Custom Detectors for FindBugs (London Java Community Unconference 2)
Slides for presentation / demo for a basic introduction to writing custom detectors for FindBugs.

Talk was given at the London Java Community Unconference 2, 26th June 2010.

The example code that goes with the slides is here:

Published in: Technology, Education


  • 1. A basic introduction to Writing Custom Detectors for FindBugs
  • 2. FindBugs: What's FindBugs?
    • Static analysis tool for Java
    • Detects suspicious patterns in code
      • -> See
    • Detectors for ~370 bug types
      • -> See bug list
    • Use filters to select specific sets of detectors
  • 4. FindBugs: What's FindBugs?
    • Run as...
      • IDE plugin
      • Ant task – part of Continuous Integration build
      • Standalone app (CLI or UI)
    • Operates on Java ByteCode, so you can analyse:
      • Your compiled Java code
      • Dependent libraries (binaries)
      • Other JVM languages, compiled to ByteCode?
  • 9. Custom Detectors: Why create a custom detector?
    • Enforce a project-specific constraint, e.g.:
      • Ensure all logging is guarded
      • Flag common API misuses
      • Environment/platform-specific constraints
      • Enforce naming conventions
    • You've identified a new, general bug pattern:
      • A common misuse of a JCL API
      • A sequence of operations that is doomed to fail
  • 14. Custom Detectors: FindBugs Plugins
    • A plugin is a jar file containing at least 3 files:
      • findbugs.xml
      • messages.xml
      • A detector class
    • FindBugs loads plugin jars from its “plugin” directory.
    • One plugin jar can contain multiple detector classes.
    • One detector class can report multiple bug types.
  • 18. Custom Detectors: The XML files
      -> See examples
  • 19. The Detector Class: The Most Simple Detector...
        import edu.umd.cs.findbugs.BugReporter;
        import edu.umd.cs.findbugs.Detector;
        import edu.umd.cs.findbugs.ba.ClassContext;

        public class MyDetector implements Detector {
            private BugReporter reporter;

            /** Instantiated when analysis starts. */
            public MyDetector(BugReporter reporter) {
                this.reporter = reporter;
            }

            /** Invoked for every class to analyse */
            @Override
            public void visitClassContext(ClassContext classContext) {
            }

            /** Invoked after all classes have been analysed by all detectors. */
            @Override
            public void report() {
            }
        }
      -> Examples
  • 20. The Detector Class: Visitors & Detectors
      [Diagram: a Visitor with visit(class), visit(const), visit(field), visit(method), … and state]
      -> Examples
  • 21. The EBCDIC Issue: What's EBCDIC?
      “EBCDIC is not relevant to your life.” - Joel Spolsky
    • A character set used on IBM mainframes.
    • Usually pronounced eb-sih-dic.
    • It is not ASCII-compatible.
    • … but it becomes relevant when your code runs in an IBM mainframe!
  • 25. The EBCDIC Issue: Character Sets
    • Programs often convert between bytes and character data
      • Writing/reading text to/from the file system
      • Sending/receiving text over the network
    • Such conversions always use a character set, e.g.:
      [Table with columns Text, Byte value, Charset: the text é has byte value [0xC3, 0xA9] or [0xE9], depending on the charset]
  • 27. The EBCDIC Issue: Default Charset in Java
    • In Java, if no charset is specified, a default is used.
    • The default is platform-specific.
        String s1 = new String(myByteArray, Charset.forName("UTF-8")); // Uses UTF-8
        String s2 = new String(myByteArray); // Uses default charset
    • On most platforms, this default is “ASCII-compatible”:
        hello  [0x68, 0x65, 0x6C, 0x6C, 0x6F]
      These characters have the same byte value in all ASCII-compatible character sets.
  • 29. The EBCDIC Issue: If you [...] Unicode, you'll [...] EBCDIC
    • EBCDIC is not ASCII-compatible.
    • Imagine you're sending bytes over the network and the client is expecting ISO8859-1 text:
        connection.getOutputStream().write("HELLO".getBytes());
    • On ASCII-compatible platforms, the code above sends the correct ISO8859-1 bytes for HELLO.
    • On z/OS, it sends data that ISO8859-1-decodes to: ÈÅÓÓÖ
    • The code should look something like:
        connection.getOutputStream().write("HELLO".getBytes("ISO8859-1"));
  • 34. The EBCDIC Issue: -Dfile.encoding
    • The file.encoding system property can be used to change the default.
    • Not a suitable solution if different libraries make different assumptions about the default.
    • Can be useful for testing that your code works OK in an EBCDIC environment, e.g.:
      java -Dfile.encoding=IBM-1047 -Dconsole.encoding=ISO8859-1 ...
  • 37. The EBCDIC Issue: Affected Java Class Library Methods
    • java.lang.String.getBytes()
    • java.lang.String(byte[] bytes)
    • filename) file) fileDescriptor) filename) file) fileDescriptor) input) output) file) output) string) file) output) string)
    • java.util.Scanner(InputStream input)
    • java.util.Formatter(String filename)
    • java.util.Formatter(File file)
    • java.util.Formatter(OutputStream output)
  • 38. Default Encoding Detector: Implementation of the default encoding detector
      -> See code.
  • 39. More FindBugs Classes
    • BugAccumulator: helps avoid reporting same bug many times
    • Class metadata and identifiers:
      • XClass, ClassDescriptor, JavaClass (BCEL)
      • XMethod, MethodDescriptor, Method (BCEL)
      • ...
    • AnnotationDatabase: helps to simplify marking interesting classes, methods, fields... and identify their usage.
    • StatelessDetector: Marker interface – detector is cloned on each class so any state that is not cloned can be GC'd
    • DataflowAnalysis: Provides access to a control flow graph
  • 45. Misc. Tips
    • Examine the built-in detectors
      • Find one that detects a pattern similar to yours.
    • Write tests for your detector.
      • Run FindBugs on test data, compare report against baseline.
      • Or see this blog post for a lighter approach.
        • -> Example using annotations to mark expected bugs
    • Build and test your custom detector as part of your CI.
      • Ensures freshest, correct version is always used.
    • Don't be put off by ByteCode
      • Use this ByteCode Viewer plugin for Eclipse.
  • 47. References / further reading / tools:
    • This presentation:
    • Today's code:
    • Encoding detector:
    • developerWorks article about custom detectors:
    • Daniel Schneller's blog posts about custom detectors:
    • Josh Cummings' blog post about testing detectors:
    • ByteCode Outline plugin for Eclipse:
    • FindBugs Mailing List