Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(1416)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: doc/Changes.html

Issue 594833004: Roll FindBugs from 2.0.3 to 3.0.0 (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/findbugs.git@master
Patch Set: Created 6 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « README.chromium ('k') | doc/FAQ.html » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: doc/Changes.html
diff --git a/doc/Changes.html b/doc/Changes.html
index 21b4551e1eab6bbf26e31f876a2faf62c2672315..c18d78ae58bcfa531c60c48b33796def478c657a 100644
--- a/doc/Changes.html
+++ b/doc/Changes.html
@@ -8,10 +8,10 @@
<body>
- <table width="100%">
- <tr>
+ <table width="100%">
+ <tr>
-
+
<td bgcolor="#b9b9fe" valign="top" align="left" width="20%">
<table width="100%" cellspacing="0" border="0">
<tr><td><a class="sidebar" href="index.html"><img src="umdFindbugs.png" alt="FindBugs"></a></td></tr>
@@ -19,18 +19,20 @@
<tr><td>&nbsp;</td></tr>
<tr><td><b>Docs and Info</b></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="findbugs2.html">FindBugs 2.0</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="demo.html">Demo and data</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="users.html">Users and supporters</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="http://findbugs.blogspot.com/">FindBugs blog</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="factSheet.html">Fact sheet</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="manual/index.html">Manual</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="ja/manual/index.html">Manual(ja/&#26085;&#26412;&#35486;)</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="FAQ.html">FAQ</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="bugDescriptions.html">Bug descriptions</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="mailingLists.html">Mailing lists</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="publications.html">Documents and Publications</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="links.html">Links</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="findbugs2.html">FindBugs 2.0</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="demo.html">Demo and data</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="users.html">Users and supporters</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="http://findbugs.blogspot.com/">FindBugs blog</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="factSheet.html">Fact sheet</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="manual/index.html">Manual</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="ja/manual/index.html">Manual(ja/&#26085;&#26412;&#35486;)</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="FAQ.html">FAQ</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="bugDescriptions.html">Bug descriptions</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="bugDescriptions_ja.html">Bug descriptions(ja/&#26085;&#26412;&#35486;)</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="bugDescriptions_fr.html">Bug descriptions(fr)</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="mailingLists.html">Mailing lists</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="publications.html">Documents and Publications</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="links.html">Links</a></font></td></tr>
<tr><td>&nbsp;</td></tr>
@@ -43,1444 +45,1497 @@
<tr><td>&nbsp;</td></tr>
<tr><td><b>Development</b></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="http://sourceforge.net/tracker/?group_id=96405">Open bugs</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="reportingBugs.html">Reporting bugs</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="contributing.html">Contributing</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="team.html">Dev team</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="api/index.html">API</a> <a class="sidebar" href="api/overview-summary.html">[no frames]</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="Changes.html">Change log</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="http://sourceforge.net/projects/findbugs">SF project page</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="http://code.google.com/p/findbugs/source/browse/">Browse source</a></font></td></tr>
-<tr><td><font size="-1"><a class="sidebar" href="http://code.google.com/p/findbugs/source/list">Latest code changes</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="http://sourceforge.net/tracker/?group_id=96405">Open bugs</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="reportingBugs.html">Reporting bugs</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="contributing.html">Contributing</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="team.html">Dev team</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="api/index.html">API</a> <a class="sidebar" href="api/overview-summary.html">[no frames]</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="Changes.html">Change log</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="http://sourceforge.net/projects/findbugs">SF project page</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="http://code.google.com/p/findbugs/source/browse/">Browse source</a></font></td></tr>
+<tr><td><font size="-1">&nbsp;<a class="sidebar" href="http://code.google.com/p/findbugs/source/list">Latest code changes</a></font></td></tr>
</table>
</td>
- <td align="left" valign="top">
-
-
- <h1>FindBugs Change Log, Version 2.0.3</h1>
- <ul>
- <li>New Bug patterns: <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_BOXED_PRIMITIVE_FOR_PARSING">DM_BOXED_PRIMITIVE_FOR_PARSING</a>,
- <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_METHOD_RETURN_RELAXING_ANNOTATION">NP_METHOD_RETURN_RELAXING_ANNOTATION</a>,
- and
- <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION">NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION</a>
- </li>
- <li>Add the ability in the GUI to save the currently viewable/filtered bugs to HTML output.
- <li>When dataflow does't terminate, make sure we continue with
- analysis.
-
- <li>Fix some problems that resulting in dataflow analysis not
- terminating
-
- <li>Get parameter annotations from default parameters
- annotations applied to the method.
- <li>Add subversion change number to eclipse plugin qualifier.
-
- <li>Disabled detector for <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#AM_CREATES_EMPTY_JAR_FILE_ENTRY">AM_CREATES_EMPTY_JAR_FILE_ENTRY</a>;
- it complaints inappropriately about code that creates directory
- entries.
-
- <li>Add warnings about incompatible types passed to
- org.testng.Assert.assertEquals</li>
- <li>Add logic that understands more of the Google Guava APIs.
- <li>Disable type qualifier validator execution within Eclipse plugin;
- too many problems with class loading and security manager (see #1154 Random obscure Eclipse failures)
- <li>Consistently check both access flags and attributes to see if something is synthetic. Compiler is
- inconsistent about where synthetic elements are marked.
-
- <li>Fixed false positives for the following bug patterns (17
- occurrences in findbugsTestCases):
- <ul>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BC">BC</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_INSTANCEOF">BC_IMPOSSIBLE_INSTANCEOF</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#INT_BAD_COMPARISON_WITH_NONNEGATIVE_VALUE">INT_BAD_COMPARISON_WITH_NONNEGATIVE_VALUE</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#IS2_INCONSISTENT_SYNC">IS2_INCONSISTENT_SYNC</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS">NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#OBL_UNSATISFIED_OBLIGATION">OBL_UNSATISFIED_OBLIGATION</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE">RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#SA_FIELD_SELF_COMPARISON">SA_FIELD_SELF_COMPARISON</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED">TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED</a>
- </li>
- </ul>
- <li>Fixed false negatives for the following bug patterns (45
- occurrences in findbugsTestCases):
- <ul>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_NUMBER_CTOR">DM_NUMBER_CTOR</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_ARRAY_AND_NONARRAY">EC_ARRAY_AND_NONARRAY</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE">EC_INCOMPATIBLE_ARRAY_COMPARE</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#IS_FIELD_NOT_GUARDED">IS_FIELD_NOT_GUARDED</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#IT_NO_SUCH_ELEMENT">IT_NO_SUCH_ELEMENT</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS">JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_ON_SOME_PATH">NP_NULL_ON_SOME_PATH</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_PARAM_VIOLATION">NP_NONNULL_PARAM_VIOLATION</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE">NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE">NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_STORE_INTO_NONNULL_FIELD">NP_STORE_INTO_NONNULL_FIELD</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#RE_POSSIBLE_UNINTENDED_PATTERN">RE_POSSIBLE_UNINTENDED_PATTERN</a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#SA_FIELD_SELF_COMPARISON">SA_FIELD_SELF_COMPARISON</a>
- </ul>
- </ul>
- <h1>FindBugs Change Log, Version 2.0.2</h1>
-
- <ul>
- <li>Fix false positions for <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR">NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR</a>
- - fixing <a
- href="https://sourceforge.net/tracker/?func=detail&aid=3547559&group_id=96405&atid=614693">Bug3547559</a>,
- <a
- href="https://sourceforge.net/tracker/?func=detail&aid=3555408&group_id=96405&atid=614693">Bug3555408</a>,
- <a
- href="https://sourceforge.net/tracker/?func=detail&aid=3580266&group_id=96405&atid=614693">Bug3580266</a>
- and <a
- href="https://sourceforge.net/tracker/?func=detail&aid=3587164&group_id=96405&atid=614693">Bug3587164</a>.
-
-
- </li>
- <li>Fix false positives for <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#SF_SWITCH_NO_DEFAULT">SF_SWITCH_NO_DEFAULT</a>
- <li>Inline access methods for private fields,
+ <td align="left" valign="top">
+
+
+ <h1>FindBugs Change Log, Version 3.0.0</h1>
+ <ul>
+ <li>FindBugs supports Java 8 now (both as runtime and target platform).
+ <li>FindBugs requires minimum Java 7 as runtime environment!
+ <li>FindBugs uses ASM 5 now which means that some 3rd party detectors based on FindBugs 2.x/ASM 3 has to be upgraded.
+ See details in <a href="http://download.forge.objectweb.org/asm/asm4-guide.pdf#chapter.5">ASM documentation</a>.
+ <li>New Bug patterns:
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_OPTIONAL_RETURN_NULL">NP_OPTIONAL_RETURN_NULL</a>,
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#IIO_INEFFICIENT_INDEX_OF">IIO_INEFFICIENT_INDEX_OF</a>,
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#IIO_INEFFICIENT_LAST_INDEX_OF">IIO_INEFFICIENT_LAST_INDEX_OF</a>
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#CNT_ROUGH_CONSTANT_VALUE">CNT_ROUGH_CONSTANT_VALUE</a>
+ </li>
+ <li>New "Source" filter which can be used to filter out classes generated from other languages:
+ <pre>
+ &lt;?xml version="1.0" encoding="UTF-8"?&gt;
+ &lt;FindBugsFilter&gt;
+ &lt;Match&gt;
+ &lt;Source name="~.*\.groovy" /&gt;
+ &lt;/Match&gt;
+ &lt;/FindBugsFilter&gt;
+ </pre>
+ </li>
+ <li>New "-auxclasspathFromFile" and "-analyzeFromFile" command line options.
+ </li>
+ <li>New "nested" ant task attribute.
+ </li>
+
+
+ <!--
+ <li>Fixed false positives for the following bug patterns (XXX occurrences in findbugsTestCases):
+ <ul>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#XXX">XXX</a>
+ </ul>
+ </li>
+
+ <li>Fixed false negatives for the following bug patterns (XXX occurrences in findbugsTestCases):
+ <ul>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#XXX">XXX</a>
+ </ul>
+ </li>
+ -->
+
+ <li>Various bug fixes, also many patches from community. Thanks for your contributions!
+ </li>
+ </ul>
+
+
+ <h1>FindBugs Change Log, Version 2.0.3</h1>
+ <ul>
+ <li>New Bug patterns: <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_BOXED_PRIMITIVE_FOR_PARSING">DM_BOXED_PRIMITIVE_FOR_PARSING</a>,
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_METHOD_RETURN_RELAXING_ANNOTATION">NP_METHOD_RETURN_RELAXING_ANNOTATION</a>,
+ and
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION">NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION</a>
+ </li>
+ <li>Add the ability in the GUI to save the currently viewable/filtered bugs to HTML output.
+ <li>When dataflow does't terminate, make sure we continue with
+ analysis.
+
+ <li>Fix some problems that resulting in dataflow analysis not
+ terminating
+
+ <li>Get parameter annotations from default parameters
+ annotations applied to the method.
+ <li>Add subversion change number to eclipse plugin qualifier.
+
+ <li>Disabled detector for <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#AM_CREATES_EMPTY_JAR_FILE_ENTRY">AM_CREATES_EMPTY_JAR_FILE_ENTRY</a>;
+ it complaints inappropriately about code that creates directory
+ entries.
+
+ <li>Add warnings about incompatible types passed to
+ org.testng.Assert.assertEquals</li>
+ <li>Add logic that understands more of the Google Guava APIs.
+ <li>Disable type qualifier validator execution within Eclipse plugin;
+ too many problems with class loading and security manager (see #1154 Random obscure Eclipse failures)
+ <li>Consistently check both access flags and attributes to see if something is synthetic. Compiler is
+ inconsistent about where synthetic elements are marked.
+
+ <li>Fixed false positives for the following bug patterns (17
+ occurrences in findbugsTestCases):
+ <ul>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC">BC</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_INSTANCEOF">BC_IMPOSSIBLE_INSTANCEOF</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#INT_BAD_COMPARISON_WITH_NONNEGATIVE_VALUE">INT_BAD_COMPARISON_WITH_NONNEGATIVE_VALUE</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#IS2_INCONSISTENT_SYNC">IS2_INCONSISTENT_SYNC</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS">NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#OBL_UNSATISFIED_OBLIGATION">OBL_UNSATISFIED_OBLIGATION</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE">RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SA_FIELD_SELF_COMPARISON">SA_FIELD_SELF_COMPARISON</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED">TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED</a>
+ </li>
+ </ul>
+ <li>Fixed false negatives for the following bug patterns (45
+ occurrences in findbugsTestCases):
+ <ul>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_NUMBER_CTOR">DM_NUMBER_CTOR</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_ARRAY_AND_NONARRAY">EC_ARRAY_AND_NONARRAY</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE">EC_INCOMPATIBLE_ARRAY_COMPARE</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#IS_FIELD_NOT_GUARDED">IS_FIELD_NOT_GUARDED</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#IT_NO_SUCH_ELEMENT">IT_NO_SUCH_ELEMENT</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS">JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_ON_SOME_PATH">NP_NULL_ON_SOME_PATH</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_PARAM_VIOLATION">NP_NONNULL_PARAM_VIOLATION</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE">NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE">NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_STORE_INTO_NONNULL_FIELD">NP_STORE_INTO_NONNULL_FIELD</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RE_POSSIBLE_UNINTENDED_PATTERN">RE_POSSIBLE_UNINTENDED_PATTERN</a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SA_FIELD_SELF_COMPARISON">SA_FIELD_SELF_COMPARISON</a>
+ </ul>
+ </ul>
+ <h1>FindBugs Change Log, Version 2.0.2</h1>
+
+ <ul>
+ <li>Fix false positions for <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR">NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR</a>
+ - fixing <a
+ href="https://sourceforge.net/tracker/?func=detail&aid=3547559&group_id=96405&atid=614693">Bug3547559</a>,
+ <a
+ href="https://sourceforge.net/tracker/?func=detail&aid=3555408&group_id=96405&atid=614693">Bug3555408</a>,
+ <a
+ href="https://sourceforge.net/tracker/?func=detail&aid=3580266&group_id=96405&atid=614693">Bug3580266</a>
+ and <a
+ href="https://sourceforge.net/tracker/?func=detail&aid=3587164&group_id=96405&atid=614693">Bug3587164</a>.
+
+
+ </li>
+ <li>Fix false positives for <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SF_SWITCH_NO_DEFAULT">SF_SWITCH_NO_DEFAULT</a>
+ <li>Inline access methods for private fields,
fixing false positive in <a
href="https://sourceforge.net/tracker/?func=detail&aid=3484713&group_id=96405&atid=614693">Bug3484713</a>.
-
+
<li>Type qualifier annotations, including nullness
- annotations, are now ignored on vararg parameters (including
- default and inherited annotations), awaiting JSR308.
- <li>Defined new bug pattern to give better explanations of
- issues involving strict type qualifiers <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED">TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED</a>
- <li>Adjusted analysis of type qualifiers, now giving warnings
- where a computed value is used in a place where a value with a
- strict type qualifier is required.
- <li>Complain about missing classes only if they are
- encountered while analyzing application classes; ignore missing
- classes that are encounted while analyzing classes loaded from the
- auxclasspath. Fix for <a
- href="https://sourceforge.net/tracker/?func=detail&aid=3588379&group_id=96405&atid=614693">Bug3588379</a>
- <li>Fixed false positive null pointer warning coming from
- synthetic bridge methods, fixing <a
- href="https://sourceforge.net/tracker/?func=detail&aid=3589328&group_id=96405&atid=614693">Bug3589328</a>
- <li>In general, suppress warnings in synthetic methods.
- <li>Fix some false positives involving <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>
- on classes that extend generic collection classes.
-
- </li>
- <li>Combine multiple identical warnings about
+ annotations, are now ignored on vararg parameters (including
+ default and inherited annotations), awaiting JSR308.
+ <li>Defined new bug pattern to give better explanations of
+ issues involving strict type qualifiers <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED">TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED</a>
+ <li>Adjusted analysis of type qualifiers, now giving warnings
+ where a computed value is used in a place where a value with a
+ strict type qualifier is required.
+ <li>Complain about missing classes only if they are
+ encountered while analyzing application classes; ignore missing
+ classes that are encounted while analyzing classes loaded from the
+ auxclasspath. Fix for <a
+ href="https://sourceforge.net/tracker/?func=detail&aid=3588379&group_id=96405&atid=614693">Bug3588379</a>
+ <li>Fixed false positive null pointer warning coming from
+ synthetic bridge methods, fixing <a
+ href="https://sourceforge.net/tracker/?func=detail&aid=3589328&group_id=96405&atid=614693">Bug3589328</a>
+ <li>In general, suppress warnings in synthetic methods.
+ <li>Fix some false positives involving <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>
+ on classes that extend generic collection classes.
+
+ </li>
+ <li>Combine multiple identical warnings about
<a
href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_DEFAULT_ENCODING">DM_DEFAULT_ENCODING</a>
that occur in the same method,
simplifying issue triage.
-
- <li>Changes by Andrey Loskutov
- <ul>
- <li>fixed job scheduling errors in 3.8/4.2 Eclipse <a
- href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=393748">bug
- report</a>
- <li>more realistic progress bar updates for jobs
- <li>added nullness annotations for some common Eclipse API
- methods known to usually return null values
- <li>Added support for org.eclipse.jdt.annotation.Nullable,
- NonNull and NonNullByDefault annotations (introduced with
- Eclipse 3.8/4.2)</li>
- </ul>
- <li>Documentation improvements
- <li><a href="http://code.google.com/p/findbugs/source/list">lots
- of other small changes</a>
- </ul>
- <h1>FindBugs Change Log, Version 2.0.1</h1>
-
- <ul>
- <li>New bug patterns; in some cases, bugs previous reported as
- other bug patterns are reported as instances of these new bug
- patterns in order to make it easier for developers to understand
- the bug reports
- <ul>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL</a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_RELATIVE_PATH_TRAVERSAL">PT_RELATIVE_PATH_TRAVERSAL</a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR">NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR</a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#MS_SHOULD_BE_REFACTORED_TO_BE_FINAL">MS_SHOULD_BE_REFACTORED_TO_BE_FINAL</a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST_OF_RETURN_VALUE">BC_UNCONFIRMED_CAST_OF_RETURN_VALUE</a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL</a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS">TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS</a></li>
- </ul>
- </li>
-
- <li>Changes to fix false negatives for the following bug
- patterns: <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>,
- <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_BAD_ARRAY_COMPARE">EC_BAD_ARRAY_COMPARE</a>,
- <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_UNUSUAL">EQ_UNUSUAL</a>,
- <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>,
- and <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE">NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE</a>.
- </li>
-
- <li>Changes to fix false positions for the following bug
- patterns: <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_DOH">DMI_DOH</a>,
- <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>,
- and <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#SE_BAD_FIELD">SE_BAD_FIELD</a>.
- </li>
- </ul>
-
- <h1>FindBugs Change Log, Version 2.0.0</h1>
-
- <h2>Changes since version 1.3.8</h2>
- <ul>
- <li>New bug patterns; in some cases, bugs previous reported as
- other bug patterns are reported as instances of these new bug
- patterns in order to make it easier for developers to understand
- the bug reports
- <ul>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST ">BC_IMPOSSIBLE_DOWNCAST
- </a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY ">BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY
- </a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE ">EC_INCOMPATIBLE_ARRAY_COMPARE
- </a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#JLM_JSR166_UTILCONCURRENT_MONITORENTER ">JLM_JSR166_UTILCONCURRENT_MONITORENTER
- </a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE ">LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE
- </a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_CLOSING_NULL ">NP_CLOSING_NULL
- </a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE ">RC_REF_COMPARISON_BAD_PRACTICE
- </a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN ">RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN
- </a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED ">RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED
- </a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#SIC_THREADLOCAL_DEADLY_EMBRACE ">SIC_THREADLOCAL_DEADLY_EMBRACE
- </a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR ">UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR
- </a></li>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED ">VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED
- </a></li>
- </ul>
- </li>
- <li>Providing a bug rank (1-20), and the ability to filter by
- bug rank. Eventually, it will be possible to specify your own
- rules for ranking bugs, but the procedure for doing so hasn't been
- specified yet.</li>
- <li>Fixed about <a
- href="https://sourceforge.net/search/index.php?group_id=96405&search_summary=1&search_details=1&type_of_search=artifact&group_artifact_id%5B%5D=614693&open_date_start=2009-03-16&open_date_end=2009-08-20&form_submit=Search">45
- bugs filed</a> through SourceForge
- </li>
- <li>Various reclassifications and priority tweaks</li>
- <li>Added more bug annotations to a variety of bug reports.
- This provides more context for understanding bug reports (e.g., if
- the value in question was is the return value of a method, the
- method is described as the source of the value in a bug
- annotation). This also provide more accurate tracking of issues
- across versions of the code being analyzed, but has the downside
- that when comparing results from FindBugs 1.3.8 and FindBugs 1.3.9
- on the same version of code being analyzed, FindBugs may think
- that mistakenly believe that the issue reported by 1.3.8 was fixed
- and a new issue was introduced that was reported by FindBugs
- 1.3.9. While annoying, it would be unusual for more than a dozen
- issues per million lines of codes to be mistracked.</li>
- <li>Lots of internal changes moving towards FindBugs 2.0, but
- these features are undocumented, not yet officially supported, and
- subject to radical changes before FindBugs 2.0 is released.</li>
- </ul>
-
- <p>Changes since version 1.3.8</p>
- <ul>
- <li>New bug patterns; in some cases, bugs previous reported as
- other bug patterns are reported as instances of these new bug
- patterns in order to make it easier for developers to understand
- the bug reports
- <ul>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST ">BC_IMPOSSIBLE_DOWNCAST
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY ">BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE ">EC_INCOMPATIBLE_ARRAY_COMPARE
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#JLM_JSR166_UTILCONCURRENT_MONITORENTER ">JLM_JSR166_UTILCONCURRENT_MONITORENTER
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE ">LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_CLOSING_NULL ">NP_CLOSING_NULL
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE ">RC_REF_COMPARISON_BAD_PRACTICE
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN ">RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED ">RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#SIC_THREADLOCAL_DEADLY_EMBRACE ">SIC_THREADLOCAL_DEADLY_EMBRACE
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR ">UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR
- </a>
- <li><a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED ">VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED
- </a>
- </ul>
- </li>
- <li>Providing a bug rank (1-20), and the ability to filter by
- bug rank. Eventually, it will be possible to specify your own
- rules for ranking bugs, but the procedure for doing so hasn't been
- specified yet.</li>
- <li>Fixed about <a
- href="https://sourceforge.net/search/index.php?group_id=96405&search_summary=1&search_details=1&type_of_search=artifact&group_artifact_id%5B%5D=614693&open_date_start=2009-03-16&open_date_end=2009-08-20&form_submit=Search">45
- bugs filed</a> through SourceForge
- </li>
- <li>Various reclassifications and priority tweaks</li>
- <li>Added more bug annotations to a variety of bug reports.
- This provides more context for understanding bug reports (e.g., if
- the value in question was is the return value of a method, the
- method is described as the source of the value in a bug
- annotation). This also provide more accurate tracking of issues
- across versions of the code being analyzed, but has the downside
- that when comparing results from FindBugs 1.3.8 and FindBugs 1.3.9
- on the same version of code being analyzed, FindBugs may think
- that mistakenly believe that the issue reported by 1.3.8 was fixed
- and a new issue was introduced that was reported by FindBugs
- 1.3.9. While annoying, it would be unusual for more than a dozen
- issues per million lines of codes to be mistracked.</li>
- <li>Lots of internal changes moving towards FindBugs 2.0, but
- these features are undocumented, not yet officially supported, and
- subject to radical changes before FindBugs 2.0 is released.</li>
- </ul>
-
- <p>Changes since version 1.3.7</p>
- <ul>
- <li>Primarily another small bugfix release.</li>
- <li>FindBugs base:
- <ul>
- <li>New Reports:
- <ul>
- <li>SF_SWITCH_NO_DEFAULT: missing default case in switch
- statement.</li>
- <li>SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH_TO_THROW:
- value ignored when switch fallthrough leads to thrown
- exception.</li>
- <li>INT_VACUOUS_BIT_OPERATION: bit operations that don't
- do any meaningful work.</li>
- <li>FB_UNEXPECTED_WARNING: warning generated that
- conflicts with @NoWarning FindBugs annotation.</li>
- <li>FB_MISSING_EXPECTED_WARNING: warning not generated
- despite presence of @ExpectedWarning FindBugs annotation.</li>
- <li>NOISE category: intended for use in data mining
- experiments.
- <ul>
- <li>NOISE_NULL_DEREFERENCE: fake null point dereference
- warning.</li>
- <li>NOISE_METHOD_CALL: fake method call warning.</li>
- <li>NOISE_FIELD_REFERENCE: fake field dereference
- warning.</li>
- <li>NOISE_OPERATION: fake operation warning.</li>
- </ul>
- </li>
- </ul>
- </li>
- <li>Other:
- <ul>
- <li>Garvin Leclaire has created a new Apache Maven
- repository for FindBugs at <a
- href="http://code.google.com/p/findbugs/">the Google Code
- FindBugs SVN repository</a>. (Thanks Garvin!)
- </li>
- </ul>
- </li>
- <li>Fixes:
- <ul>
- <li>[ 2317842 ] Highlighting broken in Windows</li>
- <li>[ 2515908 ] check for oddness should track sign of
- argument</li>
- <li>[ 2487936 ] &quot;L B GC&quot; false pos cast from
- Map.Entry.getKey() to Map.get()</li>
- <li>[ 2528264 ] Ant tasks not compatible with Ant 1.7.1</li>
- <li>[ 2539590 ] SF_SWITCH_FALLTHROUGH wrong message
- reported</li>
- <li>[ 2020066 ] Bug history displayed in fancy-hist.xsl is
- incorrect</li>
- <li>[ 2545098 ] Invalid character in analysis results file</li>
- <li>[ 2492673 ] Plugin sites should specify &quot;requires
- Eclipse 3.3 or newer&quot;</li>
- <li>[ 2588044 ] a tiny typing error</li>
- <li>[ 2589048 ] Documentation for convertXmlToText
- insufficient</li>
- <li>[ 2638739 ] NullPointerException when building</li>
- </ul>
- </li>
- <li>Patches:
- <ul>
- <li>[ 2538184 ] Make BugCollection implement
- Iterable&lt;BugInstance&gt; (thanks to Tomas Pollak)</li>
- <li>[ 2249771 ] Add Maven2 Findbugs plugin link to the
- Links page (thanks to Garvin Leclaire)</li>
- <li>[ 2609526 ] Japanese manual update (thanks to K.
- Hashimoto)</li>
- <li>[ 2119482 ] CheckBcel checks for nonexistent classes
- (thanks to Jerry James)</li>
- </ul>
- </li>
- </ul>
- </li>
- <li>FindBugs Eclipse plugin:
- <ul>
- <li>Major feature enhancements (thanks to Andrey Loskutov).
- See <a href="http://andrei.gmxhome.de/findbugs/index.html">this
- overview</a> for more information.
- </li>
- <li>Major test improvements (thanks to Tomas Pollak).</li>
- <li>Fixes:
- <ul>
- <li>[ 2532365 ] Compiler warning</li>
- <li>[ 2522989 ] Fix filter files selection</li>
- <li>[ 2504068 ] NullPointerException</li>
- <li>[ 2640849 ] NPE in Eclipse plugin 1.3.7 and Eclipse
- 3.5 M5</li>
- </ul>
- </li>
- <li>Patches:
- <ul>
- <li>[ 2143140 ] Unchecked conversion fixes for Eclipse
- plugin (thanks to Jerry James)
- </ul>
- </li>
- </ul>
- </li>
- </ul>
-
- <p>Changes since version 1.3.6</p>
- <ul>
- <li>Overall, a small bugfix release.
- <li>New detection of accidental vacuous/useless calls to
- EasyMock methods, and of generic signatures that proclaim the use
- of unhashable classes in ways that require that they be hashed.
- <li>Eliminate some false positives where we were warning about
- a useless call (e.g., comparing two incompatible types for
- equality), but the only thing the code was doing with the result
- was passing it to assertFalse.
- <li>Japanese localization and manual by K.Hashimoto. (Thanks!)
-
- <li>Added -exclude and -outputDir command line options to
- rejarForAnalysis
- <li>Extended -adjustPriorities option to FindBugs analysis
- textui so that you can modify the priorities of individual bug
- patterns as well as visitors, and also completely suppress
- individual bug patterns or visitors.
- <ul>
- <li>e.g., -adjustPriority
- MS_SHOULD_BE_FINAL=suppress,MS_PKGPROTECT=suppress,EI_EXPOSE_REP=suppress,EI_EXPOSE_REP2=suppress,PZLA_PREFER_ZERO_LENGTH_ARRAYS=raise
-
- </ul>
- </ul>
-
-
- <p>Changes since version 1.3.5</p>
- <ul>
- <li>Added fairly exhaustive static analysis of uses of format
- strings, checking for missing or extra arguements, invalid format
- specifiers, or mismatched format specifiers and arguments (e.g,
- passing a String value for a %d format specifier). The logic for
- doing so is derived from Sun's java.util.Formatter class, and
- available separately from FindBugs as part of the <a
- href="https://jformatstring.dev.java.net/">jFormatString</a>
- project.
- <li>More tuning of the unsatisfied obligation detector. Since
- this detector is still rather noisy and an unfinished research
- project, I've moved the generated issues to a new category:
- EXPERIMENTAL.
- <li>Added check for <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_ADD_OF_SIGNED_BYTE">BIT_ADD_OF_SIGNED_BYTE</a>;
- similar to <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_IOR_OF_SIGNED_BYTE">BIT_IOR_OF_SIGNED_BYTE</a>,
- except that addition is being used to combine shifted signed
- bytes.
- <li>Changed detection of EI_EXPOSE_REP2, so we only report it
- if the value stored is guaranteed to be the same value that was
- passed in as a parameter.
- <li>Added <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS">EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS</a>,
- a warning when an equals method checks to see if an operand is an
- instance of a class not compatible with itself. For example, if
- the Foo class checks to see if the argument is an instance of
- String. This is either a questionable design decision or a coding
- mistake.
- <li>Added <a
- href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_INVOKING_HASHCODE_ON_ARRAY">DMI_INVOKING_HASHCODE_ON_ARRAY</a>,
- which checks for invoking <code>hashCode()</code> on an array,
- which returns a hash code that ignores the contents of the array.
-
- <li>Added checks for using <code>x.removeAll(x)</code> to
- rather than <code>x.clear()</code> to clear an array.
- <li>Add checks for calls such as <code>x.contains(x)</code>, <code>x.remove(x)</code>
- and <code>x.containsAll(x)</code>.
- <li>Improvements to Eclipse plugin (thanks to Andrey
- Loskutov):
- <ul>
- <li>Report separate markers for each occurrence of an issue
- that appears multiple times in a method
- <li>fine tuning for reported markers: add only one marker
- for fields, add marker on right position
- <li>link bugs selected in bug explorer view to the opened
- editor and vice versa
- <li>select bugs selected in editor ruler in the opened bug
- explorer view
- <li>consistent abbreviations used in both bug explorer and
- bug details view
- <li>added "Expand All" button to the bug explorer view
- <li>added "Go Into/Go Up" buttons to the bug explorer view
- <li>added "Copy to clipboard" menu/functionality to the
- details view list widget
- <li>fix for CNF exception if loading the backup solution for
- broken browser widget
- </ul>
- </ul>
-
-
-
- <p>Changes since version 1.3.4</p>
- <ul>
- <li>Analysis about 15% faster
- <li><a
- href="http://sourceforge.net/tracker/?atid=614693&group_id=96405&func=browse&status=closed">38
- bugs closed</a></li>
- <li>New defect warnings:
- <ul>
- <li>calls to methods that always throw
- UnsupportedOperationException (DMI_UNSUPPORTED_METHOD)
- <li>repeated conditional tests (e.g., <code>if (x
- &lt; 0 || x &lt; 0) ...</code>) (RpC_REPEATED_CONDITIONAL_TEST)
- <li>Complete rewrite of detector for format string problems.
- More accurate, finds more problems, generates more descriptive
- reports, several different bug pattern
- (VA_FORMAT_STRING_EXTRA_ARGUMENTS_PASSED,
- VA_FORMAT_STRING_ILLEGAL, VA_FORMAT_STRING_MISSING_ARGUMENT,
- VA_FORMAT_STRING_BAD_ARGUMENT,
- VA_FORMAT_STRING_NO_PREVIOUS_ARGUMENT)
- <li>Fairly complete implementation of JSR-305 custom type
- qualifier analysis (no support for custom validators yet).
- (TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK
- TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_ALWAYS_SINK
- TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_NEVER_SINK)
- <li>New detector for unsatisfied obligations such forgetting
- to close a file (OBL_UNSATISFIED_OBLIGATION).
- <li>Warning when a parameter is marked as nullable, but is
- always dereferenced.
- (NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE)
- <lI>Separate warning for dereference the result of readLine
- (NP_DEREFERENCE_OF_READLINE_VALUE)
- </ul>
- <li>When XML is generated with messages, the project stats now
- include &lt;FileStat&gt; elements. For each source file, this
- gives the path for the file, the total number of warnings for that
- file, and a bugHash for the file. While the instanceHash for a bug
- is intended to be version invariant (ignoring line numbers, etc),
- the bugHash for a file is intended to reflect all the information
- about the warnings in that file. The intended use case is that if
- the bugHash for a file is the same in two analysis runs, then <em>nothing</em>
- has changed about any of the warnings reported for that file
- between the two analysis runs.
- <li>More merging of similar issues within a method. For
- example, if the result of readLine() is dereferences multiple
- times within a method, it will be reported as a single warning
- with occurrences at multiple source lines.
- </ul>
- <p>Changes since version 1.3.3</p>
-
- <ul>
- <li>FindBugs base
- <ul>
- <li>New Reports:
- <ul>
- <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC: equals method
- overrides equals in superclass and may not be symmetric</li>
- <li>EQ_ALWAYS_TRUE: equals method always returns true</li>
- <li>EQ_ALWAYS_FALSE: equals method always returns false</li>
- <li>EQ_COMPARING_CLASS_NAMES: equals method compares class
- names rather than class objects</li>
- <li>EQ_UNUSUAL: Unusual equals method</li>
- <li>EQ_GETCLASS_AND_CLASS_CONSTANT: equals method fails
- for subtypes</li>
- <li>SE_READ_RESOLVE_IS_STATIC: The readResolve method must
- not be declared as a static method.</li>
- <li>SE_PRIVATE_READ_RESOLVE_NOT_INHERITED: private
- readResolve method not inherited by subclasses</li>
- <li>MSF_MUTABLE_SERVLET_FIELD: Mutable servlet field</li>
- <li>XSS_REQUEST_PARAMETER_TO_SEND_ERROR: Servlet reflected
- cross site scripting vulnerability</li>
- <li>SKIPPED_CLASS_TOO_BIG: Class too big for analysis</li>
- </ul>
- </li>
- <li>Other:
- <ul>
- <li>Value-number analysis now more space-efficient</li>
- <li>Enhancements to reduce memory overhead when analyzing
- very large classes</li>
- <li>Now skips very large classes that would otherwise take
- too much time and memory to analyze</li>
- <li>Infrastructure for tracking effectively-constant/
- effectively-final fields</li>
- <li>Added more cweids</li>
- <li>Enhanced taint tracking for taint-based detectors</li>
- <li>Ignore doomed calls to equals if result is used as an
- argument to assertFalse</li>
- <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC handles compareTo</li>
- <li>Priority tweak for ICAST_INTEGER_MULTIPLY_CAST_TO_LONG
- (only low priority if multiplying by 1000)</li>
- <li>Improved tracking of fields across method calls</li>
- </ul>
- </li>
- <li>Fixes:
- <ul>
- <li>[ 1941450 ] DLS_DEAD_LOCAL_STORE not reported</li>
- <li>[ 1953323 ] Omitted break statement in
- SynchronizeAndNullCheckField</li>
- <li>[ 1942620 ] Source Directories selection dialog
- interface confusion (partial)</li>
- <li>[ 1948275 ] Unhelpful "Load of known null"</li>
- <li>[ 1933922 ] MWM error in findbugs</li>
- <li>[ 1934772 ] 1.3.3 appears to rely on JDK 1.6, JNLP
- still specifies 1.5</li>
- <li>[ 1933945 ] -loadbugs doesn't work</li>
- <li>Fixed problems for class names starting with '$'</li>
- <li>Fixed bugs and incomplete handling of annotations in
- VersionInsensitiveBugComparator</li>
- </ul>
- </li>
- <li>Patches:
- <ul>
- <li>[ 1955106 ] Javadoc fixes</li>
- <li>[ 1951930 ] Superfluous import statements (thanks to
- Jerry James)</li>
- <li>[ 1951907 ] Missing @Deprecated annotations (thanks to
- Jerry James)</li>
- <li>[ 1951876 ] Infonode Docking Windows compile fix
- (thanks to Jerry James)</li>
- <li>[ 1936055 ] bugfix for findbugs.de.comment not working
- (thanks to Peter Fokkinga)
- </ul>
- </li>
- </ul>
- <li>FindBugs BlueJ plugin
- <ul>
- <li>Updated to use FindBugs 1.3.4 (first new release since
- 1.1.3)</li>
- </ul>
- </li>
- </ul>
-
- <p>Changes since version 1.3.2</p>
-
- <ul>
- <li>FindBugs base
- <ul>
- <li>New Detectors:
- <ul>
- <li>FieldItemSummary: Produces summary information for
- what is stored into fields</li>
- <li>SynchronizeOnClassLiteralNotGetClass: Look for code
- that synchronizes on the results of getClass rather than on
- class literals</li>
- <li>SynchronizingOnContentsOfFieldToProtectField: This
- detector looks for code that seems to be synchronizing on a
- field in order to guard updates of that field</li>
- </ul>
- </li>
- <li>New BugCode:
- <ul>
- <li>HRS: HTTP Response splitting vulnerability</li>
- <li>WL: Possible locking on wrong object</li>
- </ul>
- </li>
- <li>New Reports:
- <ul>
- <li>DMI_CONSTANT_DB_PASSWORD: This code creates a database
- connect using a hard coded, constant password</li>
- <li>HRS_REQUEST_PARAMETER_TO_COOKIE: HTTP cookie formed
- from untrusted input</li>
- <li>HRS_REQUEST_PARAMETER_TO_HTTP_HEADER: HTTP parameter
- directly written to HTTP header output</li>
- <li>CN_IMPLEMENTS_CLONE_BUT_NOT_CLONEABLE: Class defines
- clone() but doesn't implement Cloneable</li>
- <li>DL_SYNCHRONIZATION_ON_BOXED_PRIMITIVE: Synchronization
- on boxed primitive could lead to deadlock</li>
- <li>DL_SYNCHRONIZATION_ON_BOOLEAN: Synchronization on
- Boolean could lead to deadlock</li>
- <li>ML_SYNC_ON_FIELD_TO_GUARD_CHANGING_THAT_FIELD:
- Synchronization on field in futile attempt to guard that field
- </li>
- <li>DLS_DEAD_LOCAL_STORE_IN_RETURN: Useless assignment in
- return statement</li>
- <li>WL_USING_GETCLASS_RATHER_THAN_CLASS_LITERAL:
- Synchronization on getClass rather than class literal</li>
- </ul>
- </li>
- <li>Other:
- <ul>
- <li>Many enhancements to cross-site scripting detector and
- its documentation</li>
- <li>Enhanced switch fall through handling</li>
- <li>Enhanced unread field handling (look for IF_ACMPEQ and
- IF_ACMPNE)</li>
- <li>Clarified documentation for @Nullable in manual</li>
- <li>Fewer DeadLocalStore false positives</li>
- <li>Fewer UnreadField false positives</li>
- <li>Fewer StaticCalendarDetector false positives</li>
- <li>Performance fix for slow file system IO e.g. Clearcase
- repositories (thanks, Andrei!)</li>
- <li>Other, general performance enhancements (thanks,
- Andrei!)</li>
- <li>Enhancements for using FindBugs scripts with MKS on
- Windows (thanks, Kelly O'Hair!)</li>
- <li>Noted in the manual that jsr305.jar must be present
- for annotations to compile</li>
- <li>Added and fine-tuned default-nullness annotations</li>
- <li>More CWE IDs added</li>
- <li>Check and warning for unexpected BCEL version in
- classpath</li>
- </ul>
- </li>
- <li>Fixes:
- <ul>
- <li>Bug fix to handling of local variable tables in BCEL</li>
- <li>Refined documentation for
- MTIA_SUSPECT_STRUTS_INSTANCE_FIELD</li>
- <li>[ 1927295 ] NPE when called on project root</li>
- <li>[ 1926405 ] Incorrect dead store warning</li>
- <li>[ 1926409 ] Incorrect redundant nullcheck warning</li>
- <li>[ 1926389 ] Wrong line number printed/highlighted in
- bug</li>
- <li>[ 1927040 ] typo in bug description</li>
- <li>[ 1926263 ] Minor glitch in HTML output</li>
- <li>[ 1926240 ] Minor error in standard options in manual</li>
- <li>[ 1926236 ] Minor bug in installation section of
- manual</li>
- <li>[ 1925539 ] ZIP is default file system code base</li>
- <li>[ 1894701 ] Livelock / memory leak in
- ObjectTypeFactory (thanks, Andrei!)</li>
- <li>[ 1867491 ] Doesn't reload annotations after code
- changes in IDE (thanks, Andrei!)</li>
- <li>[ 1921399 ] -project option not supported</li>
- <li>[ 1913834 ] "Dead" store to variable with method call</li>
- <li>[ 1917352 ] H B se:...field in serializable class</li>
- <li>[ 1911617 ] CloneIdiom relies on
- getNameConstantOperand for INSTANCEOF</li>
- <li>[ 1911620 ] False +: DLS predecrement before return</li>
- <li>[ 1871376 ] False negative: non-serializable Map field</li>
- <li>[ 1871051 ] non standard clone() method</li>
- <li>[ 1908854 ] Error in TestASM</li>
- <li>[ 1907539 ] 22 minor errors in bug checker
- documentation</li>
- <li>[ 1897323 ] EJB implementation class false positives</li>
- <li>[ 1899648 ] Crash on startup on Vista with Java
- 1.6.0_04</li>
- </ul>
- </li>
- </ul>
- </li>
- <li>FindBugs Eclipse plugin (change log by Andrey Loskutov)
- <ul>
- <li>new feature: export basic FindBugs numbers for projects
- via File-&gt;Export-&gt;Java-&gt;BugCounts (Andrey Loskutov)</li>
- <li>new feature: jobs for different projects will be run in
- parallel per default if running on a multi-core PC
- ("fb.allowParallelBuild" system property not used anymore)
- (Andrey Loskutov)</li>
- <li>fixed performance slowdown in the multi-threaded build,
- caused by workspace operation locks during assigning marker
- attributes (Andrey Loskutov)</li>
- </ul>
- </li>
- </ul>
-
- <p>Changes since version 1.3.1</p>
-
- <ul>
- <li>FindBugs base
- <ul>
- <li>New Bug Category:
- <ul>
- <li>SECURITY (Abbrev: S), A use of untrusted input in a
- way that could create a remotely exploitable security
- vulnerability</li>
- </ul>
- </li>
- <li>New Detectors:
- <ul>
- <li>CrossSiteScripting: This detector looks for
- obvious/blatant cases of cross site scripting vulnerabilities</li>
- </ul>
- </li>
- <li>New BugCode:
- <ul>
- <li>XSS: Cross site scripting</li>
- </ul>
- </li>
- <li>New Reports:
- <ul>
- <li>XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: HTTP
- parameter directly written to Servlet output, giving XSS
- vulnerability</li>
- <li>XSS_REQUEST_PARAMETER_TO_JSP_WRITER: HTTP parameter
- directly written to JSP output, giving XSS vulnerability</li>
- <li>EQ_OTHER_USE_OBJECT: equals() method defined that
- doesn't override Object.equals(Object)</li>
- <li>EQ_OTHER_NO_OBJECT: equals() method inherits rather
- than overrides equals(Object)</li>
- <li>NP_NULL_ON_SOME_PATH_MIGHT_BE_INFEASIBLE: Possible
- null pointer dereference on path that might be infeasible</li>
- </ul>
- </li>
- <li>Other:
- <ul>
- <li>Added -noClassOk command-line parameter to
- command-line and ant interfaces; when -noClassOk is specified
- and no classfiles are given, FindBugs will print a warning
- message and output a well- formed file with no warnings</li>
- <li>Fewer false positives for null pointer bugs</li>
- <li>Suppress dead-local-store false positives in .jsp code</li>
- <li>Type fixes in warning messages</li>
- <li>Better warning message for NP_NULL_ON_SOME_PATH</li>
- <li>"WMI" bug code description renamed from "Wrong Map
- Iterator" to "Inefficient Map Iterator"</li>
- </ul>
- </li>
- <li>Fixes:
- <ul>
- <li>[ 1893048 ] FindBugs confused by a findbugs.xml file</li>
- <li>[ 1878528 ] XSL xforms don't support history features</li>
- <li>[ 1876584 ] two default.xsl flaws</li>
- <li>[ 1874856 ] Format string bug detector doesn't handle
- special operators</li>
- <li>[ 1872645 ] computeBugHistory -
- java.lang.IllegalArgumentException</li>
- <li>[ 1872237 ] Ant task fails when no .class files</li>
- <li>[ 1868670 ] Filters: include AND exclude don't allowed</li>
- <li>[ 1868666 ] check-for-oddness reported, but array
- length can never be negative</li>
- <li>[ 1866108 ] SetBugDatabaseInfoTask strips dir from
- output filename</li>
- <li>[ 1866021 ] MineBugHistoryTask strips dir of output
- filename</li>
- <li>[ 1865265 ] code doesn't handle
- StringBuffer.append([CII) right</li>
- <li>[ 1864793 ] Warning when casting a null reference
- compared to a String</li>
- <li>[ 1863376 ] Typo in manual chap 8: Filter Files</li>
- <li>[ 1862705 ] Transient fields that default to null</li>
- <li>[ 1842545 ] DLS on catch variable (with priority
- tweaking)</li>
- <li>[ 1816258 ] false positive BC_IMPOSSIBLE_CAST</li>
- <li>[ 1551732 ] Get erroneous DLS with while loop</li>
- </ul>
- </li>
- </ul>
- </li>
- <li>FindBugs Eclipse plugin (change log by Andrey Loskutov)
- <ul>
- <li>new feature: added Bug explorer view (replacing Bug tree
- view), based on Common Navigator framework (Andrey Loskutov)</li>
- <li>bug 1873860 fixed: empty projects are no longer shown in
- Bug tree view (Andrey Loskutov)</li>
- <li>new feature: bug counts decorators for projects, folders
- and files (has to be activated via Preferences -&gt; general
- -&gt; appearance -&gt; label decorations)(Andrey Loskutov)</li>
- <li>patch 1746499: better icons (Alessandro Nistico)</li>
- <li>patch 1893685: Find bug actions on change sets bug
- (Alessandro Nistico)</li>
- <li>fixed bug 1855384: Bug configuration is broken in
- Eclipse (Andrey Loskutov)</li>
- <li>refactored FindBugs properties page (Andrey Loskutov)</li>
- <li>refactored FindBugs worker/builder/run action (Andrey
- Loskutov)</li>
- <li>FB detects now only bugs from classes on project's
- classpath (no double work on duplicated class files) (Andrey
- Loskutov)</li>
- <li>fixed bug introduced by the bad patch for 1867951: FB
- cannot be executed incrementally on a folder of file (Andrey
- Loskutov)</li>
- <li>fixed job rule: now jobs for different projects may run
- in parallel if running on a multi-core PC and
- "fb.allowParallelBuild" system property is set to true (Andrey
- Loskutov)</li>
- <li>fixed FB auto-build not started if .fbprefs or
- .classpath was changed (Andrey Loskutov)</li>
- <li>fixed not reporting bugs on secondary types (classes
- defined in java files with different name) (Andrey Loskutov)</li>
- </ul>
- </li>
- </ul>
-
- <p>Changes since version 1.3.0</p>
- <ul>
- <li>New Reports
- <ul>
- <li>VA_FORMAT_STRING_ARG_MISMATCH: A format-string method
- with a variable number of arguments is called, but the number of
- arguments passed does not match with the number of %
- placeholders in the format string. This is probably not what the
- author intended.
- <li>IO_APPENDING_TO_OBJECT_OUTPUT_STREAM: This code opens a
- file in append mode and that wraps the result in an object
- output stream. This won't allow you to append to an existing
- object output stream stored in a file. If you want to be able to
- append to an object output stream, you need to keep the object
- output stream open. The only situation in which opening a file
- in append mode and the writing an object output stream could
- work is if on reading the file you plan to open it in random
- access mode and seek to the byte offset where the append
- started.
- <li>NP_BOOLEAN_RETURN_NULL: A method that returns either
- Boolean.TRUE, Boolean.FALSE or null is an accident waiting to
- happen. This method can be invoked as though it returned a value
- of type boolean, and the compiler will insert automatic unboxing
- of the Boolean value. If a null value is returned, this will
- result in a NullPointerException.
- </ul>
- </li>
- <li>Changes to Existing Reports
- <ul>
- <li>RV_DONT_JUST_NULL_CHECK_READLINE: CORRECTNESS -&gt;
- STYLE</li>
- <li>DMI_INVOKING_TOSTRING_ON_ARRAY: Long description
- mentions array name whenever possible</li>
- </ul>
- </li>
- <li>Fixes:
- <ul>
- <li>Updated manual to mention that Java 1.5 is now a
- requirement for running FindBugs
- <li>Applied patch 1840206 fixing issue "Ant task does not
- work when presetdef is used" - thanks to phejl
- <li>Applied patch 1778690 fixing issue "Ant task: tolerate
- but complain about invalid auxClasspath" - thanks to David
- Schmidt
- <li>Applied patch 1852125 adding a Chinese-language GUI
- bundle props file - thanks to fifi
- <li>Applied patch 1845903 adding ability to load XML results
- with the Eclipse plugin - thanks to Alex Mont
- <li>Fixed issue 1844671 - "FP for "reversed" null check in
- catch for stream close"
- <li>Fixed issue 1836050 - "-onlyAnalyze broken"
- <li>Fixed issue 1853011 - "Typo: Field names should start
- with aN lower case letter"
- <li>Fixed issue 1844181 - "JNLP file does not contain all
- necessary JARs"
- <li>Fixed issue 1840245 - "xxxException class does not
- derive from Exception"
- <li>Fixed issue 1840277 - "[M D EC] Typo in bug
- documentation"
- <li>Fixed issue 1782447 - "OutOfMemoryError if i activate
- Findbugs on my project"
- <li>Fixed issue 1830576 - "[regression] keySet/entrySet
- false positive"
- </ul>
- </li>
- <li>Other:
- <ul>
- <li>New bug code: "IO" (for
- IO_APPENDING_TO_OBJECT_OUTPUT_STREAM)</li>
- <li>Added "-onlyMostRecent" option for computeBugHistory
- script/ant task
- <li>More explicit language in
- RV_RETURN_VALUE_IGNORED_BAD_PRACTICE messages
- <li>Modified ResourceValueAnalysis to correctly identify
- null == X or null != X as a null check (for issue 1844671)
- <li>Modified DMI_HARDCODED_ABSOLUTE_FILENAME logic in
- DumbMethodInvocations to ignore files from /etc or /dev and
- increase priority of files from /home
- <li>Better bug details for infinite loop warnings
- <li>Modified unread-fields detector to reduce false
- positives from reflective fields
- <li>build.xml "classes" target now builds all sources in one
- step
- </ul>
- </li>
- </ul>
-
- <p>Changes since version 1.2.1</p>
- <ul>
- <li>New Detectors and Reports
- <ul>
- <li>SynchronizationOnSharedBuiltinConstant
- <ul>
- <li>DL_SYNCHRONIZATION_ON_SHARED_CONSTANT: The code
- synchronizes on a shared primitive constant, such as an
- interned String. Such constants are interned and shared across
- all other classes loaded by the JVM. Thus, this could be
- locking on something that other code might also be locking.
- This could result in very strange and hard to diagnose
- blocking and deadlock behavior. See <a
- href="http://www.javalobby.org/java/forums/t96352.html">http://www.javalobby.org/java/forums/t96352.html</a>
- and <a href="http://jira.codehaus.org/browse/JETTY-352">http://jira.codehaus.org/browse/JETTY-352</a>.
-
- </ul>
- </li>
- <li>OverridingEqualsNotSymmetrical
- <ul>
- <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC: Looks for equals
- methods that override equals methods in a superclass where the
- equivalence relationship might not be symmetrical.
- </ul>
- </li>
- <li>CheckTypeQualifiers
- <ul>
- <li>TQ_ALWAYS_VALUE_USED_WHERE_NEVER_REQUIRED: A value
- specified as carrying a type qualifier annotation is consumed
- in a location or locations requiring that the value not carry
- that annotation. More precisely, a value annotated with a type
- qualifier specifying when=ALWAYS is guaranteed to reach a use
- or uses where the same type qualifier specifies when=NEVER.</li>
- <li>TQ_NEVER_VALUE_USED_WHERE_ALWAYS_REQUIRED: A value
- specified as not carrying a type qualifier annotation is
- guaranteed to be consumed in a location or locations requiring
- that the value does carry that annotation. More precisely, a
- value annotated with a type qualifier specifying when=NEVER is
- guaranteed to reach a use or uses where the same type
- qualifier specifies when=ALWAYS.</li>
- <li>TQ_MAYBE_SOURCE_VALUE_REACHES_ALWAYS_SINK: A value
- that might not carry a type qualifier annotation reaches a use
- which requires that annotation.</li>
- <li>TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK: A value
- which might carry a type qualifier annotation reaches a use
- which forbids values carrying that annotation.</li>
- </ul>
- </li>
- </ul>
- </li>
- <li>New Reports (existing detectors)
- <ul>
- <li>FindHEmismatch
- <ul>
- <li>EQ_DOESNT_OVERRIDE_EQUALS: This class extends a class
- that defines an equals method and adds fields, but doesn't
- define an equals method itself. Thus, equality on instances of
- this class will ignore the identity of the subclass and the
- added fields. Be sure this is what is intended, and that you
- don't need to override the equals method. Even if you don't
- need to override the equals method, consider overriding it
- anyway to document the fact that the equals method for the
- subclass just return the result of invoking super.equals(o).</li>
- </ul>
- </li>
- <li>Naming
- <ul>
- <li>NM_WRONG_PACKAGE, NM_WRONG_PACKAGE_INTENTIONAL: The
- method in the subclass doesn't override a similar method in a
- superclass because the type of a parameter doesn't exactly
- match the type of the corresponding parameter in the
- superclass.</li>
- <li>NM_SAME_SIMPLE_NAME_AS_SUPERCLASS: This class has a
- simple name that is identical to that of its superclass,
- except that its superclass is in a different package (e.g., <code>alpha.Foo</code>
- extends <code>beta.Foo</code>). This can be exceptionally
- confusing, create lots of situations in which you have to look
- at import statements to resolve references and creates many
- opportunities to accidently define methods that do not
- override methods in their superclasses.
- </li>
- <li>NM_SAME_SIMPLE_NAME_AS_INTERFACE: This class/interface
- has a simple name that is identical to that of an
- implemented/extended interface, except that the interface is
- in a different package (e.g., <code>alpha.Foo</code> extends <code>beta.Foo</code>).
- This can be exceptionally confusing, create lots of situations
- in which you have to look at import statements to resolve
- references and creates many opportunities to accidently define
- methods that do not override methods in their superclasses.
- </li>
- </ul>
- <li>FindRefComparison
- <ul>
- <li>EC_UNRELATED_TYPES_USING_POINTER_EQUALITY: This method
- uses using pointer equality to compare two references that
- seem to be of different types. The result of this comparison
- will always be false at runtime.</li>
- </ul>
- </li>
- <li>IncompatMask
- <ul>
- <li>BIT_SIGNED_CHECK, BIT_SIGNED_CHECK_HIGH_BIT: This
- method compares an expression such as <tt>((event.detail
- &amp; SWT.SELECTED) &gt; 0)</tt>. Using bit arithmetic and then
- comparing with the greater than operator can lead to
- unexpected results (of course depending on the value of
- SWT.SELECTED). If SWT.SELECTED is a negative number, this is a
- candidate for a bug. Even when SWT.SELECTED is not negative,
- it seems good practice to use '!= 0' instead of '&gt; 0'.
- </li>
- </ul>
- </li>
- <li>LazyInit
- <ul>
- <li>LI_LAZY_INIT_UPDATE_STATIC: This method contains an
- unsynchronized lazy initialization of a static field. After
- the field is set, the object stored into that location is
- further accessed. The setting of the field is visible to other
- threads as soon as it is set. If the further accesses in the
- method that set the field serve to initialize the object, then
- you have a <em>very serious</em> multithreading bug, unless
- something else prevents any other thread from accessing the
- stored object until it is fully initialized.
- </li>
- </ul>
- </li>
- <li>FindDeadLocalStores
- <ul>
- <li>DLS_DEAD_STORE_OF_CLASS_LITERAL: This instruction
- assigns a class literal to a variable and then never uses it.
- <a href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">The
- behavior of this differs in Java 1.4 and in Java 5.</a> In Java
- 1.4 and earlier, a reference to <code>Foo.class</code> would
- force the static initializer for <code>Foo</code> to be
- executed, if it has not been executed already. In Java 5 and
- later, it does not. See Sun's <a
- href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">article
- on Java SE compatibility</a> for more details and examples, and
- suggestions on how to force class initialization in Java 5.
- </li>
- </ul>
- </li>
- <li>MethodReturnCheck
- <ul>
- <li>RV_RETURN_VALUE_IGNORED_BAD_PRACTICE: This method
- returns a value that is not checked. The return value should
- be checked since it can indication an unusual or unexpected
- function execution. For example, the <code>File.delete()</code>
- method returns false if the file could not be successfully
- deleted (rather than throwing an Exception). If you don't
- check the result, you won't notice if the method invocation
- signals unexpected behavior by returning an atypical return
- value.
- </li>
- <li>RV_EXCEPTION_NOT_THROWN: This code creates an
- exception (or error) object, but doesn't do anything with it.
- </li>
- </ul>
- </li>
- </ul>
- </li>
- <li>Changes to Existing Reports
- <ul>
- <li>NS_NON_SHORT_CIRCUIT: BAD_PRACTICE -&gt; STYLE</li>
- <li>NS_DANGEROUS_NON_SHORT_CIRCUIT: CORRECTNESS -&gt; STYLE</li>
- <li>RC_REF_COMPARISON: CORRECTNESS -&gt; BAD_PRACTICE</li>
- </ul>
- </li>
- <li>GUI Changes
- <ul>
- <li>Added importing and exporting of bug filters</li>
- <li>Better handling of failed analysis runs</li>
- <li>Added "-look" parameter for selecting look-and-feel</li>
- <li>Fixed incorrect package filtering</li>
- <li>Fixed issue where "synchronized" was not
- syntax-highlighted</li>
- </ul>
- </li>
- <li>Ant-task Changes
- <ul>
- <li>Refactored common ant-task code to AbstractFindBugsTask</li>
- <li>Added tasks for computeBugHistory, convertXmlToText,
- filterBugs, mineBugHistory, setBugDatabaseInfo</li>
- </ul>
- </li>
- <li>Manual
- <ul>
- <li>Updates to GUI section, including new screenshots</li>
- <li>Added description of rejarForAnalysis</li>
- <li>Revamp of data-mining section</li>
- </ul>
- </li>
- <li>Other Major
- <ul>
- <li>Internal restructuring for lower memory overhead</li>
- </ul>
- </li>
- <li>Other Minor
- <ul>
- <li>Fixed typo: was STCAL_STATIC_SIMPLE_DATA_FORMAT_INSTANCE
- now STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE</li>
- <li>-outputFile parameter became -output</li>
- <li>More sensitivity and specificity inLazyInit detector</li>
- <li>More sensitivity and specificity in Naming detector</li>
- <li>More sensitivity and specificity in UnreadFields
- detector</li>
- <li>More sensitivity in FindNullDeref detector</li>
- <li>More sensitivity in FindBadCast2 detector</li>
- <li>More specificity in FindReturnRef detector</li>
- <li>Many other tweaks and bug fixes</li>
- </ul>
- </li>
- </ul>
-
- <p>Changes since version 1.2.0</p>
- <ul>
- <li>Bug fixes:
- <ul>
- <li><a
- href="http://fisheye2.cenqua.com/changelog/findbugs/?cs=8219">Fix</a>
- <a
- href="http://sourceforge.net/tracker/index.php?func=detail&aid=1726946&group_id=96405&atid=614693">bug</a>
- with detectors that were requested to be disabled but were
- enabled due to requirements of other detectors.</li>
- <li>Fix bugs in incremental analysis within Eclipse plugin</li>
- <li>Fix some analysis errors</li>
- <li>Fix some threading bugs in GUI2</li>
- <li>Report version as version when it was compiled, not when
- it was run</li>
- <li>Copy analysis time stamp when filtering or transforming
- analysis files.</li>
- </ul>
- <li>Enabled StaticCalendarDetector</li>
- <li>Reworked GUI2 to use standard FindBugs filters
- <ul>
- <li>Allow a suppression filter to be stored in a project and
- persisted to the XML representation of a project.</li>
- </ul>
- </li>
-
- <li>Move away from old GUI2 save format (a directory
- containing an xml file and another file containing serialized
- filters).</li>
- <li>Support/recommend use of two new file extensions/formats:
- <dl>
- <dt>.fba - FindBugs Analysis File</dt>
- <dd>Exactly the same as an existing bug collection file
- stored in XML format, but using a distinct file extension to
- make it easier to figure out which xml files contain FindBugs
- results.</dd>
- <dt>.fbp - FindBugs Project File</dt>
- <dd>Contains just the information needed to run FindBugs and
- display the results (e.g., the files to be analyzed, the
- auxiliary class path and the location of source files)
- </dl>
- </li>
- </ul>
- <p>Changes since version 1.1.3</p>
- <ul>
- <li>Added -xml:withAbridgedMessages option to generate xml
- containing shorter messages. The messages will be shorted by doing
- things like eliding package names, and leaving off the source line
- from the LongMessage. These messages are appropriate if being used
- in a context where the non-message components of the bug
- annotations will be used to provide more information (e.g.,
- clicking on the message for a MethodAnnotation will display the
- source for the method).
- <ul>
- <li>FindBugsDisplayFeatures.setAbridgedMessages(true) can be
- used to generate abridged messages when FindBugs is being
- accessed directly (not via generated XML) from a GUI or IDE.</li>
- </ul>
- <li>In null pointer analysis, try to be better about always
- showing two locations: where it is known null and where it is
- dereferenced.
- <li>Interprocedural analysis of which methods return nonnull
- values
- <li>Use method calls to select order in which classes are
- analyzed, and order in which methods are analyzed, to improve
- interprocedural analysis results.
- <li>Significant improvements in memory footprint, memory
- allocation and CPU utilization (20-30% reduction in all three)
- <li>Added a project name, to provide better descriptions in
- the HTML output.
- <li>Added new bug pattern: Casting to char, or bit masking
- with nonnegative value, and then checking to see if the result is
- negative.
- <li>Stopped reporting transient fields of classes not marked
- as serializable. Transient is used by other persistence
- frameworks.
- <li>Improvements to detector for SQL injection (Thanks to <a
- href="http://www.clock.org/~matt">Matt Hargett</a> for his
- contributions
- <li>Changed open/save options in GUI2 to not distinguish
- between FindBugs projects and saved FindBugs analysis results.
- <li>Improvements to detection of serious non-short-circuit
- evaluation.
- <li>Updated Japanese localization (thanks to Ruimo Uno)
- <li>Eclipse plugin changes:
- <ul>
- <li>Created Bug User Annotations and Bug Tree Views
- <li>Use different icons for different bug priorities
- <li>Provide more information in Bug Details view
- </ul>
- </ul>
-
- <p>Changes since version 1.1.2:</p>
- <ul>
- <li>Fixed broken Ant task
- <li>Added running ant task to smoke test
- <li>Added validating xml and html output to smoke test
- <li>Fixed some (but not all) issues with html output
- validation
- <li>Added check for x.equals(x) and x.compareTo(x)
- <li>Various bug fixes
- </ul>
- <p>Changes since version 1.1.1:</p>
- <ul>
- <li>Added check for infinite iterative loops</li>
- <li>Added check for use of incompatible types in a collection
- (e.g., checking to see if a Set&lt;String&gt; contains a
- StringBuffer).</li>
- <li>Added check for invocations of equals or hashCode on a
- URL, which, <a
- href="http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html">surprising
- many people</a>, requires DNS resolution.
- </li>
- <li>Added check for classes that define compareTo but not
- equals; such classes can exhibit some anomalous behavior (e.g.,
- they are treated differently by PriorityQueues in Java 5 and Java
- 6).</li>
- <li>Added a check for useless self operations (e.g., x &lt; x
- or x ^ x).</li>
- <li>Fixed a data race that could cause the GUI to fail on
- startup</li>
- <li>Partial internationalization of the new GUI</li>
- <li>Fix bug in "Redo analysis" option of new GUI</li>
- <li>Tuning to reduce false positives</li>
- <li>Fixed a bug in null pointer analysis that was generating
- false positive null pointer warnings on exception paths. Fixing
- this bug eliminates about 1/4 of the warnings on null pointer
- exceptions on exception paths.</li>
- <li>Fixed a bug in the processing of phi nodes for fields in
- the null pointer analysis</li>
- <li>Applied contributed patch that provides more quick fixes
- in Eclipse plugin.</li>
- <li>Fixed a number of bugs in the Eclipse auto update sites,
- and in the way date qualifiers were being used in the Eclipse
- plugin. You may need to manually disable your existing version of
- the plugin and download the 1.1.2 from the update site to get the
- automatic update function working correctly. The Eclipse update
- sites are described at <a
- href="http://findbugs.cs.umd.edu/eclipse/">http://findbugs.cs.umd.edu/eclipse/</a>.
-
- </li>
- <li>Fixed progress bar in Eclipse plugin</li>
- <li>A number of other bug fixes.</li>
- </ul>
-
- <p>Changes since version 1.1.0:</p>
- <ul>
- <li>less scanning of classes not on the analysis path (This
- was causing some performance problems.)</li>
- <li>no unread field warnings for fields annotated with
- javax.persistent or javax.ejb3</li>
- <li>Eclipse plugin
- <ul>
- <li>bug annotation info displayed in Bug Details tab</li>
- <li>.fbwarnings data file now stored in .metadata (not in
- the project itself)</li>
- </ul>
- </li>
- <li>new SE_BAD_FIELD_INNER_CLASS pattern</li>
- <li>updates to Japanese translation (ruimo)</li>
- <li>fix some internal slashed/dotted path confusion</li>
- <li>other minor improvements</li>
- </ul>
-
- <p>Changes since version 1.0.0:</p>
-
- <ul>
- <li>Overall, the change from FindBugs 1.0.0 to FindBugs 1.1.0
- has been a big change. We've done a lot of work in a lot of areas,
- and aren't even going to try to enumerate all the changes.</li>
- <li>We spent a lot of time reviewing the results generated by
- FindBugs for open source and commercial code bases, and made a
- number of changes, small and large, to minimize the number of
- false positives. Our primary focus for this was warnings reported
- as high and medium priority correctness warnings. Our internal
- evaluation is that we produce very few high/medium priority
- correctness warnings where the analysis is actually wrong, and
- that more than 75% of the high/medium priority correctness
- warnings correspond to real coding defects that need addressing in
- the source code. The remaining 25% are largely cases such as a
- branch or statement that if taken would lead to an error, but in
- fact is a dead branch or statement that can never be taken. Such
- coding is confusing and hard to maintain, so it should arguably be
- fixed, but it is unlikely to actually result in an error during
- execution. Thus, some might classify those warnings as false
- positives.</li>
- <li>We've substantially improved the analysis for errors that
- could result in null pointer dereferences. Overall, our experience
- has been that these changes have roughly doubled the number of
- null pointer errors we detect, without increasing the number of
- false positives (in fact, our false positive rate has gone down).
- The improvements are due to four factors:
- <ul>
- <li>By default, we now do some interprocedural analysis to
- determine methods that unconditionally dereference their
- parameters.</li>
- <li>FindBugs also comes with a model of which JDK methods
- unconditionally dereference their parameters.</li>
- <li>We do limited tracking of fields, so that we can detect
- null values stored in fields that lead to exceptions.</li>
- <li>We implemented a new analysis technique to find
- guaranteed dereferences. Consider the following example: <pre>public int f(Object x, boolean b) {
+
+ <li>Changes by Andrey Loskutov
+ <ul>
+ <li>fixed job scheduling errors in 3.8/4.2 Eclipse <a
+ href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=393748">bug
+ report</a>
+ <li>more realistic progress bar updates for jobs
+ <li>added nullness annotations for some common Eclipse API
+ methods known to usually return null values
+ <li>Added support for org.eclipse.jdt.annotation.Nullable,
+ NonNull and NonNullByDefault annotations (introduced with
+ Eclipse 3.8/4.2)</li>
+ </ul>
+ <li>Documentation improvements
+ <li><a href="http://code.google.com/p/findbugs/source/list">lots
+ of other small changes</a>
+ </ul>
+ <h1>FindBugs Change Log, Version 2.0.1</h1>
+
+ <ul>
+ <li>New bug patterns; in some cases, bugs previous reported as
+ other bug patterns are reported as instances of these new bug
+ patterns in order to make it easier for developers to understand
+ the bug reports
+ <ul>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL</a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_RELATIVE_PATH_TRAVERSAL">PT_RELATIVE_PATH_TRAVERSAL</a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR">NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR</a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#MS_SHOULD_BE_REFACTORED_TO_BE_FINAL">MS_SHOULD_BE_REFACTORED_TO_BE_FINAL</a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST_OF_RETURN_VALUE">BC_UNCONFIRMED_CAST_OF_RETURN_VALUE</a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL</a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS">TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS</a></li>
+ </ul>
+ </li>
+
+ <li>Changes to fix false negatives for the following bug
+ patterns: <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>,
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_BAD_ARRAY_COMPARE">EC_BAD_ARRAY_COMPARE</a>,
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_UNUSUAL">EQ_UNUSUAL</a>,
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>,
+ and <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE">NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE</a>.
+ </li>
+
+ <li>Changes to fix false positions for the following bug
+ patterns: <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_DOH">DMI_DOH</a>,
+ <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>,
+ and <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SE_BAD_FIELD">SE_BAD_FIELD</a>.
+ </li>
+ </ul>
+
+ <h1>FindBugs Change Log, Version 2.0.0</h1>
+
+ <h2>Changes since version 1.3.8</h2>
+ <ul>
+ <li>New bug patterns; in some cases, bugs previous reported as
+ other bug patterns are reported as instances of these new bug
+ patterns in order to make it easier for developers to understand
+ the bug reports
+ <ul>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST ">BC_IMPOSSIBLE_DOWNCAST
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY ">BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE ">EC_INCOMPATIBLE_ARRAY_COMPARE
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#JLM_JSR166_UTILCONCURRENT_MONITORENTER ">JLM_JSR166_UTILCONCURRENT_MONITORENTER
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE ">LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_CLOSING_NULL ">NP_CLOSING_NULL
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE ">RC_REF_COMPARISON_BAD_PRACTICE
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN ">RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED ">RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SIC_THREADLOCAL_DEADLY_EMBRACE ">SIC_THREADLOCAL_DEADLY_EMBRACE
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR ">UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR
+ </a></li>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED ">VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED
+ </a></li>
+ </ul>
+ </li>
+ <li>Providing a bug rank (1-20), and the ability to filter by
+ bug rank. Eventually, it will be possible to specify your own
+ rules for ranking bugs, but the procedure for doing so hasn't been
+ specified yet.</li>
+ <li>Fixed about <a
+ href="https://sourceforge.net/search/index.php?group_id=96405&search_summary=1&search_details=1&type_of_search=artifact&group_artifact_id%5B%5D=614693&open_date_start=2009-03-16&open_date_end=2009-08-20&form_submit=Search">45
+ bugs filed</a> through SourceForge
+ </li>
+ <li>Various reclassifications and priority tweaks</li>
+ <li>Added more bug annotations to a variety of bug reports.
+ This provides more context for understanding bug reports (e.g., if
+ the value in question was is the return value of a method, the
+ method is described as the source of the value in a bug
+ annotation). This also provide more accurate tracking of issues
+ across versions of the code being analyzed, but has the downside
+ that when comparing results from FindBugs 1.3.8 and FindBugs 1.3.9
+ on the same version of code being analyzed, FindBugs may think
+ that mistakenly believe that the issue reported by 1.3.8 was fixed
+ and a new issue was introduced that was reported by FindBugs
+ 1.3.9. While annoying, it would be unusual for more than a dozen
+ issues per million lines of codes to be mistracked.</li>
+ <li>Lots of internal changes moving towards FindBugs 2.0, but
+ these features are undocumented, not yet officially supported, and
+ subject to radical changes before FindBugs 2.0 is released.</li>
+ </ul>
+
+ <p>Changes since version 1.3.8</p>
+ <ul>
+ <li>New bug patterns; in some cases, bugs previous reported as
+ other bug patterns are reported as instances of these new bug
+ patterns in order to make it easier for developers to understand
+ the bug reports
+ <ul>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST ">BC_IMPOSSIBLE_DOWNCAST
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY ">BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE ">EC_INCOMPATIBLE_ARRAY_COMPARE
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#JLM_JSR166_UTILCONCURRENT_MONITORENTER ">JLM_JSR166_UTILCONCURRENT_MONITORENTER
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE ">LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_CLOSING_NULL ">NP_CLOSING_NULL
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE ">RC_REF_COMPARISON_BAD_PRACTICE
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN ">RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED ">RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#SIC_THREADLOCAL_DEADLY_EMBRACE ">SIC_THREADLOCAL_DEADLY_EMBRACE
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR ">UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR
+ </a>
+ <li><a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED ">VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED
+ </a>
+ </ul>
+ </li>
+ <li>Providing a bug rank (1-20), and the ability to filter by
+ bug rank. Eventually, it will be possible to specify your own
+ rules for ranking bugs, but the procedure for doing so hasn't been
+ specified yet.</li>
+ <li>Fixed about <a
+ href="https://sourceforge.net/search/index.php?group_id=96405&search_summary=1&search_details=1&type_of_search=artifact&group_artifact_id%5B%5D=614693&open_date_start=2009-03-16&open_date_end=2009-08-20&form_submit=Search">45
+ bugs filed</a> through SourceForge
+ </li>
+ <li>Various reclassifications and priority tweaks</li>
+ <li>Added more bug annotations to a variety of bug reports.
+ This provides more context for understanding bug reports (e.g., if
+ the value in question was is the return value of a method, the
+ method is described as the source of the value in a bug
+ annotation). This also provide more accurate tracking of issues
+ across versions of the code being analyzed, but has the downside
+ that when comparing results from FindBugs 1.3.8 and FindBugs 1.3.9
+ on the same version of code being analyzed, FindBugs may think
+ that mistakenly believe that the issue reported by 1.3.8 was fixed
+ and a new issue was introduced that was reported by FindBugs
+ 1.3.9. While annoying, it would be unusual for more than a dozen
+ issues per million lines of codes to be mistracked.</li>
+ <li>Lots of internal changes moving towards FindBugs 2.0, but
+ these features are undocumented, not yet officially supported, and
+ subject to radical changes before FindBugs 2.0 is released.</li>
+ </ul>
+
+ <p>Changes since version 1.3.7</p>
+ <ul>
+ <li>Primarily another small bugfix release.</li>
+ <li>FindBugs base:
+ <ul>
+ <li>New Reports:
+ <ul>
+ <li>SF_SWITCH_NO_DEFAULT: missing default case in switch
+ statement.</li>
+ <li>SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH_TO_THROW:
+ value ignored when switch fallthrough leads to thrown
+ exception.</li>
+ <li>INT_VACUOUS_BIT_OPERATION: bit operations that don't
+ do any meaningful work.</li>
+ <li>FB_UNEXPECTED_WARNING: warning generated that
+ conflicts with @NoWarning FindBugs annotation.</li>
+ <li>FB_MISSING_EXPECTED_WARNING: warning not generated
+ despite presence of @ExpectedWarning FindBugs annotation.</li>
+ <li>NOISE category: intended for use in data mining
+ experiments.
+ <ul>
+ <li>NOISE_NULL_DEREFERENCE: fake null point dereference
+ warning.</li>
+ <li>NOISE_METHOD_CALL: fake method call warning.</li>
+ <li>NOISE_FIELD_REFERENCE: fake field dereference
+ warning.</li>
+ <li>NOISE_OPERATION: fake operation warning.</li>
+ </ul>
+ </li>
+ </ul>
+ </li>
+ <li>Other:
+ <ul>
+ <li>Garvin Leclaire has created a new Apache Maven
+ repository for FindBugs at <a
+ href="http://code.google.com/p/findbugs/">the Google Code
+ FindBugs SVN repository</a>. (Thanks Garvin!)
+ </li>
+ </ul>
+ </li>
+ <li>Fixes:
+ <ul>
+ <li>[ 2317842 ] Highlighting broken in Windows</li>
+ <li>[ 2515908 ] check for oddness should track sign of
+ argument</li>
+ <li>[ 2487936 ] &quot;L B GC&quot; false pos cast from
+ Map.Entry.getKey() to Map.get()</li>
+ <li>[ 2528264 ] Ant tasks not compatible with Ant 1.7.1</li>
+ <li>[ 2539590 ] SF_SWITCH_FALLTHROUGH wrong message
+ reported</li>
+ <li>[ 2020066 ] Bug history displayed in fancy-hist.xsl is
+ incorrect</li>
+ <li>[ 2545098 ] Invalid character in analysis results file</li>
+ <li>[ 2492673 ] Plugin sites should specify &quot;requires
+ Eclipse 3.3 or newer&quot;</li>
+ <li>[ 2588044 ] a tiny typing error</li>
+ <li>[ 2589048 ] Documentation for convertXmlToText
+ insufficient</li>
+ <li>[ 2638739 ] NullPointerException when building</li>
+ </ul>
+ </li>
+ <li>Patches:
+ <ul>
+ <li>[ 2538184 ] Make BugCollection implement
+ Iterable&lt;BugInstance&gt; (thanks to Tomas Pollak)</li>
+ <li>[ 2249771 ] Add Maven2 Findbugs plugin link to the
+ Links page (thanks to Garvin Leclaire)</li>
+ <li>[ 2609526 ] Japanese manual update (thanks to K.
+ Hashimoto)</li>
+ <li>[ 2119482 ] CheckBcel checks for nonexistent classes
+ (thanks to Jerry James)</li>
+ </ul>
+ </li>
+ </ul>
+ </li>
+ <li>FindBugs Eclipse plugin:
+ <ul>
+ <li>Major feature enhancements (thanks to Andrey Loskutov).
+ See <a href="http://andrei.gmxhome.de/findbugs/index.html">this
+ overview</a> for more information.
+ </li>
+ <li>Major test improvements (thanks to Tomas Pollak).</li>
+ <li>Fixes:
+ <ul>
+ <li>[ 2532365 ] Compiler warning</li>
+ <li>[ 2522989 ] Fix filter files selection</li>
+ <li>[ 2504068 ] NullPointerException</li>
+ <li>[ 2640849 ] NPE in Eclipse plugin 1.3.7 and Eclipse
+ 3.5 M5</li>
+ </ul>
+ </li>
+ <li>Patches:
+ <ul>
+ <li>[ 2143140 ] Unchecked conversion fixes for Eclipse
+ plugin (thanks to Jerry James)
+ </ul>
+ </li>
+ </ul>
+ </li>
+ </ul>
+
+ <p>Changes since version 1.3.6</p>
+ <ul>
+ <li>Overall, a small bugfix release.
+ <li>New detection of accidental vacuous/useless calls to
+ EasyMock methods, and of generic signatures that proclaim the use
+ of unhashable classes in ways that require that they be hashed.
+ <li>Eliminate some false positives where we were warning about
+ a useless call (e.g., comparing two incompatible types for
+ equality), but the only thing the code was doing with the result
+ was passing it to assertFalse.
+ <li>Japanese localization and manual by K.Hashimoto. (Thanks!)
+
+ <li>Added -exclude and -outputDir command line options to
+ rejarForAnalysis
+ <li>Extended -adjustPriorities option to FindBugs analysis
+ textui so that you can modify the priorities of individual bug
+ patterns as well as visitors, and also completely suppress
+ individual bug patterns or visitors.
+ <ul>
+ <li>e.g., -adjustPriority
+ MS_SHOULD_BE_FINAL=suppress,MS_PKGPROTECT=suppress,EI_EXPOSE_REP=suppress,EI_EXPOSE_REP2=suppress,PZLA_PREFER_ZERO_LENGTH_ARRAYS=raise
+
+ </ul>
+ </ul>
+
+
+ <p>Changes since version 1.3.5</p>
+ <ul>
+ <li>Added fairly exhaustive static analysis of uses of format
+ strings, checking for missing or extra arguements, invalid format
+ specifiers, or mismatched format specifiers and arguments (e.g,
+ passing a String value for a %d format specifier). The logic for
+ doing so is derived from Sun's java.util.Formatter class, and
+ available separately from FindBugs as part of the <a
+ href="https://jformatstring.dev.java.net/">jFormatString</a>
+ project.
+ <li>More tuning of the unsatisfied obligation detector. Since
+ this detector is still rather noisy and an unfinished research
+ project, I've moved the generated issues to a new category:
+ EXPERIMENTAL.
+ <li>Added check for <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_ADD_OF_SIGNED_BYTE">BIT_ADD_OF_SIGNED_BYTE</a>;
+ similar to <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_IOR_OF_SIGNED_BYTE">BIT_IOR_OF_SIGNED_BYTE</a>,
+ except that addition is being used to combine shifted signed
+ bytes.
+ <li>Changed detection of EI_EXPOSE_REP2, so we only report it
+ if the value stored is guaranteed to be the same value that was
+ passed in as a parameter.
+ <li>Added <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS">EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS</a>,
+ a warning when an equals method checks to see if an operand is an
+ instance of a class not compatible with itself. For example, if
+ the Foo class checks to see if the argument is an instance of
+ String. This is either a questionable design decision or a coding
+ mistake.
+ <li>Added <a
+ href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_INVOKING_HASHCODE_ON_ARRAY">DMI_INVOKING_HASHCODE_ON_ARRAY</a>,
+ which checks for invoking <code>hashCode()</code> on an array,
+ which returns a hash code that ignores the contents of the array.
+
+ <li>Added checks for using <code>x.removeAll(x)</code> to
+ rather than <code>x.clear()</code> to clear an array.
+ <li>Add checks for calls such as <code>x.contains(x)</code>, <code>x.remove(x)</code>
+ and <code>x.containsAll(x)</code>.
+ <li>Improvements to Eclipse plugin (thanks to Andrey
+ Loskutov):
+ <ul>
+ <li>Report separate markers for each occurrence of an issue
+ that appears multiple times in a method
+ <li>fine tuning for reported markers: add only one marker
+ for fields, add marker on right position
+ <li>link bugs selected in bug explorer view to the opened
+ editor and vice versa
+ <li>select bugs selected in editor ruler in the opened bug
+ explorer view
+ <li>consistent abbreviations used in both bug explorer and
+ bug details view
+ <li>added "Expand All" button to the bug explorer view
+ <li>added "Go Into/Go Up" buttons to the bug explorer view
+ <li>added "Copy to clipboard" menu/functionality to the
+ details view list widget
+ <li>fix for CNF exception if loading the backup solution for
+ broken browser widget
+ </ul>
+ </ul>
+
+
+
+ <p>Changes since version 1.3.4</p>
+ <ul>
+ <li>Analysis about 15% faster
+ <li><a
+ href="http://sourceforge.net/tracker/?atid=614693&group_id=96405&func=browse&status=closed">38
+ bugs closed</a></li>
+ <li>New defect warnings:
+ <ul>
+ <li>calls to methods that always throw
+ UnsupportedOperationException (DMI_UNSUPPORTED_METHOD)
+ <li>repeated conditional tests (e.g., <code>if (x
+ &lt; 0 || x &lt; 0) ...</code>) (RpC_REPEATED_CONDITIONAL_TEST)
+ <li>Complete rewrite of detector for format string problems.
+ More accurate, finds more problems, generates more descriptive
+ reports, several different bug pattern
+ (VA_FORMAT_STRING_EXTRA_ARGUMENTS_PASSED,
+ VA_FORMAT_STRING_ILLEGAL, VA_FORMAT_STRING_MISSING_ARGUMENT,
+ VA_FORMAT_STRING_BAD_ARGUMENT,
+ VA_FORMAT_STRING_NO_PREVIOUS_ARGUMENT)
+ <li>Fairly complete implementation of JSR-305 custom type
+ qualifier analysis (no support for custom validators yet).
+ (TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK
+ TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_ALWAYS_SINK
+ TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_NEVER_SINK)
+ <li>New detector for unsatisfied obligations such forgetting
+ to close a file (OBL_UNSATISFIED_OBLIGATION).
+ <li>Warning when a parameter is marked as nullable, but is
+ always dereferenced.
+ (NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE)
+ <lI>Separate warning for dereference the result of readLine
+ (NP_DEREFERENCE_OF_READLINE_VALUE)
+ </ul>
+ <li>When XML is generated with messages, the project stats now
+ include &lt;FileStat&gt; elements. For each source file, this
+ gives the path for the file, the total number of warnings for that
+ file, and a bugHash for the file. While the instanceHash for a bug
+ is intended to be version invariant (ignoring line numbers, etc),
+ the bugHash for a file is intended to reflect all the information
+ about the warnings in that file. The intended use case is that if
+ the bugHash for a file is the same in two analysis runs, then <em>nothing</em>
+ has changed about any of the warnings reported for that file
+ between the two analysis runs.
+ <li>More merging of similar issues within a method. For
+ example, if the result of readLine() is dereferences multiple
+ times within a method, it will be reported as a single warning
+ with occurrences at multiple source lines.
+ </ul>
+ <p>Changes since version 1.3.3</p>
+
+ <ul>
+ <li>FindBugs base
+ <ul>
+ <li>New Reports:
+ <ul>
+ <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC: equals method
+ overrides equals in superclass and may not be symmetric</li>
+ <li>EQ_ALWAYS_TRUE: equals method always returns true</li>
+ <li>EQ_ALWAYS_FALSE: equals method always returns false</li>
+ <li>EQ_COMPARING_CLASS_NAMES: equals method compares class
+ names rather than class objects</li>
+ <li>EQ_UNUSUAL: Unusual equals method</li>
+ <li>EQ_GETCLASS_AND_CLASS_CONSTANT: equals method fails
+ for subtypes</li>
+ <li>SE_READ_RESOLVE_IS_STATIC: The readResolve method must
+ not be declared as a static method.</li>
+ <li>SE_PRIVATE_READ_RESOLVE_NOT_INHERITED: private
+ readResolve method not inherited by subclasses</li>
+ <li>MSF_MUTABLE_SERVLET_FIELD: Mutable servlet field</li>
+ <li>XSS_REQUEST_PARAMETER_TO_SEND_ERROR: Servlet reflected
+ cross site scripting vulnerability</li>
+ <li>SKIPPED_CLASS_TOO_BIG: Class too big for analysis</li>
+ </ul>
+ </li>
+ <li>Other:
+ <ul>
+ <li>Value-number analysis now more space-efficient</li>
+ <li>Enhancements to reduce memory overhead when analyzing
+ very large classes</li>
+ <li>Now skips very large classes that would otherwise take
+ too much time and memory to analyze</li>
+ <li>Infrastructure for tracking effectively-constant/
+ effectively-final fields</li>
+ <li>Added more cweids</li>
+ <li>Enhanced taint tracking for taint-based detectors</li>
+ <li>Ignore doomed calls to equals if result is used as an
+ argument to assertFalse</li>
+ <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC handles compareTo</li>
+ <li>Priority tweak for ICAST_INTEGER_MULTIPLY_CAST_TO_LONG
+ (only low priority if multiplying by 1000)</li>
+ <li>Improved tracking of fields across method calls</li>
+ </ul>
+ </li>
+ <li>Fixes:
+ <ul>
+ <li>[ 1941450 ] DLS_DEAD_LOCAL_STORE not reported</li>
+ <li>[ 1953323 ] Omitted break statement in
+ SynchronizeAndNullCheckField</li>
+ <li>[ 1942620 ] Source Directories selection dialog
+ interface confusion (partial)</li>
+ <li>[ 1948275 ] Unhelpful "Load of known null"</li>
+ <li>[ 1933922 ] MWM error in findbugs</li>
+ <li>[ 1934772 ] 1.3.3 appears to rely on JDK 1.6, JNLP
+ still specifies 1.5</li>
+ <li>[ 1933945 ] -loadbugs doesn't work</li>
+ <li>Fixed problems for class names starting with '$'</li>
+ <li>Fixed bugs and incomplete handling of annotations in
+ VersionInsensitiveBugComparator</li>
+ </ul>
+ </li>
+ <li>Patches:
+ <ul>
+ <li>[ 1955106 ] Javadoc fixes</li>
+ <li>[ 1951930 ] Superfluous import statements (thanks to
+ Jerry James)</li>
+ <li>[ 1951907 ] Missing @Deprecated annotations (thanks to
+ Jerry James)</li>
+ <li>[ 1951876 ] Infonode Docking Windows compile fix
+ (thanks to Jerry James)</li>
+ <li>[ 1936055 ] bugfix for findbugs.de.comment not working
+ (thanks to Peter Fokkinga)
+ </ul>
+ </li>
+ </ul>
+ <li>FindBugs BlueJ plugin
+ <ul>
+ <li>Updated to use FindBugs 1.3.4 (first new release since
+ 1.1.3)</li>
+ </ul>
+ </li>
+ </ul>
+
+ <p>Changes since version 1.3.2</p>
+
+ <ul>
+ <li>FindBugs base
+ <ul>
+ <li>New Detectors:
+ <ul>
+ <li>FieldItemSummary: Produces summary information for
+ what is stored into fields</li>
+ <li>SynchronizeOnClassLiteralNotGetClass: Look for code
+ that synchronizes on the results of getClass rather than on
+ class literals</li>
+ <li>SynchronizingOnContentsOfFieldToProtectField: This
+ detector looks for code that seems to be synchronizing on a
+ field in order to guard updates of that field</li>
+ </ul>
+ </li>
+ <li>New BugCode:
+ <ul>
+ <li>HRS: HTTP Response splitting vulnerability</li>
+ <li>WL: Possible locking on wrong object</li>
+ </ul>
+ </li>
+ <li>New Reports:
+ <ul>
+ <li>DMI_CONSTANT_DB_PASSWORD: This code creates a database
+ connect using a hard coded, constant password</li>
+ <li>HRS_REQUEST_PARAMETER_TO_COOKIE: HTTP cookie formed
+ from untrusted input</li>
+ <li>HRS_REQUEST_PARAMETER_TO_HTTP_HEADER: HTTP parameter
+ directly written to HTTP header output</li>
+ <li>CN_IMPLEMENTS_CLONE_BUT_NOT_CLONEABLE: Class defines
+ clone() but doesn't implement Cloneable</li>
+ <li>DL_SYNCHRONIZATION_ON_BOXED_PRIMITIVE: Synchronization
+ on boxed primitive could lead to deadlock</li>
+ <li>DL_SYNCHRONIZATION_ON_BOOLEAN: Synchronization on
+ Boolean could lead to deadlock</li>
+ <li>ML_SYNC_ON_FIELD_TO_GUARD_CHANGING_THAT_FIELD:
+ Synchronization on field in futile attempt to guard that field
+ </li>
+ <li>DLS_DEAD_LOCAL_STORE_IN_RETURN: Useless assignment in
+ return statement</li>
+ <li>WL_USING_GETCLASS_RATHER_THAN_CLASS_LITERAL:
+ Synchronization on getClass rather than class literal</li>
+ </ul>
+ </li>
+ <li>Other:
+ <ul>
+ <li>Many enhancements to cross-site scripting detector and
+ its documentation</li>
+ <li>Enhanced switch fall through handling</li>
+ <li>Enhanced unread field handling (look for IF_ACMPEQ and
+ IF_ACMPNE)</li>
+ <li>Clarified documentation for @Nullable in manual</li>
+ <li>Fewer DeadLocalStore false positives</li>
+ <li>Fewer UnreadField false positives</li>
+ <li>Fewer StaticCalendarDetector false positives</li>
+ <li>Performance fix for slow file system IO e.g. Clearcase
+ repositories (thanks, Andrei!)</li>
+ <li>Other, general performance enhancements (thanks,
+ Andrei!)</li>
+ <li>Enhancements for using FindBugs scripts with MKS on
+ Windows (thanks, Kelly O'Hair!)</li>
+ <li>Noted in the manual that jsr305.jar must be present
+ for annotations to compile</li>
+ <li>Added and fine-tuned default-nullness annotations</li>
+ <li>More CWE IDs added</li>
+ <li>Check and warning for unexpected BCEL version in
+ classpath</li>
+ </ul>
+ </li>
+ <li>Fixes:
+ <ul>
+ <li>Bug fix to handling of local variable tables in BCEL</li>
+ <li>Refined documentation for
+ MTIA_SUSPECT_STRUTS_INSTANCE_FIELD</li>
+ <li>[ 1927295 ] NPE when called on project root</li>
+ <li>[ 1926405 ] Incorrect dead store warning</li>
+ <li>[ 1926409 ] Incorrect redundant nullcheck warning</li>
+ <li>[ 1926389 ] Wrong line number printed/highlighted in
+ bug</li>
+ <li>[ 1927040 ] typo in bug description</li>
+ <li>[ 1926263 ] Minor glitch in HTML output</li>
+ <li>[ 1926240 ] Minor error in standard options in manual</li>
+ <li>[ 1926236 ] Minor bug in installation section of
+ manual</li>
+ <li>[ 1925539 ] ZIP is default file system code base</li>
+ <li>[ 1894701 ] Livelock / memory leak in
+ ObjectTypeFactory (thanks, Andrei!)</li>
+ <li>[ 1867491 ] Doesn't reload annotations after code
+ changes in IDE (thanks, Andrei!)</li>
+ <li>[ 1921399 ] -project option not supported</li>
+ <li>[ 1913834 ] "Dead" store to variable with method call</li>
+ <li>[ 1917352 ] H B se:...field in serializable class</li>
+ <li>[ 1911617 ] CloneIdiom relies on
+ getNameConstantOperand for INSTANCEOF</li>
+ <li>[ 1911620 ] False +: DLS predecrement before return</li>
+ <li>[ 1871376 ] False negative: non-serializable Map field</li>
+ <li>[ 1871051 ] non standard clone() method</li>
+ <li>[ 1908854 ] Error in TestASM</li>
+ <li>[ 1907539 ] 22 minor errors in bug checker
+ documentation</li>
+ <li>[ 1897323 ] EJB implementation class false positives</li>
+ <li>[ 1899648 ] Crash on startup on Vista with Java
+ 1.6.0_04</li>
+ </ul>
+ </li>
+ </ul>
+ </li>
+ <li>FindBugs Eclipse plugin (change log by Andrey Loskutov)
+ <ul>
+ <li>new feature: export basic FindBugs numbers for projects
+ via File-&gt;Export-&gt;Java-&gt;BugCounts (Andrey Loskutov)</li>
+ <li>new feature: jobs for different projects will be run in
+ parallel per default if running on a multi-core PC
+ ("fb.allowParallelBuild" system property not used anymore)
+ (Andrey Loskutov)</li>
+ <li>fixed performance slowdown in the multi-threaded build,
+ caused by workspace operation locks during assigning marker
+ attributes (Andrey Loskutov)</li>
+ </ul>
+ </li>
+ </ul>
+
+ <p>Changes since version 1.3.1</p>
+
+ <ul>
+ <li>FindBugs base
+ <ul>
+ <li>New Bug Category:
+ <ul>
+ <li>SECURITY (Abbrev: S), A use of untrusted input in a
+ way that could create a remotely exploitable security
+ vulnerability</li>
+ </ul>
+ </li>
+ <li>New Detectors:
+ <ul>
+ <li>CrossSiteScripting: This detector looks for
+ obvious/blatant cases of cross site scripting vulnerabilities</li>
+ </ul>
+ </li>
+ <li>New BugCode:
+ <ul>
+ <li>XSS: Cross site scripting</li>
+ </ul>
+ </li>
+ <li>New Reports:
+ <ul>
+ <li>XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: HTTP
+ parameter directly written to Servlet output, giving XSS
+ vulnerability</li>
+ <li>XSS_REQUEST_PARAMETER_TO_JSP_WRITER: HTTP parameter
+ directly written to JSP output, giving XSS vulnerability</li>
+ <li>EQ_OTHER_USE_OBJECT: equals() method defined that
+ doesn't override Object.equals(Object)</li>
+ <li>EQ_OTHER_NO_OBJECT: equals() method inherits rather
+ than overrides equals(Object)</li>
+ <li>NP_NULL_ON_SOME_PATH_MIGHT_BE_INFEASIBLE: Possible
+ null pointer dereference on path that might be infeasible</li>
+ </ul>
+ </li>
+ <li>Other:
+ <ul>
+ <li>Added -noClassOk command-line parameter to
+ command-line and ant interfaces; when -noClassOk is specified
+ and no classfiles are given, FindBugs will print a warning
+ message and output a well- formed file with no warnings</li>
+ <li>Fewer false positives for null pointer bugs</li>
+ <li>Suppress dead-local-store false positives in .jsp code</li>
+ <li>Type fixes in warning messages</li>
+ <li>Better warning message for NP_NULL_ON_SOME_PATH</li>
+ <li>"WMI" bug code description renamed from "Wrong Map
+ Iterator" to "Inefficient Map Iterator"</li>
+ </ul>
+ </li>
+ <li>Fixes:
+ <ul>
+ <li>[ 1893048 ] FindBugs confused by a findbugs.xml file</li>
+ <li>[ 1878528 ] XSL xforms don't support history features</li>
+ <li>[ 1876584 ] two default.xsl flaws</li>
+ <li>[ 1874856 ] Format string bug detector doesn't handle
+ special operators</li>
+ <li>[ 1872645 ] computeBugHistory -
+ java.lang.IllegalArgumentException</li>
+ <li>[ 1872237 ] Ant task fails when no .class files</li>
+ <li>[ 1868670 ] Filters: include AND exclude don't allowed</li>
+ <li>[ 1868666 ] check-for-oddness reported, but array
+ length can never be negative</li>
+ <li>[ 1866108 ] SetBugDatabaseInfoTask strips dir from
+ output filename</li>
+ <li>[ 1866021 ] MineBugHistoryTask strips dir of output
+ filename</li>
+ <li>[ 1865265 ] code doesn't handle
+ StringBuffer.append([CII) right</li>
+ <li>[ 1864793 ] Warning when casting a null reference
+ compared to a String</li>
+ <li>[ 1863376 ] Typo in manual chap 8: Filter Files</li>
+ <li>[ 1862705 ] Transient fields that default to null</li>
+ <li>[ 1842545 ] DLS on catch variable (with priority
+ tweaking)</li>
+ <li>[ 1816258 ] false positive BC_IMPOSSIBLE_CAST</li>
+ <li>[ 1551732 ] Get erroneous DLS with while loop</li>
+ </ul>
+ </li>
+ </ul>
+ </li>
+ <li>FindBugs Eclipse plugin (change log by Andrey Loskutov)
+ <ul>
+ <li>new feature: added Bug explorer view (replacing Bug tree
+ view), based on Common Navigator framework (Andrey Loskutov)</li>
+ <li>bug 1873860 fixed: empty projects are no longer shown in
+ Bug tree view (Andrey Loskutov)</li>
+ <li>new feature: bug counts decorators for projects, folders
+ and files (has to be activated via Preferences -&gt; general
+ -&gt; appearance -&gt; label decorations)(Andrey Loskutov)</li>
+ <li>patch 1746499: better icons (Alessandro Nistico)</li>
+ <li>patch 1893685: Find bug actions on change sets bug
+ (Alessandro Nistico)</li>
+ <li>fixed bug 1855384: Bug configuration is broken in
+ Eclipse (Andrey Loskutov)</li>
+ <li>refactored FindBugs properties page (Andrey Loskutov)</li>
+ <li>refactored FindBugs worker/builder/run action (Andrey
+ Loskutov)</li>
+ <li>FB detects now only bugs from classes on project's
+ classpath (no double work on duplicated class files) (Andrey
+ Loskutov)</li>
+ <li>fixed bug introduced by the bad patch for 1867951: FB
+ cannot be executed incrementally on a folder of file (Andrey
+ Loskutov)</li>
+ <li>fixed job rule: now jobs for different projects may run
+ in parallel if running on a multi-core PC and
+ "fb.allowParallelBuild" system property is set to true (Andrey
+ Loskutov)</li>
+ <li>fixed FB auto-build not started if .fbprefs or
+ .classpath was changed (Andrey Loskutov)</li>
+ <li>fixed not reporting bugs on secondary types (classes
+ defined in java files with different name) (Andrey Loskutov)</li>
+ </ul>
+ </li>
+ </ul>
+
+ <p>Changes since version 1.3.0</p>
+ <ul>
+ <li>New Reports
+ <ul>
+ <li>VA_FORMAT_STRING_ARG_MISMATCH: A format-string method
+ with a variable number of arguments is called, but the number of
+ arguments passed does not match with the number of %
+ placeholders in the format string. This is probably not what the
+ author intended.
+ <li>IO_APPENDING_TO_OBJECT_OUTPUT_STREAM: This code opens a
+ file in append mode and that wraps the result in an object
+ output stream. This won't allow you to append to an existing
+ object output stream stored in a file. If you want to be able to
+ append to an object output stream, you need to keep the object
+ output stream open. The only situation in which opening a file
+ in append mode and the writing an object output stream could
+ work is if on reading the file you plan to open it in random
+ access mode and seek to the byte offset where the append
+ started.
+ <li>NP_BOOLEAN_RETURN_NULL: A method that returns either
+ Boolean.TRUE, Boolean.FALSE or null is an accident waiting to
+ happen. This method can be invoked as though it returned a value
+ of type boolean, and the compiler will insert automatic unboxing
+ of the Boolean value. If a null value is returned, this will
+ result in a NullPointerException.
+ </ul>
+ </li>
+ <li>Changes to Existing Reports
+ <ul>
+ <li>RV_DONT_JUST_NULL_CHECK_READLINE: CORRECTNESS -&gt;
+ STYLE</li>
+ <li>DMI_INVOKING_TOSTRING_ON_ARRAY: Long description
+ mentions array name whenever possible</li>
+ </ul>
+ </li>
+ <li>Fixes:
+ <ul>
+ <li>Updated manual to mention that Java 1.5 is now a
+ requirement for running FindBugs
+ <li>Applied patch 1840206 fixing issue "Ant task does not
+ work when presetdef is used" - thanks to phejl
+ <li>Applied patch 1778690 fixing issue "Ant task: tolerate
+ but complain about invalid auxClasspath" - thanks to David
+ Schmidt
+ <li>Applied patch 1852125 adding a Chinese-language GUI
+ bundle props file - thanks to fifi
+ <li>Applied patch 1845903 adding ability to load XML results
+ with the Eclipse plugin - thanks to Alex Mont
+ <li>Fixed issue 1844671 - "FP for "reversed" null check in
+ catch for stream close"
+ <li>Fixed issue 1836050 - "-onlyAnalyze broken"
+ <li>Fixed issue 1853011 - "Typo: Field names should start
+ with aN lower case letter"
+ <li>Fixed issue 1844181 - "JNLP file does not contain all
+ necessary JARs"
+ <li>Fixed issue 1840245 - "xxxException class does not
+ derive from Exception"
+ <li>Fixed issue 1840277 - "[M D EC] Typo in bug
+ documentation"
+ <li>Fixed issue 1782447 - "OutOfMemoryError if i activate
+ Findbugs on my project"
+ <li>Fixed issue 1830576 - "[regression] keySet/entrySet
+ false positive"
+ </ul>
+ </li>
+ <li>Other:
+ <ul>
+ <li>New bug code: "IO" (for
+ IO_APPENDING_TO_OBJECT_OUTPUT_STREAM)</li>
+ <li>Added "-onlyMostRecent" option for computeBugHistory
+ script/ant task
+ <li>More explicit language in
+ RV_RETURN_VALUE_IGNORED_BAD_PRACTICE messages
+ <li>Modified ResourceValueAnalysis to correctly identify
+ null == X or null != X as a null check (for issue 1844671)
+ <li>Modified DMI_HARDCODED_ABSOLUTE_FILENAME logic in
+ DumbMethodInvocations to ignore files from /etc or /dev and
+ increase priority of files from /home
+ <li>Better bug details for infinite loop warnings
+ <li>Modified unread-fields detector to reduce false
+ positives from reflective fields
+ <li>build.xml "classes" target now builds all sources in one
+ step
+ </ul>
+ </li>
+ </ul>
+
+ <p>Changes since version 1.2.1</p>
+ <ul>
+ <li>New Detectors and Reports
+ <ul>
+ <li>SynchronizationOnSharedBuiltinConstant
+ <ul>
+ <li>DL_SYNCHRONIZATION_ON_SHARED_CONSTANT: The code
+ synchronizes on a shared primitive constant, such as an
+ interned String. Such constants are interned and shared across
+ all other classes loaded by the JVM. Thus, this could be
+ locking on something that other code might also be locking.
+ This could result in very strange and hard to diagnose
+ blocking and deadlock behavior. See <a
+ href="http://www.javalobby.org/java/forums/t96352.html">http://www.javalobby.org/java/forums/t96352.html</a>
+ and <a href="http://jira.codehaus.org/browse/JETTY-352">http://jira.codehaus.org/browse/JETTY-352</a>.
+
+ </ul>
+ </li>
+ <li>OverridingEqualsNotSymmetrical
+ <ul>
+ <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC: Looks for equals
+ methods that override equals methods in a superclass where the
+ equivalence relationship might not be symmetrical.
+ </ul>
+ </li>
+ <li>CheckTypeQualifiers
+ <ul>
+ <li>TQ_ALWAYS_VALUE_USED_WHERE_NEVER_REQUIRED: A value
+ specified as carrying a type qualifier annotation is consumed
+ in a location or locations requiring that the value not carry
+ that annotation. More precisely, a value annotated with a type
+ qualifier specifying when=ALWAYS is guaranteed to reach a use
+ or uses where the same type qualifier specifies when=NEVER.</li>
+ <li>TQ_NEVER_VALUE_USED_WHERE_ALWAYS_REQUIRED: A value
+ specified as not carrying a type qualifier annotation is
+ guaranteed to be consumed in a location or locations requiring
+ that the value does carry that annotation. More precisely, a
+ value annotated with a type qualifier specifying when=NEVER is
+ guaranteed to reach a use or uses where the same type
+ qualifier specifies when=ALWAYS.</li>
+ <li>TQ_MAYBE_SOURCE_VALUE_REACHES_ALWAYS_SINK: A value
+ that might not carry a type qualifier annotation reaches a use
+ which requires that annotation.</li>
+ <li>TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK: A value
+ which might carry a type qualifier annotation reaches a use
+ which forbids values carrying that annotation.</li>
+ </ul>
+ </li>
+ </ul>
+ </li>
+ <li>New Reports (existing detectors)
+ <ul>
+ <li>FindHEmismatch
+ <ul>
+ <li>EQ_DOESNT_OVERRIDE_EQUALS: This class extends a class
+ that defines an equals method and adds fields, but doesn't
+ define an equals method itself. Thus, equality on instances of
+ this class will ignore the identity of the subclass and the
+ added fields. Be sure this is what is intended, and that you
+ don't need to override the equals method. Even if you don't
+ need to override the equals method, consider overriding it
+ anyway to document the fact that the equals method for the
+ subclass just return the result of invoking super.equals(o).</li>
+ </ul>
+ </li>
+ <li>Naming
+ <ul>
+ <li>NM_WRONG_PACKAGE, NM_WRONG_PACKAGE_INTENTIONAL: The
+ method in the subclass doesn't override a similar method in a
+ superclass because the type of a parameter doesn't exactly
+ match the type of the corresponding parameter in the
+ superclass.</li>
+ <li>NM_SAME_SIMPLE_NAME_AS_SUPERCLASS: This class has a
+ simple name that is identical to that of its superclass,
+ except that its superclass is in a different package (e.g., <code>alpha.Foo</code>
+ extends <code>beta.Foo</code>). This can be exceptionally
+ confusing, create lots of situations in which you have to look
+ at import statements to resolve references and creates many
+ opportunities to accidently define methods that do not
+ override methods in their superclasses.
+ </li>
+ <li>NM_SAME_SIMPLE_NAME_AS_INTERFACE: This class/interface
+ has a simple name that is identical to that of an
+ implemented/extended interface, except that the interface is
+ in a different package (e.g., <code>alpha.Foo</code> extends <code>beta.Foo</code>).
+ This can be exceptionally confusing, create lots of situations
+ in which you have to look at import statements to resolve
+ references and creates many opportunities to accidently define
+ methods that do not override methods in their superclasses.
+ </li>
+ </ul>
+ <li>FindRefComparison
+ <ul>
+ <li>EC_UNRELATED_TYPES_USING_POINTER_EQUALITY: This method
+ uses using pointer equality to compare two references that
+ seem to be of different types. The result of this comparison
+ will always be false at runtime.</li>
+ </ul>
+ </li>
+ <li>IncompatMask
+ <ul>
+ <li>BIT_SIGNED_CHECK, BIT_SIGNED_CHECK_HIGH_BIT: This
+ method compares an expression such as <tt>((event.detail
+ &amp; SWT.SELECTED) &gt; 0)</tt>. Using bit arithmetic and then
+ comparing with the greater than operator can lead to
+ unexpected results (of course depending on the value of
+ SWT.SELECTED). If SWT.SELECTED is a negative number, this is a
+ candidate for a bug. Even when SWT.SELECTED is not negative,
+ it seems good practice to use '!= 0' instead of '&gt; 0'.
+ </li>
+ </ul>
+ </li>
+ <li>LazyInit
+ <ul>
+ <li>LI_LAZY_INIT_UPDATE_STATIC: This method contains an
+ unsynchronized lazy initialization of a static field. After
+ the field is set, the object stored into that location is
+ further accessed. The setting of the field is visible to other
+ threads as soon as it is set. If the further accesses in the
+ method that set the field serve to initialize the object, then
+ you have a <em>very serious</em> multithreading bug, unless
+ something else prevents any other thread from accessing the
+ stored object until it is fully initialized.
+ </li>
+ </ul>
+ </li>
+ <li>FindDeadLocalStores
+ <ul>
+ <li>DLS_DEAD_STORE_OF_CLASS_LITERAL: This instruction
+ assigns a class literal to a variable and then never uses it.
+ <a href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">The
+ behavior of this differs in Java 1.4 and in Java 5.</a> In Java
+ 1.4 and earlier, a reference to <code>Foo.class</code> would
+ force the static initializer for <code>Foo</code> to be
+ executed, if it has not been executed already. In Java 5 and
+ later, it does not. See Sun's <a
+ href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">article
+ on Java SE compatibility</a> for more details and examples, and
+ suggestions on how to force class initialization in Java 5.
+ </li>
+ </ul>
+ </li>
+ <li>MethodReturnCheck
+ <ul>
+ <li>RV_RETURN_VALUE_IGNORED_BAD_PRACTICE: This method
+ returns a value that is not checked. The return value should
+ be checked since it can indication an unusual or unexpected
+ function execution. For example, the <code>File.delete()</code>
+ method returns false if the file could not be successfully
+ deleted (rather than throwing an Exception). If you don't
+ check the result, you won't notice if the method invocation
+ signals unexpected behavior by returning an atypical return
+ value.
+ </li>
+ <li>RV_EXCEPTION_NOT_THROWN: This code creates an
+ exception (or error) object, but doesn't do anything with it.
+ </li>
+ </ul>
+ </li>
+ </ul>
+ </li>
+ <li>Changes to Existing Reports
+ <ul>
+ <li>NS_NON_SHORT_CIRCUIT: BAD_PRACTICE -&gt; STYLE</li>
+ <li>NS_DANGEROUS_NON_SHORT_CIRCUIT: CORRECTNESS -&gt; STYLE</li>
+ <li>RC_REF_COMPARISON: CORRECTNESS -&gt; BAD_PRACTICE</li>
+ </ul>
+ </li>
+ <li>GUI Changes
+ <ul>
+ <li>Added importing and exporting of bug filters</li>
+ <li>Better handling of failed analysis runs</li>
+ <li>Added "-look" parameter for selecting look-and-feel</li>
+ <li>Fixed incorrect package filtering</li>
+ <li>Fixed issue where "synchronized" was not
+ syntax-highlighted</li>
+ </ul>
+ </li>
+ <li>Ant-task Changes
+ <ul>
+ <li>Refactored common ant-task code to AbstractFindBugsTask</li>
+ <li>Added tasks for computeBugHistory, convertXmlToText,
+ filterBugs, mineBugHistory, setBugDatabaseInfo</li>
+ </ul>
+ </li>
+ <li>Manual
+ <ul>
+ <li>Updates to GUI section, including new screenshots</li>
+ <li>Added description of rejarForAnalysis</li>
+ <li>Revamp of data-mining section</li>
+ </ul>
+ </li>
+ <li>Other Major
+ <ul>
+ <li>Internal restructuring for lower memory overhead</li>
+ </ul>
+ </li>
+ <li>Other Minor
+ <ul>
+ <li>Fixed typo: was STCAL_STATIC_SIMPLE_DATA_FORMAT_INSTANCE
+ now STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE</li>
+ <li>-outputFile parameter became -output</li>
+ <li>More sensitivity and specificity inLazyInit detector</li>
+ <li>More sensitivity and specificity in Naming detector</li>
+ <li>More sensitivity and specificity in UnreadFields
+ detector</li>
+ <li>More sensitivity in FindNullDeref detector</li>
+ <li>More sensitivity in FindBadCast2 detector</li>
+ <li>More specificity in FindReturnRef detector</li>
+ <li>Many other tweaks and bug fixes</li>
+ </ul>
+ </li>
+ </ul>
+
+ <p>Changes since version 1.2.0</p>
+ <ul>
+ <li>Bug fixes:
+ <ul>
+ <li><a
+ href="http://fisheye2.cenqua.com/changelog/findbugs/?cs=8219">Fix</a>
+ <a
+ href="http://sourceforge.net/tracker/index.php?func=detail&aid=1726946&group_id=96405&atid=614693">bug</a>
+ with detectors that were requested to be disabled but were
+ enabled due to requirements of other detectors.</li>
+ <li>Fix bugs in incremental analysis within Eclipse plugin</li>
+ <li>Fix some analysis errors</li>
+ <li>Fix some threading bugs in GUI2</li>
+ <li>Report version as version when it was compiled, not when
+ it was run</li>
+ <li>Copy analysis time stamp when filtering or transforming
+ analysis files.</li>
+ </ul>
+ <li>Enabled StaticCalendarDetector</li>
+ <li>Reworked GUI2 to use standard FindBugs filters
+ <ul>
+ <li>Allow a suppression filter to be stored in a project and
+ persisted to the XML representation of a project.</li>
+ </ul>
+ </li>
+
+ <li>Move away from old GUI2 save format (a directory
+ containing an xml file and another file containing serialized
+ filters).</li>
+ <li>Support/recommend use of two new file extensions/formats:
+ <dl>
+ <dt>.fba - FindBugs Analysis File</dt>
+ <dd>Exactly the same as an existing bug collection file
+ stored in XML format, but using a distinct file extension to
+ make it easier to figure out which xml files contain FindBugs
+ results.</dd>
+ <dt>.fbp - FindBugs Project File</dt>
+ <dd>Contains just the information needed to run FindBugs and
+ display the results (e.g., the files to be analyzed, the
+ auxiliary class path and the location of source files)
+ </dl>
+ </li>
+ </ul>
+ <p>Changes since version 1.1.3</p>
+ <ul>
+ <li>Added -xml:withAbridgedMessages option to generate xml
+ containing shorter messages. The messages will be shorted by doing
+ things like eliding package names, and leaving off the source line
+ from the LongMessage. These messages are appropriate if being used
+ in a context where the non-message components of the bug
+ annotations will be used to provide more information (e.g.,
+ clicking on the message for a MethodAnnotation will display the
+ source for the method).
+ <ul>
+ <li>FindBugsDisplayFeatures.setAbridgedMessages(true) can be
+ used to generate abridged messages when FindBugs is being
+ accessed directly (not via generated XML) from a GUI or IDE.</li>
+ </ul>
+ <li>In null pointer analysis, try to be better about always
+ showing two locations: where it is known null and where it is
+ dereferenced.
+ <li>Interprocedural analysis of which methods return nonnull
+ values
+ <li>Use method calls to select order in which classes are
+ analyzed, and order in which methods are analyzed, to improve
+ interprocedural analysis results.
+ <li>Significant improvements in memory footprint, memory
+ allocation and CPU utilization (20-30% reduction in all three)
+ <li>Added a project name, to provide better descriptions in
+ the HTML output.
+ <li>Added new bug pattern: Casting to char, or bit masking
+ with nonnegative value, and then checking to see if the result is
+ negative.
+ <li>Stopped reporting transient fields of classes not marked
+ as serializable. Transient is used by other persistence
+ frameworks.
+ <li>Improvements to detector for SQL injection (Thanks to <a
+ href="http://www.clock.org/~matt">Matt Hargett</a> for his
+ contributions
+ <li>Changed open/save options in GUI2 to not distinguish
+ between FindBugs projects and saved FindBugs analysis results.
+ <li>Improvements to detection of serious non-short-circuit
+ evaluation.
+ <li>Updated Japanese localization (thanks to Ruimo Uno)
+ <li>Eclipse plugin changes:
+ <ul>
+ <li>Created Bug User Annotations and Bug Tree Views
+ <li>Use different icons for different bug priorities
+ <li>Provide more information in Bug Details view
+ </ul>
+ </ul>
+
+ <p>Changes since version 1.1.2:</p>
+ <ul>
+ <li>Fixed broken Ant task
+ <li>Added running ant task to smoke test
+ <li>Added validating xml and html output to smoke test
+ <li>Fixed some (but not all) issues with html output
+ validation
+ <li>Added check for x.equals(x) and x.compareTo(x)
+ <li>Various bug fixes
+ </ul>
+ <p>Changes since version 1.1.1:</p>
+ <ul>
+ <li>Added check for infinite iterative loops</li>
+ <li>Added check for use of incompatible types in a collection
+ (e.g., checking to see if a Set&lt;String&gt; contains a
+ StringBuffer).</li>
+ <li>Added check for invocations of equals or hashCode on a
+ URL, which, <a
+ href="http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html">surprising
+ many people</a>, requires DNS resolution.
+ </li>
+ <li>Added check for classes that define compareTo but not
+ equals; such classes can exhibit some anomalous behavior (e.g.,
+ they are treated differently by PriorityQueues in Java 5 and Java
+ 6).</li>
+ <li>Added a check for useless self operations (e.g., x &lt; x
+ or x ^ x).</li>
+ <li>Fixed a data race that could cause the GUI to fail on
+ startup</li>
+ <li>Partial internationalization of the new GUI</li>
+ <li>Fix bug in "Redo analysis" option of new GUI</li>
+ <li>Tuning to reduce false positives</li>
+ <li>Fixed a bug in null pointer analysis that was generating
+ false positive null pointer warnings on exception paths. Fixing
+ this bug eliminates about 1/4 of the warnings on null pointer
+ exceptions on exception paths.</li>
+ <li>Fixed a bug in the processing of phi nodes for fields in
+ the null pointer analysis</li>
+ <li>Applied contributed patch that provides more quick fixes
+ in Eclipse plugin.</li>
+ <li>Fixed a number of bugs in the Eclipse auto update sites,
+ and in the way date qualifiers were being used in the Eclipse
+ plugin. You may need to manually disable your existing version of
+ the plugin and download the 1.1.2 from the update site to get the
+ automatic update function working correctly. The Eclipse update
+ sites are described at <a
+ href="http://findbugs.cs.umd.edu/eclipse/">http://findbugs.cs.umd.edu/eclipse/</a>.
+
+ </li>
+ <li>Fixed progress bar in Eclipse plugin</li>
+ <li>A number of other bug fixes.</li>
+ </ul>
+
+ <p>Changes since version 1.1.0:</p>
+ <ul>
+ <li>less scanning of classes not on the analysis path (This
+ was causing some performance problems.)</li>
+ <li>no unread field warnings for fields annotated with
+ javax.persistent or javax.ejb3</li>
+ <li>Eclipse plugin
+ <ul>
+ <li>bug annotation info displayed in Bug Details tab</li>
+ <li>.fbwarnings data file now stored in .metadata (not in
+ the project itself)</li>
+ </ul>
+ </li>
+ <li>new SE_BAD_FIELD_INNER_CLASS pattern</li>
+ <li>updates to Japanese translation (ruimo)</li>
+ <li>fix some internal slashed/dotted path confusion</li>
+ <li>other minor improvements</li>
+ </ul>
+
+ <p>Changes since version 1.0.0:</p>
+
+ <ul>
+ <li>Overall, the change from FindBugs 1.0.0 to FindBugs 1.1.0
+ has been a big change. We've done a lot of work in a lot of areas,
+ and aren't even going to try to enumerate all the changes.</li>
+ <li>We spent a lot of time reviewing the results generated by
+ FindBugs for open source and commercial code bases, and made a
+ number of changes, small and large, to minimize the number of
+ false positives. Our primary focus for this was warnings reported
+ as high and medium priority correctness warnings. Our internal
+ evaluation is that we produce very few high/medium priority
+ correctness warnings where the analysis is actually wrong, and
+ that more than 75% of the high/medium priority correctness
+ warnings correspond to real coding defects that need addressing in
+ the source code. The remaining 25% are largely cases such as a
+ branch or statement that if taken would lead to an error, but in
+ fact is a dead branch or statement that can never be taken. Such
+ coding is confusing and hard to maintain, so it should arguably be
+ fixed, but it is unlikely to actually result in an error during
+ execution. Thus, some might classify those warnings as false
+ positives.</li>
+ <li>We've substantially improved the analysis for errors that
+ could result in null pointer dereferences. Overall, our experience
+ has been that these changes have roughly doubled the number of
+ null pointer errors we detect, without increasing the number of
+ false positives (in fact, our false positive rate has gone down).
+ The improvements are due to four factors:
+ <ul>
+ <li>By default, we now do some interprocedural analysis to
+ determine methods that unconditionally dereference their
+ parameters.</li>
+ <li>FindBugs also comes with a model of which JDK methods
+ unconditionally dereference their parameters.</li>
+ <li>We do limited tracking of fields, so that we can detect
+ null values stored in fields that lead to exceptions.</li>
+ <li>We implemented a new analysis technique to find
+ guaranteed dereferences. Consider the following example: <pre>public int f(Object x, boolean b) {
int result = 0;
if (x == null) result++;
else result--;
@@ -1497,1299 +1552,1299 @@
}
</pre>
- <p>
- FindBugs 1.0 used forward dataflow analysis to determine
- whether each value is definitely null, null on a simple path,
- possible null on a complex path, or definitely nonnull. Thus,
- at the statement where
- <code> result </code>
- is decremented, we know that
- <code> x </code>
- is definitely null, and at the point before
- <code> if (b) </code>
- , we know that
- <code> x </code>
- is null on a simple path. If
- <code> x </code>
- were to be dereferenced here, we would generate a warning,
- because if the else branch of the
- <code> if (x == null) </code>
- were ever taken, a null pointer exception would result.
- </p>
-
- <p>
- However, in both the then and else branches of the
- <code> if (b) </code>
- statement,
- <code> x </code>
- is only null on a complex path that may be infeasible. It might
- be that the program logic is such that if
- <code> x </code>
- is null, then
- <code> b </code>
- is never true, so generating a warning about the dereference in
- the then clause might be a false positive. We could try to
- analyze the program to determine whether it is possible for
- <code> x </code>
- to be null and
- <code> b </code>
- to be true, but that can be a hard analysis problem.
- </p>
-
- <p>
- However,
- <code> x </code>
- is dereferenced in both the then <em>and</em> else branches of
- the
- <code> if (b) </code>
- statement. So at the point immediately before
- <code> if (b) </code>
- , we know that
- <code> x </code>
- is null on a simple path <em>and</em> that
- <code> x </code>
- is guaranteed to be dereferenced on all paths from this point
- forward. FindBugs 1.1 performs a backwards data flow analysis
- to determine the values that are guaranteed to be dereferenced,
- and will generate a warning in this case.
- </p>
- </li>
- </ul>
- <p>
- The following screen shot of our new GUI shows an example of this
- analysis, as well as showing off our new GUI and points out a
- limitation of our current plugins for Eclipse and NetBeans. The
- screen shot shows a null pointer bug in HelpDisplay.java. The
- test for
- <code> href!=null </code>
- on line 78 suggests that
- <code> href </code>
- could be null. If it is, then
- <code> href </code>
- will be dereferenced on either line 87 or on line 90, generating
- a NPE. Note that our analysis here also understands that passing
- <code> href </code>
- to
- <code> URLEncoder.encode </code>
- will deference it, and thus treats line 87 as a dereference, even
- though
- <code> href </code>
- is not actually dereferenced at that line. Within our new GUI,
- all of these locations are highlighted and listed in the summary
- panel. In the original GUI (and in HTML output) we list all of
- the locations, but only the primary location is highlighted by
- the original GUI. In the Eclipse and NetBeans plugins, only the
- primary location is displayed; fixing this is on our todo list
- (contributions welcome).
- </p>
- <p>
- <img src="guaranteedDereference.png" alt="">
-
-
- </p>
-
- </li>
- <li>Preliminary support for detectors using the frameworks
- other than BCEL, such as the <a href="http://asm.objectweb.org/">ASM</a>
- bytecode framework. You may experiment with writing ASM-based
- detectors, but beware the API may still change (which could
- possibly also affect BCEL-based detectors). In general, we've
- started trying to move away from a deep dependence on BCEL, but
- that change is only partially complete. Probably best to just
- avoid this until we complete more work on this. This change is
- only visible to FindBugs plugin developers, and shouldn't be
- visible to FindBugs users.
- </li>
- <li>
- <p>Bug categories (CORRECTNESS, MT_CORRECTNESS, etc.) are no
- longer hard-coded, but rather defined in xml files associated
- with plugins, including the core plugin which defines the
- standard categories. Third-party plugins can define their own
- categories.</p>
- </li>
- <li>
- <p>Several bug patterns have been moved from CORRECTNESS and
- STYLE into a new category, BAD_PRACTICE. The English localization
- of STYLE has changed from "Style" to "Dodgy."</p>
- <p>In general, we've worked very hard to limit CORRECTNESS
- bugs to be real programming errors and sins of commission. We
- have reclassified as BAD_PRACTICE a number of bad design
- practices that result in overly fragile code, such as defining an
- equals method that doesn't accept null or defining class with a
- equals method that inherits hashCode from class Object.</p>
- <p>In general, our guidelines for deciding whether a bug
- should be classified as CORRECTNESS, BAD_PRACTICE or STYLE are:</p>
- <dl>
- <dt>CORRECTNESS</dt>
- <dd>A problem that we can recognize with high confidence and
- is an issue that we believe almost all developers would want to
- examine and address. We recommend that software teams review all
- high and medium priority warnings in their entire code base.</dd>
- <dt>BAD_PRACTICE</dt>
- <dd>A problem that we can recognize with high confidence and
- represents a clear violation of recommended and standard coding
- practice. We believe each software team should decide which bad
- practices identified by FindBugs it wants to prohibit in the
- team's coding standard, and take action to remedy violations of
- those coding standards.</dd>
- <dt>STYLE</dt>
- <dd>These are places where something strange or dodgy is
- going on, such as a dead store to a local variable. Typically,
- less than half of these represent actionable programming
- defects. Reviewing these warnings in any code under active
- development is probably a good idea, but reviewing all such
- warnings in your entire code base might be appropriate only in
- some situations. Individual or team programming styles can
- substantially influence the effectiveness of each of these
- warnings (e.g., you might have a coding practice or style in
- your group that confuses one of the detectors into generating a
- lot of STYLE warnings); you will likely want to selectively
- suppress or report the STYLE warnings that are effective for
- your group.</dd>
- </dl>
- </li>
- <li>Released a preliminary version of a new GUI (known
- internally as GUI2 -- not very creative, huh?)</li>
- <li>Provided standard ways to mark user designations of bug
- warnings (e.g., as NOT_A_BUG or SHOULD_FIX). The internal logic
- now records this, it is represented in the XML file, and GUI2
- allows the designations to be applied (along with free-form user
- annotations about each warning). The user designations and
- annotations are not yet supported by the Eclipse plugin, but we
- clearly want to support it in Eclipse shortly.</li>
- <li>Added a check for a bad comparison with a signed byte with
- a value not in the range -128..127. For example: <pre>boolean find200(byte b[]) {
+ <p>
+ FindBugs 1.0 used forward dataflow analysis to determine
+ whether each value is definitely null, null on a simple path,
+ possible null on a complex path, or definitely nonnull. Thus,
+ at the statement where
+ <code> result </code>
+ is decremented, we know that
+ <code> x </code>
+ is definitely null, and at the point before
+ <code> if (b) </code>
+ , we know that
+ <code> x </code>
+ is null on a simple path. If
+ <code> x </code>
+ were to be dereferenced here, we would generate a warning,
+ because if the else branch of the
+ <code> if (x == null) </code>
+ were ever taken, a null pointer exception would result.
+ </p>
+
+ <p>
+ However, in both the then and else branches of the
+ <code> if (b) </code>
+ statement,
+ <code> x </code>
+ is only null on a complex path that may be infeasible. It might
+ be that the program logic is such that if
+ <code> x </code>
+ is null, then
+ <code> b </code>
+ is never true, so generating a warning about the dereference in
+ the then clause might be a false positive. We could try to
+ analyze the program to determine whether it is possible for
+ <code> x </code>
+ to be null and
+ <code> b </code>
+ to be true, but that can be a hard analysis problem.
+ </p>
+
+ <p>
+ However,
+ <code> x </code>
+ is dereferenced in both the then <em>and</em> else branches of
+ the
+ <code> if (b) </code>
+ statement. So at the point immediately before
+ <code> if (b) </code>
+ , we know that
+ <code> x </code>
+ is null on a simple path <em>and</em> that
+ <code> x </code>
+ is guaranteed to be dereferenced on all paths from this point
+ forward. FindBugs 1.1 performs a backwards data flow analysis
+ to determine the values that are guaranteed to be dereferenced,
+ and will generate a warning in this case.
+ </p>
+ </li>
+ </ul>
+ <p>
+ The following screen shot of our new GUI shows an example of this
+ analysis, as well as showing off our new GUI and points out a
+ limitation of our current plugins for Eclipse and NetBeans. The
+ screen shot shows a null pointer bug in HelpDisplay.java. The
+ test for
+ <code> href!=null </code>
+ on line 78 suggests that
+ <code> href </code>
+ could be null. If it is, then
+ <code> href </code>
+ will be dereferenced on either line 87 or on line 90, generating
+ a NPE. Note that our analysis here also understands that passing
+ <code> href </code>
+ to
+ <code> URLEncoder.encode </code>
+ will deference it, and thus treats line 87 as a dereference, even
+ though
+ <code> href </code>
+ is not actually dereferenced at that line. Within our new GUI,
+ all of these locations are highlighted and listed in the summary
+ panel. In the original GUI (and in HTML output) we list all of
+ the locations, but only the primary location is highlighted by
+ the original GUI. In the Eclipse and NetBeans plugins, only the
+ primary location is displayed; fixing this is on our todo list
+ (contributions welcome).
+ </p>
+ <p>
+ <img src="guaranteedDereference.png" alt="">
+
+
+ </p>
+
+ </li>
+ <li>Preliminary support for detectors using the frameworks
+ other than BCEL, such as the <a href="http://asm.objectweb.org/">ASM</a>
+ bytecode framework. You may experiment with writing ASM-based
+ detectors, but beware the API may still change (which could
+ possibly also affect BCEL-based detectors). In general, we've
+ started trying to move away from a deep dependence on BCEL, but
+ that change is only partially complete. Probably best to just
+ avoid this until we complete more work on this. This change is
+ only visible to FindBugs plugin developers, and shouldn't be
+ visible to FindBugs users.
+ </li>
+ <li>
+ <p>Bug categories (CORRECTNESS, MT_CORRECTNESS, etc.) are no
+ longer hard-coded, but rather defined in xml files associated
+ with plugins, including the core plugin which defines the
+ standard categories. Third-party plugins can define their own
+ categories.</p>
+ </li>
+ <li>
+ <p>Several bug patterns have been moved from CORRECTNESS and
+ STYLE into a new category, BAD_PRACTICE. The English localization
+ of STYLE has changed from "Style" to "Dodgy."</p>
+ <p>In general, we've worked very hard to limit CORRECTNESS
+ bugs to be real programming errors and sins of commission. We
+ have reclassified as BAD_PRACTICE a number of bad design
+ practices that result in overly fragile code, such as defining an
+ equals method that doesn't accept null or defining class with a
+ equals method that inherits hashCode from class Object.</p>
+ <p>In general, our guidelines for deciding whether a bug
+ should be classified as CORRECTNESS, BAD_PRACTICE or STYLE are:</p>
+ <dl>
+ <dt>CORRECTNESS</dt>
+ <dd>A problem that we can recognize with high confidence and
+ is an issue that we believe almost all developers would want to
+ examine and address. We recommend that software teams review all
+ high and medium priority warnings in their entire code base.</dd>
+ <dt>BAD_PRACTICE</dt>
+ <dd>A problem that we can recognize with high confidence and
+ represents a clear violation of recommended and standard coding
+ practice. We believe each software team should decide which bad
+ practices identified by FindBugs it wants to prohibit in the
+ team's coding standard, and take action to remedy violations of
+ those coding standards.</dd>
+ <dt>STYLE</dt>
+ <dd>These are places where something strange or dodgy is
+ going on, such as a dead store to a local variable. Typically,
+ less than half of these represent actionable programming
+ defects. Reviewing these warnings in any code under active
+ development is probably a good idea, but reviewing all such
+ warnings in your entire code base might be appropriate only in
+ some situations. Individual or team programming styles can
+ substantially influence the effectiveness of each of these
+ warnings (e.g., you might have a coding practice or style in
+ your group that confuses one of the detectors into generating a
+ lot of STYLE warnings); you will likely want to selectively
+ suppress or report the STYLE warnings that are effective for
+ your group.</dd>
+ </dl>
+ </li>
+ <li>Released a preliminary version of a new GUI (known
+ internally as GUI2 -- not very creative, huh?)</li>
+ <li>Provided standard ways to mark user designations of bug
+ warnings (e.g., as NOT_A_BUG or SHOULD_FIX). The internal logic
+ now records this, it is represented in the XML file, and GUI2
+ allows the designations to be applied (along with free-form user
+ annotations about each warning). The user designations and
+ annotations are not yet supported by the Eclipse plugin, but we
+ clearly want to support it in Eclipse shortly.</li>
+ <li>Added a check for a bad comparison with a signed byte with
+ a value not in the range -128..127. For example: <pre>boolean find200(byte b[]) {
for(int i = 0; i &lt; b.length; i++) if (b[i] == 200) return i;
return -1;
}
</pre>
- </li>
- <li>Added a checking for testing if a value is equal to
- Double.NaN (no value is equal to NaN, not even NaN).</li>
- <li>Added a check for using a class with an equals method but
- no hashCode method in a hashed data structure.</li>
- <li>Added check for uncallable method of an anonymous inner
- class. For example, in the following code, it is impossible to
- invoke the initalValue method (because the name is misspelled and
- as a result is doesn't override a method in ThreadLocal). <pre>private static ThreadLocal serialNum = new ThreadLocal() {
+ </li>
+ <li>Added a checking for testing if a value is equal to
+ Double.NaN (no value is equal to NaN, not even NaN).</li>
+ <li>Added a check for using a class with an equals method but
+ no hashCode method in a hashed data structure.</li>
+ <li>Added check for uncallable method of an anonymous inner
+ class. For example, in the following code, it is impossible to
+ invoke the initalValue method (because the name is misspelled and
+ as a result is doesn't override a method in ThreadLocal). <pre>private static ThreadLocal serialNum = new ThreadLocal() {
protected synchronized Object initalValue() {
return new Integer(nextSerialNum++);
}
};
</pre>
- </li>
- <li>Added check for a dead local store caused by a switch
- statement fall through</li>
- <li>Added check for computing the absolute value of a random
- 32 bit integer or of a hashcode. This is broken because <code>
- Math.abs(Integer.MIN_VALUE) == Integer.MIN_VALUE </code> , and thus
- result of calling Math.abs, which is expected to be nonnegative,
- will in fact be negative one time out of 2 <sup> 32 </sup> , which
- will invariably be the time your boss is demoing the software to
- your customers.
-
- </li>
- <li>More careful resolution of inherited methods and fields.
- Some of the shortcuts we were taking in FindBugs 1.0.0 were
- leading to inaccurate results, and it was fairly easy to address
- this by making the analysis more accurate.</li>
- <li>Overall, analysis times are about 1.6 times longer in
- FindBugs 1.1.0 than in FindBugs 1.0.0. This is because we have
- enabled substantial additional analysis at the default effort
- level (the actual analysis engine is significantly faster than in
- FindBugs 1.0). On a recent AMD Athlon processor, analyzing
- JDK1.6.0 (about 1 million lines of code) requires about 15 minutes
- of wall clock time.</li>
- <li>Provided class and script (printClass) to print classfile
- in the human readable format produced by BCEL</li>
- <li>Provided -findSource option to setBugDatabaseInfo</li>
- </ul>
-
-
- <p>Changes since version 0.9.7:</p>
-
- <ul>
- <li>fix ObjectTypeFactory bug that was suppressing some bugs</li>
- <li>opcode stack may determine definite zeros on some paths</li>
- <li>opcode stack can track some constant string concatenations
- (dbrosius)</li>
- <li>default effort performs iterative opcode analysis (but min
- effort does not)</li>
- <li>default heap size upped to 384m</li>
- <li>schema for XML output available: bugcollection.xsd</li>
- <li>fixed some internal confusion between dotted and slashed
- class names</li>
- <li>New detectors
- <ul>
- <li>CheckImmutableAnnotation.java: checks JCIP annotations</li>
- </ul>
- </li>
- <li>Updated detectors
- <ul>
- <li>BadRegEx.java: understands Pattern.LITERAL, warns about
- "."</li>
- <li>FindUnreleasedLock.java: fewer false positives</li>
- <li>DumbMethods.java: check for vacuous comparisons to
- MAX_INTEGER or MIN_INTEGER, fix bugs detecting
- DM_NEXTINT_VIA_NEXTDOUBLE</li>
- <li>FindPuzzlers.java: detect <tt>n%2==1</tt>, detect
- toString() on array types
- </li>
- <li>FindInconsistentSync2.java: detects IS_FIELD_NOT_GUARDED
- </li>
- <li>MethodReturnCheck.java: add check for discarded newly
- constructed values, increase priority of some ignored
- constructed exceptions, better handling of bytecode compiled by
- Eclipse</li>
- <li>FindEmptySynchronizedBlock.java: better handling of
- bytecode compiled by Eclipse</li>
- <li>DoInsideDoPrivileged.java: warn if call to setAccessible
- isn't in doPriviledged, don't report private methods</li>
- <li>LoadOfKnownNullValue.java: fix bug that was reporting
- false positives on <code> finally </code> blocks
- </li>
- <li>CheckReturnAnnotationDatabase.java: better checks for
- unstarted threads</li>
- <li>ConfusionBetweenInheritedAndOuterMethod.java: fewer
- false positives, fixed a package-handling bug</li>
- <li>BadResultSetAccess.java: separate bug pattern for
- PreparedStatements, <code> BRZA </code> category folded into <code>
- SQL </code> category
- </li>
- <li>FindDeadLocalStores.java, FindBadCast2.java,
- DumbMethods.java, RuntimeExceptionCapture.java: coalesce similar
- bugs within a method into a single bug instance with multiple
- source lines</li>
- </ul>
- </li>
- <li>Eclipse plugin
- <ul>
- <li>plugin ID changed from <tt>de.tobject.findbugs</tt> to <tt>edu.umd.cs.findbugs.plugin.eclipse</tt>
- </li>
- <li>support for findbugs eclipse auto-update site</li>
- </ul>
- </li>
- <li>Updated test case files
- <ul>
- <li>BadRegEx.java</li>
- <li>JSR166.java</li>
- <li>ConcurrentModificationBug.java</li>
- <li>DeadStore.java</li>
- <li>InstanceOf.java</li>
- <li>LoadKnownNull.java</li>
- <li>NeedsToCheckReturnValue.java</li>
- <li>BadResultSetAccessTest.java</li>
- <li>DeadStore.java</li>
- <li>TestNonNull2.java</li>
- <li>TestImmutable.java</li>
- <li>TestGuardedBy.java</li>
- <li>BadRandomInt.java</li>
- <li>six test cases added to new <code> TigerTraps </code>
- directory
- </li>
- </ul>
- </li>
- <li>fix bug that was generating duplicate uids</li>
- <li>fix bug with <code> -onlyAnalyze some.package.* </code> on
- jdk1.4
- </li>
- <li>fix regression bug in
- DismantleByteCode.getRefConstantOperand()</li>
- <li>fix some minor bugs with the Swing GUI</li>
- <li>reordered some bugInstances so that source line
- annotations come last</li>
- <li>removed references to unused java system properties</li>
- <li>French translation updates (David Cotton)</li>
- <li>Japanese translation updates (Hanai Shisei)</li>
- <li>content cleanup for findbugs.xml and messages.xml</li>
- <li>references to cvs hostname updated to
- findbugs.cvs.sourceforge.net</li>
- <li>documented xdoc output options, new
- mineBugHistory/computeBugHistory options</li>
- </ul>
-
- <p>Changes since version 0.9.6:</p>
-
- <ul>
- <li>performance improvements</li>
- <li>ObjectType instances are cached to reduce memory footprint
- </li>
- <li>for performance and memory reasons stateless detectors are
- no longer cloned, must clear their own state between .class files
- </li>
- <li>fixed bug in bytecode-set lookup for methods (was causing
- bad results for IS2, perhaps others)</li>
- <li>fix some OpcodeStack bugs with integer and long
- operations, perform iterative analysis when effort is <tt>max</tt>
- </li>
- <li>HTML output includes LongMessage text again (regression in
- 0.95 - 0.96)</li>
- <li>New detectors
- <ul>
- <li>CalledMethods.java: builds a list of invoked methods for
- other detectors to consult (non-reporting)</li>
- <li>UncallableMethodOfAnonymousClass.java: detect anonymous
- inner classes that define methods that are probably intended to
- but do not override methods in a superclass.</li>
- </ul>
- </li>
- <li>Updated detectors
- <ul>
- <li>FindFieldSelfAssignment.java: recognize separate fields
- with the same name (one from superclass)</li>
- <li>FindLocalSelfAssignment2.java: handles backward branches
- better (Dave Brosius)</li>
- <li>FindBadCast2.java: BC_NULL_INSTANCEOF changed to
- NP_NULL_INSTANCEOF</li>
- <li>FindPuzzlers.java: eliminate false positive on setDate()
- (Dave Brosius)</li>
- </ul>
- </li>
- <li>Eclipse plugin
- <ul>
- <li>fix serious threading bug</li>
- <li>preferences for Filters and effort (Peter Hendriks)</li>
- <li>French localization (David Cotton)</li>
- <li>fix bug when reporting inner classes (Peter Friese)</li>
- </ul>
- </li>
- <li>Updated test case files
- <ul>
- <li>Mwn.java (Carl Burke/Dave Brosius)</li>
- <li>DumbMethodInvocations.java (Anto paul/Dave Brosius)</li>
- <!--sic-->
- </ul>
- </li>
- <li>XML output includes garbage collection duration</li>
- <li>French messages updated (David Cotton)</li>
- <li>Swing GUI shows file name after Load Bugs command</li>
- <li>Ant task to launch the findbugs frame (Mark McKay)</li>
- <li>miscellaneous code cleanup</li>
- </ul>
-
- <p>Changes since version 0.9.5:</p>
-
- <ul>
- <li>Updated detectors
- <ul>
- <li>FindNullDeref.java: respect NonNull and CheckForNull
- field annotations</li>
- <li>SerializableIdiom.java: detect non-private readObject
- and writeObject methods</li>
- <li>FindRefComparison.java: smarter array comparison
- detection</li>
- <li>IsNullValueAnalysis.java: detect <tt>null
- instanceof</tt>
- </li>
- <li>FindLocalSelfAssignment2.java: suppress some false
- positives (Dave Brosius)</li>
- <li>FindUnreleasedLock.java: don't waste time processing
- classes that don't refer to java.util.concurrent.locks</li>
- <li>MutableStaticFields.java: report the source line (Dave
- Brosius)</li>
- <li>SwitchFallthrough.java: better handling of System.exit()
- (Dave Brosius)</li>
- <li>MultithreadedInstanceAccess.java: better handling of
- Servlet.init() (Dave Brosius)</li>
- <li>ConfusionBetweenInheritedAndOuterMethod.java: now
- enabled</li>
- </ul>
- </li>
- <li>Eclipse plugin
- <ul>
- <li>background processing (Peter Friese)</li>
- <li>internationalization, Japanese localization (Takashi
- Okamoto)</li>
- </ul>
- </li>
- <li>findbugs <tt>-onlyAnalyze</tt> option now works on windows
- platforms
- </li>
- <li>mineBugHistory <tt>-noTabs</tt> option for better
- alignment of output columns
- </li>
- <li>filterBugs <tt>-fixed</tt> option (also: will now
- recognize the most recent version string)
- </li>
- <li>XML output includes running time and memory usage data</li>
- <li>miscellaneous minor corrections to the manual</li>
- <li>better bytecode analysis of the <tt>iinc</tt> instruction
- </li>
- <li>fix bug in null pointer analysis</li>
- <li>improved catch block heuristics</li>
- <li>some type analysis tweaks</li>
- <li>Bug priority changes
- <ul>
- <li>DumbMethodInvocations.java: decrease priority of
- hard-coded <tt>/tmp</tt> filenames
- </li>
- <li>ComparatorIdiom.java: decrease priority of
- non-serializable anonymous comparators</li>
- <li>FindSqlInjection.java: decrease priority of appending a
- constant or a static</li>
- </ul>
- </li>
- <li>Updated bug explanations
- <ul>
- <li>NM_VERY_CONFUSING (Dave Brosius)</li>
- </ul>
- </li>
- <li>Updated test case files
- <ul>
- <li>BadStoreOfNonSerializableObject.java</li>
- <li>BadRandomInt.java</li>
- <li>TestFieldAnnotations.java</li>
- <li>UseInitCause.java</li>
- <li>SqlInjection.java</li>
- <li>ArrayEquality.java</li>
- <li>BadIntegerOperations.java</li>
- <li>Pilhuhn.java</li>
- <li>InstanceOf.java</li>
- <li>SwitchFallthrough.java (Dave Brosius)</li>
- </ul>
- </li>
- <li>fix URL decoding bug when running under Java Web Start
- (Dave Brosius)</li>
- <li>distribution includes <tt>project.xml</tt> file for
- NetBeans
- </li>
- </ul>
-
- <p>Changes since version 0.9.4:</p>
- <ul>
- <li>New detectors
- <ul>
- <li>VarArgsProblems.java</li>
- <li>FindSqlInjection.java: now enabled</li>
- <li>ComparatorIdiom.java: comparators usually implement
- serializable</li>
- <li>Naming.java: detect methods not overridden due to
- eponymously typed args from different packages</li>
- </ul>
- </li>
- <li>Updated detectors
- <ul>
- <li>SwitchFallthrough.java: surpress some false positives</li>
- <li>DuplicateBranches.java: surpress some false positives</li>
- <li>IteratorIdioms.java: surpress some false positives</li>
- <li>FindHEmismatch.java: surpress some false positives</li>
- <li>QuestionableBooleanAssignment.java: finds more cases of
- <tt>if (b=true)</tt> ilk
- </li>
- <li>DumbMethods.java: detect int remainder by 1, delayed gc
- errors</li>
- <li>SerializableIdiom.java: detect store of nonserializable
- object into field of serializable class</li>
- <li>FindNullDeref.java: fix potential exception</li>
- <li>IsNullValue.java: fix potential exception</li>
- <li>MultithreadedInstanceAccess.java: fix potential
- exception</li>
- <li>PreferZeroLengthArrays.java: flag the method, not the
- line</li>
- </ul>
- </li>
- <li>Remove some inadvertent dependencies on JDK 1.5</li>
- <li>Sort order should be more consistent</li>
- <li>XML output changes
- <ul>
- <li>Option to sort XML bug output</li>
- <li>Now contains instance IDs</li>
- <li>uid no longer missing (was causing problems with fancy
- HTML output)</li>
- <li>Typo fixed</li>
- </ul>
- </li>
- <li>Internal changes to track source files, <tt>-sourceInfo</tt>
- option
- </li>
- <li>Bug matching: first try exact bug pattern matching, option
- to compare priorities, option to disable package moves</li>
- <li>Architecture documentation in <tt>design/architecture</tt>
- </li>
- <li>Test cases move into their own CVS project</li>
- <li>Don't report warnings that occur outside the analyzed
- classes</li>
- <li>Fixes to the build.xml files</li>
- <li>Better handling of @CheckReturnValue and @CheckForNull
- annotations (also, some additional methods searched for check
- return value and check for null)</li>
- <li>Fixed some stream-closing bugs (one by <tt>z-fb-user</tt>/Dave
- Brosius)
- </li>
- <li>Bug priority changes
- <ul>
- <li>increase priority of ignoring return value of
- java.sql.Connection methods</li>
- <li>increase priority of comparing classes like Integer
- using <tt>==</tt>
- </li>
- <li>decrease priority of IT_NO_SUCH_ELEMENT if we see any
- call to <tt>next()</tt>
- </li>
- <li>tweak priority of NM_METHOD_CONSTRUCTOR_CONFUSION</li>
- <li>decrease priority of RV_RETURN_VALUE_IGNORED for an
- inherited annotation that doesn't return same type as class</li>
- </ul>
- </li>
- <li>Updated bug explanations
- <ul>
- <li>RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE</li>
- <li>DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED</li>
- <li>IMA_INEFFICIENT_MEMBER_ACCESS (Dave Brosius)</li>
- <li>some Japanese improvements to messages_ja.xml ( <tt>ruimo</tt>)
- </li>
- <li>some German improvements to findbugs_de.properties (Dave
- Brosius, <tt>dvholten</tt>)
- </li>
- </ul>
- </li>
- <li>Updated test case files
- <ul>
- <li>BadIntegerOperations.java</li>
- <li>SecondKaboom.java</li>
- <li>OpenDatabase.java (Dave Brosius)</li>
- <li>FindOpenStream.java (Dave Brosius)</li>
- <li>BadRandomInt.java</li>
- </ul>
- </li>
- <li>Source-lines info maintained for methods (handy for
- abstract and native methods)</li>
- <li>Remove surrounding opcodes from source line annotations</li>
- <li>Better error when can't read file</li>
- <li>Swing GUI: removed console pane from FindBugsFrame, fix
- missing classes bug</li>
- <li>Fixes to OpcodeStack.java</li>
- <li>Detectors may attach a custom value to an OpcodeStack.Item
- (Dave Brosius)</li>
- <li>Filter.java: ability to add text messages to XML output,
- fix bug with <tt>-withMessages</tt>
- </li>
- <li>SourceInfoMap supports ranges of source lines</li>
- <li>Ant task supports the <tt>timestampNow</tt> attribute
- </li>
- </ul>
-
- <p>Changes since version 0.9.3:</p>
- <ul>
- <li>Substantial rework of datamining code</li>
- <li>Removed bogus warnings about await on things other than
- Condition not being in a loop</li>
- <li>Fixed bug in OpcodeStack handling of dup2 of long/double
- values</li>
- <li>Don't report array types as missing classes</li>
- <li>Adjustment of some warnings on ignored return values</li>
- <li>Added thread safety annotations from Java Concurrency in
- Practice (no detectors written for these yet)</li>
- <li>Added annotation for methods that, if overridden, should
- be invoked by overriding methods via a call to super</li>
- <li>Updated -html:fancy.xsl (Etienne Giraudy)</li>
- </ul>
-
- <p>Note: there was no version 0.9.2</p>
-
- <p>Changes since version 0.9.1:</p>
- <ul>
- <!-- New detectors -->
- <li>Embellish USM to find abstract methods that implement an
- interface method (Dave Brosius)</li>
- <li>New detector to find stores of literal booleans inside if
- or while expressions (Dave Brosius)</li>
- <li>New style detector to find final classes that declare
- protected fields (Dave Brosius)</li>
- <li>New detector to find subclass methods that simply forward,
- verbatim, to the super class (Dave Brosius)</li>
- <li>Detector to find instances where code is attempting to
- write an object out via an implementation of DataOutput, but the
- object is not guaranteed to be Serializable (Jon Christiansen,
- Bill Pugh)</li>
-
- <!-- Feature enhancements -->
- <li>Large (35%) analysis speedup (Bill Pugh)</li>
- <li>Add line numbers to Swing GUI code panel (Dave Brosius)</li>
- <li>Added effort options to Swing GUI (Dave Brosius)</li>
- <li>Add ability to specify bugs file to open from command line
- for GUI version, through -loadbugs (Phillip Martin)</li>
- <li>New stylesheet for generating HTML: use option <tt>-html:plain.xsl</tt>
- (Chris Nappin)
- </li>
- <li>New stylesheet for generating HTML: use option <tt>-html:fancy.xsl</tt>
- (Etienne Giraudy)
- </li>
- <li>Updated Japanese bug message translations (Shisei Hanai)</li>
-
- <!-- Bug fixes -->
- <li>XHTML compliance fixes for bug details (Etienne Giraudy)</li>
- <li>Various detector fixes (Shisei Hanai)</li>
- <li>Fixed bugs in the project preferences dialog int the
- Eclipse plugin (Takashi Okamoto, Thomas Einwaller)</li>
- <li>Lowered priority of analysis thread in Swing GUI (David
- Hovemeyer, suggested by Shisei Hanai and Jeffrey W. Badorek)</li>
- <li>Fixed EclipsePlugin to correctly pick up auxclasspath
- entries (Jon Christiansen)</li>
- </ul>
-
- <p>Changes since version 0.9.0:</p>
- <ul>
- <li>Fixed dependence on JRE 1.5: all features should work on
- JRE 1.4 again</li>
- <li>Fixed -effort command line option handling for Swing GUI</li>
- <li>Fixed conserveSpace and workHard attributes int Ant task</li>
- <li>Added support for effort attribute in Ant task</li>
- </ul>
-
- <p>Changes since version 0.8.8:</p>
- <ul>
- <!-- New detectors and bug patterns -->
- <li>XMLFactoryBypass detector to find direct allocation of xml
- class implementations (Dave Brosius)</li>
- <li>InefficientMemberAccess detector to find accesses to
- owning class private members (Dave Brosius)</li>
- <li>DuplicateBranches detector checks switch statements too
- (Dave Brosius)</li>
-
- <!-- Feature enhancements -->
- <li>FindBugs available from findbugs.sourceforge.net as Java
- Web Start application (Dave Brosius)</li>
- <li>Updated Japanese bug message translations (Shisei Hanai)</li>
- <li>Improved bug detail message for covariant equals() (Shisei
- Hanai)</li>
- <li>Modeling of instanceof checks is now enabled by default,
- making the bad cast detector much more useful (Bill Pugh, David
- Hovemeyer)</li>
- <li>Support for detector ordering constraints in plugin
- descriptor (David Hovemeyer)</li>
- <li>Simpler option to control analysis effort: -effort: <i>value</i>,
- where <i>value</i> is one of <code> min </code> , <code>
- default </code> , or <code> max </code> (David Hovemeyer)
- </li>
- <li>Using -effort:max, FindNullDeref checks for null arguments
- passed to methods which dereference them unconditionally (David
- Hovemeyer)</li>
- <li>FindNullDeref checks @Null and @NonNull annotations for
- parameters and return values (David Hovemeyer)</li>
-
- <!-- Bug fixes -->
- </ul>
-
- <p>Changes since version 0.8.7:</p>
-
- <ul>
- <!-- New detectors and bug patterns -->
- <li>New detector to find duplicate code in if/else statements
- (Dave Brosius)</li>
- <li>Look for calls to wait() on Condition objects (David
- Hovemeyer)</li>
- <li>Look for java.util.concurrent.Lock objects not released on
- every path out of method (David Hovemeyer)</li>
- <li>Look for calls to Thread.sleep() with a lock held (David
- Hovemeyer)</li>
- <li>More accurate detection of impossible casts (Bill Pugh,
- David Hovemeyer)</li>
-
- <!-- Feature enhancements -->
- <li>Saved XML now contains project statistics (Jay Dunning)</li>
- <li>Filter files can select by bug pattern type and warning
- priority (David Hovemeyer)</li>
-
- <!-- Bug fixes -->
- <li>Restored some files inadvertently omitted from previous
- release (Rohan Lloyd, David Hovemeyer)</li>
- <li>Make sure detectors requiring JDK 1.5 runtime classes are
- only executed if those classes are available (David Hovemeyer)</li>
- <li>Don't display analysis error dialog unless there is really
- an error (David Hovemeyer)</li>
- <li>Updated and expanded French translations of bug patterns
- and Swing GUI (Olivier Parent)</li>
- <li>Fixed invalid character encoding in German Swing GUI
- translation (Olivier Parent)</li>
- <li>Fix locale used for date format in project stats (K.
- Hashimoto)</li>
- <li>Fixed LongDescription elements in xml:withMessages output
- format (K. Hashimoto)</li>
- </ul>
-
- <p>Changes since version 0.8.6:</p>
-
- <ul>
- <!-- new detectors -->
- <li>Extend Naming detector to look for classes that are named
- XXXException but that are not Exceptions (Dave Brosius)</li>
- <li>New detector to find classes that expose semaphores in the
- public implementation through the 'this' reference. (Dave Brosius)
- </li>
- <li>New Style detector to find Struts Action/Servlet derived
- classes that reference instance member variable not in
- synchronized blocks. (Dave Brosius)</li>
- <li>New Style detector to find classes that declare
- implementation of interfaces that are already implemented by super
- classes (Dave Brosius)</li>
- <li>New Style detector to find circular dependencies between
- classes (Dave Brosius)</li>
- <li>New Style detector to find unnecessary math on constants
- (Dave Brosius)</li>
- <li>New detector to find equality comparisons using floating
- point math (Jay Dunning)</li>
- <li>New faster detector to find local self assignments (Bill
- Pugh)</li>
- <li>New detector to find infinite recursive loops (Bill Pugh)
- </li>
- <li>New detector to find for loops with an incorrect increment
- (Bill Pugh)</li>
- <li>New detector to find suspicious uses of
- BufferedReader.readLine() and String.indexOf() (Bill Pugh)</li>
- <li>New detector to find suspicious integer to double casts
- (David Hovemeyer, Bill Pugh)</li>
- <li>New detector to find invalid regular expression patterns
- (Bill Pugh)</li>
- <li>New detector to find Bloch/Gafter Java puzzlers (Bill
- Pugh)</li>
-
- <!-- feature enhancements -->
- <li>New system property to suppress reporting of DLS based on
- local variable name (Glenn Boysko)</li>
- <li>Enhancements to configuration dialog in Eclipse plugin,
- allow for saving enabled detectors in Eclipse projects (Phil
- Crosby)</li>
- <li>Sortable columns in detector dialog (Dave Brosius)</li>
- <li>New tab in gui for showing bugs grouped by category (Dave
- Brosius)</li>
- <li>Improved German translation of Swing GUI (Thomas Kuehne)</li>
- <li>Improved source file reporting in Emacs output format (Len
- Trigg)</li>
- <li>Improvements to redundant null comparison detector (Bill
- Pugh)</li>
- <li>Localization of run analysis and analysis error dialogs in
- Swing GUI (K. Hashimoto)</li>
-
- <!-- Bug fixes -->
- <li>Don't scan equals methods in FindHEMismatch if code is
- native (Greg Bentz)</li>
- <li>French translation fixes (David Cotton)</li>
- <li>Internationalization report fixes (K. Hashimoto)</li>
- <li>Japanese translations updates (SHISEI Hanai)</li>
- </ul>
-
- <p>Changes since version 0.8.5:</p>
- <ul>
- <!-- new detectors -->
- <li>New detector to find catch blocks that may inadvertently
- catch runtime exceptions (Brian Goetz)</li>
- <li>New detector to find objects that are instantiated based
- on classes that only have static methods and fields, using the
- synthesized constructor (Dave Brosius)</li>
- <li>New detector to find calls to Thread.interrupted() in a
- non static context, and especially with non currentThread()
- threads (Dave Brosius)</li>
- <li>New detector to find calls to equals() methods that use
- Object's version. (Dave Brosius)</li>
- <li>New detector to find Applets that call methods in the
- constructor refering to the AppletStub (Dave Brosius)</li>
- <li>New detector to find some cases of infinite recursion
- (Bill Pugh)</li>
- <li>New detector to find dead stores to local variables (David
- Hovemeyer, Bill Pugh)</li>
- <li>Extend Dumb Method detector for toUpperCase(),
- toLowerCase() without a locale, new Integer(1).toString(), new
- XXX().getClass(), and new Thread() without a run implementation
- (Dave Brosius) <!-- feature enhancements -->
- </li>
- <li>Ant task supports "errorProperty" attribute, which sets an
- Ant property to "true" if an error occurs running FindBugs
- (Michael Tamm)</li>
- <li>Eclipse plugin allows filtering of warnings by bug
- category, priority (David Hovemeyer)</li>
- <li>Swing GUI allows filtering of warnings by bug category
- (David Hovemeyer)</li>
- <li>Ability to annotate methods using Java 1.5 annotations
- that suppress FindBugs warnings (Bill Pugh)</li>
- <li>New -adjustExperimental for lowering priority of
- BugPatterns that are experimental (Dave Brosius)</li>
- <li>Allow for command line options 'files' using the @ symbol
- (David Hovemeyer)</li>
- <li>New -adjustPriority command line option to for adjusting
- bug priorites (David Hovemeyer)</li>
- <li>Added an Edit menu (cut/copy/paste) to Swing GUI (Dave
- Brosius)</li>
- <li>French translation supplied (David Cotton) <!-- Bug fixes -->
- </li>
- </ul>
-
- <p>Changes since version 0.8.4:</p>
- <ul>
- <!-- new detectors -->
- <li>New detector for volatile references to arrays (Bill Pugh)
- </li>
- <li>New detector to find instanceof usage where inheritance
- can be determined statically (Dave Brosius)</li>
- <li>New detector to find ResultSet.getXXX updateXXX calls
- using index 0 (Dave Brosius)</li>
- <li>New detector to find empty zip or jar entries (Bill Pugh)
-
- <!-- feature enhancements -->
- </li>
- <li>HTML output generation using built-in XSLT stylesheet or
- user-defined stylesheet (David Hovemeyer)</li>
- <li>Allow URLs to be specified to analyze zip/jar files, local
- directories, and single classfiles (David Hovemeyer)</li>
- <li>New command line option -onlyAnalyze restricts analysis to
- selected classes and packages without reducing accuracy (David
- Hovemeyer)</li>
- <li>Allow Swing GUI to show source code in jar files on
- Windows systems (Dave Brosius) <!-- Bug fixes -->
- </li>
- <li>Fix the Switch Fall Thru detector (Dave Brosius, David
- Hovemeyer, Bill Pugh)</li>
- <li>MacOS GUI fixes (Rohan Lloyd)</li>
- <li>Fix false positive in BOA in case where method is
- correctly and 'incorrectly' overridden (Dave Brosius)</li>
- <li>Fixed memory blowup when analyzing methods which access a
- large number of fields (David Hovemeyer)</li>
- </ul>
-
- <p>Changes since version 0.8.3:</p>
- <ul>
- <li>Initial and preliminary localization of the Swing
- GUI.&nbsp; Translations by:
- <ul>
- <li>German - Peter D. Stout, Holger Stenzhorn</li>
- <li>Finnish - Juha Knuutila</li>
- <li>Estonian - Tanel Lebedev</li>
- <li>Japanese - Hanai Shisei</li>
- </ul>
- </li>
- <li>Eliminated debug print statements inadvertently left
- enabled</li>
- <li>Reverted some changes in the open stream detector: this
- should fix some false positives that were introduced in the
- previous release</li>
- <li>Fixed a couple missing class reports</li>
- </ul>
-
- <p>Changes since version 0.8.2:</p>
- <ul>
-
- <!-- New detectors -->
- <li>New detector to find improperly overridden GUI Adapter
- classes (Dave Brosius)</li>
- <li>New detector to find improperly setup JUnit TestCases
- (Dave Brosius)</li>
- <li>New detector to find variables that mask class level
- fields (Dave Brosius)</li>
- <li>New detector to find comparisons of values computed with
- bitwise operators that always yield the same result (Tom Truscott)
- </li>
- <li>New detector to find unsafe getClass().getResource() calls
- (Bill Pugh)</li>
- <li>New detector to find GUI changes not in GUI thread but in
- static main (Bill Pugh)</li>
- <li>New detector to find calls to Collection.toArray() with
- zero-length array argument; it is more efficient to pass an array
- the size of the collection, which can be populated and returned as
- the result (Dave Brosius) <!-- Analysis improvements -->
- </li>
- <li>Better suppression of false warnings in various detectors
- (Bill Pugh, David Hovemeyer)</li>
- <li>Enhancement to ReadReturnShouldBeChecked detector for
- skip() (Dave Brosius)</li>
- <li>Enhancement to DumbMethods detector (Dave Brosius)</li>
- <li>Open stream detector does not report wrappers of streams
- passed as method parameters (David Hovemeyer) <!-- Feature enhancements -->
- </li>
- <li>Cancel confirmation dialog in Swing GUI (Pete Angstadt)</li>
- <li>Better relative path saving in Project file (Dave Brosius)
- </li>
- <li>Detector Priority in GUI is now saved in prefs file (Dave
- Brosius)</li>
- <li>Controls in GUI to reorder source and classpath entries,
- and ability to flip between Project details and bugs pages (Dave
- Brosius)</li>
- <li>In Swing GUI, analysis error dialog supports "Select All"
- and "Copy" operations for easy generation of error reports (Dave
- Brosius)</li>
- <li>Complete translation of bug descriptions and messages into
- Japanese (Hanai Shisei) <!-- Bug fixes -->
- </li>
- <li>Fixed bug in DroppedException detector (Dave Brosius) <!-- Development stuff -->
- </li>
- <li>The source distribution defaults to using JDK 1.5 javac to
- compile, but support for compiling with JSR-14 prototype is still
- supported</li>
- </ul>
-
- <p>Changes since version 0.8.1:</p>
- <ul>
- <li>Fixed a critical ClassCastException bug (triggered if the
- -workHard option was used, and an exception type was merged with
- an array type during type inference)</li>
- </ul>
-
- <p>Changes since version 0.8.0:</p>
- <ul>
- <li>Disabled SwitchFallthrough detector to work around
- NullPointerExceptions</li>
- <li>Added some additional false positive suppression
- heuristics</li>
- </ul>
-
- <p>Also, two contributors to the 0.8.0 release were
- inadvertently left out of the credits:</p>
- <ul>
- <li>Pete Angstadt fixed several problems in the Swing GUI</li>
- <li>Francis Lalonde provided a task resource file for the
- FindBugs Ant task</li>
- </ul>
-
- <p>Changes since version 0.7.4:</p>
- <ul>
- <li>New detector to look for uses of "+" operator to
- concatenate String objects in a loop (Dave Brosius)</li>
- <li>Reference comparison detector looks for places where the
- argument passed to the equals(Object) method isn't the same type
- as the receiver object</li>
- <li>Better suppression of false warnings in many detectors</li>
- <li>Many improvements to Eclipse plugin (Andrey Loskutov,
- Peter Friese)</li>
- <li>Fixed problem with building Eclipse plugin on Windows
- (Thomas Klaeger)</li>
- <li>Open stream detector looks for unclosed PreparedStatement
- objects (Thomas Klaeger, Rohan Lloyd)</li>
- <li>Fix for open stream detector: it wasn't detecting close()
- methods called through an invokeinterface instruction (Thomas
- Klaeger)</li>
- <li>Refactoring of visitor classes to enforce use of accessors
- for visited class features (Brian Goetz)</li>
- </ul>
-
- <p>Changes since version 0.7.3:</p>
- <ul>
- <li>Experimental modification of open stream detector to look
- for non-escaping JDBC resources (connections and statements) that
- aren't closed on all paths out of method</li>
- <li>Eclipse plugin fixed so it compiles and runs on Eclipse
- 2.1.x (Peter Friese)</li>
- <li>Option to Swing GUI and command line to generate project
- file using relative paths for archives, source directories, and
- aux classpath entries (Dave Brosius)</li>
- <li>Improvements to findbugs.bat script for launching FindBugs
- on Windows (Dave Brosius)</li>
- <li>Updated Japanese message translations (Hiroshi Okugawa)</li>
- <li>Uncalled private methods are now reported as low priority,
- unless they have the same name as another method in the class
- (which is more likely to indicate an actual bug)</li>
- <li>Added some missing data in the bug messages XML files</li>
- <li>Fixed some problems building from source on Windows
- systems</li>
- <li>Various minor bug fixes</li>
- </ul>
-
- <p>Changes since version 0.7.2:</p>
- <ul>
- <li>Enhanced Eclipse plugin, which displays the detailed bug
- description in a view (Phil Crosby)</li>
- <li>Various tweaks to existing detectors to reduce false
- warnings</li>
- <li>New command line option <code> -workHard </code> enables
- pruning of infeasible or unlikely exception edges, which results
- in better accuracy in the open stream detector, at the expense of
- a 30%-100% slowdown
- </li>
- <li>New website and HTML documentation design</li>
- <li>Documentation includes an HTML document with descriptions
- of all bug patterns reported by FindBugs</li>
- <li>Web page has a link to a <a
- href="http://www.simeji.com/findbugs/doc/manual_ja/index.html">Japanese
- translation</a> of the FindBugs manual, contributed by Hiroshi
- Okugawa
- </li>
- <li>Changed the Inconsistent Synchronization detector so that
- fields synchronized 50% of the time (or more) are reported as
- medium priority bugs (previously they were reported as low)</li>
- <li>New detector to find code that catches
- IllegalMonitorStateException</li>
- <li>New detector to find private methods that are never called
- </li>
- <li>New detector to find suspicious uses of
- non-short-circuiting boolean operators ( <code> &amp; </code> and
- <code> | </code> , rather than <code> &amp;&amp; </code> and <code>
- || </code> )
- </li>
- </ul>
-
- <p>Changes since version 0.7.1:</p>
- <ul>
- <li>Incorporated patched version of BCEL, which allows classes
- compiled with JDK 1.5.0 beta to be analyzed</li>
- <li>Fixed some bugs related to lookups of array classes</li>
- <li>Fixed bug that prevented GUI from loading XML result files
- when running under JDK 1.5.0 beta</li>
- <li>Added new experimental bug detector, LazyInit, which looks
- for potentially buggy lazy initializations of static fields</li>
- <li>Because of long filenames, switched to distributing the
- source archive as a zip file rather than a tar file</li>
- <li>The 0.7.1 source tarfile was botched - 0.7.2 has a valid
- source archive</li>
- <li>Fixed some problems in the Ant build script</li>
- <li>Fixed NullPointerException when checking Class-Path
- attribute for Jar files without manifests</li>
- <li>Generate version numbers for the core and UI Eclipse
- plugins using the Version class; all version numbers are now in a
- common location</li>
- </ul>
-
- <p>Changes since version 0.7.0:</p>
- <ul>
- <li>Eclipse plugin (contributed by Peter Friese)</li>
- <li>Source package structure rearranged: all source (other
- than Eclipse plugin UI) is in the edu.umd.cs.findbugs package, or
- a subpackage</li>
- <li>Class-Path attributes of manifests of analyzed jar files
- are used to set the aux classpath automatically (Peter D. Stout)</li>
- <li>GUI starts in directory specified by user.home property
- (Peter D. Stout)</li>
- <li>Added -project option to GUI (Mikko T.)</li>
- <li>Added -look:{plastic,gtk,native} option to GUI, for
- setting look and feel (Mikko T.)</li>
- <li>Fixed DataflowAnalysisException in inconsistent
- synchronization detector</li>
- <li>Ant task supports failOnError parameter (Rohan Lloyd)</li>
- <li>Serializable class warnings are downgraded to low priority
- for GUI classes</li>
- <li>MWN detector will only report calls to wait(), notify(),
- and notifyAll() methods that have the correct signature</li>
- <li>FindBugs works with latest CVS version of BCEL</li>
- <li>Zip and Jar files may be added to the source path</li>
- <li>The GUI will automatically find source files residing in
- analyzed Zip or Jar files</li>
- </ul>
-
- <p>Note that the version number jumped from 0.6.6 to 0.6.9;
- there were no 0.6.7 or 0.6.8 releases.</p>
- <p>Changes since version 0.6.9:</p>
- <ul>
- <li>Added -conserveSpace option to reduce memory use at the
- expense of analysis precision</li>
- <li>Bug fixes in findbugs.bat script: JAVA_HOME handling,
- autodetection of FINDBUGS_HOME, missing output with -textui</li>
- <li>Fixed NullPointerException when a missing class is
- encountered</li>
- </ul>
-
- <p>Changes since version 0.6.6:</p>
- <ul>
- <li>The null pointer dereference detector is more powerful</li>
- <li>Significantly improved heuristics and bug fixes in
- inconsistent synchronization detector</li>
- <li>Improved heuristics in open stream and dropped exception
- detectors; fewer false positives should be reported</li>
- <li>Save HTML summary in XML results files, rather than
- recomputing; this makes loading results in GUI much faster</li>
- <li>Report at most one String comparison using == or != per
- method</li>
- <li>The findbugs.bat script on Windows autodetects
- FINDBUGS_HOME, and doesn't open a DOS window when launching the
- GUI (contributed by TJSB)</li>
- <li>Emacs reporting format (contributed by David Li)</li>
- <li>Various bug fixes</li>
- </ul>
-
- <p>Changes since 0.6.5:</p>
- <ul>
- <li>Rewritten inconsistent synchronization detector; accuracy
- is significantly improved, and bug reports are prioritized</li>
- <li>New detector to find self assignment (x=x) of local
- variables (suggested by Jeff Martin)</li>
- <li>New detector to find calls to wait(), notify(), and
- notifyAll() on an object which is not obviously locked</li>
- <li>Open stream detector now reports Readers and Writers</li>
- <li>Fixed bug in finalizer idioms detector which caused
- spurious warnings about failure to call super.finalize() (reported
- by Jim Menard)</li>
- <li>Fixed bug where output stream was not closed using non-XML
- output (reported by Sigiswald Madou)</li>
- <li>Fixed corrupted HTML bug detail message (reported by
- Trevor Harmon)</li>
- </ul>
-
- <p>Changes since version 0.6.4:</p>
- <ul>
- <li>For redundant comparison of reference values, fixed false
- positives resulting from duplication of code in finally blocks</li>
- <li>Fixed false positives resulting from wrapped byte array
- streams left open</li>
- <li>Fixed bug in Ant task preventing output file from working
- properly if a relative path was used</li>
- </ul>
-
- <p>Changes since version 0.6.3:</p>
- <ul>
- <li>Fixed bug in Ant task where output would be corrupted, and
- added a <code> timeout </code> attribute
- </li>
- <li>Added -outputFile option to text UI, for explicitly
- specifying an output file</li>
- <li>GUI has a summary window, for statistics about overall bug
- densities (contributed by Mike Fagan)</li>
- <li>Find redundant comparisons of reference values</li>
- <li>More accurate detection of Strings compared with == and !=
- operators</li>
- <li>Detection of other reference types which should generally
- not be compared with == and != operators; Boolean, Integer, etc.</li>
- <li>Find non-transient non-serializable instance fields in
- Serializable classes</li>
- <li>Source code may be compiled with latest early access
- generics-enabled javac (version 2.2)</li>
- </ul>
-
- <p>Changes since version 0.6.2:</p>
- <ul>
- <li>GUI supports filtering bugs by priority</li>
- <li>Ant task rewritten; supports all functionality offered by
- Text UI (contributed by Mike Fagan)</li>
- <li>Ant task is fully documented in the manual</li>
- <li>Classes in nested archives are analyzed; this allows full
- support for analyzing .ear and .war files (contributed by Mike
- Fagan)</li>
- <li>DepthFirstSearch changed to use non-recursive
- implementation; this should fix the StackOverflowErrors that
- several users reported</li>
- <li>Various minor bugfixes and improvements</li>
- </ul>
-
- <p>Changes since version 0.6.1:</p>
- <ul>
- <li>New detector to look for useless control flow (suggested
- by Richard P. King and Mike Fagan)</li>
- <li>Look for places where return value of
- java.io.File.createNewFile() is ignored (suggested by Richard P.
- King)</li>
- <li>Fixed bug in resolution of source files (only the first
- source directory was searched)</li>
- <li>Fixed a NullPointerException in the bytecode pattern
- matching code</li>
- <li>Ant task supports project files (contributed by Mike
- Fagan)</li>
- <li>Unix findbugs script honors the <code> JAVA_HOME </code>
- environment variable (contributed by Pedro Morais)
- </li>
- <li>Allow .war and .ear files to be analyzed</li>
- </ul>
-
- <p>Changes since version 0.6.0:</p>
- <ul>
- <li>New bug pattern detector which looks for places where a
- null pointer might be dereferenced</li>
- <li>New bug pattern detector which looks for IO streams that
- are opened, do not escape the method, and are not closed on all
- paths out of the method</li>
- <li>New bug pattern detector to find methods that can return
- null instead of a zero-length array</li>
- <li>New bug pattern detector to find places where the == or !=
- operators are used to compare String objects</li>
- <li>Command line interface can save bugs as XML</li>
- <li>GUI can save bugs to and load bugs from XML</li>
- <li>An "Annotations" window in the GUI allows the user to add
- textual annotations to bug reports; these annotations are
- preserved when bugs are saved as XML</li>
- <li>In this release, the Japanese bug summary translations by
- Germano Leichsenring are really included (they were inadvertently
- omitted in the previous release)</li>
- <li>Completely rewrote the control flow graph builder,
- hopefully for the last time</li>
- <li>Simplified implementation of control flow graphs, which
- should reduce memory use and possibly improve performance</li>
- <li>Improvements to command line interface (list bug
- priorities, filter by priority, specify aux classpath, specify
- project to analyze)</li>
- <li>Various bug fixes and enhancements</li>
- </ul>
-
- <p>Changes since version 0.5.4</p>
- <ul>
- <li>Added an <a href="http://ant.apache.org/">Ant</a> task for
- FindBugs, contributed by Mike Fagan.
- </li>
- <li>Added a GUI dialog which allows individual bug pattern
- detectors to be enabled or disabled.&nbsp; Disabling certain slow
- detectors can greatly speed up analysis of large programs, at the
- expense of reducing the number of potential bugs found.</li>
- <li>Added a new detector for finding improperly ignored return
- values for methods such as <code> String.trim() </code> .&nbsp;
- Suggested by Andreas Mandel.
- </li>
- <li>Japanese translations of the bug summaries, contributed by
- Germano Leichsenring.</li>
- <li>Filtering of results is supported in command line
- interface. See the <a href="manual/index.html">FindBugs manual</a>
- for details.
- </li>
- <li>Added "byte code patterns", a general pattern matching
- infrastructure for bytecode instructions.&nbsp; This feature
- significantly reduces the complexity of implementing new bug
- pattern detectors.</li>
- <li>Enabled a new general dataflow analysis to track values in
- methods.</li>
- <li>Switched to new control-flow graph builder implementation.
- </li>
- </ul>
-
- <p>Changes since version 0.5.3</p>
- <ul>
- <li>Fixed a bug in the script used to launch FindBugs on
- Windows platforms.</li>
- <li>Fixed crashes when analyzing class files without source
- line information.</li>
- <li>All major errors are reported using an error dialog; file
- not found errors are more informative.</li>
- <li>Minor GUI improvements.</li>
- </ul>
-
- <p>Changes since version 0.5.2</p>
- <ul>
- <li>All of the source code and related files are in a single
- directory tree.</li>
- <li>Updated some of the detectors to produce source line
- information.</li>
- <li><a href="http://ant.apache.org/">Ant</a> build script and
- several GUI enhancements and fixes contributed by Mike Fagan.</li>
- <li>Converted to use a <a href="AddingDetectors.txt">plugin
- architecture</a> for loading bug detectors.
- </li>
- <li>Eliminated generics-related compiler warnings.</li>
- <li>More complete documentation has been added.</li>
- </ul>
-
- <p>Changes since version 0.5.1:</p>
- <ul>
- <li>Fixed a large number of bugs in the BCEL Repository and
- FindBugs's use of the Repository.&nbsp; With these changes,
- FindBugs should <em>never</em> crash or otherwise misbehave
- because of Repository lookup failures.&nbsp; Because of these
- changes, you must use a modified version of <code> bcel.jar
- </code> with FindBugs.&nbsp; This jar file is included in the FindBugs
- 0.5.2 binary release.&nbsp; A complete patch containing the <a
- href="http://faculty.ycp.edu/~dhovemey/bcel-30-April-2003.patch">modifications
- against the BCEL CVS main branch as of April 30, 2003</a> is also
- available.
- </li>
- <li>Implemented the "auxiliary classpath entry list".&nbsp;
- Aux classpath entries can be added to a project to provide classes
- that are referenced by the analyzed application, but should not
- themselves be analyzed.&nbsp; Having all referenced classes
- available allows FindBugs to produce more accurate results.</li>
- </ul>
-
- <p>Changes since version 0.5.0:</p>
- <ul>
- <li>Many user interface bugs have been fixed.</li>
- <li>Upgraded to a recent CVS version of BCEL, with some bug
- fixes.&nbsp; This should prevent FindBugs from crashing when there
- is a failure to find a class on the classpath.</li>
- <li>Added support for Plastic look and feel from <a
- href="http://www.jgoodies.com/">jgoodies.com</a>.
- </li>
- <li>Major overhaul of infrastructure for doing dataflow
- analysis.</li>
- </ul>
+ </li>
+ <li>Added check for a dead local store caused by a switch
+ statement fall through</li>
+ <li>Added check for computing the absolute value of a random
+ 32 bit integer or of a hashcode. This is broken because <code>
+ Math.abs(Integer.MIN_VALUE) == Integer.MIN_VALUE </code> , and thus
+ result of calling Math.abs, which is expected to be nonnegative,
+ will in fact be negative one time out of 2 <sup> 32 </sup> , which
+ will invariably be the time your boss is demoing the software to
+ your customers.
+
+ </li>
+ <li>More careful resolution of inherited methods and fields.
+ Some of the shortcuts we were taking in FindBugs 1.0.0 were
+ leading to inaccurate results, and it was fairly easy to address
+ this by making the analysis more accurate.</li>
+ <li>Overall, analysis times are about 1.6 times longer in
+ FindBugs 1.1.0 than in FindBugs 1.0.0. This is because we have
+ enabled substantial additional analysis at the default effort
+ level (the actual analysis engine is significantly faster than in
+ FindBugs 1.0). On a recent AMD Athlon processor, analyzing
+ JDK1.6.0 (about 1 million lines of code) requires about 15 minutes
+ of wall clock time.</li>
+ <li>Provided class and script (printClass) to print classfile
+ in the human readable format produced by BCEL</li>
+ <li>Provided -findSource option to setBugDatabaseInfo</li>
+ </ul>
+
+
+ <p>Changes since version 0.9.7:</p>
+
+ <ul>
+ <li>fix ObjectTypeFactory bug that was suppressing some bugs</li>
+ <li>opcode stack may determine definite zeros on some paths</li>
+ <li>opcode stack can track some constant string concatenations
+ (dbrosius)</li>
+ <li>default effort performs iterative opcode analysis (but min
+ effort does not)</li>
+ <li>default heap size upped to 384m</li>
+ <li>schema for XML output available: bugcollection.xsd</li>
+ <li>fixed some internal confusion between dotted and slashed
+ class names</li>
+ <li>New detectors
+ <ul>
+ <li>CheckImmutableAnnotation.java: checks JCIP annotations</li>
+ </ul>
+ </li>
+ <li>Updated detectors
+ <ul>
+ <li>BadRegEx.java: understands Pattern.LITERAL, warns about
+ "."</li>
+ <li>FindUnreleasedLock.java: fewer false positives</li>
+ <li>DumbMethods.java: check for vacuous comparisons to
+ MAX_INTEGER or MIN_INTEGER, fix bugs detecting
+ DM_NEXTINT_VIA_NEXTDOUBLE</li>
+ <li>FindPuzzlers.java: detect <tt>n%2==1</tt>, detect
+ toString() on array types
+ </li>
+ <li>FindInconsistentSync2.java: detects IS_FIELD_NOT_GUARDED
+ </li>
+ <li>MethodReturnCheck.java: add check for discarded newly
+ constructed values, increase priority of some ignored
+ constructed exceptions, better handling of bytecode compiled by
+ Eclipse</li>
+ <li>FindEmptySynchronizedBlock.java: better handling of
+ bytecode compiled by Eclipse</li>
+ <li>DoInsideDoPrivileged.java: warn if call to setAccessible
+ isn't in doPriviledged, don't report private methods</li>
+ <li>LoadOfKnownNullValue.java: fix bug that was reporting
+ false positives on <code> finally </code> blocks
+ </li>
+ <li>CheckReturnAnnotationDatabase.java: better checks for
+ unstarted threads</li>
+ <li>ConfusionBetweenInheritedAndOuterMethod.java: fewer
+ false positives, fixed a package-handling bug</li>
+ <li>BadResultSetAccess.java: separate bug pattern for
+ PreparedStatements, <code> BRZA </code> category folded into <code>
+ SQL </code> category
+ </li>
+ <li>FindDeadLocalStores.java, FindBadCast2.java,
+ DumbMethods.java, RuntimeExceptionCapture.java: coalesce similar
+ bugs within a method into a single bug instance with multiple
+ source lines</li>
+ </ul>
+ </li>
+ <li>Eclipse plugin
+ <ul>
+ <li>plugin ID changed from <tt>de.tobject.findbugs</tt> to <tt>edu.umd.cs.findbugs.plugin.eclipse</tt>
+ </li>
+ <li>support for findbugs eclipse auto-update site</li>
+ </ul>
+ </li>
+ <li>Updated test case files
+ <ul>
+ <li>BadRegEx.java</li>
+ <li>JSR166.java</li>
+ <li>ConcurrentModificationBug.java</li>
+ <li>DeadStore.java</li>
+ <li>InstanceOf.java</li>
+ <li>LoadKnownNull.java</li>
+ <li>NeedsToCheckReturnValue.java</li>
+ <li>BadResultSetAccessTest.java</li>
+ <li>DeadStore.java</li>
+ <li>TestNonNull2.java</li>
+ <li>TestImmutable.java</li>
+ <li>TestGuardedBy.java</li>
+ <li>BadRandomInt.java</li>
+ <li>six test cases added to new <code> TigerTraps </code>
+ directory
+ </li>
+ </ul>
+ </li>
+ <li>fix bug that was generating duplicate uids</li>
+ <li>fix bug with <code> -onlyAnalyze some.package.* </code> on
+ jdk1.4
+ </li>
+ <li>fix regression bug in
+ DismantleByteCode.getRefConstantOperand()</li>
+ <li>fix some minor bugs with the Swing GUI</li>
+ <li>reordered some bugInstances so that source line
+ annotations come last</li>
+ <li>removed references to unused java system properties</li>
+ <li>French translation updates (David Cotton)</li>
+ <li>Japanese translation updates (Hanai Shisei)</li>
+ <li>content cleanup for findbugs.xml and messages.xml</li>
+ <li>references to cvs hostname updated to
+ findbugs.cvs.sourceforge.net</li>
+ <li>documented xdoc output options, new
+ mineBugHistory/computeBugHistory options</li>
+ </ul>
+
+ <p>Changes since version 0.9.6:</p>
+
+ <ul>
+ <li>performance improvements</li>
+ <li>ObjectType instances are cached to reduce memory footprint
+ </li>
+ <li>for performance and memory reasons stateless detectors are
+ no longer cloned, must clear their own state between .class files
+ </li>
+ <li>fixed bug in bytecode-set lookup for methods (was causing
+ bad results for IS2, perhaps others)</li>
+ <li>fix some OpcodeStack bugs with integer and long
+ operations, perform iterative analysis when effort is <tt>max</tt>
+ </li>
+ <li>HTML output includes LongMessage text again (regression in
+ 0.95 - 0.96)</li>
+ <li>New detectors
+ <ul>
+ <li>CalledMethods.java: builds a list of invoked methods for
+ other detectors to consult (non-reporting)</li>
+ <li>UncallableMethodOfAnonymousClass.java: detect anonymous
+ inner classes that define methods that are probably intended to
+ but do not override methods in a superclass.</li>
+ </ul>
+ </li>
+ <li>Updated detectors
+ <ul>
+ <li>FindFieldSelfAssignment.java: recognize separate fields
+ with the same name (one from superclass)</li>
+ <li>FindLocalSelfAssignment2.java: handles backward branches
+ better (Dave Brosius)</li>
+ <li>FindBadCast2.java: BC_NULL_INSTANCEOF changed to
+ NP_NULL_INSTANCEOF</li>
+ <li>FindPuzzlers.java: eliminate false positive on setDate()
+ (Dave Brosius)</li>
+ </ul>
+ </li>
+ <li>Eclipse plugin
+ <ul>
+ <li>fix serious threading bug</li>
+ <li>preferences for Filters and effort (Peter Hendriks)</li>
+ <li>French localization (David Cotton)</li>
+ <li>fix bug when reporting inner classes (Peter Friese)</li>
+ </ul>
+ </li>
+ <li>Updated test case files
+ <ul>
+ <li>Mwn.java (Carl Burke/Dave Brosius)</li>
+ <li>DumbMethodInvocations.java (Anto paul/Dave Brosius)</li>
+ <!--sic-->
+ </ul>
+ </li>
+ <li>XML output includes garbage collection duration</li>
+ <li>French messages updated (David Cotton)</li>
+ <li>Swing GUI shows file name after Load Bugs command</li>
+ <li>Ant task to launch the findbugs frame (Mark McKay)</li>
+ <li>miscellaneous code cleanup</li>
+ </ul>
+
+ <p>Changes since version 0.9.5:</p>
+
+ <ul>
+ <li>Updated detectors
+ <ul>
+ <li>FindNullDeref.java: respect NonNull and CheckForNull
+ field annotations</li>
+ <li>SerializableIdiom.java: detect non-private readObject
+ and writeObject methods</li>
+ <li>FindRefComparison.java: smarter array comparison
+ detection</li>
+ <li>IsNullValueAnalysis.java: detect <tt>null
+ instanceof</tt>
+ </li>
+ <li>FindLocalSelfAssignment2.java: suppress some false
+ positives (Dave Brosius)</li>
+ <li>FindUnreleasedLock.java: don't waste time processing
+ classes that don't refer to java.util.concurrent.locks</li>
+ <li>MutableStaticFields.java: report the source line (Dave
+ Brosius)</li>
+ <li>SwitchFallthrough.java: better handling of System.exit()
+ (Dave Brosius)</li>
+ <li>MultithreadedInstanceAccess.java: better handling of
+ Servlet.init() (Dave Brosius)</li>
+ <li>ConfusionBetweenInheritedAndOuterMethod.java: now
+ enabled</li>
+ </ul>
+ </li>
+ <li>Eclipse plugin
+ <ul>
+ <li>background processing (Peter Friese)</li>
+ <li>internationalization, Japanese localization (Takashi
+ Okamoto)</li>
+ </ul>
+ </li>
+ <li>findbugs <tt>-onlyAnalyze</tt> option now works on windows
+ platforms
+ </li>
+ <li>mineBugHistory <tt>-noTabs</tt> option for better
+ alignment of output columns
+ </li>
+ <li>filterBugs <tt>-fixed</tt> option (also: will now
+ recognize the most recent version string)
+ </li>
+ <li>XML output includes running time and memory usage data</li>
+ <li>miscellaneous minor corrections to the manual</li>
+ <li>better bytecode analysis of the <tt>iinc</tt> instruction
+ </li>
+ <li>fix bug in null pointer analysis</li>
+ <li>improved catch block heuristics</li>
+ <li>some type analysis tweaks</li>
+ <li>Bug priority changes
+ <ul>
+ <li>DumbMethodInvocations.java: decrease priority of
+ hard-coded <tt>/tmp</tt> filenames
+ </li>
+ <li>ComparatorIdiom.java: decrease priority of
+ non-serializable anonymous comparators</li>
+ <li>FindSqlInjection.java: decrease priority of appending a
+ constant or a static</li>
+ </ul>
+ </li>
+ <li>Updated bug explanations
+ <ul>
+ <li>NM_VERY_CONFUSING (Dave Brosius)</li>
+ </ul>
+ </li>
+ <li>Updated test case files
+ <ul>
+ <li>BadStoreOfNonSerializableObject.java</li>
+ <li>BadRandomInt.java</li>
+ <li>TestFieldAnnotations.java</li>
+ <li>UseInitCause.java</li>
+ <li>SqlInjection.java</li>
+ <li>ArrayEquality.java</li>
+ <li>BadIntegerOperations.java</li>
+ <li>Pilhuhn.java</li>
+ <li>InstanceOf.java</li>
+ <li>SwitchFallthrough.java (Dave Brosius)</li>
+ </ul>
+ </li>
+ <li>fix URL decoding bug when running under Java Web Start
+ (Dave Brosius)</li>
+ <li>distribution includes <tt>project.xml</tt> file for
+ NetBeans
+ </li>
+ </ul>
+
+ <p>Changes since version 0.9.4:</p>
+ <ul>
+ <li>New detectors
+ <ul>
+ <li>VarArgsProblems.java</li>
+ <li>FindSqlInjection.java: now enabled</li>
+ <li>ComparatorIdiom.java: comparators usually implement
+ serializable</li>
+ <li>Naming.java: detect methods not overridden due to
+ eponymously typed args from different packages</li>
+ </ul>
+ </li>
+ <li>Updated detectors
+ <ul>
+ <li>SwitchFallthrough.java: surpress some false positives</li>
+ <li>DuplicateBranches.java: surpress some false positives</li>
+ <li>IteratorIdioms.java: surpress some false positives</li>
+ <li>FindHEmismatch.java: surpress some false positives</li>
+ <li>QuestionableBooleanAssignment.java: finds more cases of
+ <tt>if (b=true)</tt> ilk
+ </li>
+ <li>DumbMethods.java: detect int remainder by 1, delayed gc
+ errors</li>
+ <li>SerializableIdiom.java: detect store of nonserializable
+ object into field of serializable class</li>
+ <li>FindNullDeref.java: fix potential exception</li>
+ <li>IsNullValue.java: fix potential exception</li>
+ <li>MultithreadedInstanceAccess.java: fix potential
+ exception</li>
+ <li>PreferZeroLengthArrays.java: flag the method, not the
+ line</li>
+ </ul>
+ </li>
+ <li>Remove some inadvertent dependencies on JDK 1.5</li>
+ <li>Sort order should be more consistent</li>
+ <li>XML output changes
+ <ul>
+ <li>Option to sort XML bug output</li>
+ <li>Now contains instance IDs</li>
+ <li>uid no longer missing (was causing problems with fancy
+ HTML output)</li>
+ <li>Typo fixed</li>
+ </ul>
+ </li>
+ <li>Internal changes to track source files, <tt>-sourceInfo</tt>
+ option
+ </li>
+ <li>Bug matching: first try exact bug pattern matching, option
+ to compare priorities, option to disable package moves</li>
+ <li>Architecture documentation in <tt>design/architecture</tt>
+ </li>
+ <li>Test cases move into their own CVS project</li>
+ <li>Don't report warnings that occur outside the analyzed
+ classes</li>
+ <li>Fixes to the build.xml files</li>
+ <li>Better handling of @CheckReturnValue and @CheckForNull
+ annotations (also, some additional methods searched for check
+ return value and check for null)</li>
+ <li>Fixed some stream-closing bugs (one by <tt>z-fb-user</tt>/Dave
+ Brosius)
+ </li>
+ <li>Bug priority changes
+ <ul>
+ <li>increase priority of ignoring return value of
+ java.sql.Connection methods</li>
+ <li>increase priority of comparing classes like Integer
+ using <tt>==</tt>
+ </li>
+ <li>decrease priority of IT_NO_SUCH_ELEMENT if we see any
+ call to <tt>next()</tt>
+ </li>
+ <li>tweak priority of NM_METHOD_CONSTRUCTOR_CONFUSION</li>
+ <li>decrease priority of RV_RETURN_VALUE_IGNORED for an
+ inherited annotation that doesn't return same type as class</li>
+ </ul>
+ </li>
+ <li>Updated bug explanations
+ <ul>
+ <li>RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE</li>
+ <li>DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED</li>
+ <li>IMA_INEFFICIENT_MEMBER_ACCESS (Dave Brosius)</li>
+ <li>some Japanese improvements to messages_ja.xml ( <tt>ruimo</tt>)
+ </li>
+ <li>some German improvements to findbugs_de.properties (Dave
+ Brosius, <tt>dvholten</tt>)
+ </li>
+ </ul>
+ </li>
+ <li>Updated test case files
+ <ul>
+ <li>BadIntegerOperations.java</li>
+ <li>SecondKaboom.java</li>
+ <li>OpenDatabase.java (Dave Brosius)</li>
+ <li>FindOpenStream.java (Dave Brosius)</li>
+ <li>BadRandomInt.java</li>
+ </ul>
+ </li>
+ <li>Source-lines info maintained for methods (handy for
+ abstract and native methods)</li>
+ <li>Remove surrounding opcodes from source line annotations</li>
+ <li>Better error when can't read file</li>
+ <li>Swing GUI: removed console pane from FindBugsFrame, fix
+ missing classes bug</li>
+ <li>Fixes to OpcodeStack.java</li>
+ <li>Detectors may attach a custom value to an OpcodeStack.Item
+ (Dave Brosius)</li>
+ <li>Filter.java: ability to add text messages to XML output,
+ fix bug with <tt>-withMessages</tt>
+ </li>
+ <li>SourceInfoMap supports ranges of source lines</li>
+ <li>Ant task supports the <tt>timestampNow</tt> attribute
+ </li>
+ </ul>
+
+ <p>Changes since version 0.9.3:</p>
+ <ul>
+ <li>Substantial rework of datamining code</li>
+ <li>Removed bogus warnings about await on things other than
+ Condition not being in a loop</li>
+ <li>Fixed bug in OpcodeStack handling of dup2 of long/double
+ values</li>
+ <li>Don't report array types as missing classes</li>
+ <li>Adjustment of some warnings on ignored return values</li>
+ <li>Added thread safety annotations from Java Concurrency in
+ Practice (no detectors written for these yet)</li>
+ <li>Added annotation for methods that, if overridden, should
+ be invoked by overriding methods via a call to super</li>
+ <li>Updated -html:fancy.xsl (Etienne Giraudy)</li>
+ </ul>
+
+ <p>Note: there was no version 0.9.2</p>
+
+ <p>Changes since version 0.9.1:</p>
+ <ul>
+ <!-- New detectors -->
+ <li>Embellish USM to find abstract methods that implement an
+ interface method (Dave Brosius)</li>
+ <li>New detector to find stores of literal booleans inside if
+ or while expressions (Dave Brosius)</li>
+ <li>New style detector to find final classes that declare
+ protected fields (Dave Brosius)</li>
+ <li>New detector to find subclass methods that simply forward,
+ verbatim, to the super class (Dave Brosius)</li>
+ <li>Detector to find instances where code is attempting to
+ write an object out via an implementation of DataOutput, but the
+ object is not guaranteed to be Serializable (Jon Christiansen,
+ Bill Pugh)</li>
+
+ <!-- Feature enhancements -->
+ <li>Large (35%) analysis speedup (Bill Pugh)</li>
+ <li>Add line numbers to Swing GUI code panel (Dave Brosius)</li>
+ <li>Added effort options to Swing GUI (Dave Brosius)</li>
+ <li>Add ability to specify bugs file to open from command line
+ for GUI version, through -loadbugs (Phillip Martin)</li>
+ <li>New stylesheet for generating HTML: use option <tt>-html:plain.xsl</tt>
+ (Chris Nappin)
+ </li>
+ <li>New stylesheet for generating HTML: use option <tt>-html:fancy.xsl</tt>
+ (Etienne Giraudy)
+ </li>
+ <li>Updated Japanese bug message translations (Shisei Hanai)</li>
+
+ <!-- Bug fixes -->
+ <li>XHTML compliance fixes for bug details (Etienne Giraudy)</li>
+ <li>Various detector fixes (Shisei Hanai)</li>
+ <li>Fixed bugs in the project preferences dialog int the
+ Eclipse plugin (Takashi Okamoto, Thomas Einwaller)</li>
+ <li>Lowered priority of analysis thread in Swing GUI (David
+ Hovemeyer, suggested by Shisei Hanai and Jeffrey W. Badorek)</li>
+ <li>Fixed EclipsePlugin to correctly pick up auxclasspath
+ entries (Jon Christiansen)</li>
+ </ul>
+
+ <p>Changes since version 0.9.0:</p>
+ <ul>
+ <li>Fixed dependence on JRE 1.5: all features should work on
+ JRE 1.4 again</li>
+ <li>Fixed -effort command line option handling for Swing GUI</li>
+ <li>Fixed conserveSpace and workHard attributes int Ant task</li>
+ <li>Added support for effort attribute in Ant task</li>
+ </ul>
+
+ <p>Changes since version 0.8.8:</p>
+ <ul>
+ <!-- New detectors and bug patterns -->
+ <li>XMLFactoryBypass detector to find direct allocation of xml
+ class implementations (Dave Brosius)</li>
+ <li>InefficientMemberAccess detector to find accesses to
+ owning class private members (Dave Brosius)</li>
+ <li>DuplicateBranches detector checks switch statements too
+ (Dave Brosius)</li>
+
+ <!-- Feature enhancements -->
+ <li>FindBugs available from findbugs.sourceforge.net as Java
+ Web Start application (Dave Brosius)</li>
+ <li>Updated Japanese bug message translations (Shisei Hanai)</li>
+ <li>Improved bug detail message for covariant equals() (Shisei
+ Hanai)</li>
+ <li>Modeling of instanceof checks is now enabled by default,
+ making the bad cast detector much more useful (Bill Pugh, David
+ Hovemeyer)</li>
+ <li>Support for detector ordering constraints in plugin
+ descriptor (David Hovemeyer)</li>
+ <li>Simpler option to control analysis effort: -effort: <i>value</i>,
+ where <i>value</i> is one of <code> min </code> , <code>
+ default </code> , or <code> max </code> (David Hovemeyer)
+ </li>
+ <li>Using -effort:max, FindNullDeref checks for null arguments
+ passed to methods which dereference them unconditionally (David
+ Hovemeyer)</li>
+ <li>FindNullDeref checks @Null and @NonNull annotations for
+ parameters and return values (David Hovemeyer)</li>
+
+ <!-- Bug fixes -->
+ </ul>
+
+ <p>Changes since version 0.8.7:</p>
+
+ <ul>
+ <!-- New detectors and bug patterns -->
+ <li>New detector to find duplicate code in if/else statements
+ (Dave Brosius)</li>
+ <li>Look for calls to wait() on Condition objects (David
+ Hovemeyer)</li>
+ <li>Look for java.util.concurrent.Lock objects not released on
+ every path out of method (David Hovemeyer)</li>
+ <li>Look for calls to Thread.sleep() with a lock held (David
+ Hovemeyer)</li>
+ <li>More accurate detection of impossible casts (Bill Pugh,
+ David Hovemeyer)</li>
+
+ <!-- Feature enhancements -->
+ <li>Saved XML now contains project statistics (Jay Dunning)</li>
+ <li>Filter files can select by bug pattern type and warning
+ priority (David Hovemeyer)</li>
+
+ <!-- Bug fixes -->
+ <li>Restored some files inadvertently omitted from previous
+ release (Rohan Lloyd, David Hovemeyer)</li>
+ <li>Make sure detectors requiring JDK 1.5 runtime classes are
+ only executed if those classes are available (David Hovemeyer)</li>
+ <li>Don't display analysis error dialog unless there is really
+ an error (David Hovemeyer)</li>
+ <li>Updated and expanded French translations of bug patterns
+ and Swing GUI (Olivier Parent)</li>
+ <li>Fixed invalid character encoding in German Swing GUI
+ translation (Olivier Parent)</li>
+ <li>Fix locale used for date format in project stats (K.
+ Hashimoto)</li>
+ <li>Fixed LongDescription elements in xml:withMessages output
+ format (K. Hashimoto)</li>
+ </ul>
+
+ <p>Changes since version 0.8.6:</p>
+
+ <ul>
+ <!-- new detectors -->
+ <li>Extend Naming detector to look for classes that are named
+ XXXException but that are not Exceptions (Dave Brosius)</li>
+ <li>New detector to find classes that expose semaphores in the
+ public implementation through the 'this' reference. (Dave Brosius)
+ </li>
+ <li>New Style detector to find Struts Action/Servlet derived
+ classes that reference instance member variable not in
+ synchronized blocks. (Dave Brosius)</li>
+ <li>New Style detector to find classes that declare
+ implementation of interfaces that are already implemented by super
+ classes (Dave Brosius)</li>
+ <li>New Style detector to find circular dependencies between
+ classes (Dave Brosius)</li>
+ <li>New Style detector to find unnecessary math on constants
+ (Dave Brosius)</li>
+ <li>New detector to find equality comparisons using floating
+ point math (Jay Dunning)</li>
+ <li>New faster detector to find local self assignments (Bill
+ Pugh)</li>
+ <li>New detector to find infinite recursive loops (Bill Pugh)
+ </li>
+ <li>New detector to find for loops with an incorrect increment
+ (Bill Pugh)</li>
+ <li>New detector to find suspicious uses of
+ BufferedReader.readLine() and String.indexOf() (Bill Pugh)</li>
+ <li>New detector to find suspicious integer to double casts
+ (David Hovemeyer, Bill Pugh)</li>
+ <li>New detector to find invalid regular expression patterns
+ (Bill Pugh)</li>
+ <li>New detector to find Bloch/Gafter Java puzzlers (Bill
+ Pugh)</li>
+
+ <!-- feature enhancements -->
+ <li>New system property to suppress reporting of DLS based on
+ local variable name (Glenn Boysko)</li>
+ <li>Enhancements to configuration dialog in Eclipse plugin,
+ allow for saving enabled detectors in Eclipse projects (Phil
+ Crosby)</li>
+ <li>Sortable columns in detector dialog (Dave Brosius)</li>
+ <li>New tab in gui for showing bugs grouped by category (Dave
+ Brosius)</li>
+ <li>Improved German translation of Swing GUI (Thomas Kuehne)</li>
+ <li>Improved source file reporting in Emacs output format (Len
+ Trigg)</li>
+ <li>Improvements to redundant null comparison detector (Bill
+ Pugh)</li>
+ <li>Localization of run analysis and analysis error dialogs in
+ Swing GUI (K. Hashimoto)</li>
+
+ <!-- Bug fixes -->
+ <li>Don't scan equals methods in FindHEMismatch if code is
+ native (Greg Bentz)</li>
+ <li>French translation fixes (David Cotton)</li>
+ <li>Internationalization report fixes (K. Hashimoto)</li>
+ <li>Japanese translations updates (SHISEI Hanai)</li>
+ </ul>
+
+ <p>Changes since version 0.8.5:</p>
+ <ul>
+ <!-- new detectors -->
+ <li>New detector to find catch blocks that may inadvertently
+ catch runtime exceptions (Brian Goetz)</li>
+ <li>New detector to find objects that are instantiated based
+ on classes that only have static methods and fields, using the
+ synthesized constructor (Dave Brosius)</li>
+ <li>New detector to find calls to Thread.interrupted() in a
+ non static context, and especially with non currentThread()
+ threads (Dave Brosius)</li>
+ <li>New detector to find calls to equals() methods that use
+ Object's version. (Dave Brosius)</li>
+ <li>New detector to find Applets that call methods in the
+ constructor refering to the AppletStub (Dave Brosius)</li>
+ <li>New detector to find some cases of infinite recursion
+ (Bill Pugh)</li>
+ <li>New detector to find dead stores to local variables (David
+ Hovemeyer, Bill Pugh)</li>
+ <li>Extend Dumb Method detector for toUpperCase(),
+ toLowerCase() without a locale, new Integer(1).toString(), new
+ XXX().getClass(), and new Thread() without a run implementation
+ (Dave Brosius) <!-- feature enhancements -->
+ </li>
+ <li>Ant task supports "errorProperty" attribute, which sets an
+ Ant property to "true" if an error occurs running FindBugs
+ (Michael Tamm)</li>
+ <li>Eclipse plugin allows filtering of warnings by bug
+ category, priority (David Hovemeyer)</li>
+ <li>Swing GUI allows filtering of warnings by bug category
+ (David Hovemeyer)</li>
+ <li>Ability to annotate methods using Java 1.5 annotations
+ that suppress FindBugs warnings (Bill Pugh)</li>
+ <li>New -adjustExperimental for lowering priority of
+ BugPatterns that are experimental (Dave Brosius)</li>
+ <li>Allow for command line options 'files' using the @ symbol
+ (David Hovemeyer)</li>
+ <li>New -adjustPriority command line option to for adjusting
+ bug priorites (David Hovemeyer)</li>
+ <li>Added an Edit menu (cut/copy/paste) to Swing GUI (Dave
+ Brosius)</li>
+ <li>French translation supplied (David Cotton) <!-- Bug fixes -->
+ </li>
+ </ul>
+
+ <p>Changes since version 0.8.4:</p>
+ <ul>
+ <!-- new detectors -->
+ <li>New detector for volatile references to arrays (Bill Pugh)
+ </li>
+ <li>New detector to find instanceof usage where inheritance
+ can be determined statically (Dave Brosius)</li>
+ <li>New detector to find ResultSet.getXXX updateXXX calls
+ using index 0 (Dave Brosius)</li>
+ <li>New detector to find empty zip or jar entries (Bill Pugh)
+
+ <!-- feature enhancements -->
+ </li>
+ <li>HTML output generation using built-in XSLT stylesheet or
+ user-defined stylesheet (David Hovemeyer)</li>
+ <li>Allow URLs to be specified to analyze zip/jar files, local
+ directories, and single classfiles (David Hovemeyer)</li>
+ <li>New command line option -onlyAnalyze restricts analysis to
+ selected classes and packages without reducing accuracy (David
+ Hovemeyer)</li>
+ <li>Allow Swing GUI to show source code in jar files on
+ Windows systems (Dave Brosius) <!-- Bug fixes -->
+ </li>
+ <li>Fix the Switch Fall Thru detector (Dave Brosius, David
+ Hovemeyer, Bill Pugh)</li>
+ <li>MacOS GUI fixes (Rohan Lloyd)</li>
+ <li>Fix false positive in BOA in case where method is
+ correctly and 'incorrectly' overridden (Dave Brosius)</li>
+ <li>Fixed memory blowup when analyzing methods which access a
+ large number of fields (David Hovemeyer)</li>
+ </ul>
+
+ <p>Changes since version 0.8.3:</p>
+ <ul>
+ <li>Initial and preliminary localization of the Swing
+ GUI.&nbsp; Translations by:
+ <ul>
+ <li>German - Peter D. Stout, Holger Stenzhorn</li>
+ <li>Finnish - Juha Knuutila</li>
+ <li>Estonian - Tanel Lebedev</li>
+ <li>Japanese - Hanai Shisei</li>
+ </ul>
+ </li>
+ <li>Eliminated debug print statements inadvertently left
+ enabled</li>
+ <li>Reverted some changes in the open stream detector: this
+ should fix some false positives that were introduced in the
+ previous release</li>
+ <li>Fixed a couple missing class reports</li>
+ </ul>
+
+ <p>Changes since version 0.8.2:</p>
+ <ul>
+
+ <!-- New detectors -->
+ <li>New detector to find improperly overridden GUI Adapter
+ classes (Dave Brosius)</li>
+ <li>New detector to find improperly setup JUnit TestCases
+ (Dave Brosius)</li>
+ <li>New detector to find variables that mask class level
+ fields (Dave Brosius)</li>
+ <li>New detector to find comparisons of values computed with
+ bitwise operators that always yield the same result (Tom Truscott)
+ </li>
+ <li>New detector to find unsafe getClass().getResource() calls
+ (Bill Pugh)</li>
+ <li>New detector to find GUI changes not in GUI thread but in
+ static main (Bill Pugh)</li>
+ <li>New detector to find calls to Collection.toArray() with
+ zero-length array argument; it is more efficient to pass an array
+ the size of the collection, which can be populated and returned as
+ the result (Dave Brosius) <!-- Analysis improvements -->
+ </li>
+ <li>Better suppression of false warnings in various detectors
+ (Bill Pugh, David Hovemeyer)</li>
+ <li>Enhancement to ReadReturnShouldBeChecked detector for
+ skip() (Dave Brosius)</li>
+ <li>Enhancement to DumbMethods detector (Dave Brosius)</li>
+ <li>Open stream detector does not report wrappers of streams
+ passed as method parameters (David Hovemeyer) <!-- Feature enhancements -->
+ </li>
+ <li>Cancel confirmation dialog in Swing GUI (Pete Angstadt)</li>
+ <li>Better relative path saving in Project file (Dave Brosius)
+ </li>
+ <li>Detector Priority in GUI is now saved in prefs file (Dave
+ Brosius)</li>
+ <li>Controls in GUI to reorder source and classpath entries,
+ and ability to flip between Project details and bugs pages (Dave
+ Brosius)</li>
+ <li>In Swing GUI, analysis error dialog supports "Select All"
+ and "Copy" operations for easy generation of error reports (Dave
+ Brosius)</li>
+ <li>Complete translation of bug descriptions and messages into
+ Japanese (Hanai Shisei) <!-- Bug fixes -->
+ </li>
+ <li>Fixed bug in DroppedException detector (Dave Brosius) <!-- Development stuff -->
+ </li>
+ <li>The source distribution defaults to using JDK 1.5 javac to
+ compile, but support for compiling with JSR-14 prototype is still
+ supported</li>
+ </ul>
+
+ <p>Changes since version 0.8.1:</p>
+ <ul>
+ <li>Fixed a critical ClassCastException bug (triggered if the
+ -workHard option was used, and an exception type was merged with
+ an array type during type inference)</li>
+ </ul>
+
+ <p>Changes since version 0.8.0:</p>
+ <ul>
+ <li>Disabled SwitchFallthrough detector to work around
+ NullPointerExceptions</li>
+ <li>Added some additional false positive suppression
+ heuristics</li>
+ </ul>
+
+ <p>Also, two contributors to the 0.8.0 release were
+ inadvertently left out of the credits:</p>
+ <ul>
+ <li>Pete Angstadt fixed several problems in the Swing GUI</li>
+ <li>Francis Lalonde provided a task resource file for the
+ FindBugs Ant task</li>
+ </ul>
+
+ <p>Changes since version 0.7.4:</p>
+ <ul>
+ <li>New detector to look for uses of "+" operator to
+ concatenate String objects in a loop (Dave Brosius)</li>
+ <li>Reference comparison detector looks for places where the
+ argument passed to the equals(Object) method isn't the same type
+ as the receiver object</li>
+ <li>Better suppression of false warnings in many detectors</li>
+ <li>Many improvements to Eclipse plugin (Andrey Loskutov,
+ Peter Friese)</li>
+ <li>Fixed problem with building Eclipse plugin on Windows
+ (Thomas Klaeger)</li>
+ <li>Open stream detector looks for unclosed PreparedStatement
+ objects (Thomas Klaeger, Rohan Lloyd)</li>
+ <li>Fix for open stream detector: it wasn't detecting close()
+ methods called through an invokeinterface instruction (Thomas
+ Klaeger)</li>
+ <li>Refactoring of visitor classes to enforce use of accessors
+ for visited class features (Brian Goetz)</li>
+ </ul>
+
+ <p>Changes since version 0.7.3:</p>
+ <ul>
+ <li>Experimental modification of open stream detector to look
+ for non-escaping JDBC resources (connections and statements) that
+ aren't closed on all paths out of method</li>
+ <li>Eclipse plugin fixed so it compiles and runs on Eclipse
+ 2.1.x (Peter Friese)</li>
+ <li>Option to Swing GUI and command line to generate project
+ file using relative paths for archives, source directories, and
+ aux classpath entries (Dave Brosius)</li>
+ <li>Improvements to findbugs.bat script for launching FindBugs
+ on Windows (Dave Brosius)</li>
+ <li>Updated Japanese message translations (Hiroshi Okugawa)</li>
+ <li>Uncalled private methods are now reported as low priority,
+ unless they have the same name as another method in the class
+ (which is more likely to indicate an actual bug)</li>
+ <li>Added some missing data in the bug messages XML files</li>
+ <li>Fixed some problems building from source on Windows
+ systems</li>
+ <li>Various minor bug fixes</li>
+ </ul>
+
+ <p>Changes since version 0.7.2:</p>
+ <ul>
+ <li>Enhanced Eclipse plugin, which displays the detailed bug
+ description in a view (Phil Crosby)</li>
+ <li>Various tweaks to existing detectors to reduce false
+ warnings</li>
+ <li>New command line option <code> -workHard </code> enables
+ pruning of infeasible or unlikely exception edges, which results
+ in better accuracy in the open stream detector, at the expense of
+ a 30%-100% slowdown
+ </li>
+ <li>New website and HTML documentation design</li>
+ <li>Documentation includes an HTML document with descriptions
+ of all bug patterns reported by FindBugs</li>
+ <li>Web page has a link to a <a
+ href="http://www.simeji.com/findbugs/doc/manual_ja/index.html">Japanese
+ translation</a> of the FindBugs manual, contributed by Hiroshi
+ Okugawa
+ </li>
+ <li>Changed the Inconsistent Synchronization detector so that
+ fields synchronized 50% of the time (or more) are reported as
+ medium priority bugs (previously they were reported as low)</li>
+ <li>New detector to find code that catches
+ IllegalMonitorStateException</li>
+ <li>New detector to find private methods that are never called
+ </li>
+ <li>New detector to find suspicious uses of
+ non-short-circuiting boolean operators ( <code> &amp; </code> and
+ <code> | </code> , rather than <code> &amp;&amp; </code> and <code>
+ || </code> )
+ </li>
+ </ul>
+
+ <p>Changes since version 0.7.1:</p>
+ <ul>
+ <li>Incorporated patched version of BCEL, which allows classes
+ compiled with JDK 1.5.0 beta to be analyzed</li>
+ <li>Fixed some bugs related to lookups of array classes</li>
+ <li>Fixed bug that prevented GUI from loading XML result files
+ when running under JDK 1.5.0 beta</li>
+ <li>Added new experimental bug detector, LazyInit, which looks
+ for potentially buggy lazy initializations of static fields</li>
+ <li>Because of long filenames, switched to distributing the
+ source archive as a zip file rather than a tar file</li>
+ <li>The 0.7.1 source tarfile was botched - 0.7.2 has a valid
+ source archive</li>
+ <li>Fixed some problems in the Ant build script</li>
+ <li>Fixed NullPointerException when checking Class-Path
+ attribute for Jar files without manifests</li>
+ <li>Generate version numbers for the core and UI Eclipse
+ plugins using the Version class; all version numbers are now in a
+ common location</li>
+ </ul>
+
+ <p>Changes since version 0.7.0:</p>
+ <ul>
+ <li>Eclipse plugin (contributed by Peter Friese)</li>
+ <li>Source package structure rearranged: all source (other
+ than Eclipse plugin UI) is in the edu.umd.cs.findbugs package, or
+ a subpackage</li>
+ <li>Class-Path attributes of manifests of analyzed jar files
+ are used to set the aux classpath automatically (Peter D. Stout)</li>
+ <li>GUI starts in directory specified by user.home property
+ (Peter D. Stout)</li>
+ <li>Added -project option to GUI (Mikko T.)</li>
+ <li>Added -look:{plastic,gtk,native} option to GUI, for
+ setting look and feel (Mikko T.)</li>
+ <li>Fixed DataflowAnalysisException in inconsistent
+ synchronization detector</li>
+ <li>Ant task supports failOnError parameter (Rohan Lloyd)</li>
+ <li>Serializable class warnings are downgraded to low priority
+ for GUI classes</li>
+ <li>MWN detector will only report calls to wait(), notify(),
+ and notifyAll() methods that have the correct signature</li>
+ <li>FindBugs works with latest CVS version of BCEL</li>
+ <li>Zip and Jar files may be added to the source path</li>
+ <li>The GUI will automatically find source files residing in
+ analyzed Zip or Jar files</li>
+ </ul>
+
+ <p>Note that the version number jumped from 0.6.6 to 0.6.9;
+ there were no 0.6.7 or 0.6.8 releases.</p>
+ <p>Changes since version 0.6.9:</p>
+ <ul>
+ <li>Added -conserveSpace option to reduce memory use at the
+ expense of analysis precision</li>
+ <li>Bug fixes in findbugs.bat script: JAVA_HOME handling,
+ autodetection of FINDBUGS_HOME, missing output with -textui</li>
+ <li>Fixed NullPointerException when a missing class is
+ encountered</li>
+ </ul>
+
+ <p>Changes since version 0.6.6:</p>
+ <ul>
+ <li>The null pointer dereference detector is more powerful</li>
+ <li>Significantly improved heuristics and bug fixes in
+ inconsistent synchronization detector</li>
+ <li>Improved heuristics in open stream and dropped exception
+ detectors; fewer false positives should be reported</li>
+ <li>Save HTML summary in XML results files, rather than
+ recomputing; this makes loading results in GUI much faster</li>
+ <li>Report at most one String comparison using == or != per
+ method</li>
+ <li>The findbugs.bat script on Windows autodetects
+ FINDBUGS_HOME, and doesn't open a DOS window when launching the
+ GUI (contributed by TJSB)</li>
+ <li>Emacs reporting format (contributed by David Li)</li>
+ <li>Various bug fixes</li>
+ </ul>
+
+ <p>Changes since 0.6.5:</p>
+ <ul>
+ <li>Rewritten inconsistent synchronization detector; accuracy
+ is significantly improved, and bug reports are prioritized</li>
+ <li>New detector to find self assignment (x=x) of local
+ variables (suggested by Jeff Martin)</li>
+ <li>New detector to find calls to wait(), notify(), and
+ notifyAll() on an object which is not obviously locked</li>
+ <li>Open stream detector now reports Readers and Writers</li>
+ <li>Fixed bug in finalizer idioms detector which caused
+ spurious warnings about failure to call super.finalize() (reported
+ by Jim Menard)</li>
+ <li>Fixed bug where output stream was not closed using non-XML
+ output (reported by Sigiswald Madou)</li>
+ <li>Fixed corrupted HTML bug detail message (reported by
+ Trevor Harmon)</li>
+ </ul>
+
+ <p>Changes since version 0.6.4:</p>
+ <ul>
+ <li>For redundant comparison of reference values, fixed false
+ positives resulting from duplication of code in finally blocks</li>
+ <li>Fixed false positives resulting from wrapped byte array
+ streams left open</li>
+ <li>Fixed bug in Ant task preventing output file from working
+ properly if a relative path was used</li>
+ </ul>
+
+ <p>Changes since version 0.6.3:</p>
+ <ul>
+ <li>Fixed bug in Ant task where output would be corrupted, and
+ added a <code> timeout </code> attribute
+ </li>
+ <li>Added -outputFile option to text UI, for explicitly
+ specifying an output file</li>
+ <li>GUI has a summary window, for statistics about overall bug
+ densities (contributed by Mike Fagan)</li>
+ <li>Find redundant comparisons of reference values</li>
+ <li>More accurate detection of Strings compared with == and !=
+ operators</li>
+ <li>Detection of other reference types which should generally
+ not be compared with == and != operators; Boolean, Integer, etc.</li>
+ <li>Find non-transient non-serializable instance fields in
+ Serializable classes</li>
+ <li>Source code may be compiled with latest early access
+ generics-enabled javac (version 2.2)</li>
+ </ul>
+
+ <p>Changes since version 0.6.2:</p>
+ <ul>
+ <li>GUI supports filtering bugs by priority</li>
+ <li>Ant task rewritten; supports all functionality offered by
+ Text UI (contributed by Mike Fagan)</li>
+ <li>Ant task is fully documented in the manual</li>
+ <li>Classes in nested archives are analyzed; this allows full
+ support for analyzing .ear and .war files (contributed by Mike
+ Fagan)</li>
+ <li>DepthFirstSearch changed to use non-recursive
+ implementation; this should fix the StackOverflowErrors that
+ several users reported</li>
+ <li>Various minor bugfixes and improvements</li>
+ </ul>
+
+ <p>Changes since version 0.6.1:</p>
+ <ul>
+ <li>New detector to look for useless control flow (suggested
+ by Richard P. King and Mike Fagan)</li>
+ <li>Look for places where return value of
+ java.io.File.createNewFile() is ignored (suggested by Richard P.
+ King)</li>
+ <li>Fixed bug in resolution of source files (only the first
+ source directory was searched)</li>
+ <li>Fixed a NullPointerException in the bytecode pattern
+ matching code</li>
+ <li>Ant task supports project files (contributed by Mike
+ Fagan)</li>
+ <li>Unix findbugs script honors the <code> JAVA_HOME </code>
+ environment variable (contributed by Pedro Morais)
+ </li>
+ <li>Allow .war and .ear files to be analyzed</li>
+ </ul>
+
+ <p>Changes since version 0.6.0:</p>
+ <ul>
+ <li>New bug pattern detector which looks for places where a
+ null pointer might be dereferenced</li>
+ <li>New bug pattern detector which looks for IO streams that
+ are opened, do not escape the method, and are not closed on all
+ paths out of the method</li>
+ <li>New bug pattern detector to find methods that can return
+ null instead of a zero-length array</li>
+ <li>New bug pattern detector to find places where the == or !=
+ operators are used to compare String objects</li>
+ <li>Command line interface can save bugs as XML</li>
+ <li>GUI can save bugs to and load bugs from XML</li>
+ <li>An "Annotations" window in the GUI allows the user to add
+ textual annotations to bug reports; these annotations are
+ preserved when bugs are saved as XML</li>
+ <li>In this release, the Japanese bug summary translations by
+ Germano Leichsenring are really included (they were inadvertently
+ omitted in the previous release)</li>
+ <li>Completely rewrote the control flow graph builder,
+ hopefully for the last time</li>
+ <li>Simplified implementation of control flow graphs, which
+ should reduce memory use and possibly improve performance</li>
+ <li>Improvements to command line interface (list bug
+ priorities, filter by priority, specify aux classpath, specify
+ project to analyze)</li>
+ <li>Various bug fixes and enhancements</li>
+ </ul>
+
+ <p>Changes since version 0.5.4</p>
+ <ul>
+ <li>Added an <a href="http://ant.apache.org/">Ant</a> task for
+ FindBugs, contributed by Mike Fagan.
+ </li>
+ <li>Added a GUI dialog which allows individual bug pattern
+ detectors to be enabled or disabled.&nbsp; Disabling certain slow
+ detectors can greatly speed up analysis of large programs, at the
+ expense of reducing the number of potential bugs found.</li>
+ <li>Added a new detector for finding improperly ignored return
+ values for methods such as <code> String.trim() </code> .&nbsp;
+ Suggested by Andreas Mandel.
+ </li>
+ <li>Japanese translations of the bug summaries, contributed by
+ Germano Leichsenring.</li>
+ <li>Filtering of results is supported in command line
+ interface. See the <a href="manual/index.html">FindBugs manual</a>
+ for details.
+ </li>
+ <li>Added "byte code patterns", a general pattern matching
+ infrastructure for bytecode instructions.&nbsp; This feature
+ significantly reduces the complexity of implementing new bug
+ pattern detectors.</li>
+ <li>Enabled a new general dataflow analysis to track values in
+ methods.</li>
+ <li>Switched to new control-flow graph builder implementation.
+ </li>
+ </ul>
+
+ <p>Changes since version 0.5.3</p>
+ <ul>
+ <li>Fixed a bug in the script used to launch FindBugs on
+ Windows platforms.</li>
+ <li>Fixed crashes when analyzing class files without source
+ line information.</li>
+ <li>All major errors are reported using an error dialog; file
+ not found errors are more informative.</li>
+ <li>Minor GUI improvements.</li>
+ </ul>
+
+ <p>Changes since version 0.5.2</p>
+ <ul>
+ <li>All of the source code and related files are in a single
+ directory tree.</li>
+ <li>Updated some of the detectors to produce source line
+ information.</li>
+ <li><a href="http://ant.apache.org/">Ant</a> build script and
+ several GUI enhancements and fixes contributed by Mike Fagan.</li>
+ <li>Converted to use a <a href="AddingDetectors.txt">plugin
+ architecture</a> for loading bug detectors.
+ </li>
+ <li>Eliminated generics-related compiler warnings.</li>
+ <li>More complete documentation has been added.</li>
+ </ul>
+
+ <p>Changes since version 0.5.1:</p>
+ <ul>
+ <li>Fixed a large number of bugs in the BCEL Repository and
+ FindBugs's use of the Repository.&nbsp; With these changes,
+ FindBugs should <em>never</em> crash or otherwise misbehave
+ because of Repository lookup failures.&nbsp; Because of these
+ changes, you must use a modified version of <code> bcel.jar
+ </code> with FindBugs.&nbsp; This jar file is included in the FindBugs
+ 0.5.2 binary release.&nbsp; A complete patch containing the <a
+ href="http://faculty.ycp.edu/~dhovemey/bcel-30-April-2003.patch">modifications
+ against the BCEL CVS main branch as of April 30, 2003</a> is also
+ available.
+ </li>
+ <li>Implemented the "auxiliary classpath entry list".&nbsp;
+ Aux classpath entries can be added to a project to provide classes
+ that are referenced by the analyzed application, but should not
+ themselves be analyzed.&nbsp; Having all referenced classes
+ available allows FindBugs to produce more accurate results.</li>
+ </ul>
+
+ <p>Changes since version 0.5.0:</p>
+ <ul>
+ <li>Many user interface bugs have been fixed.</li>
+ <li>Upgraded to a recent CVS version of BCEL, with some bug
+ fixes.&nbsp; This should prevent FindBugs from crashing when there
+ is a failure to find a class on the classpath.</li>
+ <li>Added support for Plastic look and feel from <a
+ href="http://www.jgoodies.com/">jgoodies.com</a>.
+ </li>
+ <li>Major overhaul of infrastructure for doing dataflow
+ analysis.</li>
+ </ul>
<hr> <p>
<script language="JavaScript" type="text/javascript">
<!---//hide script from old browsers
@@ -2800,10 +2855,10 @@ document.write( "Last updated "+ document.lastModified + "." );
<p>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=96405&amp;type=5" width="210" height="62" border="0" alt="SourceForge.net Logo" /></A>
- </td>
+ </td>
- </tr>
- </table>
+ </tr>
+ </table>
</body>
« no previous file with comments | « README.chromium ('k') | doc/FAQ.html » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698