|
Veracode scan reports issue "Race Condition within a Thread" on ViewStatusMessagesServletBase
Description (from Veracode):
"There are total of 4 instances. A shared variable 'count' is used here without a locking mechanism such as a synchronized block.
If two threads of execution reference a shared variable simultaneously, the variable may be invalid or in an unexpected state.
Remediation: Use locking functionality around code that alters or reads persistent data in a multi-threaded environment."
Same issue is characterized as "mutable servlet field" here:
http://grepcode.com/file/repo1.maven.org/maven2/ch.qos.logback/logback-core/0.9.17/ch/qos/logback/core/status/ViewStatusMessagesServletBase.java#105
Considering how the count attribute appears to be used, the actual impact of an issue, if it actually occurred, should not be serious.
I am attaching a version of ViewStatusMessagesServletBase.java I made that puts getting and setting of the count variable within synchronized blocks, within getter and setter methods.
This seems like it would work to eliminate the complaint from Veracode.
Questions:
Count is set with default, ("package private") access. Is there a reason for this? I couldn't see where other classes within the package are accessing it.
If there are, and I missed them for some reason, they should be set to use getter/setter for count (which would need to have its access changed).
|
