Methods invoked from within a finally
block can throw an exception. Failure to catch and handle such exceptions results in the abrupt termination of the entire try
block. This Abrupt termination causes any exception thrown in the try
block to be forgottenlost, preventing any possible recovery method from handling that specific problem. Additionally, the transfer of control associated with the exception may prevent execution of any expressions or statements that occur after the point in the finally
block from which the exception is thrown. Consequently, programs must appropriately handle checked exceptions that are thrown from within a finally
block.
Allowing checked exceptions to escape a finally
block also violates ERR04-J. Do not exit complete abruptly from a finally block.
Noncompliant Code Example
This noncompliant code example contains a finally
block that closes the reader
object. The programmer incorrectly assumes that the statements in the finally
block cannot throw exceptions , and consequently fails to appropriately handle any exception that may arise.
Code Block | ||
---|---|---|
| ||
public class Operation { public static void doOperation(String some_file) { // ... codeCode to check or set character encoding ... try { BufferedReader reader = new BufferedReader(new FileReader(some_file)); try { // Do operations } finally { reader.close(); // ... Other clean-upcleanup code ... } } catch (IOException x) { // Forward to handler } } } |
The close()
method can throw an IOException
, which, if thrown, would prevent execution of any subsequent clean-up cleanup statements. The compiler will correctly fail to diagnose this problem because IOException}}s are This problem will not be diagnosed by the compiler because any IOException
would be caught by the outer catch
block. Also, an exception thrown from the {{close()
operation can also mask any exception that gets thrown during execution of the Do operations
section block, preventing proper recovery.
...
This compliant solution encloses the close()
method invocation in a try-catch
block of its own within the finally
block. Consequently, the potential IOException
can be handled without permitting allowing it to propagate fartherfurther.
Code Block | ||
---|---|---|
| ||
public class Operation { public static void doOperation(String some_file) { // ... codeCode to check or set character encoding ... try { BufferedReader reader = new BufferedReader(new FileReader(some_file)); try { // Do operations } finally { try { reader.close(); } catch (IOException ie) { // Forward to handler } // ... Other clean-upcleanup code ... } } catch (IOException x) { // Forward to handler } } } |
Compliant Solution (
...
try
-with-resources)
Java 1.SE 7 provides introduced a new feature , called try
-with-resources, that that can close certain resources automatically in the event of an error. This compliant solution uses try
-with-resources to properly close the file.
Code Block | ||
---|---|---|
| ||
public class Operation { public static void doOperation(String some_file) { // ... codeCode to check or set character encoding ... try ( // try-with-resources BufferedReader reader = new BufferedReader(new FileReader(some_file))) { // Do operations } catch (IOException ex) { System.err.println("thrown exception: " + ex.toString()); Throwable[] suppressed = ex.getSuppressed(); for (int i = 0; i < suppressed.length; i++) { System.err.println("suppressed exception: " + suppressed[i].toString()); } // Forward to handler } } public static void main(String[] args) { if (args.length < 1) { System.out.println("Please supply a path as an argument"); return; } doOperation(args[0]); } } |
When an IOException
occurs in the try
block of the doOperation()
method, it will be is caught by the catch
block and be printed as the thrown exception. This includes both any exceptions while doing operations and also any exceptions incurred while Exceptions that occur while creating the BufferedReader
are included. When an IOException
occurs while closing the reader
, that exception will is also be caught by the catch
block and will be printed as the thrown exception. When If both the try
block and also closing the reader
throw an IOException
, the catch
clause catches both exceptions , and prints the try
- block exception as the thrown exception. The close exception is suppressed and printed as the suppressed exception. In all cases, the reader
is safely closed.
...
Failure to handle an exception in a finally
block can lead to may have unexpected results.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ERR05-J |
Low |
Unlikely |
Medium | P2 | L3 |
Related Vulnerabilities
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f589648e-6809-4dd2-bcc5-3a3d895a7c50"><ac:plain-text-body><![CDATA[ | [[MITRE 2009 | AA. Bibliography#MITRE 09]] | [CWE-460 | http://cwe.mitre.org/data/definitions/460.html] "Improper Cleanup on Thrown Exception" | ]]></ac:plain-text-body></ac:structured-macro> |
| CWE-584 "Return Inside Finally Block" | ||||
| CWE-248 "Uncaught Exception" | ||||
| CWE-705 "Incorrect Control Flow Scoping" |
Bibliography
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Coverity | 7.5 | PW.ABNORMAL_TERMINATION_ OF_FINALLY_BLOCK | Implemented | ||||||
Parasoft Jtest |
| CERT.ERR05.ARCF CERT.ERR05.ATSF | Avoid using 'return's inside 'finally blocks if thare are other 'return's inside the try-catch block Do not exit "finally" blocks abruptly | ||||||
SonarQube |
| S1163 | Exceptions should not be thrown in finally blocks |
Related Guidelines
CWE-248, Uncaught Exception CWE-460, Improper Cleanup on Thrown Exception CWE-584, Return inside CWE-705, Incorrect Control Flow Scoping CWE-754, Improper Check for Unusual or Exceptional Conditions |
Bibliography
Puzzle 41, "Field and Stream" | |
Section 8.3, "Preventing Resource Leaks (Java)" | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3a113091-d811-4f63-b9aa-049451fdaec3"><ac:plain-text-body><![CDATA[
[[Bloch 2005
AA. Bibliography#Bloch 05]]
Puzzle 41: Field and Stream
]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7ad0dd6a-a408-4725-b854-0c4aaececc93"><ac:plain-text-body><![CDATA[
[[Chess 2007
AA. Bibliography#Chess 07]]
8.3 Preventing Resource Leaks (Java)
]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="ab472a36-4ccf-4b74-b6ec-ee969dace646"><ac:plain-text-body><![CDATA[
[[Harold 1999
AA. Bibliography#Harold 99]]
]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a3d294bb-c714-46c3-9116-8b5f96b49faf"><ac:plain-text-body><![CDATA[
[[J2SE 2011
] | The |
]]></ac:plain-text-body></ac:structured-macro>
...
ERR04-J. Do not exit abruptly from a finally block 06. Exceptional Behavior (ERR) ERR06-J. Do not let code throw undeclared checked exceptions