Did you know that the bug search tools in Java code have bugs too?

Developers of the PVS-Studio static code analyzer, which until recently had been searching for errors and potential vulnerabilities in C, C++ and C# code, have released a new version of the product that is capable of detecting bugs in Java projects.
As usual, the author of the article gives some examples of bugs detected by PVS-Studio. Anticipating possible questions over whether the analyzer is able to find something in such projects as IntelliJ IDEA, SpotBugs and many other bug search tools for Java, the author proposes considering the examples of various errors found in these projects.

For example, here is an interesting typo found in IntelliJ IDEA:

public synchronized boolean isIdentifier(@NotNull String name,
                                        final Project project) {
 if (!StringUtil.startsWithChar(name,'\'') &&
     !StringUtil.startsWithChar(name,'\"')) {
   name = "\"" + name;
 }
 if (!StringUtil.endsWithChar(name,'"') &&
     !StringUtil.endsWithChar(name,'\"')) {
   name += "\"";
 }
....
}

This code fragment checks that the name is enclosed in either single or double quotation marks. If it is not, double quotation marks are added automatically.

Due to a typo, the end of the name is checked only for the presence of double quotation marks. As a result, the name in single quotation marks will be processed incorrectly.

Because of the extra double quote that gets added, the name 'Abcd' will turn into:

'Abcd'"
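To make the typo observable, here is the quoting logic from the fragment above rewritten with plain java.lang.String methods, once as posted (bug preserved) and once with the symmetric trailing check. This is an added example, not code from IntelliJ IDEA or PVS-Studio; the class and method names and the sample names are constructed for the demonstration.

```java
// Added example: reproduces the quote-check typo described in the post.
public class QuoteCheckDemo {

    // Mirrors the quoted fragment: the second condition tests '"' twice, because
    // the escape sequence "\"" is the same character as '"'. A trailing single
    // quote is therefore never recognised and an extra double quote is appended.
    static String quoteBuggy(String name) {
        if (!name.startsWith("'") && !name.startsWith("\"")) {
            name = "\"" + name;
        }
        if (!name.endsWith("\"") && !name.endsWith("\"")) {   // typo kept on purpose
            name += "\"";
        }
        return name;
    }

    // Corrected form: the trailing check tests both quote characters,
    // matching the leading check.
    static String quoteFixed(String name) {
        if (!name.startsWith("'") && !name.startsWith("\"")) {
            name = "\"" + name;
        }
        if (!name.endsWith("'") && !name.endsWith("\"")) {
            name += "\"";
        }
        return name;
    }

    public static void main(String[] args) {
        // Constructed sample names: single-quoted, double-quoted and unquoted.
        String[] inputs = { "'Abcd'", "\"Abcd\"", "Abcd" };
        for (String in : inputs) {
            System.out.printf("%-10s buggy=%-12s fixed=%s%n",
                              in, quoteBuggy(in), quoteFixed(in));
        }
    }
}
```

Running the class side by side shows why a compiler cannot catch this: both versions are valid Java, and only a static analyzer or a test on single-quoted input notices that the second condition repeats the same character.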

The analyzer can be integrated as a plugin into several build systems and tools such as Maven, Gradle and IntelliJ IDEA. Nor could the developers ignore SonarQube, a platform for code quality control: they added Java support to the existing PVS-Studio plugin. The analyzer warnings are classified not only according to CWE and CERT but also MISRA. Support for these standards makes the analyzer more effective for improving security, program portability and reliability in build systems.

Another piece of good news was that all open source contributors hosting on GitHub or Bitbucket can use PVS-Studio for free.

Read more about the new version of PVS-Studio here - https://www.viva64.com/en/b/0602/

Read more about other errors in Java code here - https://www.viva64.com/en/b/0603/