1 Using FindBugs
David Hovemeyer <[email protected]>
http://findbugs.sourceforge.net

2 Outline
● Motivation
● The FindBugs Tool
● How it works
● Conclusions

3 Motivation
● Software is hard to get right
  – Complex library APIs
  – Difficult language features: e.g., threads
● Nobody is perfect 100% of the time
● Result: bugs
  – Wasted development time, frustrated users

4 Using Tools to Find Bugs
● We can write programs, “bug checkers”, to analyze code for potential errors
● Running the bug checker produces a list of potential bugs in the code
● Goal: find bugs early
  – Before debugging and testing
  – Before program is distributed to users

5 Observation
● Many bugs share common characteristics
● Bug Pattern: a code idiom that is frequently an error
● Is it possible to detect instances of bug patterns automatically?
  – Yes!

6 Our Approach
● We have developed a tool, FindBugs, to find instances of bug patterns
● We try to find the simplest approach to detecting potential bugs
● This approach can be effective:
  – About 45 bug patterns recognized
  – Hundreds of bugs found in real applications

7 Limitations
● Static Analysis is the process of analyzing a program's code to find out how the program will behave at runtime
● Nontrivial properties of programs are undecidable
  – E.g., the halting problem
● We can never determine all possible program behaviors

8 Consequences of Imprecision
● Given that we can't predict all possible program behaviors:
  – We try to infer likely program behavior
● False positives:
  – Tool reports a bug that can't really happen
● False negatives:
  – Tool fails to report a bug that can happen

9 Limitations of Tools
● Bug finding tools are not a panacea
● They generally can't help ensure that your code does what you intend
● However, they are a useful first line of defense
● Helpful when learning new areas of the language

10 Outline
● Motivation
● The FindBugs Tool
● How it works
● Conclusions

11 FindBugs
● A tool to find instances of bug patterns in Java programs
  – Misuses of API functions
  – Language semantics: e.g., null pointer exceptions
  – Thread problems
● Written in Java
● Developed by Bill Pugh

12 Installing FindBugs
● Download from FindBugs website:
  – http://findbugs.sourceforge.net
● See instructions in manual:
  – http://findbugs.sourceforge.net/manual/index.html
● Main user interfaces: command line, Swing GUI
● Eclipse plugin: recently added, still needs work
  – We are actively working to make it better

13 Running FindBugs
● FindBugs analyzes Java class files
  – Individual class files
  – Jar, zip archives
  – Directories containing class files
● Produces results in two formats:
  – Minimal text output
  – XML output (can view in GUI: recommended)

14 Demo

15 What Can FindBugs Find?
● We have used FindBugs to find hundreds of bugs in real applications
● We have been surprised at how obvious many of the bugs are
● A few examples...

16 Null Dereference
● Dereferencing a null pointer is almost always a mistake
● Eclipse 2.1.0, org.eclipse.jdt.internal.ui.javaeditor.ClassFileEditor

    if (entry == null) {
        IClasspathContainer container=
            JavaCore.getClasspathContainer(entry.getPath(), root.getJavaProject());
        ...

17 Null Dereference (2)
● Eclipse 2.1.0, org.eclipse.help.ui.internal.search.HelpSearchPage

    if (!searchQueryData.isBookFiltering()
        && (lastWS != null || lastWS.length() > 0)) {
        ...

18 Unused Return Value
● String objects are immutable
  – Methods that modify Strings return a new object
● Example: Eclipse 2.1.0:

    if (i < label.length())
        label= label.substring(0, i) + label.substring(i+1);
    else
        label.substring(0, i);

19 Suspicious Reference Comparison
● Objects should generally be compared using the equals(Object) method, not == and != operators
  – Those operators test reference equality, not object equality
● GNU Classpath 0.06, gnu.java.net.protocol.jar.Handler.parseURL()

    String file = url.getFile();
    if (file != null && file != "")
    { //has context url

20 Thread Bug Patterns
● FindBugs looks for several bug patterns related to threads
  – Problems starting threads
  – Fields locked inconsistently
  – Wait/notify problems
● This may be helpful when you do Project 4

21 Outline
● Motivation
● The FindBugs Tool
● How it works
● Conclusions

22 How It Works
● Two approaches to analyzing Java programs:
  – Source code
  – Bytecode (class files)
● Analyzing source code has some advantages, but is more complicated
● We analyze bytecode
  – Using the Apache Byte Code Engineering Library (BCEL)

23 Java Bytecode
● Java source files are translated into bytecode
  – Essentially, a machine language for the Java Virtual Machine
● Instead of registers, bytecode instructions use an operand stack
  – Each value on the stack is an object reference or numeric value
● Bytecode is very easy to analyze

24 Java Bytecode Example
● The command “javap -c classname” prints the bytecode for methods in a class
● Demo...

25 Analyzing Bytecode
● How can we analyze bytecode to figure out what it does?
● FindBugs uses several approaches:
  – Simple: Scanning
  – More complex: Scanning with control flow
  – Most complex: Dataflow analysis
● Very similar to techniques used in compilers

26 Bytecode Scanning
● Really simple approach: just scan through bytecode instructions, driving a state machine
● Example: unconditional wait

    // Wrong:
    while (!someCondition) {
        synchronized (lock) {
            lock.wait();
        }
    }

    // Right:
    synchronized (lock) {
        while (!someCondition) {
            lock.wait();
        }
    }

27 Recognizing Unconditional Wait
● Observation: an unconditional wait is when a lock is acquired, immediately followed by a call to Object.wait()
  – With no intervening branches
● Acquiring a lock: monitorenter
● Calling wait: invokevirtual Object.wait()
● Scan for these instructions!
● Example...

28 Control Flow
● Scanning is good for bug patterns that don't involve control flow
● Often, control flow is important
  – Conditional control flow gives us information: e.g.

    if (foo == null) {
        ...foo is null here...

● Control Flow Graph (CFG) gives us this information

29 Control Flow Graphs (CFGs)
● A Control Flow Graph is a data structure comprised of basic blocks and control edges
● Basic block: linear sequence of instructions with no control flow
● Control edge: indicates control transfer from one block to another

30 CFG Example

    x = 1;
    for (i = 0; i < 10; ++i) {
        x = x + 1;
    }

[Figure: control flow graph with node labels x = 1, i = 0, i < 10?, x = x + 1, ++i, done]

31 Using CFGs
● How does the CFG help us?
● Scanning approach can now take control flow into account
  – E.g., for an “if” statement, continue scanning on both branches
  – Note: this can lead to exponential
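The scan described on the "Recognizing Unconditional Wait" slide, sketched in Python over `javap -c` style text. This is an added example, not FindBugs code (FindBugs works on class files through BCEL); the function name is hypothetical and the two listings are constructed excerpts, not real compiler output.

```python
import re

# One instruction line of `javap -c` output: "  12: invokevirtual #3  // Method ..."
INSN = re.compile(r"^\s*(\d+):\s+(\w+)(.*)$")
# Opcodes that transfer control (if*, goto*, jsr*, switches).
BRANCH = re.compile(r"^(if|goto|jsr|tableswitch|lookupswitch)")

def find_unconditional_waits(listing):
    """Hypothetical helper: offsets of Object.wait() calls reached from a
    monitorenter with no branch in between (linear scan, two states)."""
    hits, armed = [], False
    for line in listing.splitlines():
        m = INSN.match(line)
        if not m:
            continue
        offset, opcode, rest = int(m.group(1)), m.group(2), m.group(3)
        if opcode == "monitorenter":
            armed = True                  # lock just acquired
        elif opcode == "monitorexit" or BRANCH.match(opcode):
            armed = False                 # lock released, or control flow seen
        elif opcode == "invokevirtual" and "java/lang/Object.wait:" in rest:
            if armed:
                hits.append(offset)       # wait() with no condition check first
            armed = False
    return hits

# Constructed excerpt: while (!ready) { synchronized (lock) { lock.wait(); } }
WRONG = """
   4: ifne          20
  10: monitorenter
  11: aload_1
  12: invokevirtual #3  // Method java/lang/Object.wait:()V
  15: aload_2
  16: monitorexit
  17: goto          0
"""
# Constructed excerpt: synchronized (lock) { while (!ready) { lock.wait(); } }
RIGHT = """
   3: monitorenter
   4: aload_0
   5: getfield      #2  // Field ready:Z
   8: ifne          18
  11: aload_1
  12: invokevirtual #3  // Method java/lang/Object.wait:()V
  15: goto          4
  19: monitorexit
"""
if __name__ == "__main__":
    print(find_unconditional_waits(WRONG), find_unconditional_waits(RIGHT))
```

Loads such as `aload_1` between the two instructions do not reset the state; only a branch or `monitorexit` does, which is why the loop test in the second listing suppresses the report.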