Never use {{return}}, {{break}}, {{continue}}, or {{throw}} statements within a {{finally}} block. When program execution enters a {{try}} block that has a {{finally}} block, the {{finally}} block always executes, regardless of whether the {{try}} block (or any associated {{catch}} blocks) executes to completion. Statements that cause the {{finally}} block to terminate abruptly also cause the {{try}} block to terminate abruptly and consequently mask any exception thrown from the {{try}} or {{catch}} blocks \[[JLS 2005|http://java.sun.com/docs/books/jls/third_edition/html/statements.html#14.20.2]\].
In this noncompliant code example, the finally block completes abruptly because of a return statement in the block.
{code:java}
class TryFinally {
    private static boolean doLogic() {
        try {
            throw new IllegalStateException();
        } finally {
            System.out.println("Uncaught Exception");
            // The return completes the finally block abruptly and discards the
            // pending IllegalStateException; the caller simply sees "true".
            return true;
        }
    }

    public static void main(String[] args) {
        doLogic();
    }
}
{code}
The IllegalStateException is suppressed by the abrupt termination of the finally block caused by the return statement.
This compliant solution removes the return statement from the finally block.
{code:java}
class TryFinally {
    private static boolean doLogic() {
        try {
            throw new IllegalStateException();
        } finally {
            // The finally block completes normally, so the pending
            // IllegalStateException propagates to the caller.
            System.out.println("Caught Exception");
        }
        // Any return statements must go here; applicable only when exception is thrown conditionally
    }

    public static void main(String[] args) {
        doLogic();
    }
}
{code}
Exiting abruptly from a finally block masks any exceptions thrown inside the associated try and catch blocks.
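As an added example that is not part of the CERT page, the following Java class contrasts the masking described above with a {{finally}} block that completes normally. It goes beyond the page's unchecked {{IllegalStateException}} case to a checked {{IOException}}, where the abrupt {{finally}} also stops the compiler from requiring a {{throws}} clause, and it assumes {{Throwable.addSuppressed}} is available (Java 7 and later).

```java
import java.io.IOException;

// Added demonstration, not code from the CERT page: a finally block that
// completes abruptly discards the exception pending from the try block.
public class FinallyMasking {
    // Noncompliant: return in finally. Since the finally block cannot complete
    // normally, the try statement cannot throw (JLS 14.20.2), so javac does
    // not even require "throws IOException" on this method.
    static boolean returnMasks() {
        try {
            throw new IOException("disk write failed");
        } finally {
            return true; // caller sees success; the IOException is gone
        }
    }
    // Noncompliant: throw in finally replaces the original exception; the
    // IOException and its stack trace are lost.
    static void throwMasks() {
        try {
            throw new IOException("disk write failed");
        } finally {
            throw new IllegalStateException("cleanup failed");
        }
    }
    // Compliant: finally completes normally, so the IOException propagates;
    // a failing cleanup is attached with addSuppressed (Java 7+), not thrown.
    static void preservesOriginal() throws IOException {
        IOException pending = null;
        try {
            throw new IOException("disk write failed");
        } catch (IOException e) {
            pending = e;
            throw e;
        } finally {
            try {
                throw new IllegalStateException("cleanup failed");
            } catch (RuntimeException cleanup) {
                if (pending != null) pending.addSuppressed(cleanup);
                else throw cleanup; // nothing pending: report the cleanup failure
            }
        }
    }
    public static void main(String[] args) {
        System.out.println("returnMasks(): " + returnMasks());
        try { throwMasks(); } catch (RuntimeException e) { System.out.println("throwMasks(): " + e); }
        try { preservesOriginal(); } catch (IOException e) {
            System.out.println("preservesOriginal(): " + e + " suppressed=" + e.getSuppressed()[0]);
        }
    }
}
```

Compiling with {{-Xlint:finally}} reports the first two methods ("finally clause cannot complete normally"), which is a cheap way to catch this pattern in a build.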
| Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| ERR04-J | low | probable | medium | P4 | L3 |
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
[[MITRE 2009|AA. Bibliography#MITRE 09]] [CWE-705|http://cwe.mitre.org/data/definitions/705.html] "Incorrect Control Flow Scoping" and [CWE-584|http://cwe.mitre.org/data/definitions/584.html] "Return Inside Finally Block"
[[Bloch 2005|AA. Bibliography#Bloch 05]] Puzzle 36: Indecision
[[Chess 2007|AA. Bibliography#Chess 07]] 8.2 Managing Exceptions, "The Vanishing Exception"
[[JLS 2005|AA. Bibliography#JLS 05]] [§14.20.2, Execution of try-catch-finally|http://java.sun.com/docs/books/jls/third_edition/html/statements.html#14.20.2]