SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 12

changes.mady.by.user Tracey Tamules

Saved on

compared with

New Version 13

changes.mady.by.user Tracey Tamules

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Along similar lines, assertions should not be used for argument-checking in public methods. Argument-checking is typically part of the contract of a method, and this contract must be upheld whether assertions are enabled or disabled.

Another problem with using assertions for argument checking is that erroneous arguments should result in an appropriate runtime exception (such as IllegalArgumentException, IndexOutOfBoundsException or NullPointerException). An assertion failure will not throw an appropriate exception.

Noncompliant Code Example

The method AbsAdd() computes and returns the sum of the absolute value of parameters x and y. It lacks parameter validation, in violation of MET01-J. Validate method parameters. Consequently, it can produce incorrect results either because of integer overflow or when either or both of its arguments are Math.abs(Integer.MIN_VALUE).

Code Block
bgColor#FFcccc
public static int AbsAdd(int x, int y) {
  return Math.abs(x) + Math.abs(y);
}
AbsAdd(Integer.MIN_VALUE, 1);

Noncompliant Code Example

This noncompliant code example uses assertions to validate arguments of a public method.

...

The conditions checked by the assertions are reasonable. However, the validation code is omitted when executing with assertions turned off.

Compliant Solution

This compliant solution validates the method arguments by ensuring that values passed to Math.abs() exclude Integer.MIN_VALUE and also by checking for integer overflow. Alternatively, the addition could be performed using type long and the result of the addition stored in a local variable of type long. This alternate implementation would require a check to ensure that the resulting long can be represented in the range of the type int. Failure of this latter check would indicate that an int version of the addition would have overflowed.

Code Block
bgColor#ccccff
public static int AbsAdd(int x, int y) {
  if (x == Integer.MIN_VALUE || y == Integer.MIN_VALUE) {
    throw new IllegalArgumentException();
  }
  int absX = Math.abs(x);
  int absY = Math.abs(y);
  if (absX > Integer.MAX_VALUE - absY) {
    throw new IllegalArgumentException();
  }
  return absX + absY;
}

Risk Assessment

Failure to validate method parameters can result in inconsistent computations, runtime exceptions, and control flow vulnerabilities.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MET02-J

medium

probable

medium

P8

L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Bibliography

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6fca71161282da2e-da029d9f-4f1f4a94-b16da8f3-214ba0bb52f65c4eeec47958"><ac:plain-text-body><![CDATA[

[[Daconta 2003

AA. Bibliography#Daconta 03]]

Item 7: My Assertions Are Not Gratuitous

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="6e4ddaa7774ca1eb-4781021f-414d4a25-8454bd9f-b7ffa783a6e2f23ff87ac12b"><ac:plain-text-body><![CDATA[

[[ESA 2005

AA. Bibliography#ESA 05]]

Rule 68: Explicitly check method parameters for validity, and throw an adequate exception in case they are not valid. Do not use the assert statement for this purpose

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="619229b93d2730ba-fc5a85b0-43de4eff-8e83a56b-a9852cd709b332286cc3cdbd"><ac:plain-text-body><![CDATA[

[[JLS 2005

AA. Bibliography#JLS 05]]

14.10 The assert Statement

]]></ac:plain-text-body></ac:structured-macro>

...