Search code examples
javasonarqubedouble-checked-locking

Sonarqube:Java is not catching "Double-checked Locking" (S2168)

We've started running our code through Fortify, and as an exercise I wanted to see if Sonarqube would pick up any of the same issues.

One of the first ones I'm unable to replicate is S2168:Double-Checked Locking

The guilty code fragment:

if (instance == null)
    {
        // thread safe singleton
        synchronized (ESSingletonClient.class)
        {
            if (instance == null) // doubly check
            {
               ...stuff
            }
        }
    }

I was running this on the default quality profile, Sonar Way, which appears to have this in its list. For grins I created a new profile based off "Sonar Way", and then added everything from "Findbugs Security Audit", but that's not finding the code segment, either.

Any thoughts on what I may be missing?

clean install: - Docker: sonarqube:alpine (7.0)

UPDATE (4/11/18):

I created a simple class with only 2 methods. They're identical to the original code, except one uses the volatile and the other doesn't. I ran it through SQ, and neither method is flagged for a double check. - SonarJava: 5.2 (build 13398)

UPDATE (4/12/18):

Added assignment to variables, calling another method, as is done in our original code. Still not being flagged.

/** volatile instance. */
private static volatile Integer v_instance = null;
/** non-volatile instance. */
private static Integer n_instance = null;

public static void getVolatileInstance() 
{
    if (v_instance == null)
    {
        // thread safe singleton
        synchronized (DoubleCheck.class)
        {
            if (v_instance == null) // doubly check
            {
                assignVolatile(5);
            }
        }
    }
}
public static void getNonVolatileInstance() 
{
    if (n_instance == null)
    {
        // thread safe singleton
        synchronized (DoubleCheck.class)
        {
            if (n_instance == null) // doubly check
            {
               assignNonVolatile(6);
            }
        }
    }
}    

public static void assignVolatile(Integer value)
{
    v_instance = value;
}

public static void assignNonVolatile(Integer value)
{
    n_instance = value;
}
Solution

  • You hit a False Positive Negative (@benzonico rightly pointed out that it is not a False Positive but False Negative). I sent an email with detailed information to SonarQube distribution list (https://groups.google.com/d/topic/sonarqube/1UXBR9eZydU/discussion):

    Hello,

    Adam L hit a false positive in the S2168 rule when an instance is assigned in an other method. He added a post on Stack Overflow Sonarqube:Java is not catching "Double-checked Locking" (S2168) (I apologize for cross-posting) and today I finally confirmed that the problem is caused by the rule.

    Environment:

    • SonarQube 7.0
    • SonarJava 5.2

    Example class: https://github.com/agabrys/sonarqube-falsepositives/blob/master/src/main/java/biz/gabrys/agabrys/sonarqube/falsepositives/d20180415/S2168.java

    Project: https://github.com/agabrys/sonarqube-falsepositives

    Build: mvn clean package sonar

    Regards

    Now we have to wait for an answer with two possibilities:

    • a ticket to handle it will be created
    • they will decide to not fix it

    Edit:

    I upgraded SonarJava from 5.2 to 5.5 and the issue is marked as fixed.