Custom Detectors for FindBugs (London Java Community Unconference 2)

1. A basic introduction to Writing Custom Detectors for FindBugs

2. FindBugs Static analysis tool for Java

3. Detects suspicious patterns in code -> See bug examples Detectors for ~370 bug types -> See bug list Use filters to select specific sets of detectors What's FindBugs?

4. Run as... IDE plugin

5. Ant task / maven plugin – part of CI build

6. Standalone app (CLI and GUI) Operates on Java ByteCode, so you can analyse: Your compiled Java code

7. Dependent libraries (binaries)

8. Other JVM languages, compiled to ByteCode? FindBugs What's FindBugs?

9. Enforce a project-specific constraint, e.g.: Ensure all logging is guarded

10. Flag common API misuses

11. Environment/platform-specific constraints

12. Enforce naming conventions You've identified a new, general bug pattern: A common misuse of a JCL API

13. A sequence of operations that is doomed to fail Custom Detectors Why create a custom detector?

14. A plugin is a jar file containing at least 3 files: findbugs.xml

15. messages.xml

16. A detector class FindBugs loads plugin jars from its “plugin” directory. One plugin jar can contain multiple detector classes.

17. One detector class can report multiple bug types. Custom Detectors FindBugs Plugins

18. Custom Detectors The XML files -> See examples

19. The Detector Class The Most Simple Detector... public class MyDetector implements Detector { private BugReporter reporter ; /** Instantiated when analysis starts. */ public MyDetector(BugReporter reporter) { this . reporter = reporter; } /** Invoked for every class to analyse */ @Override public void visitClassContext(ClassContext classContext) { } /** Invoked after all classes have been analysed by all detectors. */ @Override public void report() { } } -> Examples

20. The Detector Class Visitors & Detectors Visitor visit(class) visit(const) visit(field) visit(method) … state -> Examples

21. A character set used on IBM mainframes.

22. Usually pronounced eb-sih-dic.

23. It is not ASCII-compatible.

24. … but it becomes relevant when your code runs in an IBM mainframe! The EBCDIC Issue What's EBCDIC? “ EBCDIC is not relevant to your life.” -Joel Spolsky

25. Programs often convert between bytes and character data Writing/reading text to/from the file system

26. Sending/receiving text over the network Such conversions always use a character set, e.g.: The EBCDIC Issue é [0xC3, 0xA9] [0xE9] Text Byte value Charset Character Sets

27. In Java, if no charset is specified, a default is used.

28. The default is platform-specific. The EBCDIC Issue hello [0x68,0x65,0x6C,0x6C,0x6F] Default Charset in Java String s1 = new String(myByteArray, Charset.forName( "UTF-8" )); // Uses UTF-8 String s2 = new String( myByteArray ); // Uses default charset On most platforms, this default is “ASCII-compatible”: These characters have the same byte value in all ASCII-compatible Character sets.

29. EBCDIC is not ASCII-compatible.

30. Imagine you're sending bytes over the network and the client is expecting ISO8859-1 text:

31. On ASCII-compatible platforms , the code above sends the correct ISO8859-1 bytes for HELLO .

32. On z/OS , it sends data that ISO88591-decodes to: ÈÅÓÓÖ

33. The code should look something like: The EBCDIC Issue If you �Unicode, you’ll ��EBCDIC connection.getOutputStream().write( "HELLO" .getBytes()); connection.getOutputStream().write( "HELLO" .getBytes( " ISO8859-1 " ));

34. The file.encoding system property can be used to change the default.

35. Not a suitable solution if different libraries make different assumptions about the default.

36. Can be useful for testing that your code works OK in an EBCDIC environment, e.g.: The EBCDIC Issue -Dfile.encoding java -Dfile.encoding=IBM-1047 -Dconsole.encoding=ISO8859-1 ...

37. The EBCDIC Issue Affected Java Class Library Methods java.lang.String.getBytes() java.lang.String(byte[] bytes) java.io.ByteArrayOutputStream.toString() java.io.FileReader(String filename) java.io.FileReader(File file) java.io.FileReader(FileDescriptor fileDescriptor) java.io.FileWriter(String filename) java.io.FileWriter(File file) java.io.FileWriter(FileDescriptor fileDescriptor) java.io.InputStreamReader(InputStream input) java.io.OutputStreamWriter(OutputStream output) java.io.PrintStream(File file) java.io.PrintStream(OutputStream output) java.io.PrintStream(String string) java.io.PrintWriter(File file) java.io.PrintWriter(OutputStream output) java.io.PrintWriter(String string) java.util.Scanner(InputStream input) java.util.Formatter(String filename) java.util.Formatter(File file) java.util.Formatter(OutputStream output)

38. -> See code. Default Encoding Detector Implementation of the default encoding detector

39. BugAccumulator: helps avoid reporting same bug many times

40. Class metadata and identifiers : XClass, ClassDescriptor, JavaClass (BCEL)

41. XMethod, MethodDescriptor, Method (BCEL)

42. ... AnnotationDatabase: helps to simplify marking interesting classes, methods, fields... and identify their usage.

43. StatelessDetector: Marker interface – detector is cloned on each class so any state that is not cloned can be GC'd

44. DataflowAnalysis: Provides access to a control flow graph More FindBugs Classes

45. Examine the built-in detectors Find one that detects a pattern similar to yours. Testing your detector Run Findbugs on test data, compare report against baseline

46. Or see this blog post for a lighter approach. -> Example using annotations to mark expected bugs Don't be put off by ByteCode Try the ByteCode Outline plugin for Eclipse Misc. Tips

47. This presentation: http://bit.ly/fb_slides Today's code: http://bit.ly/fb_demo2011 Encoding detector: http://bit.ly/fb_enc References / further reading / tools: developerWorks article about custom detectors: http://bit.ly/fb_dw

48. Presentation on custom detectors by FindBugs authors: http://bit.ly/fb_4r

49. Daniel Schneller's blog posts about custom detectors: http://bit.ly/fb_dsblog

50. Josh Cummings' blog post about testing detectors: http://bit.ly/fb_jcblog

51. ByteCode Outline plugin for Eclipse: http://asm.ow2.org/eclipse/index.html

52. FindBugs Mailing List Links

Custom Detectors for FindBugs (London Java Community Unconference 2)

More Related Content

What's hot (20)

Similar to Custom Detectors for FindBugs (London Java Community Unconference 2) (20)

More from Robin Fernandes (6)

Recently uploaded (20)

Custom Detectors for FindBugs (London Java Community Unconference 2)