Commit 9a6e241

Jami Cogswell authored and committed
Java: update to only find 'finalize' calls and add 'super.finalize' exclusion
1 parent 56ea9b6 commit 9a6e241

10 files changed

+65
-76
lines changed

Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
## Overview
2+
3+
Calling `finalize` in application code may cause inconsistent program state or unpredicatable behavior.
4+
5+
## Recommendation
6+
7+
Avoid calling `finalize` in application code. Allow the JVM to determine a garbage collection schedule instead.
8+
9+
## Example
10+
11+
```java
12+
public class Test {
13+
void f() throws Throwable {
14+
this.finalize(); // NON_COMPLIANT
15+
}
16+
}
17+
18+
```
19+
20+
# Implementation Notes
21+
22+
This rule is focused on the use of existing `finalize` invocations rather than attempts to write a custom implementation.
23+
24+
## References
25+
26+
- Carnegie Mellon University, SEI CERT Oracle Coding Standard for Java: [MET12-J. Do not use finalizers](https://wiki.sei.cmu.edu/confluence/display/java/MET12-J.+Do+not+use+finalizers).
27+
- Common Weakness Enumeration: [CWE-586](https://cwe.mitre.org/data/definitions/586).
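Review bot: `unpredicatable` in the Overview sentence is a typo for `unpredictable`; the same misspelling is repeated in the query's `@description`, so both should be corrected in the same commit. The heading `# Implementation Notes` is also one level above the surrounding `## Overview`, `## Recommendation`, `## Example` and `## References` sections; make it `## Implementation Notes` so the help page renders with a single section level. The Example shows only the non-compliant `this.finalize()` call; a one-line compliant counterpart (simply omitting the call and letting the JVM run the finalizer) would make the Recommendation concrete.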
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
/**
2+
* @id java/do-not-use-finalize
3+
* @name Do not use `finalize`
4+
* @description Calling `finalize` in application code may cause
5+
* inconsistent program state or unpredicatable behavior.
6+
* @kind problem
7+
* @precision high
8+
* @problem.severity error
9+
* @tags correctness
10+
* external/cwe/cwe-586
11+
*/
12+
13+
import java
14+
15+
from MethodCall mc, Method m
16+
where
17+
mc.getMethod() = m and
18+
m.hasName("finalize") and
19+
// The Java documentation for `finalize` states: "If a subclass overrides
20+
// `finalize` it must invoke the superclass finalizer explicitly". Therefore,
21+
// we do not alert on `super.finalize` calls that occur within a callable
22+
// that overrides `finalize`.
23+
not exists(Callable caller, FinalizeMethod fm | caller = mc.getCaller() |
24+
caller.(Method).overrides(fm) and
25+
mc.getQualifier() instanceof SuperAccess
26+
)
27+
select mc, "Call to 'finalize'."
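Review bot: `m.hasName("finalize")` matches any method that happens to be named `finalize`, including application-defined overloads such as `finalize(String)` that have nothing to do with `Object.finalize()`, so those calls would be reported as false positives at `@precision high`. Since the exclusion already relies on `FinalizeMethod`, restrict the alert the same way, e.g. `m instanceof FinalizeMethod and` in place of the `hasName` test (or require that `m` overrides `Object.finalize`). The exclusion also only fires when `caller` is a `Method` that overrides some `FinalizeMethod`; a `super.finalize()` call placed anywhere else is still reported, which matches the cited Javadoc guidance, but the comment block should say so explicitly. Finally, `@description` carries the `unpredicatable` typo (should be `unpredictable`).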

java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md

Lines changed: 0 additions & 34 deletions
This file was deleted.

java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql

Lines changed: 0 additions & 25 deletions
This file was deleted.
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
| Test.java:3:9:3:23 | finalize(...) | Call to 'finalize'. |
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql
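Review bot: the qlref resolves `Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql`, whereas the query file deleted in this commit was `.../DoNotUseFinalizers.ql`; the file header of the newly added query is not visible in this view, so confirm that the new `.ql` is saved under exactly the renamed path (consistent with the new `@id java/do-not-use-finalize`), otherwise the test will fail to locate the query.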
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
1+
public class Test {
2+
void f() throws Throwable {
3+
this.finalize(); // NON_COMPLIANT
4+
}
5+
6+
void f1() throws Throwable {
7+
f(); // COMPLIANT
8+
}
9+
}
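Review bot: the test only exercises the positive case (`this.finalize()` on line 3); the `super.finalize()` exclusion that this commit adds to the query is never reached, so a regression in that `not exists(...)` clause would go unnoticed. Add a class that overrides `finalize` and calls `super.finalize()` inside it (expected: no alert), a call to `finalize()` without the explicit `this` qualifier (expected: alert), and a call on another object such as `obj.finalize()` (expected: alert), then extend the `.expected` file to match. `f(); // COMPLIANT` exercises nothing the query inspects and could be dropped.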

java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected

Lines changed: 0 additions & 3 deletions
This file was deleted.

java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref

Lines changed: 0 additions & 1 deletion
This file was deleted.

java/ql/test/query-tests/DoNotUseFinalizers/Test.java

Lines changed: 0 additions & 13 deletions
This file was deleted.
