rspec/rules/S2168/java/rule.adoc

== Why is this an issue?

Double-checked locking is the practice of checking a lazy-initialized object's state both before and after a `synchronized` block is entered to determine whether to initialize the object.
In early JVM versions, synchronizing entire methods was not performant, which sometimes caused this practice to be used in its place.


Apart from `float` and `int` types, this practice does not work reliably in a platform-independent manner without additional synchronization of mutable instances.
Using double-checked locking for the lazy initialization of any other type of primitive or mutable object risks a second thread using an uninitialized or partially initialized member while the first thread is still creating it.
The results can be unexpected, potentially even causing the application to crash.


== How to fix it

Given significant performance improvements of `synchronized` methods in recent JVM versions, `synchronized` methods are now preferred over the less robust double-checked locking.

If marking the entire method as `synchronized` is not an option, consider using an inner `static class` to hold the reference instead.
Inner static classes are guaranteed to be initialized lazily.

=== Code examples

==== Noncompliant code example

[source,java,diff-id=1,diff-type=noncompliant]
----
public class ResourceFactory {
    private static Resource resource;

    public static Resource getInstance() {
        if (resource == null) {
            synchronized (DoubleCheckedLocking.class) { // Noncompliant, not thread-safe due to the use of double-checked locking.
                if (resource == null)
                    resource = new Resource();
            }
        }
        return resource;
    }
}
----


==== Compliant solution

[source,java,diff-id=1,diff-type=compliant]
----
public class ResourceFactory {
    private static Resource resource;

    public static synchronized Resource getInstance() { // Compliant, the entire method is synchronized and hence thread-safe
        if (resource == null)
            resource = new Resource();
        return resource;
    }
}
----

==== Compliant solution

Alternatively, a static inner class can be used.
However, this solution is less explicit in its intention and hence should be used with care.

[source,java]
----
public class ResourceFactory {
    private static class ResourceHolder {
        public static Resource resource = new Resource(); // Compliant, as this will be lazily initialised by the JVM
    }

    public static Resource getResource() {
        return ResourceFactory.ResourceHolder.resource;
    }
}
----

== Resources

* https://www.cs.umd.edu/~pugh/java/memoryModel/DoubleCheckedLocking.html[The "Double-Checked Locking is Broken" Declaration]
* https://wiki.sei.cmu.edu/confluence/x/6zdGBQ[CERT, LCK10-J.] - Use a correct form of the double-checked locking idiom
* CWE - https://cwe.mitre.org/data/definitions/609[CWE-609 - Double-checked locking]
* https://docs.oracle.com/javase/specs/jls/se7/html/jls-12.html#jls-12.4[JLS 12.4] - Initialization of Classes and Interfaces
* Wikipedia: https://en.wikipedia.org/wiki/Double-checked_locking#Usage_in_Java[Double-checked locking]


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Remove this dangerous instance of double-checked locking.


'''
== Comments And Links
(visible only on this page)

=== on 21 Nov 2024, 16:48:00 Alban Auzeill wrote:
[test-code-support-investigation-for-java] Decision for scope: Main -> All.

=== on 20 Jul 2015, 07:45:24 Ann Campbell wrote:
Tagged java-top by Ann

=== on 8 Nov 2016, 14:58:08 Tibor Blenessy wrote:
I believe that this rule is actually a subset of https://www.securecoding.cert.org/confluence/display/java/TSM03-J.+Do+not+publish+partially+initialized+objects[TSM03-J]. Do we have a rule targeting that? Do we want to implement both?


This rule can be implemented on semantic level, however it will catch only simple cases of this. To do this properly we need to do full escape analysis and implement equivalent of  https://www.securecoding.cert.org/confluence/display/java/TSM03-J.+Do+not+publish+partially+initialized+objects[TSM03-J]

=== on 8 Nov 2016, 16:56:41 Ann Campbell wrote:
\[~tibor.blenessy] I considered adding that mapping to this rule, but really see it as tangential to the rule as currently described. Let me know if you disagree.

=== on 8 Nov 2016, 18:41:56 Tibor Blenessy wrote:
Code samples are from book  Java Concurrency in Practice and they are available under public domain on this url  \http://jcip.net.s3-website-us-east-1.amazonaws.com/listings.html

endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

SONARJAVA-4495 Update S2168 in line with LayC. (#2817) 2023-08-08 17:31:04 +02:00			Double-checked locking is the practice of checking a lazy-initialized object's state both before and after a `synchronized` block is entered to determine whether to initialize the object.
			`In early JVM versions, synchronizing entire methods was not performant, which sometimes caused this practice to be used in its place.`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00

SONARJAVA-4495 Update S2168 in line with LayC. (#2817) 2023-08-08 17:31:04 +02:00			Apart from `float` and `int` types, this practice does not work reliably in a platform-independent manner without additional synchronization of mutable instances.
			`Using double-checked locking for the lazy initialization of any other type of primitive or mutable object risks a second thread using an uninitialized or partially initialized member while the first thread is still creating it.`
			`The results can be unexpected, potentially even causing the application to crash.`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00

SONARJAVA-4495 Update S2168 in line with LayC. (#2817) 2023-08-08 17:31:04 +02:00			`== How to fix it`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
SONARJAVA-4495 Update S2168 in line with LayC. (#2817) 2023-08-08 17:31:04 +02:00			Given significant performance improvements of `synchronized` methods in recent JVM versions, `synchronized` methods are now preferred over the less robust double-checked locking.
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
SONARJAVA-4495 Update S2168 in line with LayC. (#2817) 2023-08-08 17:31:04 +02:00			If marking the entire method as `synchronized` is not an option, consider using an inner `static class` to hold the reference instead.
			`Inner static classes are guaranteed to be initialized lazily.`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
SONARJAVA-4495 Update S2168 in line with LayC. (#2817) 2023-08-08 17:31:04 +02:00			`=== Code examples`

			`==== Noncompliant code example`

			`[source,java,diff-id=1,diff-type=noncompliant]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
SONARJAVA-4495 Update S2168 in line with LayC. (#2817) 2023-08-08 17:31:04 +02:00			`public class ResourceFactory {`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`private static Resource resource;`

			`public static Resource getInstance() {`
			`if (resource == null) {`
SONARJAVA-4495 Update S2168 in line with LayC. (#2817) 2023-08-08 17:31:04 +02:00			`synchronized (DoubleCheckedLocking.class) { // Noncompliant, not thread-safe due to the use of double-checked locking.`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`if (resource == null)`
			`resource = new Resource();`
			`}`
			`}`
			`return resource;`
			`}`
			`}`
			`----`

Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
SONARJAVA-4495 Update S2168 in line with LayC. (#2817) 2023-08-08 17:31:04 +02:00			`==== Compliant solution`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
SONARJAVA-4495 Update S2168 in line with LayC. (#2817) 2023-08-08 17:31:04 +02:00			`[source,java,diff-id=1,diff-type=compliant]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
SONARJAVA-4495 Update S2168 in line with LayC. (#2817) 2023-08-08 17:31:04 +02:00			`public class ResourceFactory {`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`private static Resource resource;`

SONARJAVA-4495 Update S2168 in line with LayC. (#2817) 2023-08-08 17:31:04 +02:00			`public static synchronized Resource getInstance() { // Compliant, the entire method is synchronized and hence thread-safe`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`if (resource == null)`
			`resource = new Resource();`
			`return resource;`
			`}`
			`}`
			`----`
SONARJAVA-4495 Update S2168 in line with LayC. (#2817) 2023-08-08 17:31:04 +02:00
			`==== Compliant solution`

			`Alternatively, a static inner class can be used.`
			`However, this solution is less explicit in its intention and hence should be used with care.`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,java]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`----`
			`public class ResourceFactory {`
			`private static class ResourceHolder {`
SONARJAVA-4495 Update S2168 in line with LayC. (#2817) 2023-08-08 17:31:04 +02:00			`public static Resource resource = new Resource(); // Compliant, as this will be lazily initialised by the JVM`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`}`

			`public static Resource getResource() {`
			`return ResourceFactory.ResourceHolder.resource;`
			`}`
			`}`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Resources`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00
			`* https://www.cs.umd.edu/~pugh/java/memoryModel/DoubleCheckedLocking.html[The "Double-Checked Locking is Broken" Declaration]`
			`* https://wiki.sei.cmu.edu/confluence/x/6zdGBQ[CERT, LCK10-J.] - Use a correct form of the double-checked locking idiom`
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* CWE - https://cwe.mitre.org/data/definitions/609[CWE-609 - Double-checked locking]`
Restructure one-lang rspecs 2021-04-28 16:49:39 +02:00			`* https://docs.oracle.com/javase/specs/jls/se7/html/jls-12.html#jls-12.4[JLS 12.4] - Initialization of Classes and Interfaces`
			`* Wikipedia: https://en.wikipedia.org/wiki/Double-checked_locking#Usage_in_Java[Double-checked locking]`
Fix the missing default metadata fields 2021-04-28 18:08:03 +02:00
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Remove this dangerous instance of double-checked locking.`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

Modify rules S1612,S1640,S1643,S1656,S1710,S1751,S1849,S1858,S1862,S1871,S1872,S1940,S1994,S2093,S2130,S2133,S2140,S2147,S2153,S2154,S2168,S2178,S2183,S2185: SONARJAVA-5186 Improve Test Code Support Part 3 (#4525) 2024-11-22 09:51:54 +01:00			`=== on 21 Nov 2024, 16:48:00 Alban Auzeill wrote:`
			`[test-code-support-investigation-for-java] Decision for scope: Main -> All.`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== on 20 Jul 2015, 07:45:24 Ann Campbell wrote:`
			`Tagged java-top by Ann`

			`=== on 8 Nov 2016, 14:58:08 Tibor Blenessy wrote:`
			`I believe that this rule is actually a subset of https://www.securecoding.cert.org/confluence/display/java/TSM03-J.+Do+not+publish+partially+initialized+objects[TSM03-J]. Do we have a rule targeting that? Do we want to implement both?`


			`This rule can be implemented on semantic level, however it will catch only simple cases of this. To do this properly we need to do full escape analysis and implement equivalent of https://www.securecoding.cert.org/confluence/display/java/TSM03-J.+Do+not+publish+partially+initialized+objects[TSM03-J]`

			`=== on 8 Nov 2016, 16:56:41 Ann Campbell wrote:`
			`\[~tibor.blenessy] I considered adding that mapping to this rule, but really see it as tangential to the rule as currently described. Let me know if you disagree.`

			`=== on 8 Nov 2016, 18:41:56 Tibor Blenessy wrote:`
			`Code samples are from book Java Concurrency in Practice and they are available under public domain on this url \http://jcip.net.s3-website-us-east-1.amazonaws.com/listings.html`

Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`