Skip to content

Java: Add new quality query to detect finalize calls #19075

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jcogs33 merged 22 commits into from
Apr 22, 2025
Merged

Java: Add new quality query to detect finalize calls #19075

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
56ea9b6
Java: move original files
Mar 20, 2025
9a6e241
Java: update to only find 'finalize' calls and add 'super.finalize' e…
Mar 20, 2025
d9482ae
Java: update tests to use inline expectations
Mar 20, 2025
c689a0e
Java: add more test cases
Mar 21, 2025
dd57d1a
Java: add quality tag
Mar 21, 2025
44445db
Java: minor refactor
Mar 21, 2025
2e25498
Java: add change note
Mar 21, 2025
f73eda0
Java: add previous-id and change 'use' to 'call'
Mar 27, 2025
ed22a16
Java: exclude overloads of finalize
Mar 27, 2025
3631df0
Java: add to code-quality suite
Mar 27, 2025
caf21a8
Java: update qhelp and add 'performace' tag
Mar 28, 2025
416643c
Java: update qhelp recommendation and example
Apr 1, 2025
e621f9f
Java: update comments in tests
Apr 1, 2025
c4b8396
fix typo in query description
jcogs33 Apr 1, 2025
1a2c34d
Java: update qhelp implementation notes for clarity
Apr 1, 2025
05d7b9a
Java: add reliability tag
Apr 2, 2025
0380279
Java: update qhelp implementation notes for more clarity
Apr 2, 2025
fc21abc
Java: update qhelp implementation notes to say 'method declarations'
Apr 3, 2025
798907d
Java: remove change note
Apr 4, 2025
2b91605
Apply docs review suggestion
jcogs33 Apr 21, 2025
72d49f2
Merge branch 'main' into jcogs33/java/do-not-use-finalizers
jcogs33 Apr 21, 2025
3aa6b49
Java: Add new query to java-code-quality.qls.expected
Apr 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Java: exclude overloads of finalize
  • Loading branch information
Jami Cogswell authored and Jami Cogswell committed Mar 27, 2025
commit ed22a16f32dfb1ba5c940dece2a1dfb105dd88cb
6 changes: 3 additions & 3 deletions java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
## Overview

Calling `finalize` in application code may cause inconsistent program state or unpredicatable behavior.
Calling `finalize()` in application code may cause inconsistent program state or unpredicatable behavior.

## Recommendation

Avoid calling `finalize` in application code. Allow the JVM to determine a garbage collection schedule instead.
Avoid calling `finalize()` in application code. Allow the JVM to determine a garbage collection schedule instead.

## Example

Expand All @@ -19,7 +19,7 @@ public class Test {

# Implementation Notes

This rule is focused on the use of existing `finalize` invocations rather than attempts to write a custom implementation.
This rule is focused on the use of existing `finalize()` invocations rather than attempts to write a custom implementation.
Comment thread
owen-mc marked this conversation as resolved.
Outdated

## References

Expand Down
12 changes: 6 additions & 6 deletions java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
/**
* @id java/do-not-call-finalize
* @previous-id java/do-not-use-finalizers
* @name Do not call `finalize`
* @description Calling `finalize` in application code may cause
* @name Do not call `finalize()`
* @description Calling `finalize()` in application code may cause
* inconsistent program state or unpredicatable behavior.
Comment thread
jcogs33 marked this conversation as resolved.
Outdated
* @kind problem
* @precision high
Expand All @@ -16,13 +16,13 @@ import java

from MethodCall mc
where
mc.getMethod().hasName("finalize") and
// The Java documentation for `finalize` states: "If a subclass overrides
mc.getMethod() instanceof FinalizeMethod and
// The Java documentation for `finalize()` states: "If a subclass overrides
// `finalize` it must invoke the superclass finalizer explicitly". Therefore,
// we do not alert on `super.finalize` calls that occur within a callable
// we do not alert on `super.finalize()` calls that occur within a callable
// that overrides `finalize`.
not exists(Callable caller, FinalizeMethod fm | caller = mc.getCaller() |
caller.(Method).overrides(fm) and
mc.getQualifier() instanceof SuperAccess
)
select mc, "Call to 'finalize'."
select mc, "Call to 'finalize()'."
2 changes: 1 addition & 1 deletion java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
---
category: newQuery
---
* Added a new quality query, `java/do-not-call-finalize`, to detect calls to `finalize`.
* Added a new quality query, `java/do-not-call-finalize`, to detect calls to `finalize()`.
3 changes: 1 addition & 2 deletions java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.expected
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,2 +1 @@
| Test.java:4:9:4:23 | finalize(...) | Call to 'finalize'. |
| Test.java:25:9:25:33 | finalize(...) | Call to 'finalize'. |
| Test.java:4:9:4:23 | finalize(...) | Call to 'finalize()'. |
6 changes: 3 additions & 3 deletions java/ql/test/query-tests/DoNotCallFinalize/Test.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ void f1() throws Throwable {

@Override
protected void finalize() throws Throwable {
// COMPLIANT: If a subclass overrides `finalize`
// COMPLIANT: If a subclass overrides `finalize()`
// it must invoke the superclass finalizer explicitly.
super.finalize();
}
Expand All @@ -20,9 +20,9 @@ protected void finalize(String s) throws Throwable {
System.out.println(s);
}
Comment thread
owen-mc marked this conversation as resolved.

// NON_COMPLIANT: call to overload of `finalize`
// COMPLIANT: call to overload of `finalize`
void f2() throws Throwable {
this.finalize("overload"); // $ Alert
this.finalize("overload");
}

}