Did you know that the bug search tools in Java code have bugs too?

Greenhorn
Posts: 7
Developers of the PVS-Studio static code analyzer, which until recently had been searching for errors and potential vulnerabilities in C, C++ and C# code, have released a new version of the product that is capable of detecting bugs in Java projects.
As usual, the author of the article gives some examples of bugs detected by PVS-Studio. Anticipating possible questions over whether the analyzer is able to find something in such projects as IntelliJ IDEA, SpotBugs and many other bug search tools for Java, the author proposes considering the examples of various errors found in these projects.

For example, here is an interesting typo found in IntelliJ IDEA:

public synchronized boolean isIdentifier(@NotNull String name,
                                         final Project project) {
    if (!StringUtil.startsWithChar(name,'\'') &&
        !StringUtil.startsWithChar(name,'\"')) {
        name = "\"" + name;
    }
    // Typo: '\"' is the same character as '"', so the second test repeats the
    // first; the intended check for a closing single quote ('\'') is missing.
    if (!StringUtil.endsWithChar(name,'"') &&
        !StringUtil.endsWithChar(name,'\"')) {
        name += "\"";
    }
    ....
}

This code fragment checks that the name is enclosed in either single or double quotation marks. If it's not so, double quotation marks are added automatically.

Due to a typo, the end of the name is checked only for the presence of double quotation marks. As a result, the name in single quotation marks will be processed incorrectly.

The name

'Abcd'

due to the addition of an extra double quote, will turn into:

'Abcd'"

The analyzer can be integrated as a plugin into several build systems and tools such as Maven, Gradle and IntelliJ IDEA. Nor could the developers ignore SonarQube, a platform for code quality control: they added Java support to the existing PVS-Studio plugin. The analyzer warnings are classified not only according to CWE and CERT but also MISRA. Support for these standards makes the analyzer more effective for improving security, program portability and reliability.

Another piece of good news is that all open source contributors hosting on GitHub or Bitbucket can use PVS-Studio for free.

Read more about the new version of PVS-Studio here - https://www.viva64.com/en/b/0602/

Read more about other errors in Java code here - https://www.viva64.com/en/b/0603/
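The quoting logic from the post, written out as an added example (not code from the forum post, PVS-Studio or IntelliJ): the buggy form next to the corrected form, with the `'Abcd'` case from the post as a self-check. `startsWithChar`/`endsWithChar` are local stand-ins for IntelliJ's `StringUtil` helpers and are assumed to be simple null-safe first/last-character tests.

```java
// Added example: reproduces the typo described in the post and its fix.
// startsWithChar/endsWithChar are assumed stand-ins for IntelliJ's StringUtil.
public final class QuoteTypoDemo {

    static boolean startsWithChar(String s, char c) {
        return s != null && !s.isEmpty() && s.charAt(0) == c;
    }

    static boolean endsWithChar(String s, char c) {
        return s != null && !s.isEmpty() && s.charAt(s.length() - 1) == c;
    }

    // Mirrors the IntelliJ fragment: '\"' and '"' are the same character in Java,
    // so the second operand of && repeats the first and a name that ends in a
    // single quote is never recognised as already closed.
    static String ensureQuotedBuggy(String name) {
        if (!startsWithChar(name, '\'') && !startsWithChar(name, '\"')) {
            name = "\"" + name;
        }
        if (!endsWithChar(name, '"') && !endsWithChar(name, '\"')) { // typo
            name += "\"";
        }
        return name;
    }

    // Corrected form: the closing check tests for the single quote as well,
    // matching the opening check.
    static String ensureQuotedFixed(String name) {
        if (!startsWithChar(name, '\'') && !startsWithChar(name, '"')) {
            name = "\"" + name;
        }
        if (!endsWithChar(name, '\'') && !endsWithChar(name, '"')) {
            name += "\"";
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: single-quoted, double-quoted, unquoted.
        String[] samples = { "'Abcd'", "\"Abcd\"", "Abcd" };
        for (String s : samples) {
            System.out.printf("%-10s buggy=%-10s fixed=%s%n",
                    s, ensureQuotedBuggy(s), ensureQuotedFixed(s));
        }
        // The case from the post: the buggy version appends a stray double quote.
        if (!ensureQuotedBuggy("'Abcd'").equals("'Abcd'\"")) throw new AssertionError();
        if (!ensureQuotedFixed("'Abcd'").equals("'Abcd'")) throw new AssertionError();
    }
}
```

Compile and run with `javac QuoteTypoDemo.java && java QuoteTypoDemo`. The fix keeps the fragment's original semantics (each end of the name is checked independently); what catches this class of typo, whether in a static analyzer or in code review, is noticing that both operands of the `&&` are the same expression, which makes one of them dead.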