Comments (17)
The warnings are still there in 3.1.12 as of 03.2019.
Added example project to reproduce:
https://github.com/ati90ati/bugreport-spotbugs-gradle-plugin-logging
Maybe you can find a solution to fix this problem.
from spotbugs.
We should do a scan of other INVOKEs and see what shows up; for instance, DismantleBytecode.isMethodCall() ignores invokedynamic, which would seem wrong.
from spotbugs.
With Java 17.0.4.1 and Gradle 7.5.1 and Spotbugs 4.7.2 (5.0.12 gradle plugin) I get the following when running spotbugs on the Desktop project github.com/pcnge/pcgen
Task :spotbugsMain
The following classes needed for analysis were missing:
makeConcatWithConstants
test
accept
run
newThread
equals
toString
hashCode
apply
applyAsInt
handleEvent
get
getAsInt
stateChanged
compare
execute
handle
processStatus
actionPerformed
allow
referenceChanged
changed
propertyChange
applyAsDouble
variableChanged
itemStateChanged
valueChanged
from spotbugs.
I know one of the detectors has an FP because of INVOKEDYNAMIC, one of the useless-variables ones... I'll have to find it.
from spotbugs.
@mebigfatguy do you mean UnreadFields?
I believe that one suffers the same issue described in #20, where even if detected, the priority is increased until it's discarded. This is taken from UnreadFields:

    if (getThisClass().isPrivate() || getMethod().isPrivate()) {
        priority++;
    }
    if (getClassName().indexOf('$') != -1 || BCELUtil.isSynthetic(getMethod()) || f.isSynthetic()
            || f.getName().indexOf('$') >= 0) {
        priority++;
    }
Lambda bodies are moved to a private static synthetic or private synthetic method (depending on whether it's capturing the instance reference or not). Being private AND being synthetic increases the priority from low (2) to experimental (4).
The thing is, there is no definite way of identifying a lambda. They are private (static?) synthetic, but they don't need to be the only ones (especially if the bytecode is being manipulated by tools such as AspectJ's compiler or RetroLambda).
The method names "conventionally" include the word "lambda", but there is no formal requirement for this in the Java spec, so I would advise against this method.
Therefore, lambda detection is limited to checking if a method is private synthetic, and this may produce FPs.
Thankfully, there will be no FPs with accessor methods, since those are always package-private.
from spotbugs.
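As an added illustration (not from this thread or from the SpotBugs code base), the program below uses reflection to show the method shapes javac emits for lambda bodies and applies the private-plus-synthetic heuristic that the quoted UnreadFields snippet relies on; the class and method names are made up for this example.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Supplier;

// Hypothetical demo class: javac compiles each lambda body below into a
// synthetic private method, static when nothing is captured and an instance
// method when `this` is captured. getDeclaredMethods() returns those
// synthetic methods, so we can inspect their modifiers directly.
public class LambdaShapeDemo {
    private final List<String> items = new ArrayList<>();

    // Captures nothing: expected shape is `private static synthetic lambda$...`
    Runnable nonCapturing() {
        return () -> System.out.println("hello");
    }

    // Captures `this` via the `items` field: expected shape is `private synthetic lambda$...`
    Supplier<Integer> capturingThis() {
        return () -> items.size();
    }

    // Hand-written private method: private but NOT synthetic, so it must not match.
    private void ordinaryHelper() {
    }

    // Mirrors the two `priority++` conditions quoted from UnreadFields
    // (private method, synthetic method). Any private synthetic method matches,
    // which is exactly why the heuristic cannot distinguish lambdas from other
    // compiler- or tool-generated methods.
    static boolean looksLikeLambdaBody(Method m) {
        return m.isSynthetic() && Modifier.isPrivate(m.getModifiers());
    }

    public static void main(String[] args) {
        for (Method m : LambdaShapeDemo.class.getDeclaredMethods()) {
            int mods = m.getModifiers();
            // Method names such as lambda$nonCapturing$0 are a javac convention only.
            System.out.printf("%-30s private=%-5b static=%-5b synthetic=%-5b lambdaLike=%b%n",
                    m.getName(), Modifier.isPrivate(mods), Modifier.isStatic(mods),
                    m.isSynthetic(), looksLikeLambdaBody(m));
        }
    }
}
```

Compile with javac and run; the two lambda methods report lambdaLike=true while ordinaryHelper does not, and only the non-capturing one is static.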
@jsotuyod @mebigfatguy Do we have known problem in this topic? Can we release RC1 without closing this issue?
from spotbugs.
@KengoTODA I'm ok. This was more of an umbrella issue, the particular cases we were able to identify were fixed. Actually the changes in #21 probably resolved several related issues.
We can probably close this and just open particular issues as needed.
from spotbugs.
I think it's useless variables or something. You create a collection and then don't do anything with it. But you do use it with an invoke dynamic
from spotbugs.
@mebigfatguy good thinking!
from spotbugs.
What is the status of this issue? Can we release 3.1.0 without this?
from spotbugs.
I'm fine with releasing as is.
from spotbugs.
I guess SpotBugs itself cannot do anything about this, but I thought I'd mention it here for reference or if you actually can do something about it: find-sec-bugs/find-sec-bugs#332
from spotbugs.
Found another place, this time in SpotBugs itself: edu.umd.cs.findbugs.ba.Hierarchy#resolveMethodCallTargets(org.apache.bcel.generic.InvokeInstruction, edu.umd.cs.findbugs.ba.type.TypeFrame, org.apache.bcel.generic.ConstantPoolGen) calls typeFrame.getInstanceStackLocation(invokeInstruction, cpg), which returns -1. typeFrame.getStackValue(instanceStackLocation) then of course throws "Error generating derefs for ... edu.umd.cs.findbugs.ba.DataflowAnalysisException: can't get position -1 of stack".
I can reproduce this with the following file:
    import java.io.File;
    import java.util.ArrayList;
    import java.util.List;

    public class Test
    {
        public static void main(String[] args) throws Exception
        {
            List<String> notOkList = new ArrayList<>();
            for (String fileName : new File("").list()) { }
            notOkList.forEach(notOk -> System.out.println(notOk));
        }
    }
from spotbugs.
What's the progress on this?
I'm still getting errors in 2018 with 3.1.7:
The following classes needed for analysis were missing:
accept
handle
get
apply
handleConnection
handleUserCheck
from spotbugs.
Still getting these warnings in 3.1.10
from spotbugs.
Hello everyone,
Is it possible to know whether this issue could be leading to false positive detections?
SpotBugs in combination with FindSecBugs generates different results depending on the Java bytecode version.
Using a Java version greater than 8 to generate the bytecode, the number of false positives increases considerably.
from spotbugs.
I remember one false positive when I upgraded from Java 8 to Java 11 (actually it wasn't a false positive).
I think it was in the try-with-resources and AutoCloseable Java feature.
With Java 8 I didn't get the warning from SpotBugs, but with Java 11 I got some warnings in try-with-resources.
I investigated the bytecode generated in Java 8 vs bytecode of Java 11 and actually it was different.
If you decompile the class files you can see that there is a real issue in there and not a false positive and Spotbugs highlighted that issue from the generated bytecode.
Because I couldn't fix the generated bytecode I decided to suppress those warnings in Spotbugs.
from spotbugs.