- •Table of Contents
- •List of Figures
- •List of Tables
- •Acknowledgments
- •About This Report
- •The Secure Coding Standard Described in This Report
- •Guideline Priorities
- •Abstract
- •1 Introduction
- •1.1.2 Synchronization
- •1.1.3.1 Atomic Classes
- •1.1.3.3 Explicit Locking
- •2 Visibility and Atomicity (VNA) Guidelines
- •2.1.5 Exceptions
- •2.1.6 Risk Assessment
- •2.1.7 References
- •2.2.1 Noncompliant Code Example
- •2.2.2 Compliant Solution (Synchronization)
- •2.2.5 Risk Assessment
- •2.2.6 References
- •2.3.1 Noncompliant Code Example (Logical Negation)
- •2.3.2 Noncompliant Code Example (Bitwise Negation)
- •2.3.4 Compliant Solution (Synchronization)
- •2.3.8 Noncompliant Code Example (Addition of Primitives)
- •2.3.9 Noncompliant Code Example (Addition of Atomic Integers)
- •2.3.10 Compliant Solution (Addition)
- •2.3.11 Risk Assessment
- •2.3.12 References
- •2.4.2 Compliant Solution (Method Synchronization)
- •2.4.4 Compliant Solution (Synchronized Block)
- •2.4.6 Compliant Solution (Synchronization)
- •2.4.8 Risk Assessment
- •2.4.9 References
- •2.5.1 Noncompliant Code Example
- •2.5.2 Compliant Solution
- •2.5.3 Risk Assessment
- •2.5.4 References
- •2.6.1 Noncompliant Code Example
- •2.6.2 Compliant Solution (Volatile)
- •2.6.3 Exceptions
- •2.6.4 Risk Assessment
- •2.6.5 References
- •2.7.1 Noncompliant Code Example (Arrays)
- •2.7.3 Compliant Solution (Synchronization)
- •2.7.4 Noncompliant Code Example (Mutable Object)
- •2.7.6 Compliant Solution (Synchronization)
- •2.7.8 Compliant Solution (Instance Per Call/Defensive Copying)
- •2.7.9 Compliant Solution (Synchronization)
- •2.7.10 Compliant Solution (ThreadLocal Storage)
- •2.7.11 Risk Assessment
- •2.7.12 References
- •3 Lock (LCK) Guidelines
- •3.1.1 Noncompliant Code Example (Method Synchronization)
- •3.1.4 Noncompliant Code Example (Public Final Lock Object)
- •3.1.5 Compliant Solution (Private Final Lock Object)
- •3.1.6 Noncompliant Code Example (Static)
- •3.1.7 Compliant Solution (Static)
- •3.1.8 Exceptions
- •3.1.9 Risk Assessment
- •3.1.10 References
- •3.2.2 Noncompliant Code Example (Boxed Primitive)
- •3.2.7 Compliant Solution (Private Final Lock Object)
- •3.2.8 Risk Assessment
- •3.2.9 References
- •3.3.2 Compliant Solution (Class Name Qualification)
- •3.3.5 Compliant Solution (Class Name Qualification)
- •3.3.6 Risk Assessment
- •3.3.7 References
- •3.4.3 Risk Assessment
- •3.4.4 References
- •3.5.1 Noncompliant Code Example (Collection View)
- •3.5.2 Compliant Solution (Collection Lock Object)
- •3.5.3 Risk Assessment
- •3.5.4 References
- •3.6.1 Noncompliant Code Example
- •3.6.2 Compliant Solution
- •3.6.3 Risk Assessment
- •3.6.4 References
- •3.7.2 Noncompliant Code Example (Method Synchronization for Static Data)
- •3.7.3 Compliant Solution (Static Lock Object)
- •3.7.4 Risk Assessment
- •3.7.5 References
- •3.8.1 Noncompliant Code Example (Different Lock Orders)
- •3.8.2 Compliant Solution (Private Static Final Lock Object)
- •3.8.3 Compliant Solution (Ordered Locks)
- •3.8.5 Noncompliant Code Example (Different Lock Orders, Recursive)
- •3.8.6 Compliant Solution
- •3.8.7 Risk Assessment
- •3.8.8 References
- •3.9.1 Noncompliant Code Example (Checked Exception)
- •3.9.4 Noncompliant Code Example (Unchecked Exception)
- •3.9.6 Risk Assessment
- •3.9.7 References
- •3.10.1 Noncompliant Code Example (Deferring a Thread)
- •3.10.2 Compliant Solution (Intrinsic Lock)
- •3.10.3 Noncompliant Code Example (Network I/O)
- •3.10.4 Compliant Solution
- •3.10.5 Exceptions
- •3.10.6 Risk Assessment
- •3.10.7 References
- •3.11.1 Noncompliant Code Example
- •3.11.2 Compliant Solution (Volatile)
- •3.11.3 Compliant Solution (Static Initialization)
- •3.11.4 Compliant Solution (Initialize-On-Demand, Holder Class Idiom)
- •3.11.5 Compliant Solution (ThreadLocal Storage)
- •3.11.6 Compliant Solution (Immutable)
- •3.11.7 Exceptions
- •3.11.8 Risk Assessment
- •3.11.9 References
- •3.12.1 Noncompliant Code Example (Intrinsic Lock)
- •3.12.2 Compliant Solution (Private Final Lock Object)
- •3.12.3 Noncompliant Code Example (Class Extension and Accessible Member Lock)
- •3.12.4 Compliant Solution (Composition)
- •3.12.5 Risk Assessment
- •3.12.6 References
- •4 Thread APIs (THI) Guidelines
- •4.1.2 Compliant Solution (Volatile Flag)
- •4.1.5 Compliant Solution
- •4.1.6 Risk Assessment
- •4.1.7 References
- •4.2.1 Noncompliant Code Example
- •4.2.2 Compliant Solution
- •4.2.3 Risk Assessment
- •4.2.4 References
- •4.3.1 Noncompliant Code Example
- •4.3.2 Compliant Solution
- •4.3.3 Exceptions
- •4.3.4 Risk Assessment
- •4.3.5 References
- •4.4.1 Noncompliant Code Example
- •4.4.2 Compliant Solution
- •4.4.3 Risk Assessment
- •4.4.4 References
- •4.5.5 Compliant Solution (Unique Condition Per Thread)
- •4.5.6 Risk Assessment
- •4.5.7 References
- •4.6.2 Compliant Solution (Volatile Flag)
- •4.6.3 Compliant Solution (Interruptible)
- •4.6.5 Risk Assessment
- •4.6.6 References
- •4.7.1 Noncompliant Code Example (Blocking I/O, Volatile Flag)
- •4.7.2 Noncompliant Code Example (Blocking I/O, Interruptible)
- •4.7.3 Compliant Solution (Close Socket Connection)
- •4.7.4 Compliant Solution (Interruptible Channel)
- •4.7.5 Noncompliant Code Example (Database Connection)
- •4.7.7 Risk Assessment
- •4.7.8 References
- •5 Thread Pools (TPS) Guidelines
- •5.1.1 Noncompliant Code Example
- •5.1.2 Compliant Solution
- •5.1.3 Risk Assessment
- •5.1.4 References
- •5.2.1 Noncompliant Code Example (Interdependent Subtasks)
- •5.2.2 Compliant Solution (No Interdependent Tasks)
- •5.2.3 Noncompliant Code Example (Subtasks)
- •5.2.5 Risk Assessment
- •5.2.6 References
- •5.3.1 Noncompliant Code Example (Shutting Down Thread Pools)
- •5.3.2 Compliant Solution (Submit Interruptible Tasks)
- •5.3.3 Exceptions
- •5.3.4 Risk Assessment
- •5.3.5 References
- •5.4.1 Noncompliant Code Example (Abnormal Task Termination)
- •5.4.3 Compliant Solution (Uncaught Exception Handler)
- •5.4.5 Exceptions
- •5.4.6 Risk Assessment
- •5.4.7 References
- •5.5.1 Noncompliant Code Example
- •5.5.2 Noncompliant Code Example (Increase Thread Pool Size)
- •5.5.5 Exceptions
- •5.5.6 Risk Assessment
- •5.5.7 References
- •6 Thread-Safety Miscellaneous (TSM) Guidelines
- •6.1.1 Noncompliant Code Example (Synchronized Method)
- •6.1.2 Compliant Solution (Synchronized Method)
- •6.1.3 Compliant Solution (Private Final Lock Object)
- •6.1.4 Noncompliant Code Example (Private Lock)
- •6.1.5 Compliant Solution (Private Lock)
- •6.1.6 Risk Assessment
- •6.1.7 References
- •6.2.1 Noncompliant Code Example (Publish Before Initialization)
- •6.2.3 Compliant Solution (Volatile Field and Publish After Initialization)
- •6.2.4 Compliant Solution (Public Static Factory Method)
- •6.2.5 Noncompliant Code Example (Handlers)
- •6.2.6 Compliant Solution
- •6.2.7 Noncompliant Code Example (Inner Class)
- •6.2.8 Compliant Solution
- •6.2.9 Noncompliant Code Example (Thread)
- •6.2.10 Compliant Solution (Thread)
- •6.2.11 Exceptions
- •6.2.12 Risk Assessment
- •6.2.13 References
- •6.3.1 Noncompliant Code Example (Background Thread)
- •6.3.4 Exceptions
- •6.3.5 Risk Assessment
- •6.3.6 References
- •6.4.1 Noncompliant Code Example
- •6.4.2 Compliant Solution (Synchronization)
- •6.4.3 Compliant Solution (Final Field)
- •6.4.5 Compliant Solution (Static Initialization)
- •6.4.6 Compliant Solution (Immutable Object - Final Fields, Volatile Reference)
- •6.4.8 Exceptions
- •6.4.9 Risk Assessment
- •6.4.10 References
- •6.5.1 Obtaining Concurrency Annotations
- •6.5.3 Documenting Locking Policies
- •6.5.4 Construction of Mutable Objects
- •6.5.7 Risk Assessment
- •6.5.8 References
- •Appendix Definitions
- •Bibliography
Acknowledgments
We want to thank everyone who contributed their time and effort to the development of these guidelines, including Siddarth Adukia, Lokesh Agarwal, Ron Bandes, Kalpana Chatnani, Jose Sandoval Chaverri, Tim Halloran (SureLogic), Thomas Hawtin, Fei He, Ryan Hofler, Sam Kaplan, Georgios Katsis, Lothar Kimmeringer, Bastian Marquis, Michael Kross, Christopher Leonavicius, Bocong Liu, Efstathios Mertikas, David Neville, Justin Pincar, Michael Rosenman, Eric Schwelm, Tamir Sen, Philip Shirey, Jagadish Shrinivasavadhani, Robin Steiger, John Truelove, Theti Tsiampali, Tim Wilson, and Weam Abu Zaki.
We also want to thank the following people for their careful reviews of both this technical report and the wiki on which it is based: Hans Boehm, Joseph Bowbeer, Klaus Havelund, David Holmes, Bart Jacobs, Niklas Matthies, Bill Michell, Philip Miller, Nick Morrott, Attila Mravik, Tim Peierls, Alex Snaps, Kenneth A. Williams.
We also thank our editors: Pamela Curtis and Pennie Walters.
This research was supported by the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD).
CMU/SEI-2010-TR-015 | xi
CMU/SEI-2010-TR-015 | xii