Home page logo

fulldisclosure logo Full Disclosure mailing list archives

java.text.MessageFormat - thread safety - a vital question
From: Phani <pklanka () gmail com>
Date: Sun, 13 Mar 2011 08:20:44 +0530

Hello Forum

This question is especially on the function *"public static String
format(String pattern, Object... arguments)"* in Message format class. No
information is given in Javadoc for this function regarding thread safety.
However a generic message for the entire class is given in the javadoc
stating that the - *"Message formats are not synchronized. It is recommended
to create separate format instances for each thread. If multiple threads
access a format concurrently, it must be synchronized externally."*

It is for this reason I believe the code scanning tools like Fortify catch
this function as having lack of thread safety for web applications.

However, if you look at the decompiled source of the function - no shared
object is being accessed. The decompiled source of this function is below -

*public static String format(String pattern, Object ... arguments) {*
*MessageFormat temp = new MessageFormat(pattern);*
*return temp.format(arguments);*

Here *no shared object is being accessed*, a new object is created within
the static method and the same is used for formatting. This decompiled
version indicates that this method is actually thread safe (since no shared
object is present and each method stack in each thread will have its own
copy of MessageFormat. No sharing happens).

Could you tell us if this is the case in the current scenario. This
particular format method is actually thread safe when compared to other
format methods.

Phani Lanka
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • java.text.MessageFormat - thread safety - a vital question Phani (Mar 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]