JD.UMC.FINALIZE

JD.UMC.FINALIZE shows that a method contains an explicit invocation of the finalize() method of an object.

Vulnerability and risk

Object finalizer methods are supposed to be executed once, and only by the JVM, so calling one explicitly is bad practice. Depending on the particular JVM and its method of implementation, the improper behavior may be because the object finalizer method was called twice.

Mitigation and prevention

It is better practice to avoid finalizers at all, and to create an explicit termination method with a different name. If absolutely necessary, a finalizer can call an object finalizer method as a "safety net".

Example 1

11
12
13
14
15
16
17
18
19
20
     OutputStream st;
     protected void finalize() throws Throwable {
         if (st!=null) st.close();
         super.finalize();
     }
 
     void run() throws Throwable{
         // ...
         finalize();
     }

JD.UMC.FINALIZE is reported for call on line 19: There is a call to a 'finalize()' method. This method is not intended to be called explicitly.

External guidance

• CERT MET12-J: Do not use finalizers
• STIG-ID:APP2060.4 The designer will not use unsafe functions documented in the project coding standards