Bug 991388

Summary: RTGov uses Strings as lock objects
Product: [JBoss] JBoss Fuse Service Works 6
Reporter: Jiri Pechanec <jpechane>
Component: RT Governance
Assignee: Gary Brown <gbrown>
Status: CLOSED CURRENTRELEASE
QA Contact: Jiri Sedlacek <jsedlace>
Severity: low
Priority: unspecified
Version: 6.0.0 GA
CC: oskutka, soa-p-jira
Target Milestone: ER1   
Target Release: 6.0.0   
Hardware: Unspecified   
OS: Unspecified   
Doc Type: Bug Fix
Last Closed: 2014-02-06 15:25:16 UTC
Type: Bug

Description Jiri Pechanec 2013-08-02 10:18:38 UTC
There are multiple places in RTGov that use a constant string as a lock object:
rtgov/modules/activity-analysis/reports/src/main/java/org/overlord/rtgov/reports/ReportManagerAccessor.java:    private static final String SYNC=new String("sync");
rtgov/modules/activity-management/activity/src/main/java/org/overlord/rtgov/activity/validator/ActivityValidatorManagerAccessor.java:    private static final String SYNC=new String("sync");
rtgov/modules/activity-management/activity/src/main/java/org/overlord/rtgov/activity/processor/InformationProcessorManagerAccessor.java:    private static final String SYNC=new String("sync");
rtgov/modules/activity-management/activity/src/main/java/org/overlord/rtgov/activity/collector/ActivityCollectorAccessor.java:    private static final String SYNC=new String("sync");
rtgov/modules/event-processor-network/epn-core/src/main/java/org/overlord/rtgov/epn/EPNManagerAccessor.java:    private static final String SYNC=new String("sync");
rtgov/modules/active-queries/active-collection/src/main/java/org/overlord/rtgov/active/collection/ActiveCollectionManagerAccessor.java:    private static final String SYNC=new String("sync");

This is an antipattern and can lead to unpredictable behaviour, as the String constant acts as a global JVM lock.

https://www.securecoding.cert.org/confluence/display/java/LCK01-J.+Do+not+synchronize+on+objects+that+may+be+reused

Comment 1 Gary Brown 2013-08-02 10:29:13 UTC
These are not string constants, they are string instances. If you look on the referenced page under "Compliant Solution (String Instance)" you will find they are ok.

Comment 2 Jiri Pechanec 2013-08-02 10:36:26 UTC
Right, under these conditions I am lowering the severity to low - refer to the sentence
-- Nevertheless, a better approach is to synchronize on a private final lock object, as shown in the following compliant solution. --

Comment 3 Jiri Pechanec 2013-09-16 09:29:19 UTC
Verified in ER2

Comment 7 JBoss JIRA Server 2014-07-02 09:18:50 UTC
Gary Brown <gary> updated the status of jira RTGOV-242 to Closed
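
The distinction discussed in Comments 1 and 2, as an added Java example that is not part of the bug report or the RTGov source (all class names are hypothetical). It uses Thread.holdsLock to show which lock styles end up sharing a monitor across unrelated classes: a string literal, a new String(...) instance as quoted in the description, and the private final Object lock that LCK01-J recommends.

```java
// Added example; class names are hypothetical, not RTGov code.
public class LockIdentityDemo {

    // String literal: interned by the JVM, so every class that writes
    // "sync" refers to the same object and therefore the same monitor.
    static class LiteralA { static final String SYNC = "sync"; }
    static class LiteralB { static final String SYNC = "sync"; }

    // The form quoted in the report: new String(...) allocates a distinct
    // object for each class, so the monitors are independent.
    static class InstanceA { static final String SYNC = new String("sync"); }
    static class InstanceB { static final String SYNC = new String("sync"); }

    // The form LCK01-J prefers: a private final Object that no other code
    // can reach, intern or mistake for shared data.
    static class Preferred {
        private static final Object LOCK = new Object();

        static boolean sharesMonitorWith(Object other) {
            synchronized (LOCK) {
                return Thread.holdsLock(other);
            }
        }
    }

    // Returns true when holding the monitor of `mine` also means holding
    // the monitor of `theirs`, i.e. both references are the same object.
    static boolean sharesMonitor(Object mine, Object theirs) {
        synchronized (mine) {
            return Thread.holdsLock(theirs);
        }
    }

    public static void main(String[] args) {
        System.out.println("literal A vs literal B:       "
                + sharesMonitor(LiteralA.SYNC, LiteralB.SYNC));
        System.out.println("instance A vs instance B:     "
                + sharesMonitor(InstanceA.SYNC, InstanceB.SYNC));
        System.out.println("instance A vs literal:        "
                + sharesMonitor(InstanceA.SYNC, "sync"));
        // intern() returns the shared literal, which discards the isolation
        // that new String(...) provided.
        System.out.println("interned instance vs literal: "
                + sharesMonitor(InstanceA.SYNC.intern(), LiteralB.SYNC));
        System.out.println("private Object vs literal:    "
                + Preferred.sharesMonitorWith("sync"));
    }
}
```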