Avoid Public finalize() methods

Why you should care

A program should never call finalize() explicitly, except to call super.finalize() inside its own implementation of finalize(). In mobile code situations, the otherwise error-prone practice of manual garbage collection can become a security threat if an attacker can maliciously invoke one of your finalize() methods because it is declared with public access. If you are using finalize() as it was designed, there is no reason to declare it with anything other than protected access.

How we detect

CAST Highlight counts one occurrence each time a class declares a finalize() method with the public modifier or with no modifier at all (visibility is public by default).

public class CrashedFinalizable {
    @Override
    public void finalize() { // +1 VIOLATION: finalize() is declared public
        System.out.print("");
    }
}

public class CrashedFinalizable_2 {
    @Override
    def finalize() { // +1 VIOLATION: no modifier, and public is the default visibility
        System.out.print("");
    }
}
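As an added example (not code from the CAST Highlight page), the violating form beside the compliant one, followed by a reflection check that mirrors the rule's criterion; the class names and the helper declaresPublicFinalize() are hypothetical.

```groovy
import java.lang.reflect.Modifier

// Violation: a public finalize() can be invoked by any code holding a reference.
// In Groovy, omitting the modifier also means public.
class LeakyHandle {
    def finalize() {
        println 'cleanup'
    }
}

// Compliant: keep the access level Object.finalize() declares (protected) and
// chain to super.finalize() in a finally block, so superclass cleanup still
// runs if this class's cleanup throws.
class GuardedHandle {
    @Override
    protected void finalize() throws Throwable {
        try {
            println 'cleanup'
        } finally {
            super.finalize()
        }
    }
}

// Hypothetical helper applying the rule's criterion: does the class itself
// declare a public finalize()? Only methods declared on the class count, so the
// inherited protected Object.finalize() is not flagged.
boolean declaresPublicFinalize(Class<?> cls) {
    try {
        Modifier.isPublic(cls.getDeclaredMethod('finalize').modifiers)
    } catch (NoSuchMethodException ignored) {
        false
    }
}

assert declaresPublicFinalize(LeakyHandle)      // +1 VIOLATION
assert !declaresPublicFinalize(GuardedHandle)   // compliant
```

Note that finalize() has been deprecated since Java 9 (marked for removal since Java 18), so new code should prefer try-with-resources or java.lang.ref.Cleaner over any finalizer.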

References

5362

About CAST and Highlight’s Code Insights

Over the last 25 years, CAST has built unique knowledge on software quality measurement by analyzing thousands of applications and billions of lines of code. Based on this experience and on community standards for programming best practices, Highlight implements hundreds of code insights across 15+ technologies to calculate the health factors of a software application.