Chromium Code Reviews

Unified Diff: doc/Changes.html

Issue 139673002: Updating Findbugs from 2.0.1 to 2.0.3 (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/findbugs.git@master
Patch Set: bulach's nits Created 6 years, 11 months ago
Index: doc/Changes.html
diff --git a/doc/Changes.html b/doc/Changes.html
index 440b153b4fdbb5ab52f8f84f53cc472dfcd18459..21b4551e1eab6bbf26e31f876a2faf62c2672315 100644
--- a/doc/Changes.html
+++ b/doc/Changes.html
@@ -1,16 +1,17 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
- <head>
- <title>FindBugs Change Log</title>
- <link rel="stylesheet" type="text/css" href="findbugs.css">
-
- </head>
+<head>
+<title>FindBugs Change Log</title>
+<link rel="stylesheet" type="text/css" href="findbugs.css">
- <body>
+</head>
- <table width="100%">
- <tr>
+<body>
-
+ <table width="100%">
+ <tr>
+
+
<td bgcolor="#b9b9fe" valign="top" align="left" width="20%">
<table width="100%" cellspacing="0" border="0">
<tr><td><a class="sidebar" href="index.html"><img src="umdFindbugs.png" alt="FindBugs"></a></td></tr>
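Review bot: Please confirm that doc/Changes.html is an unmodified copy of the upstream 2.0.3 file and not a locally reformatted one. Everything in this hunk (the added DOCTYPE line and the de-indented head, body and table tags) is markup and whitespace churn, which is hard to verify by eye in a vendored dependency. A sentence in the change description saying the docs were taken verbatim from the upstream release would let reviewers check the import against the release instead of reading the HTML line by line.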
@@ -54,1105 +55,1432 @@
</table>
</td>
- <td align="left" valign="top">
-
-
- <h1>FindBugs Change Log, Version 2.0.1</h1>
-
- <ul>
- <li>New bug patterns; in some cases, bugs previous reported as other bug patterns are reported
- as instances of these new bug patterns in order to make it easier for developers to understand
- the bug reports</li>
- <ul>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_RELATIVE_PATH_TRAVERSAL">PT_RELATIVE_PATH_TRAVERSAL
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR">NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#MS_SHOULD_BE_REFACTORED_TO_BE_FINAL">MS_SHOULD_BE_REFACTORED_TO_BE_FINAL
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST_OF_RETURN_VALUE">BC_UNCONFIRMED_CAST_OF_RETURN_VALUE
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS">TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS
- </a>
- </ul>
- <li>Changes to fix false negatives for the following bug patterns: <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>,
- <a href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_BAD_ARRAY_COMPARE">EC_BAD_ARRAY_COMPARE</a>,
- <a href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_UNUSUAL">EQ_UNUSUAL</a>, <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>,
- and <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE">NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE</a>.
+ <td align="left" valign="top">
-
- <li>Changes to fix false positions for the following bug patterns: <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_DOH">DMI_DOH</a>, <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>,
- and <a href="http://findbugs.sourceforge.net/bugDescriptions.html#SE_BAD_FIELD">SE_BAD_FIELD</a>.
-
- </ul>
-
- <h1>
- FindBugs Change Log, Version 2.0.0
- </h1>
-
- <h2> Changes since version 1.3.8</h2>
- <ul>
- <li>New bug patterns; in some cases, bugs previous reported as other bug patterns are reported as instances
- of these new bug patterns in order to make it easier for developers to understand the bug reports</li>
- <ul>
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST ">BC_IMPOSSIBLE_DOWNCAST </a>
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY ">BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY </a>
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE ">EC_INCOMPATIBLE_ARRAY_COMPARE </a>
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#JLM_JSR166_UTILCONCURRENT_MONITORENTER ">JLM_JSR166_UTILCONCURRENT_MONITORENTER </a>
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE ">LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE </a>
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_CLOSING_NULL ">NP_CLOSING_NULL </a>
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE ">RC_REF_COMPARISON_BAD_PRACTICE </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN ">RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED ">RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#SIC_THREADLOCAL_DEADLY_EMBRACE ">SIC_THREADLOCAL_DEADLY_EMBRACE </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR ">UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED ">VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED </a>
- </ul>
- <li>Providing a bug rank (1-20), and the ability to filter by bug rank. Eventually,
- it will be possible to specify your own rules for ranking bugs, but the procedure for doing so hasn't been specified yet.
- <li>Fixed about <a href="https://sourceforge.net/search/index.php?group_id=96405&search_summary=1&search_details=1&type_of_search=artifact&group_artifact_id%5B%5D=614693&open_date_start=2009-03-16&open_date_end=2009-08-20&form_submit=Search">45 bugs filed</a> through SourceForge
- <li>Various reclassifications and priority tweaks
- <li>Added more bug annotations to a variety of bug reports.
- This provides more context for understanding bug reports
- (e.g., if the value in question was is the return value
- of a method, the method is described as the source of
- the value in a bug annotation). This also provide more
- accurate tracking of issues across versions of the code
- being analyzed, but has the downside that when comparing
- results from FindBugs 1.3.8 and FindBugs 1.3.9 on the
- same version of code being analyzed,
- FindBugs may think that mistakenly believe that the
- issue reported by 1.3.8 was fixed and a new issue was
- introduced that was reported by FindBugs 1.3.9. While
- annoying, it would be unusual for more than a dozen
- issues per million
- lines of codes to be mistracked.
- <li> Lots of internal changes moving towards FindBugs 2.0, but these
- features are undocumented, not yet officially supported, and subject to
- radical changes before FindBugs 2.0 is released.
-
-
- </ul>
-
-
-
- <p> Changes since version 1.3.8</p>
- <ul>
- <li>New bug patterns; in some cases, bugs previous reported as other bug patterns are reported as instances
- of these new bug patterns in order to make it easier for developers to understand the bug reports</li>
- <ul>
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST ">BC_IMPOSSIBLE_DOWNCAST </a>
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY ">BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY </a>
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE ">EC_INCOMPATIBLE_ARRAY_COMPARE </a>
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#JLM_JSR166_UTILCONCURRENT_MONITORENTER ">JLM_JSR166_UTILCONCURRENT_MONITORENTER </a>
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE ">LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE </a>
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_CLOSING_NULL ">NP_CLOSING_NULL </a>
- <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE ">RC_REF_COMPARISON_BAD_PRACTICE </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN ">RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED ">RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#SIC_THREADLOCAL_DEADLY_EMBRACE ">SIC_THREADLOCAL_DEADLY_EMBRACE </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR ">UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR </a> <li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED ">VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED </a>
- </ul>
- <li>Providing a bug rank (1-20), and the ability to filter by bug rank. Eventually,
- it will be possible to specify your own rules for ranking bugs, but the procedure for doing so hasn't been specified yet.
- <li>Fixed about <a href="https://sourceforge.net/search/index.php?group_id=96405&search_summary=1&search_details=1&type_of_search=artifact&group_artifact_id%5B%5D=614693&open_date_start=2009-03-16&open_date_end=2009-08-20&form_submit=Search">45 bugs filed</a> through SourceForge
- <li>Various reclassifications and priority tweaks
- <li>Added more bug annotations to a variety of bug reports.
- This provides more context for understanding bug reports
- (e.g., if the value in question was is the return value
- of a method, the method is described as the source of
- the value in a bug annotation). This also provide more
- accurate tracking of issues across versions of the code
- being analyzed, but has the downside that when comparing
- results from FindBugs 1.3.8 and FindBugs 1.3.9 on the
- same version of code being analyzed,
- FindBugs may think that mistakenly believe that the
- issue reported by 1.3.8 was fixed and a new issue was
- introduced that was reported by FindBugs 1.3.9. While
- annoying, it would be unusual for more than a dozen
- issues per million
- lines of codes to be mistracked.
- <li> Lots of internal changes moving towards FindBugs 2.0, but these
- features are undocumented, not yet officially supported, and subject to
- radical changes before FindBugs 2.0 is released.
-
-
- </ul>
- <p> Changes since version 1.3.7</p>
- <ul>
- <li>Primarily another small bugfix release.</li>
- <li>FindBugs base:</li>
- <ul>
- <li>New Reports:</li>
- <ul>
- <li>SF_SWITCH_NO_DEFAULT: missing default case in switch statement.</li>
- <li>SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH_TO_THROW: value ignored when switch fallthrough leads to
- thrown exception.</li>
- <li>INT_VACUOUS_BIT_OPERATION: bit operations that don't do any meaningful work.</li>
- <li>FB_UNEXPECTED_WARNING: warning generated that conflicts with @NoWarning FindBugs annotation.</li>
- <li>FB_MISSING_EXPECTED_WARNING: warning not generated despite presence of @ExpectedWarning FindBugs annotation.</li>
- <li>NOISE category: intended for use in data mining experiments.</li>
- <ul>
- <li>NOISE_NULL_DEREFERENCE: fake null point dereference warning.</li>
- <li>NOISE_METHOD_CALL: fake method call warning.</li>
- <li>NOISE_FIELD_REFERENCE: fake field dereference warning.</li>
- <li>NOISE_OPERATION: fake operation warning.</li>
- </ul>
- </ul>
- <li>Other:</li>
- <ul>
- <li>Garvin Leclaire has created a new Apache Maven repository for FindBugs at
- <a href="http://code.google.com/p/findbugs/">the Google Code FindBugs SVN repository</a>. (Thanks Garvin!)</li>
- </ul>
- <li>Fixes:</li>
- <ul>
- <li>[ 2317842 ] Highlighting broken in Windows</li>
- <li>[ 2515908 ] check for oddness should track sign of argument</li>
- <li>[ 2487936 ] &quot;L B GC&quot; false pos cast from Map.Entry.getKey() to Map.get()</li>
- <li>[ 2528264 ] Ant tasks not compatible with Ant 1.7.1</li>
- <li>[ 2539590 ] SF_SWITCH_FALLTHROUGH wrong message reported </li>
- <li>[ 2020066 ] Bug history displayed in fancy-hist.xsl is incorrect</li>
- <li>[ 2545098 ] Invalid character in analysis results file</li>
- <li>[ 2492673 ] Plugin sites should specify &apos;requires Eclipse 3.3 or newer&apos;</li>
- <li>[ 2588044 ] a tiny typing error</li>
- <li>[ 2589048 ] Documentation for convertXmlToText insufficient</li>
- <li>[ 2638739 ] NullPointerException when building</li>
- </ul>
- <li>Patches:</li>
- <ul>
- <li>[ 2538184 ] Make BugCollection implement Iterable&lt;BugInstance&gt; (thanks to Tomas Pollak)</li>
- <li>[ 2249771 ] Add Maven2 Findbugs plugin link to the Links page (thanks to Garvin Leclaire)</li>
- <li>[ 2609526 ] Japanese manual update (thanks to K. Hashimoto)</li>
- <li>[ 2119482 ] CheckBcel checks for nonexistent classes (thanks to Jerry James)</li>
- </ul>
- </ul>
- <li>FindBugs Eclipse plugin:</li>
- <ul>
- <li>Major feature enhancements (thanks to Andrey Loskutov).
- See <a href="http://andrei.gmxhome.de/findbugs/index.html">this overview</a> for more information.</li>
- <li>Major test improvements (thanks to Tomas Pollak).</li>
- <li>Fixes:</li>
- <ul>
- <li>[ 2532365 ] Compiler warning</li>
- <li>[ 2522989 ] Fix filter files selection</li>
- <li>[ 2504068 ] NullPointerException</li>
- <li>[ 2640849 ] NPE in Eclipse plugin 1.3.7 and Eclipse 3.5 M5</li>
- </ul>
- <li>Patches:</li>
- <ul>
- <li>[ 2143140 ] Unchecked conversion fixes for Eclipse plugin (thanks to Jerry James)
- </ul>
- </ul>
- </ul>
- </ul>
-
- <p> Changes since version 1.3.6</p>
- <ul>
- <li>Overall, a small bugfix release.
- <li>New detection of accidental vacuous/useless calls to EasyMock methods,
- and of generic signatures that proclaim the use of unhashable classes
- in ways that require that they be hashed.
- <li>Eliminate some false positives where we were warning about
- a useless call (e.g., comparing two incompatible types for equality),
- but the only thing the code was doing with the result was
- passing it to assertFalse.
- <li>Japanese localization and manual by K.Hashimoto. (Thanks!)
- <li>Added -exclude and -outputDir command line options to rejarForAnalysis
- <li>Extended -adjustPriorities option to FindBugs analysis textui so that you
- can modify the priorities of individual bug patterns as well as visitors,
- and also completely suppress individual bug patterns or visitors.
- <ul>
- <li> e.g., -adjustPriority MS_SHOULD_BE_FINAL=suppress,MS_PKGPROTECT=suppress,EI_EXPOSE_REP=suppress,EI_EXPOSE_REP2=suppress,PZLA_PREFER_ZERO_LENGTH_ARRAYS=raise
- </ul>
- </ul>
-
- <p> Changes since version 1.3.5</p>
- <ul>
- <li>Added fairly exhaustive static analysis
- of uses of format strings, checking for missing or
- extra arguements, invalid format specifiers,
- or mismatched format specifiers and arguments (e.g,
- passing a String value for a %d format specifier).
- The logic for doing so is derived from Sun's java.util.Formatter class,
- and available separately from FindBugs as part of the
- <a href="https://jformatstring.dev.java.net/">jFormatString</a> project.
+ <h1>FindBugs Change Log, Version 2.0.3</h1>
+ <ul>
+ <li>New Bug patterns: <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_BOXED_PRIMITIVE_FOR_PARSING">DM_BOXED_PRIMITIVE_FOR_PARSING</a>,
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_METHOD_RETURN_RELAXING_ANNOTATION">NP_METHOD_RETURN_RELAXING_ANNOTATION</a>,
+ and
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION">NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION</a>
+ </li>
+ <li>Add the ability in the GUI to save the currently viewable/filtered bugs to HTML output.
+ <li>When dataflow does't terminate, make sure we continue with
+ analysis.
- <li>More tuning of the unsatisfied obligation detector. Since this
- detector is still rather noisy and an unfinished research project,
- I've moved the generated issues to a new category: EXPERIMENTAL.
+ <li>Fix some problems that resulting in dataflow analysis not
+ terminating
- <li>Added check for <a href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_ADD_OF_SIGNED_BYTE">BIT_ADD_OF_SIGNED_BYTE</a>; similar to <a href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_IOR_OF_SIGNED_BYTE">BIT_IOR_OF_SIGNED_BYTE</a>, except that
- addition is being used to combine shifted signed bytes.
+ <li>Get parameter annotations from default parameters
+ annotations applied to the method.
+ <li>Add subversion change number to eclipse plugin qualifier.
- <li>Changed detection of EI_EXPOSE_REP2, so we only report it if the value stored
- is guaranteed to be the same value that was passed in as a parameter.
+ <li>Disabled detector for <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#AM_CREATES_EMPTY_JAR_FILE_ENTRY">AM_CREATES_EMPTY_JAR_FILE_ENTRY</a>;
+ it complaints inappropriately about code that creates directory
+ entries.
- <li>Added <a href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS">EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS</a>, a warning when
- an equals method checks to see if an operand is an instance of a class not
- compatible with itself. For example, if the Foo class checks to see if the argument
- is an instance of String. This is either a questionable design decision or a coding mistake.
- <li>Added <a href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_INVOKING_HASHCODE_ON_ARRAY">DMI_INVOKING_HASHCODE_ON_ARRAY</a>,
- which checks for invoking <code>hashCode()</code> on an array, which returns a hash code that ignores the contents of the array.
- <li>Added checks for using <code>x.removeAll(x)</code> to rather than <code>x.clear()</code>
- to clear an array.
- <li>Add checks for calls such as <code>x.contains(x)</code>, <code>x.remove(x)</code> and <code>x.containsAll(x)</code>.
- <li>Improvements to Eclipse plugin (thanks to Andrey Loskutov):
- <ul>
- <li>Report separate markers for each occurrence of an issue that appears multiple times in a method
- <li> fine tuning for reported markers: add only one marker for fields, add marker on right position
- <li> link bugs selected in bug explorer view to the opened editor and vice versa
- <li> select bugs selected in editor ruler in the opened bug explorer view
- <li> consistent abbreviations used in both bug explorer and bug details view
- <li> added "Expand All" button to the bug explorer view
- <li> added "Go Into/Go Up" buttons to the bug explorer view
- <li> added "Copy to clipboard" menu/functionality to the details view list widget
- <li> fix for CNF exception if loading the backup solution for broken browser widget
+ <li>Add warnings about incompatible types passed to
+ org.testng.Assert.assertEquals</li>
+ <li>Add logic that understands more of the Google Guava APIs.
+ <li>Disable type qualifier validator execution within Eclipse plugin;
+ too many problems with class loading and security manager (see #1154 Random obscure Eclipse failures)
+ <li>Consistently check both access flags and attributes to see if something is synthetic. Compiler is
+ inconsistent about where synthetic elements are marked.
- </ul></ul>
+ <li>Fixed false positives for the following bug patterns (17
+ occurrences in findbugsTestCases):
+ <ul>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC">BC</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_INSTANCEOF">BC_IMPOSSIBLE_INSTANCEOF</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#INT_BAD_COMPARISON_WITH_NONNEGATIVE_VALUE">INT_BAD_COMPARISON_WITH_NONNEGATIVE_VALUE</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#IS2_INCONSISTENT_SYNC">IS2_INCONSISTENT_SYNC</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS">NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#OBL_UNSATISFIED_OBLIGATION">OBL_UNSATISFIED_OBLIGATION</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE">RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SA_FIELD_SELF_COMPARISON">SA_FIELD_SELF_COMPARISON</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED">TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED</a>
+ </li>
+ </ul>
+ <li>Fixed false negatives for the following bug patterns (45
+ occurrences in findbugsTestCases):
+ <ul>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_NUMBER_CTOR">DM_NUMBER_CTOR</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_ARRAY_AND_NONARRAY">EC_ARRAY_AND_NONARRAY</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE">EC_INCOMPATIBLE_ARRAY_COMPARE</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#IS_FIELD_NOT_GUARDED">IS_FIELD_NOT_GUARDED</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#IT_NO_SUCH_ELEMENT">IT_NO_SUCH_ELEMENT</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS">JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_ON_SOME_PATH">NP_NULL_ON_SOME_PATH</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_PARAM_VIOLATION">NP_NONNULL_PARAM_VIOLATION</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE">NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE">NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_STORE_INTO_NONNULL_FIELD">NP_STORE_INTO_NONNULL_FIELD</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RE_POSSIBLE_UNINTENDED_PATTERN">RE_POSSIBLE_UNINTENDED_PATTERN</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SA_FIELD_SELF_COMPARISON">SA_FIELD_SELF_COMPARISON</a>
+ </ul>
+ </ul>
+ <h1>FindBugs Change Log, Version 2.0.2</h1>
+
+ <ul>
+ <li>Fix false positions for <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR">NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR</a>
+ - fixing <a
+ href="https://sourceforge.net/tracker/?func=detail&aid=3547559&group_id=96405&atid=614693">Bug3547559</a>,
+ <a
+ href="https://sourceforge.net/tracker/?func=detail&aid=3555408&group_id=96405&atid=614693">Bug3555408</a>,
+ <a
+ href="https://sourceforge.net/tracker/?func=detail&aid=3580266&group_id=96405&atid=614693">Bug3580266</a>
+ and <a
+ href="https://sourceforge.net/tracker/?func=detail&aid=3587164&group_id=96405&atid=614693">Bug3587164</a>.
+
+
+ </li>
+ <li>Fix false positives for <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SF_SWITCH_NO_DEFAULT">SF_SWITCH_NO_DEFAULT</a>
+ <li>Inline access methods for private fields,
+ fixing false positive in <a
+ href="https://sourceforge.net/tracker/?func=detail&aid=3484713&group_id=96405&atid=614693">Bug3484713</a>.
+
+ <li>Type qualifier annotations, including nullness
+ annotations, are now ignored on vararg parameters (including
+ default and inherited annotations), awaiting JSR308.
+ <li>Defined new bug pattern to give better explanations of
+ issues involving strict type qualifiers <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED">TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED</a>
+ <li>Adjusted analysis of type qualifiers, now giving warnings
+ where a computed value is used in a place where a value with a
+ strict type qualifier is required.
+ <li>Complain about missing classes only if they are
+ encountered while analyzing application classes; ignore missing
+ classes that are encounted while analyzing classes loaded from the
+ auxclasspath. Fix for <a
+ href="https://sourceforge.net/tracker/?func=detail&aid=3588379&group_id=96405&atid=614693">Bug3588379</a>
+ <li>Fixed false positive null pointer warning coming from
+ synthetic bridge methods, fixing <a
+ href="https://sourceforge.net/tracker/?func=detail&aid=3589328&group_id=96405&atid=614693">Bug3589328</a>
+ <li>In general, suppress warnings in synthetic methods.
+ <li>Fix some false positives involving <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>
+ on classes that extend generic collection classes.
+
+ </li>
+ <li>Combine multiple identical warnings about
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_DEFAULT_ENCODING">DM_DEFAULT_ENCODING</a>
+ that occur in the same method,
+ simplifying issue triage.
+
+ <li>Changes by Andrey Loskutov
+ <ul>
+ <li>fixed job scheduling errors in 3.8/4.2 Eclipse <a
+ href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=393748">bug
+ report</a>
+ <li>more realistic progress bar updates for jobs
+ <li>added nullness annotations for some common Eclipse API
+ methods known to usually return null values
+ <li>Added support for org.eclipse.jdt.annotation.Nullable,
+ NonNull and NonNullByDefault annotations (introduced with
+ Eclipse 3.8/4.2)</li>
+ </ul>
+ <li>Documentation improvements
+ <li><a href="http://code.google.com/p/findbugs/source/list">lots
+ of other small changes</a>
+ </ul>
+ <h1>FindBugs Change Log, Version 2.0.1</h1>
+
+ <ul>
+ <li>New bug patterns; in some cases, bugs previous reported as
+ other bug patterns are reported as instances of these new bug
+ patterns in order to make it easier for developers to understand
+ the bug reports
+ <ul>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL</a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_RELATIVE_PATH_TRAVERSAL">PT_RELATIVE_PATH_TRAVERSAL</a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR">NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR</a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#MS_SHOULD_BE_REFACTORED_TO_BE_FINAL">MS_SHOULD_BE_REFACTORED_TO_BE_FINAL</a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST_OF_RETURN_VALUE">BC_UNCONFIRMED_CAST_OF_RETURN_VALUE</a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL</a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS">TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS</a></li>
+ </ul>
+ </li>
+
+ <li>Changes to fix false negatives for the following bug
+ patterns: <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>,
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_BAD_ARRAY_COMPARE">EC_BAD_ARRAY_COMPARE</a>,
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_UNUSUAL">EQ_UNUSUAL</a>,
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>,
+ and <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE">NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE</a>.
+ </li>
+
+ <li>Changes to fix false positions for the following bug
+ patterns: <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_DOH">DMI_DOH</a>,
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>,
+ and <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SE_BAD_FIELD">SE_BAD_FIELD</a>.
+ </li>
+ </ul>
+
+ <h1>FindBugs Change Log, Version 2.0.0</h1>
+
+ <h2>Changes since version 1.3.8</h2>
+ <ul>
+ <li>New bug patterns; in some cases, bugs previous reported as
+ other bug patterns are reported as instances of these new bug
+ patterns in order to make it easier for developers to understand
+ the bug reports
+ <ul>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST ">BC_IMPOSSIBLE_DOWNCAST
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY ">BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE ">EC_INCOMPATIBLE_ARRAY_COMPARE
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#JLM_JSR166_UTILCONCURRENT_MONITORENTER ">JLM_JSR166_UTILCONCURRENT_MONITORENTER
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE ">LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_CLOSING_NULL ">NP_CLOSING_NULL
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE ">RC_REF_COMPARISON_BAD_PRACTICE
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN ">RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED ">RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SIC_THREADLOCAL_DEADLY_EMBRACE ">SIC_THREADLOCAL_DEADLY_EMBRACE
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR ">UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED ">VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED
+ </a></li>
+ </ul>
+ </li>
+ <li>Providing a bug rank (1-20), and the ability to filter by
+ bug rank. Eventually, it will be possible to specify your own
+ rules for ranking bugs, but the procedure for doing so hasn't been
+ specified yet.</li>
+ <li>Fixed about <a
+ href="https://sourceforge.net/search/index.php?group_id=96405&search_summary=1&search_details=1&type_of_search=artifact&group_artifact_id%5B%5D=614693&open_date_start=2009-03-16&open_date_end=2009-08-20&form_submit=Search">45
+ bugs filed</a> through SourceForge
+ </li>
+ <li>Various reclassifications and priority tweaks</li>
+ <li>Added more bug annotations to a variety of bug reports.
+ This provides more context for understanding bug reports (e.g., if
+ the value in question was is the return value of a method, the
+ method is described as the source of the value in a bug
+ annotation). This also provide more accurate tracking of issues
+ across versions of the code being analyzed, but has the downside
+ that when comparing results from FindBugs 1.3.8 and FindBugs 1.3.9
+ on the same version of code being analyzed, FindBugs may think
+ that mistakenly believe that the issue reported by 1.3.8 was fixed
+ and a new issue was introduced that was reported by FindBugs
+ 1.3.9. While annoying, it would be unusual for more than a dozen
+ issues per million lines of codes to be mistracked.</li>
+ <li>Lots of internal changes moving towards FindBugs 2.0, but
+ these features are undocumented, not yet officially supported, and
+ subject to radical changes before FindBugs 2.0 is released.</li>
+ </ul>
+
+ <p>Changes since version 1.3.8</p>
+ <ul>
+ <li>New bug patterns; in some cases, bugs previous reported as
+ other bug patterns are reported as instances of these new bug
+ patterns in order to make it easier for developers to understand
+ the bug reports
+ <ul>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST ">BC_IMPOSSIBLE_DOWNCAST
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY ">BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE ">EC_INCOMPATIBLE_ARRAY_COMPARE
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#JLM_JSR166_UTILCONCURRENT_MONITORENTER ">JLM_JSR166_UTILCONCURRENT_MONITORENTER
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE ">LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_CLOSING_NULL ">NP_CLOSING_NULL
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE ">RC_REF_COMPARISON_BAD_PRACTICE
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN ">RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED ">RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SIC_THREADLOCAL_DEADLY_EMBRACE ">SIC_THREADLOCAL_DEADLY_EMBRACE
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR ">UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED ">VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED
+ </a>
+ </ul>
+ </li>
+ <li>Providing a bug rank (1-20), and the ability to filter by
+ bug rank. Eventually, it will be possible to specify your own
+ rules for ranking bugs, but the procedure for doing so hasn't been
+ specified yet.</li>
+ <li>Fixed about <a
+ href="https://sourceforge.net/search/index.php?group_id=96405&search_summary=1&search_details=1&type_of_search=artifact&group_artifact_id%5B%5D=614693&open_date_start=2009-03-16&open_date_end=2009-08-20&form_submit=Search">45
+ bugs filed</a> through SourceForge
+ </li>
+ <li>Various reclassifications and priority tweaks</li>
+ <li>Added more bug annotations to a variety of bug reports.
+ This provides more context for understanding bug reports (e.g., if
+ the value in question was is the return value of a method, the
+ method is described as the source of the value in a bug
+ annotation). This also provide more accurate tracking of issues
+ across versions of the code being analyzed, but has the downside
+ that when comparing results from FindBugs 1.3.8 and FindBugs 1.3.9
+ on the same version of code being analyzed, FindBugs may think
+ that mistakenly believe that the issue reported by 1.3.8 was fixed
+ and a new issue was introduced that was reported by FindBugs
+ 1.3.9. While annoying, it would be unusual for more than a dozen
+ issues per million lines of codes to be mistracked.</li>
+ <li>Lots of internal changes moving towards FindBugs 2.0, but
+ these features are undocumented, not yet officially supported, and
+ subject to radical changes before FindBugs 2.0 is released.</li>
+ </ul>
+
+ <p>Changes since version 1.3.7</p>
+ <ul>
+ <li>Primarily another small bugfix release.</li>
+ <li>FindBugs base:
+ <ul>
+ <li>New Reports:
+ <ul>
+ <li>SF_SWITCH_NO_DEFAULT: missing default case in switch
+ statement.</li>
+ <li>SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH_TO_THROW:
+ value ignored when switch fallthrough leads to thrown
+ exception.</li>
+ <li>INT_VACUOUS_BIT_OPERATION: bit operations that don't
+ do any meaningful work.</li>
+ <li>FB_UNEXPECTED_WARNING: warning generated that
+ conflicts with @NoWarning FindBugs annotation.</li>
+ <li>FB_MISSING_EXPECTED_WARNING: warning not generated
+ despite presence of @ExpectedWarning FindBugs annotation.</li>
+ <li>NOISE category: intended for use in data mining
+ experiments.
+ <ul>
+ <li>NOISE_NULL_DEREFERENCE: fake null point dereference
+ warning.</li>
+ <li>NOISE_METHOD_CALL: fake method call warning.</li>
+ <li>NOISE_FIELD_REFERENCE: fake field dereference
+ warning.</li>
+ <li>NOISE_OPERATION: fake operation warning.</li>
+ </ul>
+ </li>
+ </ul>
+ </li>
+ <li>Other:
+ <ul>
+ <li>Garvin Leclaire has created a new Apache Maven
+ repository for FindBugs at <a
+ href="http://code.google.com/p/findbugs/">the Google Code
+ FindBugs SVN repository</a>. (Thanks Garvin!)
+ </li>
+ </ul>
+ </li>
+ <li>Fixes:
+ <ul>
+ <li>[ 2317842 ] Highlighting broken in Windows</li>
+ <li>[ 2515908 ] check for oddness should track sign of
+ argument</li>
+ <li>[ 2487936 ] &quot;L B GC&quot; false pos cast from
+ Map.Entry.getKey() to Map.get()</li>
+ <li>[ 2528264 ] Ant tasks not compatible with Ant 1.7.1</li>
+ <li>[ 2539590 ] SF_SWITCH_FALLTHROUGH wrong message
+ reported</li>
+ <li>[ 2020066 ] Bug history displayed in fancy-hist.xsl is
+ incorrect</li>
+ <li>[ 2545098 ] Invalid character in analysis results file</li>
+ <li>[ 2492673 ] Plugin sites should specify &quot;requires
+ Eclipse 3.3 or newer&quot;</li>
+ <li>[ 2588044 ] a tiny typing error</li>
+ <li>[ 2589048 ] Documentation for convertXmlToText
+ insufficient</li>
+ <li>[ 2638739 ] NullPointerException when building</li>
+ </ul>
+ </li>
+ <li>Patches:
+ <ul>
+ <li>[ 2538184 ] Make BugCollection implement
+ Iterable&lt;BugInstance&gt; (thanks to Tomas Pollak)</li>
+ <li>[ 2249771 ] Add Maven2 Findbugs plugin link to the
+ Links page (thanks to Garvin Leclaire)</li>
+ <li>[ 2609526 ] Japanese manual update (thanks to K.
+ Hashimoto)</li>
+ <li>[ 2119482 ] CheckBcel checks for nonexistent classes
+ (thanks to Jerry James)</li>
+ </ul>
+ </li>
+ </ul>
+ </li>
+ <li>FindBugs Eclipse plugin:
+ <ul>
+ <li>Major feature enhancements (thanks to Andrey Loskutov).
+ See <a href="http://andrei.gmxhome.de/findbugs/index.html">this
+ overview</a> for more information.
+ </li>
+ <li>Major test improvements (thanks to Tomas Pollak).</li>
+ <li>Fixes:
+ <ul>
+ <li>[ 2532365 ] Compiler warning</li>
+ <li>[ 2522989 ] Fix filter files selection</li>
+ <li>[ 2504068 ] NullPointerException</li>
+ <li>[ 2640849 ] NPE in Eclipse plugin 1.3.7 and Eclipse
+ 3.5 M5</li>
+ </ul>
+ </li>
+ <li>Patches:
+ <ul>
+ <li>[ 2143140 ] Unchecked conversion fixes for Eclipse
+ plugin (thanks to Jerry James)
+ </ul>
+ </li>
+ </ul>
+ </li>
+ </ul>
+
+ <p>Changes since version 1.3.6</p>
+ <ul>
+ <li>Overall, a small bugfix release.
+ <li>New detection of accidental vacuous/useless calls to
+ EasyMock methods, and of generic signatures that proclaim the use
+ of unhashable classes in ways that require that they be hashed.
+ <li>Eliminate some false positives where we were warning about
+ a useless call (e.g., comparing two incompatible types for
+ equality), but the only thing the code was doing with the result
+ was passing it to assertFalse.
+ <li>Japanese localization and manual by K.Hashimoto. (Thanks!)
+ <li>Added -exclude and -outputDir command line options to
+ rejarForAnalysis
+ <li>Extended -adjustPriorities option to FindBugs analysis
+ textui so that you can modify the priorities of individual bug
+ patterns as well as visitors, and also completely suppress
+ individual bug patterns or visitors.
+ <ul>
+ <li>e.g., -adjustPriority
+ MS_SHOULD_BE_FINAL=suppress,MS_PKGPROTECT=suppress,EI_EXPOSE_REP=suppress,EI_EXPOSE_REP2=suppress,PZLA_PREFER_ZERO_LENGTH_ARRAYS=raise
+
+ </ul>
+ </ul>
+
+
+ <p>Changes since version 1.3.5</p>
+ <ul>
+ <li>Added fairly exhaustive static analysis of uses of format
+ strings, checking for missing or extra arguements, invalid format
+ specifiers, or mismatched format specifiers and arguments (e.g,
+ passing a String value for a %d format specifier). The logic for
+ doing so is derived from Sun's java.util.Formatter class, and
+ available separately from FindBugs as part of the <a
+ href="https://jformatstring.dev.java.net/">jFormatString</a>
+ project.
+ <li>More tuning of the unsatisfied obligation detector. Since
+ this detector is still rather noisy and an unfinished research
+ project, I've moved the generated issues to a new category:
+ EXPERIMENTAL.
+ <li>Added check for <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_ADD_OF_SIGNED_BYTE">BIT_ADD_OF_SIGNED_BYTE</a>;
+ similar to <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_IOR_OF_SIGNED_BYTE">BIT_IOR_OF_SIGNED_BYTE</a>,
+ except that addition is being used to combine shifted signed
+ bytes.
+ <li>Changed detection of EI_EXPOSE_REP2, so we only report it
+ if the value stored is guaranteed to be the same value that was
+ passed in as a parameter.
+ <li>Added <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS">EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS</a>,
+ a warning when an equals method checks to see if an operand is an
+ instance of a class not compatible with itself. For example, if
+ the Foo class checks to see if the argument is an instance of
+ String. This is either a questionable design decision or a coding
+ mistake.
+ <li>Added <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_INVOKING_HASHCODE_ON_ARRAY">DMI_INVOKING_HASHCODE_ON_ARRAY</a>,
+ which checks for invoking <code>hashCode()</code> on an array,
+ which returns a hash code that ignores the contents of the array.
+ <li>Added checks for using <code>x.removeAll(x)</code> to
+ rather than <code>x.clear()</code> to clear an array.
+ <li>Add checks for calls such as <code>x.contains(x)</code>, <code>x.remove(x)</code>
+ and <code>x.containsAll(x)</code>.
+ <li>Improvements to Eclipse plugin (thanks to Andrey
+ Loskutov):
+ <ul>
+ <li>Report separate markers for each occurrence of an issue
+ that appears multiple times in a method
+ <li>fine tuning for reported markers: add only one marker
+ for fields, add marker on right position
+ <li>link bugs selected in bug explorer view to the opened
+ editor and vice versa
+ <li>select bugs selected in editor ruler in the opened bug
+ explorer view
+ <li>consistent abbreviations used in both bug explorer and
+ bug details view
+ <li>added "Expand All" button to the bug explorer view
+ <li>added "Go Into/Go Up" buttons to the bug explorer view
+ <li>added "Copy to clipboard" menu/functionality to the
+ details view list widget
+ <li>fix for CNF exception if loading the backup solution for
+ broken browser widget
+ </ul>
+ </ul>
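Review bot: the added "Changes since version 1.3.8" section repeats, item for item, the list that ends just above it: the same twelve bug-pattern links, the bug rank (1-20) item, the "45 bugs filed" link and the bug-annotation paragraph comparing FindBugs 1.3.8 and 1.3.9. Please check against the upstream 2.0.3 doc/Changes.html whether the duplicate is really there or whether the import doubled the section. If it is upstream, keep the file byte-identical and record the oddity in README.chromium rather than patching the vendored copy. Three smaller things in the same added block are worth confirming as upstream too. Every bugDescriptions.html href ends with a space before the closing quote (for example `#BC_IMPOSSIBLE_DOWNCAST ">`), which can stop the fragment from resolving. The second copy of the list leaves its `<li>` elements unclosed while the first closes them. The SourceForge search URL uses raw `&` in the attribute value where `&amp;` is expected.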
- <p> Changes since version 1.3.4</p>
- <ul>
+
+
+ <p>Changes since version 1.3.4</p>
+ <ul>
<li>Analysis about 15% faster
- <li><a href="http://sourceforge.net/tracker/?atid=614693&group_id=96405&func=browse&status=closed">38 bugs closed</a></li>
+ <li><a
+ href="http://sourceforge.net/tracker/?atid=614693&group_id=96405&func=browse&status=closed">38
+ bugs closed</a></li>
<li>New defect warnings:
- <ul>
- <li>calls to methods that always throw
- UnsupportedOperationException (DMI_UNSUPPORTED_METHOD)
- <li>repeated conditional tests (e.g.,
- <code>if (x &lt; 0 || x &lt; 0) ...</code>)
- (RpC_REPEATED_CONDITIONAL_TEST)
- <li>Complete rewrite of detector for format string problems.
- More accurate, finds more problems, generates
- more descriptive reports, several different
- bug pattern
- (VA_FORMAT_STRING_EXTRA_ARGUMENTS_PASSED,
- VA_FORMAT_STRING_ILLEGAL,
- VA_FORMAT_STRING_MISSING_ARGUMENT,
- VA_FORMAT_STRING_BAD_ARGUMENT,
- VA_FORMAT_STRING_NO_PREVIOUS_ARGUMENT)
-
- <li>Fairly complete implementation of JSR-305 custom type qualifier
- analysis (no support for custom validators yet).
- (TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK
- TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_ALWAYS_SINK
- TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_NEVER_SINK)
- <li>New detector for unsatisfied obligations such forgetting to
- close a file (OBL_UNSATISFIED_OBLIGATION).
- <li>Warning when a parameter is marked as nullable, but is
- always dereferenced.
- (NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE)
- <lI>Separate warning for dereference the result of readLine (NP_DEREFERENCE_OF_READLINE_VALUE)
- </ul>
- <li>When XML is generated with messages, the project stats now
- include &lt;FileStat&gt; elements.
- For each source file, this gives the path for the file,
- the total number of warnings for that file, and a bugHash
- for the file. While the instanceHash for a bug is intended
- to be version invariant (ignoring line numbers, etc), the
- bugHash for a file is intended to reflect all the information
- about the warnings in that file. The intended use case is that
- if the bugHash for a file is the same in two analysis runs,
- then <em>nothing</em> has changed about any of the warnings
- reported for that file between the two analysis runs.
- <li>More merging of similar issues within a method. For example,
- if the result of readLine() is dereferences multiple times
- within a method, it will be reported as a single warning
+ <ul>
+ <li>calls to methods that always throw
+ UnsupportedOperationException (DMI_UNSUPPORTED_METHOD)
+ <li>repeated conditional tests (e.g., <code>if (x
+ &lt; 0 || x &lt; 0) ...</code>) (RpC_REPEATED_CONDITIONAL_TEST)
+ <li>Complete rewrite of detector for format string problems.
+ More accurate, finds more problems, generates more descriptive
+ reports, several different bug pattern
+ (VA_FORMAT_STRING_EXTRA_ARGUMENTS_PASSED,
+ VA_FORMAT_STRING_ILLEGAL, VA_FORMAT_STRING_MISSING_ARGUMENT,
+ VA_FORMAT_STRING_BAD_ARGUMENT,
+ VA_FORMAT_STRING_NO_PREVIOUS_ARGUMENT)
+ <li>Fairly complete implementation of JSR-305 custom type
+ qualifier analysis (no support for custom validators yet).
+ (TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK
+ TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_ALWAYS_SINK
+ TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_NEVER_SINK)
+ <li>New detector for unsatisfied obligations such forgetting
+ to close a file (OBL_UNSATISFIED_OBLIGATION).
+ <li>Warning when a parameter is marked as nullable, but is
+ always dereferenced.
+ (NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE)
+ <lI>Separate warning for dereference the result of readLine
+ (NP_DEREFERENCE_OF_READLINE_VALUE)
+ </ul>
+ <li>When XML is generated with messages, the project stats now
+ include &lt;FileStat&gt; elements. For each source file, this
+ gives the path for the file, the total number of warnings for that
+ file, and a bugHash for the file. While the instanceHash for a bug
+ is intended to be version invariant (ignoring line numbers, etc),
+ the bugHash for a file is intended to reflect all the information
+ about the warnings in that file. The intended use case is that if
+ the bugHash for a file is the same in two analysis runs, then <em>nothing</em>
+ has changed about any of the warnings reported for that file
+ between the two analysis runs.
+ <li>More merging of similar issues within a method. For
+ example, if the result of readLine() is dereferences multiple
+ times within a method, it will be reported as a single warning
with occurrences at multiple source lines.
- </ul>
- <p> Changes since version 1.3.3</p>
-
- <ul>
- <li>FindBugs base
- <ul>
- <li>New Reports:</li>
- <ul>
- <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC:
- equals method overrides equals in superclass and may not be symmetric</li>
- <li>EQ_ALWAYS_TRUE:
- equals method always returns true</li>
- <li>EQ_ALWAYS_FALSE:
- equals method always returns false</li>
- <li>EQ_COMPARING_CLASS_NAMES:
- equals method compares class names rather than class objects</li>
- <li>EQ_UNUSUAL: Unusual equals method</li>
- <li>EQ_GETCLASS_AND_CLASS_CONSTANT:
- equals method fails for subtypes</li>
- <li>SE_READ_RESOLVE_IS_STATIC:
- The readResolve method must not be declared as a static method.</li>
- <li>SE_PRIVATE_READ_RESOLVE_NOT_INHERITED:
- private readResolve method not inherited by subclasses</li>
- <li>MSF_MUTABLE_SERVLET_FIELD: Mutable servlet field</li>
- <li>XSS_REQUEST_PARAMETER_TO_SEND_ERROR:
- Servlet reflected cross site scripting vulnerability</li>
- <li>SKIPPED_CLASS_TOO_BIG: Class too big for analysis</li>
- </ul>
- <li>Other:</li>
- <ul>
- <li>Value-number analysis now more space-efficient</li>
- <li>Enhancements to reduce memory overhead when
- analyzing very large classes</li>
- <li>Now skips very large classes that would otherwise
- take too much time and memory to analyze</li>
- <li>Infrastructure for tracking effectively-constant/
- effectively-final fields</li>
- <li>Added more cweids</li>
- <li>Enhanced taint tracking for taint-based detectors</li>
- <li>Ignore doomed calls to equals if result is used
- as an argument to assertFalse</li>
- <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC handles compareTo</li>
- <li>Priority tweak for ICAST_INTEGER_MULTIPLY_CAST_TO_LONG
- (only low priority if multiplying by 1000)</li>
- <li>Improved tracking of fields across method calls</li>
- </ul>
- <li>Fixes:</li>
- <ul>
- <li>[ 1941450 ] DLS_DEAD_LOCAL_STORE not reported</li>
- <li>[ 1953323 ] Omitted break statement in SynchronizeAndNullCheckField</li>
- <li>[ 1942620 ] Source Directories selection dialog interface confusion (partial)</li>
- <li>[ 1948275 ] Unhelpful "Load of known null"</li>
- <li>[ 1933922 ] MWM error in findbugs</li>
- <li>[ 1934772 ] 1.3.3 appears to rely on JDK 1.6, JNLP still specifies 1.5</li>
- <li>[ 1933945 ] -loadbugs doesn't work</li>
- <li>Fixed problems for class names starting with '$'</li>
- <li>Fixed bugs and incomplete handling of annotations in
- VersionInsensitiveBugComparator</li>
- </ul>
- <li>Patches:</li>
- <ul>
- <li>[ 1955106 ] Javadoc fixes</li>
- <li>[ 1951930 ] Superfluous import statements (thanks to Jerry James)</li>
- <li>[ 1951907 ] Missing @Deprecated annotations (thanks to Jerry James)</li>
- <li>[ 1951876 ] Infonode Docking Windows compile fix (thanks to Jerry James)</li>
- <li>[ 1936055 ] bugfix for findbugs.de.comment not working (thanks to Peter Fokkinga)
- </ul>
- </ul>
- <li>FindBugs BlueJ plugin</li>
- <ul>
- <li>Updated to use FindBugs 1.3.4 (first new release since 1.1.3)</li>
- </ul>
- </ul>
-
- <p> Changes since version 1.3.2</p>
-
- <ul>
- <li>FindBugs base</li>
- <ul>
- <li>New Detectors:</li>
- <ul>
- <li>FieldItemSummary: Produces summary information
- for what is stored into fields </li>
- <li>SynchronizeOnClassLiteralNotGetClass: Look for
- code that synchronizes on the results of getClass
- rather than on class literals</li>
- <li>SynchronizingOnContentsOfFieldToProtectField: This
- detector looks for code that seems to be
- synchronizing on a field in order to guard updates
- of that field </li>
- </ul>
- <li>New BugCode:</li>
- <ul>
- <li> HRS: HTTP Response splitting vulnerability </li>
- <li> WL: Possible locking on wrong object </li>
- </ul>
- <li>New Reports:</li>
- <ul>
- <li>DMI_CONSTANT_DB_PASSWORD:
- This code creates a database connect using a hard coded, constant password </li>
- <li>HRS_REQUEST_PARAMETER_TO_COOKIE:
- HTTP cookie formed from untrusted input </li>
- <li>HRS_REQUEST_PARAMETER_TO_HTTP_HEADER:
- HTTP parameter directly written to HTTP header output </li>
- <li>CN_IMPLEMENTS_CLONE_BUT_NOT_CLONEABLE:
- Class defines clone() but doesn't implement Cloneable </li>
- <li>DL_SYNCHRONIZATION_ON_BOXED_PRIMITIVE:
- Synchronization on boxed primitive could lead to deadlock </li>
- <li> DL_SYNCHRONIZATION_ON_BOOLEAN:
- Synchronization on Boolean could lead to deadlock </li>
- <li> ML_SYNC_ON_FIELD_TO_GUARD_CHANGING_THAT_FIELD:
- Synchronization on field in futile attempt to guard that field </li>
- <li> DLS_DEAD_LOCAL_STORE_IN_RETURN:
- Useless assignment in return statement </li>
- <li> WL_USING_GETCLASS_RATHER_THAN_CLASS_LITERAL:
- Synchronization on getClass rather than class literal </li>
- </ul>
- <li>Other:</li>
- <ul>
- <li>Many enhancements to cross-site scripting detector and its documentation</li>
- <li> Enhanced switch fall through handling </li>
- <li> Enhanced unread field handling (look for IF_ACMPEQ and IF_ACMPNE) </li>
- <li> Clarified documentation for @Nullable in manual </li>
- <li> Fewer DeadLocalStore false positives </li>
- <li> Fewer UnreadField false positives </li>
- <li> Fewer StaticCalendarDetector false positives </li>
- <li> Performance fix for slow file system IO e.g. Clearcase repositories (thanks, Andrei!) </li>
- <li> Other, general performance enhancements (thanks, Andrei!) </li>
- <li> Enhancements for using FindBugs scripts with MKS on Windows (thanks, Kelly O'Hair!) </li>
- <li> Noted in the manual that jsr305.jar must be present for annotations to compile </li>
- <li> Added and fine-tuned default-nullness annotations </li>
- <li> More CWE IDs added </li>
- <li> Check and warning for unexpected BCEL version in classpath </li>
- </ul>
- <li>Fixes:</li>
- <ul>
- <li>Bug fix to handling of local variable tables in BCEL</li>
- <li>Refined documentation for MTIA_SUSPECT_STRUTS_INSTANCE_FIELD</li>
- <li>[ 1927295 ] NPE when called on project root</li>
- <li>[ 1926405 ] Incorrect dead store warning</li>
- <li>[ 1926409 ] Incorrect redundant nullcheck warning</li>
- <li>[ 1926389 ] Wrong line number printed/highlighted in bug</li>
- <li>[ 1927040 ] typo in bug description</li>
- <li>[ 1926263 ] Minor glitch in HTML output</li>
- <li>[ 1926240 ] Minor error in standard options in manual</li>
- <li>[ 1926236 ] Minor bug in installation section of manual</li>
- <li>[ 1925539 ] ZIP is default file system code base</li>
- <li>[ 1894701 ] Livelock / memory leak in ObjectTypeFactory (thanks, Andrei!)</li>
- <li>[ 1867491 ] Doesn't reload annotations after code changes in IDE (thanks, Andrei!)</li>
- <li>[ 1921399 ] -project option not supported</li>
- <li>[ 1913834 ] "Dead" store to variable with method call</li>
- <li>[ 1917352 ] H B se:...field in serializable class</li>
- <li>[ 1911617 ] CloneIdiom relies on getNameConstantOperand for INSTANCEOF</li>
- <li>[ 1911620 ] False +: DLS predecrement before return</li>
- <li>[ 1871376 ] False negative: non-serializable Map field</li>
- <li>[ 1871051 ] non standard clone() method</li>
- <li>[ 1908854 ] Error in TestASM</li>
- <li>[ 1907539 ] 22 minor errors in bug checker documentation</li>
- <li>[ 1897323 ] EJB implementation class false positives</li>
- <li>[ 1899648 ] Crash on startup on Vista with Java 1.6.0_04</li>
- </ul>
- </ul>
- <li>FindBugs Eclipse plugin (change log by Andrey Loskutov)</li>
- <ul>
- <li> new feature: export basic FindBugs numbers for projects via File-&gt;Export-&gt;Java-&gt;BugCounts (Andrey Loskutov) </li>
- <li> new feature: jobs for different projects will be run in parallel per default if running on a
- multi-core PC ("fb.allowParallelBuild" system property not used anymore) (Andrey Loskutov) </li>
- <li> fixed performance slowdown in the multi-threaded build, caused by workspace operation locks during
- assigning marker attributes (Andrey Loskutov)</li>
- </ul>
- </ul>
-
- <p> Changes since version 1.3.1</p>
-
- <ul>
- <li>FindBugs base</li>
- <ul>
- <li>New Bug Category:</li>
- <ul>
- <li>SECURITY (Abbrev: S), A use of untrusted input in
- a way that could create a remotely exploitable
- security vulnerability</li>
- </ul>
- <li>New Detectors:</li>
- <ul>
- <li>CrossSiteScripting: This detector looks for
- obvious/blatant cases of cross site scripting
- vulnerabilities</li>
- </ul>
- <li>New BugCode:</li>
- <ul>
- <li>XSS: Cross site scripting</li>
- </ul>
- <li>New Reports:</li>
- <ul>
- <li>XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: HTTP
- parameter directly written to Servlet output,
- giving XSS vulnerability</li>
- <li>XSS_REQUEST_PARAMETER_TO_JSP_WRITER: HTTP
- parameter directly written to JSP output, giving
- XSS vulnerability</li>
- <li>EQ_OTHER_USE_OBJECT: equals() method defined that
- doesn't override Object.equals(Object)</li>
- <li>EQ_OTHER_NO_OBJECT: equals() method inherits
- rather than overrides equals(Object)</li>
- <li>NP_NULL_ON_SOME_PATH_MIGHT_BE_INFEASIBLE:
- Possible null pointer dereference on path that
- might be infeasible</li>
- </ul>
- <li>Other:</li>
- <ul>
- <li>Added -noClassOk command-line parameter to
- command-line and ant interfaces; when -noClassOk
- is specified and no classfiles are given, FindBugs
- will print a warning message and output a well-
- formed file with no warnings</li>
- <li>Fewer false positives for null pointer bugs</li>
- <li>Suppress dead-local-store false positives in .jsp
- code</li>
- <li>Type fixes in warning messages</li>
- <li>Better warning message for
- NP_NULL_ON_SOME_PATH</li>
- <li>"WMI" bug code description renamed from "Wrong
- Map Iterator" to "Inefficient Map Iterator"</li>
- </ul>
- <li>Fixes:</li>
- <ul>
- <li>[ 1893048 ] FindBugs confused by a findbugs.xml file</li>
- <li>[ 1878528 ] XSL xforms don't support history features</li>
- <li>[ 1876584 ] two default.xsl flaws</li>
- <li>[ 1874856 ] Format string bug detector doesn't handle special operators</li>
- <li>[ 1872645 ] computeBugHistory - java.lang.IllegalArgumentException</li>
- <li>[ 1872237 ] Ant task fails when no .class files</li>
- <li>[ 1868670 ] Filters: include AND exclude don't allowed</li>
- <li>[ 1868666 ] check-for-oddness reported, but array length can never be negative</li>
- <li>[ 1866108 ] SetBugDatabaseInfoTask strips dir from output filename</li>
- <li>[ 1866021 ] MineBugHistoryTask strips dir of output filename</li>
- <li>[ 1865265 ] code doesn't handle StringBuffer.append([CII) right</li>
- <li>[ 1864793 ] Warning when casting a null reference compared to a String</li>
- <li>[ 1863376 ] Typo in manual chap 8: Filter Files</li>
- <li>[ 1862705 ] Transient fields that default to null</li>
- <li>[ 1842545 ] DLS on catch variable (with priority tweaking)</li>
- <li>[ 1816258 ] false positive BC_IMPOSSIBLE_CAST</li>
- <li>[ 1551732 ] Get erroneous DLS with while loop</li>
- </ul>
- </ul>
- <li>FindBugs Eclipse plugin (change log by Andrey Loskutov)</li>
- <ul>
- <li>new feature: added Bug explorer view (replacing Bug tree view), based on Common Navigator framework (Andrey Loskutov)</li>
- <li>bug 1873860 fixed: empty projects are no longer shown in Bug tree view (Andrey Loskutov)</li>
- <li>new feature: bug counts decorators for projects, folders and files (has to be activated
- via Preferences -&gt; general -&gt; appearance -&gt; label decorations)(Andrey Loskutov)</li>
- <li>patch 1746499: better icons (Alessandro Nistico)</li>
- <li>patch 1893685: Find bug actions on change sets bug (Alessandro Nistico)</li>
- <li>fixed bug 1855384: Bug configuration is broken in Eclipse (Andrey Loskutov)</li>
- <li>refactored FindBugs properties page (Andrey Loskutov)</li>
- <li>refactored FindBugs worker/builder/run action (Andrey Loskutov)</li>
- <li>FB detects now only bugs from classes on project's classpath (no double work on
- duplicated class files) (Andrey Loskutov)</li>
- <li>fixed bug introduced by the bad patch for 1867951: FB cannot be executed incrementally
- on a folder of file (Andrey Loskutov)</li>
- <li>fixed job rule: now jobs for different projects may run in parallel if running on a
- multi-core PC and "fb.allowParallelBuild" system property is set to true (Andrey Loskutov)</li>
- <li>fixed FB auto-build not started if .fbprefs or .classpath was changed (Andrey Loskutov)</li>
- <li>fixed not reporting bugs on secondary types (classes defined in java files with
- different name) (Andrey Loskutov) </li>
- </ul>
- </ul>
-
- <p> Changes since version 1.3.0</p>
- <ul>
- <li>New Reports</li>
- <ul>
- <li>VA_FORMAT_STRING_ARG_MISMATCH:
- A format-string method with a variable number of arguments is called,
- but the number of arguments passed does not match with the number of
- % placeholders in the format string. This is probably not what the
- author intended.
- <li>IO_APPENDING_TO_OBJECT_OUTPUT_STREAM:
- This code opens a file in append mode and that wraps the result in an object output stream.
- This won't allow you to append to an existing object output stream stored in a file. If you want to be
- able to append to an object output stream, you need to keep the object output stream open.
- The only situation in which opening a file in append mode and the writing an object output stream
- could work is if on reading the file you plan to open it in random access mode and seek to the byte offset
- where the append started.
- <li>NP_BOOLEAN_RETURN_NULL:
- A method that returns either Boolean.TRUE, Boolean.FALSE or null is an accident waiting to happen.
- This method can be invoked as though it returned a value of type boolean, and
- the compiler will insert automatic unboxing of the Boolean value. If a null value is returned,
- this will result in a NullPointerException.
- </ul>
- <li>Changes to Existing Reports</li>
- <ul>
- <li>RV_DONT_JUST_NULL_CHECK_READLINE: CORRECTNESS -&gt; STYLE</li>
- <li>DMI_INVOKING_TOSTRING_ON_ARRAY: Long description mentions array name whenever possible</li>
- </ul>
- <li>Fixes:</li>
- <ul>
- <li>Updated manual to mention that Java 1.5 is now a requirement for running FindBugs
- <li>Applied patch 1840206 fixing issue "Ant task does not work when presetdef is used" - thanks to phejl
- <li>Applied patch 1778690 fixing issue "Ant task: tolerate but complain about invalid auxClasspath" - thanks to David Schmidt
- <li>Applied patch 1852125 adding a Chinese-language GUI bundle props file - thanks to fifi
- <li>Applied patch 1845903 adding ability to load XML results with the Eclipse plugin - thanks to Alex Mont
- <li>Fixed issue 1844671 - "FP for "reversed" null check in catch for stream close"
- <li>Fixed issue 1836050 - "-onlyAnalyze broken"
- <li>Fixed issue 1853011 - "Typo: Field names should start with aN lower case letter"
- <li>Fixed issue 1844181 - "JNLP file does not contain all necessary JARs"
- <li>Fixed issue 1840245 - "xxxException class does not derive from Exception"
- <li>Fixed issue 1840277 - "[M D EC] Typo in bug documentation"
- <li>Fixed issue 1782447 - "OutOfMemoryError if i activate Findbugs on my project"
- <li>Fixed issue 1830576 - "[regression] keySet/entrySet false positive"
- </ul>
- <li>Other:</li>
- <ul>
- <li>New bug code: "IO" (for IO_APPENDING_TO_OBJECT_OUTPUT_STREAM)</li>
- <li>Added "-onlyMostRecent" option for computeBugHistory script/ant task
- <li>More explicit language in RV_RETURN_VALUE_IGNORED_BAD_PRACTICE messages
- <li>Modified ResourceValueAnalysis to correctly identify null == X or null != X as a null check (for issue 1844671)
- <li>Modified DMI_HARDCODED_ABSOLUTE_FILENAME logic in DumbMethodInvocations to ignore files from /etc or /dev and increase priority of files from /home
- <li>Better bug details for infinite loop warnings
- <li>Modified unread-fields detector to reduce false positives from reflective fields
- <li>build.xml "classes" target now builds all sources in one step
- </ul>
- </ul>
-
- <p> Changes since version 1.2.1</p>
- <ul>
- <li>New Detectors and Reports</li>
- <ul>
- <li>SynchronizationOnSharedBuiltinConstant</li>
- <ul>
- <li>DL_SYNCHRONIZATION_ON_SHARED_CONSTANT:
- The code synchronizes on a shared primitive
- constant, such as an interned String. Such
- constants are interned and shared across all other
- classes loaded by the JVM. Thus, this could be
- locking on something that other code might also be
- locking. This could result in very strange and hard
- to diagnose blocking and deadlock behavior. See
- <a href="http://www.javalobby.org/java/forums/t96352.html">http://www.javalobby.org/java/forums/t96352.html</a>
- and
- <a href="http://jira.codehaus.org/browse/JETTY-352">http://jira.codehaus.org/browse/JETTY-352</a>.
- </ul>
- <li>OverridingEqualsNotSymmetrical</li>
- <ul>
- <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC:
- Looks for equals methods that override equals
- methods in a superclass where the equivalence
- relationship might not be symmetrical.
- </ul>
- <li>CheckTypeQualifiers</li>
- <ul>
- <li>TQ_ALWAYS_VALUE_USED_WHERE_NEVER_REQUIRED:
- A value specified as carrying a type qualifier
- annotation is consumed in a location or locations
- requiring that the value not carry that annotation.
- More precisely, a value annotated with a type
- qualifier specifying when=ALWAYS is guaranteed to reach
- a use or uses where the same type qualifier specifies
- when=NEVER.
- </li>
- <li>TQ_NEVER_VALUE_USED_WHERE_ALWAYS_REQUIRED:
- A value specified as not carrying a type qualifier
- annotation is guaranteed to be consumed in a location
- or locations requiring that the value does carry that
- annotation. More precisely, a value annotated with a
- type qualifier specifying when=NEVER is guaranteed to
- reach a use or uses where the same type qualifier
- specifies when=ALWAYS.
- </li>
- <li>TQ_MAYBE_SOURCE_VALUE_REACHES_ALWAYS_SINK:
- A value that might not carry a type qualifier
- annotation reaches a use which requires that
- annotation.
- </li>
- <li>TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK:
- A value which might carry a type qualifier annotation
- reaches a use which forbids values carrying that
- annotation.
- </li>
- </ul>
- </ul>
- <li>New Reports (existing detectors)</li>
- <ul>
- <li>FindHEmismatch</li>
- <ul>
- <li>EQ_DOESNT_OVERRIDE_EQUALS:
- This class extends a class that defines an equals
- method and adds fields, but doesn't define an equals
- method itself. Thus, equality on instances of this
- class will ignore the identity of the subclass and the
- added fields. Be sure this is what is intended, and
- that you don't need to override the equals method. Even
- if you don't need to override the equals method,
- consider overriding it anyway to document the fact that
- the equals method for the subclass just return the
- result of invoking super.equals(o).
- </li>
- </ul>
- <li>Naming
- <ul>
- <li>NM_WRONG_PACKAGE, NM_WRONG_PACKAGE_INTENTIONAL:
- The method in the subclass doesn't override a similar
- method in a superclass because the type of a parameter
- doesn't exactly match the type of the corresponding
- parameter in the superclass.
- </li>
- <li>NM_SAME_SIMPLE_NAME_AS_SUPERCLASS:
- This class has a simple name that is identical to that
- of its superclass, except that its superclass is in a
- different package (e.g., <code>alpha.Foo</code>
- extends <code>beta.Foo</code>). This can be
- exceptionally confusing, create lots of situations in
- which you have to look at import statements to resolve
- references and creates many opportunities to
- accidently define methods that do not override methods
- in their superclasses.
- </li>
- <li>NM_SAME_SIMPLE_NAME_AS_INTERFACE:
- This class/interface has a simple name that is
- identical to that of an implemented/extended
- interface, except that the interface is in a different
- package (e.g., <code>alpha.Foo</code> extends
- <code>beta.Foo</code>). This can be exceptionally
- confusing, create lots of situations in which you have
- to look at import statements to resolve references and
- creates many opportunities to accidently define methods
- that do not override methods in their superclasses.
- </li>
- </ul>
- <li>FindRefComparison</li>
- <ul>
- <li>EC_UNRELATED_TYPES_USING_POINTER_EQUALITY:
- This method uses using pointer equality to compare two
- references that seem to be of different types. The
- result of this comparison will always be false at
- runtime.
- </li>
- </ul>
- <li>IncompatMask</li>
- <ul>
- <li>BIT_SIGNED_CHECK, BIT_SIGNED_CHECK_HIGH_BIT:
- This method compares an expression such as
- <tt>((event.detail &amp; SWT.SELECTED) &gt; 0)</tt>. Using
- bit arithmetic and then comparing with the greater than
- operator can lead to unexpected results (of course
- depending on the value of SWT.SELECTED). If
- SWT.SELECTED is a negative number, this is a candidate
- for a bug. Even when SWT.SELECTED is not negative, it
- seems good practice to use '!= 0' instead of '&gt; 0'.
- </li>
- </ul>
- <li>LazyInit</li>
- <ul>
- <li>LI_LAZY_INIT_UPDATE_STATIC:
- This method contains an unsynchronized lazy
- initialization of a static field. After the field is
- set, the object stored into that location is further
- accessed. The setting of the field is visible to other
- threads as soon as it is set. If the further accesses in
- the method that set the field serve to initialize the
- object, then you have a <em>very serious</em>
- multithreading bug, unless something else prevents any
- other thread from accessing the stored object until it
- is fully initialized.
- </li>
- </ul>
- <li>FindDeadLocalStores</li>
- <ul>
- <li>DLS_DEAD_STORE_OF_CLASS_LITERAL:
- This instruction assigns a class literal to a variable
- and then never uses it.
- <a href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">The behavior of this differs in Java 1.4 and in Java 5.</a>
- In Java 1.4 and earlier, a reference to
- <code>Foo.class</code> would force the static
- initializer for <code>Foo</code> to be executed, if it
- has not been executed already. In Java 5 and later, it
- does not. See Sun's
- <a href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">article on Java SE compatibility</a>
- for more details and examples, and suggestions on how
- to force class initialization in Java 5.
- </li>
- </ul>
- <li>MethodReturnCheck</li>
- <ul>
- <li>RV_RETURN_VALUE_IGNORED_BAD_PRACTICE:
- This method returns a value that is not checked. The
- return value should be checked since it can indication
- an unusual or unexpected function execution. For
- example, the <code>File.delete()</code> method returns
- false if the file could not be successfully deleted
- (rather than throwing an Exception). If you don't
- check the result, you won't notice if the method
- invocation signals unexpected behavior by returning an
- atypical return value.
- </li>
- <li>RV_EXCEPTION_NOT_THROWN:
- This code creates an exception (or error) object, but
- doesn't do anything with it.
- </li>
- </ul>
- </ul>
- <li>Changes to Existing Reports</li>
- <ul>
- <li>NS_NON_SHORT_CIRCUIT: BAD_PRACTICE -&gt; STYLE</li>
- <li>NS_DANGEROUS_NON_SHORT_CIRCUIT: CORRECTNESS -&gt; STYLE</li>
- <li>RC_REF_COMPARISON: CORRECTNESS -&gt; BAD_PRACTICE</li>
- </ul>
- <li>GUI Changes</li>
- <ul>
- <li>Added importing and exporting of bug filters</li>
- <li>Better handling of failed analysis runs</li>
- <li>Added "-look" parameter for selecting look-and-feel</li>
- <li>Fixed incorrect package filtering</li>
- <li>Fixed issue where "synchronized" was not syntax-highlighted</li>
- </ul>
- <li>Ant-task Changes</li>
- <ul>
- <li>Refactored common ant-task code to AbstractFindBugsTask</li>
- <li>Added tasks for computeBugHistory, convertXmlToText, filterBugs, mineBugHistory, setBugDatabaseInfo</li>
- </ul>
- <li>Manual</li>
- <ul>
- <li>Updates to GUI section, including new screenshots</li>
- <li>Added description of rejarForAnalysis</li>
- <li>Revamp of data-mining section</li>
- </ul>
- <li>Other Major</li>
- <ul>
- <li>Internal restructuring for lower memory overhead</li>
- </ul>
- <li>Other Minor</li>
- <ul>
- <li>Fixed typo: was STCAL_STATIC_SIMPLE_DATA_FORMAT_INSTANCE now STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE</li>
- <li>-outputFile parameter became -output</li>
- <li>More sensitivity and specificity inLazyInit detector</li>
- <li>More sensitivity and specificity in Naming detector</li>
- <li>More sensitivity and specificity in UnreadFields detector</li>
- <li>More sensitivity in FindNullDeref detector</li>
- <li>More sensitivity in FindBadCast2 detector</li>
- <li>More specificity in FindReturnRef detector</li>
- <li>Many other tweaks and bug fixes</li>
- </ul>
- </ul>
-
- <p> Changes since version 1.2.0</p>
- <ul>
- <li>Bug fixes:
- <ul>
- <li><a href="http://fisheye2.cenqua.com/changelog/findbugs/?cs=8219">Fix</a> <a href="http://sourceforge.net/tracker/index.php?func=detail&aid=1726946&group_id=96405&atid=614693">bug</a> with detectors that were requested to be disabled but were enabled due to requirements of other detectors.</li>
- <li>Fix bugs in incremental analysis within Eclipse plugin</li>
- <li>Fix some analysis errors</li>
- <li>Fix some threading bugs in GUI2</li>
- <li>Report version as version when it was compiled, not when it was run</li>
- <li>Copy analysis time stamp when filtering or transforming analysis files.</li>
- </ul>
- <li>Enabled StaticCalendarDetector
+ </ul>
+ <p>Changes since version 1.3.3</p>
+
+ <ul>
+ <li>FindBugs base
+ <ul>
+ <li>New Reports:
+ <ul>
+ <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC: equals method
+ overrides equals in superclass and may not be symmetric</li>
+ <li>EQ_ALWAYS_TRUE: equals method always returns true</li>
+ <li>EQ_ALWAYS_FALSE: equals method always returns false</li>
+ <li>EQ_COMPARING_CLASS_NAMES: equals method compares class
+ names rather than class objects</li>
+ <li>EQ_UNUSUAL: Unusual equals method</li>
+ <li>EQ_GETCLASS_AND_CLASS_CONSTANT: equals method fails
+ for subtypes</li>
+ <li>SE_READ_RESOLVE_IS_STATIC: The readResolve method must
+ not be declared as a static method.</li>
+ <li>SE_PRIVATE_READ_RESOLVE_NOT_INHERITED: private
+ readResolve method not inherited by subclasses</li>
+ <li>MSF_MUTABLE_SERVLET_FIELD: Mutable servlet field</li>
+ <li>XSS_REQUEST_PARAMETER_TO_SEND_ERROR: Servlet reflected
+ cross site scripting vulnerability</li>
+ <li>SKIPPED_CLASS_TOO_BIG: Class too big for analysis</li>
+ </ul>
+ </li>
+ <li>Other:
+ <ul>
+ <li>Value-number analysis now more space-efficient</li>
+ <li>Enhancements to reduce memory overhead when analyzing
+ very large classes</li>
+ <li>Now skips very large classes that would otherwise take
+ too much time and memory to analyze</li>
+ <li>Infrastructure for tracking effectively-constant/
+ effectively-final fields</li>
+ <li>Added more cweids</li>
+ <li>Enhanced taint tracking for taint-based detectors</li>
+ <li>Ignore doomed calls to equals if result is used as an
+ argument to assertFalse</li>
+ <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC handles compareTo</li>
+ <li>Priority tweak for ICAST_INTEGER_MULTIPLY_CAST_TO_LONG
+ (only low priority if multiplying by 1000)</li>
+ <li>Improved tracking of fields across method calls</li>
+ </ul>
+ </li>
+ <li>Fixes:
+ <ul>
+ <li>[ 1941450 ] DLS_DEAD_LOCAL_STORE not reported</li>
+ <li>[ 1953323 ] Omitted break statement in
+ SynchronizeAndNullCheckField</li>
+ <li>[ 1942620 ] Source Directories selection dialog
+ interface confusion (partial)</li>
+ <li>[ 1948275 ] Unhelpful "Load of known null"</li>
+ <li>[ 1933922 ] MWM error in findbugs</li>
+ <li>[ 1934772 ] 1.3.3 appears to rely on JDK 1.6, JNLP
+ still specifies 1.5</li>
+ <li>[ 1933945 ] -loadbugs doesn't work</li>
+ <li>Fixed problems for class names starting with '$'</li>
+ <li>Fixed bugs and incomplete handling of annotations in
+ VersionInsensitiveBugComparator</li>
+ </ul>
+ </li>
+ <li>Patches:
+ <ul>
+ <li>[ 1955106 ] Javadoc fixes</li>
+ <li>[ 1951930 ] Superfluous import statements (thanks to
+ Jerry James)</li>
+ <li>[ 1951907 ] Missing @Deprecated annotations (thanks to
+ Jerry James)</li>
+ <li>[ 1951876 ] Infonode Docking Windows compile fix
+ (thanks to Jerry James)</li>
+ <li>[ 1936055 ] bugfix for findbugs.de.comment not working
+ (thanks to Peter Fokkinga)
+ </ul>
+ </li>
+ </ul>
+ <li>FindBugs BlueJ plugin
+ <ul>
+ <li>Updated to use FindBugs 1.3.4 (first new release since
+ 1.1.3)</li>
+ </ul>
</li>
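Review bot: In the added 1.3.3 section, the `<li>[ 1936055 ] bugfix for findbugs.de.comment not working` entry and the enclosing `<li>FindBugs base` item are never closed with `</li>`. Their sibling entries are closed, and so is the matching `FindBugs base` item in the 1.3.2 section. The HTML 4.01 Transitional doctype this patch adds makes the end tag optional, so the page still parses, but the mixed style makes the nesting hard to follow in a list this deep. Since the file comes in with the FindBugs 2.0.3 update, I would either add the two missing `</li>` tags upstream or leave the vendored copy byte-identical to the release and note the inconsistency in README.chromium, rather than fix it only here.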
- <li>Reworked GUI2 to use standard FindBugs filters
+ </ul>
+
+ <p>Changes since version 1.3.2</p>
+
+ <ul>
+ <li>FindBugs base
+ <ul>
+ <li>New Detectors:
+ <ul>
+ <li>FieldItemSummary: Produces summary information for
+ what is stored into fields</li>
+ <li>SynchronizeOnClassLiteralNotGetClass: Look for code
+ that synchronizes on the results of getClass rather than on
+ class literals</li>
+ <li>SynchronizingOnContentsOfFieldToProtectField: This
+ detector looks for code that seems to be synchronizing on a
+ field in order to guard updates of that field</li>
+ </ul>
+ </li>
+ <li>New BugCode:
+ <ul>
+ <li>HRS: HTTP Response splitting vulnerability</li>
+ <li>WL: Possible locking on wrong object</li>
+ </ul>
+ </li>
+ <li>New Reports:
+ <ul>
+ <li>DMI_CONSTANT_DB_PASSWORD: This code creates a database
+ connect using a hard coded, constant password</li>
+ <li>HRS_REQUEST_PARAMETER_TO_COOKIE: HTTP cookie formed
+ from untrusted input</li>
+ <li>HRS_REQUEST_PARAMETER_TO_HTTP_HEADER: HTTP parameter
+ directly written to HTTP header output</li>
+ <li>CN_IMPLEMENTS_CLONE_BUT_NOT_CLONEABLE: Class defines
+ clone() but doesn't implement Cloneable</li>
+ <li>DL_SYNCHRONIZATION_ON_BOXED_PRIMITIVE: Synchronization
+ on boxed primitive could lead to deadlock</li>
+ <li>DL_SYNCHRONIZATION_ON_BOOLEAN: Synchronization on
+ Boolean could lead to deadlock</li>
+ <li>ML_SYNC_ON_FIELD_TO_GUARD_CHANGING_THAT_FIELD:
+ Synchronization on field in futile attempt to guard that field
+ </li>
+ <li>DLS_DEAD_LOCAL_STORE_IN_RETURN: Useless assignment in
+ return statement</li>
+ <li>WL_USING_GETCLASS_RATHER_THAN_CLASS_LITERAL:
+ Synchronization on getClass rather than class literal</li>
+ </ul>
+ </li>
+ <li>Other:
+ <ul>
+ <li>Many enhancements to cross-site scripting detector and
+ its documentation</li>
+ <li>Enhanced switch fall through handling</li>
+ <li>Enhanced unread field handling (look for IF_ACMPEQ and
+ IF_ACMPNE)</li>
+ <li>Clarified documentation for @Nullable in manual</li>
+ <li>Fewer DeadLocalStore false positives</li>
+ <li>Fewer UnreadField false positives</li>
+ <li>Fewer StaticCalendarDetector false positives</li>
+ <li>Performance fix for slow file system IO e.g. Clearcase
+ repositories (thanks, Andrei!)</li>
+ <li>Other, general performance enhancements (thanks,
+ Andrei!)</li>
+ <li>Enhancements for using FindBugs scripts with MKS on
+ Windows (thanks, Kelly O'Hair!)</li>
+ <li>Noted in the manual that jsr305.jar must be present
+ for annotations to compile</li>
+ <li>Added and fine-tuned default-nullness annotations</li>
+ <li>More CWE IDs added</li>
+ <li>Check and warning for unexpected BCEL version in
+ classpath</li>
+ </ul>
+ </li>
+ <li>Fixes:
+ <ul>
+ <li>Bug fix to handling of local variable tables in BCEL</li>
+ <li>Refined documentation for
+ MTIA_SUSPECT_STRUTS_INSTANCE_FIELD</li>
+ <li>[ 1927295 ] NPE when called on project root</li>
+ <li>[ 1926405 ] Incorrect dead store warning</li>
+ <li>[ 1926409 ] Incorrect redundant nullcheck warning</li>
+ <li>[ 1926389 ] Wrong line number printed/highlighted in
+ bug</li>
+ <li>[ 1927040 ] typo in bug description</li>
+ <li>[ 1926263 ] Minor glitch in HTML output</li>
+ <li>[ 1926240 ] Minor error in standard options in manual</li>
+ <li>[ 1926236 ] Minor bug in installation section of
+ manual</li>
+ <li>[ 1925539 ] ZIP is default file system code base</li>
+ <li>[ 1894701 ] Livelock / memory leak in
+ ObjectTypeFactory (thanks, Andrei!)</li>
+ <li>[ 1867491 ] Doesn't reload annotations after code
+ changes in IDE (thanks, Andrei!)</li>
+ <li>[ 1921399 ] -project option not supported</li>
+ <li>[ 1913834 ] "Dead" store to variable with method call</li>
+ <li>[ 1917352 ] H B se:...field in serializable class</li>
+ <li>[ 1911617 ] CloneIdiom relies on
+ getNameConstantOperand for INSTANCEOF</li>
+ <li>[ 1911620 ] False +: DLS predecrement before return</li>
+ <li>[ 1871376 ] False negative: non-serializable Map field</li>
+ <li>[ 1871051 ] non standard clone() method</li>
+ <li>[ 1908854 ] Error in TestASM</li>
+ <li>[ 1907539 ] 22 minor errors in bug checker
+ documentation</li>
+ <li>[ 1897323 ] EJB implementation class false positives</li>
+ <li>[ 1899648 ] Crash on startup on Vista with Java
+ 1.6.0_04</li>
+ </ul>
+ </li>
+ </ul>
</li>
- <ul>
- <li>Allow a suppression filter to be stored in a project and persisted to the XML representation of a project.
+ <li>FindBugs Eclipse plugin (change log by Andrey Loskutov)
+ <ul>
+ <li>new feature: export basic FindBugs numbers for projects
+ via File-&gt;Export-&gt;Java-&gt;BugCounts (Andrey Loskutov)</li>
+ <li>new feature: jobs for different projects will be run in
+ parallel per default if running on a multi-core PC
+ ("fb.allowParallelBuild" system property not used anymore)
+ (Andrey Loskutov)</li>
+ <li>fixed performance slowdown in the multi-threaded build,
+ caused by workspace operation locks during assigning marker
+ attributes (Andrey Loskutov)</li>
+ </ul>
</li>
- </ul>
-
- <li>Move away from old GUI2 save format (a directory containing an xml file and another file containing serialized filters).
+ </ul>
+
+ <p>Changes since version 1.3.1</p>
+
+ <ul>
+ <li>FindBugs base
+ <ul>
+ <li>New Bug Category:
+ <ul>
+ <li>SECURITY (Abbrev: S), A use of untrusted input in a
+ way that could create a remotely exploitable security
+ vulnerability</li>
+ </ul>
+ </li>
+ <li>New Detectors:
+ <ul>
+ <li>CrossSiteScripting: This detector looks for
+ obvious/blatant cases of cross site scripting vulnerabilities</li>
+ </ul>
+ </li>
+ <li>New BugCode:
+ <ul>
+ <li>XSS: Cross site scripting</li>
+ </ul>
+ </li>
+ <li>New Reports:
+ <ul>
+ <li>XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: HTTP
+ parameter directly written to Servlet output, giving XSS
+ vulnerability</li>
+ <li>XSS_REQUEST_PARAMETER_TO_JSP_WRITER: HTTP parameter
+ directly written to JSP output, giving XSS vulnerability</li>
+ <li>EQ_OTHER_USE_OBJECT: equals() method defined that
+ doesn't override Object.equals(Object)</li>
+ <li>EQ_OTHER_NO_OBJECT: equals() method inherits rather
+ than overrides equals(Object)</li>
+ <li>NP_NULL_ON_SOME_PATH_MIGHT_BE_INFEASIBLE: Possible
+ null pointer dereference on path that might be infeasible</li>
+ </ul>
+ </li>
+ <li>Other:
+ <ul>
+ <li>Added -noClassOk command-line parameter to
+ command-line and ant interfaces; when -noClassOk is specified
+ and no classfiles are given, FindBugs will print a warning
+ message and output a well- formed file with no warnings</li>
+ <li>Fewer false positives for null pointer bugs</li>
+ <li>Suppress dead-local-store false positives in .jsp code</li>
+ <li>Type fixes in warning messages</li>
+ <li>Better warning message for NP_NULL_ON_SOME_PATH</li>
+ <li>"WMI" bug code description renamed from "Wrong Map
+ Iterator" to "Inefficient Map Iterator"</li>
+ </ul>
+ </li>
+ <li>Fixes:
+ <ul>
+ <li>[ 1893048 ] FindBugs confused by a findbugs.xml file</li>
+ <li>[ 1878528 ] XSL xforms don't support history features</li>
+ <li>[ 1876584 ] two default.xsl flaws</li>
+ <li>[ 1874856 ] Format string bug detector doesn't handle
+ special operators</li>
+ <li>[ 1872645 ] computeBugHistory -
+ java.lang.IllegalArgumentException</li>
+ <li>[ 1872237 ] Ant task fails when no .class files</li>
+ <li>[ 1868670 ] Filters: include AND exclude don't allowed</li>
+ <li>[ 1868666 ] check-for-oddness reported, but array
+ length can never be negative</li>
+ <li>[ 1866108 ] SetBugDatabaseInfoTask strips dir from
+ output filename</li>
+ <li>[ 1866021 ] MineBugHistoryTask strips dir of output
+ filename</li>
+ <li>[ 1865265 ] code doesn't handle
+ StringBuffer.append([CII) right</li>
+ <li>[ 1864793 ] Warning when casting a null reference
+ compared to a String</li>
+ <li>[ 1863376 ] Typo in manual chap 8: Filter Files</li>
+ <li>[ 1862705 ] Transient fields that default to null</li>
+ <li>[ 1842545 ] DLS on catch variable (with priority
+ tweaking)</li>
+ <li>[ 1816258 ] false positive BC_IMPOSSIBLE_CAST</li>
+ <li>[ 1551732 ] Get erroneous DLS with while loop</li>
+ </ul>
+ </li>
+ </ul>
+ </li>
+ <li>FindBugs Eclipse plugin (change log by Andrey Loskutov)
+ <ul>
+ <li>new feature: added Bug explorer view (replacing Bug tree
+ view), based on Common Navigator framework (Andrey Loskutov)</li>
+ <li>bug 1873860 fixed: empty projects are no longer shown in
+ Bug tree view (Andrey Loskutov)</li>
+ <li>new feature: bug counts decorators for projects, folders
+ and files (has to be activated via Preferences -&gt; general
+ -&gt; appearance -&gt; label decorations)(Andrey Loskutov)</li>
+ <li>patch 1746499: better icons (Alessandro Nistico)</li>
+ <li>patch 1893685: Find bug actions on change sets bug
+ (Alessandro Nistico)</li>
+ <li>fixed bug 1855384: Bug configuration is broken in
+ Eclipse (Andrey Loskutov)</li>
+ <li>refactored FindBugs properties page (Andrey Loskutov)</li>
+ <li>refactored FindBugs worker/builder/run action (Andrey
+ Loskutov)</li>
+ <li>FB detects now only bugs from classes on project's
+ classpath (no double work on duplicated class files) (Andrey
+ Loskutov)</li>
+ <li>fixed bug introduced by the bad patch for 1867951: FB
+ cannot be executed incrementally on a folder of file (Andrey
+ Loskutov)</li>
+ <li>fixed job rule: now jobs for different projects may run
+ in parallel if running on a multi-core PC and
+ "fb.allowParallelBuild" system property is set to true (Andrey
+ Loskutov)</li>
+ <li>fixed FB auto-build not started if .fbprefs or
+ .classpath was changed (Andrey Loskutov)</li>
+ <li>fixed not reporting bugs on secondary types (classes
+ defined in java files with different name) (Andrey Loskutov)</li>
+ </ul>
+ </li>
+ </ul>
+
+ <p>Changes since version 1.3.0</p>
+ <ul>
+ <li>New Reports
+ <ul>
+ <li>VA_FORMAT_STRING_ARG_MISMATCH: A format-string method
+ with a variable number of arguments is called, but the number of
+ arguments passed does not match with the number of %
+ placeholders in the format string. This is probably not what the
+ author intended.
+ <li>IO_APPENDING_TO_OBJECT_OUTPUT_STREAM: This code opens a
+ file in append mode and that wraps the result in an object
+ output stream. This won't allow you to append to an existing
+ object output stream stored in a file. If you want to be able to
+ append to an object output stream, you need to keep the object
+ output stream open. The only situation in which opening a file
+ in append mode and the writing an object output stream could
+ work is if on reading the file you plan to open it in random
+ access mode and seek to the byte offset where the append
+ started.
+ <li>NP_BOOLEAN_RETURN_NULL: A method that returns either
+ Boolean.TRUE, Boolean.FALSE or null is an accident waiting to
+ happen. This method can be invoked as though it returned a value
+ of type boolean, and the compiler will insert automatic unboxing
+ of the Boolean value. If a null value is returned, this will
+ result in a NullPointerException.
+ </ul>
+ </li>
+ <li>Changes to Existing Reports
+ <ul>
+ <li>RV_DONT_JUST_NULL_CHECK_READLINE: CORRECTNESS -&gt;
+ STYLE</li>
+ <li>DMI_INVOKING_TOSTRING_ON_ARRAY: Long description
+ mentions array name whenever possible</li>
+ </ul>
+ </li>
+ <li>Fixes:
+ <ul>
+ <li>Updated manual to mention that Java 1.5 is now a
+ requirement for running FindBugs
+ <li>Applied patch 1840206 fixing issue "Ant task does not
+ work when presetdef is used" - thanks to phejl
+ <li>Applied patch 1778690 fixing issue "Ant task: tolerate
+ but complain about invalid auxClasspath" - thanks to David
+ Schmidt
+ <li>Applied patch 1852125 adding a Chinese-language GUI
+ bundle props file - thanks to fifi
+ <li>Applied patch 1845903 adding ability to load XML results
+ with the Eclipse plugin - thanks to Alex Mont
+ <li>Fixed issue 1844671 - "FP for "reversed" null check in
+ catch for stream close"
+ <li>Fixed issue 1836050 - "-onlyAnalyze broken"
+ <li>Fixed issue 1853011 - "Typo: Field names should start
+ with aN lower case letter"
+ <li>Fixed issue 1844181 - "JNLP file does not contain all
+ necessary JARs"
+ <li>Fixed issue 1840245 - "xxxException class does not
+ derive from Exception"
+ <li>Fixed issue 1840277 - "[M D EC] Typo in bug
+ documentation"
+ <li>Fixed issue 1782447 - "OutOfMemoryError if i activate
+ Findbugs on my project"
+ <li>Fixed issue 1830576 - "[regression] keySet/entrySet
+ false positive"
+ </ul>
+ </li>
+ <li>Other:
+ <ul>
+ <li>New bug code: "IO" (for
+ IO_APPENDING_TO_OBJECT_OUTPUT_STREAM)</li>
+ <li>Added "-onlyMostRecent" option for computeBugHistory
+ script/ant task
+ <li>More explicit language in
+ RV_RETURN_VALUE_IGNORED_BAD_PRACTICE messages
+ <li>Modified ResourceValueAnalysis to correctly identify
+ null == X or null != X as a null check (for issue 1844671)
+ <li>Modified DMI_HARDCODED_ABSOLUTE_FILENAME logic in
+ DumbMethodInvocations to ignore files from /etc or /dev and
+ increase priority of files from /home
+ <li>Better bug details for infinite loop warnings
+ <li>Modified unread-fields detector to reduce false
+ positives from reflective fields
+ <li>build.xml "classes" target now builds all sources in one
+ step
+ </ul>
+ </li>
+ </ul>
+
+ <p>Changes since version 1.2.1</p>
+ <ul>
+ <li>New Detectors and Reports
+ <ul>
+ <li>SynchronizationOnSharedBuiltinConstant
+ <ul>
+ <li>DL_SYNCHRONIZATION_ON_SHARED_CONSTANT: The code
+ synchronizes on a shared primitive constant, such as an
+ interned String. Such constants are interned and shared across
+ all other classes loaded by the JVM. Thus, this could be
+ locking on something that other code might also be locking.
+ This could result in very strange and hard to diagnose
+ blocking and deadlock behavior. See <a
+ href="http://www.javalobby.org/java/forums/t96352.html">http://www.javalobby.org/java/forums/t96352.html</a>
+ and <a href="http://jira.codehaus.org/browse/JETTY-352">http://jira.codehaus.org/browse/JETTY-352</a>.
+
+ </ul>
+ </li>
+ <li>OverridingEqualsNotSymmetrical
+ <ul>
+ <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC: Looks for equals
+ methods that override equals methods in a superclass where the
+ equivalence relationship might not be symmetrical.
+ </ul>
+ </li>
+ <li>CheckTypeQualifiers
+ <ul>
+ <li>TQ_ALWAYS_VALUE_USED_WHERE_NEVER_REQUIRED: A value
+ specified as carrying a type qualifier annotation is consumed
+ in a location or locations requiring that the value not carry
+ that annotation. More precisely, a value annotated with a type
+ qualifier specifying when=ALWAYS is guaranteed to reach a use
+ or uses where the same type qualifier specifies when=NEVER.</li>
+ <li>TQ_NEVER_VALUE_USED_WHERE_ALWAYS_REQUIRED: A value
+ specified as not carrying a type qualifier annotation is
+ guaranteed to be consumed in a location or locations requiring
+ that the value does carry that annotation. More precisely, a
+ value annotated with a type qualifier specifying when=NEVER is
+ guaranteed to reach a use or uses where the same type
+ qualifier specifies when=ALWAYS.</li>
+ <li>TQ_MAYBE_SOURCE_VALUE_REACHES_ALWAYS_SINK: A value
+ that might not carry a type qualifier annotation reaches a use
+ which requires that annotation.</li>
+ <li>TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK: A value
+ which might carry a type qualifier annotation reaches a use
+ which forbids values carrying that annotation.</li>
+ </ul>
+ </li>
+ </ul>
+ </li>
+ <li>New Reports (existing detectors)
+ <ul>
+ <li>FindHEmismatch
+ <ul>
+ <li>EQ_DOESNT_OVERRIDE_EQUALS: This class extends a class
+ that defines an equals method and adds fields, but doesn't
+ define an equals method itself. Thus, equality on instances of
+ this class will ignore the identity of the subclass and the
+ added fields. Be sure this is what is intended, and that you
+ don't need to override the equals method. Even if you don't
+ need to override the equals method, consider overriding it
+ anyway to document the fact that the equals method for the
+ subclass just return the result of invoking super.equals(o).</li>
+ </ul>
+ </li>
+ <li>Naming
+ <ul>
+ <li>NM_WRONG_PACKAGE, NM_WRONG_PACKAGE_INTENTIONAL: The
+ method in the subclass doesn't override a similar method in a
+ superclass because the type of a parameter doesn't exactly
+ match the type of the corresponding parameter in the
+ superclass.</li>
+ <li>NM_SAME_SIMPLE_NAME_AS_SUPERCLASS: This class has a
+ simple name that is identical to that of its superclass,
+ except that its superclass is in a different package (e.g., <code>alpha.Foo</code>
+ extends <code>beta.Foo</code>). This can be exceptionally
+ confusing, create lots of situations in which you have to look
+ at import statements to resolve references and creates many
+ opportunities to accidently define methods that do not
+ override methods in their superclasses.
+ </li>
+ <li>NM_SAME_SIMPLE_NAME_AS_INTERFACE: This class/interface
+ has a simple name that is identical to that of an
+ implemented/extended interface, except that the interface is
+ in a different package (e.g., <code>alpha.Foo</code> extends <code>beta.Foo</code>).
+ This can be exceptionally confusing, create lots of situations
+ in which you have to look at import statements to resolve
+ references and creates many opportunities to accidently define
+ methods that do not override methods in their superclasses.
+ </li>
+ </ul>
+ <li>FindRefComparison
+ <ul>
+ <li>EC_UNRELATED_TYPES_USING_POINTER_EQUALITY: This method
+ uses using pointer equality to compare two references that
+ seem to be of different types. The result of this comparison
+ will always be false at runtime.</li>
+ </ul>
+ </li>
+ <li>IncompatMask
+ <ul>
+ <li>BIT_SIGNED_CHECK, BIT_SIGNED_CHECK_HIGH_BIT: This
+ method compares an expression such as <tt>((event.detail
+ &amp; SWT.SELECTED) &gt; 0)</tt>. Using bit arithmetic and then
+ comparing with the greater than operator can lead to
+ unexpected results (of course depending on the value of
+ SWT.SELECTED). If SWT.SELECTED is a negative number, this is a
+ candidate for a bug. Even when SWT.SELECTED is not negative,
+ it seems good practice to use '!= 0' instead of '&gt; 0'.
+ </li>
+ </ul>
+ </li>
+ <li>LazyInit
+ <ul>
+ <li>LI_LAZY_INIT_UPDATE_STATIC: This method contains an
+ unsynchronized lazy initialization of a static field. After
+ the field is set, the object stored into that location is
+ further accessed. The setting of the field is visible to other
+ threads as soon as it is set. If the further accesses in the
+ method that set the field serve to initialize the object, then
+ you have a <em>very serious</em> multithreading bug, unless
+ something else prevents any other thread from accessing the
+ stored object until it is fully initialized.
+ </li>
+ </ul>
+ </li>
+ <li>FindDeadLocalStores
+ <ul>
+ <li>DLS_DEAD_STORE_OF_CLASS_LITERAL: This instruction
+ assigns a class literal to a variable and then never uses it.
+ <a href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">The
+ behavior of this differs in Java 1.4 and in Java 5.</a> In Java
+ 1.4 and earlier, a reference to <code>Foo.class</code> would
+ force the static initializer for <code>Foo</code> to be
+ executed, if it has not been executed already. In Java 5 and
+ later, it does not. See Sun's <a
+ href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">article
+ on Java SE compatibility</a> for more details and examples, and
+ suggestions on how to force class initialization in Java 5.
+ </li>
+ </ul>
+ </li>
+ <li>MethodReturnCheck
+ <ul>
+ <li>RV_RETURN_VALUE_IGNORED_BAD_PRACTICE: This method
+ returns a value that is not checked. The return value should
+ be checked since it can indication an unusual or unexpected
+ function execution. For example, the <code>File.delete()</code>
+ method returns false if the file could not be successfully
+ deleted (rather than throwing an Exception). If you don't
+ check the result, you won't notice if the method invocation
+ signals unexpected behavior by returning an atypical return
+ value.
+ </li>
+ <li>RV_EXCEPTION_NOT_THROWN: This code creates an
+ exception (or error) object, but doesn't do anything with it.
+ </li>
+ </ul>
+ </li>
+ </ul>
+ </li>
+ <li>Changes to Existing Reports
+ <ul>
+ <li>NS_NON_SHORT_CIRCUIT: BAD_PRACTICE -&gt; STYLE</li>
+ <li>NS_DANGEROUS_NON_SHORT_CIRCUIT: CORRECTNESS -&gt; STYLE</li>
+ <li>RC_REF_COMPARISON: CORRECTNESS -&gt; BAD_PRACTICE</li>
+ </ul>
+ </li>
+ <li>GUI Changes
+ <ul>
+ <li>Added importing and exporting of bug filters</li>
+ <li>Better handling of failed analysis runs</li>
+ <li>Added "-look" parameter for selecting look-and-feel</li>
+ <li>Fixed incorrect package filtering</li>
+ <li>Fixed issue where "synchronized" was not
+ syntax-highlighted</li>
+ </ul>
+ </li>
+ <li>Ant-task Changes
+ <ul>
+ <li>Refactored common ant-task code to AbstractFindBugsTask</li>
+ <li>Added tasks for computeBugHistory, convertXmlToText,
+ filterBugs, mineBugHistory, setBugDatabaseInfo</li>
+ </ul>
+ </li>
+ <li>Manual
+ <ul>
+ <li>Updates to GUI section, including new screenshots</li>
+ <li>Added description of rejarForAnalysis</li>
+ <li>Revamp of data-mining section</li>
+ </ul>
+ </li>
+ <li>Other Major
+ <ul>
+ <li>Internal restructuring for lower memory overhead</li>
+ </ul>
+ </li>
+ <li>Other Minor
+ <ul>
+ <li>Fixed typo: was STCAL_STATIC_SIMPLE_DATA_FORMAT_INSTANCE
+ now STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE</li>
+ <li>-outputFile parameter became -output</li>
+ <li>More sensitivity and specificity inLazyInit detector</li>
+ <li>More sensitivity and specificity in Naming detector</li>
+ <li>More sensitivity and specificity in UnreadFields
+ detector</li>
+ <li>More sensitivity in FindNullDeref detector</li>
+ <li>More sensitivity in FindBadCast2 detector</li>
+ <li>More specificity in FindReturnRef detector</li>
+ <li>Many other tweaks and bug fixes</li>
+ </ul>
</li>
+ </ul>
+
+ <p>Changes since version 1.2.0</p>
+ <ul>
+ <li>Bug fixes:
+ <ul>
+ <li><a
+ href="http://fisheye2.cenqua.com/changelog/findbugs/?cs=8219">Fix</a>
+ <a
+ href="http://sourceforge.net/tracker/index.php?func=detail&aid=1726946&group_id=96405&atid=614693">bug</a>
+ with detectors that were requested to be disabled but were
+ enabled due to requirements of other detectors.</li>
+ <li>Fix bugs in incremental analysis within Eclipse plugin</li>
+ <li>Fix some analysis errors</li>
+ <li>Fix some threading bugs in GUI2</li>
+ <li>Report version as version when it was compiled, not when
+ it was run</li>
+ <li>Copy analysis time stamp when filtering or transforming
+ analysis files.</li>
+ </ul>
+ <li>Enabled StaticCalendarDetector</li>
+ <li>Reworked GUI2 to use standard FindBugs filters
+ <ul>
+ <li>Allow a suppression filter to be stored in a project and
+ persisted to the XML representation of a project.</li>
+ </ul>
+ </li>
+
+ <li>Move away from old GUI2 save format (a directory
+ containing an xml file and another file containing serialized
+ filters).</li>
<li>Support/recommend use of two new file extensions/formats:
- <dl><dt>.fba - FindBugs Analysis File</dt>
- <dd>Exactly the same as an existing bug collection file stored in XML format, but using a distinct file extension
- to make it easier to figure out which xml files contain FindBugs results.</dd>
- <dt>.fbp - FindBugs Project File</dt><dd>Contains just the information needed to run FindBugs and display the results (e.g., the files to be analyzed, the auxiliary class path and the location of source files)</dl></li>
- </ul>
- <p> Changes since version 1.1.3</p>
- <ul>
- <li>Added -xml:withAbridgedMessages option to generate xml containing shorter messages.
- The messages will be shorted by doing things like eliding package names, and leaving off
- the source line from the LongMessage.
- These messages are appropriate if being used in a context where
- the non-message components of the bug annotations will be used to provide more information
- (e.g., clicking on the message for a MethodAnnotation will display the source for the method).
- <ul><li>FindBugsDisplayFeatures.setAbridgedMessages(true) can be used to generate abridged messages
- when FindBugs is being accessed directly (not via generated XML) from a GUI or IDE.
- </li>
- </ul>
- <li>In null pointer analysis, try to be better about always showing two locations: where it is known null and
- where it is dereferenced.
- <li>Interprocedural analysis of which methods return nonnull values
- <li>Use method calls to select order in which classes are analyzed, and order in which methods
- are analyzed, to improve interprocedural analysis results.
- <li>Significant improvements in memory footprint, memory allocation and CPU utilization
- (20-30% reduction in all three)
- <li>Added a project name, to provide better descriptions in the HTML output.
- <li>Added new bug pattern: Casting to char, or bit masking with nonnegative value, and then checking to see
- if the result is negative.
- <li>Stopped reporting transient fields
- of classes not marked as serializable. Transient is used by other persistence frameworks.
- <li>Improvements to detector for SQL injection (Thanks to <a href="http://www.clock.org/~matt">Matt Hargett</a> for
- his contributions
- <li>Changed open/save options in GUI2 to not distinguish between FindBugs projects
- and saved FindBugs analysis results.
- <li>Improvements to detection of serious non-short-circuit evaluation.
+ <dl>
+ <dt>.fba - FindBugs Analysis File</dt>
+ <dd>Exactly the same as an existing bug collection file
+ stored in XML format, but using a distinct file extension to
+ make it easier to figure out which xml files contain FindBugs
+ results.</dd>
+ <dt>.fbp - FindBugs Project File</dt>
+ <dd>Contains just the information needed to run FindBugs and
+ display the results (e.g., the files to be analyzed, the
+ auxiliary class path and the location of source files)
+ </dl>
+ </li>
+ </ul>
+ <p>Changes since version 1.1.3</p>
+ <ul>
+ <li>Added -xml:withAbridgedMessages option to generate xml
+ containing shorter messages. The messages will be shorted by doing
+ things like eliding package names, and leaving off the source line
+ from the LongMessage. These messages are appropriate if being used
+ in a context where the non-message components of the bug
+ annotations will be used to provide more information (e.g.,
+ clicking on the message for a MethodAnnotation will display the
+ source for the method).
+ <ul>
+ <li>FindBugsDisplayFeatures.setAbridgedMessages(true) can be
+ used to generate abridged messages when FindBugs is being
+ accessed directly (not via generated XML) from a GUI or IDE.</li>
+ </ul>
+ <li>In null pointer analysis, try to be better about always
+ showing two locations: where it is known null and where it is
+ dereferenced.
+ <li>Interprocedural analysis of which methods return nonnull
+ values
+ <li>Use method calls to select order in which classes are
+ analyzed, and order in which methods are analyzed, to improve
+ interprocedural analysis results.
+ <li>Significant improvements in memory footprint, memory
+ allocation and CPU utilization (20-30% reduction in all three)
+ <li>Added a project name, to provide better descriptions in
+ the HTML output.
+ <li>Added new bug pattern: Casting to char, or bit masking
+ with nonnegative value, and then checking to see if the result is
+ negative.
+ <li>Stopped reporting transient fields of classes not marked
+ as serializable. Transient is used by other persistence
+ frameworks.
+ <li>Improvements to detector for SQL injection (Thanks to <a
+ href="http://www.clock.org/~matt">Matt Hargett</a> for his
+ contributions
+ <li>Changed open/save options in GUI2 to not distinguish
+ between FindBugs projects and saved FindBugs analysis results.
+ <li>Improvements to detection of serious non-short-circuit
+ evaluation.
<li>Updated Japanese localization (thanks to Ruimo Uno)
-
<li>Eclipse plugin changes:
- <ul>
- <li>Created Bug User Annotations and Bug Tree Views
- <li>Use different icons for different bug priorities
- <li>Provide more information in Bug Details view
- </ul>
- </ul>
-
- <p>
- Changes since version 1.1.2:
- </p>
- <ul>
+ <ul>
+ <li>Created Bug User Annotations and Bug Tree Views
+ <li>Use different icons for different bug priorities
+ <li>Provide more information in Bug Details view
+ </ul>
+ </ul>
+
+ <p>Changes since version 1.1.2:</p>
+ <ul>
<li>Fixed broken Ant task
<li>Added running ant task to smoke test
<li>Added validating xml and html output to smoke test
- <li>Fixed some (but not all) issues with html output validation
+ <li>Fixed some (but not all) issues with html output
+ validation
<li>Added check for x.equals(x) and x.compareTo(x)
<li>Various bug fixes
- </ul>
- <p>
- Changes since version 1.1.1:
- </p>
- <ul>
- <li>
- Added check for infinite iterative loops
- </li>
- <li>
- Added check for use of incompatible types in a collection (e.g.,
- checking to see if a Set&lt;String&gt; contains a StringBuffer).
- </li>
- <li>
- Added check for invocations of equals or hashCode on a URL,
- which,
- <a
- href="http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html">surprising
- many people</a>, requires DNS resolution.
- </li>
- <li>
- Added check for classes that define compareTo but not equals;
- such classes can exhibit some anomalous behavior (e.g., they are
- treated differently by PriorityQueues in Java 5 and Java 6).
- </li>
- <li>
- Added a check for useless self operations (e.g., x &lt; x or x ^ x).
- </li>
- <li>
- Fixed a data race that could cause the GUI to fail on startup
- </li>
- <li>
- Partial internationalization of the new GUI
- </li>
- <li>
- Fix bug in "Redo analysis" option of new GUI
- </li>
- <li>
- Tuning to reduce false positives
- </li>
- <li>
- Fixed a bug in null pointer analysis that was generating false
- positive null pointer warnings on exception paths. Fixing this
- bug eliminates about 1/4 of the warnings on null pointer
- exceptions on exception paths.
- </li>
- <li>
- Fixed a bug in the processing of phi nodes for fields in the null
- pointer analysis
- </li>
- <li>
- Applied contributed patch that provides more quick fixes in
- Eclipse plugin.
- </li>
- <li>
- Fixed a number of bugs in the Eclipse auto update sites, and in the way
- date qualifiers were being used in the Eclipse plugin. You may need to manually
- disable your existing version of the plugin and download the 1.1.2 from the update
- site to get the automatic update function working correctly.
- The Eclipse update sites are described at <a href="http://findbugs.cs.umd.edu/eclipse/">http://findbugs.cs.umd.edu/eclipse/</a>.
-
- </li>
- <li>
- Fixed progress bar in Eclipse plugin
- </li>
- <li>
- A number of other bug fixes.
- </li>
- </ul>
-
- <p>
- Changes since version 1.1.0:
- </p>
- <ul>
- <li>
- less scanning of classes not on the analysis path (This was
- causing some performance problems.)
- </li>
- <li>
- no unread field warnings for fields annotated with
- javax.persistent or javax.ejb3
- </li>
- <li>
- Eclipse plugin
- <ul>
- <li>
- bug annotation info displayed in Bug Details tab
- </li>
- <li>
- .fbwarnings data file now stored in .metadata (not in the
- project itself)
- </li>
- </ul>
- </li>
- <li>
- new SE_BAD_FIELD_INNER_CLASS pattern
- </li>
- <li>
- updates to Japanese translation (ruimo)
- </li>
- <li>
- fix some internal slashed/dotted path confusion
- </li>
- <li>
- other minor improvements
- </li>
- </ul>
-
- <p>
- Changes since version 1.0.0:
- </p>
-
- <ul>
- <li>
- Overall, the change from FindBugs 1.0.0 to FindBugs 1.1.0 has
- been a big change. We've done a lot of work in a lot of areas,
- and aren't even going to try to enumerate all the changes.
- </li>
- <li>
- We spent a lot of time reviewing the results generated by
- FindBugs for open source and commercial code bases, and made a
- number of changes, small and large, to minimize the number of
- false positives. Our primary focus for this was warnings reported
- as high and medium priority correctness warnings. Our internal
- evaluation is that we produce very few high/medium priority
- correctness warnings where the analysis is actually wrong, and
- that more than 75% of the high/medium priority correctness
- warnings correspond to real coding defects that need addressing
- in the source code. The remaining 25% are largely cases such as a
- branch or statement that if taken would lead to an error, but in
- fact is a dead branch or statement that can never be taken. Such
- coding is confusing and hard to maintain, so it should arguably
- be fixed, but it is unlikely to actually result in an error
- during execution. Thus, some might classify those warnings as
- false positives.
-
- </li>
- <li>
- We've substantially improved the analysis for errors that could
- result in null pointer dereferences. Overall, our experience has
- been that these changes have roughly doubled the number of null
- pointer errors we detect, without increasing the number of false
- positives (in fact, our false positive rate has gone down). The
- improvements are due to four factors:
- <ul>
- <li>
- By default, we now do some interprocedural analysis to
- determine methods that unconditionally dereference their
- parameters.
- </li>
- <li>
- FindBugs also comes with a model of which JDK methods
- unconditionally dereference their parameters.
- </li>
- <li>
- We do limited tracking of fields, so that we can detect null
- values stored in fields that lead to exceptions.
- </li>
- <li>
- We implemented a new analysis technique to find guaranteed
- dereferences. Consider the following example:
-
- <code>
- <pre>public int f(Object x, boolean b) {
+ </ul>
+ <p>Changes since version 1.1.1:</p>
+ <ul>
+ <li>Added check for infinite iterative loops</li>
+ <li>Added check for use of incompatible types in a collection
+ (e.g., checking to see if a Set&lt;String&gt; contains a
+ StringBuffer).</li>
+ <li>Added check for invocations of equals or hashCode on a
+ URL, which, <a
+ href="http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html">surprising
+ many people</a>, requires DNS resolution.
+ </li>
+ <li>Added check for classes that define compareTo but not
+ equals; such classes can exhibit some anomalous behavior (e.g.,
+ they are treated differently by PriorityQueues in Java 5 and Java
+ 6).</li>
+ <li>Added a check for useless self operations (e.g., x &lt; x
+ or x ^ x).</li>
+ <li>Fixed a data race that could cause the GUI to fail on
+ startup</li>
+ <li>Partial internationalization of the new GUI</li>
+ <li>Fix bug in "Redo analysis" option of new GUI</li>
+ <li>Tuning to reduce false positives</li>
+ <li>Fixed a bug in null pointer analysis that was generating
+ false positive null pointer warnings on exception paths. Fixing
+ this bug eliminates about 1/4 of the warnings on null pointer
+ exceptions on exception paths.</li>
+ <li>Fixed a bug in the processing of phi nodes for fields in
+ the null pointer analysis</li>
+ <li>Applied contributed patch that provides more quick fixes
+ in Eclipse plugin.</li>
+ <li>Fixed a number of bugs in the Eclipse auto update sites,
+ and in the way date qualifiers were being used in the Eclipse
+ plugin. You may need to manually disable your existing version of
+ the plugin and download the 1.1.2 from the update site to get the
+ automatic update function working correctly. The Eclipse update
+ sites are described at <a
+ href="http://findbugs.cs.umd.edu/eclipse/">http://findbugs.cs.umd.edu/eclipse/</a>.
+
+ </li>
+ <li>Fixed progress bar in Eclipse plugin</li>
+ <li>A number of other bug fixes.</li>
+ </ul>
+
+ <p>Changes since version 1.1.0:</p>
+ <ul>
+ <li>less scanning of classes not on the analysis path (This
+ was causing some performance problems.)</li>
+ <li>no unread field warnings for fields annotated with
+ javax.persistent or javax.ejb3</li>
+ <li>Eclipse plugin
+ <ul>
+ <li>bug annotation info displayed in Bug Details tab</li>
+ <li>.fbwarnings data file now stored in .metadata (not in
+ the project itself)</li>
+ </ul>
+ </li>
+ <li>new SE_BAD_FIELD_INNER_CLASS pattern</li>
+ <li>updates to Japanese translation (ruimo)</li>
+ <li>fix some internal slashed/dotted path confusion</li>
+ <li>other minor improvements</li>
+ </ul>
+
+ <p>Changes since version 1.0.0:</p>
+
+ <ul>
+ <li>Overall, the change from FindBugs 1.0.0 to FindBugs 1.1.0
+ has been a big change. We've done a lot of work in a lot of areas,
+ and aren't even going to try to enumerate all the changes.</li>
+ <li>We spent a lot of time reviewing the results generated by
+ FindBugs for open source and commercial code bases, and made a
+ number of changes, small and large, to minimize the number of
+ false positives. Our primary focus for this was warnings reported
+ as high and medium priority correctness warnings. Our internal
+ evaluation is that we produce very few high/medium priority
+ correctness warnings where the analysis is actually wrong, and
+ that more than 75% of the high/medium priority correctness
+ warnings correspond to real coding defects that need addressing in
+ the source code. The remaining 25% are largely cases such as a
+ branch or statement that if taken would lead to an error, but in
+ fact is a dead branch or statement that can never be taken. Such
+ coding is confusing and hard to maintain, so it should arguably be
+ fixed, but it is unlikely to actually result in an error during
+ execution. Thus, some might classify those warnings as false
+ positives.</li>
+ <li>We've substantially improved the analysis for errors that
+ could result in null pointer dereferences. Overall, our experience
+ has been that these changes have roughly doubled the number of
+ null pointer errors we detect, without increasing the number of
+ false positives (in fact, our false positive rate has gone down).
+ The improvements are due to four factors:
+ <ul>
+ <li>By default, we now do some interprocedural analysis to
+ determine methods that unconditionally dereference their
+ parameters.</li>
+ <li>FindBugs also comes with a model of which JDK methods
+ unconditionally dereference their parameters.</li>
+ <li>We do limited tracking of fields, so that we can detect
+ null values stored in fields that lead to exceptions.</li>
+ <li>We implemented a new analysis technique to find
+ guaranteed dereferences. Consider the following example: <pre>public int f(Object x, boolean b) {
int result = 0;
if (x == null) result++;
else result--;
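Review bot: The two links in the added DLS_DEAD_STORE_OF_CLASS_LITERAL entry use scheme-relative URLs (href="//java.sun.com/j2se/1.5.0/compatibility.html#literal"), so they inherit the scheme of whatever serves the page and turn into file: URLs when doc/Changes.html is opened from a checkout. The other external links visible in this hunk spell out http://, and these two should as well. The patch also declares HTML 4.01 Transitional at the top of the file, so the raw "&aid=" and "&group_id=" in the added SourceForge tracker href should be written with &amp;. The re-wrapped text keeps several slips: "uses using pointer equality", "can indication", "inLazyInit", "will be shorted", and the "(Thanks to ... Matt Hargett" parenthesis that is never closed. If this file is meant to be a verbatim import of the FindBugs 2.0.3 docs, keep it identical to upstream and report these there rather than patching locally.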
@@ -1168,2368 +1496,1300 @@
return result - x.hashCode();
}
</pre>
- </code>
-
- <p>
- FindBugs 1.0 used forward dataflow analysis to determine
- whether each value is definitely null, null on a simple path,
- possible null on a complex path, or definitely nonnull. Thus,
- at the statement where
- <code>
- result
- </code>
- is decremented, we know that
- <code>
- x
- </code>
- is definitely null, and at the point before
- <code>
- if (b)
- </code>
- , we know that
- <code>
- x
- </code>
- is null on a simple path. If
- <code>
- x
- </code>
- were to be dereferenced here, we would generate a warning,
- because if the else branch of the
- <code>
- if (x == null)
- </code>
- were ever taken, a null pointer exception would result.
- </p>
-
- <p>
- However, in both the then and else branches of the
- <code>
- if (b)
- </code>
- statement,
- <code>
- x
- </code>
- is only null on a complex path that may be infeasible. It
- might be that the program logic is such that if
- <code>
- x
- </code>
- is null, then
- <code>
- b
- </code>
- is never true, so generating a warning about the dereference
- in the then clause might be a false positive. We could try to
- analyze the program to determine whether it is possible for
- <code>
- x
- </code>
- to be null and
- <code>
- b
- </code>
- to be true, but that can be a hard analysis problem.
- </p>
-
- <p>
- However,
- <code>
- x
- </code>
- is dereferenced in both the then
- <em>and</em> else branches of the
- <code>
- if (b)
- </code>
- statement. So at the point immediately before
- <code>
- if (b)
- </code>
- , we know that
- <code>
- x
- </code>
- is null on a simple path
- <em>and</em> that
- <code>
- x
- </code>
- is guaranteed to be dereferenced on all paths from this point
- forward. FindBugs 1.1 performs a backwards data flow analysis
- to determine the values that are guaranteed to be
- dereferenced, and will generate a warning in this case.
- </p>
- </li>
- </ul>
- <p>
- The following screen shot of our new GUI shows an example of
- this analysis, as well as showing off our new GUI and points out
- a limitation of our current plugins for Eclipse and NetBeans.
- The screen shot shows a null pointer bug in HelpDisplay.java.
- The test for
- <code>
- href!=null
- </code>
- on line 78 suggests that
- <code>
- href
- </code>
- could be null. If it is, then
- <code>
- href
- </code>
- will be dereferenced on either line 87 or on line 90, generating
- a NPE. Note that our analysis here also understands that passing
- <code>
- href
- </code>
- to
- <code>
- URLEncoder.encode
- </code>
- will deference it, and thus treats line 87 as a dereference,
- even though
- <code>
- href
- </code>
- is not actually dereferenced at that line. Within our new GUI,
- all of these locations are highlighted and listed in the summary
- panel. In the original GUI (and in HTML output) we list all of
- the locations, but only the primary location is highlighted by
- the original GUI. In the Eclipse and NetBeans plugins, only the
- primary location is displayed; fixing this is on our todo list
- (contributions welcome).
- </p>
- <p>
- <img src="guaranteedDereference.png" alt="">
-
-
- </p>
-
- </li>
- <li>
- Preliminary support for detectors using the frameworks other than
- BCEL, such as the
- <a href="http://asm.objectweb.org/">ASM</a> bytecode framework.
- You may experiment with writing ASM-based detectors, but beware
- the API may still change (which could possibly also affect
- BCEL-based detectors). In general, we've started trying to move
- away from a deep dependence on BCEL, but that change is only
- partially complete. Probably best to just avoid this until we
- complete more work on this. This change is only visible to
- FindBugs plugin developers, and shouldn't be visible to FindBugs
- users.
- </li>
- <li>
- <p>
- Bug categories (CORRECTNESS, MT_CORRECTNESS, etc.) are no longer
- hard-coded, but rather defined in xml files associated with
- plugins, including the core plugin which defines the standard
- categories. Third-party plugins can define their own categories.
- </p>
- </li>
- <li>
- <p>
- Several bug patterns have been moved from CORRECTNESS and STYLE
- into a new category, BAD_PRACTICE. The English localization of
- STYLE has changed from "Style" to "Dodgy."
- </p>
- <p>
- In general, we've worked very hard to limit CORRECTNESS bugs to
- be real programming errors and sins of commission. We have
- reclassified as BAD_PRACTICE a number of bad design practices
- that result in overly fragile code, such as defining an equals
- method that doesn't accept null or defining class with a equals
- method that inherits hashCode from class Object.
- </p>
- <p>
- In general, our guidelines for deciding whether a bug should be
- classified as CORRECTNESS, BAD_PRACTICE or STYLE are:
- </p>
- <dl>
- <dt>
- CORRECTNESS
- </dt>
- <dd>
- A problem that we can recognize with high confidence and is an
- issue that we believe almost all developers would want to
- examine and address. We recommend that software teams review
- all high and medium priority warnings in their entire code
- base.
- </dd>
- <dt>
- BAD_PRACTICE
- </dt>
- <dd>
- A problem that we can recognize with high confidence and
- represents a clear violation of recommended and standard coding
- practice. We believe each software team should decide which bad
- practices identified by FindBugs it wants to prohibit in the
- team's coding standard, and take action to remedy violations of
- those coding standards.
- </dd>
- <dt>
- STYLE
- </dt>
- <dd>
- These are places where something strange or dodgy is going on,
- such as a dead store to a local variable. Typically, less than
- half of these represent actionable programming defects.
- Reviewing these warnings in any code under active development
- is probably a good idea, but reviewing all such warnings in
- your entire code base might be appropriate only in some
- situations. Individual or team programming styles can
- substantially influence the effectiveness of each of these
- warnings (e.g., you might have a coding practice or style in
- your group that confuses one of the detectors into generating a
- lot of STYLE warnings); you will likely want to selectively
- suppress or report the STYLE warnings that are effective for
- your group.
- </dd>
- </dl>
- </li>
- <li>
- Released a preliminary version of a new GUI (known internally as
- GUI2 -- not very creative, huh?)
- </li>
- <li>
- Provided standard ways to mark user designations of bug warnings
- (e.g., as NOT_A_BUG or SHOULD_FIX). The internal logic now
- records this, it is represented in the XML file, and GUI2 allows
- the designations to be applied (along with free-form user
- annotations about each warning). The user designations and
- annotations are not yet supported by the Eclipse plugin, but we
- clearly want to support it in Eclipse shortly.
- </li>
- <li>
- Added a check for a bad comparison with a signed byte with a
- value not in the range -128..127. For example:
- <code>
- <pre>boolean find200(byte b[]) {
+
+ <p>
+ FindBugs 1.0 used forward dataflow analysis to determine
+ whether each value is definitely null, null on a simple path,
+ possible null on a complex path, or definitely nonnull. Thus,
+ at the statement where
+ <code> result </code>
+ is decremented, we know that
+ <code> x </code>
+ is definitely null, and at the point before
+ <code> if (b) </code>
+ , we know that
+ <code> x </code>
+ is null on a simple path. If
+ <code> x </code>
+ were to be dereferenced here, we would generate a warning,
+ because if the else branch of the
+ <code> if (x == null) </code>
+ were ever taken, a null pointer exception would result.
+ </p>
+
+ <p>
+ However, in both the then and else branches of the
+ <code> if (b) </code>
+ statement,
+ <code> x </code>
+ is only null on a complex path that may be infeasible. It might
+ be that the program logic is such that if
+ <code> x </code>
+ is null, then
+ <code> b </code>
+ is never true, so generating a warning about the dereference in
+ the then clause might be a false positive. We could try to
+ analyze the program to determine whether it is possible for
+ <code> x </code>
+ to be null and
+ <code> b </code>
+ to be true, but that can be a hard analysis problem.
+ </p>
+
+ <p>
+ However,
+ <code> x </code>
+ is dereferenced in both the then <em>and</em> else branches of
+ the
+ <code> if (b) </code>
+ statement. So at the point immediately before
+ <code> if (b) </code>
+ , we know that
+ <code> x </code>
+ is null on a simple path <em>and</em> that
+ <code> x </code>
+ is guaranteed to be dereferenced on all paths from this point
+ forward. FindBugs 1.1 performs a backwards data flow analysis
+ to determine the values that are guaranteed to be dereferenced,
+ and will generate a warning in this case.
+ </p>
+ </li>
+ </ul>
+ <p>
+ The following screen shot of our new GUI shows an example of this
+ analysis, as well as showing off our new GUI and points out a
+ limitation of our current plugins for Eclipse and NetBeans. The
+ screen shot shows a null pointer bug in HelpDisplay.java. The
+ test for
+ <code> href!=null </code>
+ on line 78 suggests that
+ <code> href </code>
+ could be null. If it is, then
+ <code> href </code>
+ will be dereferenced on either line 87 or on line 90, generating
+ a NPE. Note that our analysis here also understands that passing
+ <code> href </code>
+ to
+ <code> URLEncoder.encode </code>
+ will deference it, and thus treats line 87 as a dereference, even
+ though
+ <code> href </code>
+ is not actually dereferenced at that line. Within our new GUI,
+ all of these locations are highlighted and listed in the summary
+ panel. In the original GUI (and in HTML output) we list all of
+ the locations, but only the primary location is highlighted by
+ the original GUI. In the Eclipse and NetBeans plugins, only the
+ primary location is displayed; fixing this is on our todo list
+ (contributions welcome).
+ </p>
+ <p>
+ <img src="guaranteedDereference.png" alt="">
+
+
+ </p>
+
+ </li>
+ <li>Preliminary support for detectors using the frameworks
+ other than BCEL, such as the <a href="http://asm.objectweb.org/">ASM</a>
+ bytecode framework. You may experiment with writing ASM-based
+ detectors, but beware the API may still change (which could
+ possibly also affect BCEL-based detectors). In general, we've
+ started trying to move away from a deep dependence on BCEL, but
+ that change is only partially complete. Probably best to just
+ avoid this until we complete more work on this. This change is
+ only visible to FindBugs plugin developers, and shouldn't be
+ visible to FindBugs users.
+ </li>
+ <li>
+ <p>Bug categories (CORRECTNESS, MT_CORRECTNESS, etc.) are no
+ longer hard-coded, but rather defined in xml files associated
+ with plugins, including the core plugin which defines the
+ standard categories. Third-party plugins can define their own
+ categories.</p>
+ </li>
+ <li>
+ <p>Several bug patterns have been moved from CORRECTNESS and
+ STYLE into a new category, BAD_PRACTICE. The English localization
+ of STYLE has changed from "Style" to "Dodgy."</p>
+ <p>In general, we've worked very hard to limit CORRECTNESS
+ bugs to be real programming errors and sins of commission. We
+ have reclassified as BAD_PRACTICE a number of bad design
+ practices that result in overly fragile code, such as defining an
+ equals method that doesn't accept null or defining class with a
+ equals method that inherits hashCode from class Object.</p>
+ <p>In general, our guidelines for deciding whether a bug
+ should be classified as CORRECTNESS, BAD_PRACTICE or STYLE are:</p>
+ <dl>
+ <dt>CORRECTNESS</dt>
+ <dd>A problem that we can recognize with high confidence and
+ is an issue that we believe almost all developers would want to
+ examine and address. We recommend that software teams review all
+ high and medium priority warnings in their entire code base.</dd>
+ <dt>BAD_PRACTICE</dt>
+ <dd>A problem that we can recognize with high confidence and
+ represents a clear violation of recommended and standard coding
+ practice. We believe each software team should decide which bad
+ practices identified by FindBugs it wants to prohibit in the
+ team's coding standard, and take action to remedy violations of
+ those coding standards.</dd>
+ <dt>STYLE</dt>
+ <dd>These are places where something strange or dodgy is
+ going on, such as a dead store to a local variable. Typically,
+ less than half of these represent actionable programming
+ defects. Reviewing these warnings in any code under active
+ development is probably a good idea, but reviewing all such
+ warnings in your entire code base might be appropriate only in
+ some situations. Individual or team programming styles can
+ substantially influence the effectiveness of each of these
+ warnings (e.g., you might have a coding practice or style in
+ your group that confuses one of the detectors into generating a
+ lot of STYLE warnings); you will likely want to selectively
+ suppress or report the STYLE warnings that are effective for
+ your group.</dd>
+ </dl>
+ </li>
+ <li>Released a preliminary version of a new GUI (known
+ internally as GUI2 -- not very creative, huh?)</li>
+ <li>Provided standard ways to mark user designations of bug
+ warnings (e.g., as NOT_A_BUG or SHOULD_FIX). The internal logic
+ now records this, it is represented in the XML file, and GUI2
+ allows the designations to be applied (along with free-form user
+ annotations about each warning). The user designations and
+ annotations are not yet supported by the Eclipse plugin, but we
+ clearly want to support it in Eclipse shortly.</li>
+ <li>Added a check for a bad comparison with a signed byte with
+ a value not in the range -128..127. For example: <pre>boolean find200(byte b[]) {
for(int i = 0; i &lt; b.length; i++) if (b[i] == 200) return i;
return -1;
}
</pre>
- </code>
- </li>
- <li>
- Added a checking for testing if a value is equal to Double.NaN
- (no value is equal to NaN, not even NaN).
- </li>
- <li>
- Added a check for using a class with an equals method but no
- hashCode method in a hashed data structure.
- </li>
- <li>
- Added check for uncallable method of an anonymous inner class.
- For example, in the following code, it is impossible to invoke
- the initalValue method (because the name is misspelled and as a
- result is doesn't override a method in ThreadLocal).
- <code>
- <pre>private static ThreadLocal serialNum = new ThreadLocal() {
+ </li>
+ <li>Added a checking for testing if a value is equal to
+ Double.NaN (no value is equal to NaN, not even NaN).</li>
+ <li>Added a check for using a class with an equals method but
+ no hashCode method in a hashed data structure.</li>
+ <li>Added check for uncallable method of an anonymous inner
+ class. For example, in the following code, it is impossible to
+ invoke the initalValue method (because the name is misspelled and
+ as a result is doesn't override a method in ThreadLocal). <pre>private static ThreadLocal serialNum = new ThreadLocal() {
protected synchronized Object initalValue() {
return new Integer(nextSerialNum++);
}
};
</pre>
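Review bot: the rewrapped items above carry the old text's typos into the new lines unchanged ("Added a checking for testing if a value is equal to Double.NaN" and "as a result is doesn't override a method in ThreadLocal"), and the find200 sample kept as context is declared `boolean find200(byte b[])` yet returns `i` and `-1`, so it would not compile as shown. Since these lines are being touched anyway, suggest "Added a check for testing", "as a result it doesn't override", and an `int` return type on find200, so the sample shows only the defect it is meant to show (a signed byte compared with 200, which can never match). If doc/Changes.html is meant to stay identical to the upstream FindBugs 2.0.3 file, leave the text as is and raise the fixes upstream instead. The misspelled `initalValue` in the ThreadLocal sample is the point of that example and should stay.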
- </code>
- </li>
- <li>
- Added check for a dead local store caused by a switch statement
- fall through
- </li>
- <li>
- Added check for computing the absolute value of a random 32 bit
- integer or of a hashcode. This is broken because
- <code>
- Math.abs(Integer.MIN_VALUE) == Integer.MIN_VALUE
- </code>
- , and thus result of calling Math.abs, which is expected to be
- nonnegative, will in fact be negative one time out of 2
- <sup>
- 32
- </sup>
- , which will invariably be the time your boss is demoing the
- software to your customers.
-
- </li>
- <li>
- More careful resolution of inherited methods and fields. Some of
- the shortcuts we were taking in FindBugs 1.0.0 were leading to
- inaccurate results, and it was fairly easy to address this by
- making the analysis more accurate.
- </li>
- <li>
- Overall, analysis times are about 1.6 times longer in FindBugs
- 1.1.0 than in FindBugs 1.0.0. This is because we have enabled
- substantial additional analysis at the default effort level (the
- actual analysis engine is significantly faster than in FindBugs
- 1.0). On a recent AMD Athlon processor, analyzing JDK1.6.0 (about
- 1 million lines of code) requires about 15 minutes of wall clock
- time.
- </li>
- <li>
- Provided class and script (printClass) to print classfile in the
- human readable format produced by BCEL
- </li>
- <li>
- Provided -findSource option to setBugDatabaseInfo
- </li>
- </ul>
-
-
- <p>
- Changes since version 0.9.7:
- </p>
-
- <ul>
- <li>
- fix ObjectTypeFactory bug that was suppressing some bugs
- </li>
- <li>
- opcode stack may determine definite zeros on some paths
- </li>
- <li>
- opcode stack can track some constant string concatenations
- (dbrosius)
- </li>
- <li>
- default effort performs iterative opcode analysis (but min effort
- does not)
- </li>
- <li>
- default heap size upped to 384m
- </li>
- <li>
- schema for XML output available: bugcollection.xsd
- </li>
- <li>
- fixed some internal confusion between dotted and slashed class
- names
- </li>
- <li>
- New detectors
- <ul>
- <li>
- CheckImmutableAnnotation.java: checks JCIP annotations
- </li>
- </ul>
- </li>
- <li>
- Updated detectors
- <ul>
- <li>
- BadRegEx.java: understands Pattern.LITERAL, warns about "."
- </li>
- <li>
- FindUnreleasedLock.java: fewer false positives
- </li>
- <li>
- DumbMethods.java: check for vacuous comparisons to MAX_INTEGER
- or MIN_INTEGER, fix bugs detecting DM_NEXTINT_VIA_NEXTDOUBLE
- </li>
- <li>
- FindPuzzlers.java: detect
- <tt>n%2==1</tt>, detect toString() on array types
- </li>
- <li>
- FindInconsistentSync2.java: detects IS_FIELD_NOT_GUARDED
- </li>
- <li>
- MethodReturnCheck.java: add check for discarded newly
- constructed values, increase priority of some ignored
- constructed exceptions, better handling of bytecode compiled by
- Eclipse
- </li>
- <li>
- FindEmptySynchronizedBlock.java: better handling of bytecode
- compiled by Eclipse
- </li>
- <li>
- DoInsideDoPrivileged.java: warn if call to setAccessible isn't
- in doPriviledged, don't report private methods
- </li>
- <li>
- LoadOfKnownNullValue.java: fix bug that was reporting false
- positives on
- <code>
- finally
- </code>
- blocks
- </li>
- <li>
- CheckReturnAnnotationDatabase.java: better checks for unstarted
- threads
- </li>
- <li>
- ConfusionBetweenInheritedAndOuterMethod.java: fewer false
- positives, fixed a package-handling bug
- </li>
- <li>
- BadResultSetAccess.java: separate bug pattern for
- PreparedStatements,
- <code>
- BRZA
- </code>
- category folded into
- <code>
- SQL
- </code>
- category
- </li>
- <li>
- FindDeadLocalStores.java, FindBadCast2.java, DumbMethods.java,
- RuntimeExceptionCapture.java: coalesce similar bugs within a
- method into a single bug instance with multiple source lines
- </li>
- </ul>
- </li>
- <li>
- Eclipse plugin
- <ul>
- <li>
- plugin ID changed from
- <tt>de.tobject.findbugs</tt> to
- <tt>edu.umd.cs.findbugs.plugin.eclipse</tt>
- </li>
- <li>
- support for findbugs eclipse auto-update site
- </li>
- </ul>
- </li>
- <li>
- Updated test case files
- <ul>
- <li>
- BadRegEx.java
- </li>
- <li>
- JSR166.java
- </li>
- <li>
- ConcurrentModificationBug.java
- </li>
- <li>
- DeadStore.java
- </li>
- <li>
- InstanceOf.java
- </li>
- <li>
- LoadKnownNull.java
- </li>
- <li>
- NeedsToCheckReturnValue.java
- </li>
- <li>
- BadResultSetAccessTest.java
- </li>
- <li>
- DeadStore.java
- </li>
- <li>
- TestNonNull2.java
- </li>
- <li>
- TestImmutable.java
- </li>
- <li>
- TestGuardedBy.java
- </li>
- <li>
- BadRandomInt.java
- </li>
- <li>
- six test cases added to new
- <code>
- TigerTraps
- </code>
- directory
- </li>
- </ul>
- </li>
- <li>
- fix bug that was generating duplicate uids
- </li>
- <li>
- fix bug with
- <code>
- -onlyAnalyze some.package.*
- </code>
- on jdk1.4
- </li>
- <li>
- fix regression bug in DismantleByteCode.getRefConstantOperand()
- </li>
- <li>
- fix some minor bugs with the Swing GUI
- </li>
- <li>
- reordered some bugInstances so that source line annotations come
- last
- </li>
- <li>
- removed references to unused java system properties
- </li>
- <li>
- French translation updates (David Cotton)
- </li>
- <li>
- Japanese translation updates (Hanai Shisei)
- </li>
- <li>
- content cleanup for findbugs.xml and messages.xml
- </li>
- <li>
- references to cvs hostname updated to
- findbugs.cvs.sourceforge.net
- </li>
- <li>
- documented xdoc output options, new
- mineBugHistory/computeBugHistory options
- </li>
- </ul>
-
- <p>
- Changes since version 0.9.6:
- </p>
-
- <ul>
- <li>
- performance improvements
- </li>
- <li>
- ObjectType instances are cached to reduce memory footprint
- </li>
- <li>
- for performance and memory reasons stateless detectors are no
- longer cloned, must clear their own state between .class files
- </li>
- <li>
- fixed bug in bytecode-set lookup for methods (was causing bad
- results for IS2, perhaps others)
- </li>
- <li>
- fix some OpcodeStack bugs with integer and long operations,
- perform iterative analysis when effort is
- <tt>max</tt>
- </li>
- <li>
- HTML output includes LongMessage text again (regression in 0.95 -
- 0.96)
- </li>
- <li>
- New detectors
- <ul>
- <li>
- CalledMethods.java: builds a list of invoked methods for other
- detectors to consult (non-reporting)
- </li>
- <li>
- UncallableMethodOfAnonymousClass.java: detect anonymous inner
- classes that define methods that are probably intended to but
- do not override methods in a superclass.
- </li>
- </ul>
- </li>
- <li>
- Updated detectors
- <ul>
- <li>
- FindFieldSelfAssignment.java: recognize separate fields with
- the same name (one from superclass)
- </li>
- <li>
- FindLocalSelfAssignment2.java: handles backward branches better
- (Dave Brosius)
- </li>
- <li>
- FindBadCast2.java: BC_NULL_INSTANCEOF changed to
- NP_NULL_INSTANCEOF
- </li>
- <li>
- FindPuzzlers.java: eliminate false positive on setDate() (Dave
- Brosius)
- </li>
- </ul>
- </li>
- <li>
- Eclipse plugin
- <ul>
- <li>
- fix serious threading bug
- </li>
- <li>
- preferences for Filters and effort (Peter Hendriks)
- </li>
- <li>
- French localization (David Cotton)
- </li>
- <li>
- fix bug when reporting inner classes (Peter Friese)
- </li>
- </ul>
- </li>
- <li>
- Updated test case files
- <ul>
- <li>
- Mwn.java (Carl Burke/Dave Brosius)
- </li>
- <li>
- DumbMethodInvocations.java (Anto paul/Dave Brosius)
- </li>
- <!--sic-->
- </ul>
- </li>
- <li>
- XML output includes garbage collection duration
- </li>
- <li>
- French messages updated (David Cotton)
- </li>
- <li>
- Swing GUI shows file name after Load Bugs command
- </li>
- <li>
- Ant task to launch the findbugs frame (Mark McKay)
- </li>
- <li>
- miscellaneous code cleanup
- </li>
- </ul>
-
- <p>
- Changes since version 0.9.5:
- </p>
-
- <ul>
- <li>
- Updated detectors
- <ul>
- <li>
- FindNullDeref.java: respect NonNull and CheckForNull field
- annotations
- </li>
- <li>
- SerializableIdiom.java: detect non-private readObject and
- writeObject methods
- </li>
- <li>
- FindRefComparison.java: smarter array comparison detection
- </li>
- <li>
- IsNullValueAnalysis.java: detect
- <tt>null instanceof</tt>
- </li>
- <li>
- FindLocalSelfAssignment2.java: suppress some false positives
- (Dave Brosius)
- </li>
- <li>
- FindUnreleasedLock.java: don't waste time processing classes
- that don't refer to java.util.concurrent.locks
- </li>
- <li>
- MutableStaticFields.java: report the source line (Dave Brosius)
- </li>
- <li>
- SwitchFallthrough.java: better handling of System.exit() (Dave
- Brosius)
- </li>
- <li>
- MultithreadedInstanceAccess.java: better handling of
- Servlet.init() (Dave Brosius)
- </li>
- <li>
- ConfusionBetweenInheritedAndOuterMethod.java: now enabled
- </li>
- </ul>
- </li>
- <li>
- Eclipse plugin
- <ul>
- <li>
- background processing (Peter Friese)
- </li>
- <li>
- internationalization, Japanese localization (Takashi Okamoto)
- </li>
- </ul>
- </li>
- <li>
- findbugs
- <tt>-onlyAnalyze</tt> option now works on windows platforms
- </li>
- <li>
- mineBugHistory
- <tt>-noTabs</tt> option for better alignment of output columns
- </li>
- <li>
- filterBugs
- <tt>-fixed</tt> option (also: will now recognize the most recent
- version string)
- </li>
- <li>
- XML output includes running time and memory usage data
- </li>
- <li>
- miscellaneous minor corrections to the manual
- </li>
- <li>
- better bytecode analysis of the
- <tt>iinc</tt> instruction
- </li>
- <li>
- fix bug in null pointer analysis
- </li>
- <li>
- improved catch block heuristics
- </li>
- <li>
- some type analysis tweaks
- </li>
- <li>
- Bug priority changes
- <ul>
- <li>
- DumbMethodInvocations.java: decrease priority of hard-coded
- <tt>/tmp</tt> filenames
- </li>
- <li>
- ComparatorIdiom.java: decrease priority of non-serializable
- anonymous comparators
- </li>
- <li>
- FindSqlInjection.java: decrease priority of appending a
- constant or a static
- </li>
- </ul>
- </li>
- <li>
- Updated bug explanations
- <ul>
- <li>
- NM_VERY_CONFUSING (Dave Brosius)
- </li>
- </ul>
- </li>
- <li>
- Updated test case files
- <ul>
- <li>
- BadStoreOfNonSerializableObject.java
- </li>
- <li>
- BadRandomInt.java
- </li>
- <li>
- TestFieldAnnotations.java
- </li>
- <li>
- UseInitCause.java
- </li>
- <li>
- SqlInjection.java
- </li>
- <li>
- ArrayEquality.java
- </li>
- <li>
- BadIntegerOperations.java
- </li>
- <li>
- Pilhuhn.java
- </li>
- <li>
- InstanceOf.java
- </li>
- <li>
- SwitchFallthrough.java (Dave Brosius)
- </li>
- </ul>
- </li>
- <li>
- fix URL decoding bug when running under Java Web Start (Dave
- Brosius)
- </li>
- <li>
- distribution includes
- <tt>project.xml</tt> file for NetBeans
- </li>
- </ul>
-
- <p>
- Changes since version 0.9.4:
- </p>
- <ul>
- <li>
- New detectors
- <ul>
- <li>
- VarArgsProblems.java
- </li>
- <li>
- FindSqlInjection.java: now enabled
- </li>
- <li>
- ComparatorIdiom.java: comparators usually implement
- serializable
- </li>
- <li>
- Naming.java: detect methods not overridden due to eponymously
- typed args from different packages
- </li>
- </ul>
- </li>
- <li>
- Updated detectors
- <ul>
- <li>
- SwitchFallthrough.java: surpress some false positives
- </li>
- <li>
- DuplicateBranches.java: surpress some false positives
- </li>
- <li>
- IteratorIdioms.java: surpress some false positives
- </li>
- <li>
- FindHEmismatch.java: surpress some false positives
- </li>
- <li>
- QuestionableBooleanAssignment.java: finds more cases of
- <tt>if (b=true)</tt> ilk
- </li>
- <li>
- DumbMethods.java: detect int remainder by 1, delayed gc errors
- </li>
- <li>
- SerializableIdiom.java: detect store of nonserializable object
- into field of serializable class
- </li>
- <li>
- FindNullDeref.java: fix potential exception
- </li>
- <li>
- IsNullValue.java: fix potential exception
- </li>
- <li>
- MultithreadedInstanceAccess.java: fix potential exception
- </li>
- <li>
- PreferZeroLengthArrays.java: flag the method, not the line
- </li>
- </ul>
- </li>
- <li>
- Remove some inadvertent dependencies on JDK 1.5
- </li>
- <li>
- Sort order should be more consistent
- </li>
- <li>
- XML output changes
- <ul>
- <li>
- Option to sort XML bug output
- </li>
- <li>
- Now contains instance IDs
- </li>
- <li>
- uid no longer missing (was causing problems with fancy HTML
- output)
- </li>
- <li>
- Typo fixed
- </li>
- </ul>
- </li>
- <li>
- Internal changes to track source files,
- <tt>-sourceInfo</tt> option
- </li>
- <li>
- Bug matching: first try exact bug pattern matching, option to
- compare priorities, option to disable package moves
- </li>
- <li>
- Architecture documentation in
- <tt>design/architecture</tt>
- </li>
- <li>
- Test cases move into their own CVS project
- </li>
- <li>
- Don't report warnings that occur outside the analyzed classes
- </li>
- <li>
- Fixes to the build.xml files
- </li>
- <li>
- Better handling of @CheckReturnValue and @CheckForNull
- annotations (also, some additional methods searched for check
- return value and check for null)
- </li>
- <li>
- Fixed some stream-closing bugs (one by
- <tt>z-fb-user</tt>/Dave Brosius)
- </li>
- <li>
- Bug priority changes
- <ul>
- <li>
- increase priority of ignoring return value of
- java.sql.Connection methods
- </li>
- <li>
- increase priority of comparing classes like Integer using
- <tt>==</tt>
- </li>
- <li>
- decrease priority of IT_NO_SUCH_ELEMENT if we see any call to
- <tt>next()</tt>
- </li>
- <li>
- tweak priority of NM_METHOD_CONSTRUCTOR_CONFUSION
- </li>
- <li>
- decrease priority of RV_RETURN_VALUE_IGNORED for an inherited
- annotation that doesn't return same type as class
- </li>
- </ul>
- </li>
- <li>
- Updated bug explanations
- <ul>
- <li>
- RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE
- </li>
- <li>
- DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED
- </li>
- <li>
- IMA_INEFFICIENT_MEMBER_ACCESS (Dave Brosius)
- </li>
- <li>
- some Japanese improvements to messages_ja.xml (
- <tt>ruimo</tt>)
- </li>
- <li>
- some German improvements to findbugs_de.properties (Dave
- Brosius,
- <tt>dvholten</tt>)
- </li>
- </ul>
- </li>
- <li>
- Updated test case files
- <ul>
- <li>
- BadIntegerOperations.java
- </li>
- <li>
- SecondKaboom.java
- </li>
- <li>
- OpenDatabase.java (Dave Brosius)
- </li>
- <li>
- FindOpenStream.java (Dave Brosius)
- </li>
- <li>
- BadRandomInt.java
- </li>
- </ul>
- </li>
- <li>
- Source-lines info maintained for methods (handy for abstract and
- native methods)
- </li>
- <li>
- Remove surrounding opcodes from source line annotations
- </li>
- <li>
- Better error when can't read file
- </li>
- <li>
- Swing GUI: removed console pane from FindBugsFrame, fix missing
- classes bug
- </li>
- <li>
- Fixes to OpcodeStack.java
- </li>
- <li>
- Detectors may attach a custom value to an OpcodeStack.Item (Dave
- Brosius)
- </li>
- <li>
- Filter.java: ability to add text messages to XML output, fix bug
- with
- <tt>-withMessages</tt>
- </li>
- <li>
- SourceInfoMap supports ranges of source lines
- </li>
- <li>
- Ant task supports the
- <tt>timestampNow</tt> attribute
- </li>
- </ul>
-
- <p>
- Changes since version 0.9.3:
- </p>
- <ul>
- <li>
- Substantial rework of datamining code
- </li>
- <li>
- Removed bogus warnings about await on things other than Condition
- not being in a loop
- </li>
- <li>
- Fixed bug in OpcodeStack handling of dup2 of long/double values
- </li>
- <li>
- Don't report array types as missing classes
- </li>
- <li>
- Adjustment of some warnings on ignored return values
- </li>
- <li>
- Added thread safety annotations from Java Concurrency in Practice
- (no detectors written for these yet)
- </li>
- <li>
- Added annotation for methods that, if overridden, should be
- invoked by overriding methods via a call to super
- </li>
- <li>
- Updated -html:fancy.xsl (Etienne Giraudy)
- </li>
- </ul>
-
- <p>
- Note: there was no version 0.9.2
- </p>
-
- <p>
- Changes since version 0.9.1:
- </p>
- <ul>
- <!-- New detectors -->
- <li>
- Embellish USM to find abstract methods that implement an
- interface method (Dave Brosius)
- </li>
- <li>
- New detector to find stores of literal booleans inside if or
- while expressions (Dave Brosius)
- </li>
- <li>
- New style detector to find final classes that declare protected
- fields (Dave Brosius)
- </li>
- <li>
- New detector to find subclass methods that simply forward,
- verbatim, to the super class (Dave Brosius)
- </li>
- <li>
- Detector to find instances where code is attempting to write an
- object out via an implementation of DataOutput, but the object is
- not guaranteed to be Serializable (Jon Christiansen, Bill Pugh)
- </li>
-
- <!-- Feature enhancements -->
- <li>
- Large (35%) analysis speedup (Bill Pugh)
- </li>
- <li>
- Add line numbers to Swing GUI code panel (Dave Brosius)
- </li>
- <li>
- Added effort options to Swing GUI (Dave Brosius)
- </li>
- <li>
- Add ability to specify bugs file to open from command line for
- GUI version, through -loadbugs (Phillip Martin)
- </li>
- <li>
- New stylesheet for generating HTML: use option
- <tt>-html:plain.xsl</tt> (Chris Nappin)
- </li>
- <li>
- New stylesheet for generating HTML: use option
- <tt>-html:fancy.xsl</tt> (Etienne Giraudy)
- </li>
- <li>
- Updated Japanese bug message translations (Shisei Hanai)
- </li>
-
- <!-- Bug fixes -->
- <li>
- XHTML compliance fixes for bug details (Etienne Giraudy)
- </li>
- <li>
- Various detector fixes (Shisei Hanai)
- </li>
- <li>
- Fixed bugs in the project preferences dialog int the Eclipse
- plugin (Takashi Okamoto, Thomas Einwaller)
- </li>
- <li>
- Lowered priority of analysis thread in Swing GUI (David
- Hovemeyer, suggested by Shisei Hanai and Jeffrey W. Badorek)
- </li>
- <li>
- Fixed EclipsePlugin to correctly pick up auxclasspath entries
- (Jon Christiansen)
- </li>
- </ul>
-
- <p>
- Changes since version 0.9.0:
- </p>
- <ul>
- <li>
- Fixed dependence on JRE 1.5: all features should work on JRE 1.4
- again
- </li>
- <li>
- Fixed -effort command line option handling for Swing GUI
- </li>
- <li>
- Fixed conserveSpace and workHard attributes int Ant task
- </li>
- <li>
- Added support for effort attribute in Ant task
- </li>
- </ul>
-
- <p>
- Changes since version 0.8.8:
- </p>
- <ul>
- <!-- New detectors and bug patterns -->
- <li>
- XMLFactoryBypass detector to find direct allocation of xml class
- implementations (Dave Brosius)
- </li>
- <li>
- InefficientMemberAccess detector to find accesses to owning class
- private members (Dave Brosius)
- </li>
- <li>
- DuplicateBranches detector checks switch statements too (Dave
- Brosius)
- </li>
-
- <!-- Feature enhancements -->
- <li>
- FindBugs available from findbugs.sourceforge.net as Java Web
- Start application (Dave Brosius)
- </li>
- <li>
- Updated Japanese bug message translations (Shisei Hanai)
- </li>
- <li>
- Improved bug detail message for covariant equals() (Shisei Hanai)
- </li>
- <li>
- Modeling of instanceof checks is now enabled by default, making
- the bad cast detector much more useful (Bill Pugh, David
- Hovemeyer)
- </li>
- <li>
- Support for detector ordering constraints in plugin descriptor
- (David Hovemeyer)
- </li>
- <li>
- Simpler option to control analysis effort: -effort:
- <i>value</i>, where
- <i>value</i> is one of
- <code>
- min
- </code>
- ,
- <code>
- default
- </code>
- , or
- <code>
- max
- </code>
- (David Hovemeyer)
- </li>
- <li>
- Using -effort:max, FindNullDeref checks for null arguments passed
- to methods which dereference them unconditionally (David
- Hovemeyer)
- </li>
- <li>
- FindNullDeref checks @Null and @NonNull annotations for
- parameters and return values (David Hovemeyer)
- </li>
-
- <!-- Bug fixes -->
- </ul>
-
- <p>
- Changes since version 0.8.7:
- </p>
-
- <ul>
- <!-- New detectors and bug patterns -->
- <li>
- New detector to find duplicate code in if/else statements (Dave
- Brosius)
- </li>
- <li>
- Look for calls to wait() on Condition objects (David Hovemeyer)
- </li>
- <li>
- Look for java.util.concurrent.Lock objects not released on every
- path out of method (David Hovemeyer)
- </li>
- <li>
- Look for calls to Thread.sleep() with a lock held (David
- Hovemeyer)
- </li>
- <li>
- More accurate detection of impossible casts (Bill Pugh, David
- Hovemeyer)
- </li>
-
- <!-- Feature enhancements -->
- <li>
- Saved XML now contains project statistics (Jay Dunning)
- </li>
- <li>
- Filter files can select by bug pattern type and warning priority
- (David Hovemeyer)
- </li>
-
- <!-- Bug fixes -->
- <li>
- Restored some files inadvertently omitted from previous release
- (Rohan Lloyd, David Hovemeyer)
- </li>
- <li>
- Make sure detectors requiring JDK 1.5 runtime classes are only
- executed if those classes are available (David Hovemeyer)
- </li>
- <li>
- Don't display analysis error dialog unless there is really an
- error (David Hovemeyer)
- </li>
- <li>
- Updated and expanded French translations of bug patterns and
- Swing GUI (Olivier Parent)
- </li>
- <li>
- Fixed invalid character encoding in German Swing GUI translation
- (Olivier Parent)
- </li>
- <li>
- Fix locale used for date format in project stats (K. Hashimoto)
- </li>
- <li>
- Fixed LongDescription elements in xml:withMessages output format
- (K. Hashimoto)
- </li>
- </ul>
-
- <p>
- Changes since version 0.8.6:
- </p>
-
- <ul>
- <!-- new detectors -->
- <li>
- Extend Naming detector to look for classes that are named
- XXXException but that are not Exceptions (Dave Brosius)
- </li>
- <li>
- New detector to find classes that expose semaphores in the public
- implementation through the 'this' reference. (Dave Brosius)
- </li>
- <li>
- New Style detector to find Struts Action/Servlet derived classes
- that reference instance member variable not in synchronized
- blocks. (Dave Brosius)
- </li>
- <li>
- New Style detector to find classes that declare implementation of
- interfaces that are already implemented by super classes (Dave
- Brosius)
- </li>
- <li>
- New Style detector to find circular dependencies between classes
- (Dave Brosius)
- </li>
- <li>
- New Style detector to find unnecessary math on constants (Dave
- Brosius)
- </li>
- <li>
- New detector to find equality comparisons using floating point
- math (Jay Dunning)
- </li>
- <li>
- New faster detector to find local self assignments (Bill Pugh)
- </li>
- <li>
- New detector to find infinite recursive loops (Bill Pugh)
- </li>
- <li>
- New detector to find for loops with an incorrect increment (Bill
- Pugh)
- </li>
- <li>
- New detector to find suspicious uses of BufferedReader.readLine()
- and String.indexOf() (Bill Pugh)
- </li>
- <li>
- New detector to find suspicious integer to double casts (David
- Hovemeyer, Bill Pugh)
- </li>
- <li>
- New detector to find invalid regular expression patterns (Bill
- Pugh)
- </li>
- <li>
- New detector to find Bloch/Gafter Java puzzlers (Bill Pugh)
- </li>
+ </li>
+ <li>Added check for a dead local store caused by a switch
+ statement fall through</li>
+ <li>Added check for computing the absolute value of a random
+ 32 bit integer or of a hashcode. This is broken because <code>
+ Math.abs(Integer.MIN_VALUE) == Integer.MIN_VALUE </code> , and thus
+ result of calling Math.abs, which is expected to be nonnegative,
+ will in fact be negative one time out of 2 <sup> 32 </sup> , which
+ will invariably be the time your boss is demoing the software to
+ your customers.
- <!-- feature enhancements -->
- <li>
- New system property to suppress reporting of DLS based on local
- variable name (Glenn Boysko)
- </li>
- <li>
- Enhancements to configuration dialog in Eclipse plugin, allow for
- saving enabled detectors in Eclipse projects (Phil Crosby)
- </li>
- <li>
- Sortable columns in detector dialog (Dave Brosius)
- </li>
- <li>
- New tab in gui for showing bugs grouped by category (Dave
- Brosius)
- </li>
- <li>
- Improved German translation of Swing GUI (Thomas Kuehne)
- </li>
- <li>
- Improved source file reporting in Emacs output format (Len Trigg)
- </li>
- <li>
- Improvements to redundant null comparison detector (Bill Pugh)
- </li>
- <li>
- Localization of run analysis and analysis error dialogs in Swing
- GUI (K. Hashimoto)
- </li>
-
- <!-- Bug fixes -->
- <li>
- Don't scan equals methods in FindHEMismatch if code is native
- (Greg Bentz)
- </li>
- <li>
- French translation fixes (David Cotton)
- </li>
- <li>
- Internationalization report fixes (K. Hashimoto)
- </li>
- <li>
- Japanese translations updates (SHISEI Hanai)
- </li>
- </ul>
-
- <p>
- Changes since version 0.8.5:
-
- </p>
- <ul>
- <!-- new detectors -->
- <li>
- New detector to find catch blocks that may inadvertently catch
- runtime exceptions (Brian Goetz)
- </li>
- <li>
- New detector to find objects that are instantiated based on
- classes that only have static methods and fields, using the
- synthesized constructor (Dave Brosius)
- </li>
- <li>
- New detector to find calls to Thread.interrupted() in a non
- static context, and especially with non currentThread() threads
- (Dave Brosius)
- </li>
- <li>
- New detector to find calls to equals() methods that use Object's
- version. (Dave Brosius)
- </li>
- <li>
- New detector to find Applets that call methods in the constructor
- refering to the AppletStub (Dave Brosius)
- </li>
- <li>
- New detector to find some cases of infinite recursion (Bill Pugh)
- </li>
- <li>
- New detector to find dead stores to local variables (David
- Hovemeyer, Bill Pugh)
- </li>
- <li>
- Extend Dumb Method detector for toUpperCase(), toLowerCase()
- without a locale, new Integer(1).toString(), new
- XXX().getClass(), and new Thread() without a run implementation
- (Dave Brosius)
- <!-- feature enhancements -->
- </li>
- <li>
- Ant task supports "errorProperty" attribute, which sets an Ant
- property to "true" if an error occurs running FindBugs (Michael
- Tamm)
- </li>
- <li>
- Eclipse plugin allows filtering of warnings by bug category,
- priority (David Hovemeyer)
- </li>
- <li>
- Swing GUI allows filtering of warnings by bug category (David
- Hovemeyer)
- </li>
- <li>
- Ability to annotate methods using Java 1.5 annotations that
- suppress FindBugs warnings (Bill Pugh)
- </li>
- <li>
- New -adjustExperimental for lowering priority of BugPatterns that
- are experimental (Dave Brosius)
- </li>
- <li>
- Allow for command line options 'files' using the @ symbol (David
- Hovemeyer)
- </li>
- <li>
- New -adjustPriority command line option to for adjusting bug
- priorites (David Hovemeyer)
- </li>
- <li>
- Added an Edit menu (cut/copy/paste) to Swing GUI (Dave Brosius)
- </li>
- <li>
- French translation supplied (David Cotton)
- <!-- Bug fixes -->
- </li>
- </ul>
-
- <p>
- Changes since version 0.8.4:
-
- </p>
- <ul>
- <!-- new detectors -->
- <li>
- New detector for volatile references to arrays (Bill Pugh)
- </li>
- <li>
- New detector to find instanceof usage where inheritance can be
- determined statically (Dave Brosius)
- </li>
- <li>
- New detector to find ResultSet.getXXX updateXXX calls using index
- 0 (Dave Brosius)
- </li>
- <li>
- New detector to find empty zip or jar entries (Bill Pugh)
-
- <!-- feature enhancements -->
- </li>
- <li>
- HTML output generation using built-in XSLT stylesheet or
- user-defined stylesheet (David Hovemeyer)
- </li>
- <li>
- Allow URLs to be specified to analyze zip/jar files, local
- directories, and single classfiles (David Hovemeyer)
- </li>
- <li>
- New command line option -onlyAnalyze restricts analysis to
- selected classes and packages without reducing accuracy (David
- Hovemeyer)
- </li>
- <li>
- Allow Swing GUI to show source code in jar files on Windows
- systems (Dave Brosius)
-
- <!-- Bug fixes -->
- </li>
- <li>
- Fix the Switch Fall Thru detector (Dave Brosius, David Hovemeyer,
- Bill Pugh)
- </li>
- <li>
- MacOS GUI fixes (Rohan Lloyd)
- </li>
- <li>
- Fix false positive in BOA in case where method is correctly and
- 'incorrectly' overridden (Dave Brosius)
- </li>
- <li>
- Fixed memory blowup when analyzing methods which access a large
- number of fields (David Hovemeyer)
- </li>
- </ul>
-
- <p>
- Changes since version 0.8.3:
- </p>
- <ul>
- <li>
- Initial and preliminary localization of the Swing GUI.&nbsp;
- Translations by:
- <ul>
- <li>
- German - Peter D. Stout, Holger Stenzhorn
- </li>
- <li>
- Finnish - Juha Knuutila
- </li>
- <li>
- Estonian - Tanel Lebedev
- </li>
- <li>
- Japanese - Hanai Shisei
- </li>
- </ul>
- </li>
- <li>
- Eliminated debug print statements inadvertently left enabled
- </li>
- <li>
- Reverted some changes in the open stream detector: this should
- fix some false positives that were introduced in the previous
- release
- </li>
- <li>
- Fixed a couple missing class reports
- </li>
- </ul>
-
- <p>
- Changes since version 0.8.2:
- </p>
- <ul>
-
- <!-- New detectors -->
- <li>
- New detector to find improperly overridden GUI Adapter classes
- (Dave Brosius)
- </li>
- <li>
- New detector to find improperly setup JUnit TestCases (Dave
- Brosius)
- </li>
- <li>
- New detector to find variables that mask class level fields (Dave
- Brosius)
- </li>
- <li>
- New detector to find comparisons of values computed with bitwise
- operators that always yield the same result (Tom Truscott)
- </li>
- <li>
- New detector to find unsafe getClass().getResource() calls (Bill
- Pugh)
- </li>
- <li>
- New detector to find GUI changes not in GUI thread but in static
- main (Bill Pugh)
- </li>
- <li>
- New detector to find calls to Collection.toArray() with
- zero-length array argument; it is more efficient to pass an array
- the size of the collection, which can be populated and returned
- as the result (Dave Brosius)
-
- <!-- Analysis improvements -->
- </li>
- <li>
- Better suppression of false warnings in various detectors (Bill
- Pugh, David Hovemeyer)
- </li>
- <li>
- Enhancement to ReadReturnShouldBeChecked detector for skip()
- (Dave Brosius)
- </li>
- <li>
- Enhancement to DumbMethods detector (Dave Brosius)
- </li>
- <li>
- Open stream detector does not report wrappers of streams passed
- as method parameters (David Hovemeyer)
-
- <!-- Feature enhancements -->
- </li>
- <li>
- Cancel confirmation dialog in Swing GUI (Pete Angstadt)
- </li>
- <li>
- Better relative path saving in Project file (Dave Brosius)
- </li>
- <li>
- Detector Priority in GUI is now saved in prefs file (Dave
- Brosius)
- </li>
- <li>
- Controls in GUI to reorder source and classpath entries, and
- ability to flip between Project details and bugs pages (Dave
- Brosius)
- </li>
- <li>
- In Swing GUI, analysis error dialog supports "Select All" and
- "Copy" operations for easy generation of error reports (Dave
- Brosius)
- </li>
- <li>
- Complete translation of bug descriptions and messages into
- Japanese (Hanai Shisei)
-
- <!-- Bug fixes -->
- </li>
- <li>
- Fixed bug in DroppedException detector (Dave Brosius)
-
- <!-- Development stuff -->
- </li>
- <li>
- The source distribution defaults to using JDK 1.5 javac to
- compile, but support for compiling with JSR-14 prototype is still
- supported
- </li>
- </ul>
-
- <p>
- Changes since version 0.8.1:
- </p>
- <ul>
- <li>
- Fixed a critical ClassCastException bug (triggered if the
- -workHard option was used, and an exception type was merged with
- an array type during type inference)
- </li>
- </ul>
-
- <p>
- Changes since version 0.8.0:
-
- </p>
- <ul>
- <li>
- Disabled SwitchFallthrough detector to work around
- NullPointerExceptions
- </li>
- <li>
- Added some additional false positive suppression heuristics
- </li>
- </ul>
-
- <p>
- Also, two contributors to the 0.8.0 release were inadvertently
- left out of the credits:
-
- </p>
- <ul>
- <li>
- Pete Angstadt fixed several problems in the Swing GUI
- </li>
- <li>
- Francis Lalonde provided a task resource file for the FindBugs
- Ant task
- </li>
- </ul>
-
- <p>
- Changes since version 0.7.4:
-
- </p>
- <ul>
- <li>
- New detector to look for uses of "+" operator to concatenate
- String objects in a loop (Dave Brosius)
- </li>
- <li>
- Reference comparison detector looks for places where the argument
- passed to the equals(Object) method isn't the same type as the
- receiver object
- </li>
- <li>
- Better suppression of false warnings in many detectors
- </li>
- <li>
- Many improvements to Eclipse plugin (Andrey Loskutov, Peter
- Friese)
- </li>
- <li>
- Fixed problem with building Eclipse plugin on Windows (Thomas
- Klaeger)
- </li>
- <li>
- Open stream detector looks for unclosed PreparedStatement objects
- (Thomas Klaeger, Rohan Lloyd)
- </li>
- <li>
- Fix for open stream detector: it wasn't detecting close() methods
- called through an invokeinterface instruction (Thomas Klaeger)
- </li>
- <li>
- Refactoring of visitor classes to enforce use of accessors for
- visited class features (Brian Goetz)
- </li>
- </ul>
-
- <p>
- Changes since version 0.7.3:
-
- </p>
- <ul>
- <li>
- Experimental modification of open stream detector to look for
- non-escaping JDBC resources (connections and statements) that
- aren't closed on all paths out of method
- </li>
- <li>
- Eclipse plugin fixed so it compiles and runs on Eclipse 2.1.x
- (Peter Friese)
- </li>
- <li>
- Option to Swing GUI and command line to generate project file
- using relative paths for archives, source directories, and aux
- classpath entries (Dave Brosius)
- </li>
- <li>
- Improvements to findbugs.bat script for launching FindBugs on
- Windows (Dave Brosius)
- </li>
- <li>
- Updated Japanese message translations (Hiroshi Okugawa)
- </li>
- <li>
- Uncalled private methods are now reported as low priority, unless
- they have the same name as another method in the class (which is
- more likely to indicate an actual bug)
- </li>
- <li>
- Added some missing data in the bug messages XML files
- </li>
- <li>
- Fixed some problems building from source on Windows systems
- </li>
- <li>
- Various minor bug fixes
- </li>
- </ul>
-
- <p>
- Changes since version 0.7.2:
-
- </p>
- <ul>
- <li>
- Enhanced Eclipse plugin, which displays the detailed bug
- description in a view (Phil Crosby)
- </li>
- <li>
- Various tweaks to existing detectors to reduce false warnings
- </li>
- <li>
- New command line option
- <code>
- -workHard
- </code>
- enables pruning of infeasible or unlikely exception edges, which
- results in better accuracy in the open stream detector, at the
- expense of a 30%-100% slowdown
- </li>
- <li>
- New website and HTML documentation design
- </li>
- <li>
- Documentation includes an HTML document with descriptions of all
- bug patterns reported by FindBugs
- </li>
- <li>
- Web page has a link to a
- <a href="http://www.simeji.com/findbugs/doc/manual_ja/index.html">Japanese
- translation</a> of the FindBugs manual, contributed by Hiroshi
- Okugawa
- </li>
- <li>
- Changed the Inconsistent Synchronization detector so that fields
- synchronized 50% of the time (or more) are reported as medium
- priority bugs (previously they were reported as low)
- </li>
- <li>
- New detector to find code that catches
- IllegalMonitorStateException
- </li>
- <li>
- New detector to find private methods that are never called
- </li>
- <li>
- New detector to find suspicious uses of non-short-circuiting
- boolean operators (
- <code>
- &amp;
- </code>
- and
- <code>
- |
- </code>
- , rather than
- <code>
- &amp;&amp;
- </code>
- and
- <code>
- ||
- </code>
- )
- </li>
- </ul>
-
- <p>
- Changes since version 0.7.1:
-
- </p>
- <ul>
- <li>
- Incorporated patched version of BCEL, which allows classes
- compiled with JDK 1.5.0 beta to be analyzed
- </li>
- <li>
- Fixed some bugs related to lookups of array classes
- </li>
- <li>
- Fixed bug that prevented GUI from loading XML result files when
- running under JDK 1.5.0 beta
- </li>
- <li>
- Added new experimental bug detector, LazyInit, which looks for
- potentially buggy lazy initializations of static fields
- </li>
- <li>
- Because of long filenames, switched to distributing the source
- archive as a zip file rather than a tar file
- </li>
- <li>
- The 0.7.1 source tarfile was botched - 0.7.2 has a valid source
- archive
- </li>
- <li>
- Fixed some problems in the Ant build script
- </li>
- <li>
- Fixed NullPointerException when checking Class-Path attribute for
- Jar files without manifests
- </li>
- <li>
- Generate version numbers for the core and UI Eclipse plugins
- using the Version class; all version numbers are now in a common
- location
- </li>
- </ul>
-
- <p>
- Changes since version 0.7.0:
-
- </p>
- <ul>
- <li>
- Eclipse plugin (contributed by Peter Friese)
- </li>
- <li>
- Source package structure rearranged: all source (other than
- Eclipse plugin UI) is in the edu.umd.cs.findbugs package, or a
- subpackage
- </li>
- <li>
- Class-Path attributes of manifests of analyzed jar files are used
- to set the aux classpath automatically (Peter D. Stout)
- </li>
- <li>
- GUI starts in directory specified by user.home property (Peter D.
- Stout)
- </li>
- <li>
- Added -project option to GUI (Mikko T.)
- </li>
- <li>
- Added -look:{plastic,gtk,native} option to GUI, for setting look
- and feel (Mikko T.)
- </li>
- <li>
- Fixed DataflowAnalysisException in inconsistent synchronization
- detector
- </li>
- <li>
- Ant task supports failOnError parameter (Rohan Lloyd)
- </li>
- <li>
- Serializable class warnings are downgraded to low priority for
- GUI classes
- </li>
- <li>
- MWN detector will only report calls to wait(), notify(), and
- notifyAll() methods that have the correct signature
- </li>
- <li>
- FindBugs works with latest CVS version of BCEL
- </li>
- <li>
- Zip and Jar files may be added to the source path
- </li>
- <li>
- The GUI will automatically find source files residing in analyzed
- Zip or Jar files
- </li>
- </ul>
-
- <p>
- Note that the version number jumped from 0.6.6 to 0.6.9; there
- were no 0.6.7 or 0.6.8 releases.
-
- </p>
- <p>
- Changes since version 0.6.9:
- </p>
- <ul>
- <li>
- Added -conserveSpace option to reduce memory use at the expense
- of analysis precision
- </li>
- <li>
- Bug fixes in findbugs.bat script: JAVA_HOME handling,
- autodetection of FINDBUGS_HOME, missing output with -textui
- </li>
- <li>
- Fixed NullPointerException when a missing class is encountered
- </li>
- </ul>
-
- <p>
- Changes since version 0.6.6:
-
- </p>
- <ul>
- <li>
- The null pointer dereference detector is more powerful
- </li>
- <li>
- Significantly improved heuristics and bug fixes in inconsistent
- synchronization detector
- </li>
- <li>
- Improved heuristics in open stream and dropped exception
- detectors; fewer false positives should be reported
- </li>
- <li>
- Save HTML summary in XML results files, rather than recomputing;
- this makes loading results in GUI much faster
- </li>
- <li>
- Report at most one String comparison using == or != per method
- </li>
- <li>
- The findbugs.bat script on Windows autodetects FINDBUGS_HOME, and
- doesn't open a DOS window when launching the GUI (contributed by
- TJSB)
- </li>
- <li>
- Emacs reporting format (contributed by David Li)
- </li>
- <li>
- Various bug fixes
- </li>
- </ul>
-
- <p>
- Changes since 0.6.5:
-
- </p>
- <ul>
- <li>
- Rewritten inconsistent synchronization detector; accuracy is
- significantly improved, and bug reports are prioritized
- </li>
- <li>
- New detector to find self assignment (x=x) of local variables
- (suggested by Jeff Martin)
- </li>
- <li>
- New detector to find calls to wait(), notify(), and notifyAll()
- on an object which is not obviously locked
- </li>
- <li>
- Open stream detector now reports Readers and Writers
- </li>
- <li>
- Fixed bug in finalizer idioms detector which caused spurious
- warnings about failure to call super.finalize() (reported by Jim
- Menard)
- </li>
- <li>
- Fixed bug where output stream was not closed using non-XML output
- (reported by Sigiswald Madou)
- </li>
- <li>
- Fixed corrupted HTML bug detail message (reported by Trevor
- Harmon)
- </li>
- </ul>
-
- <p>
- Changes since version 0.6.4:
-
- </p>
- <ul>
- <li>
- For redundant comparison of reference values, fixed false
- positives resulting from duplication of code in finally blocks
- </li>
- <li>
- Fixed false positives resulting from wrapped byte array streams
- left open
- </li>
- <li>
- Fixed bug in Ant task preventing output file from working
- properly if a relative path was used
- </li>
- </ul>
-
- <p>
- Changes since version 0.6.3:
-
- </p>
- <ul>
- <li>
- Fixed bug in Ant task where output would be corrupted, and added
- a
- <code>
- timeout
- </code>
- attribute
- </li>
- <li>
- Added -outputFile option to text UI, for explicitly specifying an
- output file
- </li>
- <li>
- GUI has a summary window, for statistics about overall bug
- densities (contributed by Mike Fagan)
- </li>
- <li>
- Find redundant comparisons of reference values
- </li>
- <li>
- More accurate detection of Strings compared with == and !=
- operators
- </li>
- <li>
- Detection of other reference types which should generally not be
- compared with == and != operators; Boolean, Integer, etc.
- </li>
- <li>
- Find non-transient non-serializable instance fields in
- Serializable classes
- </li>
- <li>
- Source code may be compiled with latest early access
- generics-enabled javac (version 2.2)
- </li>
- </ul>
-
- <p>
- Changes since version 0.6.2:
-
- </p>
- <ul>
- <li>
- GUI supports filtering bugs by priority
- </li>
- <li>
- Ant task rewritten; supports all functionality offered by Text UI
- (contributed by Mike Fagan)
- </li>
- <li>
- Ant task is fully documented in the manual
- </li>
- <li>
- Classes in nested archives are analyzed; this allows full support
- for analyzing .ear and .war files (contributed by Mike Fagan)
- </li>
- <li>
- DepthFirstSearch changed to use non-recursive implementation;
- this should fix the StackOverflowErrors that several users
- reported
- </li>
- <li>
- Various minor bugfixes and improvements
- </li>
- </ul>
-
- <p>
- Changes since version 0.6.1:
-
- </p>
- <ul>
- <li>
- New detector to look for useless control flow (suggested by
- Richard P. King and Mike Fagan)
- </li>
- <li>
- Look for places where return value of
- java.io.File.createNewFile() is ignored (suggested by Richard P.
- King)
- </li>
- <li>
- Fixed bug in resolution of source files (only the first source
- directory was searched)
- </li>
- <li>
- Fixed a NullPointerException in the bytecode pattern matching
- code
- </li>
- <li>
- Ant task supports project files (contributed by Mike Fagan)
- </li>
- <li>
- Unix findbugs script honors the
- <code>
- JAVA_HOME
- </code>
- environment variable (contributed by Pedro Morais)
- </li>
- <li>
- Allow .war and .ear files to be analyzed
- </li>
- </ul>
-
- <p>
- Changes since version 0.6.0:
-
- </p>
- <ul>
- <li>
- New bug pattern detector which looks for places where a null
- pointer might be dereferenced
- </li>
- <li>
- New bug pattern detector which looks for IO streams that are
- opened, do not escape the method, and are not closed on all paths
- out of the method
- </li>
- <li>
- New bug pattern detector to find methods that can return null
- instead of a zero-length array
- </li>
- <li>
- New bug pattern detector to find places where the == or !=
- operators are used to compare String objects
- </li>
- <li>
- Command line interface can save bugs as XML
- </li>
- <li>
- GUI can save bugs to and load bugs from XML
- </li>
- <li>
- An "Annotations" window in the GUI allows the user to add textual
- annotations to bug reports; these annotations are preserved when
- bugs are saved as XML
- </li>
- <li>
- In this release, the Japanese bug summary translations by Germano
- Leichsenring are really included (they were inadvertently omitted
- in the previous release)
- </li>
- <li>
- Completely rewrote the control flow graph builder, hopefully for
- the last time
- </li>
- <li>
- Simplified implementation of control flow graphs, which should
- reduce memory use and possibly improve performance
- </li>
- <li>
- Improvements to command line interface (list bug priorities,
- filter by priority, specify aux classpath, specify project to
- analyze)
- </li>
- <li>
- Various bug fixes and enhancements
- </li>
- </ul>
-
- <p>
- Changes since version 0.5.4
-
- </p>
- <ul>
- <li>
- Added an
- <a href="http://ant.apache.org/">Ant</a> task for FindBugs,
- contributed by Mike Fagan.
- </li>
- <li>
- Added a GUI dialog which allows individual bug pattern detectors
- to be enabled or disabled.&nbsp; Disabling certain slow detectors
- can greatly speed up analysis of large programs, at the expense
- of reducing the number of potential bugs found.
- </li>
- <li>
- Added a new detector for finding improperly ignored return values
- for methods such as
- <code>
- String.trim()
- </code>
- .&nbsp; Suggested by Andreas Mandel.
- </li>
- <li>
- Japanese translations of the bug summaries, contributed by
- Germano Leichsenring.
- </li>
- <li>
- Filtering of results is supported in command line interface. See
- the
- <a href="manual/index.html">FindBugs manual</a> for details.
- </li>
- <li>
- Added "byte code patterns", a general pattern matching
- infrastructure for bytecode instructions.&nbsp; This feature
- significantly reduces the complexity of implementing new bug
- pattern detectors.
- </li>
- <li>
- Enabled a new general dataflow analysis to track values in
- methods.
- </li>
- <li>
- Switched to new control-flow graph builder implementation.
- </li>
- </ul>
-
- <p>
- Changes since version 0.5.3
-
- </p>
- <ul>
- <li>
- Fixed a bug in the script used to launch FindBugs on Windows
- platforms.
- </li>
- <li>
- Fixed crashes when analyzing class files without source line
- information.
- </li>
- <li>
- All major errors are reported using an error dialog; file not
- found errors are more informative.
- </li>
- <li>
- Minor GUI improvements.
- </li>
- </ul>
-
- <p>
- Changes since version 0.5.2
-
- </p>
- <ul>
- <li>
- All of the source code and related files are in a single
- directory tree.
- </li>
- <li>
- Updated some of the detectors to produce source line information.
- </li>
- <li>
- <a href="http://ant.apache.org/">Ant</a> build script and several
- GUI enhancements and fixes contributed by Mike Fagan.
- </li>
- <li>
- Converted to use a
- <a href="AddingDetectors.txt">plugin architecture</a> for loading
- bug detectors.
- </li>
- <li>
- Eliminated generics-related compiler warnings.
- </li>
- <li>
- More complete documentation has been added.
- </li>
- </ul>
-
- <p>
- Changes since version 0.5.1:
- </p>
- <ul>
- <li>
- Fixed a large number of bugs in the BCEL Repository and
- FindBugs's use of the Repository.&nbsp; With these changes,
- FindBugs should
- <em>never</em> crash or otherwise misbehave because of Repository
- lookup failures.&nbsp; Because of these changes, you must use a
- modified version of
- <code>
- bcel.jar
- </code>
- with FindBugs.&nbsp; This jar file is included in the FindBugs
- 0.5.2 binary release.&nbsp; A complete patch containing the
- <a
- href="http://faculty.ycp.edu/~dhovemey/bcel-30-April-2003.patch">modifications
- against the BCEL CVS main branch as of April 30, 2003</a> is also
- available.
- </li>
- <li>
- Implemented the "auxiliary classpath entry list".&nbsp; Aux
- classpath entries can be added to a project to provide classes
- that are referenced by the analyzed application, but should not
- themselves be analyzed.&nbsp; Having all referenced classes
- available allows FindBugs to produce more accurate results.
- </li>
- </ul>
-
- <p>
- Changes since version 0.5.0:
- </p>
- <ul>
- <li>
- Many user interface bugs have been fixed.
- </li>
- <li>
- Upgraded to a recent CVS version of BCEL, with some bug
- fixes.&nbsp; This should prevent FindBugs from crashing when
- there is a failure to find a class on the classpath.
- </li>
- <li>
- Added support for Plastic look and feel from
- <a href="http://www.jgoodies.com/">jgoodies.com</a>.
- </li>
- <li>
- Major overhaul of infrastructure for doing dataflow analysis.
- </li>
- </ul>
+ </li>
+ <li>More careful resolution of inherited methods and fields.
+ Some of the shortcuts we were taking in FindBugs 1.0.0 were
+ leading to inaccurate results, and it was fairly easy to address
+ this by making the analysis more accurate.</li>
+ <li>Overall, analysis times are about 1.6 times longer in
+ FindBugs 1.1.0 than in FindBugs 1.0.0. This is because we have
+ enabled substantial additional analysis at the default effort
+ level (the actual analysis engine is significantly faster than in
+ FindBugs 1.0). On a recent AMD Athlon processor, analyzing
+ JDK1.6.0 (about 1 million lines of code) requires about 15 minutes
+ of wall clock time.</li>
+ <li>Provided class and script (printClass) to print classfile
+ in the human readable format produced by BCEL</li>
+ <li>Provided -findSource option to setBugDatabaseInfo</li>
+ </ul>
+
+
+ <p>Changes since version 0.9.7:</p>
+
+ <ul>
+ <li>fix ObjectTypeFactory bug that was suppressing some bugs</li>
+ <li>opcode stack may determine definite zeros on some paths</li>
+ <li>opcode stack can track some constant string concatenations
+ (dbrosius)</li>
+ <li>default effort performs iterative opcode analysis (but min
+ effort does not)</li>
+ <li>default heap size upped to 384m</li>
+ <li>schema for XML output available: bugcollection.xsd</li>
+ <li>fixed some internal confusion between dotted and slashed
+ class names</li>
+ <li>New detectors
+ <ul>
+ <li>CheckImmutableAnnotation.java: checks JCIP annotations</li>
+ </ul>
+ </li>
+ <li>Updated detectors
+ <ul>
+ <li>BadRegEx.java: understands Pattern.LITERAL, warns about
+ "."</li>
+ <li>FindUnreleasedLock.java: fewer false positives</li>
+ <li>DumbMethods.java: check for vacuous comparisons to
+ MAX_INTEGER or MIN_INTEGER, fix bugs detecting
+ DM_NEXTINT_VIA_NEXTDOUBLE</li>
+ <li>FindPuzzlers.java: detect <tt>n%2==1</tt>, detect
+ toString() on array types
+ </li>
+ <li>FindInconsistentSync2.java: detects IS_FIELD_NOT_GUARDED
+ </li>
+ <li>MethodReturnCheck.java: add check for discarded newly
+ constructed values, increase priority of some ignored
+ constructed exceptions, better handling of bytecode compiled by
+ Eclipse</li>
+ <li>FindEmptySynchronizedBlock.java: better handling of
+ bytecode compiled by Eclipse</li>
+ <li>DoInsideDoPrivileged.java: warn if call to setAccessible
+ isn't in doPriviledged, don't report private methods</li>
+ <li>LoadOfKnownNullValue.java: fix bug that was reporting
+ false positives on <code> finally </code> blocks
+ </li>
+ <li>CheckReturnAnnotationDatabase.java: better checks for
+ unstarted threads</li>
+ <li>ConfusionBetweenInheritedAndOuterMethod.java: fewer
+ false positives, fixed a package-handling bug</li>
+ <li>BadResultSetAccess.java: separate bug pattern for
+ PreparedStatements, <code> BRZA </code> category folded into <code>
+ SQL </code> category
+ </li>
+ <li>FindDeadLocalStores.java, FindBadCast2.java,
+ DumbMethods.java, RuntimeExceptionCapture.java: coalesce similar
+ bugs within a method into a single bug instance with multiple
+ source lines</li>
+ </ul>
+ </li>
+ <li>Eclipse plugin
+ <ul>
+ <li>plugin ID changed from <tt>de.tobject.findbugs</tt> to <tt>edu.umd.cs.findbugs.plugin.eclipse</tt>
+ </li>
+ <li>support for findbugs eclipse auto-update site</li>
+ </ul>
+ </li>
+ <li>Updated test case files
+ <ul>
+ <li>BadRegEx.java</li>
+ <li>JSR166.java</li>
+ <li>ConcurrentModificationBug.java</li>
+ <li>DeadStore.java</li>
+ <li>InstanceOf.java</li>
+ <li>LoadKnownNull.java</li>
+ <li>NeedsToCheckReturnValue.java</li>
+ <li>BadResultSetAccessTest.java</li>
+ <li>DeadStore.java</li>
+ <li>TestNonNull2.java</li>
+ <li>TestImmutable.java</li>
+ <li>TestGuardedBy.java</li>
+ <li>BadRandomInt.java</li>
+ <li>six test cases added to new <code> TigerTraps </code>
+ directory
+ </li>
+ </ul>
+ </li>
+ <li>fix bug that was generating duplicate uids</li>
+ <li>fix bug with <code> -onlyAnalyze some.package.* </code> on
+ jdk1.4
+ </li>
+ <li>fix regression bug in
+ DismantleByteCode.getRefConstantOperand()</li>
+ <li>fix some minor bugs with the Swing GUI</li>
+ <li>reordered some bugInstances so that source line
+ annotations come last</li>
+ <li>removed references to unused java system properties</li>
+ <li>French translation updates (David Cotton)</li>
+ <li>Japanese translation updates (Hanai Shisei)</li>
+ <li>content cleanup for findbugs.xml and messages.xml</li>
+ <li>references to cvs hostname updated to
+ findbugs.cvs.sourceforge.net</li>
+ <li>documented xdoc output options, new
+ mineBugHistory/computeBugHistory options</li>
+ </ul>
+
+ <p>Changes since version 0.9.6:</p>
+
+ <ul>
+ <li>performance improvements</li>
+ <li>ObjectType instances are cached to reduce memory footprint
+ </li>
+ <li>for performance and memory reasons stateless detectors are
+ no longer cloned, must clear their own state between .class files
+ </li>
+ <li>fixed bug in bytecode-set lookup for methods (was causing
+ bad results for IS2, perhaps others)</li>
+ <li>fix some OpcodeStack bugs with integer and long
+ operations, perform iterative analysis when effort is <tt>max</tt>
+ </li>
+ <li>HTML output includes LongMessage text again (regression in
+ 0.95 - 0.96)</li>
+ <li>New detectors
+ <ul>
+ <li>CalledMethods.java: builds a list of invoked methods for
+ other detectors to consult (non-reporting)</li>
+ <li>UncallableMethodOfAnonymousClass.java: detect anonymous
+ inner classes that define methods that are probably intended to
+ but do not override methods in a superclass.</li>
+ </ul>
+ </li>
+ <li>Updated detectors
+ <ul>
+ <li>FindFieldSelfAssignment.java: recognize separate fields
+ with the same name (one from superclass)</li>
+ <li>FindLocalSelfAssignment2.java: handles backward branches
+ better (Dave Brosius)</li>
+ <li>FindBadCast2.java: BC_NULL_INSTANCEOF changed to
+ NP_NULL_INSTANCEOF</li>
+ <li>FindPuzzlers.java: eliminate false positive on setDate()
+ (Dave Brosius)</li>
+ </ul>
+ </li>
+ <li>Eclipse plugin
+ <ul>
+ <li>fix serious threading bug</li>
+ <li>preferences for Filters and effort (Peter Hendriks)</li>
+ <li>French localization (David Cotton)</li>
+ <li>fix bug when reporting inner classes (Peter Friese)</li>
+ </ul>
+ </li>
+ <li>Updated test case files
+ <ul>
+ <li>Mwn.java (Carl Burke/Dave Brosius)</li>
+ <li>DumbMethodInvocations.java (Anto paul/Dave Brosius)</li>
+ <!--sic-->
+ </ul>
+ </li>
+ <li>XML output includes garbage collection duration</li>
+ <li>French messages updated (David Cotton)</li>
+ <li>Swing GUI shows file name after Load Bugs command</li>
+ <li>Ant task to launch the findbugs frame (Mark McKay)</li>
+ <li>miscellaneous code cleanup</li>
+ </ul>
-
+ <p>Changes since version 0.9.5:</p>
+
+ <ul>
+ <li>Updated detectors
+ <ul>
+ <li>FindNullDeref.java: respect NonNull and CheckForNull
+ field annotations</li>
+ <li>SerializableIdiom.java: detect non-private readObject
+ and writeObject methods</li>
+ <li>FindRefComparison.java: smarter array comparison
+ detection</li>
+ <li>IsNullValueAnalysis.java: detect <tt>null
+ instanceof</tt>
+ </li>
+ <li>FindLocalSelfAssignment2.java: suppress some false
+ positives (Dave Brosius)</li>
+ <li>FindUnreleasedLock.java: don't waste time processing
+ classes that don't refer to java.util.concurrent.locks</li>
+ <li>MutableStaticFields.java: report the source line (Dave
+ Brosius)</li>
+ <li>SwitchFallthrough.java: better handling of System.exit()
+ (Dave Brosius)</li>
+ <li>MultithreadedInstanceAccess.java: better handling of
+ Servlet.init() (Dave Brosius)</li>
+ <li>ConfusionBetweenInheritedAndOuterMethod.java: now
+ enabled</li>
+ </ul>
+ </li>
+ <li>Eclipse plugin
+ <ul>
+ <li>background processing (Peter Friese)</li>
+ <li>internationalization, Japanese localization (Takashi
+ Okamoto)</li>
+ </ul>
+ </li>
+ <li>findbugs <tt>-onlyAnalyze</tt> option now works on windows
+ platforms
+ </li>
+ <li>mineBugHistory <tt>-noTabs</tt> option for better
+ alignment of output columns
+ </li>
+ <li>filterBugs <tt>-fixed</tt> option (also: will now
+ recognize the most recent version string)
+ </li>
+ <li>XML output includes running time and memory usage data</li>
+ <li>miscellaneous minor corrections to the manual</li>
+ <li>better bytecode analysis of the <tt>iinc</tt> instruction
+ </li>
+ <li>fix bug in null pointer analysis</li>
+ <li>improved catch block heuristics</li>
+ <li>some type analysis tweaks</li>
+ <li>Bug priority changes
+ <ul>
+ <li>DumbMethodInvocations.java: decrease priority of
+ hard-coded <tt>/tmp</tt> filenames
+ </li>
+ <li>ComparatorIdiom.java: decrease priority of
+ non-serializable anonymous comparators</li>
+ <li>FindSqlInjection.java: decrease priority of appending a
+ constant or a static</li>
+ </ul>
+ </li>
+ <li>Updated bug explanations
+ <ul>
+ <li>NM_VERY_CONFUSING (Dave Brosius)</li>
+ </ul>
+ </li>
+ <li>Updated test case files
+ <ul>
+ <li>BadStoreOfNonSerializableObject.java</li>
+ <li>BadRandomInt.java</li>
+ <li>TestFieldAnnotations.java</li>
+ <li>UseInitCause.java</li>
+ <li>SqlInjection.java</li>
+ <li>ArrayEquality.java</li>
+ <li>BadIntegerOperations.java</li>
+ <li>Pilhuhn.java</li>
+ <li>InstanceOf.java</li>
+ <li>SwitchFallthrough.java (Dave Brosius)</li>
+ </ul>
+ </li>
+ <li>fix URL decoding bug when running under Java Web Start
+ (Dave Brosius)</li>
+ <li>distribution includes <tt>project.xml</tt> file for
+ NetBeans
+ </li>
+ </ul>
+
+ <p>Changes since version 0.9.4:</p>
+ <ul>
+ <li>New detectors
+ <ul>
+ <li>VarArgsProblems.java</li>
+ <li>FindSqlInjection.java: now enabled</li>
+ <li>ComparatorIdiom.java: comparators usually implement
+ serializable</li>
+ <li>Naming.java: detect methods not overridden due to
+ eponymously typed args from different packages</li>
+ </ul>
+ </li>
+ <li>Updated detectors
+ <ul>
+ <li>SwitchFallthrough.java: surpress some false positives</li>
+ <li>DuplicateBranches.java: surpress some false positives</li>
+ <li>IteratorIdioms.java: surpress some false positives</li>
+ <li>FindHEmismatch.java: surpress some false positives</li>
+ <li>QuestionableBooleanAssignment.java: finds more cases of
+ <tt>if (b=true)</tt> ilk
+ </li>
+ <li>DumbMethods.java: detect int remainder by 1, delayed gc
+ errors</li>
+ <li>SerializableIdiom.java: detect store of nonserializable
+ object into field of serializable class</li>
+ <li>FindNullDeref.java: fix potential exception</li>
+ <li>IsNullValue.java: fix potential exception</li>
+ <li>MultithreadedInstanceAccess.java: fix potential
+ exception</li>
+ <li>PreferZeroLengthArrays.java: flag the method, not the
+ line</li>
+ </ul>
+ </li>
+ <li>Remove some inadvertent dependencies on JDK 1.5</li>
+ <li>Sort order should be more consistent</li>
+ <li>XML output changes
+ <ul>
+ <li>Option to sort XML bug output</li>
+ <li>Now contains instance IDs</li>
+ <li>uid no longer missing (was causing problems with fancy
+ HTML output)</li>
+ <li>Typo fixed</li>
+ </ul>
+ </li>
+ <li>Internal changes to track source files, <tt>-sourceInfo</tt>
+ option
+ </li>
+ <li>Bug matching: first try exact bug pattern matching, option
+ to compare priorities, option to disable package moves</li>
+ <li>Architecture documentation in <tt>design/architecture</tt>
+ </li>
+ <li>Test cases move into their own CVS project</li>
+ <li>Don't report warnings that occur outside the analyzed
+ classes</li>
+ <li>Fixes to the build.xml files</li>
+ <li>Better handling of @CheckReturnValue and @CheckForNull
+ annotations (also, some additional methods searched for check
+ return value and check for null)</li>
+ <li>Fixed some stream-closing bugs (one by <tt>z-fb-user</tt>/Dave
+ Brosius)
+ </li>
+ <li>Bug priority changes
+ <ul>
+ <li>increase priority of ignoring return value of
+ java.sql.Connection methods</li>
+ <li>increase priority of comparing classes like Integer
+ using <tt>==</tt>
+ </li>
+ <li>decrease priority of IT_NO_SUCH_ELEMENT if we see any
+ call to <tt>next()</tt>
+ </li>
+ <li>tweak priority of NM_METHOD_CONSTRUCTOR_CONFUSION</li>
+ <li>decrease priority of RV_RETURN_VALUE_IGNORED for an
+ inherited annotation that doesn't return same type as class</li>
+ </ul>
+ </li>
+ <li>Updated bug explanations
+ <ul>
+ <li>RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE</li>
+ <li>DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED</li>
+ <li>IMA_INEFFICIENT_MEMBER_ACCESS (Dave Brosius)</li>
+ <li>some Japanese improvements to messages_ja.xml ( <tt>ruimo</tt>)
+ </li>
+ <li>some German improvements to findbugs_de.properties (Dave
+ Brosius, <tt>dvholten</tt>)
+ </li>
+ </ul>
+ </li>
+ <li>Updated test case files
+ <ul>
+ <li>BadIntegerOperations.java</li>
+ <li>SecondKaboom.java</li>
+ <li>OpenDatabase.java (Dave Brosius)</li>
+ <li>FindOpenStream.java (Dave Brosius)</li>
+ <li>BadRandomInt.java</li>
+ </ul>
+ </li>
+ <li>Source-lines info maintained for methods (handy for
+ abstract and native methods)</li>
+ <li>Remove surrounding opcodes from source line annotations</li>
+ <li>Better error when can't read file</li>
+ <li>Swing GUI: removed console pane from FindBugsFrame, fix
+ missing classes bug</li>
+ <li>Fixes to OpcodeStack.java</li>
+ <li>Detectors may attach a custom value to an OpcodeStack.Item
+ (Dave Brosius)</li>
+ <li>Filter.java: ability to add text messages to XML output,
+ fix bug with <tt>-withMessages</tt>
+ </li>
+ <li>SourceInfoMap supports ranges of source lines</li>
+ <li>Ant task supports the <tt>timestampNow</tt> attribute
+ </li>
+ </ul>
+
+ <p>Changes since version 0.9.3:</p>
+ <ul>
+ <li>Substantial rework of datamining code</li>
+ <li>Removed bogus warnings about await on things other than
+ Condition not being in a loop</li>
+ <li>Fixed bug in OpcodeStack handling of dup2 of long/double
+ values</li>
+ <li>Don't report array types as missing classes</li>
+ <li>Adjustment of some warnings on ignored return values</li>
+ <li>Added thread safety annotations from Java Concurrency in
+ Practice (no detectors written for these yet)</li>
+ <li>Added annotation for methods that, if overridden, should
+ be invoked by overriding methods via a call to super</li>
+ <li>Updated -html:fancy.xsl (Etienne Giraudy)</li>
+ </ul>
+
+ <p>Note: there was no version 0.9.2</p>
+
+ <p>Changes since version 0.9.1:</p>
+ <ul>
+ <!-- New detectors -->
+ <li>Embellish USM to find abstract methods that implement an
+ interface method (Dave Brosius)</li>
+ <li>New detector to find stores of literal booleans inside if
+ or while expressions (Dave Brosius)</li>
+ <li>New style detector to find final classes that declare
+ protected fields (Dave Brosius)</li>
+ <li>New detector to find subclass methods that simply forward,
+ verbatim, to the super class (Dave Brosius)</li>
+ <li>Detector to find instances where code is attempting to
+ write an object out via an implementation of DataOutput, but the
+ object is not guaranteed to be Serializable (Jon Christiansen,
+ Bill Pugh)</li>
+
+ <!-- Feature enhancements -->
+ <li>Large (35%) analysis speedup (Bill Pugh)</li>
+ <li>Add line numbers to Swing GUI code panel (Dave Brosius)</li>
+ <li>Added effort options to Swing GUI (Dave Brosius)</li>
+ <li>Add ability to specify bugs file to open from command line
+ for GUI version, through -loadbugs (Phillip Martin)</li>
+ <li>New stylesheet for generating HTML: use option <tt>-html:plain.xsl</tt>
+ (Chris Nappin)
+ </li>
+ <li>New stylesheet for generating HTML: use option <tt>-html:fancy.xsl</tt>
+ (Etienne Giraudy)
+ </li>
+ <li>Updated Japanese bug message translations (Shisei Hanai)</li>
+
+ <!-- Bug fixes -->
+ <li>XHTML compliance fixes for bug details (Etienne Giraudy)</li>
+ <li>Various detector fixes (Shisei Hanai)</li>
+ <li>Fixed bugs in the project preferences dialog int the
+ Eclipse plugin (Takashi Okamoto, Thomas Einwaller)</li>
+ <li>Lowered priority of analysis thread in Swing GUI (David
+ Hovemeyer, suggested by Shisei Hanai and Jeffrey W. Badorek)</li>
+ <li>Fixed EclipsePlugin to correctly pick up auxclasspath
+ entries (Jon Christiansen)</li>
+ </ul>
+
+ <p>Changes since version 0.9.0:</p>
+ <ul>
+ <li>Fixed dependence on JRE 1.5: all features should work on
+ JRE 1.4 again</li>
+ <li>Fixed -effort command line option handling for Swing GUI</li>
+ <li>Fixed conserveSpace and workHard attributes int Ant task</li>
+ <li>Added support for effort attribute in Ant task</li>
+ </ul>
+
+ <p>Changes since version 0.8.8:</p>
+ <ul>
+ <!-- New detectors and bug patterns -->
+ <li>XMLFactoryBypass detector to find direct allocation of xml
+ class implementations (Dave Brosius)</li>
+ <li>InefficientMemberAccess detector to find accesses to
+ owning class private members (Dave Brosius)</li>
+ <li>DuplicateBranches detector checks switch statements too
+ (Dave Brosius)</li>
+
+ <!-- Feature enhancements -->
+ <li>FindBugs available from findbugs.sourceforge.net as Java
+ Web Start application (Dave Brosius)</li>
+ <li>Updated Japanese bug message translations (Shisei Hanai)</li>
+ <li>Improved bug detail message for covariant equals() (Shisei
+ Hanai)</li>
+ <li>Modeling of instanceof checks is now enabled by default,
+ making the bad cast detector much more useful (Bill Pugh, David
+ Hovemeyer)</li>
+ <li>Support for detector ordering constraints in plugin
+ descriptor (David Hovemeyer)</li>
+ <li>Simpler option to control analysis effort: -effort: <i>value</i>,
+ where <i>value</i> is one of <code> min </code> , <code>
+ default </code> , or <code> max </code> (David Hovemeyer)
+ </li>
+ <li>Using -effort:max, FindNullDeref checks for null arguments
+ passed to methods which dereference them unconditionally (David
+ Hovemeyer)</li>
+ <li>FindNullDeref checks @Null and @NonNull annotations for
+ parameters and return values (David Hovemeyer)</li>
+
+ <!-- Bug fixes -->
+ </ul>
+
+ <p>Changes since version 0.8.7:</p>
+
+ <ul>
+ <!-- New detectors and bug patterns -->
+ <li>New detector to find duplicate code in if/else statements
+ (Dave Brosius)</li>
+ <li>Look for calls to wait() on Condition objects (David
+ Hovemeyer)</li>
+ <li>Look for java.util.concurrent.Lock objects not released on
+ every path out of method (David Hovemeyer)</li>
+ <li>Look for calls to Thread.sleep() with a lock held (David
+ Hovemeyer)</li>
+ <li>More accurate detection of impossible casts (Bill Pugh,
+ David Hovemeyer)</li>
+
+ <!-- Feature enhancements -->
+ <li>Saved XML now contains project statistics (Jay Dunning)</li>
+ <li>Filter files can select by bug pattern type and warning
+ priority (David Hovemeyer)</li>
+
+ <!-- Bug fixes -->
+ <li>Restored some files inadvertently omitted from previous
+ release (Rohan Lloyd, David Hovemeyer)</li>
+ <li>Make sure detectors requiring JDK 1.5 runtime classes are
+ only executed if those classes are available (David Hovemeyer)</li>
+ <li>Don't display analysis error dialog unless there is really
+ an error (David Hovemeyer)</li>
+ <li>Updated and expanded French translations of bug patterns
+ and Swing GUI (Olivier Parent)</li>
+ <li>Fixed invalid character encoding in German Swing GUI
+ translation (Olivier Parent)</li>
+ <li>Fix locale used for date format in project stats (K.
+ Hashimoto)</li>
+ <li>Fixed LongDescription elements in xml:withMessages output
+ format (K. Hashimoto)</li>
+ </ul>
+
+ <p>Changes since version 0.8.6:</p>
+
+ <ul>
+ <!-- new detectors -->
+ <li>Extend Naming detector to look for classes that are named
+ XXXException but that are not Exceptions (Dave Brosius)</li>
+ <li>New detector to find classes that expose semaphores in the
+ public implementation through the 'this' reference. (Dave Brosius)
+ </li>
+ <li>New Style detector to find Struts Action/Servlet derived
+ classes that reference instance member variable not in
+ synchronized blocks. (Dave Brosius)</li>
+ <li>New Style detector to find classes that declare
+ implementation of interfaces that are already implemented by super
+ classes (Dave Brosius)</li>
+ <li>New Style detector to find circular dependencies between
+ classes (Dave Brosius)</li>
+ <li>New Style detector to find unnecessary math on constants
+ (Dave Brosius)</li>
+ <li>New detector to find equality comparisons using floating
+ point math (Jay Dunning)</li>
+ <li>New faster detector to find local self assignments (Bill
+ Pugh)</li>
+ <li>New detector to find infinite recursive loops (Bill Pugh)
+ </li>
+ <li>New detector to find for loops with an incorrect increment
+ (Bill Pugh)</li>
+ <li>New detector to find suspicious uses of
+ BufferedReader.readLine() and String.indexOf() (Bill Pugh)</li>
+ <li>New detector to find suspicious integer to double casts
+ (David Hovemeyer, Bill Pugh)</li>
+ <li>New detector to find invalid regular expression patterns
+ (Bill Pugh)</li>
+ <li>New detector to find Bloch/Gafter Java puzzlers (Bill
+ Pugh)</li>
+
+ <!-- feature enhancements -->
+ <li>New system property to suppress reporting of DLS based on
+ local variable name (Glenn Boysko)</li>
+ <li>Enhancements to configuration dialog in Eclipse plugin,
+ allow for saving enabled detectors in Eclipse projects (Phil
+ Crosby)</li>
+ <li>Sortable columns in detector dialog (Dave Brosius)</li>
+ <li>New tab in gui for showing bugs grouped by category (Dave
+ Brosius)</li>
+ <li>Improved German translation of Swing GUI (Thomas Kuehne)</li>
+ <li>Improved source file reporting in Emacs output format (Len
+ Trigg)</li>
+ <li>Improvements to redundant null comparison detector (Bill
+ Pugh)</li>
+ <li>Localization of run analysis and analysis error dialogs in
+ Swing GUI (K. Hashimoto)</li>
+
+ <!-- Bug fixes -->
+ <li>Don't scan equals methods in FindHEMismatch if code is
+ native (Greg Bentz)</li>
+ <li>French translation fixes (David Cotton)</li>
+ <li>Internationalization report fixes (K. Hashimoto)</li>
+ <li>Japanese translations updates (SHISEI Hanai)</li>
+ </ul>
+
+ <p>Changes since version 0.8.5:</p>
+ <ul>
+ <!-- new detectors -->
+ <li>New detector to find catch blocks that may inadvertently
+ catch runtime exceptions (Brian Goetz)</li>
+ <li>New detector to find objects that are instantiated based
+ on classes that only have static methods and fields, using the
+ synthesized constructor (Dave Brosius)</li>
+ <li>New detector to find calls to Thread.interrupted() in a
+ non static context, and especially with non currentThread()
+ threads (Dave Brosius)</li>
+ <li>New detector to find calls to equals() methods that use
+ Object's version. (Dave Brosius)</li>
+ <li>New detector to find Applets that call methods in the
+ constructor refering to the AppletStub (Dave Brosius)</li>
+ <li>New detector to find some cases of infinite recursion
+ (Bill Pugh)</li>
+ <li>New detector to find dead stores to local variables (David
+ Hovemeyer, Bill Pugh)</li>
+ <li>Extend Dumb Method detector for toUpperCase(),
+ toLowerCase() without a locale, new Integer(1).toString(), new
+ XXX().getClass(), and new Thread() without a run implementation
+ (Dave Brosius) <!-- feature enhancements -->
+ </li>
+ <li>Ant task supports "errorProperty" attribute, which sets an
+ Ant property to "true" if an error occurs running FindBugs
+ (Michael Tamm)</li>
+ <li>Eclipse plugin allows filtering of warnings by bug
+ category, priority (David Hovemeyer)</li>
+ <li>Swing GUI allows filtering of warnings by bug category
+ (David Hovemeyer)</li>
+ <li>Ability to annotate methods using Java 1.5 annotations
+ that suppress FindBugs warnings (Bill Pugh)</li>
+ <li>New -adjustExperimental for lowering priority of
+ BugPatterns that are experimental (Dave Brosius)</li>
+ <li>Allow for command line options 'files' using the @ symbol
+ (David Hovemeyer)</li>
+ <li>New -adjustPriority command line option to for adjusting
+ bug priorites (David Hovemeyer)</li>
+ <li>Added an Edit menu (cut/copy/paste) to Swing GUI (Dave
+ Brosius)</li>
+ <li>French translation supplied (David Cotton) <!-- Bug fixes -->
+ </li>
+ </ul>
+
+ <p>Changes since version 0.8.4:</p>
+ <ul>
+ <!-- new detectors -->
+ <li>New detector for volatile references to arrays (Bill Pugh)
+ </li>
+ <li>New detector to find instanceof usage where inheritance
+ can be determined statically (Dave Brosius)</li>
+ <li>New detector to find ResultSet.getXXX updateXXX calls
+ using index 0 (Dave Brosius)</li>
+ <li>New detector to find empty zip or jar entries (Bill Pugh)
+
+ <!-- feature enhancements -->
+ </li>
+ <li>HTML output generation using built-in XSLT stylesheet or
+ user-defined stylesheet (David Hovemeyer)</li>
+ <li>Allow URLs to be specified to analyze zip/jar files, local
+ directories, and single classfiles (David Hovemeyer)</li>
+ <li>New command line option -onlyAnalyze restricts analysis to
+ selected classes and packages without reducing accuracy (David
+ Hovemeyer)</li>
+ <li>Allow Swing GUI to show source code in jar files on
+ Windows systems (Dave Brosius) <!-- Bug fixes -->
+ </li>
+ <li>Fix the Switch Fall Thru detector (Dave Brosius, David
+ Hovemeyer, Bill Pugh)</li>
+ <li>MacOS GUI fixes (Rohan Lloyd)</li>
+ <li>Fix false positive in BOA in case where method is
+ correctly and 'incorrectly' overridden (Dave Brosius)</li>
+ <li>Fixed memory blowup when analyzing methods which access a
+ large number of fields (David Hovemeyer)</li>
+ </ul>
+
+ <p>Changes since version 0.8.3:</p>
+ <ul>
+ <li>Initial and preliminary localization of the Swing
+ GUI.&nbsp; Translations by:
+ <ul>
+ <li>German - Peter D. Stout, Holger Stenzhorn</li>
+ <li>Finnish - Juha Knuutila</li>
+ <li>Estonian - Tanel Lebedev</li>
+ <li>Japanese - Hanai Shisei</li>
+ </ul>
+ </li>
+ <li>Eliminated debug print statements inadvertently left
+ enabled</li>
+ <li>Reverted some changes in the open stream detector: this
+ should fix some false positives that were introduced in the
+ previous release</li>
+ <li>Fixed a couple missing class reports</li>
+ </ul>
+
+ <p>Changes since version 0.8.2:</p>
+ <ul>
+
+ <!-- New detectors -->
+ <li>New detector to find improperly overridden GUI Adapter
+ classes (Dave Brosius)</li>
+ <li>New detector to find improperly setup JUnit TestCases
+ (Dave Brosius)</li>
+ <li>New detector to find variables that mask class level
+ fields (Dave Brosius)</li>
+ <li>New detector to find comparisons of values computed with
+ bitwise operators that always yield the same result (Tom Truscott)
+ </li>
+ <li>New detector to find unsafe getClass().getResource() calls
+ (Bill Pugh)</li>
+ <li>New detector to find GUI changes not in GUI thread but in
+ static main (Bill Pugh)</li>
+ <li>New detector to find calls to Collection.toArray() with
+ zero-length array argument; it is more efficient to pass an array
+ the size of the collection, which can be populated and returned as
+ the result (Dave Brosius) <!-- Analysis improvements -->
+ </li>
+ <li>Better suppression of false warnings in various detectors
+ (Bill Pugh, David Hovemeyer)</li>
+ <li>Enhancement to ReadReturnShouldBeChecked detector for
+ skip() (Dave Brosius)</li>
+ <li>Enhancement to DumbMethods detector (Dave Brosius)</li>
+ <li>Open stream detector does not report wrappers of streams
+ passed as method parameters (David Hovemeyer) <!-- Feature enhancements -->
+ </li>
+ <li>Cancel confirmation dialog in Swing GUI (Pete Angstadt)</li>
+ <li>Better relative path saving in Project file (Dave Brosius)
+ </li>
+ <li>Detector Priority in GUI is now saved in prefs file (Dave
+ Brosius)</li>
+ <li>Controls in GUI to reorder source and classpath entries,
+ and ability to flip between Project details and bugs pages (Dave
+ Brosius)</li>
+ <li>In Swing GUI, analysis error dialog supports "Select All"
+ and "Copy" operations for easy generation of error reports (Dave
+ Brosius)</li>
+ <li>Complete translation of bug descriptions and messages into
+ Japanese (Hanai Shisei) <!-- Bug fixes -->
+ </li>
+ <li>Fixed bug in DroppedException detector (Dave Brosius) <!-- Development stuff -->
+ </li>
+ <li>The source distribution defaults to using JDK 1.5 javac to
+ compile, but support for compiling with JSR-14 prototype is still
+ supported</li>
+ </ul>
+
+ <p>Changes since version 0.8.1:</p>
+ <ul>
+ <li>Fixed a critical ClassCastException bug (triggered if the
+ -workHard option was used, and an exception type was merged with
+ an array type during type inference)</li>
+ </ul>
+
+ <p>Changes since version 0.8.0:</p>
+ <ul>
+ <li>Disabled SwitchFallthrough detector to work around
+ NullPointerExceptions</li>
+ <li>Added some additional false positive suppression
+ heuristics</li>
+ </ul>
+
+ <p>Also, two contributors to the 0.8.0 release were
+ inadvertently left out of the credits:</p>
+ <ul>
+ <li>Pete Angstadt fixed several problems in the Swing GUI</li>
+ <li>Francis Lalonde provided a task resource file for the
+ FindBugs Ant task</li>
+ </ul>
+
+ <p>Changes since version 0.7.4:</p>
+ <ul>
+ <li>New detector to look for uses of "+" operator to
+ concatenate String objects in a loop (Dave Brosius)</li>
+ <li>Reference comparison detector looks for places where the
+ argument passed to the equals(Object) method isn't the same type
+ as the receiver object</li>
+ <li>Better suppression of false warnings in many detectors</li>
+ <li>Many improvements to Eclipse plugin (Andrey Loskutov,
+ Peter Friese)</li>
+ <li>Fixed problem with building Eclipse plugin on Windows
+ (Thomas Klaeger)</li>
+ <li>Open stream detector looks for unclosed PreparedStatement
+ objects (Thomas Klaeger, Rohan Lloyd)</li>
+ <li>Fix for open stream detector: it wasn't detecting close()
+ methods called through an invokeinterface instruction (Thomas
+ Klaeger)</li>
+ <li>Refactoring of visitor classes to enforce use of accessors
+ for visited class features (Brian Goetz)</li>
+ </ul>
+
+ <p>Changes since version 0.7.3:</p>
+ <ul>
+ <li>Experimental modification of open stream detector to look
+ for non-escaping JDBC resources (connections and statements) that
+ aren't closed on all paths out of method</li>
+ <li>Eclipse plugin fixed so it compiles and runs on Eclipse
+ 2.1.x (Peter Friese)</li>
+ <li>Option to Swing GUI and command line to generate project
+ file using relative paths for archives, source directories, and
+ aux classpath entries (Dave Brosius)</li>
+ <li>Improvements to findbugs.bat script for launching FindBugs
+ on Windows (Dave Brosius)</li>
+ <li>Updated Japanese message translations (Hiroshi Okugawa)</li>
+ <li>Uncalled private methods are now reported as low priority,
+ unless they have the same name as another method in the class
+ (which is more likely to indicate an actual bug)</li>
+ <li>Added some missing data in the bug messages XML files</li>
+ <li>Fixed some problems building from source on Windows
+ systems</li>
+ <li>Various minor bug fixes</li>
+ </ul>
+
+ <p>Changes since version 0.7.2:</p>
+ <ul>
+ <li>Enhanced Eclipse plugin, which displays the detailed bug
+ description in a view (Phil Crosby)</li>
+ <li>Various tweaks to existing detectors to reduce false
+ warnings</li>
+ <li>New command line option <code> -workHard </code> enables
+ pruning of infeasible or unlikely exception edges, which results
+ in better accuracy in the open stream detector, at the expense of
+ a 30%-100% slowdown
+ </li>
+ <li>New website and HTML documentation design</li>
+ <li>Documentation includes an HTML document with descriptions
+ of all bug patterns reported by FindBugs</li>
+ <li>Web page has a link to a <a
+ href="http://www.simeji.com/findbugs/doc/manual_ja/index.html">Japanese
+ translation</a> of the FindBugs manual, contributed by Hiroshi
+ Okugawa
+ </li>
+ <li>Changed the Inconsistent Synchronization detector so that
+ fields synchronized 50% of the time (or more) are reported as
+ medium priority bugs (previously they were reported as low)</li>
+ <li>New detector to find code that catches
+ IllegalMonitorStateException</li>
+ <li>New detector to find private methods that are never called
+ </li>
+ <li>New detector to find suspicious uses of
+ non-short-circuiting boolean operators ( <code> &amp; </code> and
+ <code> | </code> , rather than <code> &amp;&amp; </code> and <code>
+ || </code> )
+ </li>
+ </ul>
+
+ <p>Changes since version 0.7.1:</p>
+ <ul>
+ <li>Incorporated patched version of BCEL, which allows classes
+ compiled with JDK 1.5.0 beta to be analyzed</li>
+ <li>Fixed some bugs related to lookups of array classes</li>
+ <li>Fixed bug that prevented GUI from loading XML result files
+ when running under JDK 1.5.0 beta</li>
+ <li>Added new experimental bug detector, LazyInit, which looks
+ for potentially buggy lazy initializations of static fields</li>
+ <li>Because of long filenames, switched to distributing the
+ source archive as a zip file rather than a tar file</li>
+ <li>The 0.7.1 source tarfile was botched - 0.7.2 has a valid
+ source archive</li>
+ <li>Fixed some problems in the Ant build script</li>
+ <li>Fixed NullPointerException when checking Class-Path
+ attribute for Jar files without manifests</li>
+ <li>Generate version numbers for the core and UI Eclipse
+ plugins using the Version class; all version numbers are now in a
+ common location</li>
+ </ul>
+
+ <p>Changes since version 0.7.0:</p>
+ <ul>
+ <li>Eclipse plugin (contributed by Peter Friese)</li>
+ <li>Source package structure rearranged: all source (other
+ than Eclipse plugin UI) is in the edu.umd.cs.findbugs package, or
+ a subpackage</li>
+ <li>Class-Path attributes of manifests of analyzed jar files
+ are used to set the aux classpath automatically (Peter D. Stout)</li>
+ <li>GUI starts in directory specified by user.home property
+ (Peter D. Stout)</li>
+ <li>Added -project option to GUI (Mikko T.)</li>
+ <li>Added -look:{plastic,gtk,native} option to GUI, for
+ setting look and feel (Mikko T.)</li>
+ <li>Fixed DataflowAnalysisException in inconsistent
+ synchronization detector</li>
+ <li>Ant task supports failOnError parameter (Rohan Lloyd)</li>
+ <li>Serializable class warnings are downgraded to low priority
+ for GUI classes</li>
+ <li>MWN detector will only report calls to wait(), notify(),
+ and notifyAll() methods that have the correct signature</li>
+ <li>FindBugs works with latest CVS version of BCEL</li>
+ <li>Zip and Jar files may be added to the source path</li>
+ <li>The GUI will automatically find source files residing in
+ analyzed Zip or Jar files</li>
+ </ul>
+
+ <p>Note that the version number jumped from 0.6.6 to 0.6.9;
+ there were no 0.6.7 or 0.6.8 releases.</p>
+ <p>Changes since version 0.6.9:</p>
+ <ul>
+ <li>Added -conserveSpace option to reduce memory use at the
+ expense of analysis precision</li>
+ <li>Bug fixes in findbugs.bat script: JAVA_HOME handling,
+ autodetection of FINDBUGS_HOME, missing output with -textui</li>
+ <li>Fixed NullPointerException when a missing class is
+ encountered</li>
+ </ul>
+
+ <p>Changes since version 0.6.6:</p>
+ <ul>
+ <li>The null pointer dereference detector is more powerful</li>
+ <li>Significantly improved heuristics and bug fixes in
+ inconsistent synchronization detector</li>
+ <li>Improved heuristics in open stream and dropped exception
+ detectors; fewer false positives should be reported</li>
+ <li>Save HTML summary in XML results files, rather than
+ recomputing; this makes loading results in GUI much faster</li>
+ <li>Report at most one String comparison using == or != per
+ method</li>
+ <li>The findbugs.bat script on Windows autodetects
+ FINDBUGS_HOME, and doesn't open a DOS window when launching the
+ GUI (contributed by TJSB)</li>
+ <li>Emacs reporting format (contributed by David Li)</li>
+ <li>Various bug fixes</li>
+ </ul>
+
+ <p>Changes since 0.6.5:</p>
+ <ul>
+ <li>Rewritten inconsistent synchronization detector; accuracy
+ is significantly improved, and bug reports are prioritized</li>
+ <li>New detector to find self assignment (x=x) of local
+ variables (suggested by Jeff Martin)</li>
+ <li>New detector to find calls to wait(), notify(), and
+ notifyAll() on an object which is not obviously locked</li>
+ <li>Open stream detector now reports Readers and Writers</li>
+ <li>Fixed bug in finalizer idioms detector which caused
+ spurious warnings about failure to call super.finalize() (reported
+ by Jim Menard)</li>
+ <li>Fixed bug where output stream was not closed using non-XML
+ output (reported by Sigiswald Madou)</li>
+ <li>Fixed corrupted HTML bug detail message (reported by
+ Trevor Harmon)</li>
+ </ul>
+
+ <p>Changes since version 0.6.4:</p>
+ <ul>
+ <li>For redundant comparison of reference values, fixed false
+ positives resulting from duplication of code in finally blocks</li>
+ <li>Fixed false positives resulting from wrapped byte array
+ streams left open</li>
+ <li>Fixed bug in Ant task preventing output file from working
+ properly if a relative path was used</li>
+ </ul>
+
+ <p>Changes since version 0.6.3:</p>
+ <ul>
+ <li>Fixed bug in Ant task where output would be corrupted, and
+ added a <code> timeout </code> attribute
+ </li>
+ <li>Added -outputFile option to text UI, for explicitly
+ specifying an output file</li>
+ <li>GUI has a summary window, for statistics about overall bug
+ densities (contributed by Mike Fagan)</li>
+ <li>Find redundant comparisons of reference values</li>
+ <li>More accurate detection of Strings compared with == and !=
+ operators</li>
+ <li>Detection of other reference types which should generally
+ not be compared with == and != operators; Boolean, Integer, etc.</li>
+ <li>Find non-transient non-serializable instance fields in
+ Serializable classes</li>
+ <li>Source code may be compiled with latest early access
+ generics-enabled javac (version 2.2)</li>
+ </ul>
+
+ <p>Changes since version 0.6.2:</p>
+ <ul>
+ <li>GUI supports filtering bugs by priority</li>
+ <li>Ant task rewritten; supports all functionality offered by
+ Text UI (contributed by Mike Fagan)</li>
+ <li>Ant task is fully documented in the manual</li>
+ <li>Classes in nested archives are analyzed; this allows full
+ support for analyzing .ear and .war files (contributed by Mike
+ Fagan)</li>
+ <li>DepthFirstSearch changed to use non-recursive
+ implementation; this should fix the StackOverflowErrors that
+ several users reported</li>
+ <li>Various minor bugfixes and improvements</li>
+ </ul>
+
+ <p>Changes since version 0.6.1:</p>
+ <ul>
+ <li>New detector to look for useless control flow (suggested
+ by Richard P. King and Mike Fagan)</li>
+ <li>Look for places where return value of
+ java.io.File.createNewFile() is ignored (suggested by Richard P.
+ King)</li>
+ <li>Fixed bug in resolution of source files (only the first
+ source directory was searched)</li>
+ <li>Fixed a NullPointerException in the bytecode pattern
+ matching code</li>
+ <li>Ant task supports project files (contributed by Mike
+ Fagan)</li>
+ <li>Unix findbugs script honors the <code> JAVA_HOME </code>
+ environment variable (contributed by Pedro Morais)
+ </li>
+ <li>Allow .war and .ear files to be analyzed</li>
+ </ul>
+
+ <p>Changes since version 0.6.0:</p>
+ <ul>
+ <li>New bug pattern detector which looks for places where a
+ null pointer might be dereferenced</li>
+ <li>New bug pattern detector which looks for IO streams that
+ are opened, do not escape the method, and are not closed on all
+ paths out of the method</li>
+ <li>New bug pattern detector to find methods that can return
+ null instead of a zero-length array</li>
+ <li>New bug pattern detector to find places where the == or !=
+ operators are used to compare String objects</li>
+ <li>Command line interface can save bugs as XML</li>
+ <li>GUI can save bugs to and load bugs from XML</li>
+ <li>An "Annotations" window in the GUI allows the user to add
+ textual annotations to bug reports; these annotations are
+ preserved when bugs are saved as XML</li>
+ <li>In this release, the Japanese bug summary translations by
+ Germano Leichsenring are really included (they were inadvertently
+ omitted in the previous release)</li>
+ <li>Completely rewrote the control flow graph builder,
+ hopefully for the last time</li>
+ <li>Simplified implementation of control flow graphs, which
+ should reduce memory use and possibly improve performance</li>
+ <li>Improvements to command line interface (list bug
+ priorities, filter by priority, specify aux classpath, specify
+ project to analyze)</li>
+ <li>Various bug fixes and enhancements</li>
+ </ul>
+
+ <p>Changes since version 0.5.4</p>
+ <ul>
+ <li>Added an <a href="http://ant.apache.org/">Ant</a> task for
+ FindBugs, contributed by Mike Fagan.
+ </li>
+ <li>Added a GUI dialog which allows individual bug pattern
+ detectors to be enabled or disabled.&nbsp; Disabling certain slow
+ detectors can greatly speed up analysis of large programs, at the
+ expense of reducing the number of potential bugs found.</li>
+ <li>Added a new detector for finding improperly ignored return
+ values for methods such as <code> String.trim() </code> .&nbsp;
+ Suggested by Andreas Mandel.
+ </li>
+ <li>Japanese translations of the bug summaries, contributed by
+ Germano Leichsenring.</li>
+ <li>Filtering of results is supported in command line
+ interface. See the <a href="manual/index.html">FindBugs manual</a>
+ for details.
+ </li>
+ <li>Added "byte code patterns", a general pattern matching
+ infrastructure for bytecode instructions.&nbsp; This feature
+ significantly reduces the complexity of implementing new bug
+ pattern detectors.</li>
+ <li>Enabled a new general dataflow analysis to track values in
+ methods.</li>
+ <li>Switched to new control-flow graph builder implementation.
+ </li>
+ </ul>
+
+ <p>Changes since version 0.5.3</p>
+ <ul>
+ <li>Fixed a bug in the script used to launch FindBugs on
+ Windows platforms.</li>
+ <li>Fixed crashes when analyzing class files without source
+ line information.</li>
+ <li>All major errors are reported using an error dialog; file
+ not found errors are more informative.</li>
+ <li>Minor GUI improvements.</li>
+ </ul>
+
+ <p>Changes since version 0.5.2</p>
+ <ul>
+ <li>All of the source code and related files are in a single
+ directory tree.</li>
+ <li>Updated some of the detectors to produce source line
+ information.</li>
+ <li><a href="http://ant.apache.org/">Ant</a> build script and
+ several GUI enhancements and fixes contributed by Mike Fagan.</li>
+ <li>Converted to use a <a href="AddingDetectors.txt">plugin
+ architecture</a> for loading bug detectors.
+ </li>
+ <li>Eliminated generics-related compiler warnings.</li>
+ <li>More complete documentation has been added.</li>
+ </ul>
+
+ <p>Changes since version 0.5.1:</p>
+ <ul>
+ <li>Fixed a large number of bugs in the BCEL Repository and
+ FindBugs's use of the Repository.&nbsp; With these changes,
+ FindBugs should <em>never</em> crash or otherwise misbehave
+ because of Repository lookup failures.&nbsp; Because of these
+ changes, you must use a modified version of <code> bcel.jar
+ </code> with FindBugs.&nbsp; This jar file is included in the FindBugs
+ 0.5.2 binary release.&nbsp; A complete patch containing the <a
+ href="http://faculty.ycp.edu/~dhovemey/bcel-30-April-2003.patch">modifications
+ against the BCEL CVS main branch as of April 30, 2003</a> is also
+ available.
+ </li>
+ <li>Implemented the "auxiliary classpath entry list".&nbsp;
+ Aux classpath entries can be added to a project to provide classes
+ that are referenced by the analyzed application, but should not
+ themselves be analyzed.&nbsp; Having all referenced classes
+ available allows FindBugs to produce more accurate results.</li>
+ </ul>
+
+ <p>Changes since version 0.5.0:</p>
+ <ul>
+ <li>Many user interface bugs have been fixed.</li>
+ <li>Upgraded to a recent CVS version of BCEL, with some bug
+ fixes.&nbsp; This should prevent FindBugs from crashing when there
+ is a failure to find a class on the classpath.</li>
+ <li>Added support for Plastic look and feel from <a
+ href="http://www.jgoodies.com/">jgoodies.com</a>.
+ </li>
+ <li>Major overhaul of infrastructure for doing dataflow
+ analysis.</li>
+ </ul>
<hr> <p>
<script language="JavaScript" type="text/javascript">
<!---//hide script from old browsers
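Review bot: the added changelog text carries typos that are better reported upstream than patched in this import: "int the Eclipse plugin" in the 0.9.1 list, "int Ant task" in the 0.9.0 list, and "refering" and "option to for adjusting bug priorites" in the 0.8.5 list. Several section comments also sit inside list items, for example `(Dave Brosius) <!-- feature enhancements -->` and `(David Cotton) <!-- Bug fixes -->`, so they no longer mark the boundary between groups of entries. If this file is meant to match the FindBugs 2.0.3 release, keep it byte-for-byte identical to what upstream ships so the vendored copy stays diffable against the release, and say so in README.chromium.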
@@ -3540,11 +2800,11 @@ document.write( "Last updated "+ document.lastModified + "." );
<p>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=96405&amp;type=5" width="210" height="62" border="0" alt="SourceForge.net Logo" /></A>
- </td>
+ </td>
- </tr>
- </table>
+ </tr>
+ </table>
- </body>
+</body>
</html>