Skip to content

Java: Add new quality query to detect finalize calls #19075

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jcogs33 merged 22 commits into from
Apr 22, 2025
Merged

Java: Add new quality query to detect finalize calls #19075

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
56ea9b6
Java: move original files
Mar 20, 2025
9a6e241
Java: update to only find 'finalize' calls and add 'super.finalize' e…
Mar 20, 2025
d9482ae
Java: update tests to use inline expectations
Mar 20, 2025
c689a0e
Java: add more test cases
Mar 21, 2025
dd57d1a
Java: add quality tag
Mar 21, 2025
44445db
Java: minor refactor
Mar 21, 2025
2e25498
Java: add change note
Mar 21, 2025
f73eda0
Java: add previous-id and change 'use' to 'call'
Mar 27, 2025
ed22a16
Java: exclude overloads of finalize
Mar 27, 2025
3631df0
Java: add to code-quality suite
Mar 27, 2025
caf21a8
Java: update qhelp and add 'performace' tag
Mar 28, 2025
416643c
Java: update qhelp recommendation and example
Apr 1, 2025
e621f9f
Java: update comments in tests
Apr 1, 2025
c4b8396
fix typo in query description
jcogs33 Apr 1, 2025
1a2c34d
Java: update qhelp implementation notes for clarity
Apr 1, 2025
05d7b9a
Java: add reliability tag
Apr 2, 2025
0380279
Java: update qhelp implementation notes for more clarity
Apr 2, 2025
fc21abc
Java: update qhelp implementation notes to say 'method declarations'
Apr 3, 2025
798907d
Java: remove change note
Apr 4, 2025
2b91605
Apply docs review suggestion
jcogs33 Apr 21, 2025
72d49f2
Merge branch 'main' into jcogs33/java/do-not-use-finalizers
jcogs33 Apr 21, 2025
3aa6b49
Java: Add new query to java-code-quality.qls.expected
Apr 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Java: move original files
  • Loading branch information
Jami Cogswell authored and Jami Cogswell committed Mar 27, 2025
commit 56ea9b65234d68f3c74dc4611967b1695d6020a8
34 changes: 34 additions & 0 deletions java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# J-FIN-002: Calling garbage collection methods in application code may cause inconsistent program state

Calling garbage collection or finalizer methods in application code may cause inconsistent program state or unpredicatable behavior.

## Overview

Triggering garbage collection explicitly may either have no effect or may trigger unnecessary garbage collection, leading to erratic behavior or deadlock.

## Recommendation

Avoid calling finalizers and garbage collection methods in application code. Allow the JVM to determine a garbage collection schedule instead.

## Example

```java
public class Test {
void f() throws Throwable {
System.gc(); // NON_COMPLIANT
Runtime.getRuntime().gc(); // NON_COMPLIANT
System.runFinalizersOnExit(true); //NON_COMPLIANT
this.finalize(); // NON_COMPLIANT
}
}

```

# Implementation Notes

This rule covers a concept related to J-FIN-001; this rule is focused on the use of existing finalizer invocations rather than attempts to write a custom implementation (J-FIN-001).

## References

- [Do not use finalizers](https://wiki.sei.cmu.edu/confluence/display/java/MET12-J.+Do+not+use+finalizers)
- [CWE-586](https://cwe.mitre.org/data/definitions/586)
25 changes: 25 additions & 0 deletions java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
/**
* @id java/do-not-use-finalizers
* @name J-D-004: Calling garbage collection methods in application code may cause inconsistent program state
* @description Calling garbage collection or finalizer methods in application code may cause
* inconsistent program state or unpredicatable behavior.
* @kind problem
* @precision high
* @problem.severity error
* @tags correctness
* external/cwe/cwe-586
*/

import java

from MethodCall c, Method m
where
c.getMethod() = m and
(
m.hasQualifiedName("java.lang", "System", ["gc", "runFinalizersOnExit"])
or
m.hasQualifiedName("java.lang", "Runtime", "gc")
or
m.hasQualifiedName(_, _, "finalize")
)
select c, "Call to prohibited method that may modify the JVM's garbage collection process."
3 changes: 3 additions & 0 deletions java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
| Test.java:3:9:3:19 | gc(...) | Call to prohibited method that may modify the JVM's garbage collection process. |
| Test.java:4:9:4:33 | gc(...) | Call to prohibited method that may modify the JVM's garbage collection process. |
| Test.java:5:9:5:23 | finalize(...) | Call to prohibited method that may modify the JVM's garbage collection process. |
1 change: 1 addition & 0 deletions java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
rules/J-FIN-002/DoNotUseFinalizers.ql
Comment thread Fixed
13 changes: 13 additions & 0 deletions java/ql/test/query-tests/DoNotUseFinalizers/Test.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
public class Test {
void f() throws Throwable {
System.gc(); // NON_COMPLIANT
Runtime.getRuntime().gc(); // NON_COMPLIANT
this.finalize(); // NON_COMPLIANT
// this is removed in Java 11
//System.runFinalizersOnExit(true); // NON_COMPLIANT
}

void f1() throws Throwable {
f(); // COMPLIANT
}
}