Merge pull request #19075 from jcogs33/jcogs33/java/do-not-use-finalizers

Java: Add new quality query to detect `finalize` calls
2026-04-28 02:05:14 +02:00 · 2025-04-22 14:11:14 -04:00
parent ed99088c2b 3aa6b49204
commit 4483a24133
7 changed files with 122 additions and 0 deletions
--- a/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.expected
+++ b/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.expected
@@ -0,0 +1 @@
+| Test.java:4:9:4:23 | finalize(...) | Call to 'finalize()'. |
--- a/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.qlref
+++ b/java/ql/test/query-tests/DoNotCallFinalize/DoNotCallFinalize.qlref
@@ -0,0 +1,2 @@
+query: Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/java/ql/test/query-tests/DoNotCallFinalize/Test.java
+++ b/java/ql/test/query-tests/DoNotCallFinalize/Test.java
@@ -0,0 +1,28 @@
+public class Test {
+    void f() throws Throwable {
+        // NON_COMPLIANT
+        this.finalize(); // $ Alert
+    }
+
+    void f1() throws Throwable {
+        f(); // COMPLIANT
+    }
+
+    @Override
+    protected void finalize() throws Throwable {
+        // COMPLIANT: If a subclass overrides `finalize()`
+        // it must invoke the superclass finalizer explicitly.
+        super.finalize();
+    }
+
+    // Overload of `finalize`
+    protected void finalize(String s) throws Throwable {
+        // ...
+    }
+
+    void f2() throws Throwable {
+        // COMPLIANT: call to overload of `finalize`
+        this.finalize("overload");
+    }
+
+}
				`@@ -0,0 +1 @@`
				`\| Test.java:4:9:4:23 \| finalize(...) \| Call to 'finalize()'. \|`