...
Code Block |
---|
|
import java.io.IOException;
import java.lang.reflect.Field;
import sun.misc.Unsafe;
public class UnsafeCode {
public static void main( String[] args ) throws SecurityException, NoSuchFieldException,
IllegalArgumentException, IllegalAccessException {
Field f = Unsafe.class.getDeclaredField("theUnsafe""theUnsafe");
field.setAccessible(true);
Unsafe u = (Unsafe) field.get(null);
u.throwException(new IOException(""No need to declare this checked exception""));
}
}
|
Noncompliant Code Example
...
Code Block |
---|
|
public class BadNewInstance {
private static Throwable throwable;
private BadNewInstance() throws Throwable {
throw throwable;
}
public static synchronized void undeclaredThrow(Throwable throwable) {
// These two should not be passed
if (throwable instanceof IllegalAccessException || throwable instanceof InstantiationException) {
throw new IllegalArgumentException(); // Unchecked, no declaration required
}
BadNewInstance.throwable = throwable;
try {
BadNewInstance.class.newInstance();
} catch (InstantiationException e) { /* dead code */ }
catch (IllegalAccessException e) { /* dead code */ }
finally { BadNewInstance.throwable = null; } // Avoid memory leak
}
}
public class UndeclaredException {
public static void main(String[] args) { // No declared checked exceptions
BadNewInstance.undeclaredThrow(new Exception(""Any checked exception""));
}
}
|
Even if the programmer wishes to catch and handle the possible checked exceptions, the compiler refuses to believe that any can be thrown in the particular context. One way to deal with this difficulty is to catch Exception
and check whether the possible checked exception is an instance of it else re-throw the exception. This is shown below. The most obvious pitfall is that this technique is easy to bypass whenever an unanticipated checked exception is thrown.
Code Block |
---|
public static void main(String[] args) {
try {
BadNewInstance.undeclaredThrow(new IOException(""Any checked exception""));
} catch(Exception e) {
if (e instanceof IOException) {
System.out.println(""IOException occurred"");
} else if (e instanceof RuntimeException) {
throw (RuntimeException) e;
} else {
//some other unknown checked exception
}
}
}
|
...
Code Block |
---|
|
// Generic type for a builder used to build any object of type T
public interface Builder<T>Builder<T> {
public T build();
}
|
A client can pass a builder to a method and request the creation of an object. A bounded wildcard type should be used to constrain the builder's type parameter. In the code snippet that follows, a US Dollar (USD) is built from coins of different denomination.
Code Block |
---|
USD buildCurrency(Builder<Builder<? extends denomination>denomination> currencyBuilder) { /* ... */ }
|
...
Code Block |
---|
|
interface Thr<EXCThr<EXC extends Exception>Exception> {
void fn() throws EXC;
}
public class UndeclaredGen {
static void undeclaredThrow() throws RuntimeException {
@SuppressWarnings("unchecked""unchecked") // Suppresses warnings
Thr<RuntimeException>Thr<RuntimeException> thr = (Thr<RuntimeException>Thr<RuntimeException>)(Thr)
new Thr<IOException>Thr<IOException>() {
public void fn() throws IOException {
throw new IOException();
}
};
thr.fn();
}
public static void main(String[] args) {
undeclaredThrow();
}
}
|
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
Wiki Markup |
---|
\[[JLS 05|AA. Java References#JLS 05]\] Chapter 11: Exceptions
\[[Venners 03|AA. Java References#Venners 03]\] ""Scalability of Checked Exceptions""
\[[Roubtsov 03|AA. Java References#Roubtsov 03]\]
\[[Schwarz 04|AA. Java References#Schwarz 04]\]
\[[Goetz 04b|AA. Java References#Goetz 04b]\]
\[[Bloch 08|AA. Java References#Bloch 08]\] Item 2: ""Consider a builder when faced with many constructor parameters""
\[[MITRE 09|AA. Java References#MITRE 09]\] [CWE ID 703|http://cwe.mitre.org/data/definitions/703.html] ""Failure to Handle Exceptional Conditions"", [CWE ID 248|http://cwe.mitre.org/data/definitions/248.html] ""Uncaught Exception"" |
...
EXC05-J. Use a class dedicated to reporting exceptions 13. Exceptional Behavior (EXC) EXC07-J. Restore prior object state on method failure