        return stock; // Return list
    }
}
// Class Client ...
Applicability
Returning a null value rather than a zero-length array or collection may lead to denial-of-service vulnerabilities when the client code fails to handle null return values properly. Automatic detection is straightforward; fixing the problem typically requires programmer intervention.
Bibliography
[Bloch 2008]
Item 43, “Return Empty Arrays or Collections, Not Nulls”
42. Use exceptions only for exceptional conditions
Exceptions should be used only to denote exceptional conditions; they should not be used for ordinary control flow purposes. Catching a generic object such as Throwable is likely to catch unexpected errors; see The CERT® Oracle® Secure Coding Standard for Java™ [Long 2012] ERR08-J, “Do not catch NullPointerException or any of its ancestors,” for examples. When a program catches a specific type of exception, it does not always know from where that exception was thrown. Using a catch clause to handle an exception that occurs in a distant known location is a poor solution; it is preferable to handle the error as soon as it occurs or to prevent it, if possible.
The nonlocality of throw statements and corresponding catch statements can also impede optimizers from improving code that relies on exception handling. Relying on catching exceptions for control flow also complicates debugging, because exceptions indicate a jump in control flow from the throw statement to the catch clause. Finally, exceptions need not be highly optimized, as it is assumed that they are thrown only in exceptional circumstances. Throwing and catching an exception frequently has worse performance than handling the error with some other mechanism.
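The following is an added illustration of the two paragraphs above; it is not code from the book or from the CERT standard. It places a loop that relies on ArrayIndexOutOfBoundsException to find the end of an array beside a bounds-checked loop. The "key,value" input array, the class name and the process/processChecked methods are constructed for this example. The point it makes is the one about nonlocality: the catch clause cannot tell whether the exception came from the array index or from inside the processing step, so a genuine data error is silently swallowed.

```java
import java.util.Arrays;

// Added example (not from the book): exception-driven loop termination
// beside a bounds-checked loop with explicit input validation.
public class ExceptionControlFlow {

    // Constructed input: the third element is malformed (no comma).
    static final String[] STRINGS = {"a,1", "b,2", "c", "d,4"};

    // Extracts the value part of a "key,value" element. On a malformed
    // element split() yields a single-element array, so [1] throws
    // ArrayIndexOutOfBoundsException from inside the processing step.
    static String process(String s) {
        return s.split(",")[1];
    }

    // Same extraction, but the error is detected where it occurs and
    // reported with a meaningful message instead of an index exception.
    static String processChecked(String s) {
        String[] parts = s.split(",");
        if (parts.length != 2) {
            throw new IllegalArgumentException("malformed element: " + s);
        }
        return parts[1];
    }

    // Noncompliant: uses ArrayIndexOutOfBoundsException as the loop exit.
    // The catch clause cannot distinguish "ran off the end of strings"
    // from "process() failed on bad data", so the malformed element ends
    // the loop early and the remaining elements are dropped without any
    // indication that something went wrong.
    static String concatNoncompliant(String[] strings) {
        StringBuilder sb = new StringBuilder();
        int i = 0;
        try {
            while (true) {
                sb.append(process(strings[i++]));
            }
        } catch (ArrayIndexOutOfBoundsException e) {
            // Intended to mean "end of array reached"
        }
        return sb.toString();
    }

    // Compliant: the loop condition handles the end of the array, and the
    // processing step validates its input. Any exception that now escapes
    // signals an actual error and propagates to the caller rather than
    // being mistaken for normal termination.
    static String concatCompliant(String[] strings) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < strings.length; i++) {
            sb.append(processChecked(strings[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println("Input:        " + Arrays.toString(STRINGS));
        // The malformed "c" terminates the loop; "d,4" is never processed.
        System.out.println("Noncompliant: " + concatNoncompliant(STRINGS));
        try {
            System.out.println("Compliant:    " + concatCompliant(STRINGS));
        } catch (IllegalArgumentException e) {
            // The bad element is reported rather than hidden.
            System.out.println("Compliant:    rejected, " + e.getMessage());
        }
    }
}
```

Running the class with the constructed input shows the noncompliant method returning a truncated result with no error, while the compliant method surfaces the malformed element to its caller. The bounds-checked loop also avoids the cost of constructing and unwinding an exception on every call, which is the performance point made above.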
Noncompliant Code Example
This noncompliant code example attempts to concatenate the processed elements of the strings array: