Skip to content

False Positive: DoNotCallFinalize.ql cannot detect 'finalize()' in the function call chain. #21394

New issue
New issue
Open
Open
False Positive: DoNotCallFinalize.ql cannot detect 'finalize()' in the function call chain.#21394
Labels
false-positive
@Carlson-JLQ

Description

@Carlson-JLQ
Carlson-JLQ
opened on Mar 1, 2026

Version
2.23.9

Description of the false positive

When I use java/Violations of Best Practice/Undesirable Calls/DoNotCallFinalize.ql to detect the code as below, it passes normally.

public class NegCase2 {
    @Override
    protected void finalize() throws Throwable {
        // Override of finalize with super.finalize call is allowed.
        super.finalize();
    }
}

However, when I put "super.finalize();" into another function for calling, DoNotCallFinalize.ql reported a problem.

public class NegCase2_Var3 {
    // Helper method to encapsulate the call
    private void callSuperFinalize() throws Throwable {
        super.finalize(); // [REPORTED LINE]
    }
    @Override
    protected void finalize() throws Throwable {
        // Delegate to helper
        callSuperFinalize();
    }
}

These two code snippets are essentially the same and should both pass the test.

Metadata

Metadata

Assignees

No one assigned

    Labels

    false-positive

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions