CWE-609: Double-Checked Locking
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.
扩展描述
Double-checked locking refers to the situation where a programmer checks to see if a resource has been initialized, grabs a lock, checks again to see if the resource has been initialized, and then performs the initialization if it has not occurred yet. This should not be done, as it is not guaranteed to work in all languages and on all architectures. In summary, other threads may not be operating inside the synchronous block and are not guaranteed to see the operations execute in the same order as they would appear inside the synchronous block.
常见后果
影响范围: Integrity Other
技术影响: Modify Application Data Alter Execution Logic
潜在缓解措施
阶段: Implementation
描述: While double-checked locking can be achieved in some languages, it is inherently flawed in Java before 1.5, and cannot be achieved without compromising platform independence. Before Java 1.5, only use of the synchronized keyword is known to work. Beginning in Java 1.5, use of the "volatile" keyword allows double-checked locking to work successfully, although there is some debate as to whether it achieves sufficient performance gains. See references.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| The CERT Oracle Secure Coding Standard for Java (2011) | LCK10-J | Do not use incorrect forms of the double-checked locking idiom | - |
| Software Fault Patterns | SFP19 | Missing Lock | - |