From 56ea9b65234d68f3c74dc4611967b1695d6020a8 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 20 Mar 2025 08:21:15 -0400 Subject: [PATCH 01/19] Java: move original files --- .../Undesirable Calls/DoNotUseFinalizers.md | 34 +++++++++++++++++++ .../Undesirable Calls/DoNotUseFinalizers.ql | 25 ++++++++++++++ .../DoNotUseFinalizers.expected | 3 ++ .../DoNotUseFinalizers.qlref | 1 + .../query-tests/DoNotUseFinalizers/Test.java | 13 +++++++ 5 files changed, 76 insertions(+) create mode 100644 java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md create mode 100644 java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql create mode 100644 java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected create mode 100644 java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref create mode 100644 java/ql/test/query-tests/DoNotUseFinalizers/Test.java diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md new file mode 100644 index 000000000000..70a1236e3a73 --- /dev/null +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md 
@@ -0,0 +1,34 @@
+# J-FIN-002: Calling garbage collection methods in application code may cause inconsistent program state
+
+Calling garbage collection or finalizer methods in application code may cause inconsistent program state or unpredicatable behavior.
+
+## Overview
+
+Triggering garbage collection explicitly may either have no effect or may trigger unnecessary garbage collection, leading to erratic behavior or deadlock.
+
+## Recommendation
+
+Avoid calling finalizers and garbage collection methods in application code. Allow the JVM to determine a garbage collection schedule instead.
+
+## Example
+
+```java
+public class Test {
+ void f() throws Throwable {
+ System.gc(); // NON_COMPLIANT
+ Runtime.getRuntime().gc(); // NON_COMPLIANT
+ System.runFinalizersOnExit(true); //NON_COMPLIANT
+ this.finalize(); // NON_COMPLIANT
+ }
+}
+
+```
+
+# Implementation Notes
+
+This rule covers a concept related to J-FIN-001; this rule is focused on the use of existing finalizer invocations rather than attempts to write a custom implementation (J-FIN-001).
+
+## References
+
+- [Do not use finalizers](https://wiki.sei.cmu.edu/confluence/display/java/MET12-J.+Do+not+use+finalizers)
+- [CWE-586](https://cwe.mitre.org/data/definitions/586)
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql
new file mode 100644
index 000000000000..b2e553024301
--- /dev/null
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql
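Review bot: The overview sentence misspells "unpredictable" as `unpredicatable`, and the same word is copied into the query's `@description` in the next hunk and carried through every later revision of the query (DoNotUseFinalize.ql and DoNotCallFinalize.ql), where it is still present at the end of the series. Since `@description` is user-facing text, it is worth fixing at the source: `inconsistent program state or unpredictable behavior.`. The help file also drops from level-two headings to a level-one `# Implementation Notes` in the middle of the document; `## Implementation Notes` would keep the heading hierarchy consistent with `## Overview`, `## Recommendation` and `## References`.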
@@ -0,0 +1,25 @@
+/**
+ * @id java/do-not-use-finalizers
+ * @name J-D-004: Calling garbage collection methods in application code may cause inconsistent program state
+ * @description Calling garbage collection or finalizer methods in application code may cause
+ * inconsistent program state or unpredicatable behavior.
+ * @kind problem
+ * @precision high
+ * @problem.severity error
+ * @tags correctness
+ * external/cwe/cwe-586
+ */
+
+import java
+
+from MethodCall c, Method m
+where
+ c.getMethod() = m and
+ (
+ m.hasQualifiedName("java.lang", "System", ["gc", "runFinalizersOnExit"])
+ or
+ m.hasQualifiedName("java.lang", "Runtime", "gc")
+ or
+ m.hasQualifiedName(_, _, "finalize")
+ )
+select c, "Call to prohibited method that may modify the JVM's garbage collection process."
diff --git a/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected b/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected
new file mode 100644
index 000000000000..3a96af624f69
--- /dev/null
+++ b/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected
@@ -0,0 +1,3 @@
+| Test.java:3:9:3:19 | gc(...) | Call to prohibited method that may modify the JVM's garbage collection process. |
+| Test.java:4:9:4:33 | gc(...) | Call to prohibited method that may modify the JVM's garbage collection process. |
+| Test.java:5:9:5:23 | finalize(...) | Call to prohibited method that may modify the JVM's garbage collection process. |
diff --git a/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref b/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref
new file mode 100644
index 000000000000..e429708f146e
--- /dev/null
+++ b/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref
@@ -0,0 +1 @@
+rules/J-FIN-002/DoNotUseFinalizers.ql
diff --git a/java/ql/test/query-tests/DoNotUseFinalizers/Test.java b/java/ql/test/query-tests/DoNotUseFinalizers/Test.java
new file mode 100644
index 000000000000..cca4a6b8f21a
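Review bot: The new `DoNotUseFinalizers.qlref` points at `rules/J-FIN-002/DoNotUseFinalizers.ql`, a path that does not exist in this commit; the query is added under `Violations of Best Practice/Undesirable Calls/`, so the test harness cannot resolve the query and the `.expected` file next to it cannot be exercised. The reference should be `Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql`, matching the path in the file header above. The following patch replaces both files, but as a standalone commit this one does not test what it adds.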
--- /dev/null
+++ b/java/ql/test/query-tests/DoNotUseFinalizers/Test.java
@@ -0,0 +1,13 @@
+public class Test {
+ void f() throws Throwable {
+ System.gc(); // NON_COMPLIANT
+ Runtime.getRuntime().gc(); // NON_COMPLIANT
+ this.finalize(); // NON_COMPLIANT
+ // this is removed in Java 11
+ //System.runFinalizersOnExit(true); // NON_COMPLIANT
+ }
+
+ void f1() throws Throwable {
+ f(); // COMPLIANT
+ }
+}
From 9a6e241f540021744dca8154c0939a7a4b5a6f4f Mon Sep 17 00:00:00 2001
From: Jami Cogswell Date: Thu, 20 Mar 2025 08:58:48 -0400 Subject: [PATCH 02/19] Java: update to only find 'finalize' calls and add 'super.finalize' exclusion --- .../Undesirable Calls/DoNotUseFinalize.md | 27 +++++++++++++++ .../Undesirable Calls/DoNotUseFinalize.ql | 27 +++++++++++++++ .../Undesirable Calls/DoNotUseFinalizers.md | 34 ------------------- .../Undesirable Calls/DoNotUseFinalizers.ql | 25 -------------- .../DoNotUseFinalize.expected | 1 + .../DoNotUseFinalize/DoNotUseFinalize.qlref | 1 + .../query-tests/DoNotUseFinalize/Test.java | 9 +++++ .../DoNotUseFinalizers.expected | 3 -- .../DoNotUseFinalizers.qlref | 1 - .../query-tests/DoNotUseFinalizers/Test.java | 13 ------- 10 files changed, 65 insertions(+), 76 deletions(-) create mode 100644 java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.md create mode 100644 java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql delete mode 100644 java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md delete mode 100644 java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql create mode 100644 java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected create mode 100644 java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref create mode 100644 java/ql/test/query-tests/DoNotUseFinalize/Test.java delete mode 100644 java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected delete mode 100644 java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref delete mode 100644 java/ql/test/query-tests/DoNotUseFinalizers/Test.java diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.md new file mode 100644 index 000000000000..7acb4186fe60 --- /dev/null +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.md 
@@ -0,0 +1,27 @@
+## Overview
+
+Calling `finalize` in application code may cause inconsistent program state or unpredicatable behavior.
+
+## Recommendation
+
+Avoid calling `finalize` in application code. Allow the JVM to determine a garbage collection schedule instead.
+
+## Example
+
+```java
+public class Test {
+ void f() throws Throwable {
+ this.finalize(); // NON_COMPLIANT
+ }
+}
+
+```
+
+# Implementation Notes
+
+This rule is focused on the use of existing `finalize` invocations rather than attempts to write a custom implementation.
+
+## References
+
+- Carnegie Mellon University, SEI CERT Oracle Coding Standard for Java: [MET12-J. Do not use finalizers](https://wiki.sei.cmu.edu/confluence/display/java/MET12-J.+Do+not+use+finalizers).
+- Common Weakness Enumeration: [CWE-586](https://cwe.mitre.org/data/definitions/586).
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql
new file mode 100644
index 000000000000..fe4203226355
--- /dev/null
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql
@@ -0,0 +1,27 @@
+/**
+ * @id java/do-not-use-finalize
+ * @name Do not use `finalize`
+ * @description Calling `finalize` in application code may cause
+ * inconsistent program state or unpredicatable behavior.
+ * @kind problem
+ * @precision high
+ * @problem.severity error
+ * @tags correctness
+ * external/cwe/cwe-586
+ */
+
+import java
+
+from MethodCall mc, Method m
+where
+ mc.getMethod() = m and
+ m.hasName("finalize") and
+ // The Java documentation for `finalize` states: "If a subclass overrides
+ // `finalize` it must invoke the superclass finalizer explicitly". Therefore,
+ // we do not alert on `super.finalize` calls that occur within a callable
+ // that overrides `finalize`.
+ not exists(Callable caller, FinalizeMethod fm | caller = mc.getCaller() |
+ caller.(Method).overrides(fm) and
+ mc.getQualifier() instanceof SuperAccess
+ )
+select mc, "Call to 'finalize'."
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md
deleted file mode 100644
index 70a1236e3a73..000000000000
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.md
+++ /dev/null
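Review bot: The alert message `"Call to 'finalize'."` in the `select` only names what was matched and gives the reader no reason to act, so a result cannot be triaged without opening the query help; the later rename to `"Call to 'finalize()'."` keeps the same shape. A message that states the consequence reads better in a results list, for example `select mc, "Calling 'finalize()' directly runs the finalizer on a live object; the JVM may run it again later, leaving the object in an inconsistent state."`. The `@description` also still carries the `unpredicatable` misspelling inherited from the first patch.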
@@ -1,34 +0,0 @@ -# J-FIN-002: Calling garbage collection methods in application code may cause inconsistent program state - -Calling garbage collection or finalizer methods in application code may cause inconsistent program state or unpredicatable behavior. - -## Overview - -Triggering garbage collection explicitly may either have no effect or may trigger unnecessary garbage collection, leading to erratic behavior or deadlock. - -## Recommendation - -Avoid calling finalizers and garbage collection methods in application code. Allow the JVM to determine a garbage collection schedule instead. - -## Example - -```java -public class Test { - void f() throws Throwable { - System.gc(); // NON_COMPLIANT - Runtime.getRuntime().gc(); // NON_COMPLIANT - System.runFinalizersOnExit(true); //NON_COMPLIANT - this.finalize(); // NON_COMPLIANT - } -} - -``` - -# Implementation Notes - -This rule covers a concept related to J-FIN-001; this rule is focused on the use of existing finalizer invocations rather than attempts to write a custom implementation (J-FIN-001). - -## References - -- [Do not use finalizers](https://wiki.sei.cmu.edu/confluence/display/java/MET12-J.+Do+not+use+finalizers) -- [CWE-586](https://cwe.mitre.org/data/definitions/586) diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql deleted file mode 100644 index b2e553024301..000000000000 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalizers.ql +++ /dev/null 
@@ -1,25 +0,0 @@ -/** - * @id java/do-not-use-finalizers - * @name J-D-004: Calling garbage collection methods in application code may cause inconsistent program state - * @description Calling garbage collection or finalizer methods in application code may cause - * inconsistent program state or unpredicatable behavior. - * @kind problem - * @precision high - * @problem.severity error - * @tags correctness - * external/cwe/cwe-586 - */ - -import java - -from MethodCall c, Method m -where - c.getMethod() = m and - ( - m.hasQualifiedName("java.lang", "System", ["gc", "runFinalizersOnExit"]) - or - m.hasQualifiedName("java.lang", "Runtime", "gc") - or - m.hasQualifiedName(_, _, "finalize") - ) -select c, "Call to prohibited method that may modify the JVM's garbage collection process." diff --git a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected new file mode 100644 index 000000000000..5dd0c3cbdf57 --- /dev/null +++ b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected @@ -0,0 +1 @@ +| Test.java:3:9:3:23 | finalize(...) | Call to 'finalize'. | diff --git a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref new file mode 100644 index 000000000000..7b36e5a63d40 --- /dev/null +++ b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref @@ -0,0 +1 @@ +Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql diff --git a/java/ql/test/query-tests/DoNotUseFinalize/Test.java b/java/ql/test/query-tests/DoNotUseFinalize/Test.java new file mode 100644 index 000000000000..6e039dffe8e7 --- /dev/null +++ b/java/ql/test/query-tests/DoNotUseFinalize/Test.java @@ -0,0 +1,9 @@ +public class Test { + void f() throws Throwable { + this.finalize(); // NON_COMPLIANT + } + + void f1() throws Throwable { + f(); // COMPLIANT + } +} 
diff --git a/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected b/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected deleted file mode 100644 index 3a96af624f69..000000000000 --- a/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.expected +++ /dev/null @@ -1,3 +0,0 @@ -| Test.java:3:9:3:19 | gc(...) | Call to prohibited method that may modify the JVM's garbage collection process. | -| Test.java:4:9:4:33 | gc(...) | Call to prohibited method that may modify the JVM's garbage collection process. | -| Test.java:5:9:5:23 | finalize(...) | Call to prohibited method that may modify the JVM's garbage collection process. | diff --git a/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref b/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref deleted file mode 100644 index e429708f146e..000000000000 --- a/java/ql/test/query-tests/DoNotUseFinalizers/DoNotUseFinalizers.qlref +++ /dev/null @@ -1 +0,0 @@ -rules/J-FIN-002/DoNotUseFinalizers.ql diff --git a/java/ql/test/query-tests/DoNotUseFinalizers/Test.java b/java/ql/test/query-tests/DoNotUseFinalizers/Test.java deleted file mode 100644 index cca4a6b8f21a..000000000000 --- a/java/ql/test/query-tests/DoNotUseFinalizers/Test.java +++ /dev/null @@ -1,13 +0,0 @@ -public class Test { - void f() throws Throwable { - System.gc(); // NON_COMPLIANT - Runtime.getRuntime().gc(); // NON_COMPLIANT - this.finalize(); // NON_COMPLIANT - // this is removed in Java 11 - //System.runFinalizersOnExit(true); // NON_COMPLIANT - } - - void f1() throws Throwable { - f(); // COMPLIANT - } -} From d9482ae334f2ed817507f310a5aa637f72f0f389 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 20 Mar 2025 13:38:08 -0400 Subject: [PATCH 03/19] Java: update tests to use inline expectations --- .../test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref | 3 ++- java/ql/test/query-tests/DoNotUseFinalize/Test.java | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) 
diff --git a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref index 7b36e5a63d40..c47232fa1194 100644 --- a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref +++ b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref @@ -1 +1,2 @@ -Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql +query: Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/DoNotUseFinalize/Test.java b/java/ql/test/query-tests/DoNotUseFinalize/Test.java index 6e039dffe8e7..ecb30cb1b37d 100644 --- a/java/ql/test/query-tests/DoNotUseFinalize/Test.java +++ b/java/ql/test/query-tests/DoNotUseFinalize/Test.java @@ -1,6 +1,7 @@ public class Test { void f() throws Throwable { - this.finalize(); // NON_COMPLIANT + // NON_COMPLIANT + this.finalize(); // $ Alert } void f1() throws Throwable { From c689a0e9b718ff14fd5923e25c0b57224badf64b Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 20 Mar 2025 20:36:21 -0400 Subject: [PATCH 04/19] Java: add more test cases --- .../DoNotUseFinalize/DoNotUseFinalize.expected | 3 ++- .../query-tests/DoNotUseFinalize/Test.java | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected index 5dd0c3cbdf57..2445343c293f 100644 --- a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected +++ b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected @@ -1 +1,2 @@ -| Test.java:3:9:3:23 | finalize(...) | Call to 'finalize'. | +| Test.java:4:9:4:23 | finalize(...) | Call to 'finalize'. | +| Test.java:25:9:25:33 | finalize(...) | Call to 'finalize'. | 
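Review bot: The `Test.java` hunk moves `this.finalize()` from line 3 to line 4 by inserting the `// NON_COMPLIANT` comment above it, but `DoNotUseFinalize.expected` still records the result at `Test.java:3:9:3:23` from the previous patch and is not touched here, so the test fails at this point in the series; the next patch corrects it to `4:9:4:23`. Folding that expected-file update into this commit would keep every commit in the series green for bisecting. The enclosing class `Test` begins outside the hunk.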
diff --git a/java/ql/test/query-tests/DoNotUseFinalize/Test.java b/java/ql/test/query-tests/DoNotUseFinalize/Test.java index ecb30cb1b37d..3ef4e74e4dc3 100644 --- a/java/ql/test/query-tests/DoNotUseFinalize/Test.java +++ b/java/ql/test/query-tests/DoNotUseFinalize/Test.java @@ -7,4 +7,22 @@ void f() throws Throwable { void f1() throws Throwable { f(); // COMPLIANT } + + @Override + protected void finalize() throws Throwable { + // COMPLIANT: If a subclass overrides `finalize` + // it must invoke the superclass finalizer explicitly. + super.finalize(); + } + + // Overload of `finalize` + protected void finalize(String s) throws Throwable { + System.out.println(s); + } + + // NON_COMPLIANT: call to overload of `finalize` + void f2() throws Throwable { + this.finalize("overload"); // $ Alert + } + } From dd57d1aec6c2a8de30d6b70e790cb5e93208f6ec Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 20 Mar 2025 20:51:03 -0400 Subject: [PATCH 05/19] Java: add quality tag --- .../Undesirable Calls/DoNotUseFinalize.ql | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql index fe4203226355..36ca6697fd66 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql @@ -6,7 +6,8 @@ * @kind problem * @precision high * @problem.severity error - * @tags correctness + * @tags quality + * correctness * external/cwe/cwe-586 */ From 44445dbeb8230e7a93c531e249e9dd95846e76d0 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 20 Mar 2025 20:52:06 -0400 Subject: [PATCH 06/19] Java: minor refactor --- .../Undesirable Calls/DoNotUseFinalize.ql | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
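Review bot: The new test cases cover the mandated `super.finalize()` inside an override and an unrelated overload, but nothing exercises the boundary of the query's exclusion: a `super.finalize()` call made from a method that does not itself override `finalize()` should still alert, and so should a call on another object rather than on `this`. Two small additions would pin that intent, e.g. `void cleanup() throws Throwable { super.finalize(); } // $ Alert` and `void g(Object o) throws Throwable { o.finalize(); } // $ Alert` (the second presumably needs a type whose `finalize()` is accessible from `Test`, since `Object.finalize()` is protected). Without them, a later change to the `caller.(Method).overrides(fm)` condition could silently widen the exclusion and no test would notice. The enclosing class `Test` begins outside the hunk.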
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql index 36ca6697fd66..720d72b6c201 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql @@ -13,10 +13,9 @@ import java -from MethodCall mc, Method m +from MethodCall mc where - mc.getMethod() = m and - m.hasName("finalize") and + mc.getMethod().hasName("finalize") and // The Java documentation for `finalize` states: "If a subclass overrides // `finalize` it must invoke the superclass finalizer explicitly". Therefore, // we do not alert on `super.finalize` calls that occur within a callable From 2e254981437cb42799c46611ef72f1a1e918e41f Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 20 Mar 2025 21:23:23 -0400 Subject: [PATCH 07/19] Java: add change note --- java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md diff --git a/java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md b/java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md new file mode 100644 index 000000000000..27e4c530cbd2 --- /dev/null +++ b/java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md @@ -0,0 +1,4 @@ +--- +category: newQuery +--- +* Added a new quality query, `java/do-not-use-finalize`, to detect calls to `finalize`. From f73eda0c38ab9c02407d9d2f1ce380d42a653401 Mon Sep 17 00:00:00 2001 
From: Jami Cogswell Date: Thu, 27 Mar 2025 18:17:26 -0400 Subject: [PATCH 08/19] Java: add previous-id and change 'use' to 'call' --- .../{DoNotUseFinalize.md => DoNotCallFinalize.md} | 0 .../{DoNotUseFinalize.ql => DoNotCallFinalize.ql} | 5 +++-- java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md | 4 ++++ java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md | 4 ---- .../DoNotCallFinalize.expected} | 0 .../query-tests/DoNotCallFinalize/DoNotCallFinalize.qlref | 2 ++ .../{DoNotUseFinalize => DoNotCallFinalize}/Test.java | 0 .../test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref | 2 -- 8 files changed, 9 insertions(+), 8 deletions(-) rename java/ql/src/Violations of Best Practice/Undesirable Calls/{DoNotUseFinalize.md => DoNotCallFinalize.md} (100%) rename java/ql/src/Violations of Best Practice/Undesirable Calls/{DoNotUseFinalize.ql => DoNotCallFinalize.ql} (88%) create mode 100644 java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md delete mode 100644 java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md rename java/ql/test/query-tests/{DoNotUseFinalize/DoNotUseFinalize.expected => DoNotCallFinalize/DoNotCallFinalize.expected} (100%) create mode 100644 java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.qlref rename java/ql/test/query-tests/{DoNotUseFinalize => DoNotCallFinalize}/Test.java (100%) delete mode 100644 java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md similarity index 100% rename from java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.md rename to java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md 
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql similarity index 88% rename from java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql rename to java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql index 720d72b6c201..592a27ef6616 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql @@ -1,6 +1,7 @@ /** - * @id java/do-not-use-finalize - * @name Do not use `finalize` + * @id java/do-not-call-finalize + * @previous-id java/do-not-use-finalizers + * @name Do not call `finalize` * @description Calling `finalize` in application code may cause * inconsistent program state or unpredicatable behavior. * @kind problem diff --git a/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md b/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md new file mode 100644 index 000000000000..101b94136a15 --- /dev/null +++ b/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md @@ -0,0 +1,4 @@ +--- +category: newQuery +--- +* Added a new quality query, `java/do-not-call-finalize`, to detect calls to `finalize`. diff --git a/java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md b/java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md deleted file mode 100644 index 27e4c530cbd2..000000000000 --- a/java/ql/src/change-notes/2025-03-20-do-not-use-finalize.md +++ /dev/null @@ -1,4 +0,0 @@ ---- -category: newQuery ---- -* Added a new quality query, `java/do-not-use-finalize`, to detect calls to `finalize`. 
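Review bot: The added `@previous-id java/do-not-use-finalizers` names an id that only ever existed in the first patch of this series and was already renamed to `java/do-not-use-finalize` before this one, so within this repository there are no published alerts for it to carry forward. If that id was never shipped in a released query pack, the tag is inert and could be dropped; if it was shipped elsewhere (the `J-FIN-002` rule set mentioned in the first patch suggests it may have been), the change note should say so, because the purpose of `@previous-id` is to let consumers match existing alerts to the renamed query. Either way the rationale is not visible from the diff and a one-line comment next to the tag would save the next reader the same question.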
diff --git a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected b/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.expected similarity index 100% rename from java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.expected rename to java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.expected diff --git a/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.qlref b/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.qlref new file mode 100644 index 000000000000..b301797d5295 --- /dev/null +++ b/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.qlref @@ -0,0 +1,2 @@ +query: Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql +postprocess: utils/test/InlineExpectationsTestQuery.ql diff --git a/java/ql/test/query-tests/DoNotUseFinalize/Test.java b/java/ql/test/query-tests/DoNotCallFinalize/Test.java similarity index 100% rename from java/ql/test/query-tests/DoNotUseFinalize/Test.java rename to java/ql/test/query-tests/DoNotCallFinalize/Test.java diff --git a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref b/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref deleted file mode 100644 index c47232fa1194..000000000000 --- a/java/ql/test/query-tests/DoNotUseFinalize/DoNotUseFinalize.qlref +++ /dev/null @@ -1,2 +0,0 @@ -query: Violations of Best Practice/Undesirable Calls/DoNotUseFinalize.ql -postprocess: utils/test/InlineExpectationsTestQuery.ql From ed22a16f32dfb1ba5c940dece2a1dfb105dd88cb Mon Sep 17 00:00:00 2001 
From: Jami Cogswell Date: Thu, 27 Mar 2025 19:33:38 -0400 Subject: [PATCH 09/19] Java: exclude overloads of finalize --- .../Undesirable Calls/DoNotCallFinalize.md | 6 +++--- .../Undesirable Calls/DoNotCallFinalize.ql | 12 ++++++------ .../change-notes/2025-03-20-do-not-call-finalize.md | 2 +- .../DoNotCallFinalize/DoNotCallFinalize.expected | 3 +-- java/ql/test/query-tests/DoNotCallFinalize/Test.java | 6 +++--- 5 files changed, 14 insertions(+), 15 deletions(-) diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md index 7acb4186fe60..9c3e3ebd4a03 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md @@ -1,10 +1,10 @@ ## Overview -Calling `finalize` in application code may cause inconsistent program state or unpredicatable behavior. +Calling `finalize()` in application code may cause inconsistent program state or unpredicatable behavior. ## Recommendation -Avoid calling `finalize` in application code. Allow the JVM to determine a garbage collection schedule instead. +Avoid calling `finalize()` in application code. Allow the JVM to determine a garbage collection schedule instead. ## Example @@ -19,7 +19,7 @@ public class Test { # Implementation Notes -This rule is focused on the use of existing `finalize` invocations rather than attempts to write a custom implementation. +This rule is focused on the use of existing `finalize()` invocations rather than attempts to write a custom implementation. ## References diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql index 592a27ef6616..3b6be7b652dd 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql 
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql @@ -1,8 +1,8 @@ /** * @id java/do-not-call-finalize * @previous-id java/do-not-use-finalizers - * @name Do not call `finalize` - * @description Calling `finalize` in application code may cause + * @name Do not call `finalize()` + * @description Calling `finalize()` in application code may cause * inconsistent program state or unpredicatable behavior. * @kind problem * @precision high @@ -16,13 +16,13 @@ import java from MethodCall mc where - mc.getMethod().hasName("finalize") and - // The Java documentation for `finalize` states: "If a subclass overrides + mc.getMethod() instanceof FinalizeMethod and + // The Java documentation for `finalize()` states: "If a subclass overrides // `finalize` it must invoke the superclass finalizer explicitly". Therefore, - // we do not alert on `super.finalize` calls that occur within a callable + // we do not alert on `super.finalize()` calls that occur within a callable // that overrides `finalize`. not exists(Callable caller, FinalizeMethod fm | caller = mc.getCaller() | caller.(Method).overrides(fm) and mc.getQualifier() instanceof SuperAccess ) -select mc, "Call to 'finalize'." +select mc, "Call to 'finalize()'." diff --git a/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md b/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md index 101b94136a15..8317dce595c1 100644 --- a/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md +++ b/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md @@ -1,4 +1,4 @@ --- category: newQuery --- -* Added a new quality query, `java/do-not-call-finalize`, to detect calls to `finalize`. +* Added a new quality query, `java/do-not-call-finalize`, to detect calls to `finalize()`. diff --git a/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.expected b/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.expected index 2445343c293f..ac3c4fa59c01 100644 
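Review bot: The negated `exists` in the `where` clause introduces `caller` only to read it once and `fm` only as a witness, which makes the exclusion harder to read than the rule it encodes; it can be stated as one condition: `not (mc.getQualifier() instanceof SuperAccess and mc.getCaller().(Method).overrides(any(FinalizeMethod fm)))`. Now that `mc.getMethod()` is itself constrained to a `FinalizeMethod`, the witness could presumably be the called method, `mc.getCaller().(Method).overrides(mc.getMethod())`, which says directly that the caller overrides the finalizer the `super` call resolves to — the Javadoc rule quoted in the comment. Results should be identical either way; this is a readability point. The `@description` in the first hunk still carries the `unpredicatable` misspelling.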
--- a/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.expected +++ b/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.expected @@ -1,2 +1 @@ -| Test.java:4:9:4:23 | finalize(...) | Call to 'finalize'. | -| Test.java:25:9:25:33 | finalize(...) | Call to 'finalize'. | +| Test.java:4:9:4:23 | finalize(...) | Call to 'finalize()'. | diff --git a/java/ql/test/query-tests/DoNotCallFinalize/Test.java b/java/ql/test/query-tests/DoNotCallFinalize/Test.java index 3ef4e74e4dc3..eb7ac19da593 100644 --- a/java/ql/test/query-tests/DoNotCallFinalize/Test.java +++ b/java/ql/test/query-tests/DoNotCallFinalize/Test.java @@ -10,7 +10,7 @@ void f1() throws Throwable { @Override protected void finalize() throws Throwable { - // COMPLIANT: If a subclass overrides `finalize` + // COMPLIANT: If a subclass overrides `finalize()` // it must invoke the superclass finalizer explicitly. super.finalize(); } @@ -20,9 +20,9 @@ protected void finalize(String s) throws Throwable { System.out.println(s); } - // NON_COMPLIANT: call to overload of `finalize` + // COMPLIANT: call to overload of `finalize` void f2() throws Throwable { - this.finalize("overload"); // $ Alert + this.finalize("overload"); } } From 3631df03c7faec4d2d4371f73217a783164cfb3f Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 27 Mar 2025 19:38:10 -0400 Subject: [PATCH 10/19] Java: add to code-quality suite --- java/ql/src/codeql-suites/java-code-quality.qls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/java/ql/src/codeql-suites/java-code-quality.qls b/java/ql/src/codeql-suites/java-code-quality.qls index ac1f52624c4f..552d803eec11 100644 --- a/java/ql/src/codeql-suites/java-code-quality.qls +++ b/java/ql/src/codeql-suites/java-code-quality.qls @@ -11,4 +11,5 @@ - java/unused-container - java/input-resource-leak - java/output-resource-leak - - java/type-variable-hides-type \ No newline at end of file + - java/type-variable-hides-type + - java/do-not-call-finalize 
From caf21a8202c3055273d5955e2fc273c58881fe82 Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Thu, 27 Mar 2025 20:20:48 -0400 Subject: [PATCH 11/19] Java: update qhelp and add 'performace' tag --- .../Undesirable Calls/DoNotCallFinalize.md | 5 +++-- .../Undesirable Calls/DoNotCallFinalize.ql | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md index 9c3e3ebd4a03..46dd0802b961 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md @@ -1,6 +1,6 @@ ## Overview -Calling `finalize()` in application code may cause inconsistent program state or unpredicatable behavior. +Triggering garbage collection by directly calling `finalize()` may either have no effect or may trigger unnecessary garbage collection, leading to erratic behavior, performance issues, or deadlock. ## Recommendation @@ -23,5 +23,6 @@ This rule is focused on the use of existing `finalize()` invocations rather than ## References -- Carnegie Mellon University, SEI CERT Oracle Coding Standard for Java: [MET12-J. Do not use finalizers](https://wiki.sei.cmu.edu/confluence/display/java/MET12-J.+Do+not+use+finalizers). +- SEI CERT Oracle Coding Standard for Java: [MET12-J. Do not use finalizers](https://wiki.sei.cmu.edu/confluence/display/java/MET12-J.+Do+not+use+finalizers). +- Java API Specification: [Object.finalize()](https://docs.oracle.com/javase/10/docs/api/java/lang/Object.html#finalize()). - Common Weakness Enumeration: [CWE-586](https://cwe.mitre.org/data/definitions/586). diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql index 3b6be7b652dd..8ee12909a6d7 100644 
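Review bot: The rewritten overview says that calling `finalize()` triggers garbage collection, which is not what a direct call does: it executes the finalizer body on a still-reachable object, and the JVM may invoke `finalize()` again when the object later becomes unreachable, so cleanup runs twice and the object can be left in an inconsistent state — that is the CWE-586 concern the references already cite. Suggested wording for the line: `Calling finalize() directly does not trigger garbage collection; it runs the finalizer on a live object, and the JVM may run it again when the object becomes unreachable, so resources can be released twice and the object left in an inconsistent state.`. It would also help readers to mention that finalization has been deprecated for removal since Java 18 (JEP 421), which is a stronger reason to migrate to `AutoCloseable` than the performance argument added in this hunk. The new `Object.finalize()` link points at the Java 10 API documentation; a current release's page would avoid a stale reference.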
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql @@ -9,6 +9,7 @@ * @problem.severity error * @tags quality * correctness + * performance * external/cwe/cwe-586 */ From 416643ce3906480834d6592b19a5fb1f3aaab37e Mon Sep 17 00:00:00 2001 From: Jami Cogswell Date: Mon, 31 Mar 2025 21:09:21 -0400 Subject: [PATCH 12/19] Java: update qhelp recommendation and example --- .../Undesirable Calls/DoNotCallFinalize.md | 39 +++++++++++++++++-- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md index 46dd0802b961..26c46286cd5d 100644 --- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md +++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md 
@@ -4,14 +4,43 @@ Triggering garbage collection by directly calling `finalize()` may either have n
 ## Recommendation
-Avoid calling `finalize()` in application code. Allow the JVM to determine a garbage collection schedule instead.
+Avoid calling `finalize()` in application code. Allow the JVM to determine a garbage collection schedule instead. If you need to explicitly release resources, provide a specific method to do so, such as by implementing the `AutoCloseable` interface and overriding its `close` method. You can then use a `try-with-resources` block to ensure that the resource is closed.
 ## Example
 ```java
-public class Test {
- void f() throws Throwable {
- this.finalize(); // NON_COMPLIANT
+class LocalCache {
+ private Collection cacheFiles = ...;
+ // ...
+}
+
+void main() {
+ LocalCache cache = new LocalCache();
+ // ...
+ cache.finalize(); // NON_COMPLIANT
+}
+
+```
+
+```java
+import java.lang.AutoCloseable;
+import java.lang.Override;
+
+class LocalCache implements AutoCloseable {
+ private Collection cacheFiles = ...;
+ // ...
+
+ @Override
+ public void close() throws Exception {
+ // release resources here if required
+ }
+}
+
+void main() {
+ // COMPLIANT: uses try-with-resources to ensure that
+ // a resource implementing AutoCloseable is closed.
+ try (LocalCache cache = new LocalCache()) {
+ // ...
 }
 }
@@ -25,4 +54,6 @@ This rule is focused on the use of existing `finalize()` invocations rather than
 - SEI CERT Oracle Coding Standard for Java: [MET12-J. Do not use finalizers](https://wiki.sei.cmu.edu/confluence/display/java/MET12-J.+Do+not+use+finalizers).
 - Java API Specification: [Object.finalize()](https://docs.oracle.com/javase/10/docs/api/java/lang/Object.html#finalize()).
+- Java API Specification: [Interface AutoCloseable](https://docs.oracle.com/javase/10/docs/api/java/lang/AutoCloseable.html).
+- Java SE Documentation: [The try-with-resources Statement](https://docs.oracle.com/javase/tutorial/essential/exceptions/tryResourceClose.html).
 - Common Weakness Enumeration: [CWE-586](https://cwe.mitre.org/data/definitions/586).
From e621f9fd4903d60ca266e87afbd8f9969955bddc Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Tue, 1 Apr 2025 15:48:52 -0400
Subject: [PATCH 13/19] Java: update comments in tests
---
 java/ql/test/query-tests/DoNotCallFinalize/Test.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/java/ql/test/query-tests/DoNotCallFinalize/Test.java b/java/ql/test/query-tests/DoNotCallFinalize/Test.java
index eb7ac19da593..b70d0e47581a 100644
--- a/java/ql/test/query-tests/DoNotCallFinalize/Test.java
+++ b/java/ql/test/query-tests/DoNotCallFinalize/Test.java
@@ -17,11 +17,11 @@ protected void finalize() throws Throwable {
 // Overload of `finalize`
 protected void finalize(String s) throws Throwable {
- System.out.println(s);
+ // ...
 }
- // COMPLIANT: call to overload of `finalize`
 void f2() throws Throwable {
+ // COMPLIANT: call to overload of `finalize`
 this.finalize("overload");
 }
From c4b83963334bb29137d921e3dbf4bf5a221bee01 Mon Sep 17 00:00:00 2001
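Review bot: After this change the only `finalize` call exercised in `f2()` is the overload `this.finalize("overload")`, so the two cases the query is documented to separate — a `super.finalize()` call inside the `finalize()` override (which the implementation notes say the rule ignores) and a direct call on another instance (the `cache.finalize()` shape used in the qhelp example) — are not visible in this hunk. If Test.java does not cover them elsewhere, add a method such as `void f3(Test other) throws Throwable { other.finalize(); } // NON_COMPLIANT` and keep a `super.finalize(); // COMPLIANT` line in the override, so that `DoNotCallFinalize.expected` pins both the alert and the exclusion. Replacing the `println` body with `// ...` is fine for a test fixture, but the `s` parameter is now unused, which some compilers flag with `-Xlint`. The `finalize()` override named in the hunk header and the enclosing `Test` class begin before this hunk.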
From: Jami <57204504+jcogs33@users.noreply.github.com>
Date: Tue, 1 Apr 2025 15:52:57 -0400
Subject: [PATCH 14/19] fix typo in query description
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
---
 .../Undesirable Calls/DoNotCallFinalize.ql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
index 8ee12909a6d7..80171e4d49e3 100644
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
@@ -3,7 +3,7 @@
 * @previous-id java/do-not-use-finalizers
 * @name Do not call `finalize()`
 * @description Calling `finalize()` in application code may cause
- * inconsistent program state or unpredicatable behavior.
+ * inconsistent program state or unpredictable behavior.
 * @kind problem
 * @precision high
 * @problem.severity error
From 1a2c34dd28d25eba9d1c214af07bf569f6c6a492 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Tue, 1 Apr 2025 16:24:13 -0400
Subject: [PATCH 15/19] Java: update qhelp implementation notes for clarity
---
 .../Undesirable Calls/DoNotCallFinalize.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
index 26c46286cd5d..b2bcfdae6127 100644
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
@@ -48,7 +48,8 @@ void main() {
 # Implementation Notes
-This rule is focused on the use of existing `finalize()` invocations rather than attempts to write a custom implementation.
+This rule ignores `super.finalize()` calls that occur within `finalize()` overrides since calling the superclass finalizer is required when overriding `finalize()`. Also, although overriding `finalize()` is not recommended, this rule only alerts on direct calls to `finalize()` and does not alert on overrides of `finalize()`.
+
 ## References
From 05d7b9a19a1e84266fbb5f46505c3a577b7f99f8 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Wed, 2 Apr 2025 19:11:26 -0400
Subject: [PATCH 16/19] Java: add reliability tag
---
 .../Undesirable Calls/DoNotCallFinalize.ql | 1 +
 1 file changed, 1 insertion(+)
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
index 80171e4d49e3..1abe96f91857 100644
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
@@ -8,6 +8,7 @@
 * @precision high
 * @problem.severity error
 * @tags quality
+ * reliability
 * correctness
 * performance
 * external/cwe/cwe-586
From 0380279c39079c713a1d64a412669b18abccee7a Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Wed, 2 Apr 2025 19:43:33 -0400
Subject: [PATCH 17/19] Java: update qhelp implementation notes for more clarity
---
 .../Undesirable Calls/DoNotCallFinalize.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
index b2bcfdae6127..46ce835d50d7 100644
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
@@ -48,8 +48,7 @@ void main() {
 # Implementation Notes
-This rule ignores `super.finalize()` calls that occur within `finalize()` overrides since calling the superclass finalizer is required when overriding `finalize()`. Also, although overriding `finalize()` is not recommended, this rule only alerts on direct calls to `finalize()` and does not alert on overrides of `finalize()`.
-
+This rule ignores `super.finalize()` calls that occur within `finalize()` overrides since calling the superclass finalizer is required when overriding `finalize()`. Also, although overriding `finalize()` is not recommended, this rule only alerts on direct calls to `finalize()` and does not alert on method overrides of `finalize()`.
 ## References
From fc21abc7e4af6b6b1045c5b3e25e8a7114126680 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Thu, 3 Apr 2025 16:05:23 -0400
Subject: [PATCH 18/19] Java: update qhelp implementation notes to say 'method declarations'
---
 .../Undesirable Calls/DoNotCallFinalize.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
index 46ce835d50d7..d6fd5cf76bd4 100644
--- a/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
+++ b/java/ql/src/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.md
@@ -48,7 +48,7 @@ void main() {
 # Implementation Notes
-This rule ignores `super.finalize()` calls that occur within `finalize()` overrides since calling the superclass finalizer is required when overriding `finalize()`. Also, although overriding `finalize()` is not recommended, this rule only alerts on direct calls to `finalize()` and does not alert on method overrides of `finalize()`.
+This rule ignores `super.finalize()` calls that occur within `finalize()` overrides since calling the superclass finalizer is required when overriding `finalize()`. Also, although overriding `finalize()` is not recommended, this rule only alerts on direct calls to `finalize()` and does not alert on method declarations overriding `finalize()`.
 ## References
From 798907dc5045d644d67e15ac2130a5f48c4f66fe Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Fri, 4 Apr 2025 14:01:35 -0400
Subject: [PATCH 19/19] Java: remove change note
---
 java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md | 4 ----
 1 file changed, 4 deletions(-)
 delete mode 100644 java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md
diff --git a/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md b/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md
deleted file mode 100644
index 8317dce595c1..000000000000
--- a/java/ql/src/change-notes/2025-03-20-do-not-call-finalize.md
+++ /dev/null
@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* Added a new quality query, `java/do-not-call-finalize`, to detect calls to `finalize()`.