...

Assertions should never be used to verify the absence of runtime (as opposed to logic) errors, such as the following:

  • Invalid user input (including command-line arguments and environment variables)
  • File errors (for example, errors opening, reading, or writing files)
  • Network errors (including network protocol errors)
  • Out-of-memory conditions (when the Java Virtual Machine cannot allocate space for a new object and the garbage collector cannot make sufficient space available)
  • System resource exhaustion (for example, out-of-file descriptors, processes, threads)
  • System call errors (for example, errors executing files, locking or unlocking mutexes)
  • Invalid permissions (for example, file, memory, user)

Code that protects against an I/O error, for example, cannot be implemented as an assertion because it must be present in the deployed executable.

...

This noncompliant code example uses the assert statement to verify that input was available:

BufferedReader br;

// Set up the BufferedReader br

String line;

// ...

line = br.readLine();

assert line != null;

...

This compliant solution demonstrates the recommended way to detect and handle unavailability of input:

BufferedReader br;

// Set up the BufferedReader br

String line;

// ...

line = br.readLine();

if (line == null) {
  // Handle error
}
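
The two fragments above, placed side by side in a runnable program so the difference can be observed on end of input. This is an added example, not code from the original page; the class name `AssertVsCheck`, the method names, and the choice to throw `IOException` as the error handling are assumptions, and the empty input is constructed.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;

public class AssertVsCheck {

    // Noncompliant pattern: the check runs only when the JVM is started with -ea.
    static int lengthWithAssert(BufferedReader br) throws IOException {
        String line = br.readLine();
        assert line != null;      // skipped when assertions are disabled (the JVM default)
        return line.length();     // NullPointerException at end of input in that case
    }

    // Compliant pattern: the check is part of the deployed code path.
    static int lengthWithCheck(BufferedReader br) throws IOException {
        String line = br.readLine();
        if (line == null) {
            // Assumed handling for this example: report the condition to the caller.
            throw new IOException("no input available");
        }
        return line.length();
    }

    // Standard idiom: the assignment is evaluated only when assertions are enabled.
    static boolean assertionsEnabled() {
        boolean enabled = false;
        assert enabled = true;
        return enabled;
    }

    public static void main(String[] args) {
        System.out.println("assertions enabled: " + assertionsEnabled());
        try {
            // Constructed input: an empty stream, so readLine() returns null.
            lengthWithAssert(new BufferedReader(new StringReader("")));
        } catch (AssertionError | NullPointerException | IOException e) {
            System.out.println("assert version:  " + e.getClass().getSimpleName());
        }
        try {
            lengthWithCheck(new BufferedReader(new StringReader("")));
        } catch (IOException e) {
            System.out.println("checked version: " + e.getMessage());
        }
    }
}
```

Run it once with `java AssertVsCheck` and once with `java -ea AssertVsCheck`: the assert version fails differently in each run, while the checked version behaves the same in both.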

Applicability

Assertions are a valuable diagnostic tool for finding and eliminating software defects that may result in vulnerabilities. The absence of assertions, however, does not mean that code is incorrect.

...
