1

We've started running our code through Fortify, and as an exercise I wanted to see if Sonarqube would pick up any of the same issues.

One of the first ones I'm unable to replicate is S2168:Double-Checked Locking

The guilty code fragment:

if (instance == null)
    {
        // thread safe singleton
        synchronized (ESSingletonClient.class)
        {
            if (instance == null) // doubly check
            {
               ...stuff
            }
        }
    }

I was running this on the default quality profile, Sonar Way, which appears to have this in its list. For grins I created a new profile based off "Sonar Way", and then added everything from "Findbugs Security Audit", but that's not finding the code segment, either.

Any thoughts on what I may be missing?

clean install: - Docker: sonarqube:alpine (7.0)

UPDATE (4/11/18):

I created a simple class with only 2 methods. They're identical to the original code, except one uses the volatile and the other doesn't. I ran it through SQ, and neither method is flagged for a double check. - SonarJava: 5.2 (build 13398)

UPDATE (4/12/18):

Added assignment to variables, calling another method, as is done in our original code. Still not being flagged.

/** volatile instance. */
private static volatile Integer v_instance = null;
/** non-volatile instance. */
private static Integer n_instance = null;

public static void getVolatileInstance() 
{
    if (v_instance == null)
    {
        // thread safe singleton
        synchronized (DoubleCheck.class)
        {
            if (v_instance == null) // doubly check
            {
                assignVolatile(5);
            }
        }
    }
}
public static void getNonVolatileInstance() 
{
    if (n_instance == null)
    {
        // thread safe singleton
        synchronized (DoubleCheck.class)
        {
            if (n_instance == null) // doubly check
            {
               assignNonVolatile(6);
            }
        }
    }
}    

public static void assignVolatile(Integer value)
{
    v_instance = value;
}

public static void assignNonVolatile(Integer value)
{
    n_instance = value;
}
Adam L
  • 137
  • 1
  • 10
  • 1
    Is `instance` declared as volatile? – BeUndead Apr 09 '18 at 21:33
  • private static volatile – Adam L Apr 09 '18 at 21:41
  • I'd guess that SonarQube's just being smarter about it then; while it's rarely a good idea to do DCL, this appears to be a valid use of it. – BeUndead Apr 09 '18 at 21:42
  • Are you suggesting if I ran the same code through, but without volatile, that it would be picked up? – Adam L Apr 09 '18 at 21:46
  • I wouldn't be surprised. – BeUndead Apr 09 '18 at 21:47
  • 1
    sadly, no such luck. it's still not being flagged. – Adam L Apr 09 '18 at 21:54
  • SonarQube and Fority are two different products with different goals. See also [this](https://wiki.sei.cmu.edu/confluence/display/java/LCK10-J.+Use+a+correct+form+of+the+double-checked+locking+idiom) discussion. – Jeroen Heier Apr 10 '18 at 04:04
  • yes, they are. But this is a case where they both happen to support catching the same feature. And it's being caught in one, but not the other. – Adam L Apr 10 '18 at 18:41
  • I checked it and SonarQube 7.0 with SonarJava 5.2 finds double-checked locking problem when instance variable has signature `private static Type instance` (without `volatile`). Could you add a class for which the issue in not reported (you can write a new one if your current class is secret ;-) ). It will allow to verify that you didn't hit a FP. – agabrys Apr 10 '18 at 21:31
  • @agabrys I've updated my original post. – Adam L Apr 12 '18 at 18:57
  • Please change `System.out.println("stuff");` to assignment operation and verify again. You should get one issue (for variable which is not `volatile`) – agabrys Apr 12 '18 at 19:00
  • @agabrys Thank you for your participation. I made the recommended changes, updated OP, and still nothing. – Adam L Apr 12 '18 at 22:54

1 Answers1

2

You hit a False Positive Negative (@benzonico rightly pointed out that it is not a False Positive but False Negative). I sent an email with detailed information to SonarQube distribution list (https://groups.google.com/d/topic/sonarqube/1UXBR9eZydU/discussion):

Hello,

Adam L hit a false positive in the S2168 rule when an instance is assigned in an other method. He added a post on Stack Overflow Sonarqube:Java is not catching "Double-checked Locking" (S2168) (I apologize for cross-posting) and today I finally confirmed that the problem is caused by the rule.

Environment:

  • SonarQube 7.0
  • SonarJava 5.2

Example class: https://github.com/agabrys/sonarqube-falsepositives/blob/master/src/main/java/biz/gabrys/agabrys/sonarqube/falsepositives/d20180415/S2168.java

Project: https://github.com/agabrys/sonarqube-falsepositives

Build: mvn clean package sonar

Regards

Now we have to wait for an answer with two possibilities:

  • a ticket to handle it will be created
  • they will decide to not fix it

Edit:

I upgraded SonarJava from 5.2 to 5.5 and the issue is marked as fixed.

agabrys
  • 8,728
  • 3
  • 35
  • 73