finalize() Method Without super.finalize()

Status: Draft
Abstraction: Variant
Structure: Simple
Description

The product contains a finalize() method that does not call super.finalize().

Extended Description

The Java Language Specification states that it is good practice for a finalize() method to call super.finalize(). The JVM does not chain finalizers automatically: when a subclass overrides finalize() and omits the call, the superclass's finalize() body never runs, so any cleanup the superclass performs there (releasing native handles, closing descriptors, unregistering listeners) is silently skipped. Note that Object.finalize() has been deprecated since Java 9 and deprecated for removal since Java 18; new code should use try-with-resources (AutoCloseable) or java.lang.ref.Cleaner instead, and the chaining rule applies to code that still overrides finalize().

Common Consequences
Scope: Other

Impact: Quality Degradation

Detection Methods
Automated Static Analysis (Effectiveness: High)
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations
Phase: Implementation
Call the super.finalize() method, preferably from a finally block after the subclass's own cleanup, so that the superclass finalizer still runs if the subclass cleanup throws.
Phase: Testing
Use static analysis tools to spot such issues in your code.
Demonstrative Examples
The following method omits the call to super.finalize().

Code Example (Bad, Java):
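As an added illustration (this is not the CWE entry's own demonstrative code), the following shows a superclass whose finalizer releases a resource, a subclass that omits super.finalize() so that release never happens, and the corrected subclass that chains the call from a finally block. The class names and the `released` flag are hypothetical stand-ins for a real native resource.

```java
// Added example, not from the CWE page. Class names and the `released`
// flag are hypothetical; they stand in for a native handle held by a base class.

// Base class whose finalizer releases the resource it owns.
class ResourceHolder {
    protected boolean released = false;

    @Override
    protected void finalize() throws Throwable {
        try {
            released = true;      // release the base class's resource
        } finally {
            super.finalize();     // chain to Object.finalize()
        }
    }
}

// BAD (CWE-568): overrides finalize() without calling super.finalize().
// ResourceHolder.finalize() never runs, so `released` stays false.
class LeakySubclass extends ResourceHolder {
    @Override
    protected void finalize() throws Throwable {
        // subclass-only cleanup; superclass finalizer is skipped
    }
}

// GOOD: subclass cleanup first, then super.finalize() in a finally block
// so the superclass finalizer runs even if the subclass cleanup throws.
class ChainedSubclass extends ResourceHolder {
    @Override
    protected void finalize() throws Throwable {
        try {
            // subclass cleanup here
        } finally {
            super.finalize();
        }
    }
}

public class FinalizeChainDemo {
    // finalize() is invoked directly here to make the effect deterministic and
    // observable; in production the JVM calls it from the finalizer thread at an
    // unspecified time, which is one reason finalizers are deprecated.
    public static void main(String[] args) throws Throwable {
        LeakySubclass leaky = new LeakySubclass();
        leaky.finalize();
        System.out.println("LeakySubclass released base resource: " + leaky.released);

        ChainedSubclass chained = new ChainedSubclass();
        chained.finalize();
        System.out.println("ChainedSubclass released base resource: " + chained.released);
    }
}
```

Running the demo shows that the leaky subclass leaves the base resource unreleased while the chained subclass releases it. The direct calls to finalize() compile because all classes share a package; on Java 18 and later the compiler also emits a removal-deprecation warning for the overrides, which is the cue to migrate to AutoCloseable or java.lang.ref.Cleaner.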
Applicable Platforms
Languages:
Java (Undetermined Prevalence)
Modes of Introduction
Implementation
Taxonomy Mapping
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • Software Fault Patterns