Did you know that the bug search tools in Java code have bugs too?

 
Greenhorn
Posts: 6
Developers of the PVS-Studio static code analyzer, which until recently had been searching for errors and potential vulnerabilities in C, C++ and C# code, have released a new version of the product that is capable of detecting bugs in Java projects.
As usual, the author of the article gives some examples of bugs detected by PVS-Studio. Anticipating possible questions over whether the analyzer is able to find something in such projects as IntelliJ IDEA, SpotBugs and many other bug search tools for Java, the author proposes considering the examples of various errors found in these projects.

For example, here is an interesting typo found in IntelliJ IDEA:

public synchronized boolean isIdentifier(@NotNull String name,
                                        final Project project) {
 if (!StringUtil.startsWithChar(name,'\'') &&
     !StringUtil.startsWithChar(name,'\"')) {
   name = "\"" + name;
 }
 if (!StringUtil.endsWithChar(name,'"') &&
     !StringUtil.endsWithChar(name,'\"')) {   // typo: same check twice, '\'' was intended
   name += "\"";
 }
 ....
}

This code fragment checks that the name is enclosed in either single or double quotation marks. If it is not, double quotation marks are added automatically.

Due to a typo, the end of the name is checked only for the presence of double quotation marks. As a result, the name in single quotation marks will be processed incorrectly.

The name

'Abcd'

due to adding extra double quotes will turn into:

'Abcd'"

The analyzer can be integrated as a plugin into several build systems and IDEs, such as Maven, Gradle and IntelliJ IDEA. The developers could not ignore SonarQube, a platform for code quality control, either: they added Java support to the existing PVS-Studio plugin. The analyzer warnings are classified according not only to CWE and CERT but also to MISRA. Support for these standards makes the analyzer more useful for improving security, program portability and reliability.

Another piece of good news is that all open source contributors hosting on GitHub or Bitbucket can use PVS-Studio for free.

Read more about the new version of PVS-Studio here - https://www.viva64.com/en/b/0602/

Read more about other errors in Java code here - https://www.viva64.com/en/b/0603/
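The quoting bug described in the post, reproduced as an added example (this is not IntelliJ IDEA's or PVS-Studio's code). The helpers startsWithChar and endsWithChar are assumed stand-ins for IntelliJ's StringUtil; quoteBuggy keeps the duplicated double-quote check, and quoteFixed is the corrected version. Running it shows how a single-quoted name picks up a stray double quote in the buggy variant and is left alone in the fixed one.

```java
import java.util.Arrays;
import java.util.List;

public class QuoteTypoDemo {

    // Assumed stand-ins for IntelliJ's StringUtil helpers (not the real class).
    static boolean startsWithChar(String s, char c) {
        return !s.isEmpty() && s.charAt(0) == c;
    }

    static boolean endsWithChar(String s, char c) {
        return !s.isEmpty() && s.charAt(s.length() - 1) == c;
    }

    // Reproduces the typo from the post: both end-of-string checks test for '"',
    // so a name that ends in a single quote still gets a double quote appended.
    static String quoteBuggy(String name) {
        if (!startsWithChar(name, '\'') && !startsWithChar(name, '\"')) {
            name = "\"" + name;
        }
        if (!endsWithChar(name, '\"') && !endsWithChar(name, '\"')) { // duplicated condition
            name += "\"";
        }
        return name;
    }

    // Corrected version: the second end-of-string check tests for the single quote.
    static String quoteFixed(String name) {
        if (!startsWithChar(name, '\'') && !startsWithChar(name, '\"')) {
            name = "\"" + name;
        }
        if (!endsWithChar(name, '\'') && !endsWithChar(name, '\"')) {
            name += "\"";
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: single-quoted, double-quoted and unquoted names.
        List<String> samples = Arrays.asList("'Abcd'", "\"Abcd\"", "Abcd");
        for (String s : samples) {
            System.out.printf("%-8s  buggy=%-10s  fixed=%s%n", s, quoteBuggy(s), quoteFixed(s));
        }
        // 'Abcd'  ->  buggy='Abcd'"   fixed='Abcd'
    }
}
```

The duplicated condition is exactly the pattern a static analyzer flags as "identical sub-expressions" in a logical expression; a one-line unit test comparing quoteFixed("'Abcd'") against its input would have caught it as well. Note that, like the original fragment, neither variant enforces that the opening and closing quotes match.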
 
Wink, wink, nudge, nudge, say no more, it's a tiny ad:
Java file APIs (DOC, XLS, PDF, and many more)
https://products.aspose.com/total/java
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!