<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>FindBugs Change Log</title>
<link rel="stylesheet" type="text/css" href="findbugs.css">

</head>

<body>

<table width="100%">
<tr>

<td align="left" valign="top">


<h1>FindBugs Change Log, Version 2.0.3</h1>
<ul>
<li>New Bug patterns: <a href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_BOXED_PRIMITIVE_FOR_PARSING">DM_BOXED_PRIMITIVE_FOR_PARSING</a>,
<a href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_METHOD_RETURN_RELAXING_ANNOTATION">NP_METHOD_RETURN_RELAXING_ANNOTATION</a>,
and
<a href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION">NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION</a>
</li>
<li>Add the ability in the GUI to save the currently viewable/filtered bugs to HTML output.
<li>When dataflow doesn't terminate, make sure we continue with
analysis.

<li>Fix some problems that resulted in dataflow analysis not
terminating

<li>Get parameter annotations from default parameter
annotations applied to the method.
<li>Add subversion change number to Eclipse plugin qualifier.

<li>Disabled detector for <a href="http://findbugs.sourceforge.net/bugDescriptions.html#AM_CREATES_EMPTY_JAR_FILE_ENTRY">AM_CREATES_EMPTY_JAR_FILE_ENTRY</a>;
it complains inappropriately about code that creates directory
entries.

<li>Add warnings about incompatible types passed to
org.testng.Assert.assertEquals</li>
<li>Add logic that understands more of the Google Guava APIs.
<li>Disable type qualifier validator execution within Eclipse plugin;
too many problems with class loading and security manager (see #1154 Random obscure Eclipse failures)
<li>Consistently check both access flags and attributes to see if something is synthetic. The compiler is
inconsistent about where synthetic elements are marked.

<li>Fixed false positives for the following bug patterns (17
occurrences in findbugsTestCases):
<ul>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC">BC</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_INSTANCEOF">BC_IMPOSSIBLE_INSTANCEOF</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#INT_BAD_COMPARISON_WITH_NONNEGATIVE_VALUE">INT_BAD_COMPARISON_WITH_NONNEGATIVE_VALUE</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#IS2_INCONSISTENT_SYNC">IS2_INCONSISTENT_SYNC</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS">NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#OBL_UNSATISFIED_OBLIGATION">OBL_UNSATISFIED_OBLIGATION</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE">RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#SA_FIELD_SELF_COMPARISON">SA_FIELD_SELF_COMPARISON</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED">TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED</a>
</li>
</ul>
<li>Fixed false negatives for the following bug patterns (45
occurrences in findbugsTestCases):
<ul>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_NUMBER_CTOR">DM_NUMBER_CTOR</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_ARRAY_AND_NONARRAY">EC_ARRAY_AND_NONARRAY</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE">EC_INCOMPATIBLE_ARRAY_COMPARE</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#IS_FIELD_NOT_GUARDED">IS_FIELD_NOT_GUARDED</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#IT_NO_SUCH_ELEMENT">IT_NO_SUCH_ELEMENT</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS">JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_ON_SOME_PATH">NP_NULL_ON_SOME_PATH</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_PARAM_VIOLATION">NP_NONNULL_PARAM_VIOLATION</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE">NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE">NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_STORE_INTO_NONNULL_FIELD">NP_STORE_INTO_NONNULL_FIELD</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RE_POSSIBLE_UNINTENDED_PATTERN">RE_POSSIBLE_UNINTENDED_PATTERN</a>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#SA_FIELD_SELF_COMPARISON">SA_FIELD_SELF_COMPARISON</a>
</ul>
</ul>
<h1>FindBugs Change Log, Version 2.0.2</h1>

<ul>
<li>Fix false positives for <a
href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR">NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR</a>
- fixing <a href="https://sourceforge.net/tracker/?func=detail&aid=3547559&group_id=96405&atid=614693">Bug3547559</a>,
<a href="https://sourceforge.net/tracker/?func=detail&aid=3555408&group_id=96405&atid=614693">Bug3555408</a>,
<a href="https://sourceforge.net/tracker/?func=detail&aid=3580266&group_id=96405&atid=614693">Bug3580266</a>
and <a href="https://sourceforge.net/tracker/?func=detail&aid=3587164&group_id=96405&atid=614693">Bug3587164</a>.

</li>
<li>Fix false positives for <a href="http://findbugs.sourceforge.net/bugDescriptions.html#SF_SWITCH_NO_DEFAULT">SF_SWITCH_NO_DEFAULT</a>
<li>Inline access methods for private fields,
fixing false positive in <a href="https://sourceforge.net/tracker/?func=detail&aid=3484713&group_id=96405&atid=614693">Bug3484713</a>.

<li>Type qualifier annotations, including nullness
annotations, are now ignored on vararg parameters (including
default and inherited annotations), awaiting JSR308.
<li>Defined new bug pattern to give better explanations of
issues involving strict type qualifiers <a href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED">TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED</a>
<li>Adjusted analysis of type qualifiers, now giving warnings
where a computed value is used in a place where a value with a
strict type qualifier is required.
<li>Complain about missing classes only if they are
encountered while analyzing application classes; ignore missing
classes that are encountered while analyzing classes loaded from the
auxclasspath.
Fix for <a href="https://sourceforge.net/tracker/?func=detail&aid=3588379&group_id=96405&atid=614693">Bug3588379</a>
<li>Fixed false positive null pointer warning coming from
synthetic bridge methods, fixing <a href="https://sourceforge.net/tracker/?func=detail&aid=3589328&group_id=96405&atid=614693">Bug3589328</a>
<li>In general, suppress warnings in synthetic methods.
<li>Fix some false positives involving <a href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>
on classes that extend generic collection classes.

</li>
<li>Combine multiple identical warnings about
<a href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_DEFAULT_ENCODING">DM_DEFAULT_ENCODING</a>
that occur in the same method,
simplifying issue triage.

<li>Changes by Andrey Loskutov
<ul>
<li>fixed job scheduling errors in 3.8/4.2 Eclipse <a href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=393748">bug report</a>
<li>more realistic progress bar updates for jobs
<li>added nullness annotations for some common Eclipse API
methods known to usually return null values
<li>Added support for org.eclipse.jdt.annotation.Nullable,
NonNull and NonNullByDefault annotations (introduced with
Eclipse 3.8/4.2)</li>
</ul>
<li>Documentation improvements
<li><a href="http://code.google.com/p/findbugs/source/list">lots of other small changes</a>
</ul>
<h1>FindBugs Change Log, Version 2.0.1</h1>

<ul>
<li>New bug patterns; in some cases, bugs previously reported as
other bug patterns are reported as instances of these new bug
patterns in order to make it easier for developers to understand
the bug reports
<ul>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_RELATIVE_PATH_TRAVERSAL">PT_RELATIVE_PATH_TRAVERSAL</a></li>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR">NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR</a></li>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#MS_SHOULD_BE_REFACTORED_TO_BE_FINAL">MS_SHOULD_BE_REFACTORED_TO_BE_FINAL</a></li>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST_OF_RETURN_VALUE">BC_UNCONFIRMED_CAST_OF_RETURN_VALUE</a></li>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL</a></li>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS">TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS</a></li>
</ul>
</li>

<li>Changes to fix false negatives for the following bug
patterns: <a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>,
<a href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_BAD_ARRAY_COMPARE">EC_BAD_ARRAY_COMPARE</a>,
<a href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_UNUSUAL">EQ_UNUSUAL</a>,
<a href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>,
and <a href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE">NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE</a>.
</li>

<li>Changes to fix false positives for the following bug
patterns: <a href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_DOH">DMI_DOH</a>,
<a href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>,
and <a href="http://findbugs.sourceforge.net/bugDescriptions.html#SE_BAD_FIELD">SE_BAD_FIELD</a>.
</li>
</ul>

<h1>FindBugs Change Log, Version 2.0.0</h1>

<h2>Changes since version 1.3.8</h2>
<ul>
<li>New bug patterns; in some cases, bugs previously reported as
other bug patterns are reported as instances of these new bug
patterns in order to make it easier for developers to understand
the bug reports
<ul>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST">BC_IMPOSSIBLE_DOWNCAST</a></li>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY">BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY</a></li>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE">EC_INCOMPATIBLE_ARRAY_COMPARE</a></li>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#JLM_JSR166_UTILCONCURRENT_MONITORENTER">JLM_JSR166_UTILCONCURRENT_MONITORENTER</a></li>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE">LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE</a></li>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_CLOSING_NULL">NP_CLOSING_NULL</a></li>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE">RC_REF_COMPARISON_BAD_PRACTICE</a></li>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN">RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED">RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED</a></li>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#SIC_THREADLOCAL_DEADLY_EMBRACE">SIC_THREADLOCAL_DEADLY_EMBRACE</a></li>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR">UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR</a></li>
<li><a href="http://findbugs.sourceforge.net/bugDescriptions.html#VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED">VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED</a></li>
</ul>
</li>
<li>Providing a bug rank (1-20), and the ability to filter by
bug rank. Eventually, it will be possible to specify your own
rules for ranking bugs, but the procedure for doing so hasn't been
specified yet.</li>
<li>Fixed about <a href="https://sourceforge.net/search/index.php?group_id=96405&search_summary=1&search_details=1&type_of_search=artifact&group_artifact_id%5B%5D=614693&open_date_start=2009-03-16&open_date_end=2009-08-20&form_submit=Search">45 bugs filed</a> through SourceForge
</li>
<li>Various reclassifications and priority tweaks</li>
<li>Added more bug annotations to a variety of bug reports.
This provides more context for understanding bug reports (e.g., if
the value in question is the return value of a method, the
method is described as the source of the value in a bug
annotation). This also provides more accurate tracking of issues
across versions of the code being analyzed, but has the downside
that when comparing results from FindBugs 1.3.8 and FindBugs 1.3.9
on the same version of code being analyzed, FindBugs may
mistakenly believe that the issue reported by 1.3.8 was fixed
and a new issue was introduced that was reported by FindBugs
1.3.9.
While annoying, it would be unusual for more than a dozen
issues per million lines of code to be mistracked.</li>
<li>Lots of internal changes moving towards FindBugs 2.0, but
these features are undocumented, not yet officially supported, and
subject to radical changes before FindBugs 2.0 is released.</li>
</ul>

<p>Changes since version 1.3.7</p>
<ul>
<li>Primarily another small bugfix release.</li>
<li>FindBugs base:
<ul>
<li>New Reports:
<ul>
<li>SF_SWITCH_NO_DEFAULT: missing default case in switch
statement.</li>
<li>SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH_TO_THROW:
value ignored when switch fallthrough leads to thrown
exception.</li>
<li>INT_VACUOUS_BIT_OPERATION: bit operations that don't
do any meaningful work.</li>
<li>FB_UNEXPECTED_WARNING: warning generated that
conflicts with @NoWarning FindBugs annotation.</li>
<li>FB_MISSING_EXPECTED_WARNING: warning not generated
despite presence of @ExpectedWarning FindBugs annotation.</li>
<li>NOISE category: intended for use in data mining
experiments.
<ul>
<li>NOISE_NULL_DEREFERENCE: fake null pointer dereference
warning.</li>
<li>NOISE_METHOD_CALL: fake method call warning.</li>
<li>NOISE_FIELD_REFERENCE: fake field dereference
warning.</li>
<li>NOISE_OPERATION: fake operation warning.</li>
</ul>
</li>
</ul>
</li>
<li>Other:
<ul>
<li>Garvin Leclaire has created a new Apache Maven
repository for FindBugs at <a href="http://code.google.com/p/findbugs/">the Google Code
FindBugs SVN repository</a>. (Thanks Garvin!)
</li>
</ul>
</li>
<li>Fixes:
<ul>
<li>[ 2317842 ] Highlighting broken in Windows</li>
<li>[ 2515908 ] check for oddness should track sign of
argument</li>
<li>[ 2487936 ] "L B GC" false pos cast from
Map.Entry.getKey() to Map.get()</li>
<li>[ 2528264 ] Ant tasks not compatible with Ant 1.7.1</li>
<li>[ 2539590 ] SF_SWITCH_FALLTHROUGH wrong message
reported</li>
<li>[ 2020066 ] Bug history displayed in fancy-hist.xsl is
incorrect</li>
<li>[ 2545098 ] Invalid character in analysis results file</li>
<li>[ 2492673 ] Plugin sites should specify "requires
Eclipse 3.3 or newer"</li>
<li>[ 2588044 ] a tiny typing error</li>
<li>[ 2589048 ] Documentation for convertXmlToText
insufficient</li>
<li>[ 2638739 ] NullPointerException when building</li>
</ul>
</li>
<li>Patches:
<ul>
<li>[ 2538184 ] Make BugCollection implement
Iterable&lt;BugInstance&gt; (thanks to Tomas Pollak)</li>
<li>[ 2249771 ] Add Maven2 Findbugs plugin link to the
Links page (thanks to Garvin Leclaire)</li>
<li>[ 2609526 ] Japanese manual update (thanks to K.
Hashimoto)</li>
<li>[ 2119482 ] CheckBcel checks for nonexistent classes
(thanks to Jerry James)</li>
</ul>
</li>
</ul>
</li>
<li>FindBugs Eclipse plugin:
<ul>
<li>Major feature enhancements (thanks to Andrey Loskutov).
See <a href="http://andrei.gmxhome.de/findbugs/index.html">this
overview</a> for more information.
</li>
<li>Major test improvements (thanks to Tomas Pollak).</li>
<li>Fixes:
<ul>
<li>[ 2532365 ] Compiler warning</li>
<li>[ 2522989 ] Fix filter files selection</li>
<li>[ 2504068 ] NullPointerException</li>
<li>[ 2640849 ] NPE in Eclipse plugin 1.3.7 and Eclipse
3.5 M5</li>
</ul>
</li>
<li>Patches:
<ul>
<li>[ 2143140 ] Unchecked conversion fixes for Eclipse
plugin (thanks to Jerry James)
</ul>
</li>
</ul>
</li>
</ul>

<p>Changes since version 1.3.6</p>
<ul>
<li>Overall, a small bugfix release.
<li>New detection of accidental vacuous/useless calls to
EasyMock methods, and of generic signatures that proclaim the use
of unhashable classes in ways that require that they be hashed.
<li>Eliminate some false positives where we were warning about
a useless call (e.g., comparing two incompatible types for
equality), but the only thing the code was doing with the result
was passing it to assertFalse.
<li>Japanese localization and manual by K. Hashimoto. (Thanks!)

<li>Added -exclude and -outputDir command line options to
rejarForAnalysis
<li>Extended -adjustPriorities option to FindBugs analysis
textui so that you can modify the priorities of individual bug
patterns as well as visitors, and also completely suppress
individual bug patterns or visitors.
<ul>
<li>e.g., -adjustPriority
MS_SHOULD_BE_FINAL=suppress,MS_PKGPROTECT=suppress,EI_EXPOSE_REP=suppress,EI_EXPOSE_REP2=suppress,PZLA_PREFER_ZERO_LENGTH_ARRAYS=raise

</ul>
</ul>


<p>Changes since version 1.3.5</p>
<ul>
<li>Added fairly exhaustive static analysis of uses of format
strings, checking for missing or extra arguments, invalid format
specifiers, or mismatched format specifiers and arguments (e.g.,
passing a String value for a %d format specifier).
The logic for
doing so is derived from Sun's java.util.Formatter class, and
available separately from FindBugs as part of the <a href="https://jformatstring.dev.java.net/">jFormatString</a>
project.
<li>More tuning of the unsatisfied obligation detector. Since
this detector is still rather noisy and an unfinished research
project, I've moved the generated issues to a new category:
EXPERIMENTAL.
<li>Added check for <a href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_ADD_OF_SIGNED_BYTE">BIT_ADD_OF_SIGNED_BYTE</a>;
similar to <a href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_IOR_OF_SIGNED_BYTE">BIT_IOR_OF_SIGNED_BYTE</a>,
except that addition is being used to combine shifted signed
bytes.
<li>Changed detection of EI_EXPOSE_REP2, so we only report it
if the value stored is guaranteed to be the same value that was
passed in as a parameter.
<li>Added <a href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS">EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS</a>,
a warning when an equals method checks to see if an operand is an
instance of a class not compatible with itself. For example, the
Foo class checks to see if the argument is an instance of
String. This is either a questionable design decision or a coding
mistake.
<li>Added <a href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_INVOKING_HASHCODE_ON_ARRAY">DMI_INVOKING_HASHCODE_ON_ARRAY</a>,
which checks for invoking <code>hashCode()</code> on an array,
which returns a hash code that ignores the contents of the array.

<li>Added checks for using <code>x.removeAll(x)</code>
rather than <code>x.clear()</code> to clear an array.
<li>Add checks for calls such as <code>x.contains(x)</code>, <code>x.remove(x)</code>
and <code>x.containsAll(x)</code>.
<li>Improvements to Eclipse plugin (thanks to Andrey
Loskutov):
<ul>
<li>Report separate markers for each occurrence of an issue
that appears multiple times in a method
<li>fine tuning for reported markers: add only one marker
for fields, add marker on right position
<li>link bugs selected in bug explorer view to the opened
editor and vice versa
<li>select bugs selected in editor ruler in the opened bug
explorer view
<li>consistent abbreviations used in both bug explorer and
bug details view
<li>added "Expand All" button to the bug explorer view
<li>added "Go Into/Go Up" buttons to the bug explorer view
<li>added "Copy to clipboard" menu/functionality to the
details view list widget
<li>fix for CNF exception if loading the backup solution for
broken browser widget
</ul>
</ul>


<p>Changes since version 1.3.4</p>
<ul>
<li>Analysis about 15% faster
<li><a href="http://sourceforge.net/tracker/?atid=614693&group_id=96405&func=browse&status=closed">38 bugs closed</a></li>
<li>New defect warnings:
<ul>
<li>calls to methods that always throw
UnsupportedOperationException (DMI_UNSUPPORTED_METHOD)
<li>repeated conditional tests (e.g., <code>if (x
&lt; 0 || x &lt; 0) ...</code>) (RpC_REPEATED_CONDITIONAL_TEST)
<li>Complete rewrite of detector for format string problems.
More accurate, finds more problems, generates more descriptive
reports, several different bug patterns
(VA_FORMAT_STRING_EXTRA_ARGUMENTS_PASSED,
VA_FORMAT_STRING_ILLEGAL, VA_FORMAT_STRING_MISSING_ARGUMENT,
VA_FORMAT_STRING_BAD_ARGUMENT,
VA_FORMAT_STRING_NO_PREVIOUS_ARGUMENT)
<li>Fairly complete implementation of JSR-305 custom type
qualifier analysis (no support for custom validators yet).
(TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK,
TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_ALWAYS_SINK,
TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_NEVER_SINK)
<li>New detector for unsatisfied obligations such as forgetting
to close a file (OBL_UNSATISFIED_OBLIGATION).
<li>Warning when a parameter is marked as nullable, but is
always dereferenced.
(NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE)
<li>Separate warning for dereferencing the result of readLine
(NP_DEREFERENCE_OF_READLINE_VALUE)
</ul>
<li>When XML is generated with messages, the project stats now
include &lt;FileStat&gt; elements. For each source file, this
gives the path for the file, the total number of warnings for that
file, and a bugHash for the file. While the instanceHash for a bug
is intended to be version invariant (ignoring line numbers, etc.),
the bugHash for a file is intended to reflect all the information
about the warnings in that file. The intended use case is that if
the bugHash for a file is the same in two analysis runs, then <em>nothing</em>
has changed about any of the warnings reported for that file
between the two analysis runs.
<li>More merging of similar issues within a method. For
example, if the result of readLine() is dereferenced multiple
times within a method, it will be reported as a single warning
with occurrences at multiple source lines.
</ul>
<p>Changes since version 1.3.3</p>

<ul>
  <li>FindBugs base
    <ul>
      <li>New Reports:
        <ul>
          <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC: equals method overrides equals in superclass and may not be symmetric</li>
          <li>EQ_ALWAYS_TRUE: equals method always returns true</li>
          <li>EQ_ALWAYS_FALSE: equals method always returns false</li>
          <li>EQ_COMPARING_CLASS_NAMES: equals method compares class names rather than class objects</li>
          <li>EQ_UNUSUAL: Unusual equals method</li>
          <li>EQ_GETCLASS_AND_CLASS_CONSTANT: equals method fails for subtypes</li>
          <li>SE_READ_RESOLVE_IS_STATIC: The readResolve method must not be declared as a static method.</li>
          <li>SE_PRIVATE_READ_RESOLVE_NOT_INHERITED: private readResolve method not inherited by subclasses</li>
          <li>MSF_MUTABLE_SERVLET_FIELD: Mutable servlet field</li>
          <li>XSS_REQUEST_PARAMETER_TO_SEND_ERROR: Servlet reflected cross site scripting vulnerability</li>
          <li>SKIPPED_CLASS_TOO_BIG: Class too big for analysis</li>
        </ul>
      </li>
      <li>Other:
        <ul>
          <li>Value-number analysis now more space-efficient</li>
          <li>Enhancements to reduce memory overhead when analyzing very large classes</li>
          <li>Now skips very large classes that would otherwise take too much time and memory to analyze</li>
          <li>Infrastructure for tracking effectively-constant/effectively-final fields</li>
          <li>Added more cweids</li>
          <li>Enhanced taint tracking for taint-based detectors</li>
          <li>Ignore doomed calls to equals if result is used as an argument to assertFalse</li>
          <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC handles compareTo</li>
          <li>Priority tweak for ICAST_INTEGER_MULTIPLY_CAST_TO_LONG (only low priority if multiplying by 1000)</li>
          <li>Improved tracking of fields across method calls</li>
        </ul>
      </li>
      <li>Fixes:
        <ul>
          <li>[ 1941450 ] DLS_DEAD_LOCAL_STORE not reported</li>
          <li>[
            1953323 ] Omitted break statement in SynchronizeAndNullCheckField</li>
          <li>[ 1942620 ] Source Directories selection dialog interface confusion (partial)</li>
          <li>[ 1948275 ] Unhelpful "Load of known null"</li>
          <li>[ 1933922 ] MWM error in findbugs</li>
          <li>[ 1934772 ] 1.3.3 appears to rely on JDK 1.6, JNLP still specifies 1.5</li>
          <li>[ 1933945 ] -loadbugs doesn't work</li>
          <li>Fixed problems for class names starting with '$'</li>
          <li>Fixed bugs and incomplete handling of annotations in VersionInsensitiveBugComparator</li>
        </ul>
      </li>
      <li>Patches:
        <ul>
          <li>[ 1955106 ] Javadoc fixes</li>
          <li>[ 1951930 ] Superfluous import statements (thanks to Jerry James)</li>
          <li>[ 1951907 ] Missing @Deprecated annotations (thanks to Jerry James)</li>
          <li>[ 1951876 ] Infonode Docking Windows compile fix (thanks to Jerry James)</li>
          <li>[ 1936055 ] bugfix for findbugs.de.comment not working (thanks to Peter Fokkinga)
        </ul>
      </li>
    </ul>
  <li>FindBugs BlueJ plugin
    <ul>
      <li>Updated to use FindBugs 1.3.4 (first new release since 1.1.3)</li>
    </ul>
  </li>
</ul>

<p>Changes since version 1.3.2</p>

<ul>
  <li>FindBugs base
    <ul>
      <li>New Detectors:
        <ul>
          <li>FieldItemSummary: Produces summary information for what is stored into fields</li>
          <li>SynchronizeOnClassLiteralNotGetClass: Look for code that synchronizes on the results of getClass rather than on class literals</li>
          <li>SynchronizingOnContentsOfFieldToProtectField: This detector looks for code that seems to be synchronizing on a field in order to guard updates of that field</li>
        </ul>
      </li>
      <li>New BugCode:
        <ul>
          <li>HRS: HTTP Response splitting vulnerability</li>
          <li>WL: Possible locking on wrong object</li>
        </ul>
      </li>
      <li>New Reports:
        <ul>
          <li>DMI_CONSTANT_DB_PASSWORD: This code creates a database
            connection using a hard coded, constant password</li>
          <li>HRS_REQUEST_PARAMETER_TO_COOKIE: HTTP cookie formed from untrusted input</li>
          <li>HRS_REQUEST_PARAMETER_TO_HTTP_HEADER: HTTP parameter directly written to HTTP header output</li>
          <li>CN_IMPLEMENTS_CLONE_BUT_NOT_CLONEABLE: Class defines clone() but doesn't implement Cloneable</li>
          <li>DL_SYNCHRONIZATION_ON_BOXED_PRIMITIVE: Synchronization on boxed primitive could lead to deadlock</li>
          <li>DL_SYNCHRONIZATION_ON_BOOLEAN: Synchronization on Boolean could lead to deadlock</li>
          <li>ML_SYNC_ON_FIELD_TO_GUARD_CHANGING_THAT_FIELD: Synchronization on field in futile attempt to guard that field</li>
          <li>DLS_DEAD_LOCAL_STORE_IN_RETURN: Useless assignment in return statement</li>
          <li>WL_USING_GETCLASS_RATHER_THAN_CLASS_LITERAL: Synchronization on getClass rather than class literal</li>
        </ul>
      </li>
      <li>Other:
        <ul>
          <li>Many enhancements to cross-site scripting detector and its documentation</li>
          <li>Enhanced switch fall through handling</li>
          <li>Enhanced unread field handling (look for IF_ACMPEQ and IF_ACMPNE)</li>
          <li>Clarified documentation for @Nullable in manual</li>
          <li>Fewer DeadLocalStore false positives</li>
          <li>Fewer UnreadField false positives</li>
          <li>Fewer StaticCalendarDetector false positives</li>
          <li>Performance fix for slow file system IO e.g.
            Clearcase repositories (thanks, Andrei!)</li>
          <li>Other, general performance enhancements (thanks, Andrei!)</li>
          <li>Enhancements for using FindBugs scripts with MKS on Windows (thanks, Kelly O'Hair!)</li>
          <li>Noted in the manual that jsr305.jar must be present for annotations to compile</li>
          <li>Added and fine-tuned default-nullness annotations</li>
          <li>More CWE IDs added</li>
          <li>Check and warning for unexpected BCEL version in classpath</li>
        </ul>
      </li>
      <li>Fixes:
        <ul>
          <li>Bug fix to handling of local variable tables in BCEL</li>
          <li>Refined documentation for MTIA_SUSPECT_STRUTS_INSTANCE_FIELD</li>
          <li>[ 1927295 ] NPE when called on project root</li>
          <li>[ 1926405 ] Incorrect dead store warning</li>
          <li>[ 1926409 ] Incorrect redundant nullcheck warning</li>
          <li>[ 1926389 ] Wrong line number printed/highlighted in bug</li>
          <li>[ 1927040 ] typo in bug description</li>
          <li>[ 1926263 ] Minor glitch in HTML output</li>
          <li>[ 1926240 ] Minor error in standard options in manual</li>
          <li>[ 1926236 ] Minor bug in installation section of manual</li>
          <li>[ 1925539 ] ZIP is default file system code base</li>
          <li>[ 1894701 ] Livelock / memory leak in ObjectTypeFactory (thanks, Andrei!)</li>
          <li>[ 1867491 ] Doesn't reload annotations after code changes in IDE (thanks, Andrei!)</li>
          <li>[ 1921399 ] -project option not supported</li>
          <li>[ 1913834 ] "Dead" store to variable with method call</li>
          <li>[ 1917352 ] H B se:...field in serializable class</li>
          <li>[ 1911617 ] CloneIdiom relies on getNameConstantOperand for INSTANCEOF</li>
          <li>[ 1911620 ] False +: DLS predecrement before return</li>
          <li>[ 1871376 ] False negative: non-serializable Map field</li>
          <li>[ 1871051 ] non standard clone() method</li>
          <li>[ 1908854 ] Error in TestASM</li>
          <li>[ 1907539 ] 22 minor errors in bug checker documentation</li>
          <li>[ 1897323 ] EJB implementation class false positives</li>
          <li>[ 1899648 ] Crash on startup on Vista with Java 1.6.0_04</li>
        </ul>
      </li>
    </ul>
  </li>
  <li>FindBugs Eclipse plugin (change log by Andrey Loskutov)
    <ul>
      <li>new feature: export basic FindBugs numbers for projects via File-&gt;Export-&gt;Java-&gt;BugCounts (Andrey Loskutov)</li>
      <li>new feature: jobs for different projects will be run in parallel per default if running on a multi-core PC ("fb.allowParallelBuild" system property not used anymore) (Andrey Loskutov)</li>
      <li>fixed performance slowdown in the multi-threaded build, caused by workspace operation locks during assigning marker attributes (Andrey Loskutov)</li>
    </ul>
  </li>
</ul>

<p>Changes since version 1.3.1</p>

<ul>
  <li>FindBugs base
    <ul>
      <li>New Bug Category:
        <ul>
          <li>SECURITY (Abbrev: S), A use of untrusted input in a way that could create a remotely exploitable security vulnerability</li>
        </ul>
      </li>
      <li>New Detectors:
        <ul>
          <li>CrossSiteScripting: This detector looks for obvious/blatant cases of cross site scripting vulnerabilities</li>
        </ul>
      </li>
      <li>New BugCode:
        <ul>
          <li>XSS: Cross site scripting</li>
        </ul>
      </li>
      <li>New Reports:
        <ul>
          <li>XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: HTTP parameter directly written to Servlet output, giving XSS vulnerability</li>
          <li>XSS_REQUEST_PARAMETER_TO_JSP_WRITER: HTTP parameter directly written to JSP output, giving XSS vulnerability</li>
          <li>EQ_OTHER_USE_OBJECT: equals() method defined that doesn't override Object.equals(Object)</li>
          <li>EQ_OTHER_NO_OBJECT: equals() method inherits rather than overrides equals(Object)</li>
          <li>NP_NULL_ON_SOME_PATH_MIGHT_BE_INFEASIBLE: Possible null pointer dereference on path that might be infeasible</li>
        </ul>
      </li>
      <li>Other:
        <ul>
          <li>Added -noClassOk command-line parameter to command-line and ant interfaces; when -noClassOk is specified and no classfiles are given, FindBugs will print a warning message and output a well-formed file with no warnings</li>
          <li>Fewer false positives for null pointer bugs</li>
          <li>Suppress dead-local-store false positives in .jsp code</li>
          <li>Type fixes in warning messages</li>
          <li>Better warning message for NP_NULL_ON_SOME_PATH</li>
          <li>"WMI" bug code description renamed from "Wrong Map Iterator" to "Inefficient Map Iterator"</li>
        </ul>
      </li>
      <li>Fixes:
        <ul>
          <li>[ 1893048 ] FindBugs confused by a findbugs.xml file</li>
          <li>[ 1878528 ] XSL xforms don't support history features</li>
          <li>[ 1876584 ] two default.xsl flaws</li>
          <li>[ 1874856 ] Format string bug detector doesn't handle special operators</li>
          <li>[ 1872645 ] computeBugHistory - java.lang.IllegalArgumentException</li>
          <li>[ 1872237 ] Ant task fails when no .class files</li>
          <li>[ 1868670 ] Filters: include AND exclude don't allowed</li>
          <li>[ 1868666 ] check-for-oddness reported, but array length can never be negative</li>
          <li>[ 1866108 ] SetBugDatabaseInfoTask strips dir from output filename</li>
          <li>[ 1866021 ] MineBugHistoryTask strips dir of output filename</li>
          <li>[ 1865265 ] code doesn't handle StringBuffer.append([CII) right</li>
          <li>[ 1864793 ] Warning when casting a null reference compared to a String</li>
          <li>[ 1863376 ] Typo in manual chap 8: Filter Files</li>
          <li>[ 1862705 ] Transient fields that default to null</li>
          <li>[ 1842545 ] DLS on catch variable (with priority tweaking)</li>
          <li>[ 1816258 ] false positive BC_IMPOSSIBLE_CAST</li>
          <li>[ 1551732 ] Get erroneous DLS with while loop</li>
        </ul>
      </li>
    </ul>
  </li>
  <li>FindBugs Eclipse plugin (change log by Andrey Loskutov)
    <ul>
      <li>new feature: added Bug
        explorer view (replacing Bug tree view), based on Common Navigator framework (Andrey Loskutov)</li>
      <li>bug 1873860 fixed: empty projects are no longer shown in Bug tree view (Andrey Loskutov)</li>
      <li>new feature: bug counts decorators for projects, folders and files (has to be activated via Preferences -&gt; general -&gt; appearance -&gt; label decorations) (Andrey Loskutov)</li>
      <li>patch 1746499: better icons (Alessandro Nistico)</li>
      <li>patch 1893685: Find bug actions on change sets bug (Alessandro Nistico)</li>
      <li>fixed bug 1855384: Bug configuration is broken in Eclipse (Andrey Loskutov)</li>
      <li>refactored FindBugs properties page (Andrey Loskutov)</li>
      <li>refactored FindBugs worker/builder/run action (Andrey Loskutov)</li>
      <li>FB detects now only bugs from classes on project's classpath (no double work on duplicated class files) (Andrey Loskutov)</li>
      <li>fixed bug introduced by the bad patch for 1867951: FB cannot be executed incrementally on a folder of file (Andrey Loskutov)</li>
      <li>fixed job rule: now jobs for different projects may run in parallel if running on a multi-core PC and "fb.allowParallelBuild" system property is set to true (Andrey Loskutov)</li>
      <li>fixed FB auto-build not started if .fbprefs or .classpath was changed (Andrey Loskutov)</li>
      <li>fixed not reporting bugs on secondary types (classes defined in java files with different name) (Andrey Loskutov)</li>
    </ul>
  </li>
</ul>

<p>Changes since version 1.3.0</p>
<ul>
  <li>New Reports
    <ul>
      <li>VA_FORMAT_STRING_ARG_MISMATCH: A format-string method with a variable number of arguments is called, but the number of arguments passed does not match with the number of % placeholders in the format string. This is probably not what the author intended.
      <li>IO_APPENDING_TO_OBJECT_OUTPUT_STREAM: This code opens a file in append mode and then wraps the result in an object output stream. This won't allow you to append to an existing object output stream stored in a file. If you want to be able to append to an object output stream, you need to keep the object output stream open. The only situation in which opening a file in append mode and then writing an object output stream could work is if on reading the file you plan to open it in random access mode and seek to the byte offset where the append started.
      <li>NP_BOOLEAN_RETURN_NULL: A method that returns either Boolean.TRUE, Boolean.FALSE or null is an accident waiting to happen. This method can be invoked as though it returned a value of type boolean, and the compiler will insert automatic unboxing of the Boolean value. If a null value is returned, this will result in a NullPointerException.
    </ul>
  </li>
  <li>Changes to Existing Reports
    <ul>
      <li>RV_DONT_JUST_NULL_CHECK_READLINE: CORRECTNESS -&gt; STYLE</li>
      <li>DMI_INVOKING_TOSTRING_ON_ARRAY: Long description mentions array name whenever possible</li>
    </ul>
  </li>
  <li>Fixes:
    <ul>
      <li>Updated manual to mention that Java 1.5 is now a requirement for running FindBugs
      <li>Applied patch 1840206 fixing issue "Ant task does not work when presetdef is used" - thanks to phejl
      <li>Applied patch 1778690 fixing issue "Ant task: tolerate but complain about invalid auxClasspath" - thanks to David Schmidt
      <li>Applied patch 1852125 adding a Chinese-language GUI bundle props file - thanks to fifi
      <li>Applied patch 1845903 adding ability to load XML results with the Eclipse plugin - thanks to Alex Mont
      <li>Fixed issue 1844671 - "FP for "reversed" null check in catch for stream close"
      <li>Fixed issue 1836050 - "-onlyAnalyze broken"
      <li>Fixed issue 1853011 - "Typo: Field names should start with aN lower case letter"
      <li>Fixed issue 1844181 - "JNLP file does not contain all necessary JARs"
      <li>Fixed issue 1840245 - "xxxException class does not derive from Exception"
      <li>Fixed issue 1840277 - "[M D EC] Typo in bug documentation"
      <li>Fixed issue 1782447 - "OutOfMemoryError if i activate Findbugs on my project"
      <li>Fixed issue 1830576 - "[regression] keySet/entrySet false positive"
    </ul>
  </li>
  <li>Other:
    <ul>
      <li>New bug code: "IO" (for IO_APPENDING_TO_OBJECT_OUTPUT_STREAM)</li>
      <li>Added "-onlyMostRecent" option for computeBugHistory script/ant task
      <li>More explicit language in RV_RETURN_VALUE_IGNORED_BAD_PRACTICE messages
      <li>Modified ResourceValueAnalysis to correctly identify null == X or null != X as a null check (for issue 1844671)
      <li>Modified DMI_HARDCODED_ABSOLUTE_FILENAME logic in DumbMethodInvocations to ignore files from /etc or /dev and increase priority of files from /home
      <li>Better bug details for infinite loop warnings
      <li>Modified unread-fields detector to reduce false positives from reflective fields
      <li>build.xml "classes" target now builds all sources in one step
    </ul>
  </li>
</ul>

<p>Changes since version 1.2.1</p>
<ul>
  <li>New Detectors and Reports
    <ul>
      <li>SynchronizationOnSharedBuiltinConstant
        <ul>
          <li>DL_SYNCHRONIZATION_ON_SHARED_CONSTANT: The code synchronizes on a shared primitive constant, such as an interned String. Such constants are interned and shared across all other classes loaded by the JVM. Thus, this could be locking on something that other code might also be locking. This could result in very strange and hard to diagnose blocking and deadlock behavior.
            See <a href="http://www.javalobby.org/java/forums/t96352.html">http://www.javalobby.org/java/forums/t96352.html</a>
            and <a href="http://jira.codehaus.org/browse/JETTY-352">http://jira.codehaus.org/browse/JETTY-352</a>.
        </ul>
      </li>
      <li>OverridingEqualsNotSymmetrical
        <ul>
          <li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC: Looks for equals methods that override equals methods in a superclass where the equivalence relationship might not be symmetrical.
        </ul>
      </li>
      <li>CheckTypeQualifiers
        <ul>
          <li>TQ_ALWAYS_VALUE_USED_WHERE_NEVER_REQUIRED: A value specified as carrying a type qualifier annotation is consumed in a location or locations requiring that the value not carry that annotation. More precisely, a value annotated with a type qualifier specifying when=ALWAYS is guaranteed to reach a use or uses where the same type qualifier specifies when=NEVER.</li>
          <li>TQ_NEVER_VALUE_USED_WHERE_ALWAYS_REQUIRED: A value specified as not carrying a type qualifier annotation is guaranteed to be consumed in a location or locations requiring that the value does carry that annotation.
            More precisely, a value annotated with a type qualifier specifying when=NEVER is guaranteed to reach a use or uses where the same type qualifier specifies when=ALWAYS.</li>
          <li>TQ_MAYBE_SOURCE_VALUE_REACHES_ALWAYS_SINK: A value that might not carry a type qualifier annotation reaches a use which requires that annotation.</li>
          <li>TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK: A value which might carry a type qualifier annotation reaches a use which forbids values carrying that annotation.</li>
        </ul>
      </li>
    </ul>
  </li>
  <li>New Reports (existing detectors)
    <ul>
      <li>FindHEmismatch
        <ul>
          <li>EQ_DOESNT_OVERRIDE_EQUALS: This class extends a class that defines an equals method and adds fields, but doesn't define an equals method itself. Thus, equality on instances of this class will ignore the identity of the subclass and the added fields. Be sure this is what is intended, and that you don't need to override the equals method. Even if you don't need to override the equals method, consider overriding it anyway to document the fact that the equals method for the subclass just returns the result of invoking super.equals(o).</li>
        </ul>
      </li>
      <li>Naming
        <ul>
          <li>NM_WRONG_PACKAGE, NM_WRONG_PACKAGE_INTENTIONAL: The method in the subclass doesn't override a similar method in a superclass because the type of a parameter doesn't exactly match the type of the corresponding parameter in the superclass.</li>
          <li>NM_SAME_SIMPLE_NAME_AS_SUPERCLASS: This class has a simple name that is identical to that of its superclass, except that its superclass is in a different package (e.g., <code>alpha.Foo</code> extends <code>beta.Foo</code>).
            This can be exceptionally confusing, creates lots of situations in which you have to look at import statements to resolve references and creates many opportunities to accidentally define methods that do not override methods in their superclasses.
          </li>
          <li>NM_SAME_SIMPLE_NAME_AS_INTERFACE: This class/interface has a simple name that is identical to that of an implemented/extended interface, except that the interface is in a different package (e.g., <code>alpha.Foo</code> extends <code>beta.Foo</code>). This can be exceptionally confusing, creates lots of situations in which you have to look at import statements to resolve references and creates many opportunities to accidentally define methods that do not override methods in their superclasses.
          </li>
        </ul>
      <li>FindRefComparison
        <ul>
          <li>EC_UNRELATED_TYPES_USING_POINTER_EQUALITY: This method uses pointer equality to compare two references that seem to be of different types. The result of this comparison will always be false at runtime.</li>
        </ul>
      </li>
      <li>IncompatMask
        <ul>
          <li>BIT_SIGNED_CHECK, BIT_SIGNED_CHECK_HIGH_BIT: This method compares an expression such as <tt>((event.detail &amp; SWT.SELECTED) &gt; 0)</tt>. Using bit arithmetic and then comparing with the greater than operator can lead to unexpected results (of course depending on the value of SWT.SELECTED). If SWT.SELECTED is a negative number, this is a candidate for a bug. Even when SWT.SELECTED is not negative, it seems good practice to use '!= 0' instead of '&gt; 0'.
          </li>
        </ul>
      </li>
      <li>LazyInit
        <ul>
          <li>LI_LAZY_INIT_UPDATE_STATIC: This method contains an unsynchronized lazy initialization of a static field. After the field is set, the object stored into that location is further accessed.
            The setting of the field is visible to other threads as soon as it is set. If the further accesses in the method that set the field serve to initialize the object, then you have a <em>very serious</em> multithreading bug, unless something else prevents any other thread from accessing the stored object until it is fully initialized.
          </li>
        </ul>
      </li>
      <li>FindDeadLocalStores
        <ul>
          <li>DLS_DEAD_STORE_OF_CLASS_LITERAL: This instruction assigns a class literal to a variable and then never uses it.
            <a href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">The behavior of this differs in Java 1.4 and in Java 5.</a>
            In Java 1.4 and earlier, a reference to <code>Foo.class</code> would force the static initializer for <code>Foo</code> to be executed, if it has not been executed already. In Java 5 and later, it does not. See Sun's <a href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">article on Java SE compatibility</a> for more details and examples, and suggestions on how to force class initialization in Java 5.
          </li>
        </ul>
      </li>
      <li>MethodReturnCheck
        <ul>
          <li>RV_RETURN_VALUE_IGNORED_BAD_PRACTICE: This method returns a value that is not checked. The return value should be checked since it can indicate an unusual or unexpected function execution. For example, the <code>File.delete()</code> method returns false if the file could not be successfully deleted (rather than throwing an Exception). If you don't check the result, you won't notice if the method invocation signals unexpected behavior by returning an atypical return value.
          </li>
          <li>RV_EXCEPTION_NOT_THROWN: This code creates an exception (or error) object, but doesn't do anything with it.
          </li>
        </ul>
      </li>
    </ul>
  </li>
  <li>Changes to Existing Reports
    <ul>
      <li>NS_NON_SHORT_CIRCUIT: BAD_PRACTICE -&gt; STYLE</li>
      <li>NS_DANGEROUS_NON_SHORT_CIRCUIT: CORRECTNESS -&gt; STYLE</li>
      <li>RC_REF_COMPARISON: CORRECTNESS -&gt; BAD_PRACTICE</li>
    </ul>
  </li>
  <li>GUI Changes
    <ul>
      <li>Added importing and exporting of bug filters</li>
      <li>Better handling of failed analysis runs</li>
      <li>Added "-look" parameter for selecting look-and-feel</li>
      <li>Fixed incorrect package filtering</li>
      <li>Fixed issue where "synchronized" was not syntax-highlighted</li>
    </ul>
  </li>
  <li>Ant-task Changes
    <ul>
      <li>Refactored common ant-task code to AbstractFindBugsTask</li>
      <li>Added tasks for computeBugHistory, convertXmlToText, filterBugs, mineBugHistory, setBugDatabaseInfo</li>
    </ul>
  </li>
  <li>Manual
    <ul>
      <li>Updates to GUI section, including new screenshots</li>
      <li>Added description of rejarForAnalysis</li>
      <li>Revamp of data-mining section</li>
    </ul>
  </li>
  <li>Other Major
    <ul>
      <li>Internal restructuring for lower memory overhead</li>
    </ul>
  </li>
  <li>Other Minor
    <ul>
      <li>Fixed typo: was STCAL_STATIC_SIMPLE_DATA_FORMAT_INSTANCE now STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE</li>
      <li>-outputFile parameter became -output</li>
      <li>More sensitivity and specificity in LazyInit detector</li>
      <li>More sensitivity and specificity in Naming detector</li>
      <li>More sensitivity and specificity in UnreadFields detector</li>
      <li>More sensitivity in FindNullDeref detector</li>
      <li>More sensitivity in FindBadCast2 detector</li>
      <li>More specificity in FindReturnRef detector</li>
      <li>Many other tweaks and bug fixes</li>
    </ul>
  </li>
</ul>

<p>Changes since version 1.2.0</p>
<ul>
  <li>Bug fixes:
    <ul>
      <li><a
        href="http://fisheye2.cenqua.com/changelog/findbugs/?cs=8219">Fix</a>
        <a href="http://sourceforge.net/tracker/index.php?func=detail&aid=1726946&group_id=96405&atid=614693">bug</a>
        with detectors that were requested to be disabled but were enabled due to requirements of other detectors.</li>
      <li>Fix bugs in incremental analysis within Eclipse plugin</li>
      <li>Fix some analysis errors</li>
      <li>Fix some threading bugs in GUI2</li>
      <li>Report version as version when it was compiled, not when it was run</li>
      <li>Copy analysis time stamp when filtering or transforming analysis files.</li>
    </ul>
  <li>Enabled StaticCalendarDetector</li>
  <li>Reworked GUI2 to use standard FindBugs filters
    <ul>
      <li>Allow a suppression filter to be stored in a project and persisted to the XML representation of a project.</li>
    </ul>
  </li>

  <li>Move away from old GUI2 save format (a directory containing an xml file and another file containing serialized filters).</li>
  <li>Support/recommend use of two new file extensions/formats:
    <dl>
      <dt>.fba - FindBugs Analysis File</dt>
      <dd>Exactly the same as an existing bug collection file stored in XML format, but using a distinct file extension to make it easier to figure out which xml files contain FindBugs results.</dd>
      <dt>.fbp - FindBugs Project File</dt>
      <dd>Contains just the information needed to run FindBugs and display the results (e.g., the files to be analyzed, the auxiliary class path and the location of source files)
    </dl>
  </li>
</ul>
<p>Changes since version 1.1.3</p>
<ul>
  <li>Added -xml:withAbridgedMessages option to generate xml containing shorter messages. The messages will be shorted by doing things like eliding package names, and leaving off the source line from the LongMessage.
    These messages are appropriate if being used in a context where the non-message components of the bug annotations will be used to provide more information (e.g., clicking on the message for a MethodAnnotation will display the source for the method).
    <ul>
      <li>FindBugsDisplayFeatures.setAbridgedMessages(true) can be used to generate abridged messages when FindBugs is being accessed directly (not via generated XML) from a GUI or IDE.</li>
    </ul>
  <li>In null pointer analysis, try to be better about always showing two locations: where it is known null and where it is dereferenced.
  <li>Interprocedural analysis of which methods return nonnull values
  <li>Use method calls to select order in which classes are analyzed, and order in which methods are analyzed, to improve interprocedural analysis results.
  <li>Significant improvements in memory footprint, memory allocation and CPU utilization (20-30% reduction in all three)
  <li>Added a project name, to provide better descriptions in the HTML output.
  <li>Added new bug pattern: Casting to char, or bit masking with nonnegative value, and then checking to see if the result is negative.
  <li>Stopped reporting transient fields of classes not marked as serializable. Transient is used by other persistence frameworks.
  <li>Improvements to detector for SQL injection (Thanks to <a href="http://www.clock.org/~matt">Matt Hargett</a> for his contributions)
  <li>Changed open/save options in GUI2 to not distinguish between FindBugs projects and saved FindBugs analysis results.
  <li>Improvements to detection of serious non-short-circuit evaluation.
  <li>Updated Japanese localization (thanks to Ruimo Uno)
  <li>Eclipse plugin changes:
    <ul>
      <li>Created Bug User Annotations and Bug Tree Views
      <li>Use different icons for different bug priorities
      <li>Provide more information in Bug Details view
    </ul>
</ul>

<p>Changes since version 1.1.2:</p>
<ul>
  <li>Fixed broken Ant task
  <li>Added running ant task to smoke test
  <li>Added validating xml and html output to smoke test
  <li>Fixed some (but not all) issues with html output validation
  <li>Added check for x.equals(x) and x.compareTo(x)
  <li>Various bug fixes
</ul>
<p>Changes since version 1.1.1:</p>
<ul>
  <li>Added check for infinite iterative loops</li>
  <li>Added check for use of incompatible types in a collection (e.g., checking to see if a Set&lt;String&gt; contains a StringBuffer).</li>
  <li>Added check for invocations of equals or hashCode on a URL, which, <a href="http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html">surprising many people</a>, requires DNS resolution.
  </li>
  <li>Added check for classes that define compareTo but not equals; such classes can exhibit some anomalous behavior (e.g., they are treated differently by PriorityQueues in Java 5 and Java 6).</li>
  <li>Added a check for useless self operations (e.g., x &lt; x or x ^ x).</li>
  <li>Fixed a data race that could cause the GUI to fail on startup</li>
  <li>Partial internationalization of the new GUI</li>
  <li>Fix bug in "Redo analysis" option of new GUI</li>
  <li>Tuning to reduce false positives</li>
  <li>Fixed a bug in null pointer analysis that was generating false positive null pointer warnings on exception paths.
    Fixing this bug eliminates about 1/4 of the warnings on null pointer exceptions on exception paths.</li>
  <li>Fixed a bug in the processing of phi nodes for fields in the null pointer analysis</li>
  <li>Applied contributed patch that provides more quick fixes in Eclipse plugin.</li>
  <li>Fixed a number of bugs in the Eclipse auto update sites, and in the way date qualifiers were being used in the Eclipse plugin. You may need to manually disable your existing version of the plugin and download the 1.1.2 from the update site to get the automatic update function working correctly. The Eclipse update sites are described at <a href="http://findbugs.cs.umd.edu/eclipse/">http://findbugs.cs.umd.edu/eclipse/</a>.
  </li>
  <li>Fixed progress bar in Eclipse plugin</li>
  <li>A number of other bug fixes.</li>
</ul>

<p>Changes since version 1.1.0:</p>
<ul>
  <li>less scanning of classes not on the analysis path (This was causing some performance problems.)</li>
  <li>no unread field warnings for fields annotated with javax.persistent or javax.ejb3</li>
  <li>Eclipse plugin
    <ul>
      <li>bug annotation info displayed in Bug Details tab</li>
      <li>.fbwarnings data file now stored in .metadata (not in the project itself)</li>
    </ul>
  </li>
  <li>new SE_BAD_FIELD_INNER_CLASS pattern</li>
  <li>updates to Japanese translation (ruimo)</li>
  <li>fix some internal slashed/dotted path confusion</li>
  <li>other minor improvements</li>
</ul>

<p>Changes since version 1.0.0:</p>

<ul>
  <li>Overall, the change from FindBugs 1.0.0 to FindBugs 1.1.0 has been a big change.
We've done a lot of work in a lot of areas, and aren't even going to try to enumerate all the changes.</li>
<li>We spent a lot of time reviewing the results generated by FindBugs for open source and commercial code bases, and made a number of changes, small and large, to minimize the number of false positives. Our primary focus for this was warnings reported as high and medium priority correctness warnings. Our internal evaluation is that we produce very few high/medium priority correctness warnings where the analysis is actually wrong, and that more than 75% of the high/medium priority correctness warnings correspond to real coding defects that need addressing in the source code. The remaining 25% are largely cases such as a branch or statement that if taken would lead to an error, but in fact is a dead branch or statement that can never be taken. Such coding is confusing and hard to maintain, so it should arguably be fixed, but it is unlikely to actually result in an error during execution. Thus, some might classify those warnings as false positives.</li>
<li>We've substantially improved the analysis for errors that could result in null pointer dereferences. Overall, our experience has been that these changes have roughly doubled the number of null pointer errors we detect, without increasing the number of false positives (in fact, our false positive rate has gone down).
The improvements are due to four factors:
<ul>
<li>By default, we now do some interprocedural analysis to determine methods that unconditionally dereference their parameters.</li>
<li>FindBugs also comes with a model of which JDK methods unconditionally dereference their parameters.</li>
<li>We do limited tracking of fields, so that we can detect null values stored in fields that lead to exceptions.</li>
<li>We implemented a new analysis technique to find guaranteed dereferences. Consider the following example: <pre>public int f(Object x, boolean b) {
    int result = 0;
    if (x == null) result++;
    else result--;
    // at this point, we know x is null on a simple path
    if (b) {
        // at this point, x is only null on a complex path
        // we don't know if the path in which x is null and b is true is feasible
        return result + x.hashCode();
    }
    else {
        // at this point, x is only null on a complex path
        // we don't know if the path in which x is null and b is false is feasible
        return result - x.hashCode();
    }
}
</pre>

<p>
FindBugs 1.0 used forward dataflow analysis to determine whether each value is definitely null, null on a simple path, possibly null on a complex path, or definitely nonnull. Thus, at the statement where <code>result</code> is decremented, we know that <code>x</code> is definitely null, and at the point before <code>if (b)</code>, we know that <code>x</code> is null on a simple path. If <code>x</code> were to be dereferenced here, we would generate a warning, because if the else branch of the <code>if (x == null)</code> were ever taken, a null pointer exception would result.
</p>

<p>
However, in both the then and else branches of the <code>if (b)</code> statement, <code>x</code> is only null on a complex path that may be infeasible. It might be that the program logic is such that if <code>x</code> is null, then <code>b</code> is never true, so generating a warning about the dereference in the then clause might be a false positive. We could try to analyze the program to determine whether it is possible for <code>x</code> to be null and <code>b</code> to be true, but that can be a hard analysis problem.
</p>

<p>
However, <code>x</code> is dereferenced in both the then <em>and</em> else branches of the <code>if (b)</code> statement. So at the point immediately before <code>if (b)</code>, we know that <code>x</code> is null on a simple path <em>and</em> that <code>x</code> is guaranteed to be dereferenced on all paths from this point forward. FindBugs 1.1 performs a backwards data flow analysis to determine the values that are guaranteed to be dereferenced, and will generate a warning in this case.
</p>
</li>
</ul>
<p>
The following screen shot of our new GUI shows an example of this analysis, as well as showing off our new GUI and pointing out a limitation of our current plugins for Eclipse and NetBeans. The screen shot shows a null pointer bug in HelpDisplay.java. The test for <code>href!=null</code> on line 78 suggests that <code>href</code> could be null. If it is, then <code>href</code> will be dereferenced on either line 87 or on line 90, generating an NPE.
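The guaranteed-dereference check described above for f, reduced to a toy backward data flow pass over a hand-built control-flow graph. This is an added example in Java, not FindBugs code: the Node class, the cfgOfF builder and the forward "null on a simple path" fact supplied in main are assumptions of this sketch, and assignments that would cancel the fact are not modelled.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;

/** Toy backward "guaranteed dereference" analysis (illustrative; not FindBugs code). */
public class GuaranteedDereferenceDemo {

    /** One CFG node: source label, variables it dereferences, successor indices. */
    static final class Node {
        final String label;
        final Set<String> derefs;
        final List<Integer> succs;

        Node(String label, Set<String> derefs, Integer... succs) {
            this.label = label;
            this.derefs = derefs;
            this.succs = Arrays.asList(succs);
        }
    }

    /**
     * Backward must-analysis. in[n] holds the variables dereferenced on EVERY
     * path from n to an exit: in[n] = derefs(n) plus the intersection of in[s]
     * over the successors s of n. Exit nodes contribute only their own derefs.
     */
    static List<Set<String>> guaranteedDerefs(List<Node> cfg, Set<String> allVars) {
        List<Set<String>> in = new ArrayList<>();
        for (Node n : cfg) {
            // Optimistic start (all variables) for inner nodes, so the fixpoint also works with loops.
            in.add(new HashSet<>(n.succs.isEmpty() ? n.derefs : allVars));
        }
        boolean changed = true;
        while (changed) {
            changed = false;
            for (int i = cfg.size() - 1; i >= 0; i--) {
                Node n = cfg.get(i);
                if (n.succs.isEmpty()) continue;
                Set<String> meet = new HashSet<>(allVars);
                for (int s : n.succs) meet.retainAll(in.get(s));
                meet.addAll(n.derefs);
                if (!meet.equals(in.get(i))) {
                    in.set(i, meet);
                    changed = true;
                }
            }
        }
        return in;
    }

    /** Warn where a variable is null on a simple path AND guaranteed to be dereferenced. */
    static List<String> warnings(List<Node> cfg, Map<Integer, Set<String>> nullOnSimplePath) {
        Set<String> vars = new TreeSet<>();
        for (Node n : cfg) vars.addAll(n.derefs);
        nullOnSimplePath.values().forEach(vars::addAll);
        List<Set<String>> in = guaranteedDerefs(cfg, vars);
        List<String> out = new ArrayList<>();
        for (Map.Entry<Integer, Set<String>> e : nullOnSimplePath.entrySet()) {
            for (String v : e.getValue()) {
                if (in.get(e.getKey()).contains(v)) {
                    out.add(v + " may be null at '" + cfg.get(e.getKey()).label
                            + "' and is dereferenced on every path from there");
                }
            }
        }
        return out;
    }

    /** CFG of f(x, b) from the change log; the flag removes the dereference in the else branch. */
    static List<Node> cfgOfF(boolean elseBranchDerefsX) {
        Set<String> x = Set.of("x"), none = Set.of();
        return List.of(
            new Node("if (x == null)", none, 1, 2),
            new Node("result++", none, 3),
            new Node("result--", none, 3),
            new Node("if (b)", none, 4, 5),
            new Node("return result + x.hashCode()", x),
            new Node(elseBranchDerefsX ? "return result - x.hashCode()" : "return result",
                     elseBranchDerefsX ? x : none));
    }

    public static void main(String[] args) {
        // Constructed forward fact: at "if (b)" (node 3), x is null on a simple path.
        Map<Integer, Set<String>> forward = Map.of(3, Set.of("x"));
        System.out.println("both branches dereference x: " + warnings(cfgOfF(true), forward));
        System.out.println("only the then branch dereferences x: " + warnings(cfgOfF(false), forward));
    }
}
```

With both branches dereferencing x the pass reports a warning at the `if (b)` node; once the else branch no longer dereferences x, the dereference is only on a complex path and nothing is reported.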
Note that our analysis here also understands that passing <code>href</code> to <code>URLEncoder.encode</code> will dereference it, and thus treats line 87 as a dereference, even though <code>href</code> is not actually dereferenced at that line. Within our new GUI, all of these locations are highlighted and listed in the summary panel. In the original GUI (and in HTML output) we list all of the locations, but only the primary location is highlighted by the original GUI. In the Eclipse and NetBeans plugins, only the primary location is displayed; fixing this is on our todo list (contributions welcome).
</p>
<p>
<img src="guaranteedDereference.png" alt="">
</p>

</li>
<li>Preliminary support for detectors using frameworks other than BCEL, such as the <a href="http://asm.objectweb.org/">ASM</a> bytecode framework. You may experiment with writing ASM-based detectors, but beware the API may still change (which could possibly also affect BCEL-based detectors). In general, we've started trying to move away from a deep dependence on BCEL, but that change is only partially complete. Probably best to just avoid this until we complete more work on this. This change is only visible to FindBugs plugin developers, and shouldn't be visible to FindBugs users.
</li>
<li>
<p>Bug categories (CORRECTNESS, MT_CORRECTNESS, etc.) are no longer hard-coded, but rather defined in xml files associated with plugins, including the core plugin which defines the standard categories. Third-party plugins can define their own categories.</p>
</li>
<li>
<p>Several bug patterns have been moved from CORRECTNESS and STYLE into a new category, BAD_PRACTICE.
The English localization of STYLE has changed from "Style" to "Dodgy."</p>
<p>In general, we've worked very hard to limit CORRECTNESS bugs to be real programming errors and sins of commission. We have reclassified as BAD_PRACTICE a number of bad design practices that result in overly fragile code, such as defining an equals method that doesn't accept null or defining a class with an equals method that inherits hashCode from class Object.</p>
<p>In general, our guidelines for deciding whether a bug should be classified as CORRECTNESS, BAD_PRACTICE or STYLE are:</p>
<dl>
<dt>CORRECTNESS</dt>
<dd>A problem that we can recognize with high confidence and is an issue that we believe almost all developers would want to examine and address. We recommend that software teams review all high and medium priority warnings in their entire code base.</dd>
<dt>BAD_PRACTICE</dt>
<dd>A problem that we can recognize with high confidence and represents a clear violation of recommended and standard coding practice. We believe each software team should decide which bad practices identified by FindBugs it wants to prohibit in the team's coding standard, and take action to remedy violations of those coding standards.</dd>
<dt>STYLE</dt>
<dd>These are places where something strange or dodgy is going on, such as a dead store to a local variable. Typically, less than half of these represent actionable programming defects. Reviewing these warnings in any code under active development is probably a good idea, but reviewing all such warnings in your entire code base might be appropriate only in some situations.
Individual or team programming styles can substantially influence the effectiveness of each of these warnings (e.g., you might have a coding practice or style in your group that confuses one of the detectors into generating a lot of STYLE warnings); you will likely want to selectively suppress or report the STYLE warnings that are effective for your group.</dd>
</dl>
</li>
<li>Released a preliminary version of a new GUI (known internally as GUI2 -- not very creative, huh?)</li>
<li>Provided standard ways to mark user designations of bug warnings (e.g., as NOT_A_BUG or SHOULD_FIX). The internal logic now records this, it is represented in the XML file, and GUI2 allows the designations to be applied (along with free-form user annotations about each warning). The user designations and annotations are not yet supported by the Eclipse plugin, but we clearly want to support it in Eclipse shortly.</li>
<li>Added a check for a bad comparison with a signed byte with a value not in the range -128..127. For example: <pre>int find200(byte b[]) {
    // b[i] is a signed byte (-128..127), so this comparison is never true
    for (int i = 0; i &lt; b.length; i++) if (b[i] == 200) return i;
    return -1;
}
</pre>
</li>
<li>Added a check for testing whether a value is equal to Double.NaN (no value is equal to NaN, not even NaN).</li>
<li>Added a check for using a class with an equals method but no hashCode method in a hashed data structure.</li>
<li>Added check for uncallable method of an anonymous inner class. For example, in the following code, it is impossible to invoke the initalValue method (because the name is misspelled and as a result it doesn't override a method in ThreadLocal).
<pre>private static ThreadLocal serialNum = new ThreadLocal() {
    // misspelled name: this does not override a method in ThreadLocal
    protected synchronized Object initalValue() {
        return new Integer(nextSerialNum++);
    }
};
</pre>
</li>
<li>Added check for a dead local store caused by a switch statement fall through</li>
<li>Added check for computing the absolute value of a random 32 bit integer or of a hashcode. This is broken because <code>Math.abs(Integer.MIN_VALUE) == Integer.MIN_VALUE</code>, and thus the result of calling Math.abs, which is expected to be nonnegative, will in fact be negative one time out of 2<sup>32</sup>, which will invariably be the time your boss is demoing the software to your customers.
</li>
<li>More careful resolution of inherited methods and fields. Some of the shortcuts we were taking in FindBugs 1.0.0 were leading to inaccurate results, and it was fairly easy to address this by making the analysis more accurate.</li>
<li>Overall, analysis times are about 1.6 times longer in FindBugs 1.1.0 than in FindBugs 1.0.0. This is because we have enabled substantial additional analysis at the default effort level (the actual analysis engine is significantly faster than in FindBugs 1.0).
On a recent AMD Athlon processor, analyzing JDK1.6.0 (about 1 million lines of code) requires about 15 minutes of wall clock time.</li>
<li>Provided class and script (printClass) to print classfile in the human readable format produced by BCEL</li>
<li>Provided -findSource option to setBugDatabaseInfo</li>
</ul>

<p>Changes since version 0.9.7:</p>

<ul>
<li>fix ObjectTypeFactory bug that was suppressing some bugs</li>
<li>opcode stack may determine definite zeros on some paths</li>
<li>opcode stack can track some constant string concatenations (dbrosius)</li>
<li>default effort performs iterative opcode analysis (but min effort does not)</li>
<li>default heap size upped to 384m</li>
<li>schema for XML output available: bugcollection.xsd</li>
<li>fixed some internal confusion between dotted and slashed class names</li>
<li>New detectors
<ul>
<li>CheckImmutableAnnotation.java: checks JCIP annotations</li>
</ul>
</li>
<li>Updated detectors
<ul>
<li>BadRegEx.java: understands Pattern.LITERAL, warns about "."</li>
<li>FindUnreleasedLock.java: fewer false positives</li>
<li>DumbMethods.java: check for vacuous comparisons to MAX_INTEGER or MIN_INTEGER, fix bugs detecting DM_NEXTINT_VIA_NEXTDOUBLE</li>
<li>FindPuzzlers.java: detect <tt>n%2==1</tt>, detect toString() on array types
</li>
<li>FindInconsistentSync2.java: detects IS_FIELD_NOT_GUARDED
</li>
<li>MethodReturnCheck.java: add check for discarded newly constructed values, increase priority of some ignored constructed exceptions, better handling of bytecode compiled by Eclipse</li>
<li>FindEmptySynchronizedBlock.java: better handling of bytecode compiled by Eclipse</li>
<li>DoInsideDoPrivileged.java: warn if call to setAccessible isn't in doPrivileged, don't report private methods</li>
<li>LoadOfKnownNullValue.java: fix bug that was reporting false positives on <code>finally</code> blocks
</li>
<li>CheckReturnAnnotationDatabase.java: better checks for unstarted threads</li>
<li>ConfusionBetweenInheritedAndOuterMethod.java: fewer false positives, fixed a package-handling bug</li>
<li>BadResultSetAccess.java: separate bug pattern for PreparedStatements, <code>BRZA</code> category folded into <code>SQL</code> category
</li>
<li>FindDeadLocalStores.java, FindBadCast2.java, DumbMethods.java, RuntimeExceptionCapture.java: coalesce similar bugs within a method into a single bug instance with multiple source lines</li>
</ul>
</li>
<li>Eclipse plugin
<ul>
<li>plugin ID changed from <tt>de.tobject.findbugs</tt> to <tt>edu.umd.cs.findbugs.plugin.eclipse</tt>
</li>
<li>support for findbugs eclipse auto-update site</li>
</ul>
</li>
<li>Updated test case files
<ul>
<li>BadRegEx.java</li>
<li>JSR166.java</li>
<li>ConcurrentModificationBug.java</li>
<li>DeadStore.java</li>
<li>InstanceOf.java</li>
<li>LoadKnownNull.java</li>
<li>NeedsToCheckReturnValue.java</li>
<li>BadResultSetAccessTest.java</li>
<li>DeadStore.java</li>
<li>TestNonNull2.java</li>
<li>TestImmutable.java</li>
<li>TestGuardedBy.java</li>
<li>BadRandomInt.java</li>
<li>six test cases added to new <code>TigerTraps</code> directory
</li>
</ul>
</li>
<li>fix bug that was generating duplicate uids</li>
<li>fix bug with <code>-onlyAnalyze some.package.*</code> on jdk1.4
</li>
<li>fix regression bug in DismantleByteCode.getRefConstantOperand()</li>
<li>fix some minor bugs with the Swing GUI</li>
<li>reordered some bugInstances so that source line annotations come last</li>
<li>removed references to unused java system
properties</li>
<li>French translation updates (David Cotton)</li>
<li>Japanese translation updates (Hanai Shisei)</li>
<li>content cleanup for findbugs.xml and messages.xml</li>
<li>references to cvs hostname updated to findbugs.cvs.sourceforge.net</li>
<li>documented xdoc output options, new mineBugHistory/computeBugHistory options</li>
</ul>

<p>Changes since version 0.9.6:</p>

<ul>
<li>performance improvements</li>
<li>ObjectType instances are cached to reduce memory footprint
</li>
<li>for performance and memory reasons stateless detectors are no longer cloned, must clear their own state between .class files
</li>
<li>fixed bug in bytecode-set lookup for methods (was causing bad results for IS2, perhaps others)</li>
<li>fix some OpcodeStack bugs with integer and long operations, perform iterative analysis when effort is <tt>max</tt>
</li>
<li>HTML output includes LongMessage text again (regression in 0.95 - 0.96)</li>
<li>New detectors
<ul>
<li>CalledMethods.java: builds a list of invoked methods for other detectors to consult (non-reporting)</li>
<li>UncallableMethodOfAnonymousClass.java: detect anonymous inner classes that define methods that are probably intended to but do not override methods in a superclass.</li>
</ul>
</li>
<li>Updated detectors
<ul>
<li>FindFieldSelfAssignment.java: recognize separate fields with the same name (one from superclass)</li>
<li>FindLocalSelfAssignment2.java: handles backward branches better (Dave Brosius)</li>
<li>FindBadCast2.java: BC_NULL_INSTANCEOF changed to NP_NULL_INSTANCEOF</li>
<li>FindPuzzlers.java: eliminate false positive on setDate() (Dave Brosius)</li>
</ul>
</li>
<li>Eclipse plugin
<ul>
<li>fix serious threading bug</li>
<li>preferences for Filters and effort (Peter
Hendriks)</li>
<li>French localization (David Cotton)</li>
<li>fix bug when reporting inner classes (Peter Friese)</li>
</ul>
</li>
<li>Updated test case files
<ul>
<li>Mwn.java (Carl Burke/Dave Brosius)</li>
<li>DumbMethodInvocations.java (Anto paul/Dave Brosius)</li>
<!--sic-->
</ul>
</li>
<li>XML output includes garbage collection duration</li>
<li>French messages updated (David Cotton)</li>
<li>Swing GUI shows file name after Load Bugs command</li>
<li>Ant task to launch the findbugs frame (Mark McKay)</li>
<li>miscellaneous code cleanup</li>
</ul>

<p>Changes since version 0.9.5:</p>

<ul>
<li>Updated detectors
<ul>
<li>FindNullDeref.java: respect NonNull and CheckForNull field annotations</li>
<li>SerializableIdiom.java: detect non-private readObject and writeObject methods</li>
<li>FindRefComparison.java: smarter array comparison detection</li>
<li>IsNullValueAnalysis.java: detect <tt>null instanceof</tt>
</li>
<li>FindLocalSelfAssignment2.java: suppress some false positives (Dave Brosius)</li>
<li>FindUnreleasedLock.java: don't waste time processing classes that don't refer to java.util.concurrent.locks</li>
<li>MutableStaticFields.java: report the source line (Dave Brosius)</li>
<li>SwitchFallthrough.java: better handling of System.exit() (Dave Brosius)</li>
<li>MultithreadedInstanceAccess.java: better handling of Servlet.init() (Dave Brosius)</li>
<li>ConfusionBetweenInheritedAndOuterMethod.java: now enabled</li>
</ul>
</li>
<li>Eclipse plugin
<ul>
<li>background processing (Peter Friese)</li>
<li>internationalization, Japanese localization (Takashi Okamoto)</li>
</ul>
</li>
<li>findbugs <tt>-onlyAnalyze</tt> option now works on windows platforms
</li>
<li>mineBugHistory
<tt>-noTabs</tt> option for better alignment of output columns
</li>
<li>filterBugs <tt>-fixed</tt> option (also: will now recognize the most recent version string)
</li>
<li>XML output includes running time and memory usage data</li>
<li>miscellaneous minor corrections to the manual</li>
<li>better bytecode analysis of the <tt>iinc</tt> instruction
</li>
<li>fix bug in null pointer analysis</li>
<li>improved catch block heuristics</li>
<li>some type analysis tweaks</li>
<li>Bug priority changes
<ul>
<li>DumbMethodInvocations.java: decrease priority of hard-coded <tt>/tmp</tt> filenames
</li>
<li>ComparatorIdiom.java: decrease priority of non-serializable anonymous comparators</li>
<li>FindSqlInjection.java: decrease priority of appending a constant or a static</li>
</ul>
</li>
<li>Updated bug explanations
<ul>
<li>NM_VERY_CONFUSING (Dave Brosius)</li>
</ul>
</li>
<li>Updated test case files
<ul>
<li>BadStoreOfNonSerializableObject.java</li>
<li>BadRandomInt.java</li>
<li>TestFieldAnnotations.java</li>
<li>UseInitCause.java</li>
<li>SqlInjection.java</li>
<li>ArrayEquality.java</li>
<li>BadIntegerOperations.java</li>
<li>Pilhuhn.java</li>
<li>InstanceOf.java</li>
<li>SwitchFallthrough.java (Dave Brosius)</li>
</ul>
</li>
<li>fix URL decoding bug when running under Java Web Start (Dave Brosius)</li>
<li>distribution includes <tt>project.xml</tt> file for NetBeans
</li>
</ul>

<p>Changes since version 0.9.4:</p>
<ul>
<li>New detectors
<ul>
<li>VarArgsProblems.java</li>
<li>FindSqlInjection.java: now enabled</li>
<li>ComparatorIdiom.java: comparators usually implement serializable</li>
<li>Naming.java: detect methods not overridden due to eponymously typed args from different
packages</li>
</ul>
</li>
<li>Updated detectors
<ul>
<li>SwitchFallthrough.java: suppress some false positives</li>
<li>DuplicateBranches.java: suppress some false positives</li>
<li>IteratorIdioms.java: suppress some false positives</li>
<li>FindHEmismatch.java: suppress some false positives</li>
<li>QuestionableBooleanAssignment.java: finds more cases of <tt>if (b=true)</tt> ilk
</li>
<li>DumbMethods.java: detect int remainder by 1, delayed gc errors</li>
<li>SerializableIdiom.java: detect store of nonserializable object into field of serializable class</li>
<li>FindNullDeref.java: fix potential exception</li>
<li>IsNullValue.java: fix potential exception</li>
<li>MultithreadedInstanceAccess.java: fix potential exception</li>
<li>PreferZeroLengthArrays.java: flag the method, not the line</li>
</ul>
</li>
<li>Remove some inadvertent dependencies on JDK 1.5</li>
<li>Sort order should be more consistent</li>
<li>XML output changes
<ul>
<li>Option to sort XML bug output</li>
<li>Now contains instance IDs</li>
<li>uid no longer missing (was causing problems with fancy HTML output)</li>
<li>Typo fixed</li>
</ul>
</li>
<li>Internal changes to track source files, <tt>-sourceInfo</tt> option
</li>
<li>Bug matching: first try exact bug pattern matching, option to compare priorities, option to disable package moves</li>
<li>Architecture documentation in <tt>design/architecture</tt>
</li>
<li>Test cases move into their own CVS project</li>
<li>Don't report warnings that occur outside the analyzed classes</li>
<li>Fixes to the build.xml files</li>
<li>Better handling of @CheckReturnValue and @CheckForNull annotations (also, some additional methods searched for check return value and check for null)</li>
<li>Fixed some stream-closing
bugs (one by <tt>z-fb-user</tt>/Dave Brosius)
</li>
<li>Bug priority changes
<ul>
<li>increase priority of ignoring return value of java.sql.Connection methods</li>
<li>increase priority of comparing classes like Integer using <tt>==</tt>
</li>
<li>decrease priority of IT_NO_SUCH_ELEMENT if we see any call to <tt>next()</tt>
</li>
<li>tweak priority of NM_METHOD_CONSTRUCTOR_CONFUSION</li>
<li>decrease priority of RV_RETURN_VALUE_IGNORED for an inherited annotation that doesn't return same type as class</li>
</ul>
</li>
<li>Updated bug explanations
<ul>
<li>RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE</li>
<li>DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED</li>
<li>IMA_INEFFICIENT_MEMBER_ACCESS (Dave Brosius)</li>
<li>some Japanese improvements to messages_ja.xml (<tt>ruimo</tt>)
</li>
<li>some German improvements to findbugs_de.properties (Dave Brosius, <tt>dvholten</tt>)
</li>
</ul>
</li>
<li>Updated test case files
<ul>
<li>BadIntegerOperations.java</li>
<li>SecondKaboom.java</li>
<li>OpenDatabase.java (Dave Brosius)</li>
<li>FindOpenStream.java (Dave Brosius)</li>
<li>BadRandomInt.java</li>
</ul>
</li>
<li>Source-lines info maintained for methods (handy for abstract and native methods)</li>
<li>Remove surrounding opcodes from source line annotations</li>
<li>Better error when can't read file</li>
<li>Swing GUI: removed console pane from FindBugsFrame, fix missing classes bug</li>
<li>Fixes to OpcodeStack.java</li>
<li>Detectors may attach a custom value to an OpcodeStack.Item (Dave Brosius)</li>
<li>Filter.java: ability to add text messages to XML output, fix bug with <tt>-withMessages</tt>
</li>
<li>SourceInfoMap supports ranges of source lines</li>
<li>Ant task supports the <tt>timestampNow</tt> attribute
</li>
</ul>

<p>Changes since version 0.9.3:</p>
<ul>
<li>Substantial rework of datamining code</li>
<li>Removed bogus warnings about await on things other than Condition not being in a loop</li>
<li>Fixed bug in OpcodeStack handling of dup2 of long/double values</li>
<li>Don't report array types as missing classes</li>
<li>Adjustment of some warnings on ignored return values</li>
<li>Added thread safety annotations from Java Concurrency in Practice (no detectors written for these yet)</li>
<li>Added annotation for methods that, if overridden, should be invoked by overriding methods via a call to super</li>
<li>Updated -html:fancy.xsl (Etienne Giraudy)</li>
</ul>

<p>Note: there was no version 0.9.2</p>

<p>Changes since version 0.9.1:</p>
<ul>
<!-- New detectors -->
<li>Embellish USM to find abstract methods that implement an interface method (Dave Brosius)</li>
<li>New detector to find stores of literal booleans inside if or while expressions (Dave Brosius)</li>
<li>New style detector to find final classes that declare protected fields (Dave Brosius)</li>
<li>New detector to find subclass methods that simply forward, verbatim, to the super class (Dave Brosius)</li>
<li>Detector to find instances where code is attempting to write an object out via an implementation of DataOutput, but the object is not guaranteed to be Serializable (Jon Christiansen, Bill Pugh)</li>

<!-- Feature enhancements -->
<li>Large (35%) analysis speedup (Bill Pugh)</li>
<li>Add line numbers to Swing GUI code panel (Dave Brosius)</li>
<li>Added effort options to Swing GUI (Dave Brosius)</li>
<li>Add ability to specify bugs file to open from command line for GUI version, through -loadbugs (Phillip Martin)</li>
<li>New stylesheet for generating HTML: use option
<tt>-html:plain.xsl</tt> (Chris Nappin)
</li>
<li>New stylesheet for generating HTML: use option <tt>-html:fancy.xsl</tt> (Etienne Giraudy)
</li>
<li>Updated Japanese bug message translations (Shisei Hanai)</li>

<!-- Bug fixes -->
<li>XHTML compliance fixes for bug details (Etienne Giraudy)</li>
<li>Various detector fixes (Shisei Hanai)</li>
<li>Fixed bugs in the project preferences dialog in the Eclipse plugin (Takashi Okamoto, Thomas Einwaller)</li>
<li>Lowered priority of analysis thread in Swing GUI (David Hovemeyer, suggested by Shisei Hanai and Jeffrey W. Badorek)</li>
<li>Fixed EclipsePlugin to correctly pick up auxclasspath entries (Jon Christiansen)</li>
</ul>

<p>Changes since version 0.9.0:</p>
<ul>
<li>Fixed dependence on JRE 1.5: all features should work on JRE 1.4 again</li>
<li>Fixed -effort command line option handling for Swing GUI</li>
<li>Fixed conserveSpace and workHard attributes in Ant task</li>
<li>Added support for effort attribute in Ant task</li>
</ul>

<p>Changes since version 0.8.8:</p>
<ul>
<!-- New detectors and bug patterns -->
<li>XMLFactoryBypass detector to find direct allocation of xml class implementations (Dave Brosius)</li>
<li>InefficientMemberAccess detector to find accesses to owning class private members (Dave Brosius)</li>
<li>DuplicateBranches detector checks switch statements too (Dave Brosius)</li>

<!-- Feature enhancements -->
<li>FindBugs available from findbugs.sourceforge.net as Java Web Start application (Dave Brosius)</li>
<li>Updated Japanese bug message translations (Shisei Hanai)</li>
<li>Improved bug detail message for covariant equals() (Shisei Hanai)</li>
<li>Modeling of instanceof checks is now enabled by default, making the bad cast detector much more useful (Bill Pugh, David
Hovemeyer)</li>
<li>Support for detector ordering constraints in plugin descriptor (David Hovemeyer)</li>
<li>Simpler option to control analysis effort: -effort:<i>value</i>, where <i>value</i> is one of <code>min</code>, <code>default</code>, or <code>max</code> (David Hovemeyer)
</li>
<li>Using -effort:max, FindNullDeref checks for null arguments passed to methods which dereference them unconditionally (David Hovemeyer)</li>
<li>FindNullDeref checks @Null and @NonNull annotations for parameters and return values (David Hovemeyer)</li>

<!-- Bug fixes -->
</ul>

<p>Changes since version 0.8.7:</p>

<ul>
<!-- New detectors and bug patterns -->
<li>New detector to find duplicate code in if/else statements (Dave Brosius)</li>
<li>Look for calls to wait() on Condition objects (David Hovemeyer)</li>
<li>Look for java.util.concurrent.Lock objects not released on every path out of method (David Hovemeyer)</li>
<li>Look for calls to Thread.sleep() with a lock held (David Hovemeyer)</li>
<li>More accurate detection of impossible casts (Bill Pugh, David Hovemeyer)</li>

<!-- Feature enhancements -->
<li>Saved XML now contains project statistics (Jay Dunning)</li>
<li>Filter files can select by bug pattern type and warning priority (David Hovemeyer)</li>

<!-- Bug fixes -->
<li>Restored some files inadvertently omitted from previous release (Rohan Lloyd, David Hovemeyer)</li>
<li>Make sure detectors requiring JDK 1.5 runtime classes are only executed if those classes are available (David Hovemeyer)</li>
<li>Don't display analysis error dialog unless there is really an error (David Hovemeyer)</li>
<li>Updated and expanded French translations of bug patterns and Swing GUI (Olivier Parent)</li>
<li>Fixed invalid character encoding in German Swing GUI
translation (Olivier Parent)</li>
<li>Fix locale used for date format in project stats (K. Hashimoto)</li>
<li>Fixed LongDescription elements in xml:withMessages output format (K. Hashimoto)</li>
</ul>

<p>Changes since version 0.8.6:</p>

<ul>
<!-- new detectors -->
<li>Extend Naming detector to look for classes that are named XXXException but that are not Exceptions (Dave Brosius)</li>
<li>New detector to find classes that expose semaphores in the public implementation through the 'this' reference. (Dave Brosius)
</li>
<li>New Style detector to find Struts Action/Servlet derived classes that reference instance member variable not in synchronized blocks. (Dave Brosius)</li>
<li>New Style detector to find classes that declare implementation of interfaces that are already implemented by super classes (Dave Brosius)</li>
<li>New Style detector to find circular dependencies between classes (Dave Brosius)</li>
<li>New Style detector to find unnecessary math on constants (Dave Brosius)</li>
<li>New detector to find equality comparisons using floating point math (Jay Dunning)</li>
<li>New faster detector to find local self assignments (Bill Pugh)</li>
<li>New detector to find infinite recursive loops (Bill Pugh)
</li>
<li>New detector to find for loops with an incorrect increment (Bill Pugh)</li>
<li>New detector to find suspicious uses of BufferedReader.readLine() and String.indexOf() (Bill Pugh)</li>
<li>New detector to find suspicious integer to double casts (David Hovemeyer, Bill Pugh)</li>
<li>New detector to find invalid regular expression patterns (Bill Pugh)</li>
<li>New detector to find Bloch/Gafter Java puzzlers (Bill Pugh)</li>

<!-- feature enhancements -->
<li>New system property to suppress reporting of DLS based on local variable
name (Glenn Boysko)</li>
<li>Enhancements to configuration dialog in Eclipse plugin,
allow for saving enabled detectors in Eclipse projects (Phil
Crosby)</li>
<li>Sortable columns in detector dialog (Dave Brosius)</li>
<li>New tab in gui for showing bugs grouped by category (Dave
Brosius)</li>
<li>Improved German translation of Swing GUI (Thomas Kuehne)</li>
<li>Improved source file reporting in Emacs output format (Len
Trigg)</li>
<li>Improvements to redundant null comparison detector (Bill
Pugh)</li>
<li>Localization of run analysis and analysis error dialogs in
Swing GUI (K. Hashimoto)</li>

<!-- Bug fixes -->
<li>Don't scan equals methods in FindHEMismatch if code is
native (Greg Bentz)</li>
<li>French translation fixes (David Cotton)</li>
<li>Internationalization report fixes (K. Hashimoto)</li>
<li>Japanese translations updates (SHISEI Hanai)</li>
</ul>

<p>Changes since version 0.8.5:</p>
<ul>
<!-- new detectors -->
<li>New detector to find catch blocks that may inadvertently
catch runtime exceptions (Brian Goetz)</li>
<li>New detector to find objects that are instantiated based
on classes that only have static methods and fields, using the
synthesized constructor (Dave Brosius)</li>
<li>New detector to find calls to Thread.interrupted() in a
non static context, and especially with non currentThread()
threads (Dave Brosius)</li>
<li>New detector to find calls to equals() methods that use
Object's version.
(Dave Brosius)</li>
<li>New detector to find Applets that call methods in the
constructor referring to the AppletStub (Dave Brosius)</li>
<li>New detector to find some cases of infinite recursion
(Bill Pugh)</li>
<li>New detector to find dead stores to local variables (David
Hovemeyer, Bill Pugh)</li>
<li>Extend Dumb Method detector for toUpperCase(),
toLowerCase() without a locale, new Integer(1).toString(), new
XXX().getClass(), and new Thread() without a run implementation
(Dave Brosius) <!-- feature enhancements -->
</li>
<li>Ant task supports "errorProperty" attribute, which sets an
Ant property to "true" if an error occurs running FindBugs
(Michael Tamm)</li>
<li>Eclipse plugin allows filtering of warnings by bug
category, priority (David Hovemeyer)</li>
<li>Swing GUI allows filtering of warnings by bug category
(David Hovemeyer)</li>
<li>Ability to annotate methods using Java 1.5 annotations
that suppress FindBugs warnings (Bill Pugh)</li>
<li>New -adjustExperimental for lowering priority of
BugPatterns that are experimental (Dave Brosius)</li>
<li>Allow for command line options 'files' using the @ symbol
(David Hovemeyer)</li>
<li>New -adjustPriority command line option for adjusting
bug priorities (David Hovemeyer)</li>
<li>Added an Edit menu (cut/copy/paste) to Swing GUI (Dave
Brosius)</li>
<li>French translation supplied (David Cotton) <!-- Bug fixes -->
</li>
</ul>

<p>Changes since version 0.8.4:</p>
<ul>
<!-- new detectors -->
<li>New detector for volatile references to arrays (Bill Pugh)
</li>
<li>New detector to find instanceof usage where inheritance
can be determined statically (Dave Brosius)</li>
<li>New detector to find ResultSet.getXXX updateXXX calls
using index 0 (Dave Brosius)</li>
<li>New detector to find empty zip or jar entries
(Bill Pugh)

<!-- feature enhancements -->
</li>
<li>HTML output generation using built-in XSLT stylesheet or
user-defined stylesheet (David Hovemeyer)</li>
<li>Allow URLs to be specified to analyze zip/jar files, local
directories, and single classfiles (David Hovemeyer)</li>
<li>New command line option -onlyAnalyze restricts analysis to
selected classes and packages without reducing accuracy (David
Hovemeyer)</li>
<li>Allow Swing GUI to show source code in jar files on
Windows systems (Dave Brosius) <!-- Bug fixes -->
</li>
<li>Fix the Switch Fall Thru detector (Dave Brosius, David
Hovemeyer, Bill Pugh)</li>
<li>MacOS GUI fixes (Rohan Lloyd)</li>
<li>Fix false positive in BOA in case where method is
correctly and 'incorrectly' overridden (Dave Brosius)</li>
<li>Fixed memory blowup when analyzing methods which access a
large number of fields (David Hovemeyer)</li>
</ul>

<p>Changes since version 0.8.3:</p>
<ul>
<li>Initial and preliminary localization of the Swing
GUI. Translations by:
<ul>
<li>German - Peter D.
Stout, Holger Stenzhorn</li>
<li>Finnish - Juha Knuutila</li>
<li>Estonian - Tanel Lebedev</li>
<li>Japanese - Hanai Shisei</li>
</ul>
</li>
<li>Eliminated debug print statements inadvertently left
enabled</li>
<li>Reverted some changes in the open stream detector: this
should fix some false positives that were introduced in the
previous release</li>
<li>Fixed a couple missing class reports</li>
</ul>

<p>Changes since version 0.8.2:</p>
<ul>

<!-- New detectors -->
<li>New detector to find improperly overridden GUI Adapter
classes (Dave Brosius)</li>
<li>New detector to find improperly set up JUnit TestCases
(Dave Brosius)</li>
<li>New detector to find variables that mask class level
fields (Dave Brosius)</li>
<li>New detector to find comparisons of values computed with
bitwise operators that always yield the same result (Tom Truscott)
</li>
<li>New detector to find unsafe getClass().getResource() calls
(Bill Pugh)</li>
<li>New detector to find GUI changes not in GUI thread but in
static main (Bill Pugh)</li>
<li>New detector to find calls to Collection.toArray() with
zero-length array argument; it is more efficient to pass an array
the size of the collection, which can be populated and returned as
the result (Dave Brosius) <!-- Analysis improvements -->
</li>
<li>Better suppression of false warnings in various detectors
(Bill Pugh, David Hovemeyer)</li>
<li>Enhancement to ReadReturnShouldBeChecked detector for
skip() (Dave Brosius)</li>
<li>Enhancement to DumbMethods detector (Dave Brosius)</li>
<li>Open stream detector does not report wrappers of streams
passed as method parameters (David Hovemeyer) <!-- Feature enhancements -->
</li>
<li>Cancel confirmation dialog in Swing GUI (Pete Angstadt)</li>
<li>Better relative path saving in Project
file (Dave Brosius)
</li>
<li>Detector Priority in GUI is now saved in prefs file (Dave
Brosius)</li>
<li>Controls in GUI to reorder source and classpath entries,
and ability to flip between Project details and bugs pages (Dave
Brosius)</li>
<li>In Swing GUI, analysis error dialog supports "Select All"
and "Copy" operations for easy generation of error reports (Dave
Brosius)</li>
<li>Complete translation of bug descriptions and messages into
Japanese (Hanai Shisei) <!-- Bug fixes -->
</li>
<li>Fixed bug in DroppedException detector (Dave Brosius) <!-- Development stuff -->
</li>
<li>The source distribution defaults to using JDK 1.5 javac to
compile, but compiling with the JSR-14 prototype is still
supported</li>
</ul>

<p>Changes since version 0.8.1:</p>
<ul>
<li>Fixed a critical ClassCastException bug (triggered if the
-workHard option was used, and an exception type was merged with
an array type during type inference)</li>
</ul>

<p>Changes since version 0.8.0:</p>
<ul>
<li>Disabled SwitchFallthrough detector to work around
NullPointerExceptions</li>
<li>Added some additional false positive suppression
heuristics</li>
</ul>

<p>Also, two contributors to the 0.8.0 release were
inadvertently left out of the credits:</p>
<ul>
<li>Pete Angstadt fixed several problems in the Swing GUI</li>
<li>Francis Lalonde provided a task resource file for the
FindBugs Ant task</li>
</ul>

<p>Changes since version 0.7.4:</p>
<ul>
<li>New detector to look for uses of "+" operator to
concatenate String objects in a loop (Dave Brosius)</li>
<li>Reference comparison detector looks for places where the
argument passed to the equals(Object) method isn't the same type
as the receiver object</li>
<li>Better suppression of false warnings in
many detectors</li>
<li>Many improvements to Eclipse plugin (Andrey Loskutov,
Peter Friese)</li>
<li>Fixed problem with building Eclipse plugin on Windows
(Thomas Klaeger)</li>
<li>Open stream detector looks for unclosed PreparedStatement
objects (Thomas Klaeger, Rohan Lloyd)</li>
<li>Fix for open stream detector: it wasn't detecting close()
methods called through an invokeinterface instruction (Thomas
Klaeger)</li>
<li>Refactoring of visitor classes to enforce use of accessors
for visited class features (Brian Goetz)</li>
</ul>

<p>Changes since version 0.7.3:</p>
<ul>
<li>Experimental modification of open stream detector to look
for non-escaping JDBC resources (connections and statements) that
aren't closed on all paths out of method</li>
<li>Eclipse plugin fixed so it compiles and runs on Eclipse
2.1.x (Peter Friese)</li>
<li>Option to Swing GUI and command line to generate project
file using relative paths for archives, source directories, and
aux classpath entries (Dave Brosius)</li>
<li>Improvements to findbugs.bat script for launching FindBugs
on Windows (Dave Brosius)</li>
<li>Updated Japanese message translations (Hiroshi Okugawa)</li>
<li>Uncalled private methods are now reported as low priority,
unless they have the same name as another method in the class
(which is more likely to indicate an actual bug)</li>
<li>Added some missing data in the bug messages XML files</li>
<li>Fixed some problems building from source on Windows
systems</li>
<li>Various minor bug fixes</li>
</ul>

<p>Changes since version 0.7.2:</p>
<ul>
<li>Enhanced Eclipse plugin, which displays the detailed bug
description in a view (Phil Crosby)</li>
<li>Various tweaks to existing detectors to reduce false
warnings</li>
<li>New command line option <code>-workHard</code> enables
pruning of infeasible or unlikely exception edges, which results
in better accuracy in the open stream detector, at the expense of
a 30%-100% slowdown
</li>
<li>New website and HTML documentation design</li>
<li>Documentation includes an HTML document with descriptions
of all bug patterns reported by FindBugs</li>
<li>Web page has a link to a <a
href="http://www.simeji.com/findbugs/doc/manual_ja/index.html">Japanese
translation</a> of the FindBugs manual, contributed by Hiroshi
Okugawa
</li>
<li>Changed the Inconsistent Synchronization detector so that
fields synchronized 50% of the time (or more) are reported as
medium priority bugs (previously they were reported as low)</li>
<li>New detector to find code that catches
IllegalMonitorStateException</li>
<li>New detector to find private methods that are never called
</li>
<li>New detector to find suspicious uses of
non-short-circuiting boolean operators (<code>&amp;</code> and
<code>|</code>, rather than <code>&amp;&amp;</code> and
<code>||</code>)
</li>
</ul>

<p>Changes since version 0.7.1:</p>
<ul>
<li>Incorporated patched version of BCEL, which allows classes
compiled with JDK 1.5.0 beta to be analyzed</li>
<li>Fixed some bugs related to lookups of array classes</li>
<li>Fixed bug that prevented GUI from loading XML result files
when running under JDK 1.5.0 beta</li>
<li>Added new experimental bug detector, LazyInit, which looks
for potentially buggy lazy initializations of static fields</li>
<li>Because of long filenames, switched to distributing the
source archive as a zip file rather than a tar file</li>
<li>The 0.7.1 source tarfile was botched - 0.7.2 has a valid
source archive</li>
<li>Fixed some problems in the Ant build script</li>
<li>Fixed NullPointerException when checking Class-Path
attribute for
Jar files without manifests</li>
<li>Generate version numbers for the core and UI Eclipse
plugins using the Version class; all version numbers are now in a
common location</li>
</ul>

<p>Changes since version 0.7.0:</p>
<ul>
<li>Eclipse plugin (contributed by Peter Friese)</li>
<li>Source package structure rearranged: all source (other
than Eclipse plugin UI) is in the edu.umd.cs.findbugs package, or
a subpackage</li>
<li>Class-Path attributes of manifests of analyzed jar files
are used to set the aux classpath automatically (Peter D. Stout)</li>
<li>GUI starts in directory specified by user.home property
(Peter D. Stout)</li>
<li>Added -project option to GUI (Mikko T.)</li>
<li>Added -look:{plastic,gtk,native} option to GUI, for
setting look and feel (Mikko T.)</li>
<li>Fixed DataflowAnalysisException in inconsistent
synchronization detector</li>
<li>Ant task supports failOnError parameter (Rohan Lloyd)</li>
<li>Serializable class warnings are downgraded to low priority
for GUI classes</li>
<li>MWN detector will only report calls to wait(), notify(),
and notifyAll() methods that have the correct signature</li>
<li>FindBugs works with latest CVS version of BCEL</li>
<li>Zip and Jar files may be added to the source path</li>
<li>The GUI will automatically find source files residing in
analyzed Zip or Jar files</li>
</ul>

<p>Note that the version number jumped from 0.6.6 to 0.6.9;
there were no 0.6.7 or 0.6.8 releases.</p>
<p>Changes since version 0.6.9:</p>
<ul>
<li>Added -conserveSpace option to reduce memory use at the
expense of analysis precision</li>
<li>Bug fixes in findbugs.bat script: JAVA_HOME handling,
autodetection of FINDBUGS_HOME, missing output with -textui</li>
<li>Fixed NullPointerException when a missing class is
encountered</li>
</ul>
<p>Changes since version 0.6.6:</p>
<ul>
<li>The null pointer dereference detector is more powerful</li>
<li>Significantly improved heuristics and bug fixes in
inconsistent synchronization detector</li>
<li>Improved heuristics in open stream and dropped exception
detectors; fewer false positives should be reported</li>
<li>Save HTML summary in XML results files, rather than
recomputing; this makes loading results in GUI much faster</li>
<li>Report at most one String comparison using == or != per
method</li>
<li>The findbugs.bat script on Windows autodetects
FINDBUGS_HOME, and doesn't open a DOS window when launching the
GUI (contributed by TJSB)</li>
<li>Emacs reporting format (contributed by David Li)</li>
<li>Various bug fixes</li>
</ul>

<p>Changes since 0.6.5:</p>
<ul>
<li>Rewritten inconsistent synchronization detector; accuracy
is significantly improved, and bug reports are prioritized</li>
<li>New detector to find self assignment (x=x) of local
variables (suggested by Jeff Martin)</li>
<li>New detector to find calls to wait(), notify(), and
notifyAll() on an object which is not obviously locked</li>
<li>Open stream detector now reports Readers and Writers</li>
<li>Fixed bug in finalizer idioms detector which caused
spurious warnings about failure to call super.finalize() (reported
by Jim Menard)</li>
<li>Fixed bug where output stream was not closed using non-XML
output (reported by Sigiswald Madou)</li>
<li>Fixed corrupted HTML bug detail message (reported by
Trevor Harmon)</li>
</ul>

<p>Changes since version 0.6.4:</p>
<ul>
<li>For redundant comparison of reference values, fixed false
positives resulting from duplication of code in finally blocks</li>
<li>Fixed false positives resulting from wrapped byte array
streams left open</li>
<li>Fixed bug
in Ant task preventing output file from working
properly if a relative path was used</li>
</ul>

<p>Changes since version 0.6.3:</p>
<ul>
<li>Fixed bug in Ant task where output would be corrupted, and
added a <code>timeout</code> attribute
</li>
<li>Added -outputFile option to text UI, for explicitly
specifying an output file</li>
<li>GUI has a summary window, for statistics about overall bug
densities (contributed by Mike Fagan)</li>
<li>Find redundant comparisons of reference values</li>
<li>More accurate detection of Strings compared with == and !=
operators</li>
<li>Detection of other reference types which should generally
not be compared with == and != operators; Boolean, Integer, etc.</li>
<li>Find non-transient non-serializable instance fields in
Serializable classes</li>
<li>Source code may be compiled with latest early access
generics-enabled javac (version 2.2)</li>
</ul>

<p>Changes since version 0.6.2:</p>
<ul>
<li>GUI supports filtering bugs by priority</li>
<li>Ant task rewritten; supports all functionality offered by
Text UI (contributed by Mike Fagan)</li>
<li>Ant task is fully documented in the manual</li>
<li>Classes in nested archives are analyzed; this allows full
support for analyzing .ear and .war files (contributed by Mike
Fagan)</li>
<li>DepthFirstSearch changed to use non-recursive
implementation; this should fix the StackOverflowErrors that
several users reported</li>
<li>Various minor bugfixes and improvements</li>
</ul>

<p>Changes since version 0.6.1:</p>
<ul>
<li>New detector to look for useless control flow (suggested
by Richard P. King and Mike Fagan)</li>
<li>Look for places where return value of
java.io.File.createNewFile() is ignored (suggested by Richard P.
King)</li>
<li>Fixed bug in resolution of source files (only the first
source directory was searched)</li>
<li>Fixed a NullPointerException in the bytecode pattern
matching code</li>
<li>Ant task supports project files (contributed by Mike
Fagan)</li>
<li>Unix findbugs script honors the <code>JAVA_HOME</code>
environment variable (contributed by Pedro Morais)
</li>
<li>Allow .war and .ear files to be analyzed</li>
</ul>

<p>Changes since version 0.6.0:</p>
<ul>
<li>New bug pattern detector which looks for places where a
null pointer might be dereferenced</li>
<li>New bug pattern detector which looks for IO streams that
are opened, do not escape the method, and are not closed on all
paths out of the method</li>
<li>New bug pattern detector to find methods that can return
null instead of a zero-length array</li>
<li>New bug pattern detector to find places where the == or !=
operators are used to compare String objects</li>
<li>Command line interface can save bugs as XML</li>
<li>GUI can save bugs to and load bugs from XML</li>
<li>An "Annotations" window in the GUI allows the user to add
textual annotations to bug reports; these annotations are
preserved when bugs are saved as XML</li>
<li>In this release, the Japanese bug summary translations by
Germano Leichsenring are really included (they were inadvertently
omitted in the previous release)</li>
<li>Completely rewrote the control flow graph builder,
hopefully for the last time</li>
<li>Simplified implementation of control flow graphs, which
should reduce memory use and possibly improve performance</li>
<li>Improvements to command line interface (list bug
priorities, filter by priority, specify aux classpath, specify
project to analyze)</li>
<li>Various bug fixes and enhancements</li>
</ul>

<p>Changes
since version 0.5.4</p>
<ul>
<li>Added an <a href="http://ant.apache.org/">Ant</a> task for
FindBugs, contributed by Mike Fagan.
</li>
<li>Added a GUI dialog which allows individual bug pattern
detectors to be enabled or disabled. Disabling certain slow
detectors can greatly speed up analysis of large programs, at the
expense of reducing the number of potential bugs found.</li>
<li>Added a new detector for finding improperly ignored return
values for methods such as <code>String.trim()</code>.
Suggested by Andreas Mandel.
</li>
<li>Japanese translations of the bug summaries, contributed by
Germano Leichsenring.</li>
<li>Filtering of results is supported in command line
interface. See the <a href="manual/index.html">FindBugs manual</a>
for details.
</li>
<li>Added "byte code patterns", a general pattern matching
infrastructure for bytecode instructions. This feature
significantly reduces the complexity of implementing new bug
pattern detectors.</li>
<li>Enabled a new general dataflow analysis to track values in
methods.</li>
<li>Switched to new control-flow graph builder implementation.
</li>
</ul>

<p>Changes since version 0.5.3</p>
<ul>
<li>Fixed a bug in the script used to launch FindBugs on
Windows platforms.</li>
<li>Fixed crashes when analyzing class files without source
line information.</li>
<li>All major errors are reported using an error dialog; file
not found errors are more informative.</li>
<li>Minor GUI improvements.</li>
</ul>

<p>Changes since version 0.5.2</p>
<ul>
<li>All of the source code and related files are in a single
directory tree.</li>
<li>Updated some of the detectors to produce source line
information.</li>
<li><a href="http://ant.apache.org/">Ant</a> build script and
several GUI enhancements and fixes contributed by Mike Fagan.</li>
<li>Converted to use a <a href="AddingDetectors.txt">plugin
architecture</a> for loading bug detectors.
</li>
<li>Eliminated generics-related compiler warnings.</li>
<li>More complete documentation has been added.</li>
</ul>

<p>Changes since version 0.5.1:</p>
<ul>
<li>Fixed a large number of bugs in the BCEL Repository and
FindBugs's use of the Repository. With these changes,
FindBugs should <em>never</em> crash or otherwise misbehave
because of Repository lookup failures. Because of these
changes, you must use a modified version of <code>bcel.jar</code>
with FindBugs. This jar file is included in the FindBugs
0.5.2 binary release. A complete patch containing the <a
href="http://faculty.ycp.edu/~dhovemey/bcel-30-April-2003.patch">modifications
against the BCEL CVS main branch as of April 30, 2003</a> is also
available.
</li>
<li>Implemented the "auxiliary classpath entry list".
Aux classpath entries can be added to a project to provide classes
that are referenced by the analyzed application, but should not
themselves be analyzed.
Having all referenced classes
available allows FindBugs to produce more accurate results.</li>
</ul>

<p>Changes since version 0.5.0:</p>
<ul>
<li>Many user interface bugs have been fixed.</li>
<li>Upgraded to a recent CVS version of BCEL, with some bug
fixes. This should prevent FindBugs from crashing when there
is a failure to find a class on the classpath.</li>
<li>Added support for Plastic look and feel from <a
href="http://www.jgoodies.com/">jgoodies.com</a>.
</li>
<li>Major overhaul of infrastructure for doing dataflow
analysis.</li>
</ul>
<hr> <p>
<script language="JavaScript" type="text/javascript">
<!---//hide script from old browsers
document.write( "Last updated "+ document.lastModified + "." );
//end hiding contents --->
</script>
<p> Send comments to <a class="sidebar" href="mailto:findbugs (a] cs.umd.edu">findbugs (a] cs.umd.edu</a>
<p>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=96405&type=5" width="210" height="62" border="0" alt="SourceForge.net Logo" /></A>

</td>

</tr>
</table>

</body>

</html>