Merge pull request #19844 from tamasvajk/tamasvajk/threadpoolexecutor

Java: Add `java/javautilconcurrentscheduledthreadpoolexecutor` query for zero thread pool size
2025-12-16 16:53:25 +01:00 · 2025-06-26 12:36:09 +02:00
parent afc78ced50 1bd543a8a2
commit ae36f94d5e
7 changed files with 78 additions and 0 deletions
--- a/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected
+++ b/java/ql/integration-tests/java/query-suite/java-code-quality-extended.qls.expected
@@ -32,6 +32,7 @@ ql/java/ql/src/Likely Bugs/Concurrency/CallsToRunnableRun.ql
 ql/java/ql/src/Likely Bugs/Concurrency/DoubleCheckedLocking.ql
 ql/java/ql/src/Likely Bugs/Concurrency/DoubleCheckedLockingWithInitRace.ql
 ql/java/ql/src/Likely Bugs/Concurrency/NonSynchronizedOverride.ql
+ql/java/ql/src/Likely Bugs/Concurrency/ScheduledThreadPoolExecutorZeroThread.ql
 ql/java/ql/src/Likely Bugs/Concurrency/SynchOnBoxedType.ql
 ql/java/ql/src/Likely Bugs/Concurrency/SynchSetUnsynchGet.ql
 ql/java/ql/src/Likely Bugs/Frameworks/JUnit/JUnit5MissingNestedAnnotation.ql
--- a/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected
+++ b/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected
@@ -30,6 +30,7 @@ ql/java/ql/src/Likely Bugs/Concurrency/CallsToRunnableRun.ql
 ql/java/ql/src/Likely Bugs/Concurrency/DoubleCheckedLocking.ql
 ql/java/ql/src/Likely Bugs/Concurrency/DoubleCheckedLockingWithInitRace.ql
 ql/java/ql/src/Likely Bugs/Concurrency/NonSynchronizedOverride.ql
+ql/java/ql/src/Likely Bugs/Concurrency/ScheduledThreadPoolExecutorZeroThread.ql
 ql/java/ql/src/Likely Bugs/Concurrency/SynchOnBoxedType.ql
 ql/java/ql/src/Likely Bugs/Concurrency/SynchSetUnsynchGet.ql
 ql/java/ql/src/Likely Bugs/Frameworks/JUnit/JUnit5MissingNestedAnnotation.ql
--- a/Bugs/Concurrency/ScheduledThreadPoolExecutorZeroThread.md
+++ b/Bugs/Concurrency/ScheduledThreadPoolExecutorZeroThread.md
@@ -0,0 +1,24 @@
+## Overview
+
+According to the Java documentation on `ScheduledThreadPoolExecutor`, it is not a good idea to set `corePoolSize` to zero, since doing so indicates the executor to keep 0 threads in its pool and the executor will serve no purpose.
+
+## Recommendation
+
+Set the `ScheduledThreadPoolExecutor` to have 1 or more threads in its thread pool and use the class's other methods to create a thread execution schedule.
+
+## Example
+
+```java
+public class Test {
+    void f() {
+        int i = 0;
+        ScheduledThreadPoolExecutor s = new ScheduledThreadPoolExecutor(1); // COMPLIANT
+        ScheduledThreadPoolExecutor s1 = new ScheduledThreadPoolExecutor(0); // NON_COMPLIANT
+        s.setCorePoolSize(0); // NON_COMPLIANT
+        s.setCorePoolSize(i); // NON_COMPLIANT
+    }
+}
+```
+
+## References
+- [ScheduledThreadPoolExecutor](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/util/concurrent/ScheduledThreadPoolExecutor.html)
--- a/Bugs/Concurrency/ScheduledThreadPoolExecutorZeroThread.ql
+++ b/Bugs/Concurrency/ScheduledThreadPoolExecutorZeroThread.ql
@@ -0,0 +1,36 @@
+/**
+ * @id java/java-util-concurrent-scheduledthreadpoolexecutor
+ * @name Zero threads set for `java.util.concurrent.ScheduledThreadPoolExecutor`
+ * @description Setting `java.util.concurrent.ScheduledThreadPoolExecutor` to have 0 threads serves
+ *              no purpose and may indicate programmer error.
+ * @kind problem
+ * @precision very-high
+ * @problem.severity recommendation
+ * @previous-id java/javautilconcurrentscheduledthreadpoolexecutor
+ * @tags quality
+ *       reliability
+ *       correctness
+ *       concurrency
+ */
+
+import java
+import semmle.code.java.dataflow.DataFlow
+
+/**
+ * A `Call` that has the ability to set or modify the `corePoolSize` of the `java.util.concurrent.ScheduledThreadPoolExecutor` type.
+ */
+class Sink extends Call {
+  Sink() {
+    this.getCallee()
+        .hasQualifiedName("java.util.concurrent", "ThreadPoolExecutor", "setCorePoolSize") or
+    this.getCallee()
+        .hasQualifiedName("java.util.concurrent", "ScheduledThreadPoolExecutor",
+          "ScheduledThreadPoolExecutor")
+  }
+}
+
+from IntegerLiteral zero, Sink set
+where
+  DataFlow::localFlow(DataFlow::exprNode(zero), DataFlow::exprNode(set.getArgument(0))) and
+  zero.getIntValue() = 0
+select set, "ScheduledThreadPoolExecutor.corePoolSize is set to have 0 threads."
--- a/java/ql/test/query-tests/ScheduledThreadPoolExecutorZeroThread/ScheduledThreadPoolExecutorZeroThread.expected
+++ b/java/ql/test/query-tests/ScheduledThreadPoolExecutorZeroThread/ScheduledThreadPoolExecutorZeroThread.expected
@@ -0,0 +1,3 @@
+| Test.java:7:42:7:75 | new ScheduledThreadPoolExecutor(...) | ScheduledThreadPoolExecutor.corePoolSize is set to have 0 threads. |
+| Test.java:8:9:8:28 | setCorePoolSize(...) | ScheduledThreadPoolExecutor.corePoolSize is set to have 0 threads. |
+| Test.java:9:9:9:28 | setCorePoolSize(...) | ScheduledThreadPoolExecutor.corePoolSize is set to have 0 threads. |
--- a/java/ql/test/query-tests/ScheduledThreadPoolExecutorZeroThread/ScheduledThreadPoolExecutorZeroThread.qlref
+++ b/java/ql/test/query-tests/ScheduledThreadPoolExecutorZeroThread/ScheduledThreadPoolExecutorZeroThread.qlref
@@ -0,0 +1,2 @@
+query: Likely Bugs/Concurrency/ScheduledThreadPoolExecutorZeroThread.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/java/ql/test/query-tests/ScheduledThreadPoolExecutorZeroThread/Test.java
+++ b/java/ql/test/query-tests/ScheduledThreadPoolExecutorZeroThread/Test.java
@@ -0,0 +1,11 @@
+import java.util.concurrent.ScheduledThreadPoolExecutor;
+
+public class Test {
+    void f() {
+        int i = 0;
+        ScheduledThreadPoolExecutor s = new ScheduledThreadPoolExecutor(1); // Compliant
+        ScheduledThreadPoolExecutor s1 = new ScheduledThreadPoolExecutor(0); // $ Alert
+        s.setCorePoolSize(0); // $ Alert
+        s.setCorePoolSize(i); // $ Alert
+    }
+}