Scope minimization helps developers to avoid common programming errors, improves code readability by tying together the declaration and actual use of a variable, and improves maintainability because unused variables are more easily detected and removed.
Noncompliant Code Example
This noncompliant code example shows a variable that is declared outside the for loop. This reduces reusability because the value of the loop index i will have changed after the for statement. Consider, for instance, the case when this code snippet is copied and pasted with the intent to use a different index j. If the index variable change were omitted, the new loop would then attempt to iterate over index i. Unexpected behavior can follow because i remains in scope.
...
It should be noted that this code is noncompliant because i is not used outside the for loop. If, for instance, the loop contained a break statement, and the value of i when the loop exits prematurely is inspected, that would be a valid reason for i to be declared local to the method.
Compliant Solution
Minimize the scope of variables where possible, for example, by declaring loop indexes within the for statement.
| Code Block | ||
|---|---|---|
| ||
public class Scope {
public static void main(String[] args) {
for (int i = 0; i < 10; i++) { //contains declaration
// Do operations
}
}
}
|
Noncompliant Code Example
This noncompliant code example shows a variable that is declared outside the counter method. This reduces reusability because the variable is not actually used anywhere outside the counter method.
| Code Block | ||
|---|---|---|
| ||
public class Foo {
private int count;
static private final int MAX_COUNT;
public void counter() {
count = 0;
while (condition()) {
/* ... */
if (count++ > MAX_COUNT) return;
}
}
/* No other method references count */
}
|
Compliant Solution
In this case, the count field is only accessible within the counter method.
| Code Block | ||
|---|---|---|
| ||
public class Foo {
static private final int MAX_COUNT;
public void counter() {
int count = 0;
while (condition()) {
/* ... */
if (count++ > MAX_COUNT) return;
}
}
/* No other method references count */
}
|
Risk Assessment
Using a larger scope than is necessary results in less reliable code.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
SCP00-J | low | unlikely | medium | P2 | L3 |
Automated Detection
Detecting local variables that are declared in a larger scope than is required by the as-written code is straightforward and can avoid any possibility of false positives.
Detecting multiple for statements that use the same index variable is straightforward; it will produce false positives in the unusual case where this was intended by the programmer.
Related Guidelines
C Secure Coding Standard: DCL19-C. Use as minimal a scope as possible for all variables and functions
C++ Secure Coding Standard: DCL07-CPP. Use as minimal scope as possible for all variables and methods
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
| Wiki Markup |
|---|
\[[Bloch 2001|AA. Bibliography#Bloch 01]\] Item 29, Minimize the scope of local variables \[[JLS 2005|AA. Bibliography#JLS 05]\] [Section 14.4.2|http://java.sun.com/docs/books/jls/third_edition/html/statements.html#14.4.2], "Scope of Local Variable Declarations" |
...