpredicatable behavior. +Calling `finalize()` in application code may cause inconsistent program state or unpredicatable behavior. ## Recommendation -Avoid calling `finalize` in application code. Allow the JVM to determine a garbage collection schedule instead. +Avoid calling `finalize()` in application code. Allow the JVM to determine a garbage collection schedule instead. ## Example @@ -19,7 +19,7 @@ public class Test { # Implementation Notes -This rule is focused on the use of existing `finalize` invocations rather than attempts to write a custom implementation. +This rule is focused on the use of existing `finalize()` invocations rather than attempts to write a custom implementation. ## References diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql index 592a27ef6616..3b6be7b652dd 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql 
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql @@ -1,8 +1,8 @@ /** * @id java/do-not-call-finalize * @previous-id java/do-not-use-finalizers - * @name Do not call `finalize` - * @description Calling `finalize` in application code may cause + * @name Do not call `finalize()` + * @description Calling `finalize()` in application code may cause * inconsistent program state or unpredicatable behavior. * @kind problem * @precision high @@ -16,13 +16,13 @@ import java from MethodCall mc where - mc.getMethod().hasName("finalize") and - // The Java documentation for `finalize` states: "If a subclass overrides + mc.getMethod() instanceof FinalizeMethod and + // The Java documentation for `finalize()` states: "If a subclass overrides // `finalize` it must invoke the superclass finalizer explicitly". Therefore, - // we do not alert on `super.finalize` calls that occur within a callable + // we do not alert on `super.finalize()` calls that occur within a callable // that overrides `finalize`. not exists(Callable caller, FinalizeMethod fm | caller = mc.getCaller() | caller.(Method).overrides(fm) and mc.getQualifier() instanceof SuperAccess ) -select mc, "Call to 'finalize'." +select mc, "Call to 'finalize()'." diff --git a/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md b/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md index 101b94136a15..8317dce595c1 100644 --- a/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md +++ b/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md @@ -1,4 +1,4 @@ --- category: newQuery --- -* Added a new quality query, `java/do-not-call-finalize`, to detect calls to `finalize`. +* Added a new quality query, `java/do-not-call-finalize`, to detect calls to `finalize()`. diff --git a/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.expected b/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.expected index 2445343c293f..ac3c4fa59c01 100644 
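Review bot: Point of style in the second hunk: after switching the callee test to `mc.getMethod() instanceof FinalizeMethod`, the exclusion's `fm` variable is no longer related to `mc` at all, and `Callable caller` is only ever used through the `caller.(Method)` cast. If `FinalizeMethod` denotes a zero-parameter `void finalize()` method, as its use on the callee suggests, then a method that overrides one has the same signature and is itself a `FinalizeMethod`, and the whole condition could read `not (mc.getCaller().(FinalizeMethod).overrides(_) and mc.getQualifier() instanceof SuperAccess)`; this should be confirmed against the library's definition of `FinalizeMethod` before simplifying. The explanatory comment above the `not exists` would then be worth rewording to say that the exclusion applies only to `super.finalize()` calls made from an overriding `finalize()`.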
--- a/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.expected +++ b/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.expected @@ -1,2 +1 @@ -| Test.java:4:9:4:23 | finalize(...) | Call to 'finalize'. | -| Test.java:25:9:25:33 | finalize(...) | Call to 'finalize'. | +| Test.java:4:9:4:23 | finalize(...) | Call to 'finalize()'. | diff --git a/java/ql/test/query-tests/DoNotCallFinalize/Test.java b/java/ql/test/query-tests/DoNotCallFinalize/Test.java index 3ef4e74e4dc3..eb7ac19da593 100644 --- a/java/ql/test/query-tests/DoNotCallFinalize/Test.java +++ b/java/ql/test/query-tests/DoNotCallFinalize/Test.java @@ -10,7 +10,7 @@ void f1() throws Throwable { @Override protected void finalize() throws Throwable { - // COMPLIANT: If a subclass overrides `finalize` + // COMPLIANT: If a subclass overrides `finalize()` // it must invoke the superclass finalizer explicitly. super.finalize(); } @@ -20,9 +20,9 @@ protected void finalize(String s) throws Throwable { System.out.println(s); } - // NON_COMPLIANT: call to overload of `finalize` + // COMPLIANT: call to overload of `finalize` void f2() throws Throwable { - this.finalize("overload"); // $ Alert + this.finalize("overload"); } } From 3631df03c7faec4d2d4371f73217a783164cfb3f Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 27 Mar 2025 19:38:10 -0400 Subject: [PATCH 10/21] Java: add to code-quality suite --- java/ql/src/codeql-suites/java-code-quality.qls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/java/ql/src/codeql-suites/java-code-quality.qls b/java/ql/src/codeql-suites/java-code-quality.qls index ac1f52624c4f..552d803eec11 100644 --- a/java/ql/src/codeql-suites/java-code-quality.qls +++ b/java/ql/src/codeql-suites/java-code-quality.qls @@ -11,4 +11,5 @@ - java/unused-container - java/input-resource-leak - java/output-resource-leak - - java/type-variable-hides-type \ No newline at end of file + - java/type-variable-hides-type + - java/do-not-call-finalize 
From caf21a8202c3055273d5955e2fc273c58881fe82 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 27 Mar 2025 20:20:48 -0400 Subject: [PATCH 11/21] Java: update qhelp and add 'performace' tag --- .../Undesirable Calls/DoNotCallFinalize.md | 5 +++-- .../Undesirable Calls/DoNotCallFinalize.ql | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md index 9c3e3ebd4a03..46dd0802b961 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md @@ -1,6 +1,6 @@ ## Overview -Calling `finalize()` in application code may cause inconsistent program state or unpredicatable behavior. +Triggering garbage collection by directly calling `finalize()` may either have no effect or may trigger unnecessary garbage collection, leading to erratic behavior, performance issues, or deadlock. ## Recommendation @@ -23,5 +23,6 @@ This rule is focused on the use of existing `finalize()` invocations rather than ## References -- Carnegie Mellon University, SEI CERT Oracle Coding Standard for Java: [MET12-J. Do not use finalizers](https://wiki.sei.cmu.edu/confluence/display/java/MET12-J.+Do+not+use+finalizers). +- SEI CERT Oracle Coding Standard for Java: [MET12-J. Do not use finalizers](https://wiki.sei.cmu.edu/confluence/display/java/MET12-J.+Do+not+use+finalizers). +- Java API Specification: [Object.finalize()](https://docs.oracle.com/javase/10/docs/api/java/lang/Object.html#finalize()). - Common Weakness Enumeration: [CWE-586](https://cwe.mitre.org/data/definitions/586). diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql index 3b6be7b652dd..8ee12909a6d7 100644 
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql @@ -9,6 +9,7 @@ * @problem.severity error * @tags quality * correctness + * performance * external/cwe/cwe-586 */ From 416643ce3906480834d6592b19a5fb1f3aaab37e Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Mon, 31 Mar 2025 21:09:21 -0400 Subject: [PATCH 12/21] Java: update qhelp recommendation and example --- .../Undesirable Calls/DoNotCallFinalize.md | 39 +++++++++++++++++-- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md index 46dd0802b961..26c46286cd5d 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md 
@@ -4,14 +4,43 @@ Triggering garbage collection by directly calling `finalize()` may either have n
 ## Recommendation
-Avoid calling `finalize()` in application code. Allow the JVM to determine a garbage collection schedule instead.
+Avoid calling `finalize()` in application code. Allow the JVM to determine a garbage collection schedule instead. If you need to explicitly release resources, provide a specific method to do so, such as by implementing the `AutoCloseable` interface and overriding its `close` method. You can then use a `try-with-resources` block to ensure that the resource is closed.
 ## Example
 ```java
-public class Test {
- void f() throws Throwable {
- this.finalize(); // NON_COMPLIANT
+class LocalCache {
+ private Collection cacheFiles = ...;
+ // ...
+}
+
+void main() {
+ LocalCache cache = new LocalCache();
+ // ...
+ cache.finalize(); // NON_COMPLIANT
+}
+
+```
+
+```java
+import java.lang.AutoCloseable;
+import java.lang.Override;
+
+class LocalCache implements AutoCloseable {
+ private Collection cacheFiles = ...;
+ // ...
+
+ @Override
+ public void close() throws Exception {
+ // release resources here if required
+ }
+}
+
+void main() {
+ // COMPLIANT: uses try-with-resources to ensure that
+ // a resource implementing AutoCloseable is closed.
+ try (LocalCache cache = new LocalCache()) {
+ // ...
 }
 }
@@ -25,4 +54,6 @@ This rule is focused on the use of existing `finalize()` invocations rather than
 - SEI CERT Oracle Coding Standard for Java: [MET12-J. Do not use finalizers](https://wiki.sei.cmu.edu/confluence/display/java/MET12-J.+Do+not+use+finalizers).
 - Java API Specification: [Object.finalize()](https://docs.oracle.com/javase/10/docs/api/java/lang/Object.html#finalize()).
+- Java API Specification: [Interface AutoCloseable](https://docs.oracle.com/javase/10/docs/api/java/lang/AutoCloseable.html).
+- Java SE Documentation: [The try-with-resources Statement](https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html).
 - Common Weakness Enumeration: [CWE-586](https://cwe.mitre.org/data/definitions/586).
From e621f9fd4903d60ca266e87afbd8f9969955bddc Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Tue, 1 Apr 2025 15:48:52 -0400
Subject: [PATCH 13/21] Java: update comments in tests
---
 java/ql/test/query-tests/DoNotCallFinalize/Test.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/java/ql/test/query-tests/DoNotCallFinalize/Test.java b/java/ql/test/query-tests/DoNotCallFinalize/Test.java
index eb7ac19da593..b70d0e47581a 100644
--- a/java/ql/test/query-tests/DoNotCallFinalize/Test.java
+++ b/java/ql/test/query-tests/DoNotCallFinalize/Test.java
@@ -17,11 +17,11 @@ protected void finalize() throws Throwable {
 // Overload of `finalize`
 protected void finalize(String s) throws Throwable {
- System.out.println(s);
+ // ...
 }
- // COMPLIANT: call to overload of `finalize`
 void f2() throws Throwable {
+ // COMPLIANT: call to overload of `finalize`
 this.finalize("overload");
 }
From c4b83963334bb29137d921e3dbf4bf5a221bee01 Mon Sep 17 00:00:00 2001
From: Jami <57204504+jcogs33@users.noreply.github.com>
Date: Tue, 1 Apr 2025 15:52:57 -0400
Subject: [PATCH 14/21] fix typo in query description
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
---
 .../Undesirable Calls/DoNotCallFinalize.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
index 8ee12909a6d7..80171e4d49e3 100644
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
@@ -3,7 +3,7 @@
 * @previous-id java/do-not-use-finalizers
 * @name Do not call `finalize()`
 * @description Calling `finalize()` in application code may cause
- * inconsistent program state or unpredicatable behavior.
+ * inconsistent program state or unpredictable behavior.
 * @kind problem
 * @precision high
 * @problem.severity error
From 1a2c34dd28d25eba9d1c214af07bf569f6c6a492 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Tue, 1 Apr 2025 16:24:13 -0400
Subject: [PATCH 15/21] Java: update qhelp implementation notes for clarity
---
 .../Undesirable Calls/DoNotCallFinalize.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
index 26c46286cd5d..b2bcfdae6127 100644
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
@@ -48,7 +48,8 @@ void main() {
 # Implementation Notes
-This rule is focused on the use of existing `finalize()` invocations rather than attempts to write a custom implementation.
+This rule ignores `super.finalize()` calls that occur within `finalize()` overrides since calling the superclass finalizer is required when overriding `finalize()`. Also, although overriding `finalize()` is not recommended, this rule only alerts on direct calls to `finalize()` and does not alert on overrides of `finalize()`.
+
 ## References
From 05d7b9a19a1e84266fbb5f46505c3a577b7f99f8 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Wed, 2 Apr 2025 19:11:26 -0400
Subject: [PATCH 16/21] Java: add reliability tag
---
 .../Undesirable Calls/DoNotCallFinalize.ql | 1 +
 1 file changed, 1 insertion(+)
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
index 80171e4d49e3..1abe96f91857 100644
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
@@ -8,6 +8,7 @@
 * @precision high
 * @problem.severity error
 * @tags quality
+ * reliability
 * correctness
 * performance
 * external/cwe/cwe-586
From 0380279c39079c713a1d64a412669b18abccee7a Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Wed, 2 Apr 2025 19:43:33 -0400
Subject: [PATCH 17/21] Java: update qhelp implementation notes for more clarity
---
 .../Undesirable Calls/DoNotCallFinalize.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
index b2bcfdae6127..46ce835d50d7 100644
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
@@ -48,8 +48,7 @@ void main() {
 # Implementation Notes
-This rule ignores `super.finalize()` calls that occur within `finalize()` overrides since calling the superclass finalizer is required when overriding `finalize()`. Also, although overriding `finalize()` is not recommended, this rule only alerts on direct calls to `finalize()` and does not alert on overrides of `finalize()`.
-
+This rule ignores `super.finalize()` calls that occur within `finalize()` overrides since calling the superclass finalizer is required when overriding `finalize()`. Also, although overriding `finalize()` is not recommended, this rule only alerts on direct calls to `finalize()` and does not alert on method overrides of `finalize()`.
 ## References
From fc21abc7e4af6b6b1045c5b3e25e8a7114126680 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Thu, 3 Apr 2025 16:05:23 -0400
Subject: [PATCH 18/21] Java: update qhelp implementation notes to say 'method declarations'
---
 .../Undesirable Calls/DoNotCallFinalize.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
index 46ce835d50d7..d6fd5cf76bd4 100644
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
@@ -48,7 +48,7 @@ void main() {
 # Implementation Notes
-This rule ignores `super.finalize()` calls that occur within `finalize()` overrides since calling the superclass finalizer is required when overriding `finalize()`. Also, although overriding `finalize()` is not recommended, this rule only alerts on direct calls to `finalize()` and does not alert on method overrides of `finalize()`.
+This rule ignores `super.finalize()` calls that occur within `finalize()` overrides since calling the superclass finalizer is required when overriding `finalize()`. Also, although overriding `finalize()` is not recommended, this rule only alerts on direct calls to `finalize()` and does not alert on method declarations overriding `finalize()`.
 ## References
From 798907dc5045d644d67e15ac2130a5f48c4f66fe Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Fri, 4 Apr 2025 14:01:35 -0400
Subject: [PATCH 19/21] Java: remove change note
---
 java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md | 4 ----
 1 file changed, 4 deletions(-)
 delete mode 100644 java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md
diff --git a/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md b/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md
deleted file mode 100644
index 8317dce595c1..000000000000
--- a/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* Added a new quality query, `java/do-not-call-finalize`, to detect calls to `finalize()`.
From 2b9160526a7bccc904f5108a10a302aefbc4a119 Mon Sep 17 00:00:00 2001
From: Jami <57204504+jcogs33@users.noreply.github.com>
Date: Sun, 20 Apr 2025 21:47:25 -0400
Subject: [PATCH 20/21] Apply docs review suggestion
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
---
 .../Undesirable Calls/DoNotCallFinalize.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
index d6fd5cf76bd4..385cbfb5cfe2 100644
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
@@ -1,6 +1,6 @@
 ## Overview
-Triggering garbage collection by directly calling `finalize()` may either have no effect or may trigger unnecessary garbage collection, leading to erratic behavior, performance issues, or deadlock.
+Triggering garbage collection by directly calling `finalize()` may either have no effect or trigger unnecessary garbage collection, leading to erratic behavior, performance issues, or deadlock.
 ## Recommendation
From 3aa6b49204d2acd38ba026de88afa9b202f91ee5 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Mon, 21 Apr 2025 10:02:08 -0400
Subject: [PATCH 21/21] Java: Add new query to java-code-quality.qls.expected
---
 .../java/query-suite/java-code-quality.qls.expected | 1 +
 1 file changed, 1 insertion(+)
diff --git a/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected b/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected
index 2cff4a3eaa62..bdd51d7eee69 100644
--- a/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected
+++ b/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected
@@ -10,3 +10,4 @@ ql/java/ql/src/Likely Bugs/Likely Typos/SuspiciousDateFormat.ql
 ql/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql
 ql/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql
 ql/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
pFad - Phonifier reborn
