Java coding guidelines: 75 recommendations for reliable and secure programs (2014)

Glossary

atomicity When applied to an operation on primitive data, indicates that other threads that might access the data might see the data as it exists before the operation occurs or after the operation has completed, but may never see an intermediate value of the data.

canonicalization Reducing the input to its equivalent simplest known form.

class variable “A class variable is a field declared using the keyword static within a class declaration, or with or without the keyword static within an interface declaration. A class variable is created when its class or interface is prepared and is initialized to a default value. The class variable effectively ceases to exist when its class or interface is unloaded” [JLS 2013, §4.12.3, “Kinds of Variables”].

condition predicate An expression constructed from the state variables of a class that must be true for a thread to continue execution. The thread pauses execution, via Object.wait(), Thread.sleep(), or some other mechanism, and is resumed later, presumably when the requirement is true and when it is notified [Goetz 2006].

controlling expression The top-level expression in the conditional expression of an if, while, do... while, or switch statement.

data race “When a program contains two conflicting accesses that are not ordered by a happens-before relationship, it is said to contain a data race” [JLS 2013, §17.4.5, “Happens-before Order”].

happens-before order “Two actions can be ordered by a happens-before relationship. If one action happens-before another, then the first is visible to and ordered before the second. . . . It should be noted that the presence of a happens-before relationship between two actions does not necessarily imply that they have to take place in that order in an implementation. If the reordering produces results consistent with a legal execution, it is not illegal. . . . More specifically, if two actions share a happens-before relationship, they do not necessarily have to appear to have happened in that order to any code with which they do not share a happens-before relationship. Writes in one thread that are in a data race with reads in another thread may, for example, appear to occur out of order to those reads” [JLS 2013, §17.4.5, “Happens-before Order”].

heap memory “Memory that can be shared between threads is called shared memory or heap memory. All instance fields, static fields and array elements are stored in heap memory. . . . Local variables, formal method parameters or exception handler parameters are never shared between threads and are unaffected by the memory model” [JLS 2013, §17.4.1, “Shared Variables”].

hide One class field hides a field in a superclass if they have the same identifier. The hidden field is not accessible from the class. Likewise, a class method hides a method in a superclass if they have the same identifier, but incompatible signatures. The hidden method is not accessible from the class. See the JLS, §8.4.8.2, “Hiding (by Class Methods)” [JLS 2013] for the formal definition. Contrast with override.

immutable When applied to an object, immutable means that its state cannot be changed after being initialized. An object is immutable if

Image Its state cannot be modified after construction;

Image All its fields are final; and

Image It is properly constructed (the this reference does not escape during construction) [Goetz 2006].

It is technically possible to have an immutable object without all fields being final. String is such a class but this relies on delicate reasoning about benign data races that requires a deep understanding of the Java Memory Model.

liveness Every operation or method invocation executes to completion without interruptions, even if it goes against safety.

memory model “The rules that determine how memory accesses are ordered and when they are guaranteed to be visible are known as the memory model of the Java programming language” [Arnold 2006]. “A memory model describes, given a program and an execution trace of that program, whether the execution trace is a legal execution of the program” [JLS 2013, §17.4, “Memory Model”].

normalization Lossy conversion of the data to its simplest known (and anticipated) form. “When implementations keep strings in a normalized form, they can be assured that equivalent strings have a unique binary representation” [Davis 2008].

obscure One scoped identifier obscures another identifier in a containing scope if the two identifiers are the same but the obscuring identifier does not shadow the obscured identifier. This can happen if the obscuring identifier is a variable and the obscured identifier is a type, for example. See the JLS, §6.4.2, “Obscuring” [JLS 2013], for more information.

override One class method overrides a method in a superclass if they have compatible signatures. The overridden method is still accessible from the class via the super keyword. See the JLS, §8.4.8.1, “Overriding (by Instance Methods)” [JLS 2013], for the formal definition. Contrast with hide.

publishing objects “Publishing an object means making it available to code outside of its current scope, such as by storing a reference to it where other code can find it, returning it from a nonprivate method, or passing it to a method in another class” [Goetz 2006].

race condition “General races cause nondeterministic execution and are failures in programs intended to be deterministic” [Netzer 1992]. “A race condition occurs when the correctness of a computation depends on the relative timing or interleaving of multiple threads by the runtime” [Goetz 2006].

safe publication “To publish an object safely, both the reference to the object and the [state of the object] must be made visible to other threads at the same time. A properly constructed object can be safely published by:

Image Initializing an object reference from a static initializer;

Image Storing a reference to it into a volatile field or AtomicReference;

Image Storing a reference to it into a final field of a properly constructed object; or

Image Storing a reference to it into a field that is properly guarded by a lock” [Goetz 2006, §3.5 “Safe Publication”].

safety Its main goal is to ensure that all objects maintain consistent states in a multithreaded environment [Lea 2000].

sanitization Validating input and transforming it to a representation that conforms to the input requirements of a complex subsystem. For example, a database may require all invalid characters to be escaped or eliminated before their storage. Input sanitization is the elimination of unwanted characters from the input by means of removing, replacing, encoding, or escaping the characters.

security flaw A software defect that poses a potential security risk [Seacord 2013].

sensitive code Any code that performs operations that would be forbidden to untrusted code. Also, any code that accesses sensitive data. For example, code whose correct operation requires enhanced privileges is typically considered to be sensitive.

sensitive data Any data that must be kept secure. Consequences of this security requirement include the following:

Image Untrusted code is forbidden to access sensitive data

Image Trusted code is forbidden to leak sensitive data to untrusted code

Examples of sensitive data include passwords and personally identifiable information.

shadow One scoped identifier shadows another identifier in a containing scope if the two identifiers are the same, and they both reference variables. They may also both reference methods or types. The shadowed identifier is not accessible in the scope of the shadowing identifier. See the JLS, §6.4.1, “Shadowing” [JLS 2013], for more information. Contrast with obscure.

synchronization “The Java programming language provides multiple mechanisms for communicating between threads. The most basic of these methods is synchronization, which is implemented using monitors. Each object in Java is associated with a monitor, which a thread can lock or unlock. Only one thread at a time may hold a lock on a monitor. Any other threads attempting to lock that monitor are blocked until they can obtain a lock on that monitor” [JLS 2013, §17.1, “Synchronization”].

thread-safe An object is thread-safe if it can be shared by multiple threads without the possibility of any data races. “A thread-safe object performs synchronization internally, so multiple threads can freely access it through its public interface without further synchronization” [Goetz 2006]. Immutable classes are thread-safe by definition. Mutable classes may also be thread-safe if they are properly synchronized.

trusted code Code that is loaded by the primordial class loader regardless of whether or not it constitutes the Java API. In this text, this meaning is extended to include code that is obtained from a known entity and given permissions that untrusted code lacks. By this definition, untrusted and trusted code can coexist in the namespace of a single class loader (not necessarily the primordial class loader). In such cases, the security policy must make this distinction clear by assigning appropriate privileges to trusted code while denying the same from untrusted code.

untrusted code Code of unknown origin that can potentially cause some harm when executed. Untrusted code may not always be malicious, but it is usually hard to determine automatically. Consequently, untrusted code should be run in a sandboxed environment.

volatile “A write to a volatile field happens-before every subsequent read of that field” [JLS 2013, §17.4.5, “Happens-before Order”]. “Operations on the master copies of volatile variables on behalf of a thread are performed by the main memory in exactly the order that the thread requested” [JVMSpec 1999]. Accesses to a volatile variable are sequentially consistent, which also means that the operations are exempt from compiler optimizations. Declaring a variable volatile ensures that all threads see the most up-to-date value of the variable if any thread modifies it. Volatile guarantees atomic reads and writes of primitive values, but it does not guarantee the atomicity of composite operations such as variable incrementation (read-modify-write sequence).

vulnerability “A set of conditions that allows an attacker to violate an explicit or implicit security policy” [Seacord 2013].