Poor code quality leads to unpredictable behavior. From a user's perspective that often manifests itself as poor usability. For an attacker it provides an opportunity to stress the system in unexpected ways.
assert
Solidity function to check on a false statement.assert
Solidity function is intended to only check on statements that evaluate to true
. Having a false
statement passed into this function points at the code not functioning correctly or the function being misused, for instance, to validate input.assert
function to check on a false statement.
contract A {
B b = new B(7);
function checkWithAssert(){
assert(b.retValue() == 21);
...
}
}
contract B {
uint _par;
constructor(uint par){
_par = par;
}
function retValue() returns(uint){
return _par;
}
}
getChunk == NULL
will always be false because getChunk
is the name of a function defined in the program.
if (getChunk == NULL)
return ERR;
char* getName() {
char name[STR_MAX];
fillInName(name);
return name;
}
class AccessLevel{
public static final int ROOT = 0;
//...
public static final int NONE = 9;
}
//...
class User {
private static int access;
public User(){
access = AccessLevel.ROOT;
}
public static int getAccessLevel(){
return access;
}
//...
}
class RegularUser extends User {
private static int access;
public RegularUser(){
access = AccessLevel.NONE;
}
public static int getAccessLevel(){
return access;
}
public static void escalatePrivilege(){
access = AccessLevel.ROOT;
}
//...
}
//...
class SecureArea {
//...
public static void doRestrictedOperation(User user){
if (user instanceof RegularUser){
if (user.getAccessLevel() == AccessLevel.ROOT){
System.out.println("doing a privileged operation");
}else{
throw new RuntimeException();
}
}
}
}
getAccessLevel()
against the instance user
and not against the classes User
or RegularUser
, it will mean that this condition will always return true
, and the restricted operation will be performed even though instanceof
was used in order to get into this part of the if/else
block.serialPersistentFields
correctly, it must be declared private
, static
, and final
.serialPersistentFields
array. This feature will only work if serialPersistentFields
is declared as private
, static
, and final
.serialPersistentFields
will not be used to define Serializable
fields because it is not private
, static
, and final
.
class List implements Serializable {
public ObjectStreamField[] serialPersistentFields = { new ObjectStreamField("myField", List.class) };
...
}
Object.equals()
on an array instead of java.util.Arrays.equals().
Object.equals()
against an array is a mistake in most cases, since this will check the equality of the arrays' addresses, instead of the equality of the arrays' elements, and should usually be replaced by java.util.Arrays.equals()
.Object.equals()
function.
...
int[] arr1 = new int[10];
int[] arr2 = new int[10];
...
if (arr1.equals(arr2)){
//treat arrays as if identical elements
}
...
pthread_cleanup_push()
to push the function routine
onto the calling thread's cleanup stack and returns. Since pthread_cleanup_push()
and its partner function pthread_cleanup_pop()
are implemented as macros on platforms other than IBM AIX, the data structure created by pthread_cleanup_push()
will not be accessible to subsequent calls to pthread_cleanup_pop()
. The code will either fail to compile or behave incorrectly at runtime on all platforms where these functions are implemented as macros.
void helper() {
...
pthread_cleanup_push (routine, arg);
}