Exceptions should only be used to denote exceptional conditions. They should not be used for ordinary control flow purposes. Failure to follow this advice complicates both security analysis and debugging, can result in abnormal control flow and can cause performance degradation.
Noncompliant Code Example
This noncompliant code example attempts to concatenate the string elements of the array values, storing the result as the first element.
...
The purpose of exception handling is to detect and recover from exceptional conditions, rather than to transfer control flow. Further, the exception-based idiom is slower than the standard non-exceptional code. It also prevents optimizations that the JVM would otherwise perform.
Compliant Solution
This compliant solution uses a standard for loop to concatenate the strings.
```java
String[] values = new String[3];
values[0] = "value1";
values[1] = "value2";
values[2] = "value3";
int i;
for (i = 1; i < values.length; i++) {
    values[0] = values[0].concat(values[i]);
}
i = 0; // Initialize i to 0 after operation
```
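The following added example is not part of the original guideline and is not its noncompliant code. It shows why an exception used as a loop terminator complicates analysis: the catch block that ends the loop also swallows a genuine defect in the loop body. The class name, the `decorate` helper, the `SUFFIXES` table, and the choice of `ArrayIndexOutOfBoundsException` as the terminating exception are assumptions made for illustration.

```java
public class ExceptionLoopDemo {
    // Constructed lookup table for the example; index 3 does not exist.
    private static final String[] SUFFIXES = {"-a", "-b", "-c"};

    // Hypothetical helper with a genuine defect: for i == 2 it reads SUFFIXES[3].
    static String decorate(String s, int i) {
        return s + SUFFIXES[i + 1];
    }

    // Exception-driven loop: the catch block is meant to signal "end of values",
    // but it also catches the out-of-bounds read inside decorate(), so the
    // method returns a silently truncated result.
    static String concatWithException(String[] values) {
        String result = values[0];
        try {
            int i = 1;
            while (true) {
                result = result.concat(decorate(values[i], i));
                i++;
            }
        } catch (ArrayIndexOutOfBoundsException e) {
            // Intended meaning: reached the end of the array.
        }
        return result;
    }

    // Standard bounded loop: termination does not rely on an exception,
    // so the defect in decorate() propagates to the caller.
    static String concatWithLoop(String[] values) {
        String result = values[0];
        for (int i = 1; i < values.length; i++) {
            result = result.concat(decorate(values[i], i));
        }
        return result;
    }

    public static void main(String[] args) {
        String[] values = {"value1", "value2", "value3"}; // constructed input
        System.out.println("exception idiom: " + concatWithException(values));
        try {
            System.out.println("for loop: " + concatWithLoop(values));
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("for loop exposed the defect: " + e.getMessage());
        }
    }
}
```

With the exception idiom the last element is dropped without any error, while the bounded loop reports the faulty index.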
Risk Assessment
Use of exceptions for any purpose other than detecting and handling exceptional conditions complicates both security analysis and debugging, and can cause performance degradation.
| Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| EXC02-J | low | unlikely | medium | P2 | L3 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this guideline on the CERT website.
Bibliography
[Bloch 2001] Item 39: "Use exceptions only for exceptional conditions"

[JLS 2005]
...