What is Static Analysis ?
• Analyzes your program without executing it
• Doesn't depend on having good test cases or even any test cases
• Generally, doesn’t know what your software is supposed to do
• Looks for violations of reasonable programming
• Shouldn’t throw NPE
• Shouldn’t allow SQL injection
• Not a replacement for testing
• Very good at finding problems on untested paths
• But many defects can’t be found with static analysis
Common Wisdom about Bugs and Static Analysis
• Programmers are smart. Smart people don’t make dumb mistakes
• We have good techniques (e.g., unit testing, pair programming, code inspections) for finding bugs early
• So, bugs remaining in production code must be subtle, and finding them must require sophisticated static analysis techniques
• I tried lint and it sucked: lots of warnings, few real issues
Can You Find The Bug?
if (listeners == null)
listeners.remove(listener);
• JDK1.6.0, b105, sun.awt.x11.XMSelection
• lines 243-244
Why Do Bugs Occur?
• Nobody is perfect
• Misunderstood language features, API methods
• Typos (using wrong boolean operator, forgetting parentheses or brackets, etc.)
• Misunderstood class or method invariants
• Everyone makes syntax errors, but the compiler catches them
• What about bugs one step removed from a syntax error?
This tutorial
• What FindBugs is and does
• Using FindBugs well and wisely
• Customizing FindBugs to your needs
• Adapting FindBugs to your time budget
• Find your sweet spot
• Making FindBugs part of your continuous build and test framework
Bug Categories
• Correctness - the code seems to be clearly doing something the developer did not intend
• Bad practice - the code violates good practice
• Dodgy code - the code is doing something unusual that may be incorrect
• Multithreaded correctness
• Potential performance problems
• Malicious code vulnerability
Students are good bug generators.
A student came to office hours, was having trouble with
his constructor:
/** Construct a WebSpider */
public WebSpider() {
WebSpider w = new WebSpider();
}
• A second student had the same bug
• Wrote a detector, found 3 other students with the same bug (an infinite recursive loop)
Does this code contain a null pointer bug?
String s = null;
if (x > 0) s = "x";
if (y > 0) s = "y";
return s.hashCode();
Finding Null Pointer Bugs
• FindBugs looks for a statement or branch that, if executed, guarantees a null pointer exception
• Either a null pointer exception could be thrown, or the program contains a statement/branch that can't be executed
• Could look for exceptions that only occur on a path, e.g., if x <= 0 and y <= 0 then an NPE will be thrown, but would need to worry about whether that path is feasible
• FindBugs doesn't do this
Bad Method Invocation
• Methods whose return value shouldn't be ignored
• Strings are immutable, so methods like trim() and toLowerCase() return a new String
• Dumb/useless methods
• Invoking toString or equals on an array
• Lots of specific rules about particular API methods
• Hard to memorize, easy to get wrong
Bad Practice
• A class that defines an equals method but inherits hashCode from Object
• Violates the contract that any two equal objects have the same hash code
• equals method doesn't handle a null argument
• Serializable class without a serialVersionUID
• Exception caught and ignored
• Broken out from the correctness category because I never want a developer to yawn when I show them a "correctness" bug
Fixing hashCode
• What if you want to define equals, but don't think your objects will ever get put into a HashMap?
• Suggestion:
public int hashCode() {
    assert false : "hashCode method not designed";
    return 42;
}
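As an added example (not from the slides) of why the equals/hashCode contract matters and how the suggestion above behaves in practice: BrokenPoint overrides equals without hashCode, Point does both, and AssertingPoint uses the assert-and-return-42 fallback. All class names are made up for this illustration.

```java
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

// Overrides equals() but inherits Object.hashCode(): FindBugs flags this as
// bad practice (HE_EQUALS_USE_HASHCODE). Two equal points get unrelated
// identity hash codes, so hash-based collections cannot find them.
final class BrokenPoint {
    final int x, y;
    BrokenPoint(int x, int y) { this.x = x; this.y = y; }
    @Override public boolean equals(Object o) {   // instanceof also rejects null
        return o instanceof BrokenPoint && ((BrokenPoint) o).x == x && ((BrokenPoint) o).y == y;
    }
}
// Correct pairing: hashCode() is derived from the same fields equals() compares.
final class Point {
    final int x, y;
    Point(int x, int y) { this.x = x; this.y = y; }
    @Override public boolean equals(Object o) {
        return o instanceof Point && ((Point) o).x == x && ((Point) o).y == y;
    }
    @Override public int hashCode() { return Objects.hash(x, y); }
}
// The slides' fallback: fail fast (when run with -ea) if anyone ever hashes this type.
final class AssertingPoint {
    final int x, y;
    AssertingPoint(int x, int y) { this.x = x; this.y = y; }
    @Override public boolean equals(Object o) {
        return o instanceof AssertingPoint && ((AssertingPoint) o).x == x && ((AssertingPoint) o).y == y;
    }
    @Override public int hashCode() { assert false : "hashCode method not designed"; return 42; }
}
public class HashCodeContractDemo {
    public static void main(String[] args) {
        Set<BrokenPoint> broken = new HashSet<>();
        broken.add(new BrokenPoint(1, 2));
        // The lookup fails in practice: the two objects have different identity hash codes.
        System.out.println("broken finds equal point: " + broken.contains(new BrokenPoint(1, 2)));
        Set<Point> fixed = new HashSet<>();
        fixed.add(new Point(1, 2));
        // Found, because equal objects now share a hash code.
        System.out.println("fixed finds equal point: " + fixed.contains(new Point(1, 2)));
        try {
            new HashSet<AssertingPoint>().add(new AssertingPoint(1, 2)); // trips the assert under -ea
            System.out.println("assertions disabled: hashCode silently returned 42");
        } catch (AssertionError e) {
            System.out.println("caught: " + e.getMessage());
        }
    }
}
```

Run it twice, with and without `java -ea`, to see the assert-based hashCode either fail fast or silently degrade every instance into one hash bucket.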
Dodgy code
• Dead local store - a value is stored into a local variable, but that value is never used
• Use of non-short circuit boolean logic
• Switch statement fallthrough
• Branch where code on both branches is identical
Multithreaded correctness
• Inconsistent synchronization - a lock is held most of the time a field is accessed, but not always
• Problems with wait/notify - e.g., call to wait() not in loop
• Thread unsafe lazy initialization of static field
Performance
• Unused field
• Invocation of Boolean or Integer constructors
• Using hashCode or equals method on a URL
• final constant field that could be made static
• Loop with quadratic string concatenation
• Inner class that could be made static
Vulnerability to Malicious code
• public static non-final fields
• public static final fields that reference mutable objects
• Methods that don’t defensively copy mutable arguments before storing them into fields
• Methods that don't defensively copy mutable values stored in fields before returning them
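An added example (not from the slides) of the last two items: LeakyPolicy stores and returns the caller's mutable Date and List as-is, while SafePolicy copies on the way in and out. The class names and the policy scenario are made up for this illustration.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;

// Stores and returns the caller's mutable objects: anyone holding a reference
// can change the policy's state behind its back. FindBugs reports this under
// the malicious-code category (EI_EXPOSE_REP2 on store, EI_EXPOSE_REP on return).
final class LeakyPolicy {
    private final Date validFrom;
    private final List<String> allowedHosts;
    LeakyPolicy(Date validFrom, List<String> allowedHosts) {
        this.validFrom = validFrom;        // aliases the caller's Date
        this.allowedHosts = allowedHosts;  // aliases the caller's list
    }
    Date getValidFrom() { return validFrom; }                // hands out the internal Date
    List<String> getAllowedHosts() { return allowedHosts; }  // hands out the internal list
}
// Copies on the way in and on the way out; the list is exposed as a read-only view.
final class SafePolicy {
    private final Date validFrom;
    private final List<String> allowedHosts;
    SafePolicy(Date validFrom, List<String> allowedHosts) {
        this.validFrom = new Date(validFrom.getTime());
        this.allowedHosts = new ArrayList<>(allowedHosts);
    }
    Date getValidFrom() { return new Date(validFrom.getTime()); }
    List<String> getAllowedHosts() { return Collections.unmodifiableList(allowedHosts); }
}
public class DefensiveCopyDemo {
    public static void main(String[] args) {
        Date start = new Date(0);
        List<String> hosts = new ArrayList<>(List.of("app.example"));  // constructed sample input
        LeakyPolicy leaky = new LeakyPolicy(start, hosts);
        SafePolicy safe = new SafePolicy(start, hosts);
        start.setTime(Long.MAX_VALUE);   // mutate the arguments after construction
        hosts.add("other.example");
        System.out.println("leaky validFrom: " + leaky.getValidFrom().getTime()); // follows the mutation
        System.out.println("safe  validFrom: " + safe.getValidFrom().getTime());  // keeps the original
        System.out.println("leaky hosts: " + leaky.getAllowedHosts()); // gained the new entry
        System.out.println("safe  hosts: " + safe.getAllowedHosts());  // unchanged
        leaky.getValidFrom().setTime(5);  // the getter leaks the same mutable object
        System.out.println("leaky after getter mutation: " + leaky.getValidFrom().getTime());
        try {
            safe.getAllowedHosts().add("x.example");
        } catch (UnsupportedOperationException e) {
            System.out.println("safe hosts are read-only");
        }
    }
}
```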
Eclipse IDE
FindBugs Eclipse plugin
http://findbugs.cs.umd.edu/eclipse/
Run FindBugs incrementally as you edit code
This is what it looks like when we scan a file with FindBugs:
If you see OutOfMemory error dialogs after starting FindBugs analysis in Eclipse, please increase the JVM's available memory: edit eclipse.ini and add the lines below to the end of the file:
-vmargs
-Xmx1000m
Plugin for Maven
Add <plugin> to <reporting> section of pom.xml:
Update for pom.xml
<plugin>
  <groupId>org.codehaus.mojo</groupId>
  <artifactId>findbugs-maven-plugin</artifactId>
  <version>1.1.1</version>
  <configuration>
    <xmlOutput>true|false</xmlOutput>
    <xmlOutputDirectory>directory location of xml findbugs report</xmlOutputDirectory>
    <threshold>High|Normal|Low</threshold>
    <effort>Min|Default|Max</effort>
  </configuration>
</plugin>
Useful Maven commands for FindBugs:
'mvn findbugs:findbugs' generates the report
'mvn site' generates the site files, including a FindBugs report
Sample report:
Sources: findbugs-tutorials.googlecode.com