logo

Call to Thread run() instead of start()

Draft Variant
Structure: Simple
Description

This vulnerability occurs when a program incorrectly calls a thread's `run()` method directly, instead of using the `start()` method. This mistake causes the thread's code to execute within the caller's current thread, bypassing the creation of a new, concurrent thread of execution.

Extended Description

Calling `run()` directly is almost always a programming error. The developer's intent is to launch new, concurrent operations using the `Thread` class. However, by calling `run()`, the code within that method simply executes as a normal function call in the existing thread. This defeats the entire purpose of using threads, leading to sequential execution and potential performance issues, as no true parallelism or concurrency is achieved. The core issue is a misunderstanding of the Java threading model. The `start()` method is responsible for the native OS-level thread creation and scheduling, which then automatically calls the `run()` method in the new thread context. Bypassing `start()` means the `run()` method's code runs with the stack and context of the parent thread, which can cause unexpected behavior, block the UI, or break assumptions about thread-local data and synchronization.
Common Consequences 1
Scope: Other

Impact: Quality DegradationVaries by Context
Detection Methods 1
Automated Static AnalysisHigh
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Potential Mitigations 1
Phase: Implementation
Use the start() method instead of the run() method.
Demonstrative Examples 1
The following excerpt from a Java program mistakenly calls run() instead of start().

Code Example:

Bad
Java
java
Applicable Platforms
Languages:
Java : Undetermined
Modes of Introduction
Implementation
Affected Resources
  1. System Process
Related Weaknesses
ChildOf: Incorrect Synchronization (CWE-821)
Taxonomy Mapping
  • The CERT Oracle Secure Coding Standard for Java (2011)
  • Software Fault Patterns