Finding bugs that matter with Findbugs

1. 1 FindBugs™ - Find Bugs in Java Programs Defective Java Code Learning from mistakes Carol McDonald

3. Looks for defects based on bug patterns

4. Bug patterns come from real bugs

5. bug patterns are grouped into categories:

6. correctness, bad practice, performance…

7. assigned a priority: high, medium or low.

8. High-Medium priority have low false positive rates

10. a read or write on a null pointer

11. typos

12. Methods whose return value should not be ignored

13. Also specific bug patterns:

14. Every Programming Puzzler

15. Eclipse documented bug fixes

16. Every chapter in Effective Java

17. Many postings to http://thedailywtf.com/3

22. Smart people don’t make dumb mistakes

23. WRONG!

24. Smart people make dumb mistakes

25. Common errors:

26. wrong boolean operator, forgetting parentheses, etc.

29. Google, Ebay, Sun, Wells Fargo…

30. Bill Pugh spent a year sabbatical at Google working Findbugs into their development process

31. Google runs FindBugs over all Java code

32. 1800s issues identified, > 600 fixed.

34. Concurrency

35. Performance• Security defect

36. 11 Can you find the Bug? public String sendMessage (User user, String body, Date time) { return sendMessage(user, body, null); } public String sendMessage (User user, String body, Date time, List attachments) { String xml = buildXML (body, attachments); String response = sendMessage(user, xml); return response; }

37. 12 Infinite recursive loopHigh priority correctness public String sendMessage (User user, String body, Date time) { return sendMessage(user, body, null); } public String sendMessage (User user, String body, Date time, List attachments) { String xml = buildXML (body, attachments); String response = sendMessage(user, xml); return response; }

38. 13 Can you find the Bug? public String foundType() { return this.foundType(); }

39. 14 Infinite recursive loop public String foundType() { return this.foundType(); } // should be public String foundType() { return this.foundType; } • Findbugs found 5 infinite recursive loops in JDK1.6.0-b13 • Including this one written by Joshua Bloch • Smart people make dumb mistakes • 27 across all versions of JDK, 31 in Google’s Java code • Embrace and fix your dumb mistakes

40. 15 Can you find the Bug? if (name != null || name.length > 0)

41. 16 Can you find the Bug? if (name != null || name.length > 0) if (name != null &&name.length > 0) Found in //com.sun.corba.se.impl.naming.cosnaming.NamingContextImpl

42. 17 Can you find the Bug? if (part == null | part.equals(""))

43. 18 Can you find the Bug? if (part == null | part.equals("")) if (part == null ||part.equals("")) Found in //com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser

44. 19 Null Pointer Bugs found in com.sun…. if (name != null || name.length > 0) if (part == null | part.equals("")) // sun.awt.x11.ScrollPanePeer if (g != null) paintScrollBars(g,colors); g.dispose();

46. © Availity, LLC | All rights reserved. 21 found in Jetty…. //BoundedThreadPoolprivate final String _lock = "LOCK";...synchronized(_lock){...} Constant Strings are shared across all other classes loaded by the JVM. Could lead to unexpected deadlocks in conjunction with other code

47. 22 Problem? public final WritableRaster filter( Raster src, WritableRasterdst) { intdstLength = dst.getNumBands(); // Create a new destination Raster,if needed if (dst == null) dst = createCompatibleDestRaster(src);

48. 23 Redundant Check for Null Is it a bug or a redundant check? public final WritableRaster filter( Raster src, WritableRasterdst) { intdstLength = dst.getNumBands(); // Create a new destination Raster,if needed if (dst == null) dst = createCompatibleDestRaster(src); can't be null because there would have been a NPE if it were null

51. 26 Bad Method Call // com.sun.xml.internal.txw2.output.XMLWriter try { ... } catch (IOException e) { new SAXException("Server side Exception:" + e); } Exception created and dropped rather than thrown try { ... } catch (IOException e) { throw new SAXException("Server side Exception:" + e); }

52. 27 Problem? public static String getNameById(String userId) { String str = userId; ... str.replace(' ', '_'); return str; }

53. 28 Method Ignores return valueCorrectness public static String getNameById(String userId) { String str = userId; ... str= str.replace(' ', '_'); return str; } Methods whose return value shouldn't be ignored • Strings are immutable, so functions like trim() and replace() return new String

54. 29 What does it Print? Integer one = 1; Long addressTypeCode = 1L; if (addressTypeCode.equals(one)) { System.out.println("equals"); } else { System.out.println("not equals"); }

55. 30 Comparing Different Types Integer one = 1; Long addressTypeCode = 1L; if (addressTypeCode.equals(one)) { System.out.println("equals"); } else { System.out.println("not equals"); } According to the contract of equals(), objects of different classes should always compare as unequal;

57. Using .equals to compare arrays

58. only checks if the same array

59. Checking to see if a Set<Long> contains an Integer

60. never found, even if the same integral value is contained in the map

61. Calling get(String) on a Map<Integer,String>

63. May be introduced by refactoring

65. 32 Best Way to use Findbugs •Want to find an effective/profitable way to use static analysis to improve software quality Mistakes That Don’t Mistakes That Matter Testing Deployment Static Analysis

67. While code is fresh in developers heads

68. Don’t be too eager to fix old issuesMistakes That Matter Mistakes That Don’t Static Analysis Testing Deployment

69. Runtime exceptions can be your friend… Errors which cause a runtime exception are more easily found Throwing a runtime exception is often a reasonable way to fail safely and report a failure. runtime exceptions represent conditions that reflect errors in your program's logic and cannot be reasonably recovered from IllegalArgumentException, NullPointerException, or IllegalStateException © Availity, LLC | All rights reserved. 34

71. silently cause the wrong answer to be computed

72. Mistakes that cause loss of money when they occur

74. 36 Can you find the (Google) bug ? // calculate DR amount by aggregating CR amounts BigDecimaldrAmount = new BigDecimal(0); for (JournalEntry je: journalEntries) drAmount.add(je.getCrAmount()); // persist to db getTrxnService().saveJournalEntry(id, drAmount, // aggregated amount true, // Debit "USD", "Revenue");

75. 37 A Google Bug //Ignored return value of BigDecimal.add for (JournalEntry je: journalEntries) drAmount.add(je.getCrAmount()); // should be drAmount= drAmount.add(je.getCrAmount()); Fixed within 30 minutes of being reported

76. 38 Bug ? int value2; Public boolean equals(Integer value1){ return value1== intValue() ; } public Integer intValue() { return value2; }

77. 39 Using reference equality rather than .equals int value2; Public boolean equals(Integer value1){ return value1.equals(intValue() ); } public Integer intValue() { return value2; } For boxed primitives, == and != are computed using pointer equality, but <, <=, >, >= are computed by comparing unboxed primitive values This can bite you on other classes (e.g., String) • but boxed primitives is where people get bit

78. 40 Bug ? ConcurrentMap<Long,XmitTimeStat> xmit_time_stats = ...; ..... stat = new XmitTimeStat(); xmit_time_stats.putIfAbsent(key, stat); stat.xmit_rsps_sent.addAndGet(sent);

79. 41 misusing putIfAbsentorg.jgroups.protocols.pbcast.NAKACK ConcurrentMap<Long,XmitTimeStat> xmit_time_stats = ...; ..... stat = new XmitTimeStat(); XmitTimeStat stat2 = xmit_time_stats.putIfAbsent(key, stat); if (stat2 != null) stat = stat2; stat.xmit_rsps_sent.addAndGet(sent); ConcurrentMap provides putIfAbsent • atomically add key -> value mapping • but only if the key isnʼt already in the map • if non-null value is returned, put failed and value returned is the value already associated with the key

81. They don’t cause as many problems as they should

82. Problems will probably increase with bigger core systems

85. a lock is held sometimes when field accessed

86. Problems with wait/notify –

87. e.g., call to wait() not in loop

89. 44 Bug ? synchronized (object) { if (<condition does not hold>) { object.wait(); } // Proceed when condition holds }

90. 45 call to wait() not in loop synchronized (object) { while (<condition does not hold>) { object.wait(); } // Proceed when condition holds }

94. 9 synchronizations on CopyOnWriteArrayList

97. Need:

98. Risk analysis, careful design, static analysis, dynamic testing and analysis

101. public static non-final fields

102. Methods that don’t defensively copy mutable arguments before storing them into fields

103. Methods that don’t defensively copy mutable values stored in fields before returning them

104. Untrusted input:

105. Included in SQL

106. included in HTTP response

109. http://findbugs.sourceforge.net/manual/eclipse.html

111. 51 Findbugsplugin in Eclipse

113. http://findbugs.sourceforge.net/

114. Bill Pugh FindbugsDevoxx talk

115. http://www.parleys.com/#id=2106&st=5

116. Bill Pugh Oredev talk:

Finding bugs that matter with Findbugs

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (8)

Similar to Finding bugs that matter with Findbugs

Similar to Finding bugs that matter with Findbugs (20)

More from Carol McDonald

More from Carol McDonald (20)

Recently uploaded

Recently uploaded (20)

Finding bugs that matter with Findbugs