Java: Add new quality query to detect calls to Thread.run()

[jcogs33]

DRAFT

Will likely be merged with CallsToRunnableRun.ql.

Description

Updates the pre-existing java/call-to-thread-run quality query based on the similar java/run-method-called-on-java-lang-thread-directly query from the services team's quality queries.

Consideration

Changes from the services team's query. Let me know if you disagree with any of these changes:

• TODO: Not keeping the very-high/warning precision/severity, but leaving as the existing high/recommendation?
• Not keeping the performance tag.
• Not keeping the reliance on the existence of a java.lang.Thread import statement from the services team's query. Since java.lang classes do not need to be explicitly imported, the reliance on the existence of this import statement was causing FNs.
• Keeping the exclusion for calls to run within a run method that is in the pre-existing query, but was not in the services team's query.
• Alert count comparison between the two queries. The differences are mainly caused by the FNs from the java.lang.Thread import statement requirement.
  • MRVA top-100:
    • java/run-method-called-on-java-lang-thread-directly: 8 alerts
    • java/call-to-thread-run: 62 alerts
  • MRVA top-1000:
    • java/run-method-called-on-java-lang-thread-directly: 18 alerts
    • java/call-to-thread-run: 161 alerts

Questions:

• TODO: Is this query valuable enough to be in the code-quality suite?

Other Notes:

• Autofixes: TODO
• DCA: TODO

[github-actions]

QHelp previews:

java/ql/src/Likely Bugs/Concurrency/CallsToRunnableRun.qhelp

Direct call to a 'run()' method

A direct call of a Thread object's run method does not start a separate thread. The method is executed within the current thread. This is an unusual use because Thread.run() is normally intended to be called from within a separate thread.

Recommendation

To execute Runnable.run from within a separate thread, do one of the following:

• Construct a Thread object using the Runnable object, and call start on the Thread object.
• Define a subclass of a Thread object, and override the definition of its run method. Then construct an instance of this subclass and call start on that instance directly.

Example

In the following example, the main thread, ThreadDemo, calls the child thread, NewThread, using run. This causes the child thread to run to completion before the rest of the main thread is executed, so that "Child thread activity" is printed before "Main thread activity".

public class ThreadDemo {
    public static void main(String args[]) {
        NewThread runnable = new NewThread();

        runnable.run();    // Call to 'run' does not start a separate thread

        System.out.println("Main thread activity.");
    }
}

class NewThread extends Thread {
    @Override
    public void run() {
        try {
            Thread.sleep(10000);
        }
        catch (InterruptedException e) {
            System.out.println("Child interrupted.");
        }
        System.out.println("Child thread activity.");
    }
}

To enable the two threads to run concurrently, create the child thread and call start, as shown below. This causes the main thread to continue while the child thread is waiting, so that "Main thread activity" is printed before "Child thread activity".

public class ThreadDemo {
    public static void main(String args[]) {
    	NewThread runnable = new NewThread();

        runnable.start();    // Call 'start' method

        System.out.println("Main thread activity.");
    }
}

References

• The Java Tutorials: Defining and Starting a Thread.
• Java API Specification: Thread.run().
• SEI CERT Oracle Coding Standard for Java: THI00-J. Do not invoke Thread.run().
• Common Weakness Enumeration: CWE-572.