False Negative: DoubleCheckedLockingWithInitRace.ql misses initialization races once the double-checked pattern is split across helpers or early returns.

[Carlson-JLQ]

False Negative: DoubleCheckedLockingWithInitRace.ql misses initialization races once the double-checked pattern is split across helpers or early returns.

Version
codeql 2.24.3

Checker

• Checker id: Likely Bugs/Concurrency/DoubleCheckedLockingWithInitRace.ql
• Checker description: This checker detects a potential race condition in double-checked locking patterns where a field assignment inside a synchronized block may be visible to other threads before subsequent side-effect statements are executed.

Description of the false negative

These samples still publish f before the rest of the initialization work is complete. One variant moves the synchronized initialization into a helper, and the other rewrites the fast path as an early return, but the initialization race is the same.

Affected test cases

PosCase1_Var3.java

The helper call only hides the same double-checked-locking race where publication happens before later side effects.

// Double-checked locking with assignment to another field after the field assignment should be flagged as potential race condition.
package scensct.var.pos;

public class PosCase1_Var3 {
    private Object f;
    private Object otherField;

    public Object getF() {
        if (f == null) {
            initField();
        }
        return f;
    }

    private void initField() {
        synchronized (this) {
            if (f == null) {
                f = new Object();
                otherField = new Object();
            }
        }
    }
}

PosCase1_Var5.java

This still publishes the initialized object before a later field assignment completes, which is the race the query is meant to catch.

// Double-checked locking with assignment to another field after the field assignment should be flagged as potential race condition.
package scensct.var.pos;

public class PosCase1_Var5 {
    private Object f;
    private Object otherField;

    public Object getF() {
        if (f != null) {
            return f;
        }
        synchronized (this) {
            if (f == null) {
                f = new Object();
                otherField = new Object();
            }
            return f;
        }
    }
}

Cause analysis

The query appears too tied to one inline statement ordering pattern for double-checked initialization. Once the synchronized block is extracted into a helper or the fast path is expressed as an early return, it stops recognizing that f becomes visible before the remaining side effects complete.

That is a real concurrency gap. Initialization races often survive exactly this kind of refactoring.

References

None known.

[redsun82]

👋 @Carlson-JLQ thanks for this one. This one stands out to me in the batch of issues you have been posting. I will relay this internally.

Just as feedback to you 🙌 I think you should focus your efforts on cases like this. Static analysis will never be complete, there's always ways to fool it. Most of the other issues you posted these days, though technically true false positives or negatives, tend to be on somewhat artificial code snippets. While technically true, it makes it hard to get signal on potentially more impactful issues like this one. Finding instances of an issue happening in real repository (for example using multi-repository variant analysis) would also put much more weight on it.

[Carlson-JLQ]

👋 @Carlson-JLQ thanks for this one. This one stands out to me in the batch of issues you have been posting. I will relay this internally.

Just as feedback to you 🙌 I think you should focus your efforts on cases like this. Static analysis will never be complete, there's always ways to fool it. Most of the other issues you posted these days, though technically true false positives or negatives, tend to be on somewhat artificial code snippets. While technically true, it makes it hard to get signal on potentially more impactful issues like this one. Finding instances of an issue happening in real repository (for example using multi-repository variant analysis) would also put much more weight on it.

Thank you so much for your detailed and thoughtful feedback! I really appreciate you taking the time to explain this and for highlighting this issue as impactful.
Initially, we tested CodeQL on real-world projects, but we found it challenging to accurately identify and extract false positives/negatives, which also required a lot of manual effort and verification. For that reason, we focused on several checkers marked as security, correctness, and reliability, and used simplified test cases to check whether they suffer from false positives or negatives.
Going forward, I will follow your advice and focus more on impactful issues like this one. I will also pay closer attention to whether these false positive/negative patterns appear in real-world codebases and whether CodeQL can successfully detect them.
Thanks again for your guidance and for relaying this issue internally!

[Carlson-JLQ]

👋 @Carlson-JLQ thanks for this one. This one stands out to me in the batch of issues you have been posting. I will relay this internally.

Just as feedback to you 🙌 I think you should focus your efforts on cases like this. Static analysis will never be complete, there's always ways to fool it. Most of the other issues you posted these days, though technically true false positives or negatives, tend to be on somewhat artificial code snippets. While technically true, it makes it hard to get signal on potentially more impactful issues like this one. Finding instances of an issue happening in real repository (for example using multi-repository variant analysis) would also put much more weight on it.

We selected several checkers under corresponding CWE categories that have equivalent rules in other static analysis tools such as PMD, ErrorProne, and SonarQube.We conducted differential testing and found that these other tools did not produce false positives or false negatives on certain test cases, while the corresponding CodeQL checkers did.
Since these checkers are all CWE-related, we believe such false positives and false negatives are likely to appear in real-world projects.
For example, #21556
May I submit this entire batch of issues? There are 35 in total.