Custom Detectors for FindBugs (London Java Community Unconference 2)

A basic introduction to Writing Custom Detectors for FindBugs

FindBugs
Static analysis tool for Java
Detects suspicious patterns in code
-> See BugExamples.java
Detectors for ~370 bug types
-> See bug list
Use filters to select specific sets of detectors
What's Findbugs?

Run as...
IDE plugin
Ant task – part of Continuous Integration build
Standalone app (CLI or UI)
Operates on Java ByteCode, so you can analyse:
Your compiled Java code
Dependent libraries (binaries)
Other JVM languages, compiled to ByteCode?
FindBugs What's Findbugs?

Enforce a project-specific constraint, e.g.:
Ensure all logging is guarded
Flag common API misuses
Environment/platform-specific constraints
Enforce naming conventions
You've identified a new, general bug pattern:
A common misuse of a JCL API
A sequence of operations that is doomed to fail
Custom Detectors Why create a custom detector?

A plugin is a jar file containing at least 3 files:
findbugs.xml
messages.xml
A detector class
FindBugs loads plugin jars from its “plugin” directory.
One plugin jar can contain multiple detector classes.
One detector class can report multiple bug types.
Custom Detectors FindBugs Plugins

Custom Detectors The XML files
-> See examples

The Detector Class The Most Simple Detector... public class MyDetector implements Detector { private BugReporter reporter ; /** Instantiated when analysis starts. */ public MyDetector (BugReporter reporter) { this . reporter = reporter; } /** Invoked for every class to analyse */ @Override public void visitClassContext(ClassContext classContext) { } /** Invoked after all classes have been analysed by all detectors. */ @Override public void report() { } }
-> Examples

The Detector Class Visitors & Detectors Visitor visit(class) visit(const) visit(field) visit(method) … state
-> Examples

A character set used on IBM mainframes.
Usually pronounced eb-sih-dic.
It is not ASCII-compatible.
… but it becomes relevant when your code runs in an IBM mainframe!
The EBCDIC Issue What's EBCDIC? “ EBCDIC is not relevant to your life.” -Joel Spolsky

Programs often convert between bytes and character data
Writing/reading text to/from the file system
Sending/receiving text over the network
Such conversions always use a character set, e.g.:
The EBCDIC Issue é [0xC3, 0xA9] [0xE9] Text Byte value Charset Character Sets

In Java, if no charset is specified, a default is used.
The default is platform-specific.
The EBCDIC Issue hello [0x68,0x65,0x6C,0x6C,0x6F] Default Charset in Java String s1 = new String(myByteArray, Charset.forName( "UTF-8" )); // Uses UTF-8 String s2 = new String( myByteArray ); // Uses default charset
On most platforms, this default is “ASCII-compatible”:
These characters have the same byte value in all ASCII-compatible Character sets.

EBCDIC is not ASCII-compatible.
Imagine you're sending bytes over the network and the client is expecting ISO8859-1 text:
On ASCII-compatible platforms , the code above sends the correct ISO8859-1 bytes for HELLO .
On z/OS , it sends data that ISO88591-decodes to: ÈÅÓÓÖ
The code should look something like:
The EBCDIC Issue If you �Unicode, you’ll ��EBCDIC connection.getOutputStream().write( "HELLO" .getBytes()); connection.getOutputStream().write( "HELLO" .getBytes( " ISO8859-1 " ));

The file.encoding system property can be used to change the default.
Not a suitable solution if different libraries make different assumptions about the default.
Can be useful for testing that your code works OK in an EBCDIC environment, e.g.:
The EBCDIC Issue -Dfile.encoding
java -Dfile.encoding=IBM-1047 -Dconsole.encoding=ISO8859-1 ...

The EBCDIC Issue Affected Java Class Library Methods java.lang.String.getBytes() java.lang.String(byte[] bytes) java.io.ByteArrayOutputStream.toString() java.io.FileReader(String filename) java.io.FileReader(File file) java.io.FileReader(FileDescriptor fileDescriptor) java.io.FileWriter(String filename) java.io.FileWriter(File file) java.io.FileWriter(FileDescriptor fileDescriptor) java.io.InputStreamReader(InputStream input) java.io.OutputStreamWriter(OutputStream output) java.io.PrintStream(File file) java.io.PrintStream(OutputStream output) java.io.PrintStream(String string) java.io.PrintWriter(File file) java.io.PrintWriter(OutputStream output) java.io.PrintWriter(String string) java.util.Scanner(InputStream input) java.util.Formatter(String filename) java.util.Formatter(File file) java.util.Formatter(OutputStream output)

-> See code. Default Encoding Detector Implementation of the default encoding detector

BugAccumulator: helps avoid reporting same bug many times
Class metadata and identifiers :
XClass, ClassDescriptor, JavaClass (BCEL)
XMethod, MethodDescriptor, Method (BCEL)
...
AnnotationDatabase: helps to simplify marking interesting classes, methods, fields... and identify their usage.
StatelessDetector: Marker interface – detector is cloned on each class so any state that is not cloned can be GC'd
DataflowAnalysis: Provides access to a c ontrol flow graph
More FindBugs Classes

Examine the built-in detectors
Find one that detects a pattern similar to yours.
Write tests for your detector.
Run Findbugs on test data, compare report against baseline .
Or see this blog post for a lighter approach.
-> Example using annotations to mark expected bugs
Build and test your custom detector as part of your CI.
Ensures freshest, correct version is always used.
Don't be put off by ByteCode
Use this ByteCode Viewer plugin for Eclipse.
Misc. Tips

This presentation: http://bit.ly/fb_slides Today's code: http://bit.ly/fb_demo Encoding detector: http://bit.ly/fb_enc References / further reading / tools:
developerWorks article about custom detectors: http://bit.ly/fb_dw
Daniel Schneller's blog posts about custom detectors: http://bit.ly/fb_dsblog
Josh Cummings' blog post about testing detectors: http://bit.ly/fb_jcblog
ByteCode Outline plugin for Eclipse: http://bit.ly/fb_bytecode
FindBugs Mailing List
Links

Custom Detectors for FindBugs (London Java Community Unconference 2)

by Robin Fernandes

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Custom Detectors for FindBugs (London Java Community Unconference 2) Presentation Transcript