...
Unchecked exception classes such as Error and its subclasses do not undergo compile time checking as it is tedious to account for all cases and recovery is generally difficult. However, most often recovery is not impossible or at least a graceful exit that logs the error is feasible.
...
Noncompliant Code Example
This code generates a StackOverflowError due to infinite recursion. This would tend to exhaust the existing stack space.
| Code Block | ||
|---|---|---|
| ||
public class StackOverflow {
public static void main(String[] args) {
infiniteRun();
System.out.println("Continuing...");
}
private static void infiniteRun() {
infiniteRun();
}
}
|
Compliant Solution
This compliant solution shows how a try-catch block can be used to capture java.lang.Error or java.lang.Throwable. A log entry can be made at this point followed by attempts to free system resources.
| Code Block | ||
|---|---|---|
| ||
public class StackOverflow {
public static void main(String[] args) {
infiniteRun();
System.out.println("Continuing...");
}
private static void infiniteRun() {
try {
infiniteRun();
}catch(Throwable t) {
System.out.println("Handling error...");
//free cache, release resources and log error to file
}
}
}
|
Risk Assessment
TODO
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
CTL00-J | ?? | ?? | ?? | P?? | L?? |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
Covert Java, Chapter 16, Intercepting Control Flow - Intercepting System Errors
JLS, 11.2 Compile-Time Checking of Exceptions