Skip to content

Java: Enhance java/jvm-exit query and add to quality #20190

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Java: Enhance java/jvm-exit query and add to quality #20190

wants to merge 7 commits into from

Conversation

Napalys
Copy link
Contributor

@Napalys Napalys commented Aug 8, 2025
edited
Loading

This PR integrates improvements from the java/jvm-exit-prevents-cleanup-and-reuse query in codeql-quality-queries into the main CodeQL repository. The enhanced query now provides better detection of problematic JVM termination calls with reduced false positives and has been promoted quality query suite.

It was decided to keep this query at low/medium precision, as there are quite a few false positives. This is largely due to the way command-line interfaces (CLI) and build tools handle application termination: they often use exit calls in ways that differ from standard software practices. As a result, the query may incorrectly flag these legitimate uses as potential issues, which impacts its overall accuracy.

Autofix appears feasible, though acceptance may vary depending on the specific case, as some instances could require more extensive refactoring within the repository.

Note: Since the query's precision is low/medium, it will only be included in the code quality extended suite, and not in the main code quality suite.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Aug 8, 2025
edited
Loading

QHelp previews:

java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToSystemExit.qhelp

Forcible JVM termination

Calling one of the methods System.exit, Runtime.halt, and Runtime.exit immediately terminates the Java Virtual Machine (JVM), effectively killing all threads without giving any of them a chance to perform cleanup actions or recover. As such, it is a dangerous thing to do: firstly, it can terminate the entire program inadvertently, and secondly, it can prevent important resources from being released or program state from being written to disk consistently.

It is sometimes considered acceptable to call System.exit from a program's main method in order to indicate the overall exit status of the program. The main method should be the primary place where exit conditions are handled, as it represents the natural termination point of the application. Such calls are an exception to this rule.

Recommendation

Instead of calling System.exit from non-main methods, prefer to propagate errors upward to the main method where they can be handled appropriately. Consider returning a special value (perhaps null) that users of the current method check for and recover from appropriately. Alternatively, throw a suitable exception, which unwinds the stack and allows properly written code to clean up after itself, while leaving other threads undisturbed. The main method can then catch these exceptions and decide whether to exit the program and with what exit code.

Example

In the following example, problem 1 shows that FileOutput.write tries to write some data to disk and terminates the JVM if this fails. This leaves the partially-written file on disk without any cleanup code running. It would be better to either return false to indicate the failure, or let the IOException propagate upwards and be handled by a method that knows how to recover.

Problem 2 is more subtle. In this example, there is just one entry point to the program (the main method), which constructs an Action and performs it. Action.run calls System.exit to indicate successful completion. Instead, the run method should return a status code or throw an exception on failure, allowing the main method to decide whether to exit and with what exit code. Consider how this code might be integrated in an application server that constructs Action instances and calls run on them without going through main. The fact that run terminates the JVM instead of returning its exit code makes that use-case impossible.

// Problem 1: Miss out cleanup code 
class FileOutput {
    boolean write(String[] s) {
        try {
            output.write(s.getBytes());
        } catch (IOException e) {
            System.exit(1); // BAD: Should handle or propagate error instead of exiting
        }
        return true;
    }
}

// Problem 2: Make code reuse difficult
class Action {
    public void run() {
        // ...
        // Perform tasks ...
        // ...
        System.exit(0); // BAD: Should return status or throw exception
    }
    public static void main(String[] args) {
        new Action().run();
    }
}

// Good example: Proper error handling
class BetterAction {
    public int run() throws Exception {
        // ...
        // Perform tasks ...
        // ...
        return 0; // Return status instead of calling System.exit
    }
    
    public static void main(String[] args) {
        try {
            BetterAction action = new BetterAction();
            int exitCode = action.run();
            System.exit(exitCode); // GOOD: Exit from main method
        } catch (Exception e) {
            System.err.println("Error: " + e.getMessage());
            System.exit(1); // GOOD: Exit from main method on error
        }
    }
}

References

@Napalys Napalys force-pushed the java/jvm-exit-query-promotion branch 4 times, most recently from 2cf0828 to 5a643be Compare August 11, 2025 06:48
@Napalys Napalys added the no-change-note-required This PR does not need a change note label Aug 11, 2025
@Napalys Napalys force-pushed the java/jvm-exit-query-promotion branch from 5a643be to f6aad96 Compare August 11, 2025 07:24
@Napalys Napalys marked this pull request as ready for review August 11, 2025 08:48
@Napalys Napalys requested a review from a team as a code owner August 11, 2025 08:48
@Copilot Copilot AI review requested due to automatic review settings August 11, 2025 08:48
Copilot
Copilot AI reviewed Aug 11, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances the java/jvm-exit query by improving its accuracy and reducing false positives, then promotes it from low to medium precision and includes it in the quality query suite.

  • Enhanced the query logic to better distinguish between legitimate and problematic JVM exit calls
  • Added comprehensive test coverage with examples for System.exit(), Runtime.exit(), and Runtime.halt()
  • Updated documentation with improved guidance on proper error handling patterns

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

Show a summary per file
File Description
CallsToSystemExit.ql Refactored query with improved filtering logic to reduce false positives and better precision
CallsToSystemExit.qhelp Enhanced documentation with clearer recommendations and better examples
CallsToSystemExit.java Extended example code with both problematic and recommended patterns
Test files (ExampleSystemExit.java, etc.) Added comprehensive test cases covering different exit method scenarios
Query suite files Added the enhanced query to the quality suite and removed from excluded list

@Napalys Napalys requested a review from knewbury01 August 11, 2025 13:04
michaelnebel
michaelnebel reviewed Aug 21, 2025
View reviewed changes
Copy link
Contributor

@michaelnebel michaelnebel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great improvement!

java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToSystemExit.ql
@@ -4,26 +4,71 @@
* reuse and prevent important cleanup steps from running.
* @kind problem
* @problem.severity warning
* @precision low
* @precision medium
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note, that setting this to medium only adds the query to java-code-quality-extended (and not java-code-quality). Maybe it is worth reflecting it in the PR description.

The DCA run for the query looks fine in the sense that, if the query was included in the code-quality suite it wouldn't cause any overall performance regressions and it appears to produce some results. However, it is worth noting that

  • The query was only included in the nightly.qls in the DCA run as the precision was set to high before the force push (which set it to medium).
  • The query is only included in the second variant of DCA (due to the above), due to the change in precision.

As the query is only included in query execution for the second DCA variant we are not testing the performance and/or result implications for the changes made to the query in this PR. I think it will make sense to make a DCA run that specifically targets this query (to get the result and performance diff) to get the query included in the executions on both DCA variants.

java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToSystemExit.ql Outdated
this.fromSource() and
not this instanceof MainMethod and
not this instanceof LikelyTestMethod and
not this.getEnclosingCallable() instanceof LikelyTestMethod
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It this to capture local classes in test methods? If so, can local classes be nested?

Copy link
Contributor Author

@Napalys Napalys Aug 22, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I have tried to extend it for nested local classes here 41a78a0 -> eb6e9b8. What do you think, does this sound good?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, that looks good.

Napalys and others added 2 commits August 21, 2025 13:21
@Napalys Napalys force-pushed the java/jvm-exit-query-promotion branch from 681e568 to 71e827e Compare August 21, 2025 14:15
@Napalys Napalys force-pushed the java/jvm-exit-query-promotion branch from 71e827e to eb6e9b8 Compare August 21, 2025 14:20
@Napalys Napalys requested a review from michaelnebel August 22, 2025 06:36
@Napalys @michaelnebel
Update java/ql/src/Violations of Best Practice/Undesirable Calls/Call…
4a693d9 
…sToSystemExit.ql

Co-authored-by: Michael Nebel <michaelnebel@github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michaelnebel michaelnebel michaelnebel left review comments

Copilot code review Copilot Copilot left review comments

@knewbury01 knewbury01 Awaiting requested review from knewbury01

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
documentation Java no-change-note-required This PR does not need a change note
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Napalys @michaelnebel