From d2e32631d090cba13cab173752d4ac18143d3b4f Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Fri, 1 Aug 2014 23:24:52 -0400 Subject: [PATCH] fix incorrect lazy initialization of the list of HTTPS pins findbugs tells us: Incorrect lazy initialization and update of static field org.fdroid.fdroid. FDroidCertPins.PINLIST in org.fdroid.fdroid.FDroidCertPins.getPinList(). This method contains an unsynchronized lazy initialization of a static field. After the field is set, the object stored into that location is further updated or accessed. The setting of the field is visible to other threads as soon as it is set. If the futher accesses in the method that set the field serve to initialize the object, then you have a very serious multithreading bug, unless something else prevents any other thread from accessing the stored object until it is fully initialized. Even if you feel confident that the method is never called by multiple threads, it might be better to not set the static field until the value you are setting it to is fully populated/initialized. --- src/org/fdroid/fdroid/FDroidCertPins.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/org/fdroid/fdroid/FDroidCertPins.java b/src/org/fdroid/fdroid/FDroidCertPins.java index 646a792b2..cc7bb7f19 100644 --- a/src/org/fdroid/fdroid/FDroidCertPins.java +++ b/src/org/fdroid/fdroid/FDroidCertPins.java @@ -36,8 +36,9 @@ public class FDroidCertPins { public static String[] getPinList() { if (PINLIST == null) { - PINLIST = new ArrayList(); - PINLIST.addAll(Arrays.asList(DEFAULT_PINS)); + ArrayList pinlist = new ArrayList(); + pinlist.addAll(Arrays.asList(DEFAULT_PINS)); + PINLIST = pinlist; } return PINLIST.toArray(new String[PINLIST.size()]);