DoNotCallFinalize.ql
/**
* @id java/do-not-call-finalize
* @previous-id java/do-not-use-finalizers
* @name Do not call `finalize()`
 * @description Explicitly calling `finalize()` from application code means the
 *              finalizer may run more than once (the explicit call plus the
 *              garbage collector's), which can leave objects in an inconsistent
 *              state or cause unpredictable behavior (CWE-586).
* @kind problem
* @precision high
* @problem.severity error
* @tags quality
* reliability
* correctness
* performance
* external/cwe/cwe-586
*/
import java
/**
 * Holds if `mc` is a `super.finalize()` call made from inside a method that
 * overrides `finalize()`. The Java documentation for `finalize()` requires an
 * overriding `finalize` to invoke the superclass finalizer explicitly, so this
 * is the one explicit `finalize()` invocation that must not be reported.
 */
predicate isMandatorySuperFinalizeCall(MethodCall mc) {
  mc.getQualifier() instanceof SuperAccess and
  mc.getCaller().(Method).overrides(any(FinalizeMethod fm))
}

// Report every explicit invocation of a `finalize()` method (CWE-586), except
// the required `super.finalize()` chaining performed by a `finalize` override.
// Note: the exclusion keys on the *directly enclosing* callable, so a
// `super.finalize()` call nested in a lambda or anonymous class inside a
// `finalize` override is still reported.
from MethodCall mc
where
  mc.getMethod() instanceof FinalizeMethod and
  not isMandatorySuperFinalizeCall(mc)
select mc, "Call to 'finalize()'."