In the presence of a finally block, irrespective When program execution enters a try block that has a finally block, the finally block always executes, regardless of whether the try block (or any associated catch blocks) execute to completion or not, . Statements that cause the finally block is executed. Consequently, statements that to terminate abruptly also cause the finally try block to terminate abruptly may , and consequently mask any thrown exceptions. Keywords such as exception thrown from the try or catch blocks. Never use return, break, continue and throw should never be used or throw statements within a finally block.
Noncompliant Code Example
In this noncompliant code example, the finally block completes abruptly because due to a return statement occurs within its body.
| Code Block | ||
|---|---|---|
| ||
class TryFinally {
private static boolean doLogic() {
try {
throw new IllegalStateException();
} finally {
System.out.println("Uncaught Exception");
return true;
}
}
public static void main(String[] args) {
doLogic();
}
}
|
Consequently, when the IllegalStateException is thrown, it does not propagate all the way up through the call stack. This is because of Rather, the abrupt termination of the finally block that suppresses any useful exception information from being displayed as a result of overriding the exception thrown in the try block.Note that this example would not be insecure if only the try block were to return some value; the finally block always executessuppresses the IllegalStateException because it the return statement becomes the final cause of abrupt termination of the try block.
Compliant Solution
This compliant solution removes the return statement from the finally block. Any return statements must occur after this block.
| Code Block | ||
|---|---|---|
| ||
class TryFinally {
private static boolean doLogic() {
try {
throw new IllegalStateException();
} finally {
System.out.println("Caught Exception");
}
// Any return statements must go here; applicable only when exception is thrown conditionally
}
public static void main(String[] args) {
doLogic();
}
}
|
If In this is adoptedexample, the compiler throws reports an error as because the return statement is unreachable because of the explicit, unavoidable due to the unconditional throwing of IllegalStateException. If the exception is were thrown conditionally, the return statement can could be used without any compilation errorserror.
Risk Assessment
Exiting abruptly from a finally block may result in the masking of thrown exceptionsmasks any exceptions thrown inside the associated try and catch blocks.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
EXC04-J | low | probable | medium | P4 | L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
| Wiki Markup |
|---|
\[[Bloch 2005|AA. Bibliography#Bloch 05]\] Puzzle 36: Indecision \[[Chess 2007|AA. Bibliography#Chess 07]\] 8.2 Managing Exceptions, "The Vanishing Exception" \[[JLS 2005|AA. Bibliography#JLS 05]\] [Section 14.20.2, Execution of try-catch-finally|http://java.sun.com/docs/books/jls/third_edition/html/statements.html#14.20.2] \[[Bloch 2005|AA. Bibliography#Bloch 05]\] Puzzle 36: Indecision \[[Chess 2007|AA. Bibliography#Chess 07]\] 8.2 Managing Exceptions, "The Vanishing Exception" \[[MITRE 2009|AA. Bibliography#MITRE 09]\] [CWE ID 705|http://cwe.mitre.org/data/definitions/705.html] "Incorrect Control Flow Scoping", [CWE ID 584|http://cwe.mitre.org/data/definitions/584.html] "Return Inside Finally Block" |
...