CWE - CWE-585: Empty Synchronized Block (2.11)

Weakness ID: 585

Abstraction: Variant

Status: Draft

Presentation Filter:

Description

Description Summary

The software contains an empty synchronized block.

Extended Description

An empty synchronized block does not actually accomplish any synchronization and may indicate a troubled section of code. An empty synchronized block can occur because code no longer needed within the synchronized block is commented out without removing the synchronized block.

Time of Introduction

Implementation

Applicable Platforms

Languages

Java

Common Consequences

Scope	Effect
Other	Technical Impact: Other An empty synchronized block will wait until nobody else is using the synchronizer being specified. While this may be part of the desired behavior, because you haven't protected the subsequent code by placing it inside the synchronized block, nothing is stopping somebody else from modifying whatever it was you were waiting for while you run the subsequent code.

Demonstrative Examples

Example 1

The following code attempts to synchronize on an object, but does not execute anything in the synchronized block. This does not actually accomplish anything and may be a sign that a programmer is wrestling with synchronization but has not yet achieved the result they intend.

(Bad Code)

Example Language: Java

synchronized(this) { }

Instead, in a correct usage, the synchronized statement should contain procedures that access or modify data that is exposed to multiple threads. For example, consider a scenario in which several threads are accessing student records at the same time. The method which sets the student ID to a new value will need to make sure that nobody else is accessing this data at the same time and will require synchronization.

(Good Code)

public void setID(int ID){

synchronized(this){

this.ID = ID;

}

Potential Mitigations

Phase: Implementation

When you come across an empty synchronized statement, or a synchronized statement in which the code has been commented out, try to determine what the original intentions were and whether or not the synchronized block is still necessary.

Relationships

Nature	Type	ID	Name	View(s) this relationship pertains to
ChildOf	Category	371	State Issues	Development Concepts699
ChildOf	Weakness Class	398	Indicator of Poor Code Quality	Development Concepts (primary)699 Research Concepts (primary)1000
ChildOf	Category	987	SFP Secondary Cluster: Multiple Locks/Unlocks	Software Fault Pattern (SFP) Clusters (primary)888

Taxonomy Mappings

Mapped Taxonomy Name	Node ID	Fit	Mapped Node Name
Software Fault Patterns	SFP21		Multiple locks/unlocks

References

"Intrinsic Locks and Synchronization (in Java)". <http://java.sun.com/docs/books/tutorial/essential/concurrency/locksync.html>.

Content History

Modifications
Modification Date	Modifier	Organization	Source
2008-07-01	Eric Dalci	Cigital	External
2008-07-01	updated Potential_Mitigations, Time_of_Introduction
2008-09-08	CWE Content Team	MITRE	Internal
2008-09-08	updated Relationships, Other_Notes
2009-05-27	CWE Content Team	MITRE	Internal
2009-05-27	updated Common_Consequences, Demonstrative_Examples, Description, Other_Notes, Potential_Mitigations, References
2011-06-01	CWE Content Team	MITRE	Internal
2011-06-01	updated Common_Consequences
2012-05-11	CWE Content Team	MITRE	Internal
2012-05-11	updated Relationships
2014-07-30	CWE Content Team	MITRE	Internal
2014-07-30	updated Relationships, Taxonomy_Mappings


	Use of the Common Weakness Enumeration and the associated references from this website are subject to the Terms of Use. For more information, please email cwe@mitre.org. CWE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2006-2017, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.	Privacy policy Terms of use Contact us

Common Weakness Enumeration

CWE-585: Empty Synchronized Block