Index: doc/Changes.html |
diff --git a/doc/Changes.html b/doc/Changes.html |
index 440b153b4fdbb5ab52f8f84f53cc472dfcd18459..21b4551e1eab6bbf26e31f876a2faf62c2672315 100644 |
--- a/doc/Changes.html |
+++ b/doc/Changes.html |
@@ -1,16 +1,17 @@ |
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> |
<html> |
- <head> |
- <title>FindBugs Change Log</title> |
- <link rel="stylesheet" type="text/css" href="findbugs.css"> |
- |
- </head> |
+<head> |
+<title>FindBugs Change Log</title> |
+<link rel="stylesheet" type="text/css" href="findbugs.css"> |
- <body> |
+</head> |
- <table width="100%"> |
- <tr> |
+<body> |
- |
+ <table width="100%"> |
+ <tr> |
+ |
+ |
<td bgcolor="#b9b9fe" valign="top" align="left" width="20%"> |
<table width="100%" cellspacing="0" border="0"> |
<tr><td><a class="sidebar" href="index.html"><img src="umdFindbugs.png" alt="FindBugs"></a></td></tr> |
@@ -54,1105 +55,1432 @@ |
</table> |
</td> |
- <td align="left" valign="top"> |
- |
- |
- <h1>FindBugs Change Log, Version 2.0.1</h1> |
- |
- <ul> |
- <li>New bug patterns; in some cases, bugs previous reported as other bug patterns are reported |
- as instances of these new bug patterns in order to make it easier for developers to understand |
- the bug reports</li> |
- <ul> |
- <li><a |
- href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL |
- </a> |
- <li><a |
- href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_RELATIVE_PATH_TRAVERSAL">PT_RELATIVE_PATH_TRAVERSAL |
- </a> |
- <li><a |
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR">NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR |
- </a> |
- <li><a |
- href="http://findbugs.sourceforge.net/bugDescriptions.html#MS_SHOULD_BE_REFACTORED_TO_BE_FINAL">MS_SHOULD_BE_REFACTORED_TO_BE_FINAL |
- </a> |
- <li><a |
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST_OF_RETURN_VALUE">BC_UNCONFIRMED_CAST_OF_RETURN_VALUE |
- </a> |
- <li><a |
- href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL |
- </a> |
- <li><a |
- href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS">TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS |
- </a> |
- </ul> |
- <li>Changes to fix false negatives for the following bug patterns: <a |
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>, |
- <a href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_BAD_ARRAY_COMPARE">EC_BAD_ARRAY_COMPARE</a>, |
- <a href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_UNUSUAL">EQ_UNUSUAL</a>, <a |
- href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>, |
- and <a |
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE">NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE</a>. |
+ <td align="left" valign="top"> |
- |
- <li>Changes to fix false positions for the following bug patterns: <a |
- href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_DOH">DMI_DOH</a>, <a |
- href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>, |
- and <a href="http://findbugs.sourceforge.net/bugDescriptions.html#SE_BAD_FIELD">SE_BAD_FIELD</a>. |
- |
- </ul> |
- |
- <h1> |
- FindBugs Change Log, Version 2.0.0 |
- </h1> |
- |
- <h2> Changes since version 1.3.8</h2> |
- <ul> |
- <li>New bug patterns; in some cases, bugs previous reported as other bug patterns are reported as instances |
- of these new bug patterns in order to make it easier for developers to understand the bug reports</li> |
- <ul> |
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST ">BC_IMPOSSIBLE_DOWNCAST </a> |
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY ">BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY </a> |
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE ">EC_INCOMPATIBLE_ARRAY_COMPARE </a> |
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#JLM_JSR166_UTILCONCURRENT_MONITORENTER ">JLM_JSR166_UTILCONCURRENT_MONITORENTER </a> |
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE ">LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE </a> |
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_CLOSING_NULL ">NP_CLOSING_NULL </a> |
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE ">RC_REF_COMPARISON_BAD_PRACTICE </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN ">RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED ">RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#SIC_THREADLOCAL_DEADLY_EMBRACE ">SIC_THREADLOCAL_DEADLY_EMBRACE </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR ">UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED ">VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED </a> |
- </ul> |
- <li>Providing a bug rank (1-20), and the ability to filter by bug rank. Eventually, |
- it will be possible to specify your own rules for ranking bugs, but the procedure for doing so hasn't been specified yet. |
- <li>Fixed about <a href="https://sourceforge.net/search/index.php?group_id=96405&search_summary=1&search_details=1&type_of_search=artifact&group_artifact_id%5B%5D=614693&open_date_start=2009-03-16&open_date_end=2009-08-20&form_submit=Search">45 bugs filed</a> through SourceForge |
- <li>Various reclassifications and priority tweaks |
- <li>Added more bug annotations to a variety of bug reports. |
- This provides more context for understanding bug reports |
- (e.g., if the value in question was is the return value |
- of a method, the method is described as the source of |
- the value in a bug annotation). This also provide more |
- accurate tracking of issues across versions of the code |
- being analyzed, but has the downside that when comparing |
- results from FindBugs 1.3.8 and FindBugs 1.3.9 on the |
- same version of code being analyzed, |
- FindBugs may think that mistakenly believe that the |
- issue reported by 1.3.8 was fixed and a new issue was |
- introduced that was reported by FindBugs 1.3.9. While |
- annoying, it would be unusual for more than a dozen |
- issues per million |
- lines of codes to be mistracked. |
- <li> Lots of internal changes moving towards FindBugs 2.0, but these |
- features are undocumented, not yet officially supported, and subject to |
- radical changes before FindBugs 2.0 is released. |
- |
- |
- </ul> |
- |
- |
- |
- <p> Changes since version 1.3.8</p> |
- <ul> |
- <li>New bug patterns; in some cases, bugs previous reported as other bug patterns are reported as instances |
- of these new bug patterns in order to make it easier for developers to understand the bug reports</li> |
- <ul> |
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST ">BC_IMPOSSIBLE_DOWNCAST </a> |
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY ">BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY </a> |
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE ">EC_INCOMPATIBLE_ARRAY_COMPARE </a> |
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#JLM_JSR166_UTILCONCURRENT_MONITORENTER ">JLM_JSR166_UTILCONCURRENT_MONITORENTER </a> |
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE ">LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE </a> |
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_CLOSING_NULL ">NP_CLOSING_NULL </a> |
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE ">RC_REF_COMPARISON_BAD_PRACTICE </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN ">RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED ">RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#SIC_THREADLOCAL_DEADLY_EMBRACE ">SIC_THREADLOCAL_DEADLY_EMBRACE </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR ">UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED ">VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED </a> |
- </ul> |
- <li>Providing a bug rank (1-20), and the ability to filter by bug rank. Eventually, |
- it will be possible to specify your own rules for ranking bugs, but the procedure for doing so hasn't been specified yet. |
- <li>Fixed about <a href="https://sourceforge.net/search/index.php?group_id=96405&search_summary=1&search_details=1&type_of_search=artifact&group_artifact_id%5B%5D=614693&open_date_start=2009-03-16&open_date_end=2009-08-20&form_submit=Search">45 bugs filed</a> through SourceForge |
- <li>Various reclassifications and priority tweaks |
- <li>Added more bug annotations to a variety of bug reports. |
- This provides more context for understanding bug reports |
- (e.g., if the value in question was is the return value |
- of a method, the method is described as the source of |
- the value in a bug annotation). This also provide more |
- accurate tracking of issues across versions of the code |
- being analyzed, but has the downside that when comparing |
- results from FindBugs 1.3.8 and FindBugs 1.3.9 on the |
- same version of code being analyzed, |
- FindBugs may think that mistakenly believe that the |
- issue reported by 1.3.8 was fixed and a new issue was |
- introduced that was reported by FindBugs 1.3.9. While |
- annoying, it would be unusual for more than a dozen |
- issues per million |
- lines of codes to be mistracked. |
- <li> Lots of internal changes moving towards FindBugs 2.0, but these |
- features are undocumented, not yet officially supported, and subject to |
- radical changes before FindBugs 2.0 is released. |
- |
- |
- </ul> |
- <p> Changes since version 1.3.7</p> |
- <ul> |
- <li>Primarily another small bugfix release.</li> |
- <li>FindBugs base:</li> |
- <ul> |
- <li>New Reports:</li> |
- <ul> |
- <li>SF_SWITCH_NO_DEFAULT: missing default case in switch statement.</li> |
- <li>SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH_TO_THROW: value ignored when switch fallthrough leads to |
- thrown exception.</li> |
- <li>INT_VACUOUS_BIT_OPERATION: bit operations that don't do any meaningful work.</li> |
- <li>FB_UNEXPECTED_WARNING: warning generated that conflicts with @NoWarning FindBugs annotation.</li> |
- <li>FB_MISSING_EXPECTED_WARNING: warning not generated despite presence of @ExpectedWarning FindBugs annotation.</li> |
- <li>NOISE category: intended for use in data mining experiments.</li> |
- <ul> |
- <li>NOISE_NULL_DEREFERENCE: fake null point dereference warning.</li> |
- <li>NOISE_METHOD_CALL: fake method call warning.</li> |
- <li>NOISE_FIELD_REFERENCE: fake field dereference warning.</li> |
- <li>NOISE_OPERATION: fake operation warning.</li> |
- </ul> |
- </ul> |
- <li>Other:</li> |
- <ul> |
- <li>Garvin Leclaire has created a new Apache Maven repository for FindBugs at |
- <a href="http://code.google.com/p/findbugs/">the Google Code FindBugs SVN repository</a>. (Thanks Garvin!)</li> |
- </ul> |
- <li>Fixes:</li> |
- <ul> |
- <li>[ 2317842 ] Highlighting broken in Windows</li> |
- <li>[ 2515908 ] check for oddness should track sign of argument</li> |
- <li>[ 2487936 ] "L B GC" false pos cast from Map.Entry.getKey() to Map.get()</li> |
- <li>[ 2528264 ] Ant tasks not compatible with Ant 1.7.1</li> |
- <li>[ 2539590 ] SF_SWITCH_FALLTHROUGH wrong message reported </li> |
- <li>[ 2020066 ] Bug history displayed in fancy-hist.xsl is incorrect</li> |
- <li>[ 2545098 ] Invalid character in analysis results file</li> |
- <li>[ 2492673 ] Plugin sites should specify 'requires Eclipse 3.3 or newer'</li> |
- <li>[ 2588044 ] a tiny typing error</li> |
- <li>[ 2589048 ] Documentation for convertXmlToText insufficient</li> |
- <li>[ 2638739 ] NullPointerException when building</li> |
- </ul> |
- <li>Patches:</li> |
- <ul> |
- <li>[ 2538184 ] Make BugCollection implement Iterable<BugInstance> (thanks to Tomas Pollak)</li> |
- <li>[ 2249771 ] Add Maven2 Findbugs plugin link to the Links page (thanks to Garvin Leclaire)</li> |
- <li>[ 2609526 ] Japanese manual update (thanks to K. Hashimoto)</li> |
- <li>[ 2119482 ] CheckBcel checks for nonexistent classes (thanks to Jerry James)</li> |
- </ul> |
- </ul> |
- <li>FindBugs Eclipse plugin:</li> |
- <ul> |
- <li>Major feature enhancements (thanks to Andrey Loskutov). |
- See <a href="http://andrei.gmxhome.de/findbugs/index.html">this overview</a> for more information.</li> |
- <li>Major test improvements (thanks to Tomas Pollak).</li> |
- <li>Fixes:</li> |
- <ul> |
- <li>[ 2532365 ] Compiler warning</li> |
- <li>[ 2522989 ] Fix filter files selection</li> |
- <li>[ 2504068 ] NullPointerException</li> |
- <li>[ 2640849 ] NPE in Eclipse plugin 1.3.7 and Eclipse 3.5 M5</li> |
- </ul> |
- <li>Patches:</li> |
- <ul> |
- <li>[ 2143140 ] Unchecked conversion fixes for Eclipse plugin (thanks to Jerry James) |
- </ul> |
- </ul> |
- </ul> |
- </ul> |
- |
- <p> Changes since version 1.3.6</p> |
- <ul> |
- <li>Overall, a small bugfix release. |
- <li>New detection of accidental vacuous/useless calls to EasyMock methods, |
- and of generic signatures that proclaim the use of unhashable classes |
- in ways that require that they be hashed. |
- <li>Eliminate some false positives where we were warning about |
- a useless call (e.g., comparing two incompatible types for equality), |
- but the only thing the code was doing with the result was |
- passing it to assertFalse. |
- <li>Japanese localization and manual by K.Hashimoto. (Thanks!) |
- <li>Added -exclude and -outputDir command line options to rejarForAnalysis |
- <li>Extended -adjustPriorities option to FindBugs analysis textui so that you |
- can modify the priorities of individual bug patterns as well as visitors, |
- and also completely suppress individual bug patterns or visitors. |
- <ul> |
- <li> e.g., -adjustPriority MS_SHOULD_BE_FINAL=suppress,MS_PKGPROTECT=suppress,EI_EXPOSE_REP=suppress,EI_EXPOSE_REP2=suppress,PZLA_PREFER_ZERO_LENGTH_ARRAYS=raise |
- </ul> |
- </ul> |
- |
- <p> Changes since version 1.3.5</p> |
- <ul> |
- <li>Added fairly exhaustive static analysis |
- of uses of format strings, checking for missing or |
- extra arguements, invalid format specifiers, |
- or mismatched format specifiers and arguments (e.g, |
- passing a String value for a %d format specifier). |
- The logic for doing so is derived from Sun's java.util.Formatter class, |
- and available separately from FindBugs as part of the |
- <a href="https://jformatstring.dev.java.net/">jFormatString</a> project. |
+ <h1>FindBugs Change Log, Version 2.0.3</h1> |
+ <ul> |
+ <li>New Bug patterns: <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_BOXED_PRIMITIVE_FOR_PARSING">DM_BOXED_PRIMITIVE_FOR_PARSING</a>, |
+ <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_METHOD_RETURN_RELAXING_ANNOTATION">NP_METHOD_RETURN_RELAXING_ANNOTATION</a>, |
+ and |
+ <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION">NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION</a> |
+ </li> |
+ <li>Add the ability in the GUI to save the currently viewable/filtered bugs to HTML output. |
+ <li>When dataflow does't terminate, make sure we continue with |
+ analysis. |
- <li>More tuning of the unsatisfied obligation detector. Since this |
- detector is still rather noisy and an unfinished research project, |
- I've moved the generated issues to a new category: EXPERIMENTAL. |
+ <li>Fix some problems that resulting in dataflow analysis not |
+ terminating |
- <li>Added check for <a href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_ADD_OF_SIGNED_BYTE">BIT_ADD_OF_SIGNED_BYTE</a>; similar to <a href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_IOR_OF_SIGNED_BYTE">BIT_IOR_OF_SIGNED_BYTE</a>, except that |
- addition is being used to combine shifted signed bytes. |
+ <li>Get parameter annotations from default parameters |
+ annotations applied to the method. |
+ <li>Add subversion change number to eclipse plugin qualifier. |
- <li>Changed detection of EI_EXPOSE_REP2, so we only report it if the value stored |
- is guaranteed to be the same value that was passed in as a parameter. |
+ <li>Disabled detector for <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#AM_CREATES_EMPTY_JAR_FILE_ENTRY">AM_CREATES_EMPTY_JAR_FILE_ENTRY</a>; |
+ it complaints inappropriately about code that creates directory |
+ entries. |
- <li>Added <a href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS">EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS</a>, a warning when |
- an equals method checks to see if an operand is an instance of a class not |
- compatible with itself. For example, if the Foo class checks to see if the argument |
- is an instance of String. This is either a questionable design decision or a coding mistake. |
- <li>Added <a href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_INVOKING_HASHCODE_ON_ARRAY">DMI_INVOKING_HASHCODE_ON_ARRAY</a>, |
- which checks for invoking <code>hashCode()</code> on an array, which returns a hash code that ignores the contents of the array. |
- <li>Added checks for using <code>x.removeAll(x)</code> to rather than <code>x.clear()</code> |
- to clear an array. |
- <li>Add checks for calls such as <code>x.contains(x)</code>, <code>x.remove(x)</code> and <code>x.containsAll(x)</code>. |
- <li>Improvements to Eclipse plugin (thanks to Andrey Loskutov): |
- <ul> |
- <li>Report separate markers for each occurrence of an issue that appears multiple times in a method |
- <li> fine tuning for reported markers: add only one marker for fields, add marker on right position |
- <li> link bugs selected in bug explorer view to the opened editor and vice versa |
- <li> select bugs selected in editor ruler in the opened bug explorer view |
- <li> consistent abbreviations used in both bug explorer and bug details view |
- <li> added "Expand All" button to the bug explorer view |
- <li> added "Go Into/Go Up" buttons to the bug explorer view |
- <li> added "Copy to clipboard" menu/functionality to the details view list widget |
- <li> fix for CNF exception if loading the backup solution for broken browser widget |
+ <li>Add warnings about incompatible types passed to |
+ org.testng.Assert.assertEquals</li> |
+ <li>Add logic that understands more of the Google Guava APIs. |
+ <li>Disable type qualifier validator execution within Eclipse plugin; |
+ too many problems with class loading and security manager (see #1154 Random obscure Eclipse failures) |
+ <li>Consistently check both access flags and attributes to see if something is synthetic. Compiler is |
+ inconsistent about where synthetic elements are marked. |
- </ul></ul> |
+ <li>Fixed false positives for the following bug patterns (17 |
+ occurrences in findbugsTestCases): |
+ <ul> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC">BC</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_INSTANCEOF">BC_IMPOSSIBLE_INSTANCEOF</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#INT_BAD_COMPARISON_WITH_NONNEGATIVE_VALUE">INT_BAD_COMPARISON_WITH_NONNEGATIVE_VALUE</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#IS2_INCONSISTENT_SYNC">IS2_INCONSISTENT_SYNC</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS">NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#OBL_UNSATISFIED_OBLIGATION">OBL_UNSATISFIED_OBLIGATION</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE">RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SA_FIELD_SELF_COMPARISON">SA_FIELD_SELF_COMPARISON</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED">TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED</a> |
+ </li> |
+ </ul> |
+ <li>Fixed false negatives for the following bug patterns (45 |
+ occurrences in findbugsTestCases): |
+ <ul> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_NUMBER_CTOR">DM_NUMBER_CTOR</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_ARRAY_AND_NONARRAY">EC_ARRAY_AND_NONARRAY</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE">EC_INCOMPATIBLE_ARRAY_COMPARE</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#IS_FIELD_NOT_GUARDED">IS_FIELD_NOT_GUARDED</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#IT_NO_SUCH_ELEMENT">IT_NO_SUCH_ELEMENT</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS">JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_ON_SOME_PATH">NP_NULL_ON_SOME_PATH</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_PARAM_VIOLATION">NP_NONNULL_PARAM_VIOLATION</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE">NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE">NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_STORE_INTO_NONNULL_FIELD">NP_STORE_INTO_NONNULL_FIELD</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RE_POSSIBLE_UNINTENDED_PATTERN">RE_POSSIBLE_UNINTENDED_PATTERN</a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SA_FIELD_SELF_COMPARISON">SA_FIELD_SELF_COMPARISON</a> |
+ </ul> |
+ </ul> |
+ <h1>FindBugs Change Log, Version 2.0.2</h1> |
+ |
+ <ul> |
+ <li>Fix false positions for <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR">NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR</a> |
+ - fixing <a |
+ href="https://sourceforge.net/tracker/?func=detail&aid=3547559&group_id=96405&atid=614693">Bug3547559</a>, |
+ <a |
+ href="https://sourceforge.net/tracker/?func=detail&aid=3555408&group_id=96405&atid=614693">Bug3555408</a>, |
+ <a |
+ href="https://sourceforge.net/tracker/?func=detail&aid=3580266&group_id=96405&atid=614693">Bug3580266</a> |
+ and <a |
+ href="https://sourceforge.net/tracker/?func=detail&aid=3587164&group_id=96405&atid=614693">Bug3587164</a>. |
+ |
+ |
+ </li> |
+ <li>Fix false positives for <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SF_SWITCH_NO_DEFAULT">SF_SWITCH_NO_DEFAULT</a> |
+ <li>Inline access methods for private fields, |
+ fixing false positive in <a |
+ href="https://sourceforge.net/tracker/?func=detail&aid=3484713&group_id=96405&atid=614693">Bug3484713</a>. |
+ |
+ <li>Type qualifier annotations, including nullness |
+ annotations, are now ignored on vararg parameters (including |
+ default and inherited annotations), awaiting JSR308. |
+ <li>Defined new bug pattern to give better explanations of |
+ issues involving strict type qualifiers <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED">TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED</a> |
+ <li>Adjusted analysis of type qualifiers, now giving warnings |
+ where a computed value is used in a place where a value with a |
+ strict type qualifier is required. |
+ <li>Complain about missing classes only if they are |
+ encountered while analyzing application classes; ignore missing |
+ classes that are encounted while analyzing classes loaded from the |
+ auxclasspath. Fix for <a |
+ href="https://sourceforge.net/tracker/?func=detail&aid=3588379&group_id=96405&atid=614693">Bug3588379</a> |
+ <li>Fixed false positive null pointer warning coming from |
+ synthetic bridge methods, fixing <a |
+ href="https://sourceforge.net/tracker/?func=detail&aid=3589328&group_id=96405&atid=614693">Bug3589328</a> |
+ <li>In general, suppress warnings in synthetic methods. |
+ <li>Fix some false positives involving <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a> |
+ on classes that extend generic collection classes. |
+ |
+ </li> |
+ <li>Combine multiple identical warnings about |
+ <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_DEFAULT_ENCODING">DM_DEFAULT_ENCODING</a> |
+ that occur in the same method, |
+ simplifying issue triage. |
+ |
+ <li>Changes by Andrey Loskutov |
+ <ul> |
+ <li>fixed job scheduling errors in 3.8/4.2 Eclipse <a |
+ href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=393748">bug |
+ report</a> |
+ <li>more realistic progress bar updates for jobs |
+ <li>added nullness annotations for some common Eclipse API |
+ methods known to usually return null values |
+ <li>Added support for org.eclipse.jdt.annotation.Nullable, |
+ NonNull and NonNullByDefault annotations (introduced with |
+ Eclipse 3.8/4.2)</li> |
+ </ul> |
+ <li>Documentation improvements |
+ <li><a href="http://code.google.com/p/findbugs/source/list">lots |
+ of other small changes</a> |
+ </ul> |
+ <h1>FindBugs Change Log, Version 2.0.1</h1> |
+ |
+ <ul> |
+ <li>New bug patterns; in some cases, bugs previous reported as |
+ other bug patterns are reported as instances of these new bug |
+ patterns in order to make it easier for developers to understand |
+ the bug reports |
+ <ul> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL</a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_RELATIVE_PATH_TRAVERSAL">PT_RELATIVE_PATH_TRAVERSAL</a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR">NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR</a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#MS_SHOULD_BE_REFACTORED_TO_BE_FINAL">MS_SHOULD_BE_REFACTORED_TO_BE_FINAL</a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST_OF_RETURN_VALUE">BC_UNCONFIRMED_CAST_OF_RETURN_VALUE</a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL</a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS">TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS</a></li> |
+ </ul> |
+ </li> |
+ |
+ <li>Changes to fix false negatives for the following bug |
+ patterns: <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>, |
+ <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_BAD_ARRAY_COMPARE">EC_BAD_ARRAY_COMPARE</a>, |
+ <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_UNUSUAL">EQ_UNUSUAL</a>, |
+ <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>, |
+ and <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE">NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE</a>. |
+ </li> |
+ |
+ <li>Changes to fix false positions for the following bug |
+ patterns: <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_DOH">DMI_DOH</a>, |
+ <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>, |
+ and <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SE_BAD_FIELD">SE_BAD_FIELD</a>. |
+ </li> |
+ </ul> |
+ |
+ <h1>FindBugs Change Log, Version 2.0.0</h1> |
+ |
+ <h2>Changes since version 1.3.8</h2> |
+ <ul> |
+ <li>New bug patterns; in some cases, bugs previous reported as |
+ other bug patterns are reported as instances of these new bug |
+ patterns in order to make it easier for developers to understand |
+ the bug reports |
+ <ul> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST ">BC_IMPOSSIBLE_DOWNCAST |
+ </a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY ">BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY |
+ </a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE ">EC_INCOMPATIBLE_ARRAY_COMPARE |
+ </a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#JLM_JSR166_UTILCONCURRENT_MONITORENTER ">JLM_JSR166_UTILCONCURRENT_MONITORENTER |
+ </a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE ">LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE |
+ </a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_CLOSING_NULL ">NP_CLOSING_NULL |
+ </a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE ">RC_REF_COMPARISON_BAD_PRACTICE |
+ </a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN ">RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN |
+ </a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED ">RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED |
+ </a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SIC_THREADLOCAL_DEADLY_EMBRACE ">SIC_THREADLOCAL_DEADLY_EMBRACE |
+ </a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR ">UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR |
+ </a></li> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED ">VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED |
+ </a></li> |
+ </ul> |
+ </li> |
+ <li>Providing a bug rank (1-20), and the ability to filter by |
+ bug rank. Eventually, it will be possible to specify your own |
+ rules for ranking bugs, but the procedure for doing so hasn't been |
+ specified yet.</li> |
+ <li>Fixed about <a |
+ href="https://sourceforge.net/search/index.php?group_id=96405&search_summary=1&search_details=1&type_of_search=artifact&group_artifact_id%5B%5D=614693&open_date_start=2009-03-16&open_date_end=2009-08-20&form_submit=Search">45 |
+ bugs filed</a> through SourceForge |
+ </li> |
+ <li>Various reclassifications and priority tweaks</li> |
+ <li>Added more bug annotations to a variety of bug reports. |
+ This provides more context for understanding bug reports (e.g., if |
+ the value in question was is the return value of a method, the |
+ method is described as the source of the value in a bug |
+ annotation). This also provide more accurate tracking of issues |
+ across versions of the code being analyzed, but has the downside |
+ that when comparing results from FindBugs 1.3.8 and FindBugs 1.3.9 |
+ on the same version of code being analyzed, FindBugs may think |
+ that mistakenly believe that the issue reported by 1.3.8 was fixed |
+ and a new issue was introduced that was reported by FindBugs |
+ 1.3.9. While annoying, it would be unusual for more than a dozen |
+ issues per million lines of codes to be mistracked.</li> |
+ <li>Lots of internal changes moving towards FindBugs 2.0, but |
+ these features are undocumented, not yet officially supported, and |
+ subject to radical changes before FindBugs 2.0 is released.</li> |
+ </ul> |
+ |
+ <p>Changes since version 1.3.8</p> |
+ <ul> |
+ <li>New bug patterns; in some cases, bugs previous reported as |
+ other bug patterns are reported as instances of these new bug |
+ patterns in order to make it easier for developers to understand |
+ the bug reports |
+ <ul> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST ">BC_IMPOSSIBLE_DOWNCAST |
+ </a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY ">BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY |
+ </a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE ">EC_INCOMPATIBLE_ARRAY_COMPARE |
+ </a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#JLM_JSR166_UTILCONCURRENT_MONITORENTER ">JLM_JSR166_UTILCONCURRENT_MONITORENTER |
+ </a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE ">LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE |
+ </a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_CLOSING_NULL ">NP_CLOSING_NULL |
+ </a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE ">RC_REF_COMPARISON_BAD_PRACTICE |
+ </a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN ">RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN |
+ </a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED ">RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED |
+ </a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SIC_THREADLOCAL_DEADLY_EMBRACE ">SIC_THREADLOCAL_DEADLY_EMBRACE |
+ </a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR ">UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR |
+ </a> |
+ <li><a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED ">VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED |
+ </a> |
+ </ul> |
+ </li> |
+ <li>Providing a bug rank (1-20), and the ability to filter by |
+ bug rank. Eventually, it will be possible to specify your own |
+ rules for ranking bugs, but the procedure for doing so hasn't been |
+ specified yet.</li> |
+ <li>Fixed about <a |
+ href="https://sourceforge.net/search/index.php?group_id=96405&search_summary=1&search_details=1&type_of_search=artifact&group_artifact_id%5B%5D=614693&open_date_start=2009-03-16&open_date_end=2009-08-20&form_submit=Search">45 |
+ bugs filed</a> through SourceForge |
+ </li> |
+ <li>Various reclassifications and priority tweaks</li> |
+ <li>Added more bug annotations to a variety of bug reports. |
+ This provides more context for understanding bug reports (e.g., if |
+ the value in question was is the return value of a method, the |
+ method is described as the source of the value in a bug |
+ annotation). This also provide more accurate tracking of issues |
+ across versions of the code being analyzed, but has the downside |
+ that when comparing results from FindBugs 1.3.8 and FindBugs 1.3.9 |
+ on the same version of code being analyzed, FindBugs may think |
+ that mistakenly believe that the issue reported by 1.3.8 was fixed |
+ and a new issue was introduced that was reported by FindBugs |
+ 1.3.9. While annoying, it would be unusual for more than a dozen |
+ issues per million lines of codes to be mistracked.</li> |
+ <li>Lots of internal changes moving towards FindBugs 2.0, but |
+ these features are undocumented, not yet officially supported, and |
+ subject to radical changes before FindBugs 2.0 is released.</li> |
+ </ul> |
+ |
+ <p>Changes since version 1.3.7</p> |
+ <ul> |
+ <li>Primarily another small bugfix release.</li> |
+ <li>FindBugs base: |
+ <ul> |
+ <li>New Reports: |
+ <ul> |
+ <li>SF_SWITCH_NO_DEFAULT: missing default case in switch |
+ statement.</li> |
+ <li>SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH_TO_THROW: |
+ value ignored when switch fallthrough leads to thrown |
+ exception.</li> |
+ <li>INT_VACUOUS_BIT_OPERATION: bit operations that don't |
+ do any meaningful work.</li> |
+ <li>FB_UNEXPECTED_WARNING: warning generated that |
+ conflicts with @NoWarning FindBugs annotation.</li> |
+ <li>FB_MISSING_EXPECTED_WARNING: warning not generated |
+ despite presence of @ExpectedWarning FindBugs annotation.</li> |
+ <li>NOISE category: intended for use in data mining |
+ experiments. |
+ <ul> |
+ <li>NOISE_NULL_DEREFERENCE: fake null point dereference |
+ warning.</li> |
+ <li>NOISE_METHOD_CALL: fake method call warning.</li> |
+ <li>NOISE_FIELD_REFERENCE: fake field dereference |
+ warning.</li> |
+ <li>NOISE_OPERATION: fake operation warning.</li> |
+ </ul> |
+ </li> |
+ </ul> |
+ </li> |
+ <li>Other: |
+ <ul> |
+ <li>Garvin Leclaire has created a new Apache Maven |
+ repository for FindBugs at <a |
+ href="http://code.google.com/p/findbugs/">the Google Code |
+ FindBugs SVN repository</a>. (Thanks Garvin!) |
+ </li> |
+ </ul> |
+ </li> |
+ <li>Fixes: |
+ <ul> |
+ <li>[ 2317842 ] Highlighting broken in Windows</li> |
+ <li>[ 2515908 ] check for oddness should track sign of |
+ argument</li> |
+ <li>[ 2487936 ] "L B GC" false pos cast from |
+ Map.Entry.getKey() to Map.get()</li> |
+ <li>[ 2528264 ] Ant tasks not compatible with Ant 1.7.1</li> |
+ <li>[ 2539590 ] SF_SWITCH_FALLTHROUGH wrong message |
+ reported</li> |
+ <li>[ 2020066 ] Bug history displayed in fancy-hist.xsl is |
+ incorrect</li> |
+ <li>[ 2545098 ] Invalid character in analysis results file</li> |
+ <li>[ 2492673 ] Plugin sites should specify "requires |
+ Eclipse 3.3 or newer"</li> |
+ <li>[ 2588044 ] a tiny typing error</li> |
+ <li>[ 2589048 ] Documentation for convertXmlToText |
+ insufficient</li> |
+ <li>[ 2638739 ] NullPointerException when building</li> |
+ </ul> |
+ </li> |
+ <li>Patches: |
+ <ul> |
+ <li>[ 2538184 ] Make BugCollection implement |
+ Iterable<BugInstance> (thanks to Tomas Pollak)</li> |
+ <li>[ 2249771 ] Add Maven2 Findbugs plugin link to the |
+ Links page (thanks to Garvin Leclaire)</li> |
+ <li>[ 2609526 ] Japanese manual update (thanks to K. |
+ Hashimoto)</li> |
+ <li>[ 2119482 ] CheckBcel checks for nonexistent classes |
+ (thanks to Jerry James)</li> |
+ </ul> |
+ </li> |
+ </ul> |
+ </li> |
+ <li>FindBugs Eclipse plugin: |
+ <ul> |
+ <li>Major feature enhancements (thanks to Andrey Loskutov). |
+ See <a href="http://andrei.gmxhome.de/findbugs/index.html">this |
+ overview</a> for more information. |
+ </li> |
+ <li>Major test improvements (thanks to Tomas Pollak).</li> |
+ <li>Fixes: |
+ <ul> |
+ <li>[ 2532365 ] Compiler warning</li> |
+ <li>[ 2522989 ] Fix filter files selection</li> |
+ <li>[ 2504068 ] NullPointerException</li> |
+ <li>[ 2640849 ] NPE in Eclipse plugin 1.3.7 and Eclipse |
+ 3.5 M5</li> |
+ </ul> |
+ </li> |
+ <li>Patches: |
+ <ul> |
+ <li>[ 2143140 ] Unchecked conversion fixes for Eclipse |
+ plugin (thanks to Jerry James) |
+ </ul> |
+ </li> |
+ </ul> |
+ </li> |
+ </ul> |
+ |
+ <p>Changes since version 1.3.6</p> |
+ <ul> |
+ <li>Overall, a small bugfix release. |
+ <li>New detection of accidental vacuous/useless calls to |
+ EasyMock methods, and of generic signatures that proclaim the use |
+ of unhashable classes in ways that require that they be hashed. |
+ <li>Eliminate some false positives where we were warning about |
+ a useless call (e.g., comparing two incompatible types for |
+ equality), but the only thing the code was doing with the result |
+ was passing it to assertFalse. |
+ <li>Japanese localization and manual by K.Hashimoto. (Thanks!) |
+ <li>Added -exclude and -outputDir command line options to |
+ rejarForAnalysis |
+ <li>Extended -adjustPriorities option to FindBugs analysis |
+ textui so that you can modify the priorities of individual bug |
+ patterns as well as visitors, and also completely suppress |
+ individual bug patterns or visitors. |
+ <ul> |
+ <li>e.g., -adjustPriority |
+ MS_SHOULD_BE_FINAL=suppress,MS_PKGPROTECT=suppress,EI_EXPOSE_REP=suppress,EI_EXPOSE_REP2=suppress,PZLA_PREFER_ZERO_LENGTH_ARRAYS=raise |
+ |
+ </ul> |
+ </ul> |
+ |
+ |
+ <p>Changes since version 1.3.5</p> |
+ <ul> |
+ <li>Added fairly exhaustive static analysis of uses of format |
+ strings, checking for missing or extra arguements, invalid format |
+ specifiers, or mismatched format specifiers and arguments (e.g, |
+ passing a String value for a %d format specifier). The logic for |
+ doing so is derived from Sun's java.util.Formatter class, and |
+ available separately from FindBugs as part of the <a |
+ href="https://jformatstring.dev.java.net/">jFormatString</a> |
+ project. |
+ <li>More tuning of the unsatisfied obligation detector. Since |
+ this detector is still rather noisy and an unfinished research |
+ project, I've moved the generated issues to a new category: |
+ EXPERIMENTAL. |
+ <li>Added check for <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_ADD_OF_SIGNED_BYTE">BIT_ADD_OF_SIGNED_BYTE</a>; |
+ similar to <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_IOR_OF_SIGNED_BYTE">BIT_IOR_OF_SIGNED_BYTE</a>, |
+ except that addition is being used to combine shifted signed |
+ bytes. |
+ <li>Changed detection of EI_EXPOSE_REP2, so we only report it |
+ if the value stored is guaranteed to be the same value that was |
+ passed in as a parameter. |
+ <li>Added <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS">EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS</a>, |
+ a warning when an equals method checks to see if an operand is an |
+ instance of a class not compatible with itself. For example, if |
+ the Foo class checks to see if the argument is an instance of |
+ String. This is either a questionable design decision or a coding |
+ mistake. |
+ <li>Added <a |
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_INVOKING_HASHCODE_ON_ARRAY">DMI_INVOKING_HASHCODE_ON_ARRAY</a>, |
+ which checks for invoking <code>hashCode()</code> on an array, |
+ which returns a hash code that ignores the contents of the array. |
+ <li>Added checks for using <code>x.removeAll(x)</code> to |
+ rather than <code>x.clear()</code> to clear an array. |
+ <li>Add checks for calls such as <code>x.contains(x)</code>, <code>x.remove(x)</code> |
+ and <code>x.containsAll(x)</code>. |
+ <li>Improvements to Eclipse plugin (thanks to Andrey |
+ Loskutov): |
+ <ul> |
+ <li>Report separate markers for each occurrence of an issue |
+ that appears multiple times in a method |
+ <li>fine tuning for reported markers: add only one marker |
+ for fields, add marker on right position |
+ <li>link bugs selected in bug explorer view to the opened |
+ editor and vice versa |
+ <li>select bugs selected in editor ruler in the opened bug |
+ explorer view |
+ <li>consistent abbreviations used in both bug explorer and |
+ bug details view |
+ <li>added "Expand All" button to the bug explorer view |
+ <li>added "Go Into/Go Up" buttons to the bug explorer view |
+ <li>added "Copy to clipboard" menu/functionality to the |
+ details view list widget |
+ <li>fix for CNF exception if loading the backup solution for |
+ broken browser widget |
+ </ul> |
+ </ul> |
- <p> Changes since version 1.3.4</p> |
- <ul> |
+ |
+ |
+ <p>Changes since version 1.3.4</p> |
+ <ul> |
<li>Analysis about 15% faster |
- <li><a href="http://sourceforge.net/tracker/?atid=614693&group_id=96405&func=browse&status=closed">38 bugs closed</a></li> |
+ <li><a |
+ href="http://sourceforge.net/tracker/?atid=614693&group_id=96405&func=browse&status=closed">38 |
+ bugs closed</a></li> |
<li>New defect warnings: |
- <ul> |
- <li>calls to methods that always throw |
- UnsupportedOperationException (DMI_UNSUPPORTED_METHOD) |
- <li>repeated conditional tests (e.g., |
- <code>if (x < 0 || x < 0) ...</code>) |
- (RpC_REPEATED_CONDITIONAL_TEST) |
- <li>Complete rewrite of detector for format string problems. |
- More accurate, finds more problems, generates |
- more descriptive reports, several different |
- bug pattern |
- (VA_FORMAT_STRING_EXTRA_ARGUMENTS_PASSED, |
- VA_FORMAT_STRING_ILLEGAL, |
- VA_FORMAT_STRING_MISSING_ARGUMENT, |
- VA_FORMAT_STRING_BAD_ARGUMENT, |
- VA_FORMAT_STRING_NO_PREVIOUS_ARGUMENT) |
- |
- <li>Fairly complete implementation of JSR-305 custom type qualifier |
- analysis (no support for custom validators yet). |
- (TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK |
- TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_ALWAYS_SINK |
- TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_NEVER_SINK) |
- <li>New detector for unsatisfied obligations such forgetting to |
- close a file (OBL_UNSATISFIED_OBLIGATION). |
- <li>Warning when a parameter is marked as nullable, but is |
- always dereferenced. |
- (NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE) |
- <lI>Separate warning for dereference the result of readLine (NP_DEREFERENCE_OF_READLINE_VALUE) |
- </ul> |
- <li>When XML is generated with messages, the project stats now |
- include <FileStat> elements. |
- For each source file, this gives the path for the file, |
- the total number of warnings for that file, and a bugHash |
- for the file. While the instanceHash for a bug is intended |
- to be version invariant (ignoring line numbers, etc), the |
- bugHash for a file is intended to reflect all the information |
- about the warnings in that file. The intended use case is that |
- if the bugHash for a file is the same in two analysis runs, |
- then <em>nothing</em> has changed about any of the warnings |
- reported for that file between the two analysis runs. |
- <li>More merging of similar issues within a method. For example, |
- if the result of readLine() is dereferences multiple times |
- within a method, it will be reported as a single warning |
+ <ul> |
+ <li>calls to methods that always throw |
+ UnsupportedOperationException (DMI_UNSUPPORTED_METHOD) |
+ <li>repeated conditional tests (e.g., <code>if (x |
+ < 0 || x < 0) ...</code>) (RpC_REPEATED_CONDITIONAL_TEST) |
+ <li>Complete rewrite of detector for format string problems. |
+ More accurate, finds more problems, generates more descriptive |
+ reports, several different bug pattern |
+ (VA_FORMAT_STRING_EXTRA_ARGUMENTS_PASSED, |
+ VA_FORMAT_STRING_ILLEGAL, VA_FORMAT_STRING_MISSING_ARGUMENT, |
+ VA_FORMAT_STRING_BAD_ARGUMENT, |
+ VA_FORMAT_STRING_NO_PREVIOUS_ARGUMENT) |
+ <li>Fairly complete implementation of JSR-305 custom type |
+ qualifier analysis (no support for custom validators yet). |
+ (TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK |
+ TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_ALWAYS_SINK |
+ TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_NEVER_SINK) |
+ <li>New detector for unsatisfied obligations such forgetting |
+ to close a file (OBL_UNSATISFIED_OBLIGATION). |
+ <li>Warning when a parameter is marked as nullable, but is |
+ always dereferenced. |
+ (NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE) |
+ <lI>Separate warning for dereference the result of readLine |
+ (NP_DEREFERENCE_OF_READLINE_VALUE) |
+ </ul> |
+ <li>When XML is generated with messages, the project stats now |
+ include <FileStat> elements. For each source file, this |
+ gives the path for the file, the total number of warnings for that |
+ file, and a bugHash for the file. While the instanceHash for a bug |
+ is intended to be version invariant (ignoring line numbers, etc), |
+ the bugHash for a file is intended to reflect all the information |
+ about the warnings in that file. The intended use case is that if |
+ the bugHash for a file is the same in two analysis runs, then <em>nothing</em> |
+ has changed about any of the warnings reported for that file |
+ between the two analysis runs. |
+ <li>More merging of similar issues within a method. For |
+ example, if the result of readLine() is dereferences multiple |
+ times within a method, it will be reported as a single warning |
with occurrences at multiple source lines. |
- </ul> |
- <p> Changes since version 1.3.3</p> |
- |
- <ul> |
- <li>FindBugs base |
- <ul> |
- <li>New Reports:</li> |
- <ul> |
- <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC: |
- equals method overrides equals in superclass and may not be symmetric</li> |
- <li>EQ_ALWAYS_TRUE: |
- equals method always returns true</li> |
- <li>EQ_ALWAYS_FALSE: |
- equals method always returns false</li> |
- <li>EQ_COMPARING_CLASS_NAMES: |
- equals method compares class names rather than class objects</li> |
- <li>EQ_UNUSUAL: Unusual equals method</li> |
- <li>EQ_GETCLASS_AND_CLASS_CONSTANT: |
- equals method fails for subtypes</li> |
- <li>SE_READ_RESOLVE_IS_STATIC: |
- The readResolve method must not be declared as a static method.</li> |
- <li>SE_PRIVATE_READ_RESOLVE_NOT_INHERITED: |
- private readResolve method not inherited by subclasses</li> |
- <li>MSF_MUTABLE_SERVLET_FIELD: Mutable servlet field</li> |
- <li>XSS_REQUEST_PARAMETER_TO_SEND_ERROR: |
- Servlet reflected cross site scripting vulnerability</li> |
- <li>SKIPPED_CLASS_TOO_BIG: Class too big for analysis</li> |
- </ul> |
- <li>Other:</li> |
- <ul> |
- <li>Value-number analysis now more space-efficient</li> |
- <li>Enhancements to reduce memory overhead when |
- analyzing very large classes</li> |
- <li>Now skips very large classes that would otherwise |
- take too much time and memory to analyze</li> |
- <li>Infrastructure for tracking effectively-constant/ |
- effectively-final fields</li> |
- <li>Added more cweids</li> |
- <li>Enhanced taint tracking for taint-based detectors</li> |
- <li>Ignore doomed calls to equals if result is used |
- as an argument to assertFalse</li> |
- <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC handles compareTo</li> |
- <li>Priority tweak for ICAST_INTEGER_MULTIPLY_CAST_TO_LONG |
- (only low priority if multiplying by 1000)</li> |
- <li>Improved tracking of fields across method calls</li> |
- </ul> |
- <li>Fixes:</li> |
- <ul> |
- <li>[ 1941450 ] DLS_DEAD_LOCAL_STORE not reported</li> |
- <li>[ 1953323 ] Omitted break statement in SynchronizeAndNullCheckField</li> |
- <li>[ 1942620 ] Source Directories selection dialog interface confusion (partial)</li> |
- <li>[ 1948275 ] Unhelpful "Load of known null"</li> |
- <li>[ 1933922 ] MWM error in findbugs</li> |
- <li>[ 1934772 ] 1.3.3 appears to rely on JDK 1.6, JNLP still specifies 1.5</li> |
- <li>[ 1933945 ] -loadbugs doesn't work</li> |
- <li>Fixed problems for class names starting with '$'</li> |
- <li>Fixed bugs and incomplete handling of annotations in |
- VersionInsensitiveBugComparator</li> |
- </ul> |
- <li>Patches:</li> |
- <ul> |
- <li>[ 1955106 ] Javadoc fixes</li> |
- <li>[ 1951930 ] Superfluous import statements (thanks to Jerry James)</li> |
- <li>[ 1951907 ] Missing @Deprecated annotations (thanks to Jerry James)</li> |
- <li>[ 1951876 ] Infonode Docking Windows compile fix (thanks to Jerry James)</li> |
- <li>[ 1936055 ] bugfix for findbugs.de.comment not working (thanks to Peter Fokkinga) |
- </ul> |
- </ul> |
- <li>FindBugs BlueJ plugin</li> |
- <ul> |
- <li>Updated to use FindBugs 1.3.4 (first new release since 1.1.3)</li> |
- </ul> |
- </ul> |
- |
- <p> Changes since version 1.3.2</p> |
- |
- <ul> |
- <li>FindBugs base</li> |
- <ul> |
- <li>New Detectors:</li> |
- <ul> |
- <li>FieldItemSummary: Produces summary information |
- for what is stored into fields </li> |
- <li>SynchronizeOnClassLiteralNotGetClass: Look for |
- code that synchronizes on the results of getClass |
- rather than on class literals</li> |
- <li>SynchronizingOnContentsOfFieldToProtectField: This |
- detector looks for code that seems to be |
- synchronizing on a field in order to guard updates |
- of that field </li> |
- </ul> |
- <li>New BugCode:</li> |
- <ul> |
- <li> HRS: HTTP Response splitting vulnerability </li> |
- <li> WL: Possible locking on wrong object </li> |
- </ul> |
- <li>New Reports:</li> |
- <ul> |
- <li>DMI_CONSTANT_DB_PASSWORD: |
- This code creates a database connect using a hard coded, constant password </li> |
- <li>HRS_REQUEST_PARAMETER_TO_COOKIE: |
- HTTP cookie formed from untrusted input </li> |
- <li>HRS_REQUEST_PARAMETER_TO_HTTP_HEADER: |
- HTTP parameter directly written to HTTP header output </li> |
- <li>CN_IMPLEMENTS_CLONE_BUT_NOT_CLONEABLE: |
- Class defines clone() but doesn't implement Cloneable </li> |
- <li>DL_SYNCHRONIZATION_ON_BOXED_PRIMITIVE: |
- Synchronization on boxed primitive could lead to deadlock </li> |
- <li> DL_SYNCHRONIZATION_ON_BOOLEAN: |
- Synchronization on Boolean could lead to deadlock </li> |
- <li> ML_SYNC_ON_FIELD_TO_GUARD_CHANGING_THAT_FIELD: |
- Synchronization on field in futile attempt to guard that field </li> |
- <li> DLS_DEAD_LOCAL_STORE_IN_RETURN: |
- Useless assignment in return statement </li> |
- <li> WL_USING_GETCLASS_RATHER_THAN_CLASS_LITERAL: |
- Synchronization on getClass rather than class literal </li> |
- </ul> |
- <li>Other:</li> |
- <ul> |
- <li>Many enhancements to cross-site scripting detector and its documentation</li> |
- <li> Enhanced switch fall through handling </li> |
- <li> Enhanced unread field handling (look for IF_ACMPEQ and IF_ACMPNE) </li> |
- <li> Clarified documentation for @Nullable in manual </li> |
- <li> Fewer DeadLocalStore false positives </li> |
- <li> Fewer UnreadField false positives </li> |
- <li> Fewer StaticCalendarDetector false positives </li> |
- <li> Performance fix for slow file system IO e.g. Clearcase repositories (thanks, Andrei!) </li> |
- <li> Other, general performance enhancements (thanks, Andrei!) </li> |
- <li> Enhancements for using FindBugs scripts with MKS on Windows (thanks, Kelly O'Hair!) </li> |
- <li> Noted in the manual that jsr305.jar must be present for annotations to compile </li> |
- <li> Added and fine-tuned default-nullness annotations </li> |
- <li> More CWE IDs added </li> |
- <li> Check and warning for unexpected BCEL version in classpath </li> |
- </ul> |
- <li>Fixes:</li> |
- <ul> |
- <li>Bug fix to handling of local variable tables in BCEL</li> |
- <li>Refined documentation for MTIA_SUSPECT_STRUTS_INSTANCE_FIELD</li> |
- <li>[ 1927295 ] NPE when called on project root</li> |
- <li>[ 1926405 ] Incorrect dead store warning</li> |
- <li>[ 1926409 ] Incorrect redundant nullcheck warning</li> |
- <li>[ 1926389 ] Wrong line number printed/highlighted in bug</li> |
- <li>[ 1927040 ] typo in bug description</li> |
- <li>[ 1926263 ] Minor glitch in HTML output</li> |
- <li>[ 1926240 ] Minor error in standard options in manual</li> |
- <li>[ 1926236 ] Minor bug in installation section of manual</li> |
- <li>[ 1925539 ] ZIP is default file system code base</li> |
- <li>[ 1894701 ] Livelock / memory leak in ObjectTypeFactory (thanks, Andrei!)</li> |
- <li>[ 1867491 ] Doesn't reload annotations after code changes in IDE (thanks, Andrei!)</li> |
- <li>[ 1921399 ] -project option not supported</li> |
- <li>[ 1913834 ] "Dead" store to variable with method call</li> |
- <li>[ 1917352 ] H B se:...field in serializable class</li> |
- <li>[ 1911617 ] CloneIdiom relies on getNameConstantOperand for INSTANCEOF</li> |
- <li>[ 1911620 ] False +: DLS predecrement before return</li> |
- <li>[ 1871376 ] False negative: non-serializable Map field</li> |
- <li>[ 1871051 ] non standard clone() method</li> |
- <li>[ 1908854 ] Error in TestASM</li> |
- <li>[ 1907539 ] 22 minor errors in bug checker documentation</li> |
- <li>[ 1897323 ] EJB implementation class false positives</li> |
- <li>[ 1899648 ] Crash on startup on Vista with Java 1.6.0_04</li> |
- </ul> |
- </ul> |
- <li>FindBugs Eclipse plugin (change log by Andrey Loskutov)</li> |
- <ul> |
- <li> new feature: export basic FindBugs numbers for projects via File->Export->Java->BugCounts (Andrey Loskutov) </li> |
- <li> new feature: jobs for different projects will be run in parallel per default if running on a |
- multi-core PC ("fb.allowParallelBuild" system property not used anymore) (Andrey Loskutov) </li> |
- <li> fixed performance slowdown in the multi-threaded build, caused by workspace operation locks during |
- assigning marker attributes (Andrey Loskutov)</li> |
- </ul> |
- </ul> |
- |
- <p> Changes since version 1.3.1</p> |
- |
- <ul> |
- <li>FindBugs base</li> |
- <ul> |
- <li>New Bug Category:</li> |
- <ul> |
- <li>SECURITY (Abbrev: S), A use of untrusted input in |
- a way that could create a remotely exploitable |
- security vulnerability</li> |
- </ul> |
- <li>New Detectors:</li> |
- <ul> |
- <li>CrossSiteScripting: This detector looks for |
- obvious/blatant cases of cross site scripting |
- vulnerabilities</li> |
- </ul> |
- <li>New BugCode:</li> |
- <ul> |
- <li>XSS: Cross site scripting</li> |
- </ul> |
- <li>New Reports:</li> |
- <ul> |
- <li>XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: HTTP |
- parameter directly written to Servlet output, |
- giving XSS vulnerability</li> |
- <li>XSS_REQUEST_PARAMETER_TO_JSP_WRITER: HTTP |
- parameter directly written to JSP output, giving |
- XSS vulnerability</li> |
- <li>EQ_OTHER_USE_OBJECT: equals() method defined that |
- doesn't override Object.equals(Object)</li> |
- <li>EQ_OTHER_NO_OBJECT: equals() method inherits |
- rather than overrides equals(Object)</li> |
- <li>NP_NULL_ON_SOME_PATH_MIGHT_BE_INFEASIBLE: |
- Possible null pointer dereference on path that |
- might be infeasible</li> |
- </ul> |
- <li>Other:</li> |
- <ul> |
- <li>Added -noClassOk command-line parameter to |
- command-line and ant interfaces; when -noClassOk |
- is specified and no classfiles are given, FindBugs |
- will print a warning message and output a well- |
- formed file with no warnings</li> |
- <li>Fewer false positives for null pointer bugs</li> |
- <li>Suppress dead-local-store false positives in .jsp |
- code</li> |
- <li>Type fixes in warning messages</li> |
- <li>Better warning message for |
- NP_NULL_ON_SOME_PATH</li> |
- <li>"WMI" bug code description renamed from "Wrong |
- Map Iterator" to "Inefficient Map Iterator"</li> |
- </ul> |
- <li>Fixes:</li> |
- <ul> |
- <li>[ 1893048 ] FindBugs confused by a findbugs.xml file</li> |
- <li>[ 1878528 ] XSL xforms don't support history features</li> |
- <li>[ 1876584 ] two default.xsl flaws</li> |
- <li>[ 1874856 ] Format string bug detector doesn't handle special operators</li> |
- <li>[ 1872645 ] computeBugHistory - java.lang.IllegalArgumentException</li> |
- <li>[ 1872237 ] Ant task fails when no .class files</li> |
- <li>[ 1868670 ] Filters: include AND exclude don't allowed</li> |
- <li>[ 1868666 ] check-for-oddness reported, but array length can never be negative</li> |
- <li>[ 1866108 ] SetBugDatabaseInfoTask strips dir from output filename</li> |
- <li>[ 1866021 ] MineBugHistoryTask strips dir of output filename</li> |
- <li>[ 1865265 ] code doesn't handle StringBuffer.append([CII) right</li> |
- <li>[ 1864793 ] Warning when casting a null reference compared to a String</li> |
- <li>[ 1863376 ] Typo in manual chap 8: Filter Files</li> |
- <li>[ 1862705 ] Transient fields that default to null</li> |
- <li>[ 1842545 ] DLS on catch variable (with priority tweaking)</li> |
- <li>[ 1816258 ] false positive BC_IMPOSSIBLE_CAST</li> |
- <li>[ 1551732 ] Get erroneous DLS with while loop</li> |
- </ul> |
- </ul> |
- <li>FindBugs Eclipse plugin (change log by Andrey Loskutov)</li> |
- <ul> |
- <li>new feature: added Bug explorer view (replacing Bug tree view), based on Common Navigator framework (Andrey Loskutov)</li> |
- <li>bug 1873860 fixed: empty projects are no longer shown in Bug tree view (Andrey Loskutov)</li> |
- <li>new feature: bug counts decorators for projects, folders and files (has to be activated |
- via Preferences -> general -> appearance -> label decorations)(Andrey Loskutov)</li> |
- <li>patch 1746499: better icons (Alessandro Nistico)</li> |
- <li>patch 1893685: Find bug actions on change sets bug (Alessandro Nistico)</li> |
- <li>fixed bug 1855384: Bug configuration is broken in Eclipse (Andrey Loskutov)</li> |
- <li>refactored FindBugs properties page (Andrey Loskutov)</li> |
- <li>refactored FindBugs worker/builder/run action (Andrey Loskutov)</li> |
- <li>FB detects now only bugs from classes on project's classpath (no double work on |
- duplicated class files) (Andrey Loskutov)</li> |
- <li>fixed bug introduced by the bad patch for 1867951: FB cannot be executed incrementally |
- on a folder of file (Andrey Loskutov)</li> |
- <li>fixed job rule: now jobs for different projects may run in parallel if running on a |
- multi-core PC and "fb.allowParallelBuild" system property is set to true (Andrey Loskutov)</li> |
- <li>fixed FB auto-build not started if .fbprefs or .classpath was changed (Andrey Loskutov)</li> |
- <li>fixed not reporting bugs on secondary types (classes defined in java files with |
- different name) (Andrey Loskutov) </li> |
- </ul> |
- </ul> |
- |
- <p> Changes since version 1.3.0</p> |
- <ul> |
- <li>New Reports</li> |
- <ul> |
- <li>VA_FORMAT_STRING_ARG_MISMATCH: |
- A format-string method with a variable number of arguments is called, |
- but the number of arguments passed does not match with the number of |
- % placeholders in the format string. This is probably not what the |
- author intended. |
- <li>IO_APPENDING_TO_OBJECT_OUTPUT_STREAM: |
- This code opens a file in append mode and that wraps the result in an object output stream. |
- This won't allow you to append to an existing object output stream stored in a file. If you want to be |
- able to append to an object output stream, you need to keep the object output stream open. |
- The only situation in which opening a file in append mode and the writing an object output stream |
- could work is if on reading the file you plan to open it in random access mode and seek to the byte offset |
- where the append started. |
- <li>NP_BOOLEAN_RETURN_NULL: |
- A method that returns either Boolean.TRUE, Boolean.FALSE or null is an accident waiting to happen. |
- This method can be invoked as though it returned a value of type boolean, and |
- the compiler will insert automatic unboxing of the Boolean value. If a null value is returned, |
- this will result in a NullPointerException. |
- </ul> |
- <li>Changes to Existing Reports</li> |
- <ul> |
- <li>RV_DONT_JUST_NULL_CHECK_READLINE: CORRECTNESS -> STYLE</li> |
- <li>DMI_INVOKING_TOSTRING_ON_ARRAY: Long description mentions array name whenever possible</li> |
- </ul> |
- <li>Fixes:</li> |
- <ul> |
- <li>Updated manual to mention that Java 1.5 is now a requirement for running FindBugs |
- <li>Applied patch 1840206 fixing issue "Ant task does not work when presetdef is used" - thanks to phejl |
- <li>Applied patch 1778690 fixing issue "Ant task: tolerate but complain about invalid auxClasspath" - thanks to David Schmidt |
- <li>Applied patch 1852125 adding a Chinese-language GUI bundle props file - thanks to fifi |
- <li>Applied patch 1845903 adding ability to load XML results with the Eclipse plugin - thanks to Alex Mont |
- <li>Fixed issue 1844671 - "FP for "reversed" null check in catch for stream close" |
- <li>Fixed issue 1836050 - "-onlyAnalyze broken" |
- <li>Fixed issue 1853011 - "Typo: Field names should start with aN lower case letter" |
- <li>Fixed issue 1844181 - "JNLP file does not contain all necessary JARs" |
- <li>Fixed issue 1840245 - "xxxException class does not derive from Exception" |
- <li>Fixed issue 1840277 - "[M D EC] Typo in bug documentation" |
- <li>Fixed issue 1782447 - "OutOfMemoryError if i activate Findbugs on my project" |
- <li>Fixed issue 1830576 - "[regression] keySet/entrySet false positive" |
- </ul> |
- <li>Other:</li> |
- <ul> |
- <li>New bug code: "IO" (for IO_APPENDING_TO_OBJECT_OUTPUT_STREAM)</li> |
- <li>Added "-onlyMostRecent" option for computeBugHistory script/ant task |
- <li>More explicit language in RV_RETURN_VALUE_IGNORED_BAD_PRACTICE messages |
- <li>Modified ResourceValueAnalysis to correctly identify null == X or null != X as a null check (for issue 1844671) |
- <li>Modified DMI_HARDCODED_ABSOLUTE_FILENAME logic in DumbMethodInvocations to ignore files from /etc or /dev and increase priority of files from /home |
- <li>Better bug details for infinite loop warnings |
- <li>Modified unread-fields detector to reduce false positives from reflective fields |
- <li>build.xml "classes" target now builds all sources in one step |
- </ul> |
- </ul> |
- |
- <p> Changes since version 1.2.1</p> |
- <ul> |
- <li>New Detectors and Reports</li> |
- <ul> |
- <li>SynchronizationOnSharedBuiltinConstant</li> |
- <ul> |
- <li>DL_SYNCHRONIZATION_ON_SHARED_CONSTANT: |
- The code synchronizes on a shared primitive |
- constant, such as an interned String. Such |
- constants are interned and shared across all other |
- classes loaded by the JVM. Thus, this could be |
- locking on something that other code might also be |
- locking. This could result in very strange and hard |
- to diagnose blocking and deadlock behavior. See |
- <a href="http://www.javalobby.org/java/forums/t96352.html">http://www.javalobby.org/java/forums/t96352.html</a> |
- and |
- <a href="http://jira.codehaus.org/browse/JETTY-352">http://jira.codehaus.org/browse/JETTY-352</a>. |
- </ul> |
- <li>OverridingEqualsNotSymmetrical</li> |
- <ul> |
- <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC: |
- Looks for equals methods that override equals |
- methods in a superclass where the equivalence |
- relationship might not be symmetrical. |
- </ul> |
- <li>CheckTypeQualifiers</li> |
- <ul> |
- <li>TQ_ALWAYS_VALUE_USED_WHERE_NEVER_REQUIRED: |
- A value specified as carrying a type qualifier |
- annotation is consumed in a location or locations |
- requiring that the value not carry that annotation. |
- More precisely, a value annotated with a type |
- qualifier specifying when=ALWAYS is guaranteed to reach |
- a use or uses where the same type qualifier specifies |
- when=NEVER. |
- </li> |
- <li>TQ_NEVER_VALUE_USED_WHERE_ALWAYS_REQUIRED: |
- A value specified as not carrying a type qualifier |
- annotation is guaranteed to be consumed in a location |
- or locations requiring that the value does carry that |
- annotation. More precisely, a value annotated with a |
- type qualifier specifying when=NEVER is guaranteed to |
- reach a use or uses where the same type qualifier |
- specifies when=ALWAYS. |
- </li> |
- <li>TQ_MAYBE_SOURCE_VALUE_REACHES_ALWAYS_SINK: |
- A value that might not carry a type qualifier |
- annotation reaches a use which requires that |
- annotation. |
- </li> |
- <li>TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK: |
- A value which might carry a type qualifier annotation |
- reaches a use which forbids values carrying that |
- annotation. |
- </li> |
- </ul> |
- </ul> |
- <li>New Reports (existing detectors)</li> |
- <ul> |
- <li>FindHEmismatch</li> |
- <ul> |
- <li>EQ_DOESNT_OVERRIDE_EQUALS: |
- This class extends a class that defines an equals |
- method and adds fields, but doesn't define an equals |
- method itself. Thus, equality on instances of this |
- class will ignore the identity of the subclass and the |
- added fields. Be sure this is what is intended, and |
- that you don't need to override the equals method. Even |
- if you don't need to override the equals method, |
- consider overriding it anyway to document the fact that |
- the equals method for the subclass just return the |
- result of invoking super.equals(o). |
- </li> |
- </ul> |
- <li>Naming |
- <ul> |
- <li>NM_WRONG_PACKAGE, NM_WRONG_PACKAGE_INTENTIONAL: |
- The method in the subclass doesn't override a similar |
- method in a superclass because the type of a parameter |
- doesn't exactly match the type of the corresponding |
- parameter in the superclass. |
- </li> |
- <li>NM_SAME_SIMPLE_NAME_AS_SUPERCLASS: |
- This class has a simple name that is identical to that |
- of its superclass, except that its superclass is in a |
- different package (e.g., <code>alpha.Foo</code> |
- extends <code>beta.Foo</code>). This can be |
- exceptionally confusing, create lots of situations in |
- which you have to look at import statements to resolve |
- references and creates many opportunities to |
- accidently define methods that do not override methods |
- in their superclasses. |
- </li> |
- <li>NM_SAME_SIMPLE_NAME_AS_INTERFACE: |
- This class/interface has a simple name that is |
- identical to that of an implemented/extended |
- interface, except that the interface is in a different |
- package (e.g., <code>alpha.Foo</code> extends |
- <code>beta.Foo</code>). This can be exceptionally |
- confusing, create lots of situations in which you have |
- to look at import statements to resolve references and |
- creates many opportunities to accidently define methods |
- that do not override methods in their superclasses. |
- </li> |
- </ul> |
- <li>FindRefComparison</li> |
- <ul> |
- <li>EC_UNRELATED_TYPES_USING_POINTER_EQUALITY: |
- This method uses using pointer equality to compare two |
- references that seem to be of different types. The |
- result of this comparison will always be false at |
- runtime. |
- </li> |
- </ul> |
- <li>IncompatMask</li> |
- <ul> |
- <li>BIT_SIGNED_CHECK, BIT_SIGNED_CHECK_HIGH_BIT: |
- This method compares an expression such as |
- <tt>((event.detail & SWT.SELECTED) > 0)</tt>. Using |
- bit arithmetic and then comparing with the greater than |
- operator can lead to unexpected results (of course |
- depending on the value of SWT.SELECTED). If |
- SWT.SELECTED is a negative number, this is a candidate |
- for a bug. Even when SWT.SELECTED is not negative, it |
- seems good practice to use '!= 0' instead of '> 0'. |
- </li> |
- </ul> |
- <li>LazyInit</li> |
- <ul> |
- <li>LI_LAZY_INIT_UPDATE_STATIC: |
- This method contains an unsynchronized lazy |
- initialization of a static field. After the field is |
- set, the object stored into that location is further |
- accessed. The setting of the field is visible to other |
- threads as soon as it is set. If the further accesses in |
- the method that set the field serve to initialize the |
- object, then you have a <em>very serious</em> |
- multithreading bug, unless something else prevents any |
- other thread from accessing the stored object until it |
- is fully initialized. |
- </li> |
- </ul> |
- <li>FindDeadLocalStores</li> |
- <ul> |
- <li>DLS_DEAD_STORE_OF_CLASS_LITERAL: |
- This instruction assigns a class literal to a variable |
- and then never uses it. |
- <a href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">The behavior of this differs in Java 1.4 and in Java 5.</a> |
- In Java 1.4 and earlier, a reference to |
- <code>Foo.class</code> would force the static |
- initializer for <code>Foo</code> to be executed, if it |
- has not been executed already. In Java 5 and later, it |
- does not. See Sun's |
- <a href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">article on Java SE compatibility</a> |
- for more details and examples, and suggestions on how |
- to force class initialization in Java 5. |
- </li> |
- </ul> |
- <li>MethodReturnCheck</li> |
- <ul> |
- <li>RV_RETURN_VALUE_IGNORED_BAD_PRACTICE: |
- This method returns a value that is not checked. The |
- return value should be checked since it can indication |
- an unusual or unexpected function execution. For |
- example, the <code>File.delete()</code> method returns |
- false if the file could not be successfully deleted |
- (rather than throwing an Exception). If you don't |
- check the result, you won't notice if the method |
- invocation signals unexpected behavior by returning an |
- atypical return value. |
- </li> |
- <li>RV_EXCEPTION_NOT_THROWN: |
- This code creates an exception (or error) object, but |
- doesn't do anything with it. |
- </li> |
- </ul> |
- </ul> |
- <li>Changes to Existing Reports</li> |
- <ul> |
- <li>NS_NON_SHORT_CIRCUIT: BAD_PRACTICE -> STYLE</li> |
- <li>NS_DANGEROUS_NON_SHORT_CIRCUIT: CORRECTNESS -> STYLE</li> |
- <li>RC_REF_COMPARISON: CORRECTNESS -> BAD_PRACTICE</li> |
- </ul> |
- <li>GUI Changes</li> |
- <ul> |
- <li>Added importing and exporting of bug filters</li> |
- <li>Better handling of failed analysis runs</li> |
- <li>Added "-look" parameter for selecting look-and-feel</li> |
- <li>Fixed incorrect package filtering</li> |
- <li>Fixed issue where "synchronized" was not syntax-highlighted</li> |
- </ul> |
- <li>Ant-task Changes</li> |
- <ul> |
- <li>Refactored common ant-task code to AbstractFindBugsTask</li> |
- <li>Added tasks for computeBugHistory, convertXmlToText, filterBugs, mineBugHistory, setBugDatabaseInfo</li> |
- </ul> |
- <li>Manual</li> |
- <ul> |
- <li>Updates to GUI section, including new screenshots</li> |
- <li>Added description of rejarForAnalysis</li> |
- <li>Revamp of data-mining section</li> |
- </ul> |
- <li>Other Major</li> |
- <ul> |
- <li>Internal restructuring for lower memory overhead</li> |
- </ul> |
- <li>Other Minor</li> |
- <ul> |
- <li>Fixed typo: was STCAL_STATIC_SIMPLE_DATA_FORMAT_INSTANCE now STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE</li> |
- <li>-outputFile parameter became -output</li> |
- <li>More sensitivity and specificity inLazyInit detector</li> |
- <li>More sensitivity and specificity in Naming detector</li> |
- <li>More sensitivity and specificity in UnreadFields detector</li> |
- <li>More sensitivity in FindNullDeref detector</li> |
- <li>More sensitivity in FindBadCast2 detector</li> |
- <li>More specificity in FindReturnRef detector</li> |
- <li>Many other tweaks and bug fixes</li> |
- </ul> |
- </ul> |
- |
- <p> Changes since version 1.2.0</p> |
- <ul> |
- <li>Bug fixes: |
- <ul> |
- <li><a href="http://fisheye2.cenqua.com/changelog/findbugs/?cs=8219">Fix</a> <a href="http://sourceforge.net/tracker/index.php?func=detail&aid=1726946&group_id=96405&atid=614693">bug</a> with detectors that were requested to be disabled but were enabled due to requirements of other detectors.</li> |
- <li>Fix bugs in incremental analysis within Eclipse plugin</li> |
- <li>Fix some analysis errors</li> |
- <li>Fix some threading bugs in GUI2</li> |
- <li>Report version as version when it was compiled, not when it was run</li> |
- <li>Copy analysis time stamp when filtering or transforming analysis files.</li> |
- </ul> |
- <li>Enabled StaticCalendarDetector |
+ </ul> |
+ <p>Changes since version 1.3.3</p> |
+ |
+ <ul> |
+ <li>FindBugs base |
+ <ul> |
+ <li>New Reports: |
+ <ul> |
+ <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC: equals method |
+ overrides equals in superclass and may not be symmetric</li> |
+ <li>EQ_ALWAYS_TRUE: equals method always returns true</li> |
+ <li>EQ_ALWAYS_FALSE: equals method always returns false</li> |
+ <li>EQ_COMPARING_CLASS_NAMES: equals method compares class |
+ names rather than class objects</li> |
+ <li>EQ_UNUSUAL: Unusual equals method</li> |
+ <li>EQ_GETCLASS_AND_CLASS_CONSTANT: equals method fails |
+ for subtypes</li> |
+ <li>SE_READ_RESOLVE_IS_STATIC: The readResolve method must |
+ not be declared as a static method.</li> |
+ <li>SE_PRIVATE_READ_RESOLVE_NOT_INHERITED: private |
+ readResolve method not inherited by subclasses</li> |
+ <li>MSF_MUTABLE_SERVLET_FIELD: Mutable servlet field</li> |
+ <li>XSS_REQUEST_PARAMETER_TO_SEND_ERROR: Servlet reflected |
+ cross site scripting vulnerability</li> |
+ <li>SKIPPED_CLASS_TOO_BIG: Class too big for analysis</li> |
+ </ul> |
+ </li> |
+ <li>Other: |
+ <ul> |
+ <li>Value-number analysis now more space-efficient</li> |
+ <li>Enhancements to reduce memory overhead when analyzing |
+ very large classes</li> |
+ <li>Now skips very large classes that would otherwise take |
+ too much time and memory to analyze</li> |
+ <li>Infrastructure for tracking effectively-constant/ |
+ effectively-final fields</li> |
+ <li>Added more cweids</li> |
+ <li>Enhanced taint tracking for taint-based detectors</li> |
+ <li>Ignore doomed calls to equals if result is used as an |
+ argument to assertFalse</li> |
+ <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC handles compareTo</li> |
+ <li>Priority tweak for ICAST_INTEGER_MULTIPLY_CAST_TO_LONG |
+ (only low priority if multiplying by 1000)</li> |
+ <li>Improved tracking of fields across method calls</li> |
+ </ul> |
+ </li> |
+ <li>Fixes: |
+ <ul> |
+ <li>[ 1941450 ] DLS_DEAD_LOCAL_STORE not reported</li> |
+ <li>[ 1953323 ] Omitted break statement in |
+ SynchronizeAndNullCheckField</li> |
+ <li>[ 1942620 ] Source Directories selection dialog |
+ interface confusion (partial)</li> |
+ <li>[ 1948275 ] Unhelpful "Load of known null"</li> |
+ <li>[ 1933922 ] MWM error in findbugs</li> |
+ <li>[ 1934772 ] 1.3.3 appears to rely on JDK 1.6, JNLP |
+ still specifies 1.5</li> |
+ <li>[ 1933945 ] -loadbugs doesn't work</li> |
+ <li>Fixed problems for class names starting with '$'</li> |
+ <li>Fixed bugs and incomplete handling of annotations in |
+ VersionInsensitiveBugComparator</li> |
+ </ul> |
+ </li> |
+ <li>Patches: |
+ <ul> |
+ <li>[ 1955106 ] Javadoc fixes</li> |
+ <li>[ 1951930 ] Superfluous import statements (thanks to |
+ Jerry James)</li> |
+ <li>[ 1951907 ] Missing @Deprecated annotations (thanks to |
+ Jerry James)</li> |
+ <li>[ 1951876 ] Infonode Docking Windows compile fix |
+ (thanks to Jerry James)</li> |
+ <li>[ 1936055 ] bugfix for findbugs.de.comment not working |
+ (thanks to Peter Fokkinga) |
+ </ul> |
+ </li> |
+ </ul> |
+ <li>FindBugs BlueJ plugin |
+ <ul> |
+ <li>Updated to use FindBugs 1.3.4 (first new release since |
+ 1.1.3)</li> |
+ </ul> |
</li> |
- <li>Reworked GUI2 to use standard FindBugs filters |
+ </ul> |
+ |
+ <p>Changes since version 1.3.2</p> |
+ |
+ <ul> |
+ <li>FindBugs base |
+ <ul> |
+ <li>New Detectors: |
+ <ul> |
+ <li>FieldItemSummary: Produces summary information for |
+ what is stored into fields</li> |
+ <li>SynchronizeOnClassLiteralNotGetClass: Look for code |
+ that synchronizes on the results of getClass rather than on |
+ class literals</li> |
+ <li>SynchronizingOnContentsOfFieldToProtectField: This |
+ detector looks for code that seems to be synchronizing on a |
+ field in order to guard updates of that field</li> |
+ </ul> |
+ </li> |
+ <li>New BugCode: |
+ <ul> |
+ <li>HRS: HTTP Response splitting vulnerability</li> |
+ <li>WL: Possible locking on wrong object</li> |
+ </ul> |
+ </li> |
+ <li>New Reports: |
+ <ul> |
+ <li>DMI_CONSTANT_DB_PASSWORD: This code creates a database |
+ connect using a hard coded, constant password</li> |
+ <li>HRS_REQUEST_PARAMETER_TO_COOKIE: HTTP cookie formed |
+ from untrusted input</li> |
+ <li>HRS_REQUEST_PARAMETER_TO_HTTP_HEADER: HTTP parameter |
+ directly written to HTTP header output</li> |
+ <li>CN_IMPLEMENTS_CLONE_BUT_NOT_CLONEABLE: Class defines |
+ clone() but doesn't implement Cloneable</li> |
+ <li>DL_SYNCHRONIZATION_ON_BOXED_PRIMITIVE: Synchronization |
+ on boxed primitive could lead to deadlock</li> |
+ <li>DL_SYNCHRONIZATION_ON_BOOLEAN: Synchronization on |
+ Boolean could lead to deadlock</li> |
+ <li>ML_SYNC_ON_FIELD_TO_GUARD_CHANGING_THAT_FIELD: |
+ Synchronization on field in futile attempt to guard that field |
+ </li> |
+ <li>DLS_DEAD_LOCAL_STORE_IN_RETURN: Useless assignment in |
+ return statement</li> |
+ <li>WL_USING_GETCLASS_RATHER_THAN_CLASS_LITERAL: |
+ Synchronization on getClass rather than class literal</li> |
+ </ul> |
+ </li> |
+ <li>Other: |
+ <ul> |
+ <li>Many enhancements to cross-site scripting detector and |
+ its documentation</li> |
+ <li>Enhanced switch fall through handling</li> |
+ <li>Enhanced unread field handling (look for IF_ACMPEQ and |
+ IF_ACMPNE)</li> |
+ <li>Clarified documentation for @Nullable in manual</li> |
+ <li>Fewer DeadLocalStore false positives</li> |
+ <li>Fewer UnreadField false positives</li> |
+ <li>Fewer StaticCalendarDetector false positives</li> |
+ <li>Performance fix for slow file system IO e.g. Clearcase |
+ repositories (thanks, Andrei!)</li> |
+ <li>Other, general performance enhancements (thanks, |
+ Andrei!)</li> |
+ <li>Enhancements for using FindBugs scripts with MKS on |
+ Windows (thanks, Kelly O'Hair!)</li> |
+ <li>Noted in the manual that jsr305.jar must be present |
+ for annotations to compile</li> |
+ <li>Added and fine-tuned default-nullness annotations</li> |
+ <li>More CWE IDs added</li> |
+ <li>Check and warning for unexpected BCEL version in |
+ classpath</li> |
+ </ul> |
+ </li> |
+ <li>Fixes: |
+ <ul> |
+ <li>Bug fix to handling of local variable tables in BCEL</li> |
+ <li>Refined documentation for |
+ MTIA_SUSPECT_STRUTS_INSTANCE_FIELD</li> |
+ <li>[ 1927295 ] NPE when called on project root</li> |
+ <li>[ 1926405 ] Incorrect dead store warning</li> |
+ <li>[ 1926409 ] Incorrect redundant nullcheck warning</li> |
+ <li>[ 1926389 ] Wrong line number printed/highlighted in |
+ bug</li> |
+ <li>[ 1927040 ] typo in bug description</li> |
+ <li>[ 1926263 ] Minor glitch in HTML output</li> |
+ <li>[ 1926240 ] Minor error in standard options in manual</li> |
+ <li>[ 1926236 ] Minor bug in installation section of |
+ manual</li> |
+ <li>[ 1925539 ] ZIP is default file system code base</li> |
+ <li>[ 1894701 ] Livelock / memory leak in |
+ ObjectTypeFactory (thanks, Andrei!)</li> |
+ <li>[ 1867491 ] Doesn't reload annotations after code |
+ changes in IDE (thanks, Andrei!)</li> |
+ <li>[ 1921399 ] -project option not supported</li> |
+ <li>[ 1913834 ] "Dead" store to variable with method call</li> |
+ <li>[ 1917352 ] H B se:...field in serializable class</li> |
+ <li>[ 1911617 ] CloneIdiom relies on |
+ getNameConstantOperand for INSTANCEOF</li> |
+ <li>[ 1911620 ] False +: DLS predecrement before return</li> |
+ <li>[ 1871376 ] False negative: non-serializable Map field</li> |
+ <li>[ 1871051 ] non standard clone() method</li> |
+ <li>[ 1908854 ] Error in TestASM</li> |
+ <li>[ 1907539 ] 22 minor errors in bug checker |
+ documentation</li> |
+ <li>[ 1897323 ] EJB implementation class false positives</li> |
+ <li>[ 1899648 ] Crash on startup on Vista with Java |
+ 1.6.0_04</li> |
+ </ul> |
+ </li> |
+ </ul> |
</li> |
- <ul> |
- <li>Allow a suppression filter to be stored in a project and persisted to the XML representation of a project. |
+ <li>FindBugs Eclipse plugin (change log by Andrey Loskutov) |
+ <ul> |
+ <li>new feature: export basic FindBugs numbers for projects |
+ via File->Export->Java->BugCounts (Andrey Loskutov)</li> |
+ <li>new feature: jobs for different projects will be run in |
+ parallel per default if running on a multi-core PC |
+ ("fb.allowParallelBuild" system property not used anymore) |
+ (Andrey Loskutov)</li> |
+ <li>fixed performance slowdown in the multi-threaded build, |
+ caused by workspace operation locks during assigning marker |
+ attributes (Andrey Loskutov)</li> |
+ </ul> |
</li> |
- </ul> |
- |
- <li>Move away from old GUI2 save format (a directory containing an xml file and another file containing serialized filters). |
+ </ul> |
+ |
+ <p>Changes since version 1.3.1</p> |
+ |
+ <ul> |
+ <li>FindBugs base |
+ <ul> |
+ <li>New Bug Category: |
+ <ul> |
+ <li>SECURITY (Abbrev: S), A use of untrusted input in a |
+ way that could create a remotely exploitable security |
+ vulnerability</li> |
+ </ul> |
+ </li> |
+ <li>New Detectors: |
+ <ul> |
+ <li>CrossSiteScripting: This detector looks for |
+ obvious/blatant cases of cross site scripting vulnerabilities</li> |
+ </ul> |
+ </li> |
+ <li>New BugCode: |
+ <ul> |
+ <li>XSS: Cross site scripting</li> |
+ </ul> |
+ </li> |
+ <li>New Reports: |
+ <ul> |
+ <li>XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: HTTP |
+ parameter directly written to Servlet output, giving XSS |
+ vulnerability</li> |
+ <li>XSS_REQUEST_PARAMETER_TO_JSP_WRITER: HTTP parameter |
+ directly written to JSP output, giving XSS vulnerability</li> |
+ <li>EQ_OTHER_USE_OBJECT: equals() method defined that |
+ doesn't override Object.equals(Object)</li> |
+ <li>EQ_OTHER_NO_OBJECT: equals() method inherits rather |
+ than overrides equals(Object)</li> |
+ <li>NP_NULL_ON_SOME_PATH_MIGHT_BE_INFEASIBLE: Possible |
+ null pointer dereference on path that might be infeasible</li> |
+ </ul> |
+ </li> |
+ <li>Other: |
+ <ul> |
+ <li>Added -noClassOk command-line parameter to |
+ command-line and ant interfaces; when -noClassOk is specified |
+ and no classfiles are given, FindBugs will print a warning |
+ message and output a well- formed file with no warnings</li> |
+ <li>Fewer false positives for null pointer bugs</li> |
+ <li>Suppress dead-local-store false positives in .jsp code</li> |
+ <li>Type fixes in warning messages</li> |
+ <li>Better warning message for NP_NULL_ON_SOME_PATH</li> |
+ <li>"WMI" bug code description renamed from "Wrong Map |
+ Iterator" to "Inefficient Map Iterator"</li> |
+ </ul> |
+ </li> |
+ <li>Fixes: |
+ <ul> |
+ <li>[ 1893048 ] FindBugs confused by a findbugs.xml file</li> |
+ <li>[ 1878528 ] XSL xforms don't support history features</li> |
+ <li>[ 1876584 ] two default.xsl flaws</li> |
+ <li>[ 1874856 ] Format string bug detector doesn't handle |
+ special operators</li> |
+ <li>[ 1872645 ] computeBugHistory - |
+ java.lang.IllegalArgumentException</li> |
+ <li>[ 1872237 ] Ant task fails when no .class files</li> |
+ <li>[ 1868670 ] Filters: include AND exclude don't allowed</li> |
+ <li>[ 1868666 ] check-for-oddness reported, but array |
+ length can never be negative</li> |
+ <li>[ 1866108 ] SetBugDatabaseInfoTask strips dir from |
+ output filename</li> |
+ <li>[ 1866021 ] MineBugHistoryTask strips dir of output |
+ filename</li> |
+ <li>[ 1865265 ] code doesn't handle |
+ StringBuffer.append([CII) right</li> |
+ <li>[ 1864793 ] Warning when casting a null reference |
+ compared to a String</li> |
+ <li>[ 1863376 ] Typo in manual chap 8: Filter Files</li> |
+ <li>[ 1862705 ] Transient fields that default to null</li> |
+ <li>[ 1842545 ] DLS on catch variable (with priority |
+ tweaking)</li> |
+ <li>[ 1816258 ] false positive BC_IMPOSSIBLE_CAST</li> |
+ <li>[ 1551732 ] Get erroneous DLS with while loop</li> |
+ </ul> |
+ </li> |
+ </ul> |
+ </li> |
+ <li>FindBugs Eclipse plugin (change log by Andrey Loskutov) |
+ <ul> |
+ <li>new feature: added Bug explorer view (replacing Bug tree |
+ view), based on Common Navigator framework (Andrey Loskutov)</li> |
+ <li>bug 1873860 fixed: empty projects are no longer shown in |
+ Bug tree view (Andrey Loskutov)</li> |
+ <li>new feature: bug counts decorators for projects, folders |
+ and files (has to be activated via Preferences -> general |
+ -> appearance -> label decorations)(Andrey Loskutov)</li> |
+ <li>patch 1746499: better icons (Alessandro Nistico)</li> |
+ <li>patch 1893685: Find bug actions on change sets bug |
+ (Alessandro Nistico)</li> |
+ <li>fixed bug 1855384: Bug configuration is broken in |
+ Eclipse (Andrey Loskutov)</li> |
+ <li>refactored FindBugs properties page (Andrey Loskutov)</li> |
+ <li>refactored FindBugs worker/builder/run action (Andrey |
+ Loskutov)</li> |
+ <li>FB detects now only bugs from classes on project's |
+ classpath (no double work on duplicated class files) (Andrey |
+ Loskutov)</li> |
+ <li>fixed bug introduced by the bad patch for 1867951: FB |
+ cannot be executed incrementally on a folder of file (Andrey |
+ Loskutov)</li> |
+ <li>fixed job rule: now jobs for different projects may run |
+ in parallel if running on a multi-core PC and |
+ "fb.allowParallelBuild" system property is set to true (Andrey |
+ Loskutov)</li> |
+ <li>fixed FB auto-build not started if .fbprefs or |
+ .classpath was changed (Andrey Loskutov)</li> |
+ <li>fixed not reporting bugs on secondary types (classes |
+ defined in java files with different name) (Andrey Loskutov)</li> |
+ </ul> |
+ </li> |
+ </ul> |
+ |
+ <p>Changes since version 1.3.0</p> |
+ <ul> |
+ <li>New Reports |
+ <ul> |
+ <li>VA_FORMAT_STRING_ARG_MISMATCH: A format-string method |
+ with a variable number of arguments is called, but the number of |
+ arguments passed does not match with the number of % |
+ placeholders in the format string. This is probably not what the |
+ author intended. |
+ <li>IO_APPENDING_TO_OBJECT_OUTPUT_STREAM: This code opens a |
+ file in append mode and that wraps the result in an object |
+ output stream. This won't allow you to append to an existing |
+ object output stream stored in a file. If you want to be able to |
+ append to an object output stream, you need to keep the object |
+ output stream open. The only situation in which opening a file |
+ in append mode and the writing an object output stream could |
+ work is if on reading the file you plan to open it in random |
+ access mode and seek to the byte offset where the append |
+ started. |
+ <li>NP_BOOLEAN_RETURN_NULL: A method that returns either |
+ Boolean.TRUE, Boolean.FALSE or null is an accident waiting to |
+ happen. This method can be invoked as though it returned a value |
+ of type boolean, and the compiler will insert automatic unboxing |
+ of the Boolean value. If a null value is returned, this will |
+ result in a NullPointerException. |
+ </ul> |
+ </li> |
+ <li>Changes to Existing Reports |
+ <ul> |
+ <li>RV_DONT_JUST_NULL_CHECK_READLINE: CORRECTNESS -> |
+ STYLE</li> |
+ <li>DMI_INVOKING_TOSTRING_ON_ARRAY: Long description |
+ mentions array name whenever possible</li> |
+ </ul> |
+ </li> |
+ <li>Fixes: |
+ <ul> |
+ <li>Updated manual to mention that Java 1.5 is now a |
+ requirement for running FindBugs |
+ <li>Applied patch 1840206 fixing issue "Ant task does not |
+ work when presetdef is used" - thanks to phejl |
+ <li>Applied patch 1778690 fixing issue "Ant task: tolerate |
+ but complain about invalid auxClasspath" - thanks to David |
+ Schmidt |
+ <li>Applied patch 1852125 adding a Chinese-language GUI |
+ bundle props file - thanks to fifi |
+ <li>Applied patch 1845903 adding ability to load XML results |
+ with the Eclipse plugin - thanks to Alex Mont |
+ <li>Fixed issue 1844671 - "FP for "reversed" null check in |
+ catch for stream close" |
+ <li>Fixed issue 1836050 - "-onlyAnalyze broken" |
+ <li>Fixed issue 1853011 - "Typo: Field names should start |
+ with aN lower case letter" |
+ <li>Fixed issue 1844181 - "JNLP file does not contain all |
+ necessary JARs" |
+ <li>Fixed issue 1840245 - "xxxException class does not |
+ derive from Exception" |
+ <li>Fixed issue 1840277 - "[M D EC] Typo in bug |
+ documentation" |
+ <li>Fixed issue 1782447 - "OutOfMemoryError if i activate |
+ Findbugs on my project" |
+ <li>Fixed issue 1830576 - "[regression] keySet/entrySet |
+ false positive" |
+ </ul> |
+ </li> |
+ <li>Other: |
+ <ul> |
+ <li>New bug code: "IO" (for |
+ IO_APPENDING_TO_OBJECT_OUTPUT_STREAM)</li> |
+ <li>Added "-onlyMostRecent" option for computeBugHistory |
+ script/ant task |
+ <li>More explicit language in |
+ RV_RETURN_VALUE_IGNORED_BAD_PRACTICE messages |
+ <li>Modified ResourceValueAnalysis to correctly identify |
+ null == X or null != X as a null check (for issue 1844671) |
+ <li>Modified DMI_HARDCODED_ABSOLUTE_FILENAME logic in |
+ DumbMethodInvocations to ignore files from /etc or /dev and |
+ increase priority of files from /home |
+ <li>Better bug details for infinite loop warnings |
+ <li>Modified unread-fields detector to reduce false |
+ positives from reflective fields |
+ <li>build.xml "classes" target now builds all sources in one |
+ step |
+ </ul> |
+ </li> |
+ </ul> |
+ |
+ <p>Changes since version 1.2.1</p> |
+ <ul> |
+ <li>New Detectors and Reports |
+ <ul> |
+ <li>SynchronizationOnSharedBuiltinConstant |
+ <ul> |
+ <li>DL_SYNCHRONIZATION_ON_SHARED_CONSTANT: The code |
+ synchronizes on a shared primitive constant, such as an |
+ interned String. Such constants are interned and shared across |
+ all other classes loaded by the JVM. Thus, this could be |
+ locking on something that other code might also be locking. |
+ This could result in very strange and hard to diagnose |
+ blocking and deadlock behavior. See <a |
+ href="http://www.javalobby.org/java/forums/t96352.html">http://www.javalobby.org/java/forums/t96352.html</a> |
+ and <a href="http://jira.codehaus.org/browse/JETTY-352">http://jira.codehaus.org/browse/JETTY-352</a>. |
+ |
+ </ul> |
+ </li> |
+ <li>OverridingEqualsNotSymmetrical |
+ <ul> |
+ <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC: Looks for equals |
+ methods that override equals methods in a superclass where the |
+ equivalence relationship might not be symmetrical. |
+ </ul> |
+ </li> |
+ <li>CheckTypeQualifiers |
+ <ul> |
+ <li>TQ_ALWAYS_VALUE_USED_WHERE_NEVER_REQUIRED: A value |
+ specified as carrying a type qualifier annotation is consumed |
+ in a location or locations requiring that the value not carry |
+ that annotation. More precisely, a value annotated with a type |
+ qualifier specifying when=ALWAYS is guaranteed to reach a use |
+ or uses where the same type qualifier specifies when=NEVER.</li> |
+ <li>TQ_NEVER_VALUE_USED_WHERE_ALWAYS_REQUIRED: A value |
+ specified as not carrying a type qualifier annotation is |
+ guaranteed to be consumed in a location or locations requiring |
+ that the value does carry that annotation. More precisely, a |
+ value annotated with a type qualifier specifying when=NEVER is |
+ guaranteed to reach a use or uses where the same type |
+ qualifier specifies when=ALWAYS.</li> |
+ <li>TQ_MAYBE_SOURCE_VALUE_REACHES_ALWAYS_SINK: A value |
+ that might not carry a type qualifier annotation reaches a use |
+ which requires that annotation.</li> |
+ <li>TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK: A value |
+ which might carry a type qualifier annotation reaches a use |
+ which forbids values carrying that annotation.</li> |
+ </ul> |
+ </li> |
+ </ul> |
+ </li> |
+ <li>New Reports (existing detectors) |
+ <ul> |
+ <li>FindHEmismatch |
+ <ul> |
+ <li>EQ_DOESNT_OVERRIDE_EQUALS: This class extends a class |
+ that defines an equals method and adds fields, but doesn't |
+ define an equals method itself. Thus, equality on instances of |
+ this class will ignore the identity of the subclass and the |
+ added fields. Be sure this is what is intended, and that you |
+ don't need to override the equals method. Even if you don't |
+ need to override the equals method, consider overriding it |
+ anyway to document the fact that the equals method for the |
+ subclass just return the result of invoking super.equals(o).</li> |
+ </ul> |
+ </li> |
+ <li>Naming |
+ <ul> |
+ <li>NM_WRONG_PACKAGE, NM_WRONG_PACKAGE_INTENTIONAL: The |
+ method in the subclass doesn't override a similar method in a |
+ superclass because the type of a parameter doesn't exactly |
+ match the type of the corresponding parameter in the |
+ superclass.</li> |
+ <li>NM_SAME_SIMPLE_NAME_AS_SUPERCLASS: This class has a |
+ simple name that is identical to that of its superclass, |
+ except that its superclass is in a different package (e.g., <code>alpha.Foo</code> |
+ extends <code>beta.Foo</code>). This can be exceptionally |
+ confusing, create lots of situations in which you have to look |
+ at import statements to resolve references and creates many |
+ opportunities to accidently define methods that do not |
+ override methods in their superclasses. |
+ </li> |
+ <li>NM_SAME_SIMPLE_NAME_AS_INTERFACE: This class/interface |
+ has a simple name that is identical to that of an |
+ implemented/extended interface, except that the interface is |
+ in a different package (e.g., <code>alpha.Foo</code> extends <code>beta.Foo</code>). |
+ This can be exceptionally confusing, create lots of situations |
+ in which you have to look at import statements to resolve |
+ references and creates many opportunities to accidently define |
+ methods that do not override methods in their superclasses. |
+ </li> |
+ </ul> |
+ <li>FindRefComparison |
+ <ul> |
+ <li>EC_UNRELATED_TYPES_USING_POINTER_EQUALITY: This method |
+ uses using pointer equality to compare two references that |
+ seem to be of different types. The result of this comparison |
+ will always be false at runtime.</li> |
+ </ul> |
+ </li> |
+ <li>IncompatMask |
+ <ul> |
+ <li>BIT_SIGNED_CHECK, BIT_SIGNED_CHECK_HIGH_BIT: This |
+ method compares an expression such as <tt>((event.detail |
+ & SWT.SELECTED) > 0)</tt>. Using bit arithmetic and then |
+ comparing with the greater than operator can lead to |
+ unexpected results (of course depending on the value of |
+ SWT.SELECTED). If SWT.SELECTED is a negative number, this is a |
+ candidate for a bug. Even when SWT.SELECTED is not negative, |
+ it seems good practice to use '!= 0' instead of '> 0'. |
+ </li> |
+ </ul> |
+ </li> |
+ <li>LazyInit |
+ <ul> |
+ <li>LI_LAZY_INIT_UPDATE_STATIC: This method contains an |
+ unsynchronized lazy initialization of a static field. After |
+ the field is set, the object stored into that location is |
+ further accessed. The setting of the field is visible to other |
+ threads as soon as it is set. If the further accesses in the |
+ method that set the field serve to initialize the object, then |
+ you have a <em>very serious</em> multithreading bug, unless |
+ something else prevents any other thread from accessing the |
+ stored object until it is fully initialized. |
+ </li> |
+ </ul> |
+ </li> |
+ <li>FindDeadLocalStores |
+ <ul> |
+ <li>DLS_DEAD_STORE_OF_CLASS_LITERAL: This instruction |
+ assigns a class literal to a variable and then never uses it. |
+ <a href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">The |
+ behavior of this differs in Java 1.4 and in Java 5.</a> In Java |
+ 1.4 and earlier, a reference to <code>Foo.class</code> would |
+ force the static initializer for <code>Foo</code> to be |
+ executed, if it has not been executed already. In Java 5 and |
+ later, it does not. See Sun's <a |
+ href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">article |
+ on Java SE compatibility</a> for more details and examples, and |
+ suggestions on how to force class initialization in Java 5. |
+ </li> |
+ </ul> |
+ </li> |
+ <li>MethodReturnCheck |
+ <ul> |
+ <li>RV_RETURN_VALUE_IGNORED_BAD_PRACTICE: This method |
+ returns a value that is not checked. The return value should |
+ be checked since it can indication an unusual or unexpected |
+ function execution. For example, the <code>File.delete()</code> |
+ method returns false if the file could not be successfully |
+ deleted (rather than throwing an Exception). If you don't |
+ check the result, you won't notice if the method invocation |
+ signals unexpected behavior by returning an atypical return |
+ value. |
+ </li> |
+ <li>RV_EXCEPTION_NOT_THROWN: This code creates an |
+ exception (or error) object, but doesn't do anything with it. |
+ </li> |
+ </ul> |
+ </li> |
+ </ul> |
+ </li> |
+ <li>Changes to Existing Reports |
+ <ul> |
+ <li>NS_NON_SHORT_CIRCUIT: BAD_PRACTICE -> STYLE</li> |
+ <li>NS_DANGEROUS_NON_SHORT_CIRCUIT: CORRECTNESS -> STYLE</li> |
+ <li>RC_REF_COMPARISON: CORRECTNESS -> BAD_PRACTICE</li> |
+ </ul> |
+ </li> |
+ <li>GUI Changes |
+ <ul> |
+ <li>Added importing and exporting of bug filters</li> |
+ <li>Better handling of failed analysis runs</li> |
+ <li>Added "-look" parameter for selecting look-and-feel</li> |
+ <li>Fixed incorrect package filtering</li> |
+ <li>Fixed issue where "synchronized" was not |
+ syntax-highlighted</li> |
+ </ul> |
+ </li> |
+ <li>Ant-task Changes |
+ <ul> |
+ <li>Refactored common ant-task code to AbstractFindBugsTask</li> |
+ <li>Added tasks for computeBugHistory, convertXmlToText, |
+ filterBugs, mineBugHistory, setBugDatabaseInfo</li> |
+ </ul> |
+ </li> |
+ <li>Manual |
+ <ul> |
+ <li>Updates to GUI section, including new screenshots</li> |
+ <li>Added description of rejarForAnalysis</li> |
+ <li>Revamp of data-mining section</li> |
+ </ul> |
+ </li> |
+ <li>Other Major |
+ <ul> |
+ <li>Internal restructuring for lower memory overhead</li> |
+ </ul> |
+ </li> |
+ <li>Other Minor |
+ <ul> |
+ <li>Fixed typo: was STCAL_STATIC_SIMPLE_DATA_FORMAT_INSTANCE |
+ now STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE</li> |
+ <li>-outputFile parameter became -output</li> |
+ <li>More sensitivity and specificity inLazyInit detector</li> |
+ <li>More sensitivity and specificity in Naming detector</li> |
+ <li>More sensitivity and specificity in UnreadFields |
+ detector</li> |
+ <li>More sensitivity in FindNullDeref detector</li> |
+ <li>More sensitivity in FindBadCast2 detector</li> |
+ <li>More specificity in FindReturnRef detector</li> |
+ <li>Many other tweaks and bug fixes</li> |
+ </ul> |
</li> |
+ </ul> |
+ |
+ <p>Changes since version 1.2.0</p> |
+ <ul> |
+ <li>Bug fixes: |
+ <ul> |
+ <li><a |
+ href="http://fisheye2.cenqua.com/changelog/findbugs/?cs=8219">Fix</a> |
+ <a |
+ href="http://sourceforge.net/tracker/index.php?func=detail&aid=1726946&group_id=96405&atid=614693">bug</a> |
+ with detectors that were requested to be disabled but were |
+ enabled due to requirements of other detectors.</li> |
+ <li>Fix bugs in incremental analysis within Eclipse plugin</li> |
+ <li>Fix some analysis errors</li> |
+ <li>Fix some threading bugs in GUI2</li> |
+ <li>Report version as version when it was compiled, not when |
+ it was run</li> |
+ <li>Copy analysis time stamp when filtering or transforming |
+ analysis files.</li> |
+ </ul> |
+ <li>Enabled StaticCalendarDetector</li> |
+ <li>Reworked GUI2 to use standard FindBugs filters |
+ <ul> |
+ <li>Allow a suppression filter to be stored in a project and |
+ persisted to the XML representation of a project.</li> |
+ </ul> |
+ </li> |
+ |
+ <li>Move away from old GUI2 save format (a directory |
+ containing an xml file and another file containing serialized |
+ filters).</li> |
<li>Support/recommend use of two new file extensions/formats: |
- <dl><dt>.fba - FindBugs Analysis File</dt> |
- <dd>Exactly the same as an existing bug collection file stored in XML format, but using a distinct file extension |
- to make it easier to figure out which xml files contain FindBugs results.</dd> |
- <dt>.fbp - FindBugs Project File</dt><dd>Contains just the information needed to run FindBugs and display the results (e.g., the files to be analyzed, the auxiliary class path and the location of source files)</dl></li> |
- </ul> |
- <p> Changes since version 1.1.3</p> |
- <ul> |
- <li>Added -xml:withAbridgedMessages option to generate xml containing shorter messages. |
- The messages will be shorted by doing things like eliding package names, and leaving off |
- the source line from the LongMessage. |
- These messages are appropriate if being used in a context where |
- the non-message components of the bug annotations will be used to provide more information |
- (e.g., clicking on the message for a MethodAnnotation will display the source for the method). |
- <ul><li>FindBugsDisplayFeatures.setAbridgedMessages(true) can be used to generate abridged messages |
- when FindBugs is being accessed directly (not via generated XML) from a GUI or IDE. |
- </li> |
- </ul> |
- <li>In null pointer analysis, try to be better about always showing two locations: where it is known null and |
- where it is dereferenced. |
- <li>Interprocedural analysis of which methods return nonnull values |
- <li>Use method calls to select order in which classes are analyzed, and order in which methods |
- are analyzed, to improve interprocedural analysis results. |
- <li>Significant improvements in memory footprint, memory allocation and CPU utilization |
- (20-30% reduction in all three) |
- <li>Added a project name, to provide better descriptions in the HTML output. |
- <li>Added new bug pattern: Casting to char, or bit masking with nonnegative value, and then checking to see |
- if the result is negative. |
- <li>Stopped reporting transient fields |
- of classes not marked as serializable. Transient is used by other persistence frameworks. |
- <li>Improvements to detector for SQL injection (Thanks to <a href="http://www.clock.org/~matt">Matt Hargett</a> for |
- his contributions |
- <li>Changed open/save options in GUI2 to not distinguish between FindBugs projects |
- and saved FindBugs analysis results. |
- <li>Improvements to detection of serious non-short-circuit evaluation. |
+ <dl> |
+ <dt>.fba - FindBugs Analysis File</dt> |
+ <dd>Exactly the same as an existing bug collection file |
+ stored in XML format, but using a distinct file extension to |
+ make it easier to figure out which xml files contain FindBugs |
+ results.</dd> |
+ <dt>.fbp - FindBugs Project File</dt> |
+ <dd>Contains just the information needed to run FindBugs and |
+ display the results (e.g., the files to be analyzed, the |
+ auxiliary class path and the location of source files) |
+ </dl> |
+ </li> |
+ </ul> |
+ <p>Changes since version 1.1.3</p> |
+ <ul> |
+ <li>Added -xml:withAbridgedMessages option to generate xml |
+ containing shorter messages. The messages will be shorted by doing |
+ things like eliding package names, and leaving off the source line |
+ from the LongMessage. These messages are appropriate if being used |
+ in a context where the non-message components of the bug |
+ annotations will be used to provide more information (e.g., |
+ clicking on the message for a MethodAnnotation will display the |
+ source for the method). |
+ <ul> |
+ <li>FindBugsDisplayFeatures.setAbridgedMessages(true) can be |
+ used to generate abridged messages when FindBugs is being |
+ accessed directly (not via generated XML) from a GUI or IDE.</li> |
+ </ul> |
+ <li>In null pointer analysis, try to be better about always |
+ showing two locations: where it is known null and where it is |
+ dereferenced. |
+ <li>Interprocedural analysis of which methods return nonnull |
+ values |
+ <li>Use method calls to select order in which classes are |
+ analyzed, and order in which methods are analyzed, to improve |
+ interprocedural analysis results. |
+ <li>Significant improvements in memory footprint, memory |
+ allocation and CPU utilization (20-30% reduction in all three) |
+ <li>Added a project name, to provide better descriptions in |
+ the HTML output. |
+ <li>Added new bug pattern: Casting to char, or bit masking |
+ with nonnegative value, and then checking to see if the result is |
+ negative. |
+ <li>Stopped reporting transient fields of classes not marked |
+ as serializable. Transient is used by other persistence |
+ frameworks. |
+ <li>Improvements to detector for SQL injection (Thanks to <a |
+ href="http://www.clock.org/~matt">Matt Hargett</a> for his |
+ contributions |
+ <li>Changed open/save options in GUI2 to not distinguish |
+ between FindBugs projects and saved FindBugs analysis results. |
+ <li>Improvements to detection of serious non-short-circuit |
+ evaluation. |
<li>Updated Japanese localization (thanks to Ruimo Uno) |
- |
<li>Eclipse plugin changes: |
- <ul> |
- <li>Created Bug User Annotations and Bug Tree Views |
- <li>Use different icons for different bug priorities |
- <li>Provide more information in Bug Details view |
- </ul> |
- </ul> |
- |
- <p> |
- Changes since version 1.1.2: |
- </p> |
- <ul> |
+ <ul> |
+ <li>Created Bug User Annotations and Bug Tree Views |
+ <li>Use different icons for different bug priorities |
+ <li>Provide more information in Bug Details view |
+ </ul> |
+ </ul> |
+ |
+ <p>Changes since version 1.1.2:</p> |
+ <ul> |
<li>Fixed broken Ant task |
<li>Added running ant task to smoke test |
<li>Added validating xml and html output to smoke test |
- <li>Fixed some (but not all) issues with html output validation |
+ <li>Fixed some (but not all) issues with html output |
+ validation |
<li>Added check for x.equals(x) and x.compareTo(x) |
<li>Various bug fixes |
- </ul> |
- <p> |
- Changes since version 1.1.1: |
- </p> |
- <ul> |
- <li> |
- Added check for infinite iterative loops |
- </li> |
- <li> |
- Added check for use of incompatible types in a collection (e.g., |
- checking to see if a Set<String> contains a StringBuffer). |
- </li> |
- <li> |
- Added check for invocations of equals or hashCode on a URL, |
- which, |
- <a |
- href="http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html">surprising |
- many people</a>, requires DNS resolution. |
- </li> |
- <li> |
- Added check for classes that define compareTo but not equals; |
- such classes can exhibit some anomalous behavior (e.g., they are |
- treated differently by PriorityQueues in Java 5 and Java 6). |
- </li> |
- <li> |
- Added a check for useless self operations (e.g., x < x or x ^ x). |
- </li> |
- <li> |
- Fixed a data race that could cause the GUI to fail on startup |
- </li> |
- <li> |
- Partial internationalization of the new GUI |
- </li> |
- <li> |
- Fix bug in "Redo analysis" option of new GUI |
- </li> |
- <li> |
- Tuning to reduce false positives |
- </li> |
- <li> |
- Fixed a bug in null pointer analysis that was generating false |
- positive null pointer warnings on exception paths. Fixing this |
- bug eliminates about 1/4 of the warnings on null pointer |
- exceptions on exception paths. |
- </li> |
- <li> |
- Fixed a bug in the processing of phi nodes for fields in the null |
- pointer analysis |
- </li> |
- <li> |
- Applied contributed patch that provides more quick fixes in |
- Eclipse plugin. |
- </li> |
- <li> |
- Fixed a number of bugs in the Eclipse auto update sites, and in the way |
- date qualifiers were being used in the Eclipse plugin. You may need to manually |
- disable your existing version of the plugin and download the 1.1.2 from the update |
- site to get the automatic update function working correctly. |
- The Eclipse update sites are described at <a href="http://findbugs.cs.umd.edu/eclipse/">http://findbugs.cs.umd.edu/eclipse/</a>. |
- |
- </li> |
- <li> |
- Fixed progress bar in Eclipse plugin |
- </li> |
- <li> |
- A number of other bug fixes. |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 1.1.0: |
- </p> |
- <ul> |
- <li> |
- less scanning of classes not on the analysis path (This was |
- causing some performance problems.) |
- </li> |
- <li> |
- no unread field warnings for fields annotated with |
- javax.persistent or javax.ejb3 |
- </li> |
- <li> |
- Eclipse plugin |
- <ul> |
- <li> |
- bug annotation info displayed in Bug Details tab |
- </li> |
- <li> |
- .fbwarnings data file now stored in .metadata (not in the |
- project itself) |
- </li> |
- </ul> |
- </li> |
- <li> |
- new SE_BAD_FIELD_INNER_CLASS pattern |
- </li> |
- <li> |
- updates to Japanese translation (ruimo) |
- </li> |
- <li> |
- fix some internal slashed/dotted path confusion |
- </li> |
- <li> |
- other minor improvements |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 1.0.0: |
- </p> |
- |
- <ul> |
- <li> |
- Overall, the change from FindBugs 1.0.0 to FindBugs 1.1.0 has |
- been a big change. We've done a lot of work in a lot of areas, |
- and aren't even going to try to enumerate all the changes. |
- </li> |
- <li> |
- We spent a lot of time reviewing the results generated by |
- FindBugs for open source and commercial code bases, and made a |
- number of changes, small and large, to minimize the number of |
- false positives. Our primary focus for this was warnings reported |
- as high and medium priority correctness warnings. Our internal |
- evaluation is that we produce very few high/medium priority |
- correctness warnings where the analysis is actually wrong, and |
- that more than 75% of the high/medium priority correctness |
- warnings correspond to real coding defects that need addressing |
- in the source code. The remaining 25% are largely cases such as a |
- branch or statement that if taken would lead to an error, but in |
- fact is a dead branch or statement that can never be taken. Such |
- coding is confusing and hard to maintain, so it should arguably |
- be fixed, but it is unlikely to actually result in an error |
- during execution. Thus, some might classify those warnings as |
- false positives. |
- |
- </li> |
- <li> |
- We've substantially improved the analysis for errors that could |
- result in null pointer dereferences. Overall, our experience has |
- been that these changes have roughly doubled the number of null |
- pointer errors we detect, without increasing the number of false |
- positives (in fact, our false positive rate has gone down). The |
- improvements are due to four factors: |
- <ul> |
- <li> |
- By default, we now do some interprocedural analysis to |
- determine methods that unconditionally dereference their |
- parameters. |
- </li> |
- <li> |
- FindBugs also comes with a model of which JDK methods |
- unconditionally dereference their parameters. |
- </li> |
- <li> |
- We do limited tracking of fields, so that we can detect null |
- values stored in fields that lead to exceptions. |
- </li> |
- <li> |
- We implemented a new analysis technique to find guaranteed |
- dereferences. Consider the following example: |
- |
- <code> |
- <pre>public int f(Object x, boolean b) { |
+ </ul> |
+ <p>Changes since version 1.1.1:</p> |
+ <ul> |
+ <li>Added check for infinite iterative loops</li> |
+ <li>Added check for use of incompatible types in a collection |
+ (e.g., checking to see if a Set<String> contains a |
+ StringBuffer).</li> |
+ <li>Added check for invocations of equals or hashCode on a |
+ URL, which, <a |
+ href="http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html">surprising |
+ many people</a>, requires DNS resolution. |
+ </li> |
+ <li>Added check for classes that define compareTo but not |
+ equals; such classes can exhibit some anomalous behavior (e.g., |
+ they are treated differently by PriorityQueues in Java 5 and Java |
+ 6).</li> |
+ <li>Added a check for useless self operations (e.g., x < x |
+ or x ^ x).</li> |
+ <li>Fixed a data race that could cause the GUI to fail on |
+ startup</li> |
+ <li>Partial internationalization of the new GUI</li> |
+ <li>Fix bug in "Redo analysis" option of new GUI</li> |
+ <li>Tuning to reduce false positives</li> |
+ <li>Fixed a bug in null pointer analysis that was generating |
+ false positive null pointer warnings on exception paths. Fixing |
+ this bug eliminates about 1/4 of the warnings on null pointer |
+ exceptions on exception paths.</li> |
+ <li>Fixed a bug in the processing of phi nodes for fields in |
+ the null pointer analysis</li> |
+ <li>Applied contributed patch that provides more quick fixes |
+ in Eclipse plugin.</li> |
+ <li>Fixed a number of bugs in the Eclipse auto update sites, |
+ and in the way date qualifiers were being used in the Eclipse |
+ plugin. You may need to manually disable your existing version of |
+ the plugin and download the 1.1.2 from the update site to get the |
+ automatic update function working correctly. The Eclipse update |
+ sites are described at <a |
+ href="http://findbugs.cs.umd.edu/eclipse/">http://findbugs.cs.umd.edu/eclipse/</a>. |
+ |
+ </li> |
+ <li>Fixed progress bar in Eclipse plugin</li> |
+ <li>A number of other bug fixes.</li> |
+ </ul> |
+ |
+ <p>Changes since version 1.1.0:</p> |
+ <ul> |
+ <li>less scanning of classes not on the analysis path (This |
+ was causing some performance problems.)</li> |
+ <li>no unread field warnings for fields annotated with |
+ javax.persistent or javax.ejb3</li> |
+ <li>Eclipse plugin |
+ <ul> |
+ <li>bug annotation info displayed in Bug Details tab</li> |
+ <li>.fbwarnings data file now stored in .metadata (not in |
+ the project itself)</li> |
+ </ul> |
+ </li> |
+ <li>new SE_BAD_FIELD_INNER_CLASS pattern</li> |
+ <li>updates to Japanese translation (ruimo)</li> |
+ <li>fix some internal slashed/dotted path confusion</li> |
+ <li>other minor improvements</li> |
+ </ul> |
+ |
+ <p>Changes since version 1.0.0:</p> |
+ |
+ <ul> |
+ <li>Overall, the change from FindBugs 1.0.0 to FindBugs 1.1.0 |
+ has been a big change. We've done a lot of work in a lot of areas, |
+ and aren't even going to try to enumerate all the changes.</li> |
+ <li>We spent a lot of time reviewing the results generated by |
+ FindBugs for open source and commercial code bases, and made a |
+ number of changes, small and large, to minimize the number of |
+ false positives. Our primary focus for this was warnings reported |
+ as high and medium priority correctness warnings. Our internal |
+ evaluation is that we produce very few high/medium priority |
+ correctness warnings where the analysis is actually wrong, and |
+ that more than 75% of the high/medium priority correctness |
+ warnings correspond to real coding defects that need addressing in |
+ the source code. The remaining 25% are largely cases such as a |
+ branch or statement that if taken would lead to an error, but in |
+ fact is a dead branch or statement that can never be taken. Such |
+ coding is confusing and hard to maintain, so it should arguably be |
+ fixed, but it is unlikely to actually result in an error during |
+ execution. Thus, some might classify those warnings as false |
+ positives.</li> |
+ <li>We've substantially improved the analysis for errors that |
+ could result in null pointer dereferences. Overall, our experience |
+ has been that these changes have roughly doubled the number of |
+ null pointer errors we detect, without increasing the number of |
+ false positives (in fact, our false positive rate has gone down). |
+ The improvements are due to four factors: |
+ <ul> |
+ <li>By default, we now do some interprocedural analysis to |
+ determine methods that unconditionally dereference their |
+ parameters.</li> |
+ <li>FindBugs also comes with a model of which JDK methods |
+ unconditionally dereference their parameters.</li> |
+ <li>We do limited tracking of fields, so that we can detect |
+ null values stored in fields that lead to exceptions.</li> |
+ <li>We implemented a new analysis technique to find |
+ guaranteed dereferences. Consider the following example: <pre>public int f(Object x, boolean b) { |
int result = 0; |
if (x == null) result++; |
else result--; |
@@ -1168,2368 +1496,1300 @@ |
return result - x.hashCode(); |
} |
</pre> |
- </code> |
- |
- <p> |
- FindBugs 1.0 used forward dataflow analysis to determine |
- whether each value is definitely null, null on a simple path, |
- possible null on a complex path, or definitely nonnull. Thus, |
- at the statement where |
- <code> |
- result |
- </code> |
- is decremented, we know that |
- <code> |
- x |
- </code> |
- is definitely null, and at the point before |
- <code> |
- if (b) |
- </code> |
- , we know that |
- <code> |
- x |
- </code> |
- is null on a simple path. If |
- <code> |
- x |
- </code> |
- were to be dereferenced here, we would generate a warning, |
- because if the else branch of the |
- <code> |
- if (x == null) |
- </code> |
- were ever taken, a null pointer exception would result. |
- </p> |
- |
- <p> |
- However, in both the then and else branches of the |
- <code> |
- if (b) |
- </code> |
- statement, |
- <code> |
- x |
- </code> |
- is only null on a complex path that may be infeasible. It |
- might be that the program logic is such that if |
- <code> |
- x |
- </code> |
- is null, then |
- <code> |
- b |
- </code> |
- is never true, so generating a warning about the dereference |
- in the then clause might be a false positive. We could try to |
- analyze the program to determine whether it is possible for |
- <code> |
- x |
- </code> |
- to be null and |
- <code> |
- b |
- </code> |
- to be true, but that can be a hard analysis problem. |
- </p> |
- |
- <p> |
- However, |
- <code> |
- x |
- </code> |
- is dereferenced in both the then |
- <em>and</em> else branches of the |
- <code> |
- if (b) |
- </code> |
- statement. So at the point immediately before |
- <code> |
- if (b) |
- </code> |
- , we know that |
- <code> |
- x |
- </code> |
- is null on a simple path |
- <em>and</em> that |
- <code> |
- x |
- </code> |
- is guaranteed to be dereferenced on all paths from this point |
- forward. FindBugs 1.1 performs a backwards data flow analysis |
- to determine the values that are guaranteed to be |
- dereferenced, and will generate a warning in this case. |
- </p> |
- </li> |
- </ul> |
- <p> |
- The following screen shot of our new GUI shows an example of |
- this analysis, as well as showing off our new GUI and points out |
- a limitation of our current plugins for Eclipse and NetBeans. |
- The screen shot shows a null pointer bug in HelpDisplay.java. |
- The test for |
- <code> |
- href!=null |
- </code> |
- on line 78 suggests that |
- <code> |
- href |
- </code> |
- could be null. If it is, then |
- <code> |
- href |
- </code> |
- will be dereferenced on either line 87 or on line 90, generating |
- a NPE. Note that our analysis here also understands that passing |
- <code> |
- href |
- </code> |
- to |
- <code> |
- URLEncoder.encode |
- </code> |
- will deference it, and thus treats line 87 as a dereference, |
- even though |
- <code> |
- href |
- </code> |
- is not actually dereferenced at that line. Within our new GUI, |
- all of these locations are highlighted and listed in the summary |
- panel. In the original GUI (and in HTML output) we list all of |
- the locations, but only the primary location is highlighted by |
- the original GUI. In the Eclipse and NetBeans plugins, only the |
- primary location is displayed; fixing this is on our todo list |
- (contributions welcome). |
- </p> |
- <p> |
- <img src="guaranteedDereference.png" alt=""> |
- |
- |
- </p> |
- |
- </li> |
- <li> |
- Preliminary support for detectors using the frameworks other than |
- BCEL, such as the |
- <a href="http://asm.objectweb.org/">ASM</a> bytecode framework. |
- You may experiment with writing ASM-based detectors, but beware |
- the API may still change (which could possibly also affect |
- BCEL-based detectors). In general, we've started trying to move |
- away from a deep dependence on BCEL, but that change is only |
- partially complete. Probably best to just avoid this until we |
- complete more work on this. This change is only visible to |
- FindBugs plugin developers, and shouldn't be visible to FindBugs |
- users. |
- </li> |
- <li> |
- <p> |
- Bug categories (CORRECTNESS, MT_CORRECTNESS, etc.) are no longer |
- hard-coded, but rather defined in xml files associated with |
- plugins, including the core plugin which defines the standard |
- categories. Third-party plugins can define their own categories. |
- </p> |
- </li> |
- <li> |
- <p> |
- Several bug patterns have been moved from CORRECTNESS and STYLE |
- into a new category, BAD_PRACTICE. The English localization of |
- STYLE has changed from "Style" to "Dodgy." |
- </p> |
- <p> |
- In general, we've worked very hard to limit CORRECTNESS bugs to |
- be real programming errors and sins of commission. We have |
- reclassified as BAD_PRACTICE a number of bad design practices |
- that result in overly fragile code, such as defining an equals |
- method that doesn't accept null or defining class with a equals |
- method that inherits hashCode from class Object. |
- </p> |
- <p> |
- In general, our guidelines for deciding whether a bug should be |
- classified as CORRECTNESS, BAD_PRACTICE or STYLE are: |
- </p> |
- <dl> |
- <dt> |
- CORRECTNESS |
- </dt> |
- <dd> |
- A problem that we can recognize with high confidence and is an |
- issue that we believe almost all developers would want to |
- examine and address. We recommend that software teams review |
- all high and medium priority warnings in their entire code |
- base. |
- </dd> |
- <dt> |
- BAD_PRACTICE |
- </dt> |
- <dd> |
- A problem that we can recognize with high confidence and |
- represents a clear violation of recommended and standard coding |
- practice. We believe each software team should decide which bad |
- practices identified by FindBugs it wants to prohibit in the |
- team's coding standard, and take action to remedy violations of |
- those coding standards. |
- </dd> |
- <dt> |
- STYLE |
- </dt> |
- <dd> |
- These are places where something strange or dodgy is going on, |
- such as a dead store to a local variable. Typically, less than |
- half of these represent actionable programming defects. |
- Reviewing these warnings in any code under active development |
- is probably a good idea, but reviewing all such warnings in |
- your entire code base might be appropriate only in some |
- situations. Individual or team programming styles can |
- substantially influence the effectiveness of each of these |
- warnings (e.g., you might have a coding practice or style in |
- your group that confuses one of the detectors into generating a |
- lot of STYLE warnings); you will likely want to selectively |
- suppress or report the STYLE warnings that are effective for |
- your group. |
- </dd> |
- </dl> |
- </li> |
- <li> |
- Released a preliminary version of a new GUI (known internally as |
- GUI2 -- not very creative, huh?) |
- </li> |
- <li> |
- Provided standard ways to mark user designations of bug warnings |
- (e.g., as NOT_A_BUG or SHOULD_FIX). The internal logic now |
- records this, it is represented in the XML file, and GUI2 allows |
- the designations to be applied (along with free-form user |
- annotations about each warning). The user designations and |
- annotations are not yet supported by the Eclipse plugin, but we |
- clearly want to support it in Eclipse shortly. |
- </li> |
- <li> |
- Added a check for a bad comparison with a signed byte with a |
- value not in the range -128..127. For example: |
- <code> |
- <pre>boolean find200(byte b[]) { |
+ |
+ <p> |
+ FindBugs 1.0 used forward dataflow analysis to determine |
+ whether each value is definitely null, null on a simple path, |
+ possible null on a complex path, or definitely nonnull. Thus, |
+ at the statement where |
+ <code> result </code> |
+ is decremented, we know that |
+ <code> x </code> |
+ is definitely null, and at the point before |
+ <code> if (b) </code> |
+ , we know that |
+ <code> x </code> |
+ is null on a simple path. If |
+ <code> x </code> |
+ were to be dereferenced here, we would generate a warning, |
+ because if the else branch of the |
+ <code> if (x == null) </code> |
+ were ever taken, a null pointer exception would result. |
+ </p> |
+ |
+ <p> |
+ However, in both the then and else branches of the |
+ <code> if (b) </code> |
+ statement, |
+ <code> x </code> |
+ is only null on a complex path that may be infeasible. It might |
+ be that the program logic is such that if |
+ <code> x </code> |
+ is null, then |
+ <code> b </code> |
+ is never true, so generating a warning about the dereference in |
+ the then clause might be a false positive. We could try to |
+ analyze the program to determine whether it is possible for |
+ <code> x </code> |
+ to be null and |
+ <code> b </code> |
+ to be true, but that can be a hard analysis problem. |
+ </p> |
+ |
+ <p> |
+ However, |
+ <code> x </code> |
+ is dereferenced in both the then <em>and</em> else branches of |
+ the |
+ <code> if (b) </code> |
+ statement. So at the point immediately before |
+ <code> if (b) </code> |
+ , we know that |
+ <code> x </code> |
+ is null on a simple path <em>and</em> that |
+ <code> x </code> |
+ is guaranteed to be dereferenced on all paths from this point |
+ forward. FindBugs 1.1 performs a backwards data flow analysis |
+ to determine the values that are guaranteed to be dereferenced, |
+ and will generate a warning in this case. |
+ </p> |
+ </li> |
+ </ul> |
+ <p> |
+ The following screen shot of our new GUI shows an example of this |
+ analysis, as well as showing off our new GUI and points out a |
+ limitation of our current plugins for Eclipse and NetBeans. The |
+ screen shot shows a null pointer bug in HelpDisplay.java. The |
+ test for |
+ <code> href!=null </code> |
+ on line 78 suggests that |
+ <code> href </code> |
+ could be null. If it is, then |
+ <code> href </code> |
+ will be dereferenced on either line 87 or on line 90, generating |
+ a NPE. Note that our analysis here also understands that passing |
+ <code> href </code> |
+ to |
+ <code> URLEncoder.encode </code> |
+ will deference it, and thus treats line 87 as a dereference, even |
+ though |
+ <code> href </code> |
+ is not actually dereferenced at that line. Within our new GUI, |
+ all of these locations are highlighted and listed in the summary |
+ panel. In the original GUI (and in HTML output) we list all of |
+ the locations, but only the primary location is highlighted by |
+ the original GUI. In the Eclipse and NetBeans plugins, only the |
+ primary location is displayed; fixing this is on our todo list |
+ (contributions welcome). |
+ </p> |
+ <p> |
+ <img src="guaranteedDereference.png" alt=""> |
+ |
+ |
+ </p> |
+ |
+ </li> |
+ <li>Preliminary support for detectors using the frameworks |
+ other than BCEL, such as the <a href="http://asm.objectweb.org/">ASM</a> |
+ bytecode framework. You may experiment with writing ASM-based |
+ detectors, but beware the API may still change (which could |
+ possibly also affect BCEL-based detectors). In general, we've |
+ started trying to move away from a deep dependence on BCEL, but |
+ that change is only partially complete. Probably best to just |
+ avoid this until we complete more work on this. This change is |
+ only visible to FindBugs plugin developers, and shouldn't be |
+ visible to FindBugs users. |
+ </li> |
+ <li> |
+ <p>Bug categories (CORRECTNESS, MT_CORRECTNESS, etc.) are no |
+ longer hard-coded, but rather defined in xml files associated |
+ with plugins, including the core plugin which defines the |
+ standard categories. Third-party plugins can define their own |
+ categories.</p> |
+ </li> |
+ <li> |
+ <p>Several bug patterns have been moved from CORRECTNESS and |
+ STYLE into a new category, BAD_PRACTICE. The English localization |
+ of STYLE has changed from "Style" to "Dodgy."</p> |
+ <p>In general, we've worked very hard to limit CORRECTNESS |
+ bugs to be real programming errors and sins of commission. We |
+ have reclassified as BAD_PRACTICE a number of bad design |
+ practices that result in overly fragile code, such as defining an |
+ equals method that doesn't accept null or defining class with a |
+ equals method that inherits hashCode from class Object.</p> |
+ <p>In general, our guidelines for deciding whether a bug |
+ should be classified as CORRECTNESS, BAD_PRACTICE or STYLE are:</p> |
+ <dl> |
+ <dt>CORRECTNESS</dt> |
+ <dd>A problem that we can recognize with high confidence and |
+ is an issue that we believe almost all developers would want to |
+ examine and address. We recommend that software teams review all |
+ high and medium priority warnings in their entire code base.</dd> |
+ <dt>BAD_PRACTICE</dt> |
+ <dd>A problem that we can recognize with high confidence and |
+ represents a clear violation of recommended and standard coding |
+ practice. We believe each software team should decide which bad |
+ practices identified by FindBugs it wants to prohibit in the |
+ team's coding standard, and take action to remedy violations of |
+ those coding standards.</dd> |
+ <dt>STYLE</dt> |
+ <dd>These are places where something strange or dodgy is |
+ going on, such as a dead store to a local variable. Typically, |
+ less than half of these represent actionable programming |
+ defects. Reviewing these warnings in any code under active |
+ development is probably a good idea, but reviewing all such |
+ warnings in your entire code base might be appropriate only in |
+ some situations. Individual or team programming styles can |
+ substantially influence the effectiveness of each of these |
+ warnings (e.g., you might have a coding practice or style in |
+ your group that confuses one of the detectors into generating a |
+ lot of STYLE warnings); you will likely want to selectively |
+ suppress or report the STYLE warnings that are effective for |
+ your group.</dd> |
+ </dl> |
+ </li> |
+ <li>Released a preliminary version of a new GUI (known |
+ internally as GUI2 -- not very creative, huh?)</li> |
+ <li>Provided standard ways to mark user designations of bug |
+ warnings (e.g., as NOT_A_BUG or SHOULD_FIX). The internal logic |
+ now records this, it is represented in the XML file, and GUI2 |
+ allows the designations to be applied (along with free-form user |
+ annotations about each warning). The user designations and |
+ annotations are not yet supported by the Eclipse plugin, but we |
+ clearly want to support it in Eclipse shortly.</li> |
+ <li>Added a check for a bad comparison with a signed byte with |
+ a value not in the range -128..127. For example: <pre>boolean find200(byte b[]) { |
for(int i = 0; i < b.length; i++) if (b[i] == 200) return i; |
return -1; |
} |
</pre> |
- </code> |
- </li> |
- <li> |
- Added a checking for testing if a value is equal to Double.NaN |
- (no value is equal to NaN, not even NaN). |
- </li> |
- <li> |
- Added a check for using a class with an equals method but no |
- hashCode method in a hashed data structure. |
- </li> |
- <li> |
- Added check for uncallable method of an anonymous inner class. |
- For example, in the following code, it is impossible to invoke |
- the initalValue method (because the name is misspelled and as a |
- result is doesn't override a method in ThreadLocal). |
- <code> |
- <pre>private static ThreadLocal serialNum = new ThreadLocal() { |
+ </li> |
+ <li>Added a checking for testing if a value is equal to |
+ Double.NaN (no value is equal to NaN, not even NaN).</li> |
+ <li>Added a check for using a class with an equals method but |
+ no hashCode method in a hashed data structure.</li> |
+ <li>Added check for uncallable method of an anonymous inner |
+ class. For example, in the following code, it is impossible to |
+ invoke the initalValue method (because the name is misspelled and |
+ as a result is doesn't override a method in ThreadLocal). <pre>private static ThreadLocal serialNum = new ThreadLocal() { |
protected synchronized Object initalValue() { |
return new Integer(nextSerialNum++); |
} |
}; |
</pre> |
- </code> |
- </li> |
- <li> |
- Added check for a dead local store caused by a switch statement |
- fall through |
- </li> |
- <li> |
- Added check for computing the absolute value of a random 32 bit |
- integer or of a hashcode. This is broken because |
- <code> |
- Math.abs(Integer.MIN_VALUE) == Integer.MIN_VALUE |
- </code> |
- , and thus result of calling Math.abs, which is expected to be |
- nonnegative, will in fact be negative one time out of 2 |
- <sup> |
- 32 |
- </sup> |
- , which will invariably be the time your boss is demoing the |
- software to your customers. |
- |
- </li> |
- <li> |
- More careful resolution of inherited methods and fields. Some of |
- the shortcuts we were taking in FindBugs 1.0.0 were leading to |
- inaccurate results, and it was fairly easy to address this by |
- making the analysis more accurate. |
- </li> |
- <li> |
- Overall, analysis times are about 1.6 times longer in FindBugs |
- 1.1.0 than in FindBugs 1.0.0. This is because we have enabled |
- substantial additional analysis at the default effort level (the |
- actual analysis engine is significantly faster than in FindBugs |
- 1.0). On a recent AMD Athlon processor, analyzing JDK1.6.0 (about |
- 1 million lines of code) requires about 15 minutes of wall clock |
- time. |
- </li> |
- <li> |
- Provided class and script (printClass) to print classfile in the |
- human readable format produced by BCEL |
- </li> |
- <li> |
- Provided -findSource option to setBugDatabaseInfo |
- </li> |
- </ul> |
- |
- |
- <p> |
- Changes since version 0.9.7: |
- </p> |
- |
- <ul> |
- <li> |
- fix ObjectTypeFactory bug that was suppressing some bugs |
- </li> |
- <li> |
- opcode stack may determine definite zeros on some paths |
- </li> |
- <li> |
- opcode stack can track some constant string concatenations |
- (dbrosius) |
- </li> |
- <li> |
- default effort performs iterative opcode analysis (but min effort |
- does not) |
- </li> |
- <li> |
- default heap size upped to 384m |
- </li> |
- <li> |
- schema for XML output available: bugcollection.xsd |
- </li> |
- <li> |
- fixed some internal confusion between dotted and slashed class |
- names |
- </li> |
- <li> |
- New detectors |
- <ul> |
- <li> |
- CheckImmutableAnnotation.java: checks JCIP annotations |
- </li> |
- </ul> |
- </li> |
- <li> |
- Updated detectors |
- <ul> |
- <li> |
- BadRegEx.java: understands Pattern.LITERAL, warns about "." |
- </li> |
- <li> |
- FindUnreleasedLock.java: fewer false positives |
- </li> |
- <li> |
- DumbMethods.java: check for vacuous comparisons to MAX_INTEGER |
- or MIN_INTEGER, fix bugs detecting DM_NEXTINT_VIA_NEXTDOUBLE |
- </li> |
- <li> |
- FindPuzzlers.java: detect |
- <tt>n%2==1</tt>, detect toString() on array types |
- </li> |
- <li> |
- FindInconsistentSync2.java: detects IS_FIELD_NOT_GUARDED |
- </li> |
- <li> |
- MethodReturnCheck.java: add check for discarded newly |
- constructed values, increase priority of some ignored |
- constructed exceptions, better handling of bytecode compiled by |
- Eclipse |
- </li> |
- <li> |
- FindEmptySynchronizedBlock.java: better handling of bytecode |
- compiled by Eclipse |
- </li> |
- <li> |
- DoInsideDoPrivileged.java: warn if call to setAccessible isn't |
- in doPriviledged, don't report private methods |
- </li> |
- <li> |
- LoadOfKnownNullValue.java: fix bug that was reporting false |
- positives on |
- <code> |
- finally |
- </code> |
- blocks |
- </li> |
- <li> |
- CheckReturnAnnotationDatabase.java: better checks for unstarted |
- threads |
- </li> |
- <li> |
- ConfusionBetweenInheritedAndOuterMethod.java: fewer false |
- positives, fixed a package-handling bug |
- </li> |
- <li> |
- BadResultSetAccess.java: separate bug pattern for |
- PreparedStatements, |
- <code> |
- BRZA |
- </code> |
- category folded into |
- <code> |
- SQL |
- </code> |
- category |
- </li> |
- <li> |
- FindDeadLocalStores.java, FindBadCast2.java, DumbMethods.java, |
- RuntimeExceptionCapture.java: coalesce similar bugs within a |
- method into a single bug instance with multiple source lines |
- </li> |
- </ul> |
- </li> |
- <li> |
- Eclipse plugin |
- <ul> |
- <li> |
- plugin ID changed from |
- <tt>de.tobject.findbugs</tt> to |
- <tt>edu.umd.cs.findbugs.plugin.eclipse</tt> |
- </li> |
- <li> |
- support for findbugs eclipse auto-update site |
- </li> |
- </ul> |
- </li> |
- <li> |
- Updated test case files |
- <ul> |
- <li> |
- BadRegEx.java |
- </li> |
- <li> |
- JSR166.java |
- </li> |
- <li> |
- ConcurrentModificationBug.java |
- </li> |
- <li> |
- DeadStore.java |
- </li> |
- <li> |
- InstanceOf.java |
- </li> |
- <li> |
- LoadKnownNull.java |
- </li> |
- <li> |
- NeedsToCheckReturnValue.java |
- </li> |
- <li> |
- BadResultSetAccessTest.java |
- </li> |
- <li> |
- DeadStore.java |
- </li> |
- <li> |
- TestNonNull2.java |
- </li> |
- <li> |
- TestImmutable.java |
- </li> |
- <li> |
- TestGuardedBy.java |
- </li> |
- <li> |
- BadRandomInt.java |
- </li> |
- <li> |
- six test cases added to new |
- <code> |
- TigerTraps |
- </code> |
- directory |
- </li> |
- </ul> |
- </li> |
- <li> |
- fix bug that was generating duplicate uids |
- </li> |
- <li> |
- fix bug with |
- <code> |
- -onlyAnalyze some.package.* |
- </code> |
- on jdk1.4 |
- </li> |
- <li> |
- fix regression bug in DismantleByteCode.getRefConstantOperand() |
- </li> |
- <li> |
- fix some minor bugs with the Swing GUI |
- </li> |
- <li> |
- reordered some bugInstances so that source line annotations come |
- last |
- </li> |
- <li> |
- removed references to unused java system properties |
- </li> |
- <li> |
- French translation updates (David Cotton) |
- </li> |
- <li> |
- Japanese translation updates (Hanai Shisei) |
- </li> |
- <li> |
- content cleanup for findbugs.xml and messages.xml |
- </li> |
- <li> |
- references to cvs hostname updated to |
- findbugs.cvs.sourceforge.net |
- </li> |
- <li> |
- documented xdoc output options, new |
- mineBugHistory/computeBugHistory options |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.9.6: |
- </p> |
- |
- <ul> |
- <li> |
- performance improvements |
- </li> |
- <li> |
- ObjectType instances are cached to reduce memory footprint |
- </li> |
- <li> |
- for performance and memory reasons stateless detectors are no |
- longer cloned, must clear their own state between .class files |
- </li> |
- <li> |
- fixed bug in bytecode-set lookup for methods (was causing bad |
- results for IS2, perhaps others) |
- </li> |
- <li> |
- fix some OpcodeStack bugs with integer and long operations, |
- perform iterative analysis when effort is |
- <tt>max</tt> |
- </li> |
- <li> |
- HTML output includes LongMessage text again (regression in 0.95 - |
- 0.96) |
- </li> |
- <li> |
- New detectors |
- <ul> |
- <li> |
- CalledMethods.java: builds a list of invoked methods for other |
- detectors to consult (non-reporting) |
- </li> |
- <li> |
- UncallableMethodOfAnonymousClass.java: detect anonymous inner |
- classes that define methods that are probably intended to but |
- do not override methods in a superclass. |
- </li> |
- </ul> |
- </li> |
- <li> |
- Updated detectors |
- <ul> |
- <li> |
- FindFieldSelfAssignment.java: recognize separate fields with |
- the same name (one from superclass) |
- </li> |
- <li> |
- FindLocalSelfAssignment2.java: handles backward branches better |
- (Dave Brosius) |
- </li> |
- <li> |
- FindBadCast2.java: BC_NULL_INSTANCEOF changed to |
- NP_NULL_INSTANCEOF |
- </li> |
- <li> |
- FindPuzzlers.java: eliminate false positive on setDate() (Dave |
- Brosius) |
- </li> |
- </ul> |
- </li> |
- <li> |
- Eclipse plugin |
- <ul> |
- <li> |
- fix serious threading bug |
- </li> |
- <li> |
- preferences for Filters and effort (Peter Hendriks) |
- </li> |
- <li> |
- French localization (David Cotton) |
- </li> |
- <li> |
- fix bug when reporting inner classes (Peter Friese) |
- </li> |
- </ul> |
- </li> |
- <li> |
- Updated test case files |
- <ul> |
- <li> |
- Mwn.java (Carl Burke/Dave Brosius) |
- </li> |
- <li> |
- DumbMethodInvocations.java (Anto paul/Dave Brosius) |
- </li> |
- <!--sic--> |
- </ul> |
- </li> |
- <li> |
- XML output includes garbage collection duration |
- </li> |
- <li> |
- French messages updated (David Cotton) |
- </li> |
- <li> |
- Swing GUI shows file name after Load Bugs command |
- </li> |
- <li> |
- Ant task to launch the findbugs frame (Mark McKay) |
- </li> |
- <li> |
- miscellaneous code cleanup |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.9.5: |
- </p> |
- |
- <ul> |
- <li> |
- Updated detectors |
- <ul> |
- <li> |
- FindNullDeref.java: respect NonNull and CheckForNull field |
- annotations |
- </li> |
- <li> |
- SerializableIdiom.java: detect non-private readObject and |
- writeObject methods |
- </li> |
- <li> |
- FindRefComparison.java: smarter array comparison detection |
- </li> |
- <li> |
- IsNullValueAnalysis.java: detect |
- <tt>null instanceof</tt> |
- </li> |
- <li> |
- FindLocalSelfAssignment2.java: suppress some false positives |
- (Dave Brosius) |
- </li> |
- <li> |
- FindUnreleasedLock.java: don't waste time processing classes |
- that don't refer to java.util.concurrent.locks |
- </li> |
- <li> |
- MutableStaticFields.java: report the source line (Dave Brosius) |
- </li> |
- <li> |
- SwitchFallthrough.java: better handling of System.exit() (Dave |
- Brosius) |
- </li> |
- <li> |
- MultithreadedInstanceAccess.java: better handling of |
- Servlet.init() (Dave Brosius) |
- </li> |
- <li> |
- ConfusionBetweenInheritedAndOuterMethod.java: now enabled |
- </li> |
- </ul> |
- </li> |
- <li> |
- Eclipse plugin |
- <ul> |
- <li> |
- background processing (Peter Friese) |
- </li> |
- <li> |
- internationalization, Japanese localization (Takashi Okamoto) |
- </li> |
- </ul> |
- </li> |
- <li> |
- findbugs |
- <tt>-onlyAnalyze</tt> option now works on windows platforms |
- </li> |
- <li> |
- mineBugHistory |
- <tt>-noTabs</tt> option for better alignment of output columns |
- </li> |
- <li> |
- filterBugs |
- <tt>-fixed</tt> option (also: will now recognize the most recent |
- version string) |
- </li> |
- <li> |
- XML output includes running time and memory usage data |
- </li> |
- <li> |
- miscellaneous minor corrections to the manual |
- </li> |
- <li> |
- better bytecode analysis of the |
- <tt>iinc</tt> instruction |
- </li> |
- <li> |
- fix bug in null pointer analysis |
- </li> |
- <li> |
- improved catch block heuristics |
- </li> |
- <li> |
- some type analysis tweaks |
- </li> |
- <li> |
- Bug priority changes |
- <ul> |
- <li> |
- DumbMethodInvocations.java: decrease priority of hard-coded |
- <tt>/tmp</tt> filenames |
- </li> |
- <li> |
- ComparatorIdiom.java: decrease priority of non-serializable |
- anonymous comparators |
- </li> |
- <li> |
- FindSqlInjection.java: decrease priority of appending a |
- constant or a static |
- </li> |
- </ul> |
- </li> |
- <li> |
- Updated bug explanations |
- <ul> |
- <li> |
- NM_VERY_CONFUSING (Dave Brosius) |
- </li> |
- </ul> |
- </li> |
- <li> |
- Updated test case files |
- <ul> |
- <li> |
- BadStoreOfNonSerializableObject.java |
- </li> |
- <li> |
- BadRandomInt.java |
- </li> |
- <li> |
- TestFieldAnnotations.java |
- </li> |
- <li> |
- UseInitCause.java |
- </li> |
- <li> |
- SqlInjection.java |
- </li> |
- <li> |
- ArrayEquality.java |
- </li> |
- <li> |
- BadIntegerOperations.java |
- </li> |
- <li> |
- Pilhuhn.java |
- </li> |
- <li> |
- InstanceOf.java |
- </li> |
- <li> |
- SwitchFallthrough.java (Dave Brosius) |
- </li> |
- </ul> |
- </li> |
- <li> |
- fix URL decoding bug when running under Java Web Start (Dave |
- Brosius) |
- </li> |
- <li> |
- distribution includes |
- <tt>project.xml</tt> file for NetBeans |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.9.4: |
- </p> |
- <ul> |
- <li> |
- New detectors |
- <ul> |
- <li> |
- VarArgsProblems.java |
- </li> |
- <li> |
- FindSqlInjection.java: now enabled |
- </li> |
- <li> |
- ComparatorIdiom.java: comparators usually implement |
- serializable |
- </li> |
- <li> |
- Naming.java: detect methods not overridden due to eponymously |
- typed args from different packages |
- </li> |
- </ul> |
- </li> |
- <li> |
- Updated detectors |
- <ul> |
- <li> |
- SwitchFallthrough.java: surpress some false positives |
- </li> |
- <li> |
- DuplicateBranches.java: surpress some false positives |
- </li> |
- <li> |
- IteratorIdioms.java: surpress some false positives |
- </li> |
- <li> |
- FindHEmismatch.java: surpress some false positives |
- </li> |
- <li> |
- QuestionableBooleanAssignment.java: finds more cases of |
- <tt>if (b=true)</tt> ilk |
- </li> |
- <li> |
- DumbMethods.java: detect int remainder by 1, delayed gc errors |
- </li> |
- <li> |
- SerializableIdiom.java: detect store of nonserializable object |
- into field of serializable class |
- </li> |
- <li> |
- FindNullDeref.java: fix potential exception |
- </li> |
- <li> |
- IsNullValue.java: fix potential exception |
- </li> |
- <li> |
- MultithreadedInstanceAccess.java: fix potential exception |
- </li> |
- <li> |
- PreferZeroLengthArrays.java: flag the method, not the line |
- </li> |
- </ul> |
- </li> |
- <li> |
- Remove some inadvertent dependencies on JDK 1.5 |
- </li> |
- <li> |
- Sort order should be more consistent |
- </li> |
- <li> |
- XML output changes |
- <ul> |
- <li> |
- Option to sort XML bug output |
- </li> |
- <li> |
- Now contains instance IDs |
- </li> |
- <li> |
- uid no longer missing (was causing problems with fancy HTML |
- output) |
- </li> |
- <li> |
- Typo fixed |
- </li> |
- </ul> |
- </li> |
- <li> |
- Internal changes to track source files, |
- <tt>-sourceInfo</tt> option |
- </li> |
- <li> |
- Bug matching: first try exact bug pattern matching, option to |
- compare priorities, option to disable package moves |
- </li> |
- <li> |
- Architecture documentation in |
- <tt>design/architecture</tt> |
- </li> |
- <li> |
- Test cases move into their own CVS project |
- </li> |
- <li> |
- Don't report warnings that occur outside the analyzed classes |
- </li> |
- <li> |
- Fixes to the build.xml files |
- </li> |
- <li> |
- Better handling of @CheckReturnValue and @CheckForNull |
- annotations (also, some additional methods searched for check |
- return value and check for null) |
- </li> |
- <li> |
- Fixed some stream-closing bugs (one by |
- <tt>z-fb-user</tt>/Dave Brosius) |
- </li> |
- <li> |
- Bug priority changes |
- <ul> |
- <li> |
- increase priority of ignoring return value of |
- java.sql.Connection methods |
- </li> |
- <li> |
- increase priority of comparing classes like Integer using |
- <tt>==</tt> |
- </li> |
- <li> |
- decrease priority of IT_NO_SUCH_ELEMENT if we see any call to |
- <tt>next()</tt> |
- </li> |
- <li> |
- tweak priority of NM_METHOD_CONSTRUCTOR_CONFUSION |
- </li> |
- <li> |
- decrease priority of RV_RETURN_VALUE_IGNORED for an inherited |
- annotation that doesn't return same type as class |
- </li> |
- </ul> |
- </li> |
- <li> |
- Updated bug explanations |
- <ul> |
- <li> |
- RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE |
- </li> |
- <li> |
- DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED |
- </li> |
- <li> |
- IMA_INEFFICIENT_MEMBER_ACCESS (Dave Brosius) |
- </li> |
- <li> |
- some Japanese improvements to messages_ja.xml ( |
- <tt>ruimo</tt>) |
- </li> |
- <li> |
- some German improvements to findbugs_de.properties (Dave |
- Brosius, |
- <tt>dvholten</tt>) |
- </li> |
- </ul> |
- </li> |
- <li> |
- Updated test case files |
- <ul> |
- <li> |
- BadIntegerOperations.java |
- </li> |
- <li> |
- SecondKaboom.java |
- </li> |
- <li> |
- OpenDatabase.java (Dave Brosius) |
- </li> |
- <li> |
- FindOpenStream.java (Dave Brosius) |
- </li> |
- <li> |
- BadRandomInt.java |
- </li> |
- </ul> |
- </li> |
- <li> |
- Source-lines info maintained for methods (handy for abstract and |
- native methods) |
- </li> |
- <li> |
- Remove surrounding opcodes from source line annotations |
- </li> |
- <li> |
- Better error when can't read file |
- </li> |
- <li> |
- Swing GUI: removed console pane from FindBugsFrame, fix missing |
- classes bug |
- </li> |
- <li> |
- Fixes to OpcodeStack.java |
- </li> |
- <li> |
- Detectors may attach a custom value to an OpcodeStack.Item (Dave |
- Brosius) |
- </li> |
- <li> |
- Filter.java: ability to add text messages to XML output, fix bug |
- with |
- <tt>-withMessages</tt> |
- </li> |
- <li> |
- SourceInfoMap supports ranges of source lines |
- </li> |
- <li> |
- Ant task supports the |
- <tt>timestampNow</tt> attribute |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.9.3: |
- </p> |
- <ul> |
- <li> |
- Substantial rework of datamining code |
- </li> |
- <li> |
- Removed bogus warnings about await on things other than Condition |
- not being in a loop |
- </li> |
- <li> |
- Fixed bug in OpcodeStack handling of dup2 of long/double values |
- </li> |
- <li> |
- Don't report array types as missing classes |
- </li> |
- <li> |
- Adjustment of some warnings on ignored return values |
- </li> |
- <li> |
- Added thread safety annotations from Java Concurrency in Practice |
- (no detectors written for these yet) |
- </li> |
- <li> |
- Added annotation for methods that, if overridden, should be |
- invoked by overriding methods via a call to super |
- </li> |
- <li> |
- Updated -html:fancy.xsl (Etienne Giraudy) |
- </li> |
- </ul> |
- |
- <p> |
- Note: there was no version 0.9.2 |
- </p> |
- |
- <p> |
- Changes since version 0.9.1: |
- </p> |
- <ul> |
- <!-- New detectors --> |
- <li> |
- Embellish USM to find abstract methods that implement an |
- interface method (Dave Brosius) |
- </li> |
- <li> |
- New detector to find stores of literal booleans inside if or |
- while expressions (Dave Brosius) |
- </li> |
- <li> |
- New style detector to find final classes that declare protected |
- fields (Dave Brosius) |
- </li> |
- <li> |
- New detector to find subclass methods that simply forward, |
- verbatim, to the super class (Dave Brosius) |
- </li> |
- <li> |
- Detector to find instances where code is attempting to write an |
- object out via an implementation of DataOutput, but the object is |
- not guaranteed to be Serializable (Jon Christiansen, Bill Pugh) |
- </li> |
- |
- <!-- Feature enhancements --> |
- <li> |
- Large (35%) analysis speedup (Bill Pugh) |
- </li> |
- <li> |
- Add line numbers to Swing GUI code panel (Dave Brosius) |
- </li> |
- <li> |
- Added effort options to Swing GUI (Dave Brosius) |
- </li> |
- <li> |
- Add ability to specify bugs file to open from command line for |
- GUI version, through -loadbugs (Phillip Martin) |
- </li> |
- <li> |
- New stylesheet for generating HTML: use option |
- <tt>-html:plain.xsl</tt> (Chris Nappin) |
- </li> |
- <li> |
- New stylesheet for generating HTML: use option |
- <tt>-html:fancy.xsl</tt> (Etienne Giraudy) |
- </li> |
- <li> |
- Updated Japanese bug message translations (Shisei Hanai) |
- </li> |
- |
- <!-- Bug fixes --> |
- <li> |
- XHTML compliance fixes for bug details (Etienne Giraudy) |
- </li> |
- <li> |
- Various detector fixes (Shisei Hanai) |
- </li> |
- <li> |
- Fixed bugs in the project preferences dialog int the Eclipse |
- plugin (Takashi Okamoto, Thomas Einwaller) |
- </li> |
- <li> |
- Lowered priority of analysis thread in Swing GUI (David |
- Hovemeyer, suggested by Shisei Hanai and Jeffrey W. Badorek) |
- </li> |
- <li> |
- Fixed EclipsePlugin to correctly pick up auxclasspath entries |
- (Jon Christiansen) |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.9.0: |
- </p> |
- <ul> |
- <li> |
- Fixed dependence on JRE 1.5: all features should work on JRE 1.4 |
- again |
- </li> |
- <li> |
- Fixed -effort command line option handling for Swing GUI |
- </li> |
- <li> |
- Fixed conserveSpace and workHard attributes int Ant task |
- </li> |
- <li> |
- Added support for effort attribute in Ant task |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.8.8: |
- </p> |
- <ul> |
- <!-- New detectors and bug patterns --> |
- <li> |
- XMLFactoryBypass detector to find direct allocation of xml class |
- implementations (Dave Brosius) |
- </li> |
- <li> |
- InefficientMemberAccess detector to find accesses to owning class |
- private members (Dave Brosius) |
- </li> |
- <li> |
- DuplicateBranches detector checks switch statements too (Dave |
- Brosius) |
- </li> |
- |
- <!-- Feature enhancements --> |
- <li> |
- FindBugs available from findbugs.sourceforge.net as Java Web |
- Start application (Dave Brosius) |
- </li> |
- <li> |
- Updated Japanese bug message translations (Shisei Hanai) |
- </li> |
- <li> |
- Improved bug detail message for covariant equals() (Shisei Hanai) |
- </li> |
- <li> |
- Modeling of instanceof checks is now enabled by default, making |
- the bad cast detector much more useful (Bill Pugh, David |
- Hovemeyer) |
- </li> |
- <li> |
- Support for detector ordering constraints in plugin descriptor |
- (David Hovemeyer) |
- </li> |
- <li> |
- Simpler option to control analysis effort: -effort: |
- <i>value</i>, where |
- <i>value</i> is one of |
- <code> |
- min |
- </code> |
- , |
- <code> |
- default |
- </code> |
- , or |
- <code> |
- max |
- </code> |
- (David Hovemeyer) |
- </li> |
- <li> |
- Using -effort:max, FindNullDeref checks for null arguments passed |
- to methods which dereference them unconditionally (David |
- Hovemeyer) |
- </li> |
- <li> |
- FindNullDeref checks @Null and @NonNull annotations for |
- parameters and return values (David Hovemeyer) |
- </li> |
- |
- <!-- Bug fixes --> |
- </ul> |
- |
- <p> |
- Changes since version 0.8.7: |
- </p> |
- |
- <ul> |
- <!-- New detectors and bug patterns --> |
- <li> |
- New detector to find duplicate code in if/else statements (Dave |
- Brosius) |
- </li> |
- <li> |
- Look for calls to wait() on Condition objects (David Hovemeyer) |
- </li> |
- <li> |
- Look for java.util.concurrent.Lock objects not released on every |
- path out of method (David Hovemeyer) |
- </li> |
- <li> |
- Look for calls to Thread.sleep() with a lock held (David |
- Hovemeyer) |
- </li> |
- <li> |
- More accurate detection of impossible casts (Bill Pugh, David |
- Hovemeyer) |
- </li> |
- |
- <!-- Feature enhancements --> |
- <li> |
- Saved XML now contains project statistics (Jay Dunning) |
- </li> |
- <li> |
- Filter files can select by bug pattern type and warning priority |
- (David Hovemeyer) |
- </li> |
- |
- <!-- Bug fixes --> |
- <li> |
- Restored some files inadvertently omitted from previous release |
- (Rohan Lloyd, David Hovemeyer) |
- </li> |
- <li> |
- Make sure detectors requiring JDK 1.5 runtime classes are only |
- executed if those classes are available (David Hovemeyer) |
- </li> |
- <li> |
- Don't display analysis error dialog unless there is really an |
- error (David Hovemeyer) |
- </li> |
- <li> |
- Updated and expanded French translations of bug patterns and |
- Swing GUI (Olivier Parent) |
- </li> |
- <li> |
- Fixed invalid character encoding in German Swing GUI translation |
- (Olivier Parent) |
- </li> |
- <li> |
- Fix locale used for date format in project stats (K. Hashimoto) |
- </li> |
- <li> |
- Fixed LongDescription elements in xml:withMessages output format |
- (K. Hashimoto) |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.8.6: |
- </p> |
- |
- <ul> |
- <!-- new detectors --> |
- <li> |
- Extend Naming detector to look for classes that are named |
- XXXException but that are not Exceptions (Dave Brosius) |
- </li> |
- <li> |
- New detector to find classes that expose semaphores in the public |
- implementation through the 'this' reference. (Dave Brosius) |
- </li> |
- <li> |
- New Style detector to find Struts Action/Servlet derived classes |
- that reference instance member variable not in synchronized |
- blocks. (Dave Brosius) |
- </li> |
- <li> |
- New Style detector to find classes that declare implementation of |
- interfaces that are already implemented by super classes (Dave |
- Brosius) |
- </li> |
- <li> |
- New Style detector to find circular dependencies between classes |
- (Dave Brosius) |
- </li> |
- <li> |
- New Style detector to find unnecessary math on constants (Dave |
- Brosius) |
- </li> |
- <li> |
- New detector to find equality comparisons using floating point |
- math (Jay Dunning) |
- </li> |
- <li> |
- New faster detector to find local self assignments (Bill Pugh) |
- </li> |
- <li> |
- New detector to find infinite recursive loops (Bill Pugh) |
- </li> |
- <li> |
- New detector to find for loops with an incorrect increment (Bill |
- Pugh) |
- </li> |
- <li> |
- New detector to find suspicious uses of BufferedReader.readLine() |
- and String.indexOf() (Bill Pugh) |
- </li> |
- <li> |
- New detector to find suspicious integer to double casts (David |
- Hovemeyer, Bill Pugh) |
- </li> |
- <li> |
- New detector to find invalid regular expression patterns (Bill |
- Pugh) |
- </li> |
- <li> |
- New detector to find Bloch/Gafter Java puzzlers (Bill Pugh) |
- </li> |
+ </li> |
+ <li>Added check for a dead local store caused by a switch |
+ statement fall through</li> |
+ <li>Added check for computing the absolute value of a random |
+ 32 bit integer or of a hashcode. This is broken because <code> |
+ Math.abs(Integer.MIN_VALUE) == Integer.MIN_VALUE </code> , and thus |
+ result of calling Math.abs, which is expected to be nonnegative, |
+ will in fact be negative one time out of 2 <sup> 32 </sup> , which |
+ will invariably be the time your boss is demoing the software to |
+ your customers. |
- <!-- feature enhancements --> |
- <li> |
- New system property to suppress reporting of DLS based on local |
- variable name (Glenn Boysko) |
- </li> |
- <li> |
- Enhancements to configuration dialog in Eclipse plugin, allow for |
- saving enabled detectors in Eclipse projects (Phil Crosby) |
- </li> |
- <li> |
- Sortable columns in detector dialog (Dave Brosius) |
- </li> |
- <li> |
- New tab in gui for showing bugs grouped by category (Dave |
- Brosius) |
- </li> |
- <li> |
- Improved German translation of Swing GUI (Thomas Kuehne) |
- </li> |
- <li> |
- Improved source file reporting in Emacs output format (Len Trigg) |
- </li> |
- <li> |
- Improvements to redundant null comparison detector (Bill Pugh) |
- </li> |
- <li> |
- Localization of run analysis and analysis error dialogs in Swing |
- GUI (K. Hashimoto) |
- </li> |
- |
- <!-- Bug fixes --> |
- <li> |
- Don't scan equals methods in FindHEMismatch if code is native |
- (Greg Bentz) |
- </li> |
- <li> |
- French translation fixes (David Cotton) |
- </li> |
- <li> |
- Internationalization report fixes (K. Hashimoto) |
- </li> |
- <li> |
- Japanese translations updates (SHISEI Hanai) |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.8.5: |
- |
- </p> |
- <ul> |
- <!-- new detectors --> |
- <li> |
- New detector to find catch blocks that may inadvertently catch |
- runtime exceptions (Brian Goetz) |
- </li> |
- <li> |
- New detector to find objects that are instantiated based on |
- classes that only have static methods and fields, using the |
- synthesized constructor (Dave Brosius) |
- </li> |
- <li> |
- New detector to find calls to Thread.interrupted() in a non |
- static context, and especially with non currentThread() threads |
- (Dave Brosius) |
- </li> |
- <li> |
- New detector to find calls to equals() methods that use Object's |
- version. (Dave Brosius) |
- </li> |
- <li> |
- New detector to find Applets that call methods in the constructor |
- refering to the AppletStub (Dave Brosius) |
- </li> |
- <li> |
- New detector to find some cases of infinite recursion (Bill Pugh) |
- </li> |
- <li> |
- New detector to find dead stores to local variables (David |
- Hovemeyer, Bill Pugh) |
- </li> |
- <li> |
- Extend Dumb Method detector for toUpperCase(), toLowerCase() |
- without a locale, new Integer(1).toString(), new |
- XXX().getClass(), and new Thread() without a run implementation |
- (Dave Brosius) |
- <!-- feature enhancements --> |
- </li> |
- <li> |
- Ant task supports "errorProperty" attribute, which sets an Ant |
- property to "true" if an error occurs running FindBugs (Michael |
- Tamm) |
- </li> |
- <li> |
- Eclipse plugin allows filtering of warnings by bug category, |
- priority (David Hovemeyer) |
- </li> |
- <li> |
- Swing GUI allows filtering of warnings by bug category (David |
- Hovemeyer) |
- </li> |
- <li> |
- Ability to annotate methods using Java 1.5 annotations that |
- suppress FindBugs warnings (Bill Pugh) |
- </li> |
- <li> |
- New -adjustExperimental for lowering priority of BugPatterns that |
- are experimental (Dave Brosius) |
- </li> |
- <li> |
- Allow for command line options 'files' using the @ symbol (David |
- Hovemeyer) |
- </li> |
- <li> |
- New -adjustPriority command line option to for adjusting bug |
- priorites (David Hovemeyer) |
- </li> |
- <li> |
- Added an Edit menu (cut/copy/paste) to Swing GUI (Dave Brosius) |
- </li> |
- <li> |
- French translation supplied (David Cotton) |
- <!-- Bug fixes --> |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.8.4: |
- |
- </p> |
- <ul> |
- <!-- new detectors --> |
- <li> |
- New detector for volatile references to arrays (Bill Pugh) |
- </li> |
- <li> |
- New detector to find instanceof usage where inheritance can be |
- determined statically (Dave Brosius) |
- </li> |
- <li> |
- New detector to find ResultSet.getXXX updateXXX calls using index |
- 0 (Dave Brosius) |
- </li> |
- <li> |
- New detector to find empty zip or jar entries (Bill Pugh) |
- |
- <!-- feature enhancements --> |
- </li> |
- <li> |
- HTML output generation using built-in XSLT stylesheet or |
- user-defined stylesheet (David Hovemeyer) |
- </li> |
- <li> |
- Allow URLs to be specified to analyze zip/jar files, local |
- directories, and single classfiles (David Hovemeyer) |
- </li> |
- <li> |
- New command line option -onlyAnalyze restricts analysis to |
- selected classes and packages without reducing accuracy (David |
- Hovemeyer) |
- </li> |
- <li> |
- Allow Swing GUI to show source code in jar files on Windows |
- systems (Dave Brosius) |
- |
- <!-- Bug fixes --> |
- </li> |
- <li> |
- Fix the Switch Fall Thru detector (Dave Brosius, David Hovemeyer, |
- Bill Pugh) |
- </li> |
- <li> |
- MacOS GUI fixes (Rohan Lloyd) |
- </li> |
- <li> |
- Fix false positive in BOA in case where method is correctly and |
- 'incorrectly' overridden (Dave Brosius) |
- </li> |
- <li> |
- Fixed memory blowup when analyzing methods which access a large |
- number of fields (David Hovemeyer) |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.8.3: |
- </p> |
- <ul> |
- <li> |
- Initial and preliminary localization of the Swing GUI. |
- Translations by: |
- <ul> |
- <li> |
- German - Peter D. Stout, Holger Stenzhorn |
- </li> |
- <li> |
- Finnish - Juha Knuutila |
- </li> |
- <li> |
- Estonian - Tanel Lebedev |
- </li> |
- <li> |
- Japanese - Hanai Shisei |
- </li> |
- </ul> |
- </li> |
- <li> |
- Eliminated debug print statements inadvertently left enabled |
- </li> |
- <li> |
- Reverted some changes in the open stream detector: this should |
- fix some false positives that were introduced in the previous |
- release |
- </li> |
- <li> |
- Fixed a couple missing class reports |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.8.2: |
- </p> |
- <ul> |
- |
- <!-- New detectors --> |
- <li> |
- New detector to find improperly overridden GUI Adapter classes |
- (Dave Brosius) |
- </li> |
- <li> |
- New detector to find improperly setup JUnit TestCases (Dave |
- Brosius) |
- </li> |
- <li> |
- New detector to find variables that mask class level fields (Dave |
- Brosius) |
- </li> |
- <li> |
- New detector to find comparisons of values computed with bitwise |
- operators that always yield the same result (Tom Truscott) |
- </li> |
- <li> |
- New detector to find unsafe getClass().getResource() calls (Bill |
- Pugh) |
- </li> |
- <li> |
- New detector to find GUI changes not in GUI thread but in static |
- main (Bill Pugh) |
- </li> |
- <li> |
- New detector to find calls to Collection.toArray() with |
- zero-length array argument; it is more efficient to pass an array |
- the size of the collection, which can be populated and returned |
- as the result (Dave Brosius) |
- |
- <!-- Analysis improvements --> |
- </li> |
- <li> |
- Better suppression of false warnings in various detectors (Bill |
- Pugh, David Hovemeyer) |
- </li> |
- <li> |
- Enhancement to ReadReturnShouldBeChecked detector for skip() |
- (Dave Brosius) |
- </li> |
- <li> |
- Enhancement to DumbMethods detector (Dave Brosius) |
- </li> |
- <li> |
- Open stream detector does not report wrappers of streams passed |
- as method parameters (David Hovemeyer) |
- |
- <!-- Feature enhancements --> |
- </li> |
- <li> |
- Cancel confirmation dialog in Swing GUI (Pete Angstadt) |
- </li> |
- <li> |
- Better relative path saving in Project file (Dave Brosius) |
- </li> |
- <li> |
- Detector Priority in GUI is now saved in prefs file (Dave |
- Brosius) |
- </li> |
- <li> |
- Controls in GUI to reorder source and classpath entries, and |
- ability to flip between Project details and bugs pages (Dave |
- Brosius) |
- </li> |
- <li> |
- In Swing GUI, analysis error dialog supports "Select All" and |
- "Copy" operations for easy generation of error reports (Dave |
- Brosius) |
- </li> |
- <li> |
- Complete translation of bug descriptions and messages into |
- Japanese (Hanai Shisei) |
- |
- <!-- Bug fixes --> |
- </li> |
- <li> |
- Fixed bug in DroppedException detector (Dave Brosius) |
- |
- <!-- Development stuff --> |
- </li> |
- <li> |
- The source distribution defaults to using JDK 1.5 javac to |
- compile, but support for compiling with JSR-14 prototype is still |
- supported |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.8.1: |
- </p> |
- <ul> |
- <li> |
- Fixed a critical ClassCastException bug (triggered if the |
- -workHard option was used, and an exception type was merged with |
- an array type during type inference) |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.8.0: |
- |
- </p> |
- <ul> |
- <li> |
- Disabled SwitchFallthrough detector to work around |
- NullPointerExceptions |
- </li> |
- <li> |
- Added some additional false positive suppression heuristics |
- </li> |
- </ul> |
- |
- <p> |
- Also, two contributors to the 0.8.0 release were inadvertently |
- left out of the credits: |
- |
- </p> |
- <ul> |
- <li> |
- Pete Angstadt fixed several problems in the Swing GUI |
- </li> |
- <li> |
- Francis Lalonde provided a task resource file for the FindBugs |
- Ant task |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.7.4: |
- |
- </p> |
- <ul> |
- <li> |
- New detector to look for uses of "+" operator to concatenate |
- String objects in a loop (Dave Brosius) |
- </li> |
- <li> |
- Reference comparison detector looks for places where the argument |
- passed to the equals(Object) method isn't the same type as the |
- receiver object |
- </li> |
- <li> |
- Better suppression of false warnings in many detectors |
- </li> |
- <li> |
- Many improvements to Eclipse plugin (Andrey Loskutov, Peter |
- Friese) |
- </li> |
- <li> |
- Fixed problem with building Eclipse plugin on Windows (Thomas |
- Klaeger) |
- </li> |
- <li> |
- Open stream detector looks for unclosed PreparedStatement objects |
- (Thomas Klaeger, Rohan Lloyd) |
- </li> |
- <li> |
- Fix for open stream detector: it wasn't detecting close() methods |
- called through an invokeinterface instruction (Thomas Klaeger) |
- </li> |
- <li> |
- Refactoring of visitor classes to enforce use of accessors for |
- visited class features (Brian Goetz) |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.7.3: |
- |
- </p> |
- <ul> |
- <li> |
- Experimental modification of open stream detector to look for |
- non-escaping JDBC resources (connections and statements) that |
- aren't closed on all paths out of method |
- </li> |
- <li> |
- Eclipse plugin fixed so it compiles and runs on Eclipse 2.1.x |
- (Peter Friese) |
- </li> |
- <li> |
- Option to Swing GUI and command line to generate project file |
- using relative paths for archives, source directories, and aux |
- classpath entries (Dave Brosius) |
- </li> |
- <li> |
- Improvements to findbugs.bat script for launching FindBugs on |
- Windows (Dave Brosius) |
- </li> |
- <li> |
- Updated Japanese message translations (Hiroshi Okugawa) |
- </li> |
- <li> |
- Uncalled private methods are now reported as low priority, unless |
- they have the same name as another method in the class (which is |
- more likely to indicate an actual bug) |
- </li> |
- <li> |
- Added some missing data in the bug messages XML files |
- </li> |
- <li> |
- Fixed some problems building from source on Windows systems |
- </li> |
- <li> |
- Various minor bug fixes |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.7.2: |
- |
- </p> |
- <ul> |
- <li> |
- Enhanced Eclipse plugin, which displays the detailed bug |
- description in a view (Phil Crosby) |
- </li> |
- <li> |
- Various tweaks to existing detectors to reduce false warnings |
- </li> |
- <li> |
- New command line option |
- <code> |
- -workHard |
- </code> |
- enables pruning of infeasible or unlikely exception edges, which |
- results in better accuracy in the open stream detector, at the |
- expense of a 30%-100% slowdown |
- </li> |
- <li> |
- New website and HTML documentation design |
- </li> |
- <li> |
- Documentation includes an HTML document with descriptions of all |
- bug patterns reported by FindBugs |
- </li> |
- <li> |
- Web page has a link to a |
- <a href="http://www.simeji.com/findbugs/doc/manual_ja/index.html">Japanese |
- translation</a> of the FindBugs manual, contributed by Hiroshi |
- Okugawa |
- </li> |
- <li> |
- Changed the Inconsistent Synchronization detector so that fields |
- synchronized 50% of the time (or more) are reported as medium |
- priority bugs (previously they were reported as low) |
- </li> |
- <li> |
- New detector to find code that catches |
- IllegalMonitorStateException |
- </li> |
- <li> |
- New detector to find private methods that are never called |
- </li> |
- <li> |
- New detector to find suspicious uses of non-short-circuiting |
- boolean operators ( |
- <code> |
- & |
- </code> |
- and |
- <code> |
- | |
- </code> |
- , rather than |
- <code> |
- && |
- </code> |
- and |
- <code> |
- || |
- </code> |
- ) |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.7.1: |
- |
- </p> |
- <ul> |
- <li> |
- Incorporated patched version of BCEL, which allows classes |
- compiled with JDK 1.5.0 beta to be analyzed |
- </li> |
- <li> |
- Fixed some bugs related to lookups of array classes |
- </li> |
- <li> |
- Fixed bug that prevented GUI from loading XML result files when |
- running under JDK 1.5.0 beta |
- </li> |
- <li> |
- Added new experimental bug detector, LazyInit, which looks for |
- potentially buggy lazy initializations of static fields |
- </li> |
- <li> |
- Because of long filenames, switched to distributing the source |
- archive as a zip file rather than a tar file |
- </li> |
- <li> |
- The 0.7.1 source tarfile was botched - 0.7.2 has a valid source |
- archive |
- </li> |
- <li> |
- Fixed some problems in the Ant build script |
- </li> |
- <li> |
- Fixed NullPointerException when checking Class-Path attribute for |
- Jar files without manifests |
- </li> |
- <li> |
- Generate version numbers for the core and UI Eclipse plugins |
- using the Version class; all version numbers are now in a common |
- location |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.7.0: |
- |
- </p> |
- <ul> |
- <li> |
- Eclipse plugin (contributed by Peter Friese) |
- </li> |
- <li> |
- Source package structure rearranged: all source (other than |
- Eclipse plugin UI) is in the edu.umd.cs.findbugs package, or a |
- subpackage |
- </li> |
- <li> |
- Class-Path attributes of manifests of analyzed jar files are used |
- to set the aux classpath automatically (Peter D. Stout) |
- </li> |
- <li> |
- GUI starts in directory specified by user.home property (Peter D. |
- Stout) |
- </li> |
- <li> |
- Added -project option to GUI (Mikko T.) |
- </li> |
- <li> |
- Added -look:{plastic,gtk,native} option to GUI, for setting look |
- and feel (Mikko T.) |
- </li> |
- <li> |
- Fixed DataflowAnalysisException in inconsistent synchronization |
- detector |
- </li> |
- <li> |
- Ant task supports failOnError parameter (Rohan Lloyd) |
- </li> |
- <li> |
- Serializable class warnings are downgraded to low priority for |
- GUI classes |
- </li> |
- <li> |
- MWN detector will only report calls to wait(), notify(), and |
- notifyAll() methods that have the correct signature |
- </li> |
- <li> |
- FindBugs works with latest CVS version of BCEL |
- </li> |
- <li> |
- Zip and Jar files may be added to the source path |
- </li> |
- <li> |
- The GUI will automatically find source files residing in analyzed |
- Zip or Jar files |
- </li> |
- </ul> |
- |
- <p> |
- Note that the version number jumped from 0.6.6 to 0.6.9; there |
- were no 0.6.7 or 0.6.8 releases. |
- |
- </p> |
- <p> |
- Changes since version 0.6.9: |
- </p> |
- <ul> |
- <li> |
- Added -conserveSpace option to reduce memory use at the expense |
- of analysis precision |
- </li> |
- <li> |
- Bug fixes in findbugs.bat script: JAVA_HOME handling, |
- autodetection of FINDBUGS_HOME, missing output with -textui |
- </li> |
- <li> |
- Fixed NullPointerException when a missing class is encountered |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.6.6: |
- |
- </p> |
- <ul> |
- <li> |
- The null pointer dereference detector is more powerful |
- </li> |
- <li> |
- Significantly improved heuristics and bug fixes in inconsistent |
- synchronization detector |
- </li> |
- <li> |
- Improved heuristics in open stream and dropped exception |
- detectors; fewer false positives should be reported |
- </li> |
- <li> |
- Save HTML summary in XML results files, rather than recomputing; |
- this makes loading results in GUI much faster |
- </li> |
- <li> |
- Report at most one String comparison using == or != per method |
- </li> |
- <li> |
- The findbugs.bat script on Windows autodetects FINDBUGS_HOME, and |
- doesn't open a DOS window when launching the GUI (contributed by |
- TJSB) |
- </li> |
- <li> |
- Emacs reporting format (contributed by David Li) |
- </li> |
- <li> |
- Various bug fixes |
- </li> |
- </ul> |
- |
- <p> |
- Changes since 0.6.5: |
- |
- </p> |
- <ul> |
- <li> |
- Rewritten inconsistent synchronization detector; accuracy is |
- significantly improved, and bug reports are prioritized |
- </li> |
- <li> |
- New detector to find self assignment (x=x) of local variables |
- (suggested by Jeff Martin) |
- </li> |
- <li> |
- New detector to find calls to wait(), notify(), and notifyAll() |
- on an object which is not obviously locked |
- </li> |
- <li> |
- Open stream detector now reports Readers and Writers |
- </li> |
- <li> |
- Fixed bug in finalizer idioms detector which caused spurious |
- warnings about failure to call super.finalize() (reported by Jim |
- Menard) |
- </li> |
- <li> |
- Fixed bug where output stream was not closed using non-XML output |
- (reported by Sigiswald Madou) |
- </li> |
- <li> |
- Fixed corrupted HTML bug detail message (reported by Trevor |
- Harmon) |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.6.4: |
- |
- </p> |
- <ul> |
- <li> |
- For redundant comparison of reference values, fixed false |
- positives resulting from duplication of code in finally blocks |
- </li> |
- <li> |
- Fixed false positives resulting from wrapped byte array streams |
- left open |
- </li> |
- <li> |
- Fixed bug in Ant task preventing output file from working |
- properly if a relative path was used |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.6.3: |
- |
- </p> |
- <ul> |
- <li> |
- Fixed bug in Ant task where output would be corrupted, and added |
- a |
- <code> |
- timeout |
- </code> |
- attribute |
- </li> |
- <li> |
- Added -outputFile option to text UI, for explicitly specifying an |
- output file |
- </li> |
- <li> |
- GUI has a summary window, for statistics about overall bug |
- densities (contributed by Mike Fagan) |
- </li> |
- <li> |
- Find redundant comparisons of reference values |
- </li> |
- <li> |
- More accurate detection of Strings compared with == and != |
- operators |
- </li> |
- <li> |
- Detection of other reference types which should generally not be |
- compared with == and != operators; Boolean, Integer, etc. |
- </li> |
- <li> |
- Find non-transient non-serializable instance fields in |
- Serializable classes |
- </li> |
- <li> |
- Source code may be compiled with latest early access |
- generics-enabled javac (version 2.2) |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.6.2: |
- |
- </p> |
- <ul> |
- <li> |
- GUI supports filtering bugs by priority |
- </li> |
- <li> |
- Ant task rewritten; supports all functionality offered by Text UI |
- (contributed by Mike Fagan) |
- </li> |
- <li> |
- Ant task is fully documented in the manual |
- </li> |
- <li> |
- Classes in nested archives are analyzed; this allows full support |
- for analyzing .ear and .war files (contributed by Mike Fagan) |
- </li> |
- <li> |
- DepthFirstSearch changed to use non-recursive implementation; |
- this should fix the StackOverflowErrors that several users |
- reported |
- </li> |
- <li> |
- Various minor bugfixes and improvements |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.6.1: |
- |
- </p> |
- <ul> |
- <li> |
- New detector to look for useless control flow (suggested by |
- Richard P. King and Mike Fagan) |
- </li> |
- <li> |
- Look for places where return value of |
- java.io.File.createNewFile() is ignored (suggested by Richard P. |
- King) |
- </li> |
- <li> |
- Fixed bug in resolution of source files (only the first source |
- directory was searched) |
- </li> |
- <li> |
- Fixed a NullPointerException in the bytecode pattern matching |
- code |
- </li> |
- <li> |
- Ant task supports project files (contributed by Mike Fagan) |
- </li> |
- <li> |
- Unix findbugs script honors the |
- <code> |
- JAVA_HOME |
- </code> |
- environment variable (contributed by Pedro Morais) |
- </li> |
- <li> |
- Allow .war and .ear files to be analyzed |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.6.0: |
- |
- </p> |
- <ul> |
- <li> |
- New bug pattern detector which looks for places where a null |
- pointer might be dereferenced |
- </li> |
- <li> |
- New bug pattern detector which looks for IO streams that are |
- opened, do not escape the method, and are not closed on all paths |
- out of the method |
- </li> |
- <li> |
- New bug pattern detector to find methods that can return null |
- instead of a zero-length array |
- </li> |
- <li> |
- New bug pattern detector to find places where the == or != |
- operators are used to compare String objects |
- </li> |
- <li> |
- Command line interface can save bugs as XML |
- </li> |
- <li> |
- GUI can save bugs to and load bugs from XML |
- </li> |
- <li> |
- An "Annotations" window in the GUI allows the user to add textual |
- annotations to bug reports; these annotations are preserved when |
- bugs are saved as XML |
- </li> |
- <li> |
- In this release, the Japanese bug summary translations by Germano |
- Leichsenring are really included (they were inadvertently omitted |
- in the previous release) |
- </li> |
- <li> |
- Completely rewrote the control flow graph builder, hopefully for |
- the last time |
- </li> |
- <li> |
- Simplified implementation of control flow graphs, which should |
- reduce memory use and possibly improve performance |
- </li> |
- <li> |
- Improvements to command line interface (list bug priorities, |
- filter by priority, specify aux classpath, specify project to |
- analyze) |
- </li> |
- <li> |
- Various bug fixes and enhancements |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.5.4 |
- |
- </p> |
- <ul> |
- <li> |
- Added an |
- <a href="http://ant.apache.org/">Ant</a> task for FindBugs, |
- contributed by Mike Fagan. |
- </li> |
- <li> |
- Added a GUI dialog which allows individual bug pattern detectors |
- to be enabled or disabled. Disabling certain slow detectors |
- can greatly speed up analysis of large programs, at the expense |
- of reducing the number of potential bugs found. |
- </li> |
- <li> |
- Added a new detector for finding improperly ignored return values |
- for methods such as |
- <code> |
- String.trim() |
- </code> |
- . Suggested by Andreas Mandel. |
- </li> |
- <li> |
- Japanese translations of the bug summaries, contributed by |
- Germano Leichsenring. |
- </li> |
- <li> |
- Filtering of results is supported in command line interface. See |
- the |
- <a href="manual/index.html">FindBugs manual</a> for details. |
- </li> |
- <li> |
- Added "byte code patterns", a general pattern matching |
- infrastructure for bytecode instructions. This feature |
- significantly reduces the complexity of implementing new bug |
- pattern detectors. |
- </li> |
- <li> |
- Enabled a new general dataflow analysis to track values in |
- methods. |
- </li> |
- <li> |
- Switched to new control-flow graph builder implementation. |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.5.3 |
- |
- </p> |
- <ul> |
- <li> |
- Fixed a bug in the script used to launch FindBugs on Windows |
- platforms. |
- </li> |
- <li> |
- Fixed crashes when analyzing class files without source line |
- information. |
- </li> |
- <li> |
- All major errors are reported using an error dialog; file not |
- found errors are more informative. |
- </li> |
- <li> |
- Minor GUI improvements. |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.5.2 |
- |
- </p> |
- <ul> |
- <li> |
- All of the source code and related files are in a single |
- directory tree. |
- </li> |
- <li> |
- Updated some of the detectors to produce source line information. |
- </li> |
- <li> |
- <a href="http://ant.apache.org/">Ant</a> build script and several |
- GUI enhancements and fixes contributed by Mike Fagan. |
- </li> |
- <li> |
- Converted to use a |
- <a href="AddingDetectors.txt">plugin architecture</a> for loading |
- bug detectors. |
- </li> |
- <li> |
- Eliminated generics-related compiler warnings. |
- </li> |
- <li> |
- More complete documentation has been added. |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.5.1: |
- </p> |
- <ul> |
- <li> |
- Fixed a large number of bugs in the BCEL Repository and |
- FindBugs's use of the Repository. With these changes, |
- FindBugs should |
- <em>never</em> crash or otherwise misbehave because of Repository |
- lookup failures. Because of these changes, you must use a |
- modified version of |
- <code> |
- bcel.jar |
- </code> |
- with FindBugs. This jar file is included in the FindBugs |
- 0.5.2 binary release. A complete patch containing the |
- <a |
- href="http://faculty.ycp.edu/~dhovemey/bcel-30-April-2003.patch">modifications |
- against the BCEL CVS main branch as of April 30, 2003</a> is also |
- available. |
- </li> |
- <li> |
- Implemented the "auxiliary classpath entry list". Aux |
- classpath entries can be added to a project to provide classes |
- that are referenced by the analyzed application, but should not |
- themselves be analyzed. Having all referenced classes |
- available allows FindBugs to produce more accurate results. |
- </li> |
- </ul> |
- |
- <p> |
- Changes since version 0.5.0: |
- </p> |
- <ul> |
- <li> |
- Many user interface bugs have been fixed. |
- </li> |
- <li> |
- Upgraded to a recent CVS version of BCEL, with some bug |
- fixes. This should prevent FindBugs from crashing when |
- there is a failure to find a class on the classpath. |
- </li> |
- <li> |
- Added support for Plastic look and feel from |
- <a href="http://www.jgoodies.com/">jgoodies.com</a>. |
- </li> |
- <li> |
- Major overhaul of infrastructure for doing dataflow analysis. |
- </li> |
- </ul> |
+ </li> |
+ <li>More careful resolution of inherited methods and fields. |
+ Some of the shortcuts we were taking in FindBugs 1.0.0 were |
+ leading to inaccurate results, and it was fairly easy to address |
+ this by making the analysis more accurate.</li> |
+ <li>Overall, analysis times are about 1.6 times longer in |
+ FindBugs 1.1.0 than in FindBugs 1.0.0. This is because we have |
+ enabled substantial additional analysis at the default effort |
+ level (the actual analysis engine is significantly faster than in |
+ FindBugs 1.0). On a recent AMD Athlon processor, analyzing |
+ JDK1.6.0 (about 1 million lines of code) requires about 15 minutes |
+ of wall clock time.</li> |
+ <li>Provided class and script (printClass) to print classfile |
+ in the human readable format produced by BCEL</li> |
+ <li>Provided -findSource option to setBugDatabaseInfo</li> |
+ </ul> |
+ |
+ |
+ <p>Changes since version 0.9.7:</p> |
+ |
+ <ul> |
+ <li>fix ObjectTypeFactory bug that was suppressing some bugs</li> |
+ <li>opcode stack may determine definite zeros on some paths</li> |
+ <li>opcode stack can track some constant string concatenations |
+ (dbrosius)</li> |
+ <li>default effort performs iterative opcode analysis (but min |
+ effort does not)</li> |
+ <li>default heap size upped to 384m</li> |
+ <li>schema for XML output available: bugcollection.xsd</li> |
+ <li>fixed some internal confusion between dotted and slashed |
+ class names</li> |
+ <li>New detectors |
+ <ul> |
+ <li>CheckImmutableAnnotation.java: checks JCIP annotations</li> |
+ </ul> |
+ </li> |
+ <li>Updated detectors |
+ <ul> |
+ <li>BadRegEx.java: understands Pattern.LITERAL, warns about |
+ "."</li> |
+ <li>FindUnreleasedLock.java: fewer false positives</li> |
+ <li>DumbMethods.java: check for vacuous comparisons to |
+ MAX_INTEGER or MIN_INTEGER, fix bugs detecting |
+ DM_NEXTINT_VIA_NEXTDOUBLE</li> |
+ <li>FindPuzzlers.java: detect <tt>n%2==1</tt>, detect |
+ toString() on array types |
+ </li> |
+ <li>FindInconsistentSync2.java: detects IS_FIELD_NOT_GUARDED |
+ </li> |
+ <li>MethodReturnCheck.java: add check for discarded newly |
+ constructed values, increase priority of some ignored |
+ constructed exceptions, better handling of bytecode compiled by |
+ Eclipse</li> |
+ <li>FindEmptySynchronizedBlock.java: better handling of |
+ bytecode compiled by Eclipse</li> |
+ <li>DoInsideDoPrivileged.java: warn if call to setAccessible |
+ isn't in doPriviledged, don't report private methods</li> |
+ <li>LoadOfKnownNullValue.java: fix bug that was reporting |
+ false positives on <code> finally </code> blocks |
+ </li> |
+ <li>CheckReturnAnnotationDatabase.java: better checks for |
+ unstarted threads</li> |
+ <li>ConfusionBetweenInheritedAndOuterMethod.java: fewer |
+ false positives, fixed a package-handling bug</li> |
+ <li>BadResultSetAccess.java: separate bug pattern for |
+ PreparedStatements, <code> BRZA </code> category folded into <code> |
+ SQL </code> category |
+ </li> |
+ <li>FindDeadLocalStores.java, FindBadCast2.java, |
+ DumbMethods.java, RuntimeExceptionCapture.java: coalesce similar |
+ bugs within a method into a single bug instance with multiple |
+ source lines</li> |
+ </ul> |
+ </li> |
+ <li>Eclipse plugin |
+ <ul> |
+ <li>plugin ID changed from <tt>de.tobject.findbugs</tt> to <tt>edu.umd.cs.findbugs.plugin.eclipse</tt> |
+ </li> |
+ <li>support for findbugs eclipse auto-update site</li> |
+ </ul> |
+ </li> |
+ <li>Updated test case files |
+ <ul> |
+ <li>BadRegEx.java</li> |
+ <li>JSR166.java</li> |
+ <li>ConcurrentModificationBug.java</li> |
+ <li>DeadStore.java</li> |
+ <li>InstanceOf.java</li> |
+ <li>LoadKnownNull.java</li> |
+ <li>NeedsToCheckReturnValue.java</li> |
+ <li>BadResultSetAccessTest.java</li> |
+ <li>DeadStore.java</li> |
+ <li>TestNonNull2.java</li> |
+ <li>TestImmutable.java</li> |
+ <li>TestGuardedBy.java</li> |
+ <li>BadRandomInt.java</li> |
+ <li>six test cases added to new <code> TigerTraps </code> |
+ directory |
+ </li> |
+ </ul> |
+ </li> |
+ <li>fix bug that was generating duplicate uids</li> |
+ <li>fix bug with <code> -onlyAnalyze some.package.* </code> on |
+ jdk1.4 |
+ </li> |
+ <li>fix regression bug in |
+ DismantleByteCode.getRefConstantOperand()</li> |
+ <li>fix some minor bugs with the Swing GUI</li> |
+ <li>reordered some bugInstances so that source line |
+ annotations come last</li> |
+ <li>removed references to unused java system properties</li> |
+ <li>French translation updates (David Cotton)</li> |
+ <li>Japanese translation updates (Hanai Shisei)</li> |
+ <li>content cleanup for findbugs.xml and messages.xml</li> |
+ <li>references to cvs hostname updated to |
+ findbugs.cvs.sourceforge.net</li> |
+ <li>documented xdoc output options, new |
+ mineBugHistory/computeBugHistory options</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.9.6:</p> |
+ |
+ <ul> |
+ <li>performance improvements</li> |
+ <li>ObjectType instances are cached to reduce memory footprint |
+ </li> |
+ <li>for performance and memory reasons stateless detectors are |
+ no longer cloned, must clear their own state between .class files |
+ </li> |
+ <li>fixed bug in bytecode-set lookup for methods (was causing |
+ bad results for IS2, perhaps others)</li> |
+ <li>fix some OpcodeStack bugs with integer and long |
+ operations, perform iterative analysis when effort is <tt>max</tt> |
+ </li> |
+ <li>HTML output includes LongMessage text again (regression in |
+ 0.95 - 0.96)</li> |
+ <li>New detectors |
+ <ul> |
+ <li>CalledMethods.java: builds a list of invoked methods for |
+ other detectors to consult (non-reporting)</li> |
+ <li>UncallableMethodOfAnonymousClass.java: detect anonymous |
+ inner classes that define methods that are probably intended to |
+ but do not override methods in a superclass.</li> |
+ </ul> |
+ </li> |
+ <li>Updated detectors |
+ <ul> |
+ <li>FindFieldSelfAssignment.java: recognize separate fields |
+ with the same name (one from superclass)</li> |
+ <li>FindLocalSelfAssignment2.java: handles backward branches |
+ better (Dave Brosius)</li> |
+ <li>FindBadCast2.java: BC_NULL_INSTANCEOF changed to |
+ NP_NULL_INSTANCEOF</li> |
+ <li>FindPuzzlers.java: eliminate false positive on setDate() |
+ (Dave Brosius)</li> |
+ </ul> |
+ </li> |
+ <li>Eclipse plugin |
+ <ul> |
+ <li>fix serious threading bug</li> |
+ <li>preferences for Filters and effort (Peter Hendriks)</li> |
+ <li>French localization (David Cotton)</li> |
+ <li>fix bug when reporting inner classes (Peter Friese)</li> |
+ </ul> |
+ </li> |
+ <li>Updated test case files |
+ <ul> |
+ <li>Mwn.java (Carl Burke/Dave Brosius)</li> |
+ <li>DumbMethodInvocations.java (Anto paul/Dave Brosius)</li> |
+ <!--sic--> |
+ </ul> |
+ </li> |
+ <li>XML output includes garbage collection duration</li> |
+ <li>French messages updated (David Cotton)</li> |
+ <li>Swing GUI shows file name after Load Bugs command</li> |
+ <li>Ant task to launch the findbugs frame (Mark McKay)</li> |
+ <li>miscellaneous code cleanup</li> |
+ </ul> |
- |
+ <p>Changes since version 0.9.5:</p> |
+ |
+ <ul> |
+ <li>Updated detectors |
+ <ul> |
+ <li>FindNullDeref.java: respect NonNull and CheckForNull |
+ field annotations</li> |
+ <li>SerializableIdiom.java: detect non-private readObject |
+ and writeObject methods</li> |
+ <li>FindRefComparison.java: smarter array comparison |
+ detection</li> |
+ <li>IsNullValueAnalysis.java: detect <tt>null |
+ instanceof</tt> |
+ </li> |
+ <li>FindLocalSelfAssignment2.java: suppress some false |
+ positives (Dave Brosius)</li> |
+ <li>FindUnreleasedLock.java: don't waste time processing |
+ classes that don't refer to java.util.concurrent.locks</li> |
+ <li>MutableStaticFields.java: report the source line (Dave |
+ Brosius)</li> |
+ <li>SwitchFallthrough.java: better handling of System.exit() |
+ (Dave Brosius)</li> |
+ <li>MultithreadedInstanceAccess.java: better handling of |
+ Servlet.init() (Dave Brosius)</li> |
+ <li>ConfusionBetweenInheritedAndOuterMethod.java: now |
+ enabled</li> |
+ </ul> |
+ </li> |
+ <li>Eclipse plugin |
+ <ul> |
+ <li>background processing (Peter Friese)</li> |
+ <li>internationalization, Japanese localization (Takashi |
+ Okamoto)</li> |
+ </ul> |
+ </li> |
+ <li>findbugs <tt>-onlyAnalyze</tt> option now works on windows |
+ platforms |
+ </li> |
+ <li>mineBugHistory <tt>-noTabs</tt> option for better |
+ alignment of output columns |
+ </li> |
+ <li>filterBugs <tt>-fixed</tt> option (also: will now |
+ recognize the most recent version string) |
+ </li> |
+ <li>XML output includes running time and memory usage data</li> |
+ <li>miscellaneous minor corrections to the manual</li> |
+ <li>better bytecode analysis of the <tt>iinc</tt> instruction |
+ </li> |
+ <li>fix bug in null pointer analysis</li> |
+ <li>improved catch block heuristics</li> |
+ <li>some type analysis tweaks</li> |
+ <li>Bug priority changes |
+ <ul> |
+ <li>DumbMethodInvocations.java: decrease priority of |
+ hard-coded <tt>/tmp</tt> filenames |
+ </li> |
+ <li>ComparatorIdiom.java: decrease priority of |
+ non-serializable anonymous comparators</li> |
+ <li>FindSqlInjection.java: decrease priority of appending a |
+ constant or a static</li> |
+ </ul> |
+ </li> |
+ <li>Updated bug explanations |
+ <ul> |
+ <li>NM_VERY_CONFUSING (Dave Brosius)</li> |
+ </ul> |
+ </li> |
+ <li>Updated test case files |
+ <ul> |
+ <li>BadStoreOfNonSerializableObject.java</li> |
+ <li>BadRandomInt.java</li> |
+ <li>TestFieldAnnotations.java</li> |
+ <li>UseInitCause.java</li> |
+ <li>SqlInjection.java</li> |
+ <li>ArrayEquality.java</li> |
+ <li>BadIntegerOperations.java</li> |
+ <li>Pilhuhn.java</li> |
+ <li>InstanceOf.java</li> |
+ <li>SwitchFallthrough.java (Dave Brosius)</li> |
+ </ul> |
+ </li> |
+ <li>fix URL decoding bug when running under Java Web Start |
+ (Dave Brosius)</li> |
+ <li>distribution includes <tt>project.xml</tt> file for |
+ NetBeans |
+ </li> |
+ </ul> |
+ |
+ <p>Changes since version 0.9.4:</p> |
+ <ul> |
+ <li>New detectors |
+ <ul> |
+ <li>VarArgsProblems.java</li> |
+ <li>FindSqlInjection.java: now enabled</li> |
+ <li>ComparatorIdiom.java: comparators usually implement |
+ serializable</li> |
+ <li>Naming.java: detect methods not overridden due to |
+ eponymously typed args from different packages</li> |
+ </ul> |
+ </li> |
+ <li>Updated detectors |
+ <ul> |
+ <li>SwitchFallthrough.java: surpress some false positives</li> |
+ <li>DuplicateBranches.java: surpress some false positives</li> |
+ <li>IteratorIdioms.java: surpress some false positives</li> |
+ <li>FindHEmismatch.java: surpress some false positives</li> |
+ <li>QuestionableBooleanAssignment.java: finds more cases of |
+ <tt>if (b=true)</tt> ilk |
+ </li> |
+ <li>DumbMethods.java: detect int remainder by 1, delayed gc |
+ errors</li> |
+ <li>SerializableIdiom.java: detect store of nonserializable |
+ object into field of serializable class</li> |
+ <li>FindNullDeref.java: fix potential exception</li> |
+ <li>IsNullValue.java: fix potential exception</li> |
+ <li>MultithreadedInstanceAccess.java: fix potential |
+ exception</li> |
+ <li>PreferZeroLengthArrays.java: flag the method, not the |
+ line</li> |
+ </ul> |
+ </li> |
+ <li>Remove some inadvertent dependencies on JDK 1.5</li> |
+ <li>Sort order should be more consistent</li> |
+ <li>XML output changes |
+ <ul> |
+ <li>Option to sort XML bug output</li> |
+ <li>Now contains instance IDs</li> |
+ <li>uid no longer missing (was causing problems with fancy |
+ HTML output)</li> |
+ <li>Typo fixed</li> |
+ </ul> |
+ </li> |
+ <li>Internal changes to track source files, <tt>-sourceInfo</tt> |
+ option |
+ </li> |
+ <li>Bug matching: first try exact bug pattern matching, option |
+ to compare priorities, option to disable package moves</li> |
+ <li>Architecture documentation in <tt>design/architecture</tt> |
+ </li> |
+ <li>Test cases move into their own CVS project</li> |
+ <li>Don't report warnings that occur outside the analyzed |
+ classes</li> |
+ <li>Fixes to the build.xml files</li> |
+ <li>Better handling of @CheckReturnValue and @CheckForNull |
+ annotations (also, some additional methods searched for check |
+ return value and check for null)</li> |
+ <li>Fixed some stream-closing bugs (one by <tt>z-fb-user</tt>/Dave |
+ Brosius) |
+ </li> |
+ <li>Bug priority changes |
+ <ul> |
+ <li>increase priority of ignoring return value of |
+ java.sql.Connection methods</li> |
+ <li>increase priority of comparing classes like Integer |
+ using <tt>==</tt> |
+ </li> |
+ <li>decrease priority of IT_NO_SUCH_ELEMENT if we see any |
+ call to <tt>next()</tt> |
+ </li> |
+ <li>tweak priority of NM_METHOD_CONSTRUCTOR_CONFUSION</li> |
+ <li>decrease priority of RV_RETURN_VALUE_IGNORED for an |
+ inherited annotation that doesn't return same type as class</li> |
+ </ul> |
+ </li> |
+ <li>Updated bug explanations |
+ <ul> |
+ <li>RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE</li> |
+ <li>DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED</li> |
+ <li>IMA_INEFFICIENT_MEMBER_ACCESS (Dave Brosius)</li> |
+ <li>some Japanese improvements to messages_ja.xml ( <tt>ruimo</tt>) |
+ </li> |
+ <li>some German improvements to findbugs_de.properties (Dave |
+ Brosius, <tt>dvholten</tt>) |
+ </li> |
+ </ul> |
+ </li> |
+ <li>Updated test case files |
+ <ul> |
+ <li>BadIntegerOperations.java</li> |
+ <li>SecondKaboom.java</li> |
+ <li>OpenDatabase.java (Dave Brosius)</li> |
+ <li>FindOpenStream.java (Dave Brosius)</li> |
+ <li>BadRandomInt.java</li> |
+ </ul> |
+ </li> |
+ <li>Source-lines info maintained for methods (handy for |
+ abstract and native methods)</li> |
+ <li>Remove surrounding opcodes from source line annotations</li> |
+ <li>Better error when can't read file</li> |
+ <li>Swing GUI: removed console pane from FindBugsFrame, fix |
+ missing classes bug</li> |
+ <li>Fixes to OpcodeStack.java</li> |
+ <li>Detectors may attach a custom value to an OpcodeStack.Item |
+ (Dave Brosius)</li> |
+ <li>Filter.java: ability to add text messages to XML output, |
+ fix bug with <tt>-withMessages</tt> |
+ </li> |
+ <li>SourceInfoMap supports ranges of source lines</li> |
+ <li>Ant task supports the <tt>timestampNow</tt> attribute |
+ </li> |
+ </ul> |
+ |
+ <p>Changes since version 0.9.3:</p> |
+ <ul> |
+ <li>Substantial rework of datamining code</li> |
+ <li>Removed bogus warnings about await on things other than |
+ Condition not being in a loop</li> |
+ <li>Fixed bug in OpcodeStack handling of dup2 of long/double |
+ values</li> |
+ <li>Don't report array types as missing classes</li> |
+ <li>Adjustment of some warnings on ignored return values</li> |
+ <li>Added thread safety annotations from Java Concurrency in |
+ Practice (no detectors written for these yet)</li> |
+ <li>Added annotation for methods that, if overridden, should |
+ be invoked by overriding methods via a call to super</li> |
+ <li>Updated -html:fancy.xsl (Etienne Giraudy)</li> |
+ </ul> |
+ |
+ <p>Note: there was no version 0.9.2</p> |
+ |
+ <p>Changes since version 0.9.1:</p> |
+ <ul> |
+ <!-- New detectors --> |
+ <li>Embellish USM to find abstract methods that implement an |
+ interface method (Dave Brosius)</li> |
+ <li>New detector to find stores of literal booleans inside if |
+ or while expressions (Dave Brosius)</li> |
+ <li>New style detector to find final classes that declare |
+ protected fields (Dave Brosius)</li> |
+ <li>New detector to find subclass methods that simply forward, |
+ verbatim, to the super class (Dave Brosius)</li> |
+ <li>Detector to find instances where code is attempting to |
+ write an object out via an implementation of DataOutput, but the |
+ object is not guaranteed to be Serializable (Jon Christiansen, |
+ Bill Pugh)</li> |
+ |
+ <!-- Feature enhancements --> |
+ <li>Large (35%) analysis speedup (Bill Pugh)</li> |
+ <li>Add line numbers to Swing GUI code panel (Dave Brosius)</li> |
+ <li>Added effort options to Swing GUI (Dave Brosius)</li> |
+ <li>Add ability to specify bugs file to open from command line |
+ for GUI version, through -loadbugs (Phillip Martin)</li> |
+ <li>New stylesheet for generating HTML: use option <tt>-html:plain.xsl</tt> |
+ (Chris Nappin) |
+ </li> |
+ <li>New stylesheet for generating HTML: use option <tt>-html:fancy.xsl</tt> |
+ (Etienne Giraudy) |
+ </li> |
+ <li>Updated Japanese bug message translations (Shisei Hanai)</li> |
+ |
+ <!-- Bug fixes --> |
+ <li>XHTML compliance fixes for bug details (Etienne Giraudy)</li> |
+ <li>Various detector fixes (Shisei Hanai)</li> |
+ <li>Fixed bugs in the project preferences dialog int the |
+ Eclipse plugin (Takashi Okamoto, Thomas Einwaller)</li> |
+ <li>Lowered priority of analysis thread in Swing GUI (David |
+ Hovemeyer, suggested by Shisei Hanai and Jeffrey W. Badorek)</li> |
+ <li>Fixed EclipsePlugin to correctly pick up auxclasspath |
+ entries (Jon Christiansen)</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.9.0:</p> |
+ <ul> |
+ <li>Fixed dependence on JRE 1.5: all features should work on |
+ JRE 1.4 again</li> |
+ <li>Fixed -effort command line option handling for Swing GUI</li> |
+ <li>Fixed conserveSpace and workHard attributes int Ant task</li> |
+ <li>Added support for effort attribute in Ant task</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.8.8:</p> |
+ <ul> |
+ <!-- New detectors and bug patterns --> |
+ <li>XMLFactoryBypass detector to find direct allocation of xml |
+ class implementations (Dave Brosius)</li> |
+ <li>InefficientMemberAccess detector to find accesses to |
+ owning class private members (Dave Brosius)</li> |
+ <li>DuplicateBranches detector checks switch statements too |
+ (Dave Brosius)</li> |
+ |
+ <!-- Feature enhancements --> |
+ <li>FindBugs available from findbugs.sourceforge.net as Java |
+ Web Start application (Dave Brosius)</li> |
+ <li>Updated Japanese bug message translations (Shisei Hanai)</li> |
+ <li>Improved bug detail message for covariant equals() (Shisei |
+ Hanai)</li> |
+ <li>Modeling of instanceof checks is now enabled by default, |
+ making the bad cast detector much more useful (Bill Pugh, David |
+ Hovemeyer)</li> |
+ <li>Support for detector ordering constraints in plugin |
+ descriptor (David Hovemeyer)</li> |
+ <li>Simpler option to control analysis effort: -effort: <i>value</i>, |
+ where <i>value</i> is one of <code> min </code> , <code> |
+ default </code> , or <code> max </code> (David Hovemeyer) |
+ </li> |
+ <li>Using -effort:max, FindNullDeref checks for null arguments |
+ passed to methods which dereference them unconditionally (David |
+ Hovemeyer)</li> |
+ <li>FindNullDeref checks @Null and @NonNull annotations for |
+ parameters and return values (David Hovemeyer)</li> |
+ |
+ <!-- Bug fixes --> |
+ </ul> |
+ |
+ <p>Changes since version 0.8.7:</p> |
+ |
+ <ul> |
+ <!-- New detectors and bug patterns --> |
+ <li>New detector to find duplicate code in if/else statements |
+ (Dave Brosius)</li> |
+ <li>Look for calls to wait() on Condition objects (David |
+ Hovemeyer)</li> |
+ <li>Look for java.util.concurrent.Lock objects not released on |
+ every path out of method (David Hovemeyer)</li> |
+ <li>Look for calls to Thread.sleep() with a lock held (David |
+ Hovemeyer)</li> |
+ <li>More accurate detection of impossible casts (Bill Pugh, |
+ David Hovemeyer)</li> |
+ |
+ <!-- Feature enhancements --> |
+ <li>Saved XML now contains project statistics (Jay Dunning)</li> |
+ <li>Filter files can select by bug pattern type and warning |
+ priority (David Hovemeyer)</li> |
+ |
+ <!-- Bug fixes --> |
+ <li>Restored some files inadvertently omitted from previous |
+ release (Rohan Lloyd, David Hovemeyer)</li> |
+ <li>Make sure detectors requiring JDK 1.5 runtime classes are |
+ only executed if those classes are available (David Hovemeyer)</li> |
+ <li>Don't display analysis error dialog unless there is really |
+ an error (David Hovemeyer)</li> |
+ <li>Updated and expanded French translations of bug patterns |
+ and Swing GUI (Olivier Parent)</li> |
+ <li>Fixed invalid character encoding in German Swing GUI |
+ translation (Olivier Parent)</li> |
+ <li>Fix locale used for date format in project stats (K. |
+ Hashimoto)</li> |
+ <li>Fixed LongDescription elements in xml:withMessages output |
+ format (K. Hashimoto)</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.8.6:</p> |
+ |
+ <ul> |
+ <!-- new detectors --> |
+ <li>Extend Naming detector to look for classes that are named |
+ XXXException but that are not Exceptions (Dave Brosius)</li> |
+ <li>New detector to find classes that expose semaphores in the |
+ public implementation through the 'this' reference. (Dave Brosius) |
+ </li> |
+ <li>New Style detector to find Struts Action/Servlet derived |
+ classes that reference instance member variable not in |
+ synchronized blocks. (Dave Brosius)</li> |
+ <li>New Style detector to find classes that declare |
+ implementation of interfaces that are already implemented by super |
+ classes (Dave Brosius)</li> |
+ <li>New Style detector to find circular dependencies between |
+ classes (Dave Brosius)</li> |
+ <li>New Style detector to find unnecessary math on constants |
+ (Dave Brosius)</li> |
+ <li>New detector to find equality comparisons using floating |
+ point math (Jay Dunning)</li> |
+ <li>New faster detector to find local self assignments (Bill |
+ Pugh)</li> |
+ <li>New detector to find infinite recursive loops (Bill Pugh) |
+ </li> |
+ <li>New detector to find for loops with an incorrect increment |
+ (Bill Pugh)</li> |
+ <li>New detector to find suspicious uses of |
+ BufferedReader.readLine() and String.indexOf() (Bill Pugh)</li> |
+ <li>New detector to find suspicious integer to double casts |
+ (David Hovemeyer, Bill Pugh)</li> |
+ <li>New detector to find invalid regular expression patterns |
+ (Bill Pugh)</li> |
+ <li>New detector to find Bloch/Gafter Java puzzlers (Bill |
+ Pugh)</li> |
+ |
+ <!-- feature enhancements --> |
+ <li>New system property to suppress reporting of DLS based on |
+ local variable name (Glenn Boysko)</li> |
+ <li>Enhancements to configuration dialog in Eclipse plugin, |
+ allow for saving enabled detectors in Eclipse projects (Phil |
+ Crosby)</li> |
+ <li>Sortable columns in detector dialog (Dave Brosius)</li> |
+ <li>New tab in gui for showing bugs grouped by category (Dave |
+ Brosius)</li> |
+ <li>Improved German translation of Swing GUI (Thomas Kuehne)</li> |
+ <li>Improved source file reporting in Emacs output format (Len |
+ Trigg)</li> |
+ <li>Improvements to redundant null comparison detector (Bill |
+ Pugh)</li> |
+ <li>Localization of run analysis and analysis error dialogs in |
+ Swing GUI (K. Hashimoto)</li> |
+ |
+ <!-- Bug fixes --> |
+ <li>Don't scan equals methods in FindHEMismatch if code is |
+ native (Greg Bentz)</li> |
+ <li>French translation fixes (David Cotton)</li> |
+ <li>Internationalization report fixes (K. Hashimoto)</li> |
+ <li>Japanese translations updates (SHISEI Hanai)</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.8.5:</p> |
+ <ul> |
+ <!-- new detectors --> |
+ <li>New detector to find catch blocks that may inadvertently |
+ catch runtime exceptions (Brian Goetz)</li> |
+ <li>New detector to find objects that are instantiated based |
+ on classes that only have static methods and fields, using the |
+ synthesized constructor (Dave Brosius)</li> |
+ <li>New detector to find calls to Thread.interrupted() in a |
+ non static context, and especially with non currentThread() |
+ threads (Dave Brosius)</li> |
+ <li>New detector to find calls to equals() methods that use |
+ Object's version. (Dave Brosius)</li> |
+ <li>New detector to find Applets that call methods in the |
+ constructor refering to the AppletStub (Dave Brosius)</li> |
+ <li>New detector to find some cases of infinite recursion |
+ (Bill Pugh)</li> |
+ <li>New detector to find dead stores to local variables (David |
+ Hovemeyer, Bill Pugh)</li> |
+ <li>Extend Dumb Method detector for toUpperCase(), |
+ toLowerCase() without a locale, new Integer(1).toString(), new |
+ XXX().getClass(), and new Thread() without a run implementation |
+ (Dave Brosius) <!-- feature enhancements --> |
+ </li> |
+ <li>Ant task supports "errorProperty" attribute, which sets an |
+ Ant property to "true" if an error occurs running FindBugs |
+ (Michael Tamm)</li> |
+ <li>Eclipse plugin allows filtering of warnings by bug |
+ category, priority (David Hovemeyer)</li> |
+ <li>Swing GUI allows filtering of warnings by bug category |
+ (David Hovemeyer)</li> |
+ <li>Ability to annotate methods using Java 1.5 annotations |
+ that suppress FindBugs warnings (Bill Pugh)</li> |
+ <li>New -adjustExperimental for lowering priority of |
+ BugPatterns that are experimental (Dave Brosius)</li> |
+ <li>Allow for command line options 'files' using the @ symbol |
+ (David Hovemeyer)</li> |
+ <li>New -adjustPriority command line option to for adjusting |
+ bug priorites (David Hovemeyer)</li> |
+ <li>Added an Edit menu (cut/copy/paste) to Swing GUI (Dave |
+ Brosius)</li> |
+ <li>French translation supplied (David Cotton) <!-- Bug fixes --> |
+ </li> |
+ </ul> |
+ |
+ <p>Changes since version 0.8.4:</p> |
+ <ul> |
+ <!-- new detectors --> |
+ <li>New detector for volatile references to arrays (Bill Pugh) |
+ </li> |
+ <li>New detector to find instanceof usage where inheritance |
+ can be determined statically (Dave Brosius)</li> |
+ <li>New detector to find ResultSet.getXXX updateXXX calls |
+ using index 0 (Dave Brosius)</li> |
+ <li>New detector to find empty zip or jar entries (Bill Pugh) |
+ |
+ <!-- feature enhancements --> |
+ </li> |
+ <li>HTML output generation using built-in XSLT stylesheet or |
+ user-defined stylesheet (David Hovemeyer)</li> |
+ <li>Allow URLs to be specified to analyze zip/jar files, local |
+ directories, and single classfiles (David Hovemeyer)</li> |
+ <li>New command line option -onlyAnalyze restricts analysis to |
+ selected classes and packages without reducing accuracy (David |
+ Hovemeyer)</li> |
+ <li>Allow Swing GUI to show source code in jar files on |
+ Windows systems (Dave Brosius) <!-- Bug fixes --> |
+ </li> |
+ <li>Fix the Switch Fall Thru detector (Dave Brosius, David |
+ Hovemeyer, Bill Pugh)</li> |
+ <li>MacOS GUI fixes (Rohan Lloyd)</li> |
+ <li>Fix false positive in BOA in case where method is |
+ correctly and 'incorrectly' overridden (Dave Brosius)</li> |
+ <li>Fixed memory blowup when analyzing methods which access a |
+ large number of fields (David Hovemeyer)</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.8.3:</p> |
+ <ul> |
+ <li>Initial and preliminary localization of the Swing |
+ GUI. Translations by: |
+ <ul> |
+ <li>German - Peter D. Stout, Holger Stenzhorn</li> |
+ <li>Finnish - Juha Knuutila</li> |
+ <li>Estonian - Tanel Lebedev</li> |
+ <li>Japanese - Hanai Shisei</li> |
+ </ul> |
+ </li> |
+ <li>Eliminated debug print statements inadvertently left |
+ enabled</li> |
+ <li>Reverted some changes in the open stream detector: this |
+ should fix some false positives that were introduced in the |
+ previous release</li> |
+ <li>Fixed a couple missing class reports</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.8.2:</p> |
+ <ul> |
+ |
+ <!-- New detectors --> |
+ <li>New detector to find improperly overridden GUI Adapter |
+ classes (Dave Brosius)</li> |
+ <li>New detector to find improperly setup JUnit TestCases |
+ (Dave Brosius)</li> |
+ <li>New detector to find variables that mask class level |
+ fields (Dave Brosius)</li> |
+ <li>New detector to find comparisons of values computed with |
+ bitwise operators that always yield the same result (Tom Truscott) |
+ </li> |
+ <li>New detector to find unsafe getClass().getResource() calls |
+ (Bill Pugh)</li> |
+ <li>New detector to find GUI changes not in GUI thread but in |
+ static main (Bill Pugh)</li> |
+ <li>New detector to find calls to Collection.toArray() with |
+ zero-length array argument; it is more efficient to pass an array |
+ the size of the collection, which can be populated and returned as |
+ the result (Dave Brosius) <!-- Analysis improvements --> |
+ </li> |
+ <li>Better suppression of false warnings in various detectors |
+ (Bill Pugh, David Hovemeyer)</li> |
+ <li>Enhancement to ReadReturnShouldBeChecked detector for |
+ skip() (Dave Brosius)</li> |
+ <li>Enhancement to DumbMethods detector (Dave Brosius)</li> |
+ <li>Open stream detector does not report wrappers of streams |
+ passed as method parameters (David Hovemeyer) <!-- Feature enhancements --> |
+ </li> |
+ <li>Cancel confirmation dialog in Swing GUI (Pete Angstadt)</li> |
+ <li>Better relative path saving in Project file (Dave Brosius) |
+ </li> |
+ <li>Detector Priority in GUI is now saved in prefs file (Dave |
+ Brosius)</li> |
+ <li>Controls in GUI to reorder source and classpath entries, |
+ and ability to flip between Project details and bugs pages (Dave |
+ Brosius)</li> |
+ <li>In Swing GUI, analysis error dialog supports "Select All" |
+ and "Copy" operations for easy generation of error reports (Dave |
+ Brosius)</li> |
+ <li>Complete translation of bug descriptions and messages into |
+ Japanese (Hanai Shisei) <!-- Bug fixes --> |
+ </li> |
+ <li>Fixed bug in DroppedException detector (Dave Brosius) <!-- Development stuff --> |
+ </li> |
+ <li>The source distribution defaults to using JDK 1.5 javac to |
+ compile, but support for compiling with JSR-14 prototype is still |
+ supported</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.8.1:</p> |
+ <ul> |
+ <li>Fixed a critical ClassCastException bug (triggered if the |
+ -workHard option was used, and an exception type was merged with |
+ an array type during type inference)</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.8.0:</p> |
+ <ul> |
+ <li>Disabled SwitchFallthrough detector to work around |
+ NullPointerExceptions</li> |
+ <li>Added some additional false positive suppression |
+ heuristics</li> |
+ </ul> |
+ |
+ <p>Also, two contributors to the 0.8.0 release were |
+ inadvertently left out of the credits:</p> |
+ <ul> |
+ <li>Pete Angstadt fixed several problems in the Swing GUI</li> |
+ <li>Francis Lalonde provided a task resource file for the |
+ FindBugs Ant task</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.7.4:</p> |
+ <ul> |
+ <li>New detector to look for uses of "+" operator to |
+ concatenate String objects in a loop (Dave Brosius)</li> |
+ <li>Reference comparison detector looks for places where the |
+ argument passed to the equals(Object) method isn't the same type |
+ as the receiver object</li> |
+ <li>Better suppression of false warnings in many detectors</li> |
+ <li>Many improvements to Eclipse plugin (Andrey Loskutov, |
+ Peter Friese)</li> |
+ <li>Fixed problem with building Eclipse plugin on Windows |
+ (Thomas Klaeger)</li> |
+ <li>Open stream detector looks for unclosed PreparedStatement |
+ objects (Thomas Klaeger, Rohan Lloyd)</li> |
+ <li>Fix for open stream detector: it wasn't detecting close() |
+ methods called through an invokeinterface instruction (Thomas |
+ Klaeger)</li> |
+ <li>Refactoring of visitor classes to enforce use of accessors |
+ for visited class features (Brian Goetz)</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.7.3:</p> |
+ <ul> |
+ <li>Experimental modification of open stream detector to look |
+ for non-escaping JDBC resources (connections and statements) that |
+ aren't closed on all paths out of method</li> |
+ <li>Eclipse plugin fixed so it compiles and runs on Eclipse |
+ 2.1.x (Peter Friese)</li> |
+ <li>Option to Swing GUI and command line to generate project |
+ file using relative paths for archives, source directories, and |
+ aux classpath entries (Dave Brosius)</li> |
+ <li>Improvements to findbugs.bat script for launching FindBugs |
+ on Windows (Dave Brosius)</li> |
+ <li>Updated Japanese message translations (Hiroshi Okugawa)</li> |
+ <li>Uncalled private methods are now reported as low priority, |
+ unless they have the same name as another method in the class |
+ (which is more likely to indicate an actual bug)</li> |
+ <li>Added some missing data in the bug messages XML files</li> |
+ <li>Fixed some problems building from source on Windows |
+ systems</li> |
+ <li>Various minor bug fixes</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.7.2:</p> |
+ <ul> |
+ <li>Enhanced Eclipse plugin, which displays the detailed bug |
+ description in a view (Phil Crosby)</li> |
+ <li>Various tweaks to existing detectors to reduce false |
+ warnings</li> |
+ <li>New command line option <code> -workHard </code> enables |
+ pruning of infeasible or unlikely exception edges, which results |
+ in better accuracy in the open stream detector, at the expense of |
+ a 30%-100% slowdown |
+ </li> |
+ <li>New website and HTML documentation design</li> |
+ <li>Documentation includes an HTML document with descriptions |
+ of all bug patterns reported by FindBugs</li> |
+ <li>Web page has a link to a <a |
+ href="http://www.simeji.com/findbugs/doc/manual_ja/index.html">Japanese |
+ translation</a> of the FindBugs manual, contributed by Hiroshi |
+ Okugawa |
+ </li> |
+ <li>Changed the Inconsistent Synchronization detector so that |
+ fields synchronized 50% of the time (or more) are reported as |
+ medium priority bugs (previously they were reported as low)</li> |
+ <li>New detector to find code that catches |
+ IllegalMonitorStateException</li> |
+ <li>New detector to find private methods that are never called |
+ </li> |
+ <li>New detector to find suspicious uses of |
+ non-short-circuiting boolean operators ( <code> & </code> and |
+ <code> | </code> , rather than <code> && </code> and <code> |
+ || </code> ) |
+ </li> |
+ </ul> |
+ |
+ <p>Changes since version 0.7.1:</p> |
+ <ul> |
+ <li>Incorporated patched version of BCEL, which allows classes |
+ compiled with JDK 1.5.0 beta to be analyzed</li> |
+ <li>Fixed some bugs related to lookups of array classes</li> |
+ <li>Fixed bug that prevented GUI from loading XML result files |
+ when running under JDK 1.5.0 beta</li> |
+ <li>Added new experimental bug detector, LazyInit, which looks |
+ for potentially buggy lazy initializations of static fields</li> |
+ <li>Because of long filenames, switched to distributing the |
+ source archive as a zip file rather than a tar file</li> |
+ <li>The 0.7.1 source tarfile was botched - 0.7.2 has a valid |
+ source archive</li> |
+ <li>Fixed some problems in the Ant build script</li> |
+ <li>Fixed NullPointerException when checking Class-Path |
+ attribute for Jar files without manifests</li> |
+ <li>Generate version numbers for the core and UI Eclipse |
+ plugins using the Version class; all version numbers are now in a |
+ common location</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.7.0:</p> |
+ <ul> |
+ <li>Eclipse plugin (contributed by Peter Friese)</li> |
+ <li>Source package structure rearranged: all source (other |
+ than Eclipse plugin UI) is in the edu.umd.cs.findbugs package, or |
+ a subpackage</li> |
+ <li>Class-Path attributes of manifests of analyzed jar files |
+ are used to set the aux classpath automatically (Peter D. Stout)</li> |
+ <li>GUI starts in directory specified by user.home property |
+ (Peter D. Stout)</li> |
+ <li>Added -project option to GUI (Mikko T.)</li> |
+ <li>Added -look:{plastic,gtk,native} option to GUI, for |
+ setting look and feel (Mikko T.)</li> |
+ <li>Fixed DataflowAnalysisException in inconsistent |
+ synchronization detector</li> |
+ <li>Ant task supports failOnError parameter (Rohan Lloyd)</li> |
+ <li>Serializable class warnings are downgraded to low priority |
+ for GUI classes</li> |
+ <li>MWN detector will only report calls to wait(), notify(), |
+ and notifyAll() methods that have the correct signature</li> |
+ <li>FindBugs works with latest CVS version of BCEL</li> |
+ <li>Zip and Jar files may be added to the source path</li> |
+ <li>The GUI will automatically find source files residing in |
+ analyzed Zip or Jar files</li> |
+ </ul> |
+ |
+ <p>Note that the version number jumped from 0.6.6 to 0.6.9; |
+ there were no 0.6.7 or 0.6.8 releases.</p> |
+ <p>Changes since version 0.6.9:</p> |
+ <ul> |
+ <li>Added -conserveSpace option to reduce memory use at the |
+ expense of analysis precision</li> |
+ <li>Bug fixes in findbugs.bat script: JAVA_HOME handling, |
+ autodetection of FINDBUGS_HOME, missing output with -textui</li> |
+ <li>Fixed NullPointerException when a missing class is |
+ encountered</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.6.6:</p> |
+ <ul> |
+ <li>The null pointer dereference detector is more powerful</li> |
+ <li>Significantly improved heuristics and bug fixes in |
+ inconsistent synchronization detector</li> |
+ <li>Improved heuristics in open stream and dropped exception |
+ detectors; fewer false positives should be reported</li> |
+ <li>Save HTML summary in XML results files, rather than |
+ recomputing; this makes loading results in GUI much faster</li> |
+ <li>Report at most one String comparison using == or != per |
+ method</li> |
+ <li>The findbugs.bat script on Windows autodetects |
+ FINDBUGS_HOME, and doesn't open a DOS window when launching the |
+ GUI (contributed by TJSB)</li> |
+ <li>Emacs reporting format (contributed by David Li)</li> |
+ <li>Various bug fixes</li> |
+ </ul> |
+ |
+ <p>Changes since 0.6.5:</p> |
+ <ul> |
+ <li>Rewritten inconsistent synchronization detector; accuracy |
+ is significantly improved, and bug reports are prioritized</li> |
+ <li>New detector to find self assignment (x=x) of local |
+ variables (suggested by Jeff Martin)</li> |
+ <li>New detector to find calls to wait(), notify(), and |
+ notifyAll() on an object which is not obviously locked</li> |
+ <li>Open stream detector now reports Readers and Writers</li> |
+ <li>Fixed bug in finalizer idioms detector which caused |
+ spurious warnings about failure to call super.finalize() (reported |
+ by Jim Menard)</li> |
+ <li>Fixed bug where output stream was not closed using non-XML |
+ output (reported by Sigiswald Madou)</li> |
+ <li>Fixed corrupted HTML bug detail message (reported by |
+ Trevor Harmon)</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.6.4:</p> |
+ <ul> |
+ <li>For redundant comparison of reference values, fixed false |
+ positives resulting from duplication of code in finally blocks</li> |
+ <li>Fixed false positives resulting from wrapped byte array |
+ streams left open</li> |
+ <li>Fixed bug in Ant task preventing output file from working |
+ properly if a relative path was used</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.6.3:</p> |
+ <ul> |
+ <li>Fixed bug in Ant task where output would be corrupted, and |
+ added a <code> timeout </code> attribute |
+ </li> |
+ <li>Added -outputFile option to text UI, for explicitly |
+ specifying an output file</li> |
+ <li>GUI has a summary window, for statistics about overall bug |
+ densities (contributed by Mike Fagan)</li> |
+ <li>Find redundant comparisons of reference values</li> |
+ <li>More accurate detection of Strings compared with == and != |
+ operators</li> |
+ <li>Detection of other reference types which should generally |
+ not be compared with == and != operators; Boolean, Integer, etc.</li> |
+ <li>Find non-transient non-serializable instance fields in |
+ Serializable classes</li> |
+ <li>Source code may be compiled with latest early access |
+ generics-enabled javac (version 2.2)</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.6.2:</p> |
+ <ul> |
+ <li>GUI supports filtering bugs by priority</li> |
+ <li>Ant task rewritten; supports all functionality offered by |
+ Text UI (contributed by Mike Fagan)</li> |
+ <li>Ant task is fully documented in the manual</li> |
+ <li>Classes in nested archives are analyzed; this allows full |
+ support for analyzing .ear and .war files (contributed by Mike |
+ Fagan)</li> |
+ <li>DepthFirstSearch changed to use non-recursive |
+ implementation; this should fix the StackOverflowErrors that |
+ several users reported</li> |
+ <li>Various minor bugfixes and improvements</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.6.1:</p> |
+ <ul> |
+ <li>New detector to look for useless control flow (suggested |
+ by Richard P. King and Mike Fagan)</li> |
+ <li>Look for places where return value of |
+ java.io.File.createNewFile() is ignored (suggested by Richard P. |
+ King)</li> |
+ <li>Fixed bug in resolution of source files (only the first |
+ source directory was searched)</li> |
+ <li>Fixed a NullPointerException in the bytecode pattern |
+ matching code</li> |
+ <li>Ant task supports project files (contributed by Mike |
+ Fagan)</li> |
+ <li>Unix findbugs script honors the <code> JAVA_HOME </code> |
+ environment variable (contributed by Pedro Morais) |
+ </li> |
+ <li>Allow .war and .ear files to be analyzed</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.6.0:</p> |
+ <ul> |
+ <li>New bug pattern detector which looks for places where a |
+ null pointer might be dereferenced</li> |
+ <li>New bug pattern detector which looks for IO streams that |
+ are opened, do not escape the method, and are not closed on all |
+ paths out of the method</li> |
+ <li>New bug pattern detector to find methods that can return |
+ null instead of a zero-length array</li> |
+ <li>New bug pattern detector to find places where the == or != |
+ operators are used to compare String objects</li> |
+ <li>Command line interface can save bugs as XML</li> |
+ <li>GUI can save bugs to and load bugs from XML</li> |
+ <li>An "Annotations" window in the GUI allows the user to add |
+ textual annotations to bug reports; these annotations are |
+ preserved when bugs are saved as XML</li> |
+ <li>In this release, the Japanese bug summary translations by |
+ Germano Leichsenring are really included (they were inadvertently |
+ omitted in the previous release)</li> |
+ <li>Completely rewrote the control flow graph builder, |
+ hopefully for the last time</li> |
+ <li>Simplified implementation of control flow graphs, which |
+ should reduce memory use and possibly improve performance</li> |
+ <li>Improvements to command line interface (list bug |
+ priorities, filter by priority, specify aux classpath, specify |
+ project to analyze)</li> |
+ <li>Various bug fixes and enhancements</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.5.4</p> |
+ <ul> |
+ <li>Added an <a href="http://ant.apache.org/">Ant</a> task for |
+ FindBugs, contributed by Mike Fagan. |
+ </li> |
+ <li>Added a GUI dialog which allows individual bug pattern |
+ detectors to be enabled or disabled. Disabling certain slow |
+ detectors can greatly speed up analysis of large programs, at the |
+ expense of reducing the number of potential bugs found.</li> |
+ <li>Added a new detector for finding improperly ignored return |
+ values for methods such as <code> String.trim() </code> . |
+ Suggested by Andreas Mandel. |
+ </li> |
+ <li>Japanese translations of the bug summaries, contributed by |
+ Germano Leichsenring.</li> |
+ <li>Filtering of results is supported in command line |
+ interface. See the <a href="manual/index.html">FindBugs manual</a> |
+ for details. |
+ </li> |
+ <li>Added "byte code patterns", a general pattern matching |
+ infrastructure for bytecode instructions. This feature |
+ significantly reduces the complexity of implementing new bug |
+ pattern detectors.</li> |
+ <li>Enabled a new general dataflow analysis to track values in |
+ methods.</li> |
+ <li>Switched to new control-flow graph builder implementation. |
+ </li> |
+ </ul> |
+ |
+ <p>Changes since version 0.5.3</p> |
+ <ul> |
+ <li>Fixed a bug in the script used to launch FindBugs on |
+ Windows platforms.</li> |
+ <li>Fixed crashes when analyzing class files without source |
+ line information.</li> |
+ <li>All major errors are reported using an error dialog; file |
+ not found errors are more informative.</li> |
+ <li>Minor GUI improvements.</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.5.2</p> |
+ <ul> |
+ <li>All of the source code and related files are in a single |
+ directory tree.</li> |
+ <li>Updated some of the detectors to produce source line |
+ information.</li> |
+ <li><a href="http://ant.apache.org/">Ant</a> build script and |
+ several GUI enhancements and fixes contributed by Mike Fagan.</li> |
+ <li>Converted to use a <a href="AddingDetectors.txt">plugin |
+ architecture</a> for loading bug detectors. |
+ </li> |
+ <li>Eliminated generics-related compiler warnings.</li> |
+ <li>More complete documentation has been added.</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.5.1:</p> |
+ <ul> |
+ <li>Fixed a large number of bugs in the BCEL Repository and |
+ FindBugs's use of the Repository. With these changes, |
+ FindBugs should <em>never</em> crash or otherwise misbehave |
+ because of Repository lookup failures. Because of these |
+ changes, you must use a modified version of <code> bcel.jar |
+ </code> with FindBugs. This jar file is included in the FindBugs |
+ 0.5.2 binary release. A complete patch containing the <a |
+ href="http://faculty.ycp.edu/~dhovemey/bcel-30-April-2003.patch">modifications |
+ against the BCEL CVS main branch as of April 30, 2003</a> is also |
+ available. |
+ </li> |
+ <li>Implemented the "auxiliary classpath entry list". |
+ Aux classpath entries can be added to a project to provide classes |
+ that are referenced by the analyzed application, but should not |
+ themselves be analyzed. Having all referenced classes |
+ available allows FindBugs to produce more accurate results.</li> |
+ </ul> |
+ |
+ <p>Changes since version 0.5.0:</p> |
+ <ul> |
+ <li>Many user interface bugs have been fixed.</li> |
+ <li>Upgraded to a recent CVS version of BCEL, with some bug |
+ fixes. This should prevent FindBugs from crashing when there |
+ is a failure to find a class on the classpath.</li> |
+ <li>Added support for Plastic look and feel from <a |
+ href="http://www.jgoodies.com/">jgoodies.com</a>. |
+ </li> |
+ <li>Major overhaul of infrastructure for doing dataflow |
+ analysis.</li> |
+ </ul> |
<hr> <p> |
<script language="JavaScript" type="text/javascript"> |
<!---//hide script from old browsers |
@@ -3540,11 +2800,11 @@ document.write( "Last updated "+ document.lastModified + "." ); |
<p> |
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=96405&type=5" width="210" height="62" border="0" alt="SourceForge.net Logo" /></A> |
- </td> |
+ </td> |
- </tr> |
- </table> |
+ </tr> |
+ </table> |
- </body> |
+</body> |
</html> |