otbugs.spotbugs.4.8.4.source-code.messages.xml Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of spotbugs Show documentation
Show all versions of spotbugs Show documentation
SpotBugs: Because it's easy!
<?xml version="1.0" encoding="UTF-8"?> <MessageCollection xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="messagecollection.xsd"> <!-- ********************************************************************** Plugin information ********************************************************************** --> <Plugin> <ShortDescription>Core SpotBugs plugin</ShortDescription> <Details> <![CDATA[ <p> This plugin contains all of the standard SpotBugs detectors. </p> ]]> </Details> <BugsUrl>https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html</BugsUrl> <AllBugsUrl>https://spotbugs.readthedocs.io/en/latest/bugDescriptions.html</AllBugsUrl> </Plugin> <FindBugsMain cmd="addMessages" class="edu.umd.cs.findbugs.AddMessages"> <Description>Add msgs (e.g., textual descriptions of bugs) to analysis results</Description> </FindBugsMain> <FindBugsMain cmd="analyze" class="edu.umd.cs.findbugs.FindBugs2"> <Description>Perform SpotBugs Analysis</Description> </FindBugsMain> <FindBugsMain cmd="gui" class="edu.umd.cs.findbugs.gui2.Driver"> <Description>Launch SpotBugs GUI</Description> </FindBugsMain> <FindBugsMain cmd="list" class="edu.umd.cs.findbugs.PrintingBugReporter"> <Description>Convert analysis results to textual form</Description> </FindBugsMain> <FindBugsMain cmd="help" class="edu.umd.cs.findbugs.ShowHelp"> <Description>Provide help for commands</Description> </FindBugsMain> <FindBugsMain cmd="version" class="edu.umd.cs.findbugs.Version"> <Description>List SpotBugs version</Description> </FindBugsMain> <FindBugsMain cmd="filter" class="edu.umd.cs.findbugs.workflow.Filter"> <Description>Filter analysis results</Description> </FindBugsMain> <FindBugsMain cmd="set" class="edu.umd.cs.findbugs.workflow.SetBugDatabaseInfo"> <Description>Set project configuration/options</Description> </FindBugsMain> <FindBugsMain cmd="history" class="edu.umd.cs.findbugs.workflow.MineBugHistory"> <Description>List details from multi-version analysis results</Description> </FindBugsMain> <FindBugsMain cmd="union" class="edu.umd.cs.findbugs.workflow.UnionResults"> <Description>Merge analysis results from disjoint components</Description> </FindBugsMain> <FindBugsMain cmd="merge" class="edu.umd.cs.findbugs.workflow.Update"> <Description>Combine analysis results from different versions of software to produce multi-version analysis results</Description> </FindBugsMain> <FindBugsMain cmd="dis" class="edu.umd.cs.findbugs.workflow.PrintClass"> <Description>Disassemble a class file</Description> </FindBugsMain> <FindBugsMain cmd="errors" class="edu.umd.cs.findbugs.workflowListErrors"> <Description>List analysis errors stored in results file</Description> </FindBugsMain> <!-- On changing this, please also update default cloud id in FindbugsPlugin --> <Cloud id="edu.umd.cs.findbugs.cloud.doNothingCloud"> <Description>(cloud disabled)</Description> <Details>Bug reviews are disabled when using this plugin.</Details> </Cloud> <PluginComponent id="edu.umd.cs.findbugs.bugReporter.SuppressMultithreaded"> <Description>Suppress multithreaded correctness issues</Description> <Details>Suppress all multithreaded correctness issues</Details> </PluginComponent> <PluginComponent id="edu.umd.cs.findbugs.bugReporter.SuppressI18N"> <Description>Suppress internationalization issues</Description> <Details>Suppress all internationalization issues</Details> </PluginComponent> <PluginComponent id="edu.umd.cs.findbugs.bugReporter.SelectivelySuppressI18N"> <Description>Suppress internationalization issues in all but selected packages</Description> <Details>Suppress all internationalization issues except those specified in the i18n.properties resource</Details> </PluginComponent> <PluginComponent id="edu.umd.cs.findbugs.bugReporter.MaxRank14"> <Description>Suppress all issues with rank higher than 14</Description> <Details>Suppress all issues with rank higher than 14</Details> </PluginComponent> <PluginComponent id="edu.umd.cs.findbugs.bugReporter.SuppressMalicious"> <Description>Suppress warnings about vulnerabilities to malicious code</Description> <Details>Suppress warnings about vulnerabilities to malicious code</Details> </PluginComponent> <!-- ********************************************************************** Categories (replacing the BugCategoryDescriptions.properties file) ********************************************************************** --> <BugCategory category="CORRECTNESS"> <Description>Correctness</Description> <Abbreviation>C</Abbreviation> <Details>Probable bug - an apparent coding mistake resulting in code that was probably not what the developer intended. We strive for a low false positive rate.</Details> </BugCategory> <BugCategory category="NOISE"> <Description>Bogus random noise</Description> <Abbreviation>N</Abbreviation> <Details>Bogus random noise: intended to be useful as a control in data mining experiments, not in finding actual bugs in software </Details> </BugCategory> <BugCategory category="SECURITY"> <Description>Security</Description> <Abbreviation>S</Abbreviation> <Details>A use of untrusted input in a way that could create a remotely exploitable security vulnerability. </Details> </BugCategory> <BugCategory category="BAD_PRACTICE"> <Description>Bad practice</Description> <Abbreviation>B</Abbreviation> <Details>Violations of recommended and essential coding practice. Examples include hash code and equals problems, cloneable idiom, dropped exceptions, Serializable problems, and misuse of finalize. We strive to make this analysis accurate, although some groups may not care about some of the bad practices.</Details> </BugCategory> <BugCategory category="STYLE"> <Description>Dodgy code</Description> <Abbreviation>D</Abbreviation> <Details>Code that is confusing, anomalous, or written in a way that leads itself to errors. Examples include dead local stores, switch fall through, unconfirmed casts, and redundant null check of value known to be null. More false positives accepted. In previous versions of SpotBugs, this category was known as Style. </Details> </BugCategory> <BugCategory category="PERFORMANCE"> <Description>Performance</Description> <Abbreviation>P</Abbreviation> <Details>Code that is not necessarily incorrect but may be inefficient</Details> </BugCategory> <BugCategory category="MALICIOUS_CODE"> <Description>Malicious code vulnerability</Description> <Abbreviation>V</Abbreviation> <Details>Code that is vulnerable to attacks from untrusted code</Details> </BugCategory> <BugCategory category="MT_CORRECTNESS"> <Description>Multithreaded correctness</Description> <Abbreviation>M</Abbreviation> <Details>Code flaws having to do with threads, locks, and volatiles</Details> </BugCategory> <BugCategory category="I18N"> <Description>Internationalization</Description> <Abbreviation>I</Abbreviation> <Details>Code flaws having to do with internationalization and locale</Details> </BugCategory> <BugCategory category="EXPERIMENTAL"> <Description>Experimental</Description> <Abbreviation>X</Abbreviation> <Details>Experimental and not fully vetted bug patterns</Details> </BugCategory> <!-- ********************************************************************** Detectors ********************************************************************** --> <Detector class="edu.umd.cs.findbugs.detect.ConstructorThrow"> <Details> <![CDATA[ <p> Finds constructors that throw exceptions. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.OverridingMethodsMustInvokeSuperDetector"> <Details> <![CDATA[ <p> Finds overriding methods that must call super. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindRoughConstants"> <Details> <![CDATA[ <p> Finds constants which roughly (but not precisely) equal to known values like Math.PI. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.InitializeNonnullFieldsInConstructor"> <Details> <![CDATA[ <p> Finds non-null fields that are not written to in constructors. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.IntCast2LongAsInstant"> <Details> <![CDATA[ <p> Finds uses of 32-bit values to describe milliseconds since the epoch. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.TrainLongInstantfParams"> <Details> <![CDATA[ <p> Builds database of parameters that take a 64 bit value describing milliseconds since the epoch.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.InconsistentAnnotations"> <Details> <![CDATA[ <p> This detector finds inconsistencies between type qualifiers directly applied to method parameters and uses of those method parameters. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.AtomicityProblem"> <Details> <![CDATA[ <p> Finds sequences of operations (e.g., get/put) on a concurrent abstraction that will not be executed atomically. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.SynchronizationOnSharedBuiltinConstant"> <Details> <![CDATA[ <p> This detector looks for synchronization on a shared built-in constant (such as a String).</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.SynchronizeAndNullCheckField"> <Details> <![CDATA[ <p> This detector looks for a field that is synchronized on and then null checked.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.CheckImmutableAnnotation"> <Details> <![CDATA[ <p> Looks for violations of the rules for classes annotated as net.jcip.annotations.Immutable or javax.annotation.concurrent.Immutable.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.VarArgsProblems"> <Details> <![CDATA[ <p> Looks for problems with arising from Java 5 varargs.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.NoteJCIPAnnotation"> <Details> <![CDATA[ <p> Record annotations from the net.jcip.annotations package.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.NoteDirectlyRelevantTypeQualifiers"> <Details> <![CDATA[ <p> Note the type qualifiers relevant to analyzing a method.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.BuildInterproceduralCallGraph"> <Details> <![CDATA[ <p>Builds the interprocedural call graph.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.BuildObligationPolicyDatabase"> <Details> <![CDATA[ <p>Builds the database of obligation types and methods used by the FindUnsatisfiedObligation detector. ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.NoteSuppressedWarnings"> <Details> <![CDATA[ <p> Suppresses warnings based on use of the edu.umd.cs.findbugs.annotations.NoteSuppressWarnings annotation.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.NoteAnnotationRetention"> <Details> <![CDATA[ <p> Records annotation retention.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.NoteSyntheticElements"> <Details> <![CDATA[ <p>Records synthetic classes, methods, fields, etc.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.Methods"> <Details> <![CDATA[ <p> Builds a database of all methods defined in analyzed classes, for use by other detectors.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.ReflectiveClasses"> <Details> <![CDATA[ <p> Try to determine which classes have constant references to their .class objects. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.CalledMethods"> <Details> <![CDATA[ <p> Builds a database of all methods invoked in analyzed classes, for use by other detectors.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindNoSideEffectMethods"> <Details> <![CDATA[ <p> Looks for the methods which have no side effect, just return some value.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.BuildStringPassthruGraph"> <Details> <![CDATA[ <p> Builds the database of string parameters passed from method to method unchanged.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FunctionsThatMightBeMistakenForProcedures"> <Details> <![CDATA[ <p> Looks for immutable classes with methods that return new instances of that class, where people might accidentally think those methods mutate the instance they are invoked on. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.ConfusionBetweenInheritedAndOuterMethod"> <Details> <![CDATA[ <p> Looks for potential confusion between inherited and outer methods.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.NoteCheckReturnValueAnnotations"> <Details> <![CDATA[ <p> Looks for annotations to check return values of a method. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.SynchronizeOnClassLiteralNotGetClass"> <Details> <![CDATA[ <p> Looks for code that synchronizes on the results of getClass rather than on class literals. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FieldItemSummary"> <Details> <![CDATA[ <p> This detector produces summary information for what is stored into fields. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.NoteNonNullAnnotations"> <Details> <![CDATA[ <p> Looks for @Nonnull annotations on methods, fields, and parameters. These can be used by the FindNullDeref detector to generate warnings when a possibly-null value is used in a context where only non-null values should be used. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.NoteUnconditionalParamDerefs"> <Details> <![CDATA[ <p> Analyze all methods in the application to determine which dereference parameters unconditionally. This information is used in a later analysis pass to find call sites where null values may be passed to those methods. </p> <p> This is a slow detector. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.NoteNonnullReturnValues"> <Details> <![CDATA[ <p> Analyze all methods in the application to determine which methods always return non-null values. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.BooleanReturnNull"> <Details> <![CDATA[ <p> Looks for methods with Boolean return type that return explicit null values.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.OptionalReturnNull"> <Details> <![CDATA[ <p> Looks for methods with Optional return type that return explicit null values.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindUselessObjects"> <Details> <![CDATA[ <p> Looks for useless objects.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.MutableEnum"> <Details> <![CDATA[ <p> Looks and warns about mutable enum fields.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.BadUseOfReturnValue"> <Details> <![CDATA[ <p> Looks for cases where the return value of a function is discarded after being checked for non-null. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.InheritanceUnsafeGetResource"> <Details> <![CDATA[ <p> Looks for uses of this.getClass().getResource(...), which can give unexpected results if the class is extended by a class in another package. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.InfiniteRecursiveLoop"> <Details> <![CDATA[ <p> Looks for an infinite recursive loop. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.InfiniteLoop"> <Details> <![CDATA[ <p> Looks for an infinite loop. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.VolatileUsage"> <Details> <![CDATA[ <p> Looks for bug patterns in the usage of volatile fields. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.EmptyZipFileEntry"> <Details> <![CDATA[ <p> This looks for creation of empty ZIP file entries. It is a moderately fast detector.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.UncallableMethodOfAnonymousClass"> <Details> <![CDATA[ <p> This detector looks for anonymous inner classes that define methods that are probably intended to but do not override methods in a superclass. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.DontUseEnum"> <Details> <![CDATA[ <p>Checks that fields and methods don't use the name assert or enum as they are keywords in Java 5.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.URLProblems"> <Details> <![CDATA[ <p> The equals and hashCode method on <code>java.net.URL</code> resolve the domain name. As a result, these operations can be very expensive, and this detector looks for places where those methods might be invoked. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FinalizerNullsFields"> <Details> <![CDATA[ <p> This detector looks for finalizers that null out fields of a class. This does not help the garbage collector in any way, the nulling out of fields has no effect. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.CrossSiteScripting"> <Details> <![CDATA[ <p> This detector looks for obvious/blatant cases of cross site scripting vulnerabilities.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.RepeatedConditionals"> <Details> <![CDATA[ <p> This detector looks for code containing repeated conditional tests, such as (x == 5 || x == 5). ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.RedundantConditions"> <Details> <![CDATA[ <p> This detector looks for code containing useless conditions like the second condition in this expression: (x >= 10 && x >= 5). ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.CallToUnsupportedMethod"> <Details> <![CDATA[ <p> This detector looks for calls to methods that are unsupported. ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FormatStringChecker"> <Details> <![CDATA[ <p> Checks for incorrect format strings. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.EqualsOperandShouldHaveClassCompatibleWithThis"> <Details> <![CDATA[ <p> Checks for equals methods that check for their operand being an instance of a class that is not compatible with the class defining the equals method. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.TestingGround"> <Details> <![CDATA[ <p> This detector is just a hook for testing new detectors. Normally, this detector does nothing.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.TestingGround2"> <Details> <![CDATA[ <p> This detector is just a hook for testing new detectors. Normally, this detector does nothing.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.LostLoggerDueToWeakReference"> <Details> <![CDATA[ <p> This detector finds code that behaves differently under OpenJDK 6, where weak references are used to hold onto Loggers. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.TestingGround2"> <Details> <![CDATA[ <p> This detector is just a hook for testing new detectors. Normally, this detector does nothing.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.Noise"> <Details> <![CDATA[ <p> This detector generates a random signal: warnings that are just based on hash values of the operations performed by methods. These warnings are bogus random noise, intended to be useful as a control in data mining experiments, not in finding actual bugs in software. This detector is just a hook for testing new detectors. Normally, this detector does nothing.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.NoiseNullDeref"> <Details> <![CDATA[ <p> Noisy detector for null dereferences. Intended to be used as a control in experiments about the validity or predictive ability of warnings, not as a way to find problems in code. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.HugeSharedStringConstants"> <Details> <![CDATA[ <p> This detector looks for string constants that are duplicated across multiple classfiles. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.DoInsideDoPrivileged"> <Details> <![CDATA[ <p> Looks for code that should be executed inside doPrivileged blocks.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.ResolveAllReferences"> <Details> <![CDATA[ <p> Checks that all references call be resolved. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.SwitchFallthrough"> <Details> <![CDATA[ <p> This detector looks for switch statements containing fall through. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindFieldSelfAssignment"> <Details> <![CDATA[ <p> This detector looks for places where a field is assigned by reading the value of the same field. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindSelfComparison"> <Details> <![CDATA[ <p> This detector looks for places where a value is compared with itself.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindSelfComparison2"> <Details> <![CDATA[ <p> This detector looks for places where a value is compared with itself.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindNonShortCircuit"> <Details> <![CDATA[ <p> This detector looks for suspicious uses of non-short-circuiting boolean operators (<code>|</code> and <code>&</code> instead of <code>||</code> and <code>&&</code>).</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.DontCatchIllegalMonitorStateException"> <Details> <![CDATA[ <p> This detector looks for try-catch blocks that catch an IllegalMonitorStateException.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindFloatMath"> <Details> <![CDATA[ <p> This detector looks for uses of floating point math. It is a moderately fast detector.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.CloneIdiom"> <Details> <![CDATA[ <p> This detector looks for violations of the idioms for writing cloneable classes. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.MultipleInstantiationsOfSingletons"> <Details> <![CDATA[ <p> This detector looks for violations of the idioms for writing classes using singleton design pattern. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.ThrowingExceptions"> <Details> <![CDATA[ <p> This detector looks for methods throwing RuntimeException and methods that have Exception or Throwable in their throws clause. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.ComparatorIdiom"> <Details> <![CDATA[ <p> This detector looks for violations of the idioms for writing classes that implement <code>Comparator</code>. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.DroppedException"> <Details> <![CDATA[ <p> This detector looks for code where an exception is caught, but nothing is done to handle the exception. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.LoadOfKnownNullValue"> <Details> <![CDATA[ <p> Looks for loads of values known to be null. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.DumbMethodInvocations"> <Details> <![CDATA[ <p> This detector looks for bad arguments being passed to methods (e.g., substring(0)). </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.DumbMethods"> <Details> <![CDATA[ <p> This detector looks for calls to pointless methods, such as the no-argument String constructor. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.CovariantArrayAssignment"> <Details> <![CDATA[ <p> This detector looks for covariant array assignments like Object[] array = new String[10] which may cause ArrayStoreException at runtime. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.NumberConstructor"> <Details> <![CDATA[ <p> Looks for calls to Number constructors with primitive arguments. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindDoubleCheck"> <Details> <![CDATA[ <p> This detector looks for instances of double-checked locking. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindFinalizeInvocations"> <Details> <![CDATA[ <p> This detector looks for calls to finalize() and other finalizer-related issues. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindHEmismatch"> <Details> <![CDATA[ <p> This detector looks for problems in the definition of the hashCode() and equals() methods. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.OverridingEqualsNotSymmetrical"> <Details> <![CDATA[ <p> Looks for equals methods that override equals methods in a superclass where the equivalence relationship might not be symmetrical. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindNakedNotify"> <Details> <![CDATA[ <p> This detector looks for calls to notify() that don't seem to modify mutable object state. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindReturnRef"> <Details> <![CDATA[ <p> This detector looks for methods that return mutable static data. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindRunInvocations"> <Details> <![CDATA[ <p> This detector looks for calls to Thread.run(). It is a fast detector.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindSpinLoop"> <Details> <![CDATA[ <p> This detector looks for loops that spin reading from a field. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindTwoLockWait"> <Details> <![CDATA[ <p> This detector looks for calls to wait() with two (or more) locks held. It is a slow detector.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindUnconditionalWait"> <Details> <![CDATA[ <p> This detector looks for calls to wait() not in a conditional or loop. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindUninitializedGet"> <Details> <![CDATA[ <p> This detector looks for reads of uninitialized fields in constructors. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindUnsyncGet"> <Details> <![CDATA[ <p> This detector looks for get and set methods where the get is unsynchronized while the set is synchronized. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.InitializationChain"> <Details> <![CDATA[ <p> This detector looks for potentially circular class initialization dependencies. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.IteratorIdioms"> <Details> <![CDATA[ <p> This detector looks for problems in how Iterator classes are defined. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.LockedFields"> <Details> <![CDATA[ <p> This detector looks for fields that are accessed in an inconsistent manner with respect to locking. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.EqStringTest"> <Details> <![CDATA[ <p> This detector looks for comparisons of String objects using the == or != operators. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.MutableLock"> <Details> <![CDATA[ <p> This detector looks for synchronization on objects read from modified fields. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.SynchronizingOnContentsOfFieldToProtectField"> <Details> <![CDATA[ <p> This detector looks for code that seems to be synchronizing on a field in order to guard updates of that field. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.MutableStaticFields"> <Details> <![CDATA[ <p> This detector looks for static fields that may be modified by malicious code. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.Naming"> <Details> <![CDATA[ <p> This detector looks for suspiciously-named methods. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.ReadReturnShouldBeChecked"> <Details> <![CDATA[ <p> This detector looks for calls to InputStream.read() or InputStream.skip() where the return value is ignored. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.SerializableIdiom"> <Details> <![CDATA[ <p> This detector looks for potential problems in the implementation of Serializable classes. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.StartInConstructor"> <Details> <![CDATA[ <p> This detector looks for constructors that start threads. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindBadForLoop"> <Details> <![CDATA[ <p> This detector looks for incorrect for loops. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.ExplicitSerialization"> <Details> <![CDATA[ <p> Looks for explicit serialization via readObject and writeObject as evidence that this class is, indeed, serialized. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.UnreadFields"> <Details> <![CDATA[ <p> This detector looks for fields whose value is never read. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.WaitInLoop"> <Details> <![CDATA[ <p> This detector looks for calls to wait() that are not in a loop. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.BCPMethodReturnCheck"> <Details> <![CDATA[ <p> This detector looks for calls to methods where the return value is suspiciously ignored. It is a slow detector.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindComparatorProblems"> <Details> <![CDATA[ <p> This detector looks for problems in Comparator.compare or Comparable.compareTo implementation.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindNullDeref"> <Details> <![CDATA[ <p> This detector looks for places where a null pointer exception might occur. It also looks for redundant comparisons of reference values against null. It is a slow detector.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindNullDerefsInvolvingNonShortCircuitEvaluation"> <Details> <![CDATA[ <p> This detector looks for places where a null pointer exception might occur, and the use of non-short-circuit evaluation causes the usual techniques to fail. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindOpenStream"> <Details> <![CDATA[ <p> This detector looks for IO stream objects which do not escape the method and do not appear to be closed on all paths out of the method. It is a slow detector.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.PreferZeroLengthArrays"> <Details> <![CDATA[ <p> This detector looks for methods that return either arrays or an explicit null reference. Returning a zero length array is generally preferred in this context to returning a null reference. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindUselessControlFlow"> <Details> <![CDATA[ <p> This detector looks for control flow statements which have no effect. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindUnreleasedLock"> <Details> <![CDATA[ <p> This detector looks for JSR-166 (<code>java.util.concurrent</code>) locks which are acquired, but not released on all paths out of the method. It is a moderately fast detector. Note that in order to use this detector, you need to have the <code>java.util.concurrent</code> package in the auxiliary classpath (or be analyzing the package itself).</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindRefComparison"> <Details> <![CDATA[ <p> This detector looks for places where two reference values are compared with the == or != operator, and the class is of a type (such as <code>java.lang.String</code>) where comparing reference values is generally an error. It is a slow detector.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindMismatchedWaitOrNotify"> <Details> <![CDATA[ <p> This detector looks for calls to wait(), notify(), or notifyAll() which do not appear to be made on an object which is currently locked. It is a moderately fast detector. <b>This detector is disabled because it is still under development, and produces too many false positives.</b></p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindEmptySynchronizedBlock"> <Details> <![CDATA[ <p> This detector looks for empty synchronized blocks.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindInconsistentSync2"> <Details> <![CDATA[ <p> This detector looks for fields that are accessed in an inconsistent manner with respect to locking. It is a slow detector.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindLocalSelfAssignment2"> <Details> <![CDATA[ <p> This detector looks for self assignments of local variables. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.IncompatMask"> <Details> <![CDATA[ <p> This detector looks for suspicious bitwise logical expressions. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.LazyInit"> <Details> <![CDATA[ <p> This detector looks for lazy field initialization where the field is not volatile. It is a moderately fast detector.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindJSR166LockMonitorenter"> <Details> <![CDATA[ <p> This detector looks for ordinary synchronization performed on JSR166 locks. It is a moderately fast detector.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindUncalledPrivateMethods"> <Details> <![CDATA[ <p> This detector looks for private methods that are never called. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.StringConcatenation"> <Details> <![CDATA[ <p> This detector looks for String concatenation in loops using +. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.InefficientInitializationInsideLoop"> <Details> <![CDATA[ <p> This detector looks for objects initialized within loop which can be moved outside for better performance. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.InefficientIndexOf"> <Details> <![CDATA[ <p> This detector looks for code that uses String.indexOf(String) or String.lastIndexOf(String), passing a constant string of length 1. It is recommended to use the more efficient integer implementations. A fast detector. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.InefficientToArray"> <Details> <![CDATA[ <p> This detector looks for code that converts Collections to arrays using the toArray() method that takes a prototype array, passing an array argument which is zero-length. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.InvalidJUnitTest"> <Details> <![CDATA[ <p> This detector looks for JUnit tests that are malformed. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.BadlyOverriddenAdapter"> <Details> <![CDATA[ <p> This detector looks for code that extends an Adapter class and overrides a Listener method with the wrong signature. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.BadResultSetAccess"> <Details> <![CDATA[ <p> This detector looks for calls to getXXX or setXXX methods of a result set where the field index is 0. As ResultSet fields start at index 1, this is always a mistake. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.SuperfluousInstanceOf"> <Details> <![CDATA[ <p> This detector looks for type checks using the instanceof operator where the determination can be done statically. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.BadAppletConstructor"> <Details> <![CDATA[ <p> This detector looks for Applet constructors that call methods in the parent Applet that rely on the Applet stub. Since this stub isn't initialized until just before the init() method, these methods will fail in the constructor. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.SuspiciousThreadInterrupted"> <Details> <![CDATA[ <p> This detector looks for calls to Thread.interrupted() from a non-static context. If it is called from Thread.currentThread().interrupted(), then it is just a useless exercise, just use Thread.interrupted(). However if it is called on an arbitrary thread object, it is most probably an error, as interrupted() is always called on the current thread. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindSqlInjection"> <Details> <![CDATA[ <p> This detector uses data flow analysis to look for invocations of execute methods on SQL statements in which something other than a constant string is passed as an argument. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindDeadLocalStores"> <Details> <![CDATA[ <p> This detector looks for assignments to local variables that are never subsequently read. It is a moderately fast detector. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindMaskedFields"> <Details> <![CDATA[ <p> This detector looks for class level fields that are masked by local fields defined in methods. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.WrongMapIterator"> <Details> <![CDATA[ <p> This detector looks for accessing the value of a Map entry, using a key that was retrieved from a keySet iterator. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.InstantiateStaticClass"> <Details> <![CDATA[ <p> This detector looks for code that creates objects based on classes that only define static methods. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.RuntimeExceptionCapture"> <Details> <![CDATA[ <p> This detector looks for catch clauses that catch Exception, when no code in the block throws Exception. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.DontCatchNullPointerException"> <Details> <![CDATA[ <p>Nullpointer exceptions should not be caught.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindFloatEquality"> <Details> <![CDATA[ <p> Looks for floating point equality expressions. A fast detector. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindUnsatisfiedObligation"> <Details> <![CDATA[ <p>This detector looks for I/O streams and database resources that are not cleaned up on all paths out of a method. This is a slow detector.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.UnnecessaryMath"> <Details> <![CDATA[ <p>This detector looks for code that calls java.lang.Math static methods on constant values, where the resultant value is a statically known constant. It is faster, and sometimes more accurate, to use the constant instead.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindCircularDependencies"> <Details> <![CDATA[ <p>This detector looks for circular dependencies among classes. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.RedundantInterfaces"> <Details> <![CDATA[ <p>This detector looks for classes that declare they implement the same interface as a super class. This is redundant, if a superclass implements an interface, so does the subclass.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.MultithreadedInstanceAccess"> <Details> <![CDATA[ <p>This detector looks for potential problems in implementing the Struts framework. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.PublicSemaphores"> <Details> <![CDATA[ <p>This detector looks for public classes that synchronize and use wait(), notify() or notifyAll() on <b>this</b>. This exposes a synchronization implementation as a public artifact of the class. Clients of the class may use an instance of the class as its own synchronizing object, and cause havoc to the base implementation. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.MethodReturnCheck"> <Details> <![CDATA[ <p> This detector looks for calls to methods where the return value is suspiciously ignored. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.IDivResultCastToDouble"> <Details> <![CDATA[ <p> This detector looks for places where the result of integer division is cast to double. Often, what was meant was to cast the integer operands to double and then perform the division. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindBadCast2"> <Details> <![CDATA[ <p> This detector looks for bad casts of object references using data flow analysis. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindNonSerializableStoreIntoSession"> <Details> <![CDATA[ <p> This detector looks for stores of non Serializable objects into HTTP sessions. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindUseOfNonSerializableValue"> <Details> <![CDATA[ <p> This detector looks for uses of non Serializable objects in contexts that require them to be serializable. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindNonSerializableValuePassedToWriteObject"> <Details> <![CDATA[ <p> This detector looks for non Serializable objects passed to the writeObject method of an ObjectOutput. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.BadSyntaxForRegularExpression"> <Details> <![CDATA[ <p> This detector looks for regular expressions that have invalid syntax. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindPuzzlers"> <Details> <![CDATA[ <p> This detector looks for miscellaneous small errors mentioned by Joshua Bloch and Neal Gafter in their work on Programming Puzzlers. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindSleepWithLockHeld"> <Details> <![CDATA[ <p> This detector looks for calls to Thread.sleep() made with a lock held. It is a slow detector. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.DuplicateBranches"> <Details> <![CDATA[ <p> This detector looks for if/else or switch statements that have the same code for two branches, thus rendering the test useless. This often is caused by copying and pasting the two branches, causing incorrect logic for the one branch.</p><p></p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.InefficientMemberAccess"> <Details> <![CDATA[ <p> This detector looks for internal classes that write to member variables of the owning class, when that member variable is private. In this case, a special compiler generated accessor method needs to be used to write to this variable. Relaxing the visibility to protected will allow the field to be directly written.</p> <p></p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.XMLFactoryBypass"> <Details> <![CDATA[ <p> This detector looks for direct allocations of implementations of XML interfaces. This ties the code to a specific implementation, rather than using the supplied factory pattern to create these objects.</p> <p></p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.UselessSubclassMethod"> <Details> <![CDATA[ <p> This detector looks for subclasses that implement methods defined in the super class, that only pass the parameters untouched to the parent class method. These methods can just be removed. </p> <p></p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.ConfusedInheritance"> <Details> <![CDATA[ <p> This detector looks for final classes that declare protected members. As this class cannot be derived from, the use of protected access for members is incorrect. The access should be changed to public or private to represent the correct intention of the field. This was probably caused by a change in use for this class, without completely changing all of the class to the new paradigm. </p> <p></p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.QuestionableBooleanAssignment"> <Details> <![CDATA[ <p> This detector looks for simple assignments of literal boolean values to variables in conditional expressions. </p> <p></p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.TrainNullReturnValues"> <Details> <![CDATA[ <p> TrainNullReturnValues determines which methods may return null and saves them to a file. The resulting file may be used in a subsequent pass to improve the precision of the null-dereference detector. Since this is just a training pass, no warnings are reported. </p> <p> This is a slow detector. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.TrainUnconditionalDerefParams"> <Details> <![CDATA[ <p> TrainUnconditionalParamDerefs determines which methods may unconditionally dereference parameters and saves them to a file. The resulting file may be used in a subsequent pass to improve the precision of the null-dereference detector. Since this is just a training pass, no warnings are reported. </p> <p> This is a slow detector. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.TrainFieldStoreTypes"> <Details> <![CDATA[ <p> TrainFieldStoreTypes analyzes the types stored into fields and stores them to a database. The database may be used in a later pass to make type analysis more precise. </p> <p> This is a slow detector. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.TrainNonNullAnnotations"> <Details> <![CDATA[ <p> TrainNonNullAnnotations collects @Nonnull and @PossiblyNull annotations and stores them to database files. This is a fast detector. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.CheckCalls"> <Details> <![CDATA[ <p>This detector is just for debugging method call resolution in SpotBugs. Don't enable it.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindBugsSummaryStats"> <Details> <![CDATA[ <p> This detector just collects summary statistics information about the analysis process. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.TestASM"> <Details> <![CDATA[ <p> This detector is a code example showing how to write a SpotBugs detector using the ASM bytecode analysis framework. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.ViewCFG"> <Details> <![CDATA[ <p> Generate DOT files from the CFGs. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindUnrelatedTypesInGenericContainer"> <Details> <![CDATA[ <p> This detector looks at the arguments of calls to generic collection methods that receive a <code>java.lang.Object</code> to see if the argument's type is related to the collection's parameter. Arguments with unrelated class types are never going to be in the collection. For example, if <code>foo</code> is a <code>List<String></code> and <code>bar</code> is a <code>StringBuffer</code>, the call <code>foo.contains(bar)</code> will always return false. This is a fast detector. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.StaticCalendarDetector"> <Details> <![CDATA[ <p>This detector warns about static fields of type java.util.Calendar or java.text.DateFormat (and subclasses) because Calendars are inherently unsafe for multithreaded use. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.TestDataflowAnalysis"> <Details> <![CDATA[ <p>This is an internal detector used only for testing dataflow analyses. It is not enabled by default.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.CheckTypeQualifiers"> <Details> <![CDATA[ <p>Check for violations of properties specified by JSR-305 type qualifier annotations.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.AppendingToAnObjectOutputStream"> <Details> <![CDATA[ <p>Looks for an attempt to append to an object output stream.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.CheckExpectedWarnings"> <Details> <![CDATA[ <p>Checks @ExpectedWarning and @NoWarning annotations. This detector is used only for testing SpotBugs.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.DontIgnoreResultOfPutIfAbsent"> <Details> <![CDATA[ <p>Checks that if the result of putIfAbsent is ignored, the value passed as the second argument is not reused. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.ReadOfInstanceFieldInMethodInvokedByConstructorInSuperclass"> <Details> <![CDATA[ <p>Checks for methods invoked from constructors for superclasses. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.DefaultEncodingDetector"> <Details> <![CDATA[ <p> Checks for calls to methods which perform a byte to String (or String to byte) conversion using the user's default platform encoding. This can cause the application behavior to vary between platforms. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.CheckRelaxingNullnessAnnotation"> <Details> <![CDATA[ <p>Checks that overriding methods do not relax @Nonnull (made @CheckForNull) on return values or @CheckForNull (made @Nonnull) on parameters.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.DontAssertInstanceofInTests"> <Details> <![CDATA[ <p>Detector for patterns in JUnit tests where the type of an object is checked by asserting the instanceof operator.</p> <p> This should be avoided as the ClassCastException that would result from an improper cast may provide more information regarding the cause of the error than a "false is not true" message which would result from asserting the result of the instanceof operator. </p> <p>It is a fast detector</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindBadEndOfStreamCheck"> <Details> <![CDATA[ <p>Detector for patterns where the return value of java.io.FileInputStream.read() or java.io.FileReader.read() is converted before checking against -1.</p> <p> Both methods return an int. If this int is converted to byte (in the case of FileInputStream.read()) then -1 and the byte 0xFF become indistinguishable. If it is converted to char (in the case of FileReader.read()) then -1 becomes 0xFFFF which is Character.MAX_VALUE since characters are unsigned in Java. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.ReflectionIncreaseAccessibility"> <Details> <![CDATA[ <p>Detector for public methods instantiating a class they get in their parameter.</p> <p> An attacker may invoke this method with a class that has no public constructor. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindOverridableMethodCall"> <Details> <![CDATA[ <p> Detector for patterns where a constructor, a clone(), or a readObject() method calls an overridable method. </p> <p> Calling an overridable method from a constructor may result in the use of uninitialized data. Calling such method from a clone(), or readObject() method is insecure. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindInstanceLockOnSharedStaticData"> <Details> <![CDATA[ <p> Detector for patterns where a shared static data is modified by either an instance level non-static synchronized method, or inside a synchronized block, which used a non-static lock object. </p> <p> Programs must not use instance locks to protect static shared data because instance locks are ineffective when two or more instances of the class are created. Consequently, failure to use a static lock object leaves the shared state unprotected against concurrent access. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.DontUseFloatsAsLoopCounters"> <Details> <![CDATA[ <p>Checks for floats in loop counters.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.PermissionsSuper"> <Details> <![CDATA[ <p>Checks method getPermissions() of classes implementing interface java.security.SecureClassLoader. The methods must always call super.getPermissions() to get the initial value of the object which they return at the end. </p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindPotentialSecurityCheckBasedOnUntrustedSource"> <Details> <![CDATA[ <p>Looks for potential security checks on an untrusted source before entering a doPrivileged block.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindAssertionsWithSideEffects"> <Details> <![CDATA[ <p>Finds assertions with side effects.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindPublicAttributes"> <Details> <![CDATA[ <p>This detector looks for public attributes that are also written by the methods of the class.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindVulnerableSecurityCheckMethods"> <Details> <![CDATA[ <p> Methods that perform security checks should be prevented from being overridden, so they must be declared as private or final. Otherwise, these methods can be compromised when a malicious subclass overrides them and omits the checks. </p>]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.FindArgumentAssertions"> <Details> <![CDATA[ <p>Finds assertions that validate public method arguments.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.DontReusePublicIdentifiers"> <Details> <![CDATA[ <p>Checks for reuse of public identifiers, public utility classes, interfaces, or packages in the Java Standard Library.</p> ]]> </Details> </Detector> <Detector class="edu.umd.cs.findbugs.detect.UnnecessaryEnvUsage"> <Details> <![CDATA[ <p>Checks for calls of System.getenv(), where the variable has an equivalent Java property too. </p> ]]> </Details> </Detector> <!-- ********************************************************************** BugPatterns ********************************************************************** --> <BugPattern type="CT_CONSTRUCTOR_THROW"> <ShortDescription>Be wary of letting constructors throw exceptions.</ShortDescription> <LongDescription>Exception thrown in class {0} at {1} will leave the constructor. The object under construction remains partially initialized and may be vulnerable to Finalizer attacks.</LongDescription> <Details> <![CDATA[ <p>Classes that throw exceptions in their constructors are vulnerable to Finalizer attacks</p> <p>A finalizer attack can be prevented, by declaring the class final, using an empty finalizer declared as final, or by a clever use of a private constructor.</p> <p>See <a href="https://wiki.sei.cmu.edu/confluence/display/java/OBJ11-J.+Be+wary+of+letting+constructors+throw+exceptions"><code>SEI CERT Rule OBJ-11</code></a> for more information. </p> ]]> </Details> </BugPattern> <BugPattern type="JUA_DONT_ASSERT_INSTANCEOF_IN_TESTS"> <ShortDescription> Asserting value of instanceof in tests is not recommended. </ShortDescription> <LongDescription> Assertion of type {0} in {2} at {3} may hide useful information about why a cast may have failed.</LongDescription> <Details> <![CDATA[ <p>Asserting type checks in tests is not recommended as a class cast exception message could better indicate the cause of an instance of the wrong class being used than an instanceof assertion.</p> <p>When debugging tests that fail due to bad casts, it may be more useful to observe the output of the resulting ClassCastException which could provide information about the actual encountered type. Asserting the type before casting would instead result in a less informative <code>"false is not true"</code> message.</p> <p>If JUnit is used with hamcrest, the <a href="https://junit.org/junit4/javadoc/latest/index.html?org/hamcrest/core/IsInstanceOf.html"><code>IsInstanceOf</code></a> class from hamcrest could be used instead.</p> ]]> </Details> </BugPattern> <BugPattern type="OVERRIDING_METHODS_MUST_INVOKE_SUPER"> <ShortDescription>Super method is annotated with @OverridingMethodsMustInvokeSuper, but the overriding method isn't calling the super method.</ShortDescription> <LongDescription>Super method is annotated with @OverridingMethodsMustInvokeSuper, but {1} isn't calling the super method.</LongDescription> <Details> <![CDATA[ <p>Super method is annotated with @OverridingMethodsMustInvokeSuper, but the overriding method isn't calling the super method.</p> ]]> </Details> </BugPattern> <BugPattern type="CNT_ROUGH_CONSTANT_VALUE"> <ShortDescription>Rough value of known constant found</ShortDescription> <LongDescription>Rough value of {3} found: {2}</LongDescription> <Details> <![CDATA[ <p>It's recommended to use the predefined library constant for code clarity and better precision.</p> ]]> </Details> </BugPattern> <BugPattern type="SKIPPED_CLASS_TOO_BIG"> <ShortDescription>Class too big for analysis</ShortDescription> <LongDescription>{0} is too big for analysis</LongDescription> <Details> <![CDATA[ <p>This class is bigger than can be effectively handled, and was not fully analyzed for errors. </p> ]]> </Details> </BugPattern> <BugPattern type="NOISE_NULL_DEREFERENCE"> <ShortDescription>Bogus warning about a null pointer dereference</ShortDescription> <LongDescription>Bogus warning about a null pointer dereference in {1}</LongDescription> <Details> <![CDATA[ <p>Bogus warning.</p> ]]> </Details> </BugPattern> <BugPattern type="NOISE_METHOD_CALL"> <ShortDescription>Bogus warning about a method call</ShortDescription> <LongDescription>Bogus warning about a method call {2} in {1}</LongDescription> <Details> <![CDATA[ <p>Bogus warning.</p> ]]> </Details> </BugPattern> <BugPattern type="NOISE_FIELD_REFERENCE"> <ShortDescription>Bogus warning about a field reference</ShortDescription> <LongDescription>Bogus warning about a reference to {2} in {1}</LongDescription> <Details> <![CDATA[ <p>Bogus warning.</p> ]]> </Details> </BugPattern> <BugPattern type="NOISE_OPERATION"> <ShortDescription>Bogus warning about an operation</ShortDescription> <LongDescription>Bogus warning about an operation {1}</LongDescription> <Details> <![CDATA[ <p>Bogus warning.</p> ]]> </Details> </BugPattern> <BugPattern type="DMI_BIGDECIMAL_CONSTRUCTED_FROM_DOUBLE"> <ShortDescription>BigDecimal constructed from double that isn't represented precisely</ShortDescription> <LongDescription>BigDecimal constructed from {4} in {1}</LongDescription> <Details> <![CDATA[ <p> This code creates a BigDecimal from a double value that doesn't translate well to a decimal number. For example, one might assume that writing new BigDecimal(0.1) in Java creates a BigDecimal which is exactly equal to 0.1 (an unscaled value of 1, with a scale of 1), but it is actually equal to 0.1000000000000000055511151231257827021181583404541015625. You probably want to use the BigDecimal.valueOf(double d) method, which uses the String representation of the double to create the BigDecimal (e.g., BigDecimal.valueOf(0.1) gives 0.1). </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_DOH"> <ShortDescription>D'oh! A nonsensical method invocation</ShortDescription> <LongDescription>D'oh! A nonsensical invocation of {2.nameAndSignature} in {1}</LongDescription> <Details> <![CDATA[ <p> This particular method invocation doesn't make sense, for reasons that should be apparent from inspection. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_VACUOUS_CALL_TO_EASYMOCK_METHOD"> <ShortDescription>Useless/vacuous call to EasyMock method</ShortDescription> <LongDescription>Useless/vacuous call to {2} in {1}</LongDescription> <Details> <![CDATA[ <p>This call doesn't pass any objects to the EasyMock method, so the call doesn't do anything. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_SCHEDULED_THREAD_POOL_EXECUTOR_WITH_ZERO_CORE_THREADS"> <ShortDescription>Creation of ScheduledThreadPoolExecutor with zero core threads</ShortDescription> <LongDescription>Creation of ScheduledThreadPoolExecutor with zero core threads in {1}</LongDescription> <Details> <![CDATA[ <p>(<a href="https://docs.oracle.com/javase/8/docs/api/java/util/concurrent/ScheduledThreadPoolExecutor.html#ScheduledThreadPoolExecutor-int-">Javadoc</a>) A ScheduledThreadPoolExecutor with zero core threads will never execute anything; changes to the max pool size are ignored. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_FUTILE_ATTEMPT_TO_CHANGE_MAXPOOL_SIZE_OF_SCHEDULED_THREAD_POOL_EXECUTOR"> <ShortDescription>Futile attempt to change max pool size of ScheduledThreadPoolExecutor</ShortDescription> <LongDescription>Futile attempt to change max pool size of ScheduledThreadPoolExecutor in {1}</LongDescription> <Details> <![CDATA[ <p>(<a href="https://docs.oracle.com/javase/8/docs/api/java/util/concurrent/ScheduledThreadPoolExecutor.html">Javadoc</a>) While ScheduledThreadPoolExecutor inherits from ThreadPoolExecutor, a few of the inherited tuning methods are not useful for it. In particular, because it acts as a fixed-sized pool using corePoolSize threads and an unbounded queue, adjustments to maximumPoolSize have no useful effect. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_UNSUPPORTED_METHOD"> <ShortDescription>Call to unsupported method</ShortDescription> <LongDescription>Call to unsupported method {2} in {1}</LongDescription> <Details> <![CDATA[ <p>All targets of this method invocation throw an UnsupportedOperationException. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_EMPTY_DB_PASSWORD"> <ShortDescription>Empty database password</ShortDescription> <LongDescription>Empty database password in {1}</LongDescription> <Details> <![CDATA[ <p>This code creates a database connect using a blank or empty password. This indicates that the database is not protected by a password. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_CONSTANT_DB_PASSWORD"> <ShortDescription>Hardcoded constant database password</ShortDescription> <LongDescription>Hardcoded constant database password in {1}</LongDescription> <Details> <![CDATA[ <p>This code creates a database connect using a hardcoded, constant password. Anyone with access to either the source code or the compiled code can easily learn the password. </p> ]]> </Details> </BugPattern> <BugPattern type="HRS_REQUEST_PARAMETER_TO_COOKIE"> <ShortDescription>HTTP cookie formed from untrusted input</ShortDescription> <LongDescription>HTTP cookie formed from untrusted input in {1}</LongDescription> <Details> <![CDATA[ <p>This code constructs an HTTP Cookie using an untrusted HTTP parameter. If this cookie is added to an HTTP response, it will allow an HTTP response splitting vulnerability. See <a href="http://en.wikipedia.org/wiki/HTTP_response_splitting">http://en.wikipedia.org/wiki/HTTP_response_splitting</a> for more information.</p> <p>SpotBugs looks only for the most blatant, obvious cases of HTTP response splitting. If SpotBugs found <em>any</em>, you <em>almost certainly</em> have more vulnerabilities that SpotBugs doesn't report. If you are concerned about HTTP response splitting, you should seriously consider using a commercial static analysis or pen-testing tool. </p> ]]> </Details> </BugPattern> <BugPattern type="HRS_REQUEST_PARAMETER_TO_HTTP_HEADER"> <ShortDescription>HTTP Response splitting vulnerability</ShortDescription> <LongDescription>HTTP parameter directly written to HTTP header output in {1}</LongDescription> <Details> <![CDATA[ <p>This code directly writes an HTTP parameter to an HTTP header, which allows for an HTTP response splitting vulnerability. See <a href="http://en.wikipedia.org/wiki/HTTP_response_splitting">http://en.wikipedia.org/wiki/HTTP_response_splitting</a> for more information.</p> <p>SpotBugs looks only for the most blatant, obvious cases of HTTP response splitting. If SpotBugs found <em>any</em>, you <em>almost certainly</em> have more vulnerabilities that SpotBugs doesn't report. If you are concerned about HTTP response splitting, you should seriously consider using a commercial static analysis or pen-testing tool. </p> ]]> </Details> </BugPattern> <BugPattern type="PT_RELATIVE_PATH_TRAVERSAL"> <ShortDescription>Relative path traversal in servlet</ShortDescription> <LongDescription>Relative path traversal in {1}</LongDescription> <Details> <![CDATA[ <p>The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. See <a href="http://cwe.mitre.org/data/definitions/23.html">http://cwe.mitre.org/data/definitions/23.html</a> for more information.</p> <p>SpotBugs looks only for the most blatant, obvious cases of relative path traversal. If SpotBugs found <em>any</em>, you <em>almost certainly</em> have more vulnerabilities that SpotBugs doesn't report. If you are concerned about relative path traversal, you should seriously consider using a commercial static analysis or pen-testing tool. </p> ]]> </Details> </BugPattern> <BugPattern type="PT_ABSOLUTE_PATH_TRAVERSAL"> <ShortDescription>Absolute path traversal in servlet</ShortDescription> <LongDescription>Absolute path traversal in {1}</LongDescription> <Details> <![CDATA[ <p>The software uses an HTTP request parameter to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory. See <a href="http://cwe.mitre.org/data/definitions/36.html">http://cwe.mitre.org/data/definitions/36.html</a> for more information.</p> <p>SpotBugs looks only for the most blatant, obvious cases of absolute path traversal. If SpotBugs found <em>any</em>, you <em>almost certainly</em> have more vulnerabilities that SpotBugs doesn't report. If you are concerned about absolute path traversal, you should seriously consider using a commercial static analysis or pen-testing tool. </p> ]]> </Details> </BugPattern> <BugPattern type="XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER"> <ShortDescription>Servlet reflected cross site scripting vulnerability</ShortDescription> <LongDescription>HTTP parameter written to Servlet output in {1}</LongDescription> <Details> <![CDATA[ <p>This code directly writes an HTTP parameter to Servlet output, which allows for a reflected cross site scripting vulnerability. See <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">http://en.wikipedia.org/wiki/Cross-site_scripting</a> for more information.</p> <p>SpotBugs looks only for the most blatant, obvious cases of cross site scripting. If SpotBugs found <em>any</em>, you <em>almost certainly</em> have more cross site scripting vulnerabilities that SpotBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool. </p> ]]> </Details> </BugPattern> <BugPattern type="XSS_REQUEST_PARAMETER_TO_SEND_ERROR"> <ShortDescription>Servlet reflected cross site scripting vulnerability in error page</ShortDescription> <LongDescription>HTTP parameter written to Servlet error page in {1}</LongDescription> <Details> <![CDATA[ <p>This code directly writes an HTTP parameter to a Server error page (using HttpServletResponse.sendError). Echoing this untrusted input allows for a reflected cross site scripting vulnerability. See <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">http://en.wikipedia.org/wiki/Cross-site_scripting</a> for more information.</p> <p>SpotBugs looks only for the most blatant, obvious cases of cross site scripting. If SpotBugs found <em>any</em>, you <em>almost certainly</em> have more cross site scripting vulnerabilities that SpotBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool. </p> ]]> </Details> </BugPattern> <BugPattern type="XSS_REQUEST_PARAMETER_TO_JSP_WRITER"> <ShortDescription>JSP reflected cross site scripting vulnerability</ShortDescription> <LongDescription>HTTP parameter directly written to JSP output, giving reflected XSS vulnerability in {1.class}</LongDescription> <Details> <![CDATA[ <p>This code directly writes an HTTP parameter to JSP output, which allows for a cross site scripting vulnerability. See <a href="http://en.wikipedia.org/wiki/Cross-site_scripting">http://en.wikipedia.org/wiki/Cross-site_scripting</a> for more information.</p> <p>SpotBugs looks only for the most blatant, obvious cases of cross site scripting. If SpotBugs found <em>any</em>, you <em>almost certainly</em> have more cross site scripting vulnerabilities that SpotBugs doesn't report. If you are concerned about cross site scripting, you should seriously consider using a commercial static analysis or pen-testing tool. </p> ]]> </Details> </BugPattern> <BugPattern type="SW_SWING_METHODS_INVOKED_IN_SWING_THREAD"> <ShortDescription>Certain swing methods need to be invoked in Swing thread</ShortDescription> <LongDescription>Call to swing method in {1} needs to be performed in Swing event thread</LongDescription> <Details> <![CDATA[ <p>(<a href="http://web.archive.org/web/20090526170426/http://java.sun.com/developer/JDCTechTips/2003/tt1208.html">From JDC Tech Tip</a>): The Swing methods show(), setVisible(), and pack() will create the associated peer for the frame. With the creation of the peer, the system creates the event dispatch thread. This makes things problematic because the event dispatch thread could be notifying listeners while pack and validate are still processing. This situation could result in two threads going through the Swing component-based GUI -- it's a serious flaw that could result in deadlocks or other related threading issues. A pack call causes components to be realized. As they are being realized (that is, not necessarily visible), they could trigger listener notification on the event dispatch thread.</p> ]]> </Details> </BugPattern> <BugPattern type="IL_INFINITE_LOOP"> <ShortDescription>An apparent infinite loop</ShortDescription> <LongDescription>There is an apparent infinite loop in {1}</LongDescription> <Details> <![CDATA[ <p>This loop doesn't seem to have a way to terminate (other than by perhaps throwing an exception).</p> ]]> </Details> </BugPattern> <BugPattern type="IL_INFINITE_RECURSIVE_LOOP"> <ShortDescription>An apparent infinite recursive loop</ShortDescription> <LongDescription>There is an apparent infinite recursive loop in {1}</LongDescription> <Details> <![CDATA[ <p>This method unconditionally invokes itself. This would seem to indicate an infinite recursive loop that will result in a stack overflow.</p> ]]> </Details> </BugPattern> <BugPattern type="IL_CONTAINER_ADDED_TO_ITSELF"> <ShortDescription>A collection is added to itself</ShortDescription> <LongDescription>A collection is added to itself in {1}</LongDescription> <Details> <![CDATA[ <p>A collection is added to itself. As a result, computing the hashCode of this set will throw a StackOverflowException. </p> ]]> </Details> </BugPattern> <BugPattern type="VO_VOLATILE_REFERENCE_TO_ARRAY"> <ShortDescription>A volatile reference to an array doesn't treat the array elements as volatile</ShortDescription> <LongDescription>{1} is a volatile reference to an array; the array elements are non-volatile</LongDescription> <Details> <![CDATA[ <p>This declares a volatile reference to an array, which might not be what you want. With a volatile reference to an array, reads and writes of the reference to the array are treated as volatile, but the array elements are non-volatile. To get volatile array elements, you will need to use one of the atomic array classes in java.util.concurrent (provided in Java 5.0).</p> ]]> </Details> </BugPattern> <BugPattern type="VO_VOLATILE_INCREMENT"> <ShortDescription>An increment to a volatile field isn't atomic</ShortDescription> <LongDescription>Increment of volatile field {2} in {1}</LongDescription> <Details> <![CDATA[ <p>This code increments/decrements a volatile field. Increments/Decrements of volatile fields aren't atomic. If more than one thread is incrementing/decrementing the field at the same time, increments/decrements could be lost. </p> ]]> </Details> </BugPattern> <BugPattern type="UI_INHERITANCE_UNSAFE_GETRESOURCE"> <ShortDescription>Usage of GetResource may be unsafe if class is extended</ShortDescription> <LongDescription>Usage of GetResource in {1} may be unsafe if class is extended</LongDescription> <Details> <![CDATA[ <p>Calling <code>this.getClass().getResource(...)</code> could give results other than expected if this class is extended by a class in another package.</p> ]]> </Details> </BugPattern> <BugPattern type="NP_BOOLEAN_RETURN_NULL"> <ShortDescription>Method with Boolean return type returns explicit null</ShortDescription> <LongDescription>{1} has Boolean return type and returns explicit null</LongDescription> <Details> <![CDATA[ <p> A method that returns either Boolean.TRUE, Boolean.FALSE or null is an accident waiting to happen. This method can be invoked as though it returned a value of type boolean, and the compiler will insert automatic unboxing of the Boolean value. If a null value is returned, this will result in a NullPointerException. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_OPTIONAL_RETURN_NULL"> <ShortDescription>Method with Optional return type returns explicit null</ShortDescription> <LongDescription>{1} has Optional return type and returns explicit null</LongDescription> <Details> <![CDATA[ <p> The usage of Optional return type (java.util.Optional or com.google.common.base.Optional) always means that explicit null returns were not desired by design. Returning a null value in such case is a contract violation and will most likely break client code. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR"> <ShortDescription>Non-null field is not initialized</ShortDescription> <LongDescription>Non-null field {2.name} is not initialized by {1}</LongDescription> <Details> <![CDATA[ <p> The field is marked as non-null, but isn't written to by the constructor. The field might be initialized elsewhere during constructor, or might always be initialized before use. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_SYNC_AND_NULL_CHECK_FIELD"> <ShortDescription>Synchronize and null check on the same field.</ShortDescription> <LongDescription>In {1} the field {2.givenClass} is synchronized on and then checked if null.</LongDescription> <Details> <![CDATA[ <p>Since the field is synchronized on, it seems not likely to be null. If it is null and then synchronized on a NullPointerException will be thrown and the check would be pointless. Better to synchronize on another field.</p> ]]> </Details> </BugPattern> <BugPattern type="RpC_REPEATED_CONDITIONAL_TEST"> <ShortDescription>Repeated conditional tests</ShortDescription> <LongDescription>Repeated conditional test in {1}</LongDescription> <Details> <![CDATA[ <p>The code contains a conditional test is performed twice, one right after the other (e.g., <code>x == 0 || x == 0</code>). Perhaps the second occurrence is intended to be something else (e.g., <code>x == 0 || y == 0</code>). </p> ]]> </Details> </BugPattern> <BugPattern type="TESTING"> <ShortDescription>Testing</ShortDescription> <LongDescription>Test warning generated in {1}</LongDescription> <Details> <![CDATA[ <p>This bug pattern is only generated by new, incompletely implemented bug detectors.</p> ]]> </Details> </BugPattern> <BugPattern type="TESTING1"> <ShortDescription>Testing 1</ShortDescription> <LongDescription>Test warning 1 generated in {1}</LongDescription> <Details> <![CDATA[ <p>This bug pattern is only generated by new, incompletely implemented bug detectors.</p> ]]> </Details> </BugPattern> <BugPattern type="TESTING2"> <ShortDescription>Testing 2</ShortDescription> <LongDescription>Test warning 2 generated in {1}</LongDescription> <Details> <![CDATA[ <p>This bug pattern is only generated by new, incompletely implemented bug detectors.</p> ]]> </Details> </BugPattern> <BugPattern type="TESTING3"> <ShortDescription>Testing 3</ShortDescription> <LongDescription>Test warning 3 generated in {1}</LongDescription> <Details> <![CDATA[ <p>This bug pattern is only generated by new, incompletely implemented bug detectors.</p> ]]> </Details> </BugPattern> <BugPattern type="UNKNOWN"> <ShortDescription>Unknown bug pattern</ShortDescription> <LongDescription>Unknown bug pattern BUG_PATTERN in {1}</LongDescription> <Details> <![CDATA[ <p>A warning was recorded, but SpotBugs cannot find the description of this bug pattern and so cannot describe it. This should occur only in cases of a bug in SpotBugs or its configuration, or perhaps if an analysis was generated using a plugin, but that plugin is not currently loaded. .</p> ]]> </Details> </BugPattern> <BugPattern type="AM_CREATES_EMPTY_ZIP_FILE_ENTRY"> <ShortDescription>Creates an empty zip file entry</ShortDescription> <LongDescription>Empty zip file entry created in {1}</LongDescription> <Details> <![CDATA[ <p>The code calls <code>putNextEntry()</code>, immediately followed by a call to <code>closeEntry()</code>. This results in an empty ZipFile entry. The contents of the entry should be written to the ZipFile between the calls to <code>putNextEntry()</code> and <code>closeEntry()</code>.</p> ]]> </Details> </BugPattern> <BugPattern type="AM_CREATES_EMPTY_JAR_FILE_ENTRY"> <ShortDescription>Creates an empty jar file entry</ShortDescription> <LongDescription>Empty jar file entry created in {1}</LongDescription> <Details> <![CDATA[ <p>The code calls <code>putNextEntry()</code>, immediately followed by a call to <code>closeEntry()</code>. This results in an empty JarFile entry. The contents of the entry should be written to the JarFile between the calls to <code>putNextEntry()</code> and <code>closeEntry()</code>.</p> ]]> </Details> </BugPattern> <BugPattern type="IMSE_DONT_CATCH_IMSE"> <ShortDescription>Dubious catching of IllegalMonitorStateException</ShortDescription> <LongDescription>Dubious catching of IllegalMonitorStateException in {1}</LongDescription> <Details> <![CDATA[ <p>IllegalMonitorStateException is generally only thrown in case of a design flaw in your code (calling wait or notify on an object you do not hold a lock on).</p> ]]> </Details> </BugPattern> <BugPattern type="FL_MATH_USING_FLOAT_PRECISION"> <ShortDescription>Method performs math using floating point precision</ShortDescription> <LongDescription>{1} performs math using floating point precision</LongDescription> <Details> <![CDATA[ <p> The method performs math operations using floating point precision. Floating point precision is very imprecise. For example, 16777216.0f + 1.0f = 16777216.0f. Consider using double math instead.</p> ]]> </Details> </BugPattern> <BugPattern type="CAA_COVARIANT_ARRAY_FIELD"> <ShortDescription>Covariant array assignment to a field</ShortDescription> <LongDescription>Array of type {2} is assigned to the field of type {3}</LongDescription> <Details> <![CDATA[ <p>Array of covariant type is assigned to a field. This is confusing and may lead to ArrayStoreException at runtime if the reference of some other type will be stored in this array later like in the following code: </p> <pre><code>Number[] arr = new Integer[10]; arr[0] = 1.0; </code></pre> <p>Consider changing the type of created array or the field type.</p> ]]> </Details> </BugPattern> <BugPattern type="CAA_COVARIANT_ARRAY_LOCAL"> <ShortDescription>Covariant array assignment to a local variable</ShortDescription> <LongDescription>Array of type {2} is assigned to the variable of type {3}</LongDescription> <Details> <![CDATA[ <p>Array of covariant type is assigned to a local variable. This is confusing and may lead to ArrayStoreException at runtime if the reference of some other type will be stored in this array later like in the following code: </p> <pre><code>Number[] arr = new Integer[10]; arr[0] = 1.0; </code></pre> <p>Consider changing the type of created array or the local variable type.</p> ]]> </Details> </BugPattern> <BugPattern type="CAA_COVARIANT_ARRAY_RETURN"> <ShortDescription>Covariant array is returned from the method</ShortDescription> <LongDescription>Array of type {2} is returned from the method which return type is {3}</LongDescription> <Details> <![CDATA[ <p>Array of covariant type is returned from the method. This is confusing and may lead to ArrayStoreException at runtime if the calling code will try to store the reference of some other type in the returned array. </p> <p>Consider changing the type of created array or the method return type.</p> ]]> </Details> </BugPattern> <BugPattern type="CAA_COVARIANT_ARRAY_ELEMENT_STORE"> <ShortDescription>Possibly incompatible element is stored in covariant array</ShortDescription> <LongDescription>Value of type {2} is stored into array which element type is {3}</LongDescription> <Details> <![CDATA[ <p>Value is stored into the array and the value type doesn't match the array type. It's known from the analysis that actual array type is narrower than the declared type of its variable or field and this assignment doesn't satisfy the original array type. This assignment may cause ArrayStoreException at runtime. </p> ]]> </Details> </BugPattern> <BugPattern type="CN_IDIOM"> <ShortDescription>Class implements Cloneable but does not define or use clone method</ShortDescription> <LongDescription>Class {0} implements Cloneable but does not define or use clone method</LongDescription> <Details> <![CDATA[ <p> Class implements Cloneable but does not define or use the clone method.</p> ]]> </Details> </BugPattern> <BugPattern type="CN_IMPLEMENTS_CLONE_BUT_NOT_CLONEABLE"> <ShortDescription>Class defines clone() but doesn't implement Cloneable</ShortDescription> <LongDescription>{0} defines clone() but doesn't implement Cloneable</LongDescription> <Details> <![CDATA[ <p> This class defines a clone() method but the class doesn't implement Cloneable. There are some situations in which this is OK (e.g., you want to control how subclasses can clone themselves), but just make sure that this is what you intended. </p> ]]> </Details> </BugPattern> <BugPattern type="CN_IDIOM_NO_SUPER_CALL"> <ShortDescription>clone method does not call super.clone()</ShortDescription> <LongDescription>{1} does not call super.clone()</LongDescription> <Details> <![CDATA[ <p> This non-final class defines a clone() method that does not call super.clone(). If this class ("<i>A</i>") is extended by a subclass ("<i>B</i>"), and the subclass <i>B</i> calls super.clone(), then it is likely that <i>B</i>'s clone() method will return an object of type <i>A</i>, which violates the standard contract for clone().</p> <p> If all clone() methods call super.clone(), then they are guaranteed to use Object.clone(), which always returns an object of the correct type.</p> ]]> </Details> </BugPattern> <BugPattern type="NM_FUTURE_KEYWORD_USED_AS_IDENTIFIER"> <ShortDescription>Use of identifier that is a keyword in later versions of Java</ShortDescription> <LongDescription>{1} uses {2} for a variable name, which is a keyword in later versions of Java</LongDescription> <Details> <![CDATA[ <p>The identifier is a word that is reserved as a keyword in later versions of Java, and your code will need to be changed in order to compile it in later versions of Java.</p> ]]> </Details> </BugPattern> <BugPattern type="NM_FUTURE_KEYWORD_USED_AS_MEMBER_IDENTIFIER"> <ShortDescription>Use of identifier that is a keyword in later versions of Java</ShortDescription> <LongDescription>{1} conflicts with a keyword in a more recent version of Java</LongDescription> <Details> <![CDATA[ <p>This identifier is used as a keyword in later versions of Java. This code, and any code that references this API, will need to be changed in order to compile it in later versions of Java.</p> ]]> </Details> </BugPattern> <BugPattern type="DE_MIGHT_DROP"> <ShortDescription>Method might drop exception</ShortDescription> <LongDescription>{1} might drop {2}</LongDescription> <Details> <![CDATA[ <p> This method might drop an exception. In general, exceptions should be handled or reported in some way, or they should be thrown out of the method.</p> ]]> </Details> </BugPattern> <BugPattern type="DE_MIGHT_IGNORE"> <ShortDescription>Method might ignore exception</ShortDescription> <LongDescription>{1} might ignore {2}</LongDescription> <Details> <![CDATA[ <p> This method might ignore an exception. In general, exceptions should be handled or reported in some way, or they should be thrown out of the method.</p> ]]> </Details> </BugPattern> <BugPattern type="DP_DO_INSIDE_DO_PRIVILEGED"> <ShortDescription>Method invoked that should be only be invoked inside a doPrivileged block</ShortDescription> <LongDescription>Invocation of {2}, which should be invoked from within a doPrivileged block, in {1}</LongDescription> <Details> <![CDATA[ <p> This code invokes a method that requires a security permission check. If this code will be granted security permissions, but might be invoked by code that does not have security permissions, then the invocation needs to occur inside a doPrivileged block.</p> ]]> </Details> </BugPattern> <BugPattern type="DP_DO_INSIDE_DO_PRIVILEDGED"> <!-- misspelled for backward compatibility --> <ShortDescription>Method invoked that should be only be invoked inside a doPrivileged block</ShortDescription> <LongDescription>Invocation of {2}, which should be invoked from within a doPrivileged block, in {1}</LongDescription> <Details> <![CDATA[ <p> This code invokes a method that requires a security permission check. If this code will be granted security permissions, but might be invoked by code that does not have security permissions, then the invocation needs to occur inside a doPrivileged block.</p> ]]> </Details> </BugPattern> <BugPattern type="DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED"> <ShortDescription>Classloaders should only be created inside doPrivileged block</ShortDescription> <LongDescription>{1} creates a {2} classloader, which should be performed within a doPrivileged block</LongDescription> <Details> <![CDATA[ <p> This code creates a classloader, which needs permission if a security manage is installed. If this code might be invoked by code that does not have security permissions, then the classloader creation needs to occur inside a doPrivileged block.</p> ]]> </Details> </BugPattern> <BugPattern type="JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS"> <ShortDescription>Fields of immutable classes should be final</ShortDescription> <LongDescription>{1.givenClass} should be final since {0} is marked as Immutable.</LongDescription> <Details> <![CDATA[ <p> The class is annotated with net.jcip.annotations.Immutable or javax.annotation.concurrent.Immutable, and the rules for those annotations require that all fields are final. .</p> ]]> </Details> </BugPattern> <BugPattern type="DMI_THREAD_PASSED_WHERE_RUNNABLE_EXPECTED"> <ShortDescription>Thread passed where Runnable expected</ShortDescription> <LongDescription>Thread passed where Runnable expected in {1}</LongDescription> <Details> <![CDATA[ <p> A Thread object is passed as a parameter to a method where a Runnable is expected. This is rather unusual, and may indicate a logic error or cause unexpected behavior. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_COLLECTION_OF_URLS"> <ShortDescription>Maps and sets of URLs can be performance hogs</ShortDescription> <LongDescription>{1} is or uses a map or set of URLs, which can be a performance hog</LongDescription> <Details> <![CDATA[ <p> This method or field is or uses a Map or Set of URLs. Since both the equals and hashCode method of URL perform domain name resolution, this can result in a big performance hit. See <a href="http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html">http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html</a> for more information. Consider using <code>java.net.URI</code> instead. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_BLOCKING_METHODS_ON_URL"> <ShortDescription>The equals and hashCode methods of URL are blocking</ShortDescription> <LongDescription>Invocation of {2}, which blocks to do domain name resolution, in {1}</LongDescription> <Details> <![CDATA[ <p> The equals and hashCode method of URL perform domain name resolution, this can result in a big performance hit. See <a href="http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html">http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html</a> for more information. Consider using <code>java.net.URI</code> instead. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_ANNOTATION_IS_NOT_VISIBLE_TO_REFLECTION"> <ShortDescription>Cannot use reflection to check for presence of annotation without runtime retention</ShortDescription> <LongDescription>Use of reflection to check for the presence the annotation {3} which doesn't have runtime retention, in {1}</LongDescription> <Details> <![CDATA[ <p> Unless an annotation has itself been annotated with @Retention(RetentionPolicy.RUNTIME), the annotation cannot be observed using reflection (e.g., by using the isAnnotationPresent method). .</p> ]]> </Details> </BugPattern> <BugPattern type="DM_EXIT"> <ShortDescription>Method invokes System.exit(...)</ShortDescription> <LongDescription>{1} invokes System.exit(...), which shuts down the entire virtual machine</LongDescription> <Details> <![CDATA[ <p> Invoking System.exit shuts down the entire Java virtual machine. This should only been done when it is appropriate. Such calls make it hard or impossible for your code to be invoked by other code. Consider throwing a RuntimeException instead.</p> ]]> </Details> </BugPattern> <BugPattern type="DM_RUN_FINALIZERS_ON_EXIT"> <ShortDescription>Method invokes dangerous method runFinalizersOnExit</ShortDescription> <LongDescription>{1} invokes dangerous method runFinalizersOnExit</LongDescription> <Details> <![CDATA[ <p> <em>Never call System.runFinalizersOnExit or Runtime.runFinalizersOnExit for any reason: they are among the most dangerous methods in the Java libraries.</em> -- Joshua Bloch</p> ]]> </Details> </BugPattern> <BugPattern type="DM_STRING_CTOR"> <ShortDescription>Method invokes inefficient new String(String) constructor</ShortDescription> <LongDescription>{1} invokes inefficient new String(String) constructor</LongDescription> <Details> <![CDATA[ <p> Using the <code>java.lang.String(String)</code> constructor wastes memory because the object so constructed will be functionally indistinguishable from the <code>String</code> passed as a parameter. Just use the argument <code>String</code> directly.</p> ]]> </Details> </BugPattern> <BugPattern type="DM_STRING_VOID_CTOR"> <ShortDescription>Method invokes inefficient new String() constructor</ShortDescription> <LongDescription>{1} invokes inefficient new String() constructor</LongDescription> <Details> <![CDATA[ <p> Creating a new <code>java.lang.String</code> object using the no-argument constructor wastes memory because the object so created will be functionally indistinguishable from the empty string constant <code>""</code>. Java guarantees that identical string constants will be represented by the same <code>String</code> object. Therefore, you should just use the empty string constant directly.</p> ]]> </Details> </BugPattern> <BugPattern type="DM_STRING_TOSTRING"> <ShortDescription>Method invokes toString() method on a String</ShortDescription> <LongDescription>{1} invokes toString() method on a String</LongDescription> <Details> <![CDATA[ <p> Calling <code>String.toString()</code> is a redundant operation. Just use the String.</p> ]]> </Details> </BugPattern> <BugPattern type="DM_GC"> <ShortDescription>Explicit garbage collection; extremely dubious except in benchmarking code</ShortDescription> <LongDescription>{1} forces garbage collection; extremely dubious except in benchmarking code</LongDescription> <Details> <![CDATA[ <p> Code explicitly invokes garbage collection. Except for specific use in benchmarking, this is very dubious.</p> <p>In the past, situations where people have explicitly invoked the garbage collector in routines such as close or finalize methods has led to huge performance black holes. Garbage collection can be expensive. Any situation that forces hundreds or thousands of garbage collections will bring the machine to a crawl.</p> ]]> </Details> </BugPattern> <BugPattern type="DM_BOOLEAN_CTOR"> <ShortDescription>Method invokes inefficient Boolean constructor; use Boolean.valueOf(...) instead</ShortDescription> <LongDescription>{1} invokes inefficient Boolean constructor; use Boolean.valueOf(...) instead</LongDescription> <Details> <![CDATA[ <p> Creating new instances of <code>java.lang.Boolean</code> wastes memory, since <code>Boolean</code> objects are immutable and there are only two useful values of this type. Use the <code>Boolean.valueOf()</code> method (or Java 5 autoboxing) to create <code>Boolean</code> objects instead.</p> ]]> </Details> </BugPattern> <BugPattern type="DM_NUMBER_CTOR"> <ShortDescription>Method invokes inefficient Number constructor; use static valueOf instead</ShortDescription> <LongDescription>{1} invokes inefficient {2} constructor; use {3} instead</LongDescription> <Details> <![CDATA[ <p> Using <code>new Integer(int)</code> is guaranteed to always result in a new object whereas <code>Integer.valueOf(int)</code> allows caching of values to be done by the compiler, class library, or JVM. Using of cached values avoids object allocation and the code will be faster. </p> <p> Values between -128 and 127 are guaranteed to have corresponding cached instances and using <code>valueOf</code> is approximately 3.5 times faster than using constructor. For values outside the constant range the performance of both styles is the same. </p> <p> Unless the class must be compatible with JVMs predating Java 5, use either autoboxing or the <code>valueOf()</code> method when creating instances of <code>Long</code>, <code>Integer</code>, <code>Short</code>, <code>Character</code>, and <code>Byte</code>. </p> ]]> </Details> </BugPattern> <BugPattern type="DM_FP_NUMBER_CTOR"> <ShortDescription>Method invokes inefficient floating-point Number constructor; use static valueOf instead</ShortDescription> <LongDescription>{1} invokes inefficient {2} constructor; use {3} instead</LongDescription> <Details> <![CDATA[ <p> Using <code>new Double(double)</code> is guaranteed to always result in a new object whereas <code>Double.valueOf(double)</code> allows caching of values to be done by the compiler, class library, or JVM. Using of cached values avoids object allocation and the code will be faster. </p> <p> Unless the class must be compatible with JVMs predating Java 5, use either autoboxing or the <code>valueOf()</code> method when creating instances of <code>Double</code> and <code>Float</code>. </p> ]]> </Details> </BugPattern> <BugPattern type="DM_CONVERT_CASE"> <ShortDescription>Consider using Locale parameterized version of invoked method</ShortDescription> <LongDescription>Use of non-localized String.toUpperCase() or String.toLowerCase() in {1}</LongDescription> <Details> <![CDATA[ <p> A String is being converted to upper or lowercase, using the platform's default encoding. This may result in improper conversions when used with international characters. Use the </p> <ul> <li>String.toUpperCase( Locale l )</li> <li>String.toLowerCase( Locale l )</li> </ul> <p>versions instead.</p> ]]> </Details> </BugPattern> <BugPattern type="BX_UNBOXED_AND_COERCED_FOR_TERNARY_OPERATOR"> <ShortDescription>Primitive value is unboxed and coerced for ternary operator</ShortDescription> <LongDescription>Primitive value is unboxed and coerced for ternary operator in {1}</LongDescription> <Details> <![CDATA[ <p>A wrapped primitive value is unboxed and converted to another primitive type as part of the evaluation of a conditional ternary operator (the <code> b ? e1 : e2</code> operator). The semantics of Java mandate that if <code>e1</code> and <code>e2</code> are wrapped numeric values, the values are unboxed and converted/coerced to their common type (e.g, if <code>e1</code> is of type <code>Integer</code> and <code>e2</code> is of type <code>Float</code>, then <code>e1</code> is unboxed, converted to a floating point value, and boxed. See JLS Section 15.25. </p> ]]> </Details> </BugPattern> <BugPattern type="BX_BOXING_IMMEDIATELY_UNBOXED"> <ShortDescription>Primitive value is boxed and then immediately unboxed</ShortDescription> <LongDescription>Primitive value is boxed and then immediately unboxed in {1}</LongDescription> <Details> <![CDATA[ <p>A primitive is boxed, and then immediately unboxed. This probably is due to a manual boxing in a place where an unboxed value is required, thus forcing the compiler to immediately undo the work of the boxing. </p> ]]> </Details> </BugPattern> <BugPattern type="BX_UNBOXING_IMMEDIATELY_REBOXED"> <ShortDescription>Boxed value is unboxed and then immediately reboxed</ShortDescription> <LongDescription>Boxed value is unboxed and then immediately reboxed in {1}</LongDescription> <Details> <![CDATA[ <p>A boxed value is unboxed and then immediately reboxed. </p> ]]> </Details> </BugPattern> <BugPattern type="BX_BOXING_IMMEDIATELY_UNBOXED_TO_PERFORM_COERCION"> <ShortDescription>Primitive value is boxed then unboxed to perform primitive coercion</ShortDescription> <LongDescription>Primitive value is boxed then unboxed to perform primitive coercion in {1}</LongDescription> <Details> <![CDATA[ <p>A primitive boxed value constructed and then immediately converted into a different primitive type (e.g., <code>new Double(d).intValue()</code>). Just perform direct primitive coercion (e.g., <code>(int) d</code>).</p> ]]> </Details> </BugPattern> <BugPattern type="DM_BOXED_PRIMITIVE_TOSTRING"> <ShortDescription>Method allocates a boxed primitive just to call toString</ShortDescription> <LongDescription>Primitive boxed just to call toString in {1}</LongDescription> <Details> <![CDATA[ <p>A boxed primitive is allocated just to call toString(). It is more effective to just use the static form of toString which takes the primitive value. So,</p> <table> <tr><th>Replace...</th><th>With this...</th></tr> <tr><td>new Integer(1).toString()</td><td>Integer.toString(1)</td></tr> <tr><td>new Long(1).toString()</td><td>Long.toString(1)</td></tr> <tr><td>new Float(1.0).toString()</td><td>Float.toString(1.0)</td></tr> <tr><td>new Double(1.0).toString()</td><td>Double.toString(1.0)</td></tr> <tr><td>new Byte(1).toString()</td><td>Byte.toString(1)</td></tr> <tr><td>new Short(1).toString()</td><td>Short.toString(1)</td></tr> <tr><td>new Boolean(true).toString()</td><td>Boolean.toString(true)</td></tr> </table> ]]> </Details> </BugPattern> <BugPattern type="DM_BOXED_PRIMITIVE_FOR_PARSING"> <ShortDescription>Boxing/unboxing to parse a primitive</ShortDescription> <LongDescription>Boxing/unboxing to parse a primitive {1}</LongDescription> <Details> <![CDATA[ <p>A boxed primitive is created from a String, just to extract the unboxed primitive value. It is more efficient to just call the static parseXXX method.</p> ]]> </Details> </BugPattern> <BugPattern type="DM_BOXED_PRIMITIVE_FOR_COMPARE"> <ShortDescription>Boxing a primitive to compare</ShortDescription> <LongDescription>Primitive is boxed to call {2}: use {3} instead</LongDescription> <Details> <![CDATA[ <p>A boxed primitive is created just to call <code>compareTo()</code> method. It's more efficient to use static compare method (for double and float since Java 1.4, for other primitive types since Java 7) which works on primitives directly. </p> ]]> </Details> </BugPattern> <BugPattern type="DM_NEW_FOR_GETCLASS"> <ShortDescription>Method allocates an object, only to get the class object</ShortDescription> <LongDescription>{1} allocates an object, only to get the class object</LongDescription> <Details> <![CDATA[ <p>This method allocates an object just to call getClass() on it, in order to retrieve the Class object for it. It is simpler to just access the .class property of the class.</p> ]]> </Details> </BugPattern> <BugPattern type="DM_MONITOR_WAIT_ON_CONDITION"> <ShortDescription>Monitor wait() called on Condition</ShortDescription> <LongDescription>Monitor wait() called on a Condition in {1}</LongDescription> <Details> <![CDATA[ <p> This method calls <code>wait()</code> on a <code>java.util.concurrent.locks.Condition</code> object. Waiting for a <code>Condition</code> should be done using one of the <code>await()</code> methods defined by the <code>Condition</code> interface. </p> ]]> </Details> </BugPattern> <BugPattern type="RV_01_TO_INT"> <ShortDescription>Random value from 0 to 1 is coerced to the integer 0</ShortDescription> <LongDescription>{1} uses generates a random value from 0 to 1 and then coerces that value to the integer 0</LongDescription> <Details> <![CDATA[ <p>A random value from 0 to 1 is being coerced to the integer value 0. You probably want to multiply the random value by something else before coercing it to an integer, or use the <code>Random.nextInt(n)</code> method. </p> ]]> </Details> </BugPattern> <BugPattern type="DM_INVALID_MIN_MAX"> <ShortDescription>Incorrect combination of Math.max and Math.min</ShortDescription> <LongDescription>Incorrect combination of Math.max and Math.min: this code always returns {2}</LongDescription> <Details> <![CDATA[ <p>This code tries to limit the value bounds using the construct like Math.min(0, Math.max(100, value)). However the order of the constants is incorrect: it should be Math.min(100, Math.max(0, value)). As the result this code always produces the same result (or NaN if the value is NaN).</p> ]]> </Details> </BugPattern> <BugPattern type="DM_NEXTINT_VIA_NEXTDOUBLE"> <ShortDescription>Use the nextInt method of Random rather than nextDouble to generate a random integer</ShortDescription> <LongDescription>{1} uses the nextDouble method of Random to generate a random integer; using nextInt is more efficient</LongDescription> <Details> <![CDATA[ <p>If <code>r</code> is a <code>java.util.Random</code>, you can generate a random number from <code>0</code> to <code>n-1</code> using <code>r.nextInt(n)</code>, rather than using <code>(int)(r.nextDouble() * n)</code>. </p> <p>The argument to nextInt must be positive. If, for example, you want to generate a random value from -99 to 0, use <code>-r.nextInt(100)</code>. </p> ]]> </Details> </BugPattern> <BugPattern type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE"> <ShortDescription>Nonconstant string passed to execute or addBatch method on an SQL statement</ShortDescription> <LongDescription>{1} passes a nonconstant String to an execute or addBatch method on an SQL statement</LongDescription> <Details> <![CDATA[ <p>The method invokes the execute or addBatch method on an SQL statement with a String that seems to be dynamically generated. Consider using a prepared statement instead. It is more efficient and less vulnerable to SQL injection attacks. </p> ]]> </Details> </BugPattern> <BugPattern type="SQL_PREPARED_STATEMENT_GENERATED_FROM_NONCONSTANT_STRING"> <ShortDescription>A prepared statement is generated from a nonconstant String</ShortDescription> <LongDescription>A prepared statement is generated from a nonconstant String in {1}</LongDescription> <Details> <![CDATA[ <p>The code creates an SQL prepared statement from a nonconstant String. If unchecked, tainted data from a user is used in building this String, SQL injection could be used to make the prepared statement do something unexpected and undesirable. </p> ]]> </Details> </BugPattern> <BugPattern type="DM_USELESS_THREAD"> <ShortDescription>A thread was created using the default empty run method</ShortDescription> <LongDescription>{1} creates a thread using the default empty run method</LongDescription> <Details> <![CDATA[ <p>This method creates a thread without specifying a run method either by deriving from the Thread class, or by passing a Runnable object. This thread, then, does nothing but waste time. </p> ]]> </Details> </BugPattern> <BugPattern type="DC_DOUBLECHECK"> <ShortDescription>Possible double-check of field</ShortDescription> <LongDescription>Possible double-check on {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This method may contain an instance of double-checked locking. This idiom is not correct according to the semantics of the Java memory model. For more information, see the web page <a href="http://www.cs.umd.edu/~pugh/java/memoryModel/DoubleCheckedLocking.html" >http://www.cs.umd.edu/~pugh/java/memoryModel/DoubleCheckedLocking.html</a>.</p> ]]> </Details> </BugPattern> <BugPattern type="DC_PARTIALLY_CONSTRUCTED"> <ShortDescription>Possible exposure of partially initialized object</ShortDescription> <LongDescription>Possible exposure of partially initialized object in {1}</LongDescription> <Details> <![CDATA[ <p>Looks like this method uses lazy field initialization with double-checked locking. While the field is correctly declared as volatile, it's possible that the internal structure of the object is changed after the field assignment, thus another thread may see the partially initialized object.</p> <p>To fix this problem consider storing the object into the local variable first and save it to the volatile field only after it's fully constructed. </p> ]]> </Details> </BugPattern> <BugPattern type="FI_FINALIZER_NULLS_FIELDS"> <ShortDescription>Finalizer nulls fields</ShortDescription> <LongDescription>{3} is set to null inside finalize method in {1.class}</LongDescription> <Details> <![CDATA[ <p> This finalizer nulls out fields. This is usually an error, as it does not aid garbage collection, and the object is going to be garbage collected anyway.</p> ]]> </Details> </BugPattern> <BugPattern type="FI_FINALIZER_ONLY_NULLS_FIELDS"> <ShortDescription>Finalizer only nulls fields</ShortDescription> <LongDescription>{1} only nulls fields</LongDescription> <Details> <![CDATA[ <p> This finalizer does nothing except null out fields. This is completely pointless, and requires that the object be garbage collected, finalized, and then garbage collected again. You should just remove the finalize method.</p> ]]> </Details> </BugPattern> <BugPattern type="FI_PUBLIC_SHOULD_BE_PROTECTED"> <ShortDescription>Finalizer should be protected, not public</ShortDescription> <LongDescription>{1} is public; should be protected</LongDescription> <Details> <![CDATA[ <p> A class's <code>finalize()</code> method should have protected access, not public.</p> ]]> </Details> </BugPattern> <BugPattern type="FI_EMPTY"> <ShortDescription>Empty finalizer should be deleted</ShortDescription> <LongDescription>{1} is empty and should be deleted</LongDescription> <Details> <![CDATA[ <p> Empty <code>finalize()</code> methods are useless, so they should be deleted.</p> ]]> </Details> </BugPattern> <BugPattern type="FI_NULLIFY_SUPER"> <ShortDescription>Finalizer nullifies superclass finalizer</ShortDescription> <LongDescription>{1} is nullifying {2}.finalize(); is this intended?</LongDescription> <Details> <![CDATA[ <p> This empty <code>finalize()</code> method explicitly negates the effect of any finalizer defined by its superclass. Any finalizer actions defined for the superclass will not be performed. Unless this is intended, delete this method.</p> ]]> </Details> </BugPattern> <BugPattern type="FI_USELESS"> <ShortDescription>Finalizer does nothing but call superclass finalizer</ShortDescription> <LongDescription>{1} does nothing except call super.finalize(); delete it</LongDescription> <Details> <![CDATA[ <p> The only thing this <code>finalize()</code> method does is call the superclass's <code>finalize()</code> method, making it redundant. Delete it.</p> ]]> </Details> </BugPattern> <BugPattern type="FI_MISSING_SUPER_CALL"> <ShortDescription>Finalizer does not call superclass finalizer</ShortDescription> <LongDescription>{1} missing call to super.finalize(), so {2}.finalize() doesn't get called</LongDescription> <Details> <![CDATA[ <p> This <code>finalize()</code> method does not make a call to its superclass's <code>finalize()</code> method. So, any finalizer actions defined for the superclass will not be performed. Add a call to <code>super.finalize()</code>.</p> ]]> </Details> </BugPattern> <BugPattern type="FI_EXPLICIT_INVOCATION"> <ShortDescription>Explicit invocation of finalizer</ShortDescription> <LongDescription>Explicit invocation of {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains an explicit invocation of the <code>finalize()</code> method on an object. Because finalizer methods are supposed to be executed once, and only by the VM, this is a bad idea.</p> <p>If a connected set of objects beings finalizable, then the VM will invoke the finalize method on all the finalizable object, possibly at the same time in different threads. Thus, it is a particularly bad idea, in the finalize method for a class X, invoke finalize on objects referenced by X, because they may already be getting finalized in a separate thread.</p> ]]> </Details> </BugPattern> <BugPattern type="EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS"> <ShortDescription>Equals checks for incompatible operand</ShortDescription> <LongDescription>{1} checks for operand being a {2.givenClass}</LongDescription> <Details> <![CDATA[ <p> This equals method is checking to see if the argument is some incompatible type (i.e., a class that is neither a supertype nor subtype of the class that defines the equals method). For example, the Foo class might have an equals method that looks like: </p> <pre><code>public boolean equals(Object o) { if (o instanceof Foo) return name.equals(((Foo)o).name); else if (o instanceof String) return name.equals(o); else return false; } </code></pre> <p>This is considered bad practice, as it makes it very hard to implement an equals method that is symmetric and transitive. Without those properties, very unexpected behaviors are possible. </p> ]]> </Details> </BugPattern> <BugPattern type="EQ_DONT_DEFINE_EQUALS_FOR_ENUM"> <ShortDescription>Covariant equals() method defined for enum</ShortDescription> <LongDescription>Enum {0} defines equals({0.givenClass})</LongDescription> <Details> <![CDATA[ <p> This class defines an enumeration, and equality on enumerations are defined using object identity. Defining a covariant equals method for an enumeration value is exceptionally bad practice, since it would likely result in having two different enumeration values that compare as equals using the covariant enum method, and as not equal when compared normally. Don't do it. </p> ]]> </Details> </BugPattern> <BugPattern type="EQ_SELF_USE_OBJECT"> <ShortDescription>Covariant equals() method defined, Object.equals(Object) inherited</ShortDescription> <LongDescription>{0} defines equals({0.givenClass}) method and uses Object.equals(Object)</LongDescription> <Details> <![CDATA[ <p> This class defines a covariant version of the <code>equals()</code> method, but inherits the normal <code>equals(Object)</code> method defined in the base <code>java.lang.Object</code> class. The class should probably define a <code>boolean equals(Object)</code> method. </p> ]]> </Details> </BugPattern> <BugPattern type="EQ_OTHER_USE_OBJECT"> <ShortDescription>equals() method defined that doesn't override Object.equals(Object)</ShortDescription> <LongDescription>{0} defines {1.givenClass} method and uses Object.equals(Object)</LongDescription> <Details> <![CDATA[ <p> This class defines an <code>equals()</code> method, that doesn't override the normal <code>equals(Object)</code> method defined in the base <code>java.lang.Object</code> class. The class should probably define a <code>boolean equals(Object)</code> method. </p> ]]> </Details> </BugPattern> <BugPattern type="EQ_OTHER_NO_OBJECT"> <ShortDescription>equals() method defined that doesn't override equals(Object)</ShortDescription> <LongDescription>{0} defines {1.givenClass} method that doesn't override equals(Object)</LongDescription> <Details> <![CDATA[ <p> This class defines an <code>equals()</code> method, that doesn't override the normal <code>equals(Object)</code> method defined in the base <code>java.lang.Object</code> class. Instead, it inherits an <code>equals(Object)</code> method from a superclass. The class should probably define a <code>boolean equals(Object)</code> method. </p> ]]> </Details> </BugPattern> <BugPattern type="EQ_DOESNT_OVERRIDE_EQUALS"> <ShortDescription>Class doesn't override equals in superclass</ShortDescription> <LongDescription>{0} doesn't override {2.givenClass}</LongDescription> <Details> <![CDATA[ <p> This class extends a class that defines an equals method and adds fields, but doesn't define an equals method itself. Thus, equality on instances of this class will ignore the identity of the subclass and the added fields. Be sure this is what is intended, and that you don't need to override the equals method. Even if you don't need to override the equals method, consider overriding it anyway to document the fact that the equals method for the subclass just return the result of invoking super.equals(o). </p> ]]> </Details> </BugPattern> <BugPattern type="EQ_SELF_NO_OBJECT"> <ShortDescription>Covariant equals() method defined</ShortDescription> <LongDescription>{0} defines equals({0.givenClass}) method but not equals(Object)</LongDescription> <Details> <![CDATA[ <p> This class defines a covariant version of <code>equals()</code>. To correctly override the <code>equals()</code> method in <code>java.lang.Object</code>, the parameter of <code>equals()</code> must have type <code>java.lang.Object</code>.</p> ]]> </Details> </BugPattern> <BugPattern type="EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC"> <ShortDescription>equals method overrides equals in superclass and may not be symmetric</ShortDescription> <LongDescription>{1.class} overrides equals in {2.class.givenClass} and may not be symmetric</LongDescription> <Details> <![CDATA[ <p> This class defines an equals method that overrides an equals method in a superclass. Both equals methods use <code>instanceof</code> in the determination of whether two objects are equal. This is fraught with peril, since it is important that the equals method is symmetrical (in other words, <code>a.equals(b) == b.equals(a)</code>). If B is a subtype of A, and A's equals method checks that the argument is an instanceof A, and B's equals method checks that the argument is an instanceof B, it is quite likely that the equivalence relation defined by these methods is not symmetric. </p> ]]> </Details> </BugPattern> <BugPattern type="EQ_GETCLASS_AND_CLASS_CONSTANT"> <ShortDescription>equals method fails for subtypes</ShortDescription> <LongDescription>{1} fails for subtypes</LongDescription> <Details> <![CDATA[ <p> This class has an equals method that will be broken if it is inherited by subclasses. It compares a class literal with the class of the argument (e.g., in class <code>Foo</code> it might check if <code>Foo.class == o.getClass()</code>). It is better to check if <code>this.getClass() == o.getClass()</code>. </p> ]]> </Details> </BugPattern> <BugPattern type="EQ_UNUSUAL"> <ShortDescription>Unusual equals method</ShortDescription> <LongDescription>{1} is unusual</LongDescription> <Details> <![CDATA[ <p> This class doesn't do any of the patterns we recognize for checking that the type of the argument is compatible with the type of the <code>this</code> object. There might not be anything wrong with this code, but it is worth reviewing. </p> ]]> </Details> </BugPattern> <BugPattern type="EQ_COMPARING_CLASS_NAMES"> <ShortDescription>equals method compares class names rather than class objects</ShortDescription> <LongDescription>{1} compares class names rather than class objects</LongDescription> <Details> <![CDATA[ <p> This class defines an equals method that checks to see if two objects are the same class by checking to see if the names of their classes are equal. You can have different classes with the same name if they are loaded by different class loaders. Just check to see if the class objects are the same. </p> ]]> </Details> </BugPattern> <BugPattern type="EQ_ALWAYS_TRUE"> <ShortDescription>equals method always returns true</ShortDescription> <LongDescription>{1} always returns true</LongDescription> <Details> <![CDATA[ <p> This class defines an equals method that always returns true. This is imaginative, but not very smart. Plus, it means that the equals method is not symmetric. </p> ]]> </Details> </BugPattern> <BugPattern type="EQ_ALWAYS_FALSE"> <ShortDescription>equals method always returns false</ShortDescription> <LongDescription>{1} always returns false</LongDescription> <Details> <![CDATA[ <p> This class defines an equals method that always returns false. This means that an object is not equal to itself, and it is impossible to create useful Maps or Sets of this class. More fundamentally, it means that equals is not reflexive, one of the requirements of the equals method.</p> <p>The likely intended semantics are object identity: that an object is equal to itself. This is the behavior inherited from class <code>Object</code>. If you need to override an equals inherited from a different superclass, you can use:</p> <pre><code>public boolean equals(Object o) { return this == o; } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="HSC_HUGE_SHARED_STRING_CONSTANT"> <ShortDescription>Huge string constants is duplicated across multiple class files</ShortDescription> <LongDescription>{1} is initialized to a string constant {2} characters long that is duplicated in {3} other class files</LongDescription> <Details> <![CDATA[ <p> A large String constant is duplicated across multiple class files. This is likely because a final field is initialized to a String constant, and the Java language mandates that all references to a final field from other classes be inlined into that classfile. See <a href="http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6447475">JDK bug 6447475</a> for a description of an occurrence of this bug in the JDK and how resolving it reduced the size of the JDK by 1 megabyte. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_ARGUMENT_MIGHT_BE_NULL"> <ShortDescription>Method does not check for null argument</ShortDescription> <LongDescription>{1} does not check for null argument</LongDescription> <Details> <![CDATA[ <p> A parameter to this method has been identified as a value that should always be checked to see whether or not it is null, but it is being dereferenced without a preceding null check. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_EQUALS_SHOULD_HANDLE_NULL_ARGUMENT"> <ShortDescription>equals() method does not check for null argument</ShortDescription> <LongDescription>{1} does not check for null argument</LongDescription> <Details> <![CDATA[ <p> This implementation of equals(Object) violates the contract defined by java.lang.Object.equals() because it does not check for null being passed as the argument. All equals() methods should return false if passed a null value. </p> ]]> </Details> </BugPattern> <BugPattern type="RV_NEGATING_RESULT_OF_COMPARETO"> <ShortDescription>Negating the result of compareTo()/compare()</ShortDescription> <LongDescription>{1} negates the return value of {2}</LongDescription> <Details> <![CDATA[ <p> This code negates the return value of a compareTo or compare method. This is a questionable or bad programming practice, since if the return value is Integer.MIN_VALUE, negating the return value won't negate the sign of the result. You can achieve the same intended result by reversing the order of the operands rather than by negating the results. </p> ]]> </Details> </BugPattern> <BugPattern type="CO_COMPARETO_RESULTS_MIN_VALUE"> <ShortDescription>compareTo()/compare() returns Integer.MIN_VALUE</ShortDescription> <LongDescription>{1} returns Integer.MIN_VALUE, which cannot be negated</LongDescription> <Details> <![CDATA[ <p> In some situation, this compareTo or compare method returns the constant Integer.MIN_VALUE, which is an exceptionally bad practice. The only thing that matters about the return value of compareTo is the sign of the result. But people will sometimes negate the return value of compareTo, expecting that this will negate the sign of the result. And it will, except in the case where the value returned is Integer.MIN_VALUE. So just return -1 rather than Integer.MIN_VALUE. ]]> </Details> </BugPattern> <BugPattern type="CO_COMPARETO_INCORRECT_FLOATING"> <ShortDescription>compareTo()/compare() incorrectly handles float or double value</ShortDescription> <LongDescription>{1} incorrectly handles {2} value</LongDescription> <Details> <![CDATA[ <p>This method compares double or float values using pattern like this: val1 > val2 ? 1 : val1 < val2 ? -1 : 0. This pattern works incorrectly for -0.0 and NaN values which may result in incorrect sorting result or broken collection (if compared values are used as keys). Consider using Double.compare or Float.compare static methods which handle all the special cases correctly.</p> ]]> </Details> </BugPattern> <BugPattern type="CO_SELF_NO_OBJECT"> <ShortDescription>Covariant compareTo() method defined</ShortDescription> <LongDescription>{0} defines compareTo({0.givenClass}) method but not compareTo(Object)</LongDescription> <Details> <![CDATA[ <p> This class defines a covariant version of <code>compareTo()</code>. To correctly override the <code>compareTo()</code> method in the <code>Comparable</code> interface, the parameter of <code>compareTo()</code> must have type <code>java.lang.Object</code>.</p> ]]> </Details> </BugPattern> <BugPattern type="HE_SIGNATURE_DECLARES_HASHING_OF_UNHASHABLE_CLASS"> <ShortDescription>Signature declares use of unhashable class in hashed construct</ShortDescription> <LongDescription>{2} doesn't define a hashCode() method but it is used in a hashed context in {1}</LongDescription> <Details> <![CDATA[ <p> A method, field or class declares a generic signature where a non-hashable class is used in context where a hashable class is required. A class that declares an equals method but inherits a hashCode() method from Object is unhashable, since it doesn't fulfill the requirement that equal objects have equal hashCodes. </p> ]]> </Details> </BugPattern> <BugPattern type="HE_USE_OF_UNHASHABLE_CLASS"> <ShortDescription>Use of class without a hashCode() method in a hashed data structure</ShortDescription> <LongDescription>{2} doesn't define a hashCode() method but is used in a hashed data structure in {1}</LongDescription> <Details> <![CDATA[ <p> A class defines an equals(Object) method but not a hashCode() method, and thus doesn't fulfill the requirement that equal objects have equal hashCodes. An instance of this class is used in a hash data structure, making the need to fix this problem of highest importance. ]]> </Details> </BugPattern> <BugPattern type="HE_HASHCODE_USE_OBJECT_EQUALS"> <ShortDescription>Class defines hashCode() and uses Object.equals()</ShortDescription> <LongDescription>{0} defines hashCode and uses Object.equals()</LongDescription> <Details> <![CDATA[ <p> This class defines a <code>hashCode()</code> method but inherits its <code>equals()</code> method from <code>java.lang.Object</code> (which defines equality by comparing object references). Although this will probably satisfy the contract that equal objects must have equal hashcodes, it is probably not what was intended by overriding the <code>hashCode()</code> method. (Overriding <code>hashCode()</code> implies that the object's identity is based on criteria more complicated than simple reference equality.)</p> <p>If you don't think instances of this class will ever be inserted into a HashMap/HashTable, the recommended <code>hashCode</code> implementation to use is:</p> <pre><code>public int hashCode() { assert false : "hashCode not designed"; return 42; // any arbitrary constant will do } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="EQ_COMPARETO_USE_OBJECT_EQUALS"> <ShortDescription>Class defines compareTo(...) and uses Object.equals()</ShortDescription> <LongDescription>{0} defines {1.givenClass} and uses Object.equals()</LongDescription> <Details> <![CDATA[ <p> This class defines a <code>compareTo(...)</code> method but inherits its <code>equals()</code> method from <code>java.lang.Object</code>. Generally, the value of compareTo should return zero if and only if equals returns true. If this is violated, weird and unpredictable failures will occur in classes such as PriorityQueue. In Java 5 the PriorityQueue.remove method uses the compareTo method, while in Java 6 it uses the equals method.</p> <p>From the JavaDoc for the compareTo method in the Comparable interface: <blockquote> It is strongly recommended, but not strictly required that <code>(x.compareTo(y)==0) == (x.equals(y))</code>. Generally speaking, any class that implements the Comparable interface and violates this condition should clearly indicate this fact. The recommended language is "Note: this class has a natural ordering that is inconsistent with equals." </blockquote></p> ]]> </Details> </BugPattern> <BugPattern type="HE_HASHCODE_NO_EQUALS"> <ShortDescription>Class defines hashCode() but not equals()</ShortDescription> <LongDescription>{0} defines hashCode but not equals</LongDescription> <Details> <![CDATA[ <p> This class defines a <code>hashCode()</code> method but not an <code>equals()</code> method. Therefore, the class may violate the invariant that equal objects must have equal hashcodes.</p> ]]> </Details> </BugPattern> <BugPattern type="HE_EQUALS_USE_HASHCODE"> <ShortDescription>Class defines equals() and uses Object.hashCode()</ShortDescription> <LongDescription>{0} defines equals and uses Object.hashCode()</LongDescription> <Details> <![CDATA[ <p> This class overrides <code>equals(Object)</code>, but does not override <code>hashCode()</code>, and inherits the implementation of <code>hashCode()</code> from <code>java.lang.Object</code> (which returns the identity hash code, an arbitrary value assigned to the object by the VM). Therefore, the class is very likely to violate the invariant that equal objects must have equal hashcodes.</p> <p>If you don't think instances of this class will ever be inserted into a HashMap/HashTable, the recommended <code>hashCode</code> implementation to use is:</p> <pre><code>public int hashCode() { assert false : "hashCode not designed"; return 42; // any arbitrary constant will do } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="HE_INHERITS_EQUALS_USE_HASHCODE"> <ShortDescription>Class inherits equals() and uses Object.hashCode()</ShortDescription> <LongDescription>{0} inherits equals and uses Object.hashCode()</LongDescription> <Details> <![CDATA[ <p> This class inherits <code>equals(Object)</code> from an abstract superclass, and <code>hashCode()</code> from <code>java.lang.Object</code> (which returns the identity hash code, an arbitrary value assigned to the object by the VM). Therefore, the class is very likely to violate the invariant that equal objects must have equal hashcodes.</p> <p>If you don't want to define a hashCode method, and/or don't believe the object will ever be put into a HashMap/Hashtable, define the <code>hashCode()</code> method to throw <code>UnsupportedOperationException</code>.</p> ]]> </Details> </BugPattern> <BugPattern type="HE_EQUALS_NO_HASHCODE"> <ShortDescription>Class defines equals() but not hashCode()</ShortDescription> <LongDescription>{0} defines equals but not hashCode</LongDescription> <Details> <![CDATA[ <p> This class overrides <code>equals(Object)</code>, but does not override <code>hashCode()</code>. Therefore, the class may violate the invariant that equal objects must have equal hashcodes.</p> ]]> </Details> </BugPattern> <BugPattern type="EQ_ABSTRACT_SELF"> <ShortDescription>Abstract class defines covariant equals() method</ShortDescription> <LongDescription>Abstract {0} defines equals({0.givenClass}) method</LongDescription> <Details> <![CDATA[ <p> This class defines a covariant version of <code>equals()</code>. To correctly override the <code>equals()</code> method in <code>java.lang.Object</code>, the parameter of <code>equals()</code> must have type <code>java.lang.Object</code>.</p> ]]> </Details> </BugPattern> <BugPattern type="ES_COMPARING_STRINGS_WITH_EQ"> <ShortDescription>Comparison of String objects using == or !=</ShortDescription> <LongDescription>Comparison of String objects using == or != in {1}</LongDescription> <Details> <![CDATA[ <p>This code compares <code>java.lang.String</code> objects for reference equality using the == or != operators. Unless both strings are either constants in a source file, or have been interned using the <code>String.intern()</code> method, the same string value may be represented by two different String objects. Consider using the <code>equals(Object)</code> method instead.</p> ]]> </Details> </BugPattern> <BugPattern type="ES_COMPARING_PARAMETER_STRING_WITH_EQ"> <ShortDescription>Comparison of String parameter using == or !=</ShortDescription> <LongDescription>Comparison of String parameter using == or != in {1}</LongDescription> <Details> <![CDATA[ <p>This code compares a <code>java.lang.String</code> parameter for reference equality using the == or != operators. Requiring callers to pass only String constants or interned strings to a method is unnecessarily fragile, and rarely leads to measurable performance gains. Consider using the <code>equals(Object)</code> method instead.</p> ]]> </Details> </BugPattern> <BugPattern type="CO_ABSTRACT_SELF"> <ShortDescription>Abstract class defines covariant compareTo() method</ShortDescription> <LongDescription>Abstract {0} defines compareTo({0.givenClass}) method</LongDescription> <Details> <![CDATA[ <p> This class defines a covariant version of <code>compareTo()</code>. To correctly override the <code>compareTo()</code> method in the <code>Comparable</code> interface, the parameter of <code>compareTo()</code> must have type <code>java.lang.Object</code>.</p> ]]> </Details> </BugPattern> <BugPattern type="IS_FIELD_NOT_GUARDED"> <ShortDescription>Field not guarded against concurrent access</ShortDescription> <LongDescription>{1.givenClass} not guarded against concurrent access; locked {2}% of time</LongDescription> <Details> <![CDATA[ <p> This field is annotated with net.jcip.annotations.GuardedBy or javax.annotation.concurrent.GuardedBy, but can be accessed in a way that seems to violate those annotations.</p> ]]> </Details> </BugPattern> <BugPattern type="MSF_MUTABLE_SERVLET_FIELD"> <ShortDescription>Mutable servlet field</ShortDescription> <LongDescription>{1} is a mutable servlet field</LongDescription> <Details> <![CDATA[ <p>A web server generally only creates one instance of servlet or JSP class (i.e., treats the class as a Singleton), and will have multiple threads invoke methods on that instance to service multiple simultaneous requests. Thus, having a mutable instance field generally creates race conditions. ]]> </Details> </BugPattern> <BugPattern type="IS2_INCONSISTENT_SYNC"> <ShortDescription>Inconsistent synchronization</ShortDescription> <LongDescription>Inconsistent synchronization of {1}; locked {2}% of time</LongDescription> <Details> <![CDATA[ <p> The fields of this class appear to be accessed inconsistently with respect to synchronization. This bug report indicates that the bug pattern detector judged that </p> <ul> <li> The class contains a mix of locked and unlocked accesses,</li> <li> The class is <b>not</b> annotated as javax.annotation.concurrent.NotThreadSafe,</li> <li> At least one locked access was performed by one of the class's own methods, and</li> <li> The number of unsynchronized field accesses (reads and writes) was no more than one third of all accesses, with writes being weighed twice as high as reads</li> </ul> <p> A typical bug matching this bug pattern is forgetting to synchronize one of the methods in a class that is intended to be thread-safe.</p> <p> You can select the nodes labeled "Unsynchronized access" to show the code locations where the detector believed that a field was accessed without synchronization.</p> <p> Note that there are various sources of inaccuracy in this detector; for example, the detector cannot statically detect all situations in which a lock is held. Also, even when the detector is accurate in distinguishing locked vs. unlocked accesses, the code in question may still be correct.</p> ]]> </Details> </BugPattern> <BugPattern type="NN_NAKED_NOTIFY"> <ShortDescription>Naked notify</ShortDescription> <LongDescription>Naked notify in {1}</LongDescription> <Details> <![CDATA[ <p> A call to <code>notify()</code> or <code>notifyAll()</code> was made without any (apparent) accompanying modification to mutable object state. In general, calling a notify method on a monitor is done because some condition another thread is waiting for has become true. However, for the condition to be meaningful, it must involve a heap object that is visible to both threads.</p> <p> This bug does not necessarily indicate an error, since the change to mutable object state may have taken place in a method which then called the method containing the notification.</p> ]]> </Details> </BugPattern> <BugPattern type="MS_EXPOSE_REP"> <ShortDescription>Public static method may expose internal representation by returning a mutable object or array</ShortDescription> <LongDescription>Public static {1} may expose internal representation by returning {2.givenClass}</LongDescription> <Details> <![CDATA[ <p> A public static method returns a reference to a mutable object or an array that is part of the static state of the class. Any code that calls this method can freely modify the underlying array. One fix is to return a copy of the array.</p> ]]> </Details> </BugPattern> <BugPattern type="EI_EXPOSE_REP"> <ShortDescription>May expose internal representation by returning reference to mutable object</ShortDescription> <LongDescription>{1} may expose internal representation by returning {2.givenClass}</LongDescription> <Details> <![CDATA[ <p> Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is better approach in many situations.</p> ]]> </Details> </BugPattern> <BugPattern type="EI_EXPOSE_REP2"> <ShortDescription>May expose internal representation by incorporating reference to mutable object</ShortDescription> <LongDescription>{1} may expose internal representation by storing an externally mutable object into {2.givenClass}</LongDescription> <Details> <![CDATA[ <p> This code stores a reference to an externally mutable object into the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is better approach in many situations.</p> ]]> </Details> </BugPattern> <BugPattern type="EI_EXPOSE_STATIC_REP2"> <ShortDescription>May expose internal static state by storing a mutable object into a static field</ShortDescription> <LongDescription>{1} may expose internal static state by storing a mutable object into a static field {2}</LongDescription> <Details> <![CDATA[ <p> This code stores a reference to an externally mutable object into a static field. If unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is better approach in many situations.</p> ]]> </Details> </BugPattern> <BugPattern type="MS_EXPOSE_BUF"> <ShortDescription>May expose internal representation by returning a buffer sharing non-public data</ShortDescription> <LongDescription>{1} may expose internal representation by returning {2.givenClass}</LongDescription> <Details> <![CDATA[ <p> A public static method either returns a buffer (java.nio.*Buffer) which wraps an array that is part of the static state of the class by holding a reference only to this same array or it returns a shallow-copy of a buffer that is part of the static stat of the class which shares its reference with the original buffer. Any code that calls this method can freely modify the underlying array. One fix is to return a read-only buffer or a new buffer with a copy of the array.</p> ]]> </Details> </BugPattern> <BugPattern type="EI_EXPOSE_BUF"> <ShortDescription>May expose internal representation by returning a buffer sharing non-public data</ShortDescription> <LongDescription>{1} may expose internal representation by returning {2.givenClass}</LongDescription> <Details> <![CDATA[ <p> Returning a reference to a buffer (java.nio.*Buffer) which wraps an array stored in one of the object's fields exposes the internal representation of the array elements because the buffer only stores a reference to the array instead of copying its content. Similarly, returning a shallow-copy of such a buffer (using its duplicate() method) stored in one of the object's fields also exposes the internal representation of the buffer. If instances are accessed by untrusted code, and unchecked changes to the array would compromise security or other important properties, you will need to do something different. Returning a read-only buffer (using its asReadOnly() method) or copying the array to a new buffer (using its put() method) is a better approach in many situations.</p> ]]> </Details> </BugPattern> <BugPattern type="EI_EXPOSE_BUF2"> <ShortDescription>May expose internal representation by creating a buffer which incorporates reference to array</ShortDescription> <LongDescription>{1} may expose internal representation by creating a buffer which contains an external array into {2.givenClass}</LongDescription> <Details> <![CDATA[ <p> This code creates a buffer which stores a reference to an external array or the array of an external buffer into the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the array would compromise security or other important properties, you will need to do something different. Storing a copy of the array is a better approach in many situations.</p> ]]> </Details> </BugPattern> <BugPattern type="EI_EXPOSE_STATIC_BUF2"> <ShortDescription>May expose internal static state by creating a buffer which stores an external array into a static field</ShortDescription> <LongDescription>{1} may expose internal static state by creating a buffer which stores an external array into static field {2}</LongDescription> <Details> <![CDATA[ <p> This code creates a buffer which stores a reference to an external array or the array of an external buffer into a static field. If unchecked changes to the array would compromise security or other important properties, you will need to do something different. Storing a copy of the array is a better approach in many situations.</p> ]]> </Details> </BugPattern> <BugPattern type="RU_INVOKE_RUN"> <ShortDescription>Invokes run on a thread (did you mean to start it instead?)</ShortDescription> <LongDescription>{1} explicitly invokes run on a thread (did you mean to start it instead?)</LongDescription> <Details> <![CDATA[ <p> This method explicitly invokes <code>run()</code> on an object. In general, classes implement the <code>Runnable</code> interface because they are going to have their <code>run()</code> method invoked in a new thread, in which case <code>Thread.start()</code> is the right method to call.</p> ]]> </Details> </BugPattern> <BugPattern type="SP_SPIN_ON_FIELD"> <ShortDescription>Method spins on field</ShortDescription> <LongDescription>Spinning on {2.givenClass} in {1}</LongDescription> <Details> <![CDATA[ <p> This method spins in a loop which reads a field. The compiler may legally hoist the read out of the loop, turning the code into an infinite loop. The class should be changed so it uses proper synchronization (including wait and notify calls).</p> ]]> </Details> </BugPattern> <BugPattern type="NS_DANGEROUS_NON_SHORT_CIRCUIT"> <ShortDescription>Potentially dangerous use of non-short-circuit logic</ShortDescription> <LongDescription>Potentially dangerous use of non-short-circuit logic in {1}</LongDescription> <Details> <![CDATA[ <p> This code seems to be using non-short-circuit logic (e.g., & or |) rather than short-circuit logic (&& or ||). In addition, it seems possible that, depending on the value of the left hand side, you might not want to evaluate the right hand side (because it would have side effects, could cause an exception or could be expensive.</p> <p> Non-short-circuit logic causes both sides of the expression to be evaluated even when the result can be inferred from knowing the left-hand side. This can be less efficient and can result in errors if the left-hand side guards cases when evaluating the right-hand side can generate an error. </p> <p>See <a href="https://docs.oracle.com/javase/specs/jls/se7/html/jls-15.html#jls-15.22.2">the Java Language Specification</a> for details. </p> ]]> </Details> </BugPattern> <BugPattern type="NS_NON_SHORT_CIRCUIT"> <ShortDescription>Questionable use of non-short-circuit logic</ShortDescription> <LongDescription>Questionable use of non-short-circuit logic in {1}</LongDescription> <Details> <![CDATA[ <p> This code seems to be using non-short-circuit logic (e.g., & or |) rather than short-circuit logic (&& or ||). Non-short-circuit logic causes both sides of the expression to be evaluated even when the result can be inferred from knowing the left-hand side. This can be less efficient and can result in errors if the left-hand side guards cases when evaluating the right-hand side can generate an error. <p>See <a href="https://docs.oracle.com/javase/specs/jls/se7/html/jls-15.html#jls-15.22.2">the Java Language Specification</a> for details. </p> ]]> </Details> </BugPattern> <BugPattern type="TLW_TWO_LOCK_WAIT"> <ShortDescription>Wait with two locks held</ShortDescription> <LongDescription>wait() with two locks held in {1}</LongDescription> <Details> <![CDATA[ <p>Waiting on a monitor while two locks are held may cause deadlock. Performing a wait only releases the lock on the object being waited on, not any other locks. This not necessarily a bug, but is worth examining closely.</p> ]]> </Details> </BugPattern> <BugPattern type="TLW_TWO_LOCK_NOTIFY" deprecated="true"> <!-- never generated --> <ShortDescription>Notify with two locks held</ShortDescription> <LongDescription>notify() or notifyAll*() with two locks held in {1}</LongDescription> <Details> <![CDATA[ <p> The code calls notify() or notifyAll() while two locks are held. If this notification is intended to wake up a wait() that is holding the same locks, it may deadlock, since the wait will only give up one lock and the notify will be unable to get both locks, and thus the notify will not succeed. If there is also a warning about a two lock wait, the probability of a bug is quite high. </p> ]]> </Details> </BugPattern> <BugPattern type="UW_UNCOND_WAIT"> <ShortDescription>Unconditional wait</ShortDescription> <LongDescription>Unconditional wait in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains a call to <code>java.lang.Object.wait()</code> which is not guarded by conditional control flow. The code should verify that condition it intends to wait for is not already satisfied before calling wait; any previous notifications will be ignored. </p> ]]> </Details> </BugPattern> <BugPattern type="UR_UNINIT_READ"> <ShortDescription>Uninitialized read of field in constructor</ShortDescription> <LongDescription>Uninitialized read of {2.name} in {1}</LongDescription> <Details> <![CDATA[ <p> This constructor reads a field which has not yet been assigned a value. This is often caused when the programmer mistakenly uses the field instead of one of the constructor's parameters.</p> ]]> </Details> </BugPattern> <BugPattern type="UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR"> <ShortDescription>Uninitialized read of field method called from constructor of superclass</ShortDescription> <LongDescription>{2.name} isn't initialized in {1} when invoked from constructor for superclass</LongDescription> <Details> <![CDATA[ <p> This method is invoked in the constructor of the superclass. At this point, the fields of the class have not yet initialized.</p> <p>To make this more concrete, consider the following classes:</p> <pre><code>abstract class A { int hashCode; abstract Object getValue(); A() { hashCode = getValue().hashCode(); } } class B extends A { Object value; B(Object v) { this.value = v; } Object getValue() { return value; } } </code></pre> <p>When a <code>B</code> is constructed, the constructor for the <code>A</code> class is invoked <em>before</em> the constructor for <code>B</code> sets <code>value</code>. Thus, when the constructor for <code>A</code> invokes <code>getValue</code>, an uninitialized value is read for <code>value</code>. </p> ]]> </Details> </BugPattern> <BugPattern type="UG_SYNC_SET_UNSYNC_GET"> <ShortDescription>Unsynchronized get method, synchronized set method</ShortDescription> <LongDescription>{1} is unsynchronized, {2} is synchronized</LongDescription> <Details> <![CDATA[ <p> This class contains similarly-named get and set methods where the set method is synchronized and the get method is not. This may result in incorrect behavior at runtime, as callers of the get method will not necessarily see a consistent state for the object. The get method should be made synchronized.</p> ]]> </Details> </BugPattern> <BugPattern type="IC_INIT_CIRCULARITY"> <ShortDescription>Initialization circularity</ShortDescription> <LongDescription>Initialization circularity between {0} and {1}</LongDescription> <Details> <![CDATA[ <p> A circularity was detected in the static initializers of the two classes referenced by the bug instance. Many kinds of unexpected behavior may arise from such circularity.</p> ]]> </Details> </BugPattern> <BugPattern type="IC_SUPERCLASS_USES_SUBCLASS_DURING_INITIALIZATION"> <ShortDescription>Superclass uses subclass during initialization</ShortDescription> <LongDescription>Initialization of {0} accesses class {2}, which isn't initialized yet</LongDescription> <Details> <![CDATA[ <p> During the initialization of a class, the class makes an active use of a subclass. That subclass will not yet be initialized at the time of this use. For example, in the following code, <code>foo</code> will be null.</p> <pre><code>public class CircularClassInitialization { static class InnerClassSingleton extends CircularClassInitialization { static InnerClassSingleton singleton = new InnerClassSingleton(); } static CircularClassInitialization foo = InnerClassSingleton.singleton; } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="IT_NO_SUCH_ELEMENT"> <ShortDescription>Iterator next() method cannot throw NoSuchElementException</ShortDescription> <LongDescription>{1} cannot throw NoSuchElementException</LongDescription> <Details> <![CDATA[ <p> This class implements the <code>java.util.Iterator</code> interface. However, its <code>next()</code> method is not capable of throwing <code>java.util.NoSuchElementException</code>. The <code>next()</code> method should be changed so it throws <code>NoSuchElementException</code> if is called when there are no more elements to return.</p> ]]> </Details> </BugPattern> <BugPattern type="DL_SYNCHRONIZATION_ON_SHARED_CONSTANT"> <ShortDescription>Synchronization on String literal</ShortDescription> <LongDescription>Synchronization on String literal in {1}</LongDescription> <Details> <![CDATA[ <p> The code synchronizes on String literal.</p> <pre><code>private static String LOCK = "LOCK"; ... synchronized(LOCK) { ... } ... </code></pre> <p>Constant Strings are interned and shared across all other classes loaded by the JVM. Thus, this code is locking on something that other code might also be locking. This could result in very strange and hard to diagnose blocking and deadlock behavior. See <a href="http://www.javalobby.org/java/forums/t96352.html">http://www.javalobby.org/java/forums/t96352.html</a> and <a href="http://jira.codehaus.org/browse/JETTY-352">http://jira.codehaus.org/browse/JETTY-352</a>. </p> <p>See CERT <a href="https://wiki.sei.cmu.edu/confluence/display/java/LCK01-J.+Do+not+synchronize+on+objects+that+may+be+reused">LCK01-J. Do not synchronize on objects that may be reused</a> for more information.</p> ]]> </Details> </BugPattern> <BugPattern type="DL_SYNCHRONIZATION_ON_INTERNED_STRING"> <ShortDescription>Synchronization on interned String</ShortDescription> <LongDescription>Synchronization on interned String in {1}</LongDescription> <Details> <![CDATA[ <p> The code synchronizes on interned String.</p> <pre><code>private static String LOCK = new String("LOCK").intern(); ... synchronized(LOCK) { ... } ... </code></pre> <p>Constant Strings are interned and shared across all other classes loaded by the JVM. Thus, this code is locking on something that other code might also be locking. This could result in very strange and hard to diagnose blocking and deadlock behavior. See <a href="http://www.javalobby.org/java/forums/t96352.html">http://www.javalobby.org/java/forums/t96352.html</a> and <a href="http://jira.codehaus.org/browse/JETTY-352">http://jira.codehaus.org/browse/JETTY-352</a>. </p> <p>See CERT <a href="https://wiki.sei.cmu.edu/confluence/display/java/LCK01-J.+Do+not+synchronize+on+objects+that+may+be+reused">LCK01-J. Do not synchronize on objects that may be reused</a> for more information.</p> ]]> </Details> </BugPattern> <BugPattern type="DL_SYNCHRONIZATION_ON_BOOLEAN"> <ShortDescription>Synchronization on Boolean</ShortDescription> <LongDescription>Synchronization on Boolean in {1}</LongDescription> <Details> <![CDATA[ <p> The code synchronizes on a boxed primitive constant, such as a Boolean.</p> <pre><code>private static Boolean inited = Boolean.FALSE; ... synchronized(inited) { if (!inited) { init(); inited = Boolean.TRUE; } } ... </code></pre> <p>Since there normally exist only two Boolean objects, this code could be synchronizing on the same object as other, unrelated code, leading to unresponsiveness and possible deadlock.</p> <p>See CERT <a href="https://wiki.sei.cmu.edu/confluence/display/java/LCK01-J.+Do+not+synchronize+on+objects+that+may+be+reused">LCK01-J. Do not synchronize on objects that may be reused</a> for more information.</p> ]]> </Details> </BugPattern> <BugPattern type="DL_SYNCHRONIZATION_ON_UNSHARED_BOXED_PRIMITIVE"> <ShortDescription>Synchronization on boxed primitive values</ShortDescription> <LongDescription>Synchronization on {2} in {1}</LongDescription> <Details> <![CDATA[ <p> The code synchronizes on an apparently unshared boxed primitive, such as an Integer.</p> <pre><code>private static final Integer fileLock = new Integer(1); ... synchronized(fileLock) { .. do something .. } ... </code></pre> <p>It would be much better, in this code, to redeclare fileLock as</p> <pre><code>private static final Object fileLock = new Object(); </code></pre> <p> The existing code might be OK, but it is confusing and a future refactoring, such as the "Remove Boxing" refactoring in IntelliJ, might replace this with the use of an interned Integer object shared throughout the JVM, leading to very confusing behavior and potential deadlock. </p> ]]> </Details> </BugPattern> <BugPattern type="DL_SYNCHRONIZATION_ON_BOXED_PRIMITIVE"> <ShortDescription>Synchronization on boxed primitive</ShortDescription> <LongDescription>Synchronization on {2} in {1}</LongDescription> <Details> <![CDATA[ <p> The code synchronizes on a boxed primitive constant, such as an Integer.</p> <pre><code>private static Integer count = 0; ... synchronized(count) { count++; } ... </code></pre> <p>Since Integer objects can be cached and shared, this code could be synchronizing on the same object as other, unrelated code, leading to unresponsiveness and possible deadlock.</p> <p>See CERT <a href="https://wiki.sei.cmu.edu/confluence/display/java/LCK01-J.+Do+not+synchronize+on+objects+that+may+be+reused">LCK01-J. Do not synchronize on objects that may be reused</a> for more information.</p> ]]> </Details> </BugPattern> <BugPattern type="ESync_EMPTY_SYNC"> <ShortDescription>Empty synchronized block</ShortDescription> <LongDescription>Empty synchronized block in {1}</LongDescription> <Details> <![CDATA[ <p> The code contains an empty synchronized block:</p> <pre><code>synchronized() { } </code></pre> <p>Empty synchronized blocks are far more subtle and hard to use correctly than most people recognize, and empty synchronized blocks are almost never a better solution than less contrived solutions. </p> ]]> </Details> </BugPattern> <BugPattern type="IS_INCONSISTENT_SYNC"> <ShortDescription>Inconsistent synchronization</ShortDescription> <LongDescription>Inconsistent synchronization of {1}; locked {2}% of the time</LongDescription> <Details> <![CDATA[ <p> The fields of this class appear to be accessed inconsistently with respect to synchronization. This bug report indicates that the bug pattern detector judged that </p> <ul> <li> The class contains a mix of locked and unlocked accesses,</li> <li> At least one locked access was performed by one of the class's own methods, and</li> <li> The number of unsynchronized field accesses (reads and writes) was no more than one third of all accesses, with writes being weighed twice as high as reads</li> </ul> <p> A typical bug matching this bug pattern is forgetting to synchronize one of the methods in a class that is intended to be thread-safe.</p> <p> Note that there are various sources of inaccuracy in this detector; for example, the detector cannot statically detect all situations in which a lock is held. Also, even when the detector is accurate in distinguishing locked vs. unlocked accesses, the code in question may still be correct.</p> ]]> </Details> </BugPattern> <BugPattern type="ML_SYNC_ON_FIELD_TO_GUARD_CHANGING_THAT_FIELD"> <ShortDescription>Synchronization on field in futile attempt to guard that field</ShortDescription> <LongDescription>Synchronization on {2.givenClass} in futile attempt to guard it</LongDescription> <Details> <![CDATA[ <p> This method synchronizes on a field in what appears to be an attempt to guard against simultaneous updates to that field. But guarding a field gets a lock on the referenced object, not on the field. This may not provide the mutual exclusion you need, and other threads might be obtaining locks on the referenced objects (for other purposes). An example of this pattern would be:</p> <pre><code>private Long myNtfSeqNbrCounter = new Long(0); private Long getNotificationSequenceNumber() { Long result = null; synchronized(myNtfSeqNbrCounter) { result = new Long(myNtfSeqNbrCounter.longValue() + 1); myNtfSeqNbrCounter = new Long(result.longValue()); } return result; } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="ML_SYNC_ON_UPDATED_FIELD"> <ShortDescription>Method synchronizes on an updated field</ShortDescription> <LongDescription>{1} synchronizes on updated field {2.givenClass}</LongDescription> <Details> <![CDATA[ <p> This method synchronizes on an object referenced from a mutable field. This is unlikely to have useful semantics, since different threads may be synchronizing on different objects.</p> ]]> </Details> </BugPattern> <BugPattern type="MS_OOI_PKGPROTECT"> <ShortDescription>Field should be moved out of an interface and made package protected</ShortDescription> <LongDescription>{1} should be moved out of an interface and made package protected</LongDescription> <Details> <![CDATA[ <p> A final static field that is defined in an interface references a mutable object such as an array or hashtable. This mutable object could be changed by malicious code or by accident from another package. To solve this, the field needs to be moved to a class and made package protected to avoid this vulnerability.</p> ]]> </Details> </BugPattern> <BugPattern type="MS_FINAL_PKGPROTECT"> <ShortDescription>Field should be both final and package protected</ShortDescription> <LongDescription>{1} should be both final and package protected</LongDescription> <Details> <![CDATA[ <p> A mutable static field could be changed by malicious code or by accident from another package. The field could be made package protected and/or made final to avoid this vulnerability.</p> ]]> </Details> </BugPattern> <BugPattern type="MS_SHOULD_BE_REFACTORED_TO_BE_FINAL"> <ShortDescription>Field isn't final but should be refactored to be so</ShortDescription> <LongDescription>{1} isn't final but should be refactored to be so</LongDescription> <Details> <![CDATA[ <p> This <code>public static</code> or <code>protected static</code> field is not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability. However, the static initializer contains more than one write to the field, so doing so will require some refactoring. </p> ]]> </Details> </BugPattern> <BugPattern type="MS_SHOULD_BE_FINAL"> <ShortDescription>Field isn't final but should be</ShortDescription> <LongDescription>{1} isn't final but should be</LongDescription> <Details> <![CDATA[ <p> This <code>public static</code> or <code>protected static</code> field is not final, and could be changed by malicious code or by accident from another package. The field could be made final to avoid this vulnerability.</p> ]]> </Details> </BugPattern> <BugPattern type="MS_PKGPROTECT"> <ShortDescription>Field should be package protected</ShortDescription> <LongDescription>{1} should be package protected</LongDescription> <Details> <![CDATA[ <p> A mutable static field could be changed by malicious code or by accident. The field could be made package protected to avoid this vulnerability.</p> ]]> </Details> </BugPattern> <BugPattern type="MS_MUTABLE_HASHTABLE"> <ShortDescription>Field is a mutable Hashtable</ShortDescription> <LongDescription>{1} is a mutable Hashtable</LongDescription> <Details> <![CDATA[ <p>A final static field references a Hashtable and can be accessed by malicious code or by accident from another package. This code can freely modify the contents of the Hashtable.</p> ]]> </Details> </BugPattern> <BugPattern type="MS_MUTABLE_COLLECTION"> <ShortDescription>Field is a mutable collection</ShortDescription> <LongDescription>{1} is a mutable collection</LongDescription> <Details> <![CDATA[ <p>A mutable collection instance is assigned to a final static field, thus can be changed by malicious code or by accident from another package. Consider wrapping this field into Collections.unmodifiableSet/List/Map/etc. to avoid this vulnerability.</p> ]]> </Details> </BugPattern> <BugPattern type="MS_MUTABLE_COLLECTION_PKGPROTECT"> <ShortDescription>Field is a mutable collection which should be package protected</ShortDescription> <LongDescription>{1} is a mutable collection which should be package protected</LongDescription> <Details> <![CDATA[ <p>A mutable collection instance is assigned to a final static field, thus can be changed by malicious code or by accident from another package. The field could be made package protected to avoid this vulnerability. Alternatively you may wrap this field into Collections.unmodifiableSet/List/Map/etc. to avoid this vulnerability.</p> ]]> </Details> </BugPattern> <BugPattern type="MS_MUTABLE_ARRAY"> <ShortDescription>Field is a mutable array</ShortDescription> <LongDescription>{1} is a mutable array</LongDescription> <Details> <![CDATA[ <p> A final static field references an array and can be accessed by malicious code or by accident from another package. This code can freely modify the contents of the array.</p> ]]> </Details> </BugPattern> <BugPattern type="MS_CANNOT_BE_FINAL"> <ShortDescription>Field isn't final and cannot be protected from malicious code</ShortDescription> <LongDescription>{1} isn't final and cannot be protected from malicious code</LongDescription> <Details> <![CDATA[ <p> A mutable static field could be changed by malicious code or by accident from another package. Unfortunately, the way the field is used doesn't allow any easy fix to this problem.</p> ]]> </Details> </BugPattern> <BugPattern type="ME_MUTABLE_ENUM_FIELD"> <ShortDescription>Enum field is public and mutable</ShortDescription> <LongDescription>{1} field is public and mutable</LongDescription> <Details> <![CDATA[ <p>A mutable public field is defined inside a public enum, thus can be changed by malicious code or by accident from another package. Though mutable enum fields may be used for lazy initialization, it's a bad practice to expose them to the outer world. Consider declaring this field final and/or package-private.</p> ]]> </Details> </BugPattern> <BugPattern type="ME_ENUM_FIELD_SETTER"> <ShortDescription>Public enum method unconditionally sets its field</ShortDescription> <LongDescription>{1} unconditionally sets the field {2.name}</LongDescription> <Details> <![CDATA[ <p>This public method declared in public enum unconditionally sets enum field, thus this field can be changed by malicious code or by accident from another package. Though mutable enum fields may be used for lazy initialization, it's a bad practice to expose them to the outer world. Consider removing this method or declaring it package-private.</p> ]]> </Details> </BugPattern> <BugPattern type="IA_AMBIGUOUS_INVOCATION_OF_INHERITED_OR_OUTER_METHOD"> <ShortDescription>Potentially ambiguous invocation of either an inherited or outer method</ShortDescription> <LongDescription>Potentially ambiguous invocation of either an outer or inherited method {2} in {1}</LongDescription> <Details> <![CDATA[ <p> An inner class is invoking a method that could be resolved to either an inherited method or a method defined in an outer class. For example, you invoke <code>foo(17)</code>, which is defined in both a superclass and in an outer method. By the Java semantics, it will be resolved to invoke the inherited method, but this may not be what you intend. </p> <p>If you really intend to invoke the inherited method, invoke it by invoking the method on super (e.g., invoke super.foo(17)), and thus it will be clear to other readers of your code and to SpotBugs that you want to invoke the inherited method, not the method in the outer class. </p> <p>If you call <code>this.foo(17)</code>, then the inherited method will be invoked. However, since SpotBugs only looks at classfiles, it cannot tell the difference between an invocation of <code>this.foo(17)</code> and <code>foo(17)</code>, it will still complain about a potential ambiguous invocation. </p> ]]> </Details> </BugPattern> <BugPattern type="NM_SAME_SIMPLE_NAME_AS_SUPERCLASS"> <ShortDescription>Class names shouldn't shadow simple name of superclass</ShortDescription> <LongDescription>The class name {0} shadows the simple name of the superclass {1}</LongDescription> <Details> <![CDATA[ <p> This class has a simple name that is identical to that of its superclass, except that its superclass is in a different package (e.g., <code>alpha.Foo</code> extends <code>beta.Foo</code>). This can be exceptionally confusing, create lots of situations in which you have to look at import statements to resolve references and creates many opportunities to accidentally define methods that do not override methods in their superclasses. </p> ]]> </Details> </BugPattern> <BugPattern type="NM_SAME_SIMPLE_NAME_AS_INTERFACE"> <ShortDescription>Class names shouldn't shadow simple name of implemented interface</ShortDescription> <LongDescription>The class name {0} shadows the simple name of implemented interface {1}</LongDescription> <Details> <![CDATA[ <p> This class/interface has a simple name that is identical to that of an implemented/extended interface, except that the interface is in a different package (e.g., <code>alpha.Foo</code> extends <code>beta.Foo</code>). This can be exceptionally confusing, create lots of situations in which you have to look at import statements to resolve references and creates many opportunities to accidentally define methods that do not override methods in their superclasses. </p> ]]> </Details> </BugPattern> <BugPattern type="NM_CLASS_NAMING_CONVENTION"> <ShortDescription>Class names should start with an upper case letter</ShortDescription> <LongDescription>The class name {0} doesn't start with an upper case letter</LongDescription> <Details> <![CDATA[ <p> Class names should be nouns, in mixed case with the first letter of each internal word capitalized. Try to keep your class names simple and descriptive. Use whole words-avoid acronyms and abbreviations (unless the abbreviation is much more widely used than the long form, such as URL or HTML). </p> ]]> </Details> </BugPattern> <BugPattern type="NM_METHOD_NAMING_CONVENTION"> <ShortDescription>Method names should start with a lower case letter</ShortDescription> <LongDescription>The method name {1} doesn't start with a lower case letter</LongDescription> <Details> <![CDATA[ <p> Methods should be verbs, in mixed case with the first letter lowercase, with the first letter of each internal word capitalized. </p> ]]> </Details> </BugPattern> <BugPattern type="NM_FIELD_NAMING_CONVENTION"> <ShortDescription>Non-final field names should start with a lower case letter, final fields should be uppercase with words separated by underscores</ShortDescription> <LongDescription>The field name {1} is not conform to the naming convention. If final, it should be ALL_CAPS, otherwise lowerCamelCase.</LongDescription> <Details> <![CDATA[ <p> Names of fields that are not final should be in mixed case with a lowercase first letter and the first letters of subsequent words capitalized. Names of final fields should be all uppercase with words separated by underscores ('_'). </p> ]]> </Details> </BugPattern> <BugPattern type="NM_VERY_CONFUSING"> <ShortDescription>Very confusing method names</ShortDescription> <LongDescription>VERY confusing to have methods {1} and {3}</LongDescription> <Details> <![CDATA[ <p> The referenced methods have names that differ only by capitalization. This is very confusing because if the capitalization were identical then one of the methods would override the other. </p> ]]> </Details> </BugPattern> <BugPattern type="NM_VERY_CONFUSING_INTENTIONAL"> <ShortDescription>Very confusing method names (but perhaps intentional)</ShortDescription> <LongDescription>VERY confusing (but perhaps intentional) to have methods {1} and {3}</LongDescription> <Details> <![CDATA[ <p> The referenced methods have names that differ only by capitalization. This is very confusing because if the capitalization were identical then one of the methods would override the other. From the existence of other methods, it seems that the existence of both of these methods is intentional, but is sure is confusing. You should try hard to eliminate one of them, unless you are forced to have both due to frozen APIs. </p> ]]> </Details> </BugPattern> <BugPattern type="NM_WRONG_PACKAGE"> <ShortDescription>Method doesn't override method in superclass due to wrong package for parameter</ShortDescription> <LongDescription>{1} doesn't override method in superclass because parameter type {4} doesn't match superclass parameter type {5}</LongDescription> <Details> <![CDATA[ <p> The method in the subclass doesn't override a similar method in a superclass because the type of a parameter doesn't exactly match the type of the corresponding parameter in the superclass. For example, if you have:</p> <pre><code>import alpha.Foo; public class A { public int f(Foo x) { return 17; } } ---- import beta.Foo; public class B extends A { public int f(Foo x) { return 42; } } </code></pre> <p>The <code>f(Foo)</code> method defined in class <code>B</code> doesn't override the <code>f(Foo)</code> method defined in class <code>A</code>, because the argument types are <code>Foo</code>'s from different packages. </p> ]]> </Details> </BugPattern> <BugPattern type="NM_WRONG_PACKAGE_INTENTIONAL"> <ShortDescription>Method doesn't override method in superclass due to wrong package for parameter</ShortDescription> <LongDescription>{1} doesn't override method in superclass because parameter type {4} doesn't match superclass parameter type {5}</LongDescription> <Details> <![CDATA[ <p> The method in the subclass doesn't override a similar method in a superclass because the type of a parameter doesn't exactly match the type of the corresponding parameter in the superclass. For example, if you have:</p> <pre><code>import alpha.Foo; public class A { public int f(Foo x) { return 17; } } ---- import beta.Foo; public class B extends A { public int f(Foo x) { return 42; } public int f(alpha.Foo x) { return 27; } } </code></pre> <p>The <code>f(Foo)</code> method defined in class <code>B</code> doesn't override the <code>f(Foo)</code> method defined in class <code>A</code>, because the argument types are <code>Foo</code>'s from different packages. </p> <p>In this case, the subclass does define a method with a signature identical to the method in the superclass, so this is presumably understood. However, such methods are exceptionally confusing. You should strongly consider removing or deprecating the method with the similar but not identical signature. </p> ]]> </Details> </BugPattern> <BugPattern type="NM_CONFUSING"> <ShortDescription>Confusing method names</ShortDescription> <LongDescription>Confusing to have methods {1} and {3}</LongDescription> <Details> <![CDATA[ <p> The referenced methods have names that differ only by capitalization.</p> ]]> </Details> </BugPattern> <BugPattern type="NM_METHOD_CONSTRUCTOR_CONFUSION"> <ShortDescription>Apparent method/constructor confusion</ShortDescription> <LongDescription>{1} was probably intended to be a constructor</LongDescription> <Details> <![CDATA[ <p> This regular method has the same name as the class it is defined in. It is likely that this was intended to be a constructor. If it was intended to be a constructor, remove the declaration of a void return value. If you had accidentally defined this method, realized the mistake, defined a proper constructor but cannot get rid of this method due to backwards compatibility, deprecate the method. </p> ]]> </Details> </BugPattern> <BugPattern type="NM_LCASE_HASHCODE"> <ShortDescription>Class defines hashcode(); should it be hashCode()?</ShortDescription> <LongDescription>Class {0} defines hashcode(); should it be hashCode()?</LongDescription> <Details> <![CDATA[ <p> This class defines a method called <code>hashcode()</code>. This method does not override the <code>hashCode()</code> method in <code>java.lang.Object</code>, which is probably what was intended.</p> ]]> </Details> </BugPattern> <BugPattern type="NM_LCASE_TOSTRING"> <ShortDescription>Class defines tostring(); should it be toString()?</ShortDescription> <LongDescription>Class {0} defines tostring(); should it be toString()?</LongDescription> <Details> <![CDATA[ <p> This class defines a method called <code>tostring()</code>. This method does not override the <code>toString()</code> method in <code>java.lang.Object</code>, which is probably what was intended.</p> ]]> </Details> </BugPattern> <BugPattern type="NM_BAD_EQUAL"> <ShortDescription>Class defines equal(Object); should it be equals(Object)?</ShortDescription> <LongDescription>Class {0} defines equal(Object); should it be equals(Object)?</LongDescription> <Details> <![CDATA[ <p> This class defines a method <code>equal(Object)</code>. This method does not override the <code>equals(Object)</code> method in <code>java.lang.Object</code>, which is probably what was intended.</p> ]]> </Details> </BugPattern> <BugPattern type="NM_CLASS_NOT_EXCEPTION"> <ShortDescription>Class is not derived from an Exception, even though it is named as such</ShortDescription> <LongDescription>Class {0} is not derived from an Exception, even though it is named as such</LongDescription> <Details> <![CDATA[ <p> This class is not derived from another exception, but ends with 'Exception'. This will be confusing to users of this class.</p> ]]> </Details> </BugPattern> <BugPattern type="RR_NOT_CHECKED"> <ShortDescription>Method ignores results of InputStream.read()</ShortDescription> <LongDescription>{1} ignores result of {2}</LongDescription> <Details> <![CDATA[ <p> This method ignores the return value of one of the variants of <code>java.io.InputStream.read()</code> which can return multiple bytes. If the return value is not checked, the caller will not be able to correctly handle the case where fewer bytes were read than the caller requested. This is a particularly insidious kind of bug, because in many programs, reads from input streams usually do read the full amount of data requested, causing the program to fail only sporadically.</p> ]]> </Details> </BugPattern> <BugPattern type="SR_NOT_CHECKED"> <ShortDescription>Method ignores results of InputStream.skip()</ShortDescription> <LongDescription>{1} ignores result of {2}</LongDescription> <Details> <![CDATA[ <p> This method ignores the return value of <code>java.io.InputStream.skip()</code> which can skip multiple bytes. If the return value is not checked, the caller will not be able to correctly handle the case where fewer bytes were skipped than the caller requested. This is a particularly insidious kind of bug, because in many programs, skips from input streams usually do skip the full amount of data requested, causing the program to fail only sporadically. With Buffered streams, however, skip() will only skip data in the buffer, and will routinely fail to skip the requested number of bytes.</p> ]]> </Details> </BugPattern> <BugPattern type="SE_READ_RESOLVE_IS_STATIC"> <ShortDescription>The readResolve method must not be declared as a static method.</ShortDescription> <LongDescription>{1} should be declared as an instance method rather than a static method</LongDescription> <Details> <![CDATA[ <p> In order for the readResolve method to be recognized by the serialization mechanism, it must not be declared as a static method. </p> ]]> </Details> </BugPattern> <BugPattern type="SE_PRIVATE_READ_RESOLVE_NOT_INHERITED"> <ShortDescription>Private readResolve method not inherited by subclasses</ShortDescription> <LongDescription>Private readResolve method in {0} not inherited by subclasses.</LongDescription> <Details> <![CDATA[ <p> This class defines a private readResolve method. Since it is private, it won't be inherited by subclasses. This might be intentional and OK, but should be reviewed to ensure it is what is intended. </p> ]]> </Details> </BugPattern> <BugPattern type="SE_READ_RESOLVE_MUST_RETURN_OBJECT"> <ShortDescription>The readResolve method must be declared with a return type of Object.</ShortDescription> <LongDescription>The method {1} must be declared with a return type of Object rather than {1.returnType}</LongDescription> <Details> <![CDATA[ <p> In order for the readResolve method to be recognized by the serialization mechanism, it must be declared to have a return type of Object. </p> ]]> </Details> </BugPattern> <BugPattern type="SE_TRANSIENT_FIELD_OF_NONSERIALIZABLE_CLASS"> <ShortDescription>Transient field of class that isn't Serializable.</ShortDescription> <LongDescription>{1.givenClass} is transient but {0} isn't Serializable</LongDescription> <Details> <![CDATA[ <p> The field is marked as transient, but the class isn't Serializable, so marking it as transient has absolutely no effect. This may be leftover marking from a previous version of the code in which the class was Serializable, or it may indicate a misunderstanding of how serialization works. </p> <p><em>This bug is reported only if special option <tt>reportTransientFieldOfNonSerializableClass</tt> is set.</em></p> ]]> </Details> </BugPattern> <BugPattern type="SE_TRANSIENT_FIELD_NOT_RESTORED"> <ShortDescription>Transient field that isn't set by deserialization.</ShortDescription> <LongDescription>The field {1} is transient but isn't set by deserialization</LongDescription> <Details> <![CDATA[ <p> This class contains a field that is updated at multiple places in the class, thus it seems to be part of the state of the class. However, since the field is marked as transient and not set in readObject or readResolve, it will contain the default value in any deserialized instance of the class. </p> ]]> </Details> </BugPattern> <BugPattern type="SE_PREVENT_EXT_OBJ_OVERWRITE"> <ShortDescription>Prevent overwriting of externalizable objects</ShortDescription> <LongDescription>Any caller can reset the value of the object by using the readExternal() method.</LongDescription> <Details> <![CDATA[ <p>The <code>readExternal()</code> method must be declared as public and is not protected from malicious callers, so the code permits any caller to reset the value of the object at any time.</p> <p>To prevent overwriting of externalizable objects, you can use a Boolean flag that is set after the instance fields have been populated. You can also protect against race conditions by synchronizing on a private lock object. </p> ]]> </Details> </BugPattern> <BugPattern type="SE_METHOD_MUST_BE_PRIVATE"> <ShortDescription>Method must be private in order for serialization to work</ShortDescription> <LongDescription>The method {1.givenClass} must be private to be invoked in serialization/deserialization of {0}</LongDescription> <Details> <![CDATA[ <p> This class implements the <code>Serializable</code> interface, and defines a method for custom serialization/deserialization. But since that method isn't declared private, it will be silently ignored by the serialization/deserialization API.</p> ]]> </Details> </BugPattern> <BugPattern type="SE_NO_SUITABLE_CONSTRUCTOR_FOR_EXTERNALIZATION"> <ShortDescription>Class is Externalizable but doesn't define a void constructor</ShortDescription> <LongDescription>{0} is Externalizable but doesn't define a void constructor</LongDescription> <Details> <![CDATA[ <p> This class implements the <code>Externalizable</code> interface, but does not define a public void constructor. When Externalizable objects are deserialized, they first need to be constructed by invoking the public void constructor. Since this class does not have one, serialization and deserialization will fail at runtime.</p> ]]> </Details> </BugPattern> <BugPattern type="SE_NO_SUITABLE_CONSTRUCTOR"> <ShortDescription>Class is Serializable but its superclass doesn't define a void constructor</ShortDescription> <LongDescription>{0} is Serializable but its superclass doesn't define an accessible void constructor</LongDescription> <Details> <![CDATA[ <p> This class implements the <code>Serializable</code> interface and its superclass does not. When such an object is deserialized, the fields of the superclass need to be initialized by invoking the void constructor of the superclass. Since the superclass does not have one, serialization and deserialization will fail at runtime.</p> ]]> </Details> </BugPattern> <BugPattern type="SE_NO_SERIALVERSIONID"> <ShortDescription>Class is Serializable, but doesn't define serialVersionUID</ShortDescription> <LongDescription>{0} is Serializable; consider declaring a serialVersionUID</LongDescription> <Details> <![CDATA[ <p> This class implements the <code>Serializable</code> interface, but does not define a <code>serialVersionUID</code> field. A change as simple as adding a reference to a .class object will add synthetic fields to the class, which will unfortunately change the implicit serialVersionUID (e.g., adding a reference to <code>String.class</code> will generate a static field <code>class$java$lang$String</code>). Also, different source code to bytecode compilers may use different naming conventions for synthetic variables generated for references to class objects or inner classes. To ensure interoperability of Serializable across versions, consider adding an explicit serialVersionUID.</p> ]]> </Details> </BugPattern> <BugPattern type="SE_COMPARATOR_SHOULD_BE_SERIALIZABLE"> <ShortDescription>Comparator doesn't implement Serializable</ShortDescription> <LongDescription>{0} implements Comparator but not Serializable</LongDescription> <Details> <![CDATA[ <p> This class implements the <code>Comparator</code> interface. You should consider whether or not it should also implement the <code>Serializable</code> interface. If a comparator is used to construct an ordered collection such as a <code>TreeMap</code>, then the <code>TreeMap</code> will be serializable only if the comparator is also serializable. As most comparators have little or no state, making them serializable is generally easy and good defensive programming. </p> ]]> </Details> </BugPattern> <BugPattern type="SF_SWITCH_FALLTHROUGH"> <ShortDescription>Switch statement found where one case falls through to the next case</ShortDescription> <LongDescription>Switch statement found in {1} where one case falls through to the next case</LongDescription> <Details> <![CDATA[ <p> This method contains a switch statement where one case branch will fall through to the next case. Usually you need to end this case with a break or return.</p> ]]> </Details> </BugPattern> <BugPattern type="SF_SWITCH_NO_DEFAULT"> <ShortDescription>Switch statement found where default case is missing</ShortDescription> <LongDescription>Switch statement found in {1} where default case is missing</LongDescription> <Details> <![CDATA[ <p> This method contains a switch statement where default case is missing. Usually you need to provide a default case.</p> <p>Because the analysis only looks at the generated bytecode, this warning can be incorrect triggered if the default case is at the end of the switch statement and the switch statement doesn't contain break statements for other cases. ]]> </Details> </BugPattern> <BugPattern type="SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH"> <ShortDescription>Dead store due to switch statement fall through</ShortDescription> <LongDescription>Value of {2.givenClass} from previous case is overwritten here due to switch statement fall through</LongDescription> <Details> <![CDATA[ <p> A value stored in the previous switch case is overwritten here due to a switch fall through. It is likely that you forgot to put a break or return at the end of the previous case. </p> ]]> </Details> </BugPattern> <BugPattern type="SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH_TO_THROW"> <ShortDescription>Dead store due to switch statement fall through to throw</ShortDescription> <LongDescription>Value of {2.givenClass} from previous case is lost here due to switch statement fall through to throw</LongDescription> <Details> <![CDATA[ <p> A value stored in the previous switch case is ignored here due to a switch fall through to a place where an exception is thrown. It is likely that you forgot to put a break or return at the end of the previous case. </p> ]]> </Details> </BugPattern> <BugPattern type="WS_WRITEOBJECT_SYNC"> <ShortDescription>Class's writeObject() method is synchronized but nothing else is</ShortDescription> <LongDescription>{0}'s writeObject method is synchronized but nothing else is</LongDescription> <Details> <![CDATA[ <p> This class has a <code>writeObject()</code> method which is synchronized; however, no other method of the class is synchronized.</p> ]]> </Details> </BugPattern> <BugPattern type="RS_READOBJECT_SYNC"> <ShortDescription>Class's readObject() method is synchronized</ShortDescription> <LongDescription>{0}'s readObject method is synchronized</LongDescription> <Details> <![CDATA[ <p> This serializable class defines a <code>readObject()</code> which is synchronized. By definition, an object created by deserialization is only reachable by one thread, and thus there is no need for <code>readObject()</code> to be synchronized. If the <code>readObject()</code> method itself is causing the object to become visible to another thread, that is an example of very dubious coding style.</p> ]]> </Details> </BugPattern> <BugPattern type="SE_NONSTATIC_SERIALVERSIONID"> <ShortDescription>serialVersionUID isn't static</ShortDescription> <LongDescription>{1} isn't static</LongDescription> <Details> <![CDATA[ <p> This class defines a <code>serialVersionUID</code> field that is not static. The field should be made static if it is intended to specify the version UID for purposes of serialization.</p> ]]> </Details> </BugPattern> <BugPattern type="SE_NONFINAL_SERIALVERSIONID"> <ShortDescription>serialVersionUID isn't final</ShortDescription> <LongDescription>{1} isn't final</LongDescription> <Details> <![CDATA[ <p> This class defines a <code>serialVersionUID</code> field that is not final. The field should be made final if it is intended to specify the version UID for purposes of serialization.</p> ]]> </Details> </BugPattern> <BugPattern type="SE_NONLONG_SERIALVERSIONID"> <ShortDescription>serialVersionUID isn't long</ShortDescription> <LongDescription>{1} isn't long</LongDescription> <Details> <![CDATA[ <p> This class defines a <code>serialVersionUID</code> field that is not long. The field should be made long if it is intended to specify the version UID for purposes of serialization.</p> ]]> </Details> </BugPattern> <BugPattern type="SE_BAD_FIELD"> <ShortDescription>Non-transient non-serializable instance field in serializable class</ShortDescription> <LongDescription>Class {0} defines non-transient non-serializable instance field {1.name}</LongDescription> <Details> <![CDATA[ <p> This Serializable class defines a non-primitive instance field which is neither transient, Serializable, or <code>java.lang.Object</code>, and does not appear to implement the <code>Externalizable</code> interface or the <code>readObject()</code> and <code>writeObject()</code> methods. Objects of this class will not be deserialized correctly if a non-Serializable object is stored in this field.</p> ]]> </Details> </BugPattern> <BugPattern type="SE_BAD_FIELD_INNER_CLASS"> <ShortDescription>Non-serializable class has a serializable inner class</ShortDescription> <LongDescription>{0} is serializable but also an inner class of a non-serializable class</LongDescription> <Details> <![CDATA[ <p> This Serializable class is an inner class of a non-serializable class. Thus, attempts to serialize it will also attempt to associate instance of the outer class with which it is associated, leading to a runtime error. </p> <p>If possible, making the inner class a static inner class should solve the problem. Making the outer class serializable might also work, but that would mean serializing an instance of the inner class would always also serialize the instance of the outer class, which it often not what you really want. ]]> </Details> </BugPattern> <BugPattern type="SE_INNER_CLASS"> <ShortDescription>Serializable inner class</ShortDescription> <LongDescription>{0} is serializable and an inner class</LongDescription> <Details> <![CDATA[ <p> This Serializable class is an inner class. Any attempt to serialize it will also serialize the associated outer instance. The outer instance is serializable, so this won't fail, but it might serialize a lot more data than intended. If possible, making the inner class a static inner class (also known as a nested class) should solve the problem. ]]> </Details> </BugPattern> <BugPattern type="SE_BAD_FIELD_STORE"> <ShortDescription>Non-serializable value stored into instance field of a serializable class</ShortDescription> <LongDescription>{2} stored into non-transient field {1.givenClass}</LongDescription> <Details> <![CDATA[ <p> A non-serializable value is stored into a non-transient field of a serializable class.</p> ]]> </Details> </BugPattern> <BugPattern type="SC_START_IN_CTOR"> <ShortDescription>Constructor invokes Thread.start()</ShortDescription> <LongDescription>{1} invokes {2}</LongDescription> <Details> <![CDATA[ <p> The constructor starts a thread. This is likely to be wrong if the class is ever extended/subclassed, since the thread will be started before the subclass constructor is started.</p> ]]> </Details> </BugPattern> <BugPattern type="SS_SHOULD_BE_STATIC"> <ShortDescription>Unread field: should this field be static?</ShortDescription> <LongDescription>Unread field: {1}; should this field be static?</LongDescription> <Details> <![CDATA[ <p> This class contains an instance final field that is initialized to a compile-time static value. Consider making the field static.</p> ]]> </Details> </BugPattern> <BugPattern type="UUF_UNUSED_FIELD"> <ShortDescription>Unused field</ShortDescription> <LongDescription>Unused field: {1}</LongDescription> <Details> <![CDATA[ <p> This field is never used. Consider removing it from the class.</p> ]]> </Details> </BugPattern> <BugPattern type="URF_UNREAD_FIELD"> <ShortDescription>Unread field</ShortDescription> <LongDescription>Unread field: {1}</LongDescription> <Details> <![CDATA[ <p> This field is never read. Consider removing it from the class.</p> ]]> </Details> </BugPattern> <BugPattern type="UUF_UNUSED_PUBLIC_OR_PROTECTED_FIELD"> <ShortDescription>Unused public or protected field</ShortDescription> <LongDescription>Unused public or protected field: {1}</LongDescription> <Details> <![CDATA[ <p> This field is never used. The field is public or protected, so perhaps it is intended to be used with classes not seen as part of the analysis. If not, consider removing it from the class.</p> ]]> </Details> </BugPattern> <BugPattern type="URF_UNREAD_PUBLIC_OR_PROTECTED_FIELD"> <ShortDescription>Unread public/protected field</ShortDescription> <LongDescription>Unread public/protected field: {1}</LongDescription> <Details> <![CDATA[ <p> This field is never read. The field is public or protected, so perhaps it is intended to be used with classes not seen as part of the analysis. If not, consider removing it from the class.</p> ]]> </Details> </BugPattern> <BugPattern type="QF_QUESTIONABLE_FOR_LOOP"> <ShortDescription>Complicated, subtle or wrong increment in for-loop</ShortDescription> <LongDescription>Complicated, subtle or wrong increment in for-loop {1}</LongDescription> <Details> <![CDATA[ <p>Are you sure this for loop is incrementing/decrementing the correct variable? It appears that another variable is being initialized and checked by the for loop. </p> ]]> </Details> </BugPattern> <BugPattern type="UWF_NULL_FIELD"> <ShortDescription>Field only ever set to null</ShortDescription> <LongDescription>Field only ever set to null: {1}</LongDescription> <Details> <![CDATA[ <p> All writes to this field are of the constant value null, and thus all reads of the field will return null. Check for errors, or remove it if it is useless.</p> ]]> </Details> </BugPattern> <BugPattern type="UWF_UNWRITTEN_PUBLIC_OR_PROTECTED_FIELD"> <ShortDescription>Unwritten public or protected field</ShortDescription> <LongDescription>Unwritten public or protected field: {1}</LongDescription> <Details> <![CDATA[ <p> No writes were seen to this public/protected field. All reads of it will return the default value. Check for errors (should it have been initialized?), or remove it if it is useless.</p> ]]> </Details> </BugPattern> <BugPattern type="UWF_UNWRITTEN_FIELD"> <ShortDescription>Unwritten field</ShortDescription> <LongDescription>Unwritten field: {1}</LongDescription> <Details> <![CDATA[ <p> This field is never written. All reads of it will return the default value. Check for errors (should it have been initialized?), or remove it if it is useless.</p> ]]> </Details> </BugPattern> <BugPattern type="ST_WRITE_TO_STATIC_FROM_INSTANCE_METHOD"> <ShortDescription>Write to static field from instance method</ShortDescription> <LongDescription>Write to static field {2} from instance method {1}</LongDescription> <Details> <![CDATA[ <p> This instance method writes to a static field. This is tricky to get correct if multiple instances are being manipulated, and generally bad practice. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_LOAD_OF_KNOWN_NULL_VALUE"> <ShortDescription>Load of known null value</ShortDescription> <LongDescription>Load of known null value in {1}</LongDescription> <Details> <![CDATA[ <p> The variable referenced at this point is known to be null due to an earlier check against null. Although this is valid, it might be a mistake (perhaps you intended to refer to a different variable, or perhaps the earlier check to see if the variable is null should have been a check to see if it was non-null). </p> ]]> </Details> </BugPattern> <BugPattern type="NP_DEREFERENCE_OF_READLINE_VALUE"> <ShortDescription>Dereference of the result of readLine() without nullcheck</ShortDescription> <LongDescription>Dereference of the result of readLine() without nullcheck in {1}</LongDescription> <Details> <![CDATA[ <p> The result of invoking readLine() is dereferenced without checking to see if the result is null. If there are no more lines of text to read, readLine() will return null and dereferencing that will generate a null pointer exception. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_IMMEDIATE_DEREFERENCE_OF_READLINE"> <ShortDescription>Immediate dereference of the result of readLine()</ShortDescription> <LongDescription>Immediate dereference of the result of readLine() in {1}</LongDescription> <Details> <![CDATA[ <p> The result of invoking readLine() is immediately dereferenced. If there are no more lines of text to read, readLine() will return null and dereferencing that will generate a null pointer exception. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_UNWRITTEN_FIELD"> <ShortDescription>Read of unwritten field</ShortDescription> <LongDescription>Read of unwritten field {2.name} in {1}</LongDescription> <Details> <![CDATA[ <p> The program is dereferencing a field that does not seem to ever have a non-null value written to it. Unless the field is initialized via some mechanism not seen by the analysis, dereferencing this value will generate a null pointer exception. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_UNWRITTEN_PUBLIC_OR_PROTECTED_FIELD"> <ShortDescription>Read of unwritten public or protected field</ShortDescription> <LongDescription>Read of unwritten public or protected field {2.name} in {1}</LongDescription> <Details> <![CDATA[ <p> The program is dereferencing a public or protected field that does not seem to ever have a non-null value written to it. Unless the field is initialized via some mechanism not seen by the analysis, dereferencing this value will generate a null pointer exception. </p> ]]> </Details> </BugPattern> <BugPattern type="SIC_THREADLOCAL_DEADLY_EMBRACE"> <ShortDescription>Deadly embrace of non-static inner class and thread local</ShortDescription> <LongDescription>{0} needs to be _static_ to avoid a deadly embrace with {1}</LongDescription> <Details> <![CDATA[ <p> This class is an inner class, but should probably be a static inner class. As it is, there is a serious danger of a deadly embrace between the inner class and the thread local in the outer class. Because the inner class isn't static, it retains a reference to the outer class. If the thread local contains a reference to an instance of the inner class, the inner and outer instance will both be reachable and not eligible for garbage collection. </p> ]]> </Details> </BugPattern> <BugPattern type="SIC_INNER_SHOULD_BE_STATIC"> <ShortDescription>Should be a static inner class</ShortDescription> <LongDescription>Should {0} be a _static_ inner class?</LongDescription> <Details> <![CDATA[ <p> This class is an inner class, but does not use its embedded reference to the object which created it. This reference makes the instances of the class larger, and may keep the reference to the creator object alive longer than necessary. If possible, the class should be made static. </p> ]]> </Details> </BugPattern> <BugPattern type="UWF_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR"> <ShortDescription>Field not initialized in constructor but dereferenced without null check</ShortDescription> <LongDescription>{1.givenClass} not initialized in constructor and dereferenced in {2}</LongDescription> <Details> <![CDATA[ <p> This field is never initialized within any constructor, and is therefore could be null after the object is constructed. Elsewhere, it is loaded and dereferenced without a null check. This could be either an error or a questionable design, since it means a null pointer exception will be generated if that field is dereferenced before being initialized. </p> ]]> </Details> </BugPattern> <BugPattern type="SIC_INNER_SHOULD_BE_STATIC_ANON"> <ShortDescription>Could be refactored into a named static inner class</ShortDescription> <LongDescription>The class {0} could be refactored into a named _static_ inner class</LongDescription> <Details> <![CDATA[ <p> This class is an inner class, but does not use its embedded reference to the object which created it. This reference makes the instances of the class larger, and may keep the reference to the creator object alive longer than necessary. If possible, the class should be made into a <em>static</em> inner class. Since anonymous inner classes cannot be marked as static, doing this will require refactoring the inner class so that it is a named inner class.</p> ]]> </Details> </BugPattern> <BugPattern type="SIC_INNER_SHOULD_BE_STATIC_NEEDS_THIS"> <ShortDescription>Could be refactored into a static inner class</ShortDescription> <LongDescription>The class {0} could be refactored into a _static_ inner class</LongDescription> <Details> <![CDATA[ <p> This class is an inner class, but does not use its embedded reference to the object which created it except during construction of the inner object. This reference makes the instances of the class larger, and may keep the reference to the creator object alive longer than necessary. If possible, the class should be made into a <em>static</em> inner class. Since the reference to the outer object is required during construction of the inner instance, the inner class will need to be refactored so as to pass a reference to the outer instance to the constructor for the inner class.</p> ]]> </Details> </BugPattern> <BugPattern type="WA_NOT_IN_LOOP"> <ShortDescription>Wait not in loop</ShortDescription> <LongDescription>Wait not in loop in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains a call to <code>java.lang.Object.wait()</code> which is not in a loop. If the monitor is used for multiple conditions, the condition the caller intended to wait for might not be the one that actually occurred.</p> ]]> </Details> </BugPattern> <BugPattern type="WA_AWAIT_NOT_IN_LOOP"> <ShortDescription>Condition.await() not in loop</ShortDescription> <LongDescription>Condition.await() not in loop in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains a call to <code>java.util.concurrent.await()</code> (or variants) which is not in a loop. If the object is used for multiple conditions, the condition the caller intended to wait for might not be the one that actually occurred.</p> ]]> </Details> </BugPattern> <BugPattern type="NO_NOTIFY_NOT_NOTIFYALL"> <ShortDescription>Using notify() rather than notifyAll()</ShortDescription> <LongDescription>Using notify rather than notifyAll in {1}</LongDescription> <Details> <![CDATA[ <p> This method calls <code>notify()</code> rather than <code>notifyAll()</code>. Java monitors are often used for multiple conditions. Calling <code>notify()</code> only wakes up one thread, meaning that the thread woken up might not be the one waiting for the condition that the caller just satisfied.</p> ]]> </Details> </BugPattern> <BugPattern type="UC_USELESS_VOID_METHOD"> <ShortDescription>Useless non-empty void method</ShortDescription> <LongDescription>Method {1} seems to be useless</LongDescription> <Details> <![CDATA[ <p>Our analysis shows that this non-empty void method does not actually perform any useful work. Please check it: probably there's a mistake in its code or its body can be fully removed. </p> <p>We are trying to reduce the false positives as much as possible, but in some cases this warning might be wrong. Common false-positive cases include:</p> <ul> <li>The method is intended to trigger loading of some class which may have a side effect.</li> <li>The method is intended to implicitly throw some obscure exception.</li> </ul> ]]> </Details> </BugPattern> <BugPattern type="UC_USELESS_CONDITION"> <ShortDescription>Condition has no effect</ShortDescription> <LongDescription>Useless condition: it's known that {2} at this point</LongDescription> <Details> <![CDATA[ <p>This condition always produces the same result as the value of the involved variable that was narrowed before. Probably something else was meant or the condition can be removed.</p> ]]> </Details> </BugPattern> <BugPattern type="UC_USELESS_CONDITION_TYPE"> <ShortDescription>Condition has no effect due to the variable type</ShortDescription> <LongDescription>Useless condition: it's always {2} because variable type is {3}</LongDescription> <Details> <![CDATA[ <p>This condition always produces the same result due to the type range of the involved variable. Probably something else was meant or the condition can be removed.</p> ]]> </Details> </BugPattern> <BugPattern type="UC_USELESS_OBJECT"> <ShortDescription>Useless object created</ShortDescription> <LongDescription>Useless object stored in variable {2} of method {1}</LongDescription> <Details> <![CDATA[ <p>Our analysis shows that this object is useless. It's created and modified, but its value never go outside of the method or produce any side-effect. Either there is a mistake and object was intended to be used or it can be removed.</p> <p>This analysis rarely produces false-positives. Common false-positive cases include:</p> <p>- This object used to implicitly throw some obscure exception.</p> <p>- This object used as a stub to generalize the code.</p> <p>- This object used to hold strong references to weak/soft-referenced objects.</p> ]]> </Details> </BugPattern> <BugPattern type="UC_USELESS_OBJECT_STACK"> <ShortDescription>Useless object created on stack</ShortDescription> <LongDescription>Useless object created in method {1}</LongDescription> <Details> <![CDATA[ <p>This object is created just to perform some modifications which don't have any side-effect. Probably something else was meant or the object can be removed.</p> ]]> </Details> </BugPattern> <BugPattern type="RANGE_ARRAY_INDEX"> <ShortDescription>Array index is out of bounds</ShortDescription> <LongDescription>Array index is out of bounds: {3}</LongDescription> <Details> <![CDATA[ <p> Array operation is performed, but array index is out of bounds, which will result in ArrayIndexOutOfBoundsException at runtime.</p> ]]> </Details> </BugPattern> <BugPattern type="RANGE_ARRAY_OFFSET"> <ShortDescription>Array offset is out of bounds</ShortDescription> <LongDescription>Array offset is out of bounds: {3}</LongDescription> <Details> <![CDATA[ <p> Method is called with array parameter and offset parameter, but the offset is out of bounds. This will result in IndexOutOfBoundsException at runtime. </p> ]]> </Details> </BugPattern> <BugPattern type="RANGE_ARRAY_LENGTH"> <ShortDescription>Array length is out of bounds</ShortDescription> <LongDescription>Array length is out of bounds: {3}</LongDescription> <Details> <![CDATA[ <p> Method is called with array parameter and length parameter, but the length is out of bounds. This will result in IndexOutOfBoundsException at runtime. </p> ]]> </Details> </BugPattern> <BugPattern type="RANGE_STRING_INDEX"> <ShortDescription>String index is out of bounds</ShortDescription> <LongDescription>String index is out of bounds when calling {5}: {3}</LongDescription> <Details> <![CDATA[ <p> String method is called and specified string index is out of bounds. This will result in StringIndexOutOfBoundsException at runtime. </p> ]]> </Details> </BugPattern> <BugPattern type="RV_CHECK_FOR_POSITIVE_INDEXOF"> <ShortDescription>Method checks to see if result of String.indexOf is positive</ShortDescription> <LongDescription>{1} checks to see if result of String.indexOf is positive</LongDescription> <Details> <![CDATA[ <p> The method invokes String.indexOf and checks to see if the result is positive or non-positive. It is much more typical to check to see if the result is negative or non-negative. It is positive only if the substring checked for occurs at some place other than at the beginning of the String.</p> ]]> </Details> </BugPattern> <BugPattern type="RV_DONT_JUST_NULL_CHECK_READLINE"> <ShortDescription>Method discards result of readLine after checking if it is non-null</ShortDescription> <LongDescription>{1} discards result of readLine after checking if it is non-null</LongDescription> <Details> <![CDATA[ <p> The value returned by readLine is discarded after checking to see if the return value is non-null. In almost all situations, if the result is non-null, you will want to use that non-null value. Calling readLine again will give you a different line.</p> ]]> </Details> </BugPattern> <BugPattern type="RV_RETURN_VALUE_IGNORED_INFERRED"> <ShortDescription>Method ignores return value, is this OK?</ShortDescription> <LongDescription>Return value of {2.givenClass} ignored, is this OK in {1}</LongDescription> <Details> <![CDATA[ <p>This code calls a method and ignores the return value. The return value is the same type as the type the method is invoked on, and from our analysis it looks like the return value might be important (e.g., like ignoring the return value of <code>String.toLowerCase()</code>). </p> <p>We are guessing that ignoring the return value might be a bad idea just from a simple analysis of the body of the method. You can use a @CheckReturnValue annotation to instruct SpotBugs as to whether ignoring the return value of this method is important or acceptable. </p> <p>Please investigate this closely to decide whether it is OK to ignore the return value. </p> ]]> </Details> </BugPattern> <BugPattern type="RV_RETURN_VALUE_IGNORED_NO_SIDE_EFFECT"> <ShortDescription>Return value of method without side effect is ignored</ShortDescription> <LongDescription>Return value of {2.givenClass} ignored, but method has no side effect</LongDescription> <Details> <![CDATA[ <p>This code calls a method and ignores the return value. However, our analysis shows that the method (including its implementations in subclasses if any) does not produce any effect other than return value. Thus, this call can be removed. </p> <p>We are trying to reduce the false positives as much as possible, but in some cases this warning might be wrong. Common false-positive cases include:</p> <p>- The method is designed to be overridden and produce a side effect in other projects which are out of the scope of the analysis.</p> <p>- The method is called to trigger the class loading which may have a side effect.</p> <p>- The method is called just to get some exception.</p> <p>If you feel that our assumption is incorrect, you can use a @CheckReturnValue annotation to instruct SpotBugs that ignoring the return value of this method is acceptable. </p> ]]> </Details> </BugPattern> <BugPattern type="RV_RETURN_VALUE_IGNORED"> <ShortDescription>Method ignores return value</ShortDescription> <LongDescription>Return value of {2.givenClass} ignored in {1}</LongDescription> <Details> <![CDATA[ <p> The return value of this method should be checked. One common cause of this warning is to invoke a method on an immutable object, thinking that it updates the object. For example, in the following code fragment,</p> <pre><code>String dateString = getHeaderField(name); dateString.trim(); </code></pre> <p>the programmer seems to be thinking that the trim() method will update the String referenced by dateString. But since Strings are immutable, the trim() function returns a new String value, which is being ignored here. The code should be corrected to: </p> <pre><code>String dateString = getHeaderField(name); dateString = dateString.trim(); </code></pre> ]]> </Details> </BugPattern> <BugPattern type="RV_RETURN_VALUE_IGNORED_BAD_PRACTICE"> <ShortDescription>Method ignores exceptional return value</ShortDescription> <LongDescription>Exceptional return value of {2} ignored in {1}</LongDescription> <Details> <![CDATA[ <p> This method returns a value that is not checked. The return value should be checked since it can indicate an unusual or unexpected function execution. For example, the <code>File.delete()</code> method returns false if the file could not be successfully deleted (rather than throwing an Exception). If you don't check the result, you won't notice if the method invocation signals unexpected behavior by returning an atypical return value. </p> ]]> </Details> </BugPattern> <BugPattern type="RV_CHECK_COMPARETO_FOR_SPECIFIC_RETURN_VALUE"> <ShortDescription>Code checks for specific values returned by compareTo</ShortDescription> <LongDescription>Check to see if return value of {2.givenClass} is equal to {3}</LongDescription> <Details> <![CDATA[ <p> This code invoked a compareTo or compare method, and checks to see if the return value is a specific value, such as 1 or -1. When invoking these methods, you should only check the sign of the result, not for any specific non-zero value. While many or most compareTo and compare methods only return -1, 0 or 1, some of them will return other values. ]]> </Details> </BugPattern> <BugPattern type="RV_EXCEPTION_NOT_THROWN"> <ShortDescription>Exception created and dropped rather than thrown</ShortDescription> <LongDescription>{2.givenClass} not thrown in {1}</LongDescription> <Details> <![CDATA[ <p> This code creates an exception (or error) object, but doesn't do anything with it. For example, something like </p> <pre><code>if (x < 0) { new IllegalArgumentException("x must be nonnegative"); } </code></pre> <p>It was probably the intent of the programmer to throw the created exception:</p> <pre><code>if (x < 0) { throw new IllegalArgumentException("x must be nonnegative"); } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="NP_ALWAYS_NULL"> <ShortDescription>Null pointer dereference</ShortDescription> <LongDescription>Null pointer dereference of {2.givenClass} in {1}</LongDescription> <Details> <![CDATA[ <p> A null pointer is dereferenced here. This will lead to a <code>NullPointerException</code> when the code is executed.</p> ]]> </Details> </BugPattern> <BugPattern type="NP_CLOSING_NULL"> <ShortDescription>close() invoked on a value that is always null</ShortDescription> <LongDescription>Cannot close {2.givenClass} since it is always null in {1}</LongDescription> <Details> <![CDATA[ <p> close() is being invoked on a value that is always null. If this statement is executed, a null pointer exception will occur. But the big risk here you never close something that should be closed. ]]> </Details> </BugPattern> <BugPattern type="NP_STORE_INTO_NONNULL_FIELD"> <ShortDescription>Store of null value into field annotated @Nonnull</ShortDescription> <LongDescription>Store of null value into field {2.givenClass} annotated @Nonnull in {1}</LongDescription> <Details> <![CDATA[ <p> A value that could be null is stored into a field that has been annotated as @Nonnull. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_ALWAYS_NULL_EXCEPTION"> <ShortDescription>Null pointer dereference in method on exception path</ShortDescription> <LongDescription>Null pointer dereference of {2.givenClass} in {1} on exception path</LongDescription> <Details> <![CDATA[ <p> A pointer which is null on an exception path is dereferenced here. This will lead to a <code>NullPointerException</code> when the code is executed. Note that because SpotBugs currently does not prune infeasible exception paths, this may be a false warning.</p> <p> Also note that SpotBugs considers the default case of a switch statement to be an exception path, since the default case is often infeasible.</p> ]]> </Details> </BugPattern> <BugPattern type="NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE"> <ShortDescription>Parameter must be non-null but is marked as nullable</ShortDescription> <LongDescription>{2} must be non-null but is marked as nullable</LongDescription> <Details> <![CDATA[ <p> This parameter is always used in a way that requires it to be non-null, but the parameter is explicitly annotated as being Nullable. Either the use of the parameter or the annotation is wrong. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_NULL_ON_SOME_PATH"> <ShortDescription>Possible null pointer dereference</ShortDescription> <LongDescription>Possible null pointer dereference of {2.givenClass} in {1}</LongDescription> <Details> <![CDATA[ <p> There is a branch of statement that, <em>if executed,</em> guarantees that a null value will be dereferenced, which would generate a <code>NullPointerException</code> when the code is executed. Of course, the problem might be that the branch or statement is infeasible and that the null pointer exception cannot ever be executed; deciding that is beyond the ability of SpotBugs. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_NULL_ON_SOME_PATH_MIGHT_BE_INFEASIBLE"> <ShortDescription>Possible null pointer dereference on branch that might be infeasible</ShortDescription> <LongDescription>Possible null pointer dereference of {2.givenClass} on branch that might be infeasible in {1}</LongDescription> <Details> <![CDATA[ <p> There is a branch of statement that, <em>if executed,</em> guarantees that a null value will be dereferenced, which would generate a <code>NullPointerException</code> when the code is executed. Of course, the problem might be that the branch or statement is infeasible and that the null pointer exception cannot ever be executed; deciding that is beyond the ability of SpotBugs. Due to the fact that this value had been previously tested for nullness, this is a definite possibility. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_NULL_ON_SOME_PATH_EXCEPTION"> <ShortDescription>Possible null pointer dereference in method on exception path</ShortDescription> <LongDescription>Possible null pointer dereference of {2.givenClass} in {1} on exception path</LongDescription> <Details> <![CDATA[ <p> A reference value which is null on some exception control path is dereferenced here. This may lead to a <code>NullPointerException</code> when the code is executed. Note that because SpotBugs currently does not prune infeasible exception paths, this may be a false warning.</p> <p> Also note that SpotBugs considers the default case of a switch statement to be an exception path, since the default case is often infeasible.</p> ]]> </Details> </BugPattern> <BugPattern type="NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE"> <ShortDescription>Possible null pointer dereference due to return value of called method</ShortDescription> <LongDescription>Possible null pointer dereference in {1} due to return value of called method</LongDescription> <Details> <![CDATA[ <p> The return value from a method is dereferenced without a null check, and the return value of that method is one that should generally be checked for null. This may lead to a <code>NullPointerException</code> when the code is executed. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_NULL_PARAM_DEREF_NONVIRTUAL"> <ShortDescription>Non-virtual method call passes null for non-null parameter</ShortDescription> <LongDescription>Non-virtual method call in {1} passes null for non-null parameter of {2.givenClass}</LongDescription> <Details> <![CDATA[ <p> A possibly-null value is passed to a non-null method parameter. Either the parameter is annotated as a parameter that should always be non-null, or analysis has shown that it will always be dereferenced. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS"> <ShortDescription>Method call passes null for non-null parameter</ShortDescription> <LongDescription>Null passed for non-null parameter of {2.givenClass} in {1}</LongDescription> <Details> <![CDATA[ <p> A possibly-null value is passed at a call site where all known target methods require the parameter to be non-null. Either the parameter is annotated as a parameter that should always be non-null, or analysis has shown that it will always be dereferenced. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_NULL_PARAM_DEREF"> <ShortDescription>Method call passes null for non-null parameter</ShortDescription> <LongDescription>Null passed for non-null parameter of {2.givenClass} in {1}</LongDescription> <Details> <![CDATA[ <p> This method call passes a null value for a non-null method parameter. Either the parameter is annotated as a parameter that should always be non-null, or analysis has shown that it will always be dereferenced. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_NONNULL_PARAM_VIOLATION"> <ShortDescription>Method call passes null to a non-null parameter</ShortDescription> <LongDescription>Null passed for non-null parameter of {2.givenClass} in {1}</LongDescription> <Details> <![CDATA[ <p> This method passes a null value as the parameter of a method which must be non-null. Either this parameter has been explicitly marked as @Nonnull, or analysis has determined that this parameter is always dereferenced. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_NONNULL_RETURN_VIOLATION"> <ShortDescription>Method may return null, but is declared @Nonnull</ShortDescription> <LongDescription>{1} may return null, but is declared @Nonnull</LongDescription> <Details> <![CDATA[ <p> This method may return a null value, but the method (or a superclass method which it overrides) is declared to return @Nonnull. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_CLONE_COULD_RETURN_NULL"> <ShortDescription>Clone method may return null</ShortDescription> <LongDescription>{1} may return null</LongDescription> <Details> <![CDATA[ <p> This clone method seems to return null in some circumstances, but clone is never allowed to return a null value. If you are convinced this path is unreachable, throw an AssertionError instead. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_TOSTRING_COULD_RETURN_NULL"> <ShortDescription>toString method may return null</ShortDescription> <LongDescription>{1} may return null</LongDescription> <Details> <![CDATA[ <p> This toString method seems to return null in some circumstances. A liberal reading of the spec could be interpreted as allowing this, but it is probably a bad idea and could cause other code to break. Return the empty string or some other appropriate string rather than null. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_GUARANTEED_DEREF"> <ShortDescription>Null value is guaranteed to be dereferenced</ShortDescription> <LongDescription>{2.givenClass} could be null and is guaranteed to be dereferenced in {1}</LongDescription> <Details> <![CDATA[ <p> There is a statement or branch that if executed guarantees that a value is null at this point, and that value that is guaranteed to be dereferenced (except on forward paths involving runtime exceptions). </p> <p>Note that a check such as <code>if (x == null) throw new NullPointerException();</code> is treated as a dereference of <code>x</code>.</p> ]]> </Details> </BugPattern> <BugPattern type="NP_GUARANTEED_DEREF_ON_EXCEPTION_PATH"> <ShortDescription>Value is null and guaranteed to be dereferenced on exception path</ShortDescription> <LongDescription>{2.name} is null guaranteed to be dereferenced in {1} on exception path</LongDescription> <Details> <![CDATA[ <p> There is a statement or branch on an exception path that if executed guarantees that a value is null at this point, and that value that is guaranteed to be dereferenced (except on forward paths involving runtime exceptions). </p> ]]> </Details> </BugPattern> <BugPattern type="SI_INSTANCE_BEFORE_FINALS_ASSIGNED"> <ShortDescription>Static initializer creates instance before all static final fields assigned</ShortDescription> <LongDescription>Static initializer for {0} creates instance before all static final fields assigned</LongDescription> <Details> <![CDATA[ <p> The class's static initializer creates an instance of the class before all of the static final fields are assigned.</p> ]]> </Details> </BugPattern> <BugPattern type="OS_OPEN_STREAM"> <ShortDescription>Method may fail to close stream</ShortDescription> <LongDescription>{1} may fail to close stream</LongDescription> <Details> <![CDATA[ <p> The method creates an IO stream object, does not assign it to any fields, pass it to other methods that might close it, or return it, and does not appear to close the stream on all paths out of the method. This may result in a file descriptor leak. It is generally a good idea to use a <code>finally</code> block to ensure that streams are closed.</p> ]]> </Details> </BugPattern> <BugPattern type="OS_OPEN_STREAM_EXCEPTION_PATH"> <ShortDescription>Method may fail to close stream on exception</ShortDescription> <LongDescription>{1} may fail to close stream on exception</LongDescription> <Details> <![CDATA[ <p> The method creates an IO stream object, does not assign it to any fields, pass it to other methods, or return it, and does not appear to close it on all possible exception paths out of the method. This may result in a file descriptor leak. It is generally a good idea to use a <code>finally</code> block to ensure that streams are closed.</p> ]]> </Details> </BugPattern> <BugPattern type="PZLA_PREFER_ZERO_LENGTH_ARRAYS"> <ShortDescription>Consider returning a zero length array rather than null</ShortDescription> <LongDescription>Should {1} return a zero length array rather than null?</LongDescription> <Details> <![CDATA[ <p> It is often a better design to return a length zero array rather than a null reference to indicate that there are no results (i.e., an empty list of results). This way, no explicit check for null is needed by clients of the method.</p> <p>On the other hand, using null to indicate "there is no answer to this question" is probably appropriate. For example, <code>File.listFiles()</code> returns an empty list if given a directory containing no files, and returns null if the file is not a directory.</p> ]]> </Details> </BugPattern> <BugPattern type="UCF_USELESS_CONTROL_FLOW"> <ShortDescription>Useless control flow</ShortDescription> <LongDescription>Useless control flow in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains a useless control flow statement, where control flow continues onto the same place regardless of whether or not the branch is taken. For example, this is caused by having an empty statement block for an <code>if</code> statement:</p> <pre><code>if (argv.length == 0) { // TODO: handle this case } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="UCF_USELESS_CONTROL_FLOW_NEXT_LINE"> <ShortDescription>Useless control flow to next line</ShortDescription> <LongDescription>Useless control flow to next line in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains a useless control flow statement in which control flow follows to the same or following line regardless of whether or not the branch is taken. Often, this is caused by inadvertently using an empty statement as the body of an <code>if</code> statement, e.g.:</p> <pre><code>if (argv.length == 1); System.out.println("Hello, " + argv[0]); </code></pre> ]]> </Details> </BugPattern> <BugPattern type="RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE"> <ShortDescription>Nullcheck of value previously dereferenced</ShortDescription> <LongDescription>Nullcheck of {2.givenClass} at {4.lineNumber} of value previously dereferenced in {1}</LongDescription> <Details> <![CDATA[ <p> A value is checked here to see whether it is null, but this value cannot be null because it was previously dereferenced and if it were null a null pointer exception would have occurred at the earlier dereference. Essentially, this code and the previous dereference disagree as to whether this value is allowed to be null. Either the check is redundant or the previous dereference is erroneous.</p> ]]> </Details> </BugPattern> <BugPattern type="RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE"> <ShortDescription>Redundant nullcheck of value known to be null</ShortDescription> <LongDescription>Redundant nullcheck of {2} which is known to be null in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains a redundant check of a known null value against the constant null.</p> ]]> </Details> </BugPattern> <BugPattern type="RCN_REDUNDANT_NULLCHECK_OF_NONNULL_VALUE"> <ShortDescription>Redundant nullcheck of value known to be non-null</ShortDescription> <LongDescription>Redundant nullcheck of {2}, which is known to be non-null in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains a redundant check of a known non-null value against the constant null.</p> ]]> </Details> </BugPattern> <BugPattern type="RCN_REDUNDANT_COMPARISON_TWO_NULL_VALUES"> <ShortDescription>Redundant comparison of two null values</ShortDescription> <LongDescription>Redundant comparison of two null values in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains a redundant comparison of two references known to both be definitely null.</p> ]]> </Details> </BugPattern> <BugPattern type="RCN_REDUNDANT_COMPARISON_OF_NULL_AND_NONNULL_VALUE"> <ShortDescription>Redundant comparison of non-null value to null</ShortDescription> <LongDescription>Redundant comparison of non-null value to null in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains a reference known to be non-null with another reference known to be null.</p> ]]> </Details> </BugPattern> <BugPattern type="RCN_REDUNDANT_CHECKED_NULL_COMPARISON" deprecated="true"> <!-- deprecated in favor of two separate RCN_ patterns --> <ShortDescription>Redundant comparison to null of previously checked value</ShortDescription> <LongDescription>Redundant comparison to null of previously checked {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains a redundant comparison of a reference value to null. Two types of redundant comparison are reported: </p> <ul> <li> Both values compared are definitely null</li> <li> One value is definitely null and the other is definitely not null</li> </ul> <p> This particular warning generally indicates that a value known not to be null was checked against null. While the check is not necessary, it may simply be a case of defensive programming.</p> ]]> </Details> </BugPattern> <BugPattern type="UL_UNRELEASED_LOCK"> <ShortDescription>Method does not release lock on all paths</ShortDescription> <LongDescription>{1} does not release lock on all paths</LongDescription> <Details> <![CDATA[ <p> This method acquires a JSR-166 (<code>java.util.concurrent</code>) lock, but does not release it on all paths out of the method. In general, the correct idiom for using a JSR-166 lock is: </p> <pre><code>Lock l = ...; l.lock(); try { // do something } finally { l.unlock(); } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="UL_UNRELEASED_LOCK_EXCEPTION_PATH"> <ShortDescription>Method does not release lock on all exception paths</ShortDescription> <LongDescription>{1} does not release lock on all exception paths</LongDescription> <Details> <![CDATA[ <p> This method acquires a JSR-166 (<code>java.util.concurrent</code>) lock, but does not release it on all exception paths out of the method. In general, the correct idiom for using a JSR-166 lock is: </p> <pre><code>Lock l = ...; l.lock(); try { // do something } finally { l.unlock(); } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="RC_REF_COMPARISON"> <ShortDescription>Suspicious reference comparison</ShortDescription> <LongDescription>Suspicious comparison of {2} references in {1}</LongDescription> <Details> <![CDATA[ <p> This method compares two reference values using the == or != operator, where the correct way to compare instances of this type is generally with the equals() method. It is possible to create distinct instances that are equal but do not compare as == since they are different objects. Examples of classes which should generally not be compared by reference are java.lang.Integer, java.lang.Float, etc. RC_REF_COMPARISON covers only wrapper types for primitives. Suspicious types list can be extended by adding frc.suspicious system property with comma-separated classes:</p> <pre><code><systemPropertyVariables> <frc.suspicious>java.time.LocalDate,java.util.List</frc.suspicious> </systemPropertyVariables> </code></pre> ]]> </Details> </BugPattern> <BugPattern type="RC_REF_COMPARISON_BAD_PRACTICE"> <ShortDescription>Suspicious reference comparison to constant</ShortDescription> <LongDescription>Suspicious comparison of a {2} reference to constant in {1}</LongDescription> <Details> <![CDATA[ <p> This method compares a reference value to a constant using the == or != operator, where the correct way to compare instances of this type is generally with the equals() method. It is possible to create distinct instances that are equal but do not compare as == since they are different objects. Examples of classes which should generally not be compared by reference are java.lang.Integer, java.lang.Float, etc.</p> ]]> </Details> </BugPattern> <BugPattern type="RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN"> <ShortDescription>Suspicious reference comparison of Boolean values</ShortDescription> <LongDescription>Suspicious comparison of Boolean references in {1}</LongDescription> <Details> <![CDATA[ <p> This method compares two Boolean values using the == or != operator. Normally, there are only two Boolean values (Boolean.TRUE and Boolean.FALSE), but it is possible to create other Boolean objects using the <code>new Boolean(b)</code> constructor. It is best to avoid such objects, but if they do exist, then checking Boolean objects for equality using == or != will give results than are different than you would get using <code>.equals(...)</code>. </p> ]]> </Details> </BugPattern> <BugPattern type="EC_UNRELATED_TYPES_USING_POINTER_EQUALITY"> <ShortDescription>Using pointer equality to compare different types</ShortDescription> <LongDescription>Using pointer equality to compare a {2.givenClass} with a {3.givenClass} in {1}</LongDescription> <Details> <![CDATA[ <p> This method uses pointer equality to compare two references that seem to be of different types. The result of this comparison will always be false at runtime. </p> ]]> </Details> </BugPattern> <BugPattern type="EC_UNRELATED_TYPES"> <ShortDescription>Call to equals() comparing different types</ShortDescription> <LongDescription>Call to {3.simpleClass}.equals({2.simpleClass}) in {1}</LongDescription> <Details> <![CDATA[ <p> This method calls equals(Object) on two references of different class types and analysis suggests they will be to objects of different classes at runtime. Further, examination of the equals methods that would be invoked suggest that either this call will always return false, or else the equals method is not symmetric (which is a property required by the contract for equals in class Object). </p> ]]> </Details> </BugPattern> <BugPattern type="EC_UNRELATED_INTERFACES"> <ShortDescription>Call to equals() comparing different interface types</ShortDescription> <LongDescription>Call to {3.simpleClass}.equals({2.simpleClass}) in {1}</LongDescription> <Details> <![CDATA[ <p> This method calls equals(Object) on two references of unrelated interface types, where neither is a subtype of the other, and there are no known non-abstract classes which implement both interfaces. Therefore, the objects being compared are unlikely to be members of the same class at runtime (unless some application classes were not analyzed, or dynamic class loading can occur at runtime). According to the contract of equals(), objects of different classes should always compare as unequal; therefore, according to the contract defined by java.lang.Object.equals(Object), the result of this comparison will always be false at runtime. </p> ]]> </Details> </BugPattern> <BugPattern type="EC_UNRELATED_CLASS_AND_INTERFACE"> <ShortDescription>Call to equals() comparing unrelated class and interface</ShortDescription> <LongDescription>Call to {3.simpleClass}.equals({2.simpleClass}) in {1}</LongDescription> <Details> <![CDATA[ <p> This method calls equals(Object) on two references, one of which is a class and the other an interface, where neither the class nor any of its non-abstract subclasses implement the interface. Therefore, the objects being compared are unlikely to be members of the same class at runtime (unless some application classes were not analyzed, or dynamic class loading can occur at runtime). According to the contract of equals(), objects of different classes should always compare as unequal; therefore, according to the contract defined by java.lang.Object.equals(Object), the result of this comparison will always be false at runtime. </p> ]]> </Details> </BugPattern> <BugPattern type="EC_NULL_ARG"> <ShortDescription>Call to equals(null)</ShortDescription> <LongDescription>Call to equals(null) in {1}</LongDescription> <Details> <![CDATA[ <p> This method calls equals(Object), passing a null value as the argument. According to the contract of the equals() method, this call should always return <code>false</code>.</p> ]]> </Details> </BugPattern> <BugPattern type="MWN_MISMATCHED_WAIT"> <ShortDescription>Mismatched wait()</ShortDescription> <LongDescription>Mismatched wait() in {1}</LongDescription> <Details> <![CDATA[ <p> This method calls Object.wait() without obviously holding a lock on the object. Calling wait() without a lock held will result in an <code>IllegalMonitorStateException</code> being thrown.</p> ]]> </Details> </BugPattern> <BugPattern type="MWN_MISMATCHED_NOTIFY"> <ShortDescription>Mismatched notify()</ShortDescription> <LongDescription>Mismatched notify() in {1}</LongDescription> <Details> <![CDATA[ <p> This method calls Object.notify() or Object.notifyAll() without obviously holding a lock on the object. Calling notify() or notifyAll() without a lock held will result in an <code>IllegalMonitorStateException</code> being thrown.</p> ]]> </Details> </BugPattern> <BugPattern type="SA_LOCAL_SELF_ASSIGNMENT_INSTEAD_OF_FIELD"> <ShortDescription>Self assignment of local rather than assignment to field</ShortDescription> <LongDescription>Self assignment of {2} rather than assigned to field in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains a self assignment of a local variable, and there is a field with an identical name, e.g.:</p> <pre><code> int foo; public void setFoo(int foo) { foo = foo; } </code></pre> <p>The assignment is useless. Did you mean to assign to the field instead?</p> ]]> </Details> </BugPattern> <BugPattern type="SA_LOCAL_SELF_ASSIGNMENT"> <ShortDescription>Self assignment of local variable</ShortDescription> <LongDescription>Self assignment of {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains a self assignment of a local variable; e.g.</p> <pre><code>public void foo() { int x = 3; x = x; } </code></pre> <p> Such assignments are useless, and may indicate a logic error or typo. </p> ]]> </Details> </BugPattern> <BugPattern type="SA_FIELD_SELF_ASSIGNMENT"> <ShortDescription>Self assignment of field</ShortDescription> <LongDescription>Self assignment of field {2.givenClass} in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains a self assignment of a field; e.g. </p> <pre><code>int x; public void foo() { x = x; } </code></pre> <p>Such assignments are useless, and may indicate a logic error or typo.</p> ]]> </Details> </BugPattern> <BugPattern type="SA_FIELD_DOUBLE_ASSIGNMENT"> <ShortDescription>Double assignment of field</ShortDescription> <LongDescription>Double assignment of field {2.givenClass} in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains a double assignment of a field; e.g. </p> <pre><code>int x,y; public void foo() { x = x = 17; } </code></pre> <p>Assigning to a field twice is useless, and may indicate a logic error or typo.</p> ]]> </Details> </BugPattern> <BugPattern type="SA_LOCAL_DOUBLE_ASSIGNMENT"> <ShortDescription>Double assignment of local variable</ShortDescription> <LongDescription>Double assignment of {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains a double assignment of a local variable; e.g. </p> <pre><code>public void foo() { int x,y; x = x = 17; } </code></pre> <p>Assigning the same value to a variable twice is useless, and may indicate a logic error or typo.</p> ]]> </Details> </BugPattern> <BugPattern type="SA_FIELD_SELF_COMPUTATION"> <ShortDescription>Nonsensical self computation involving a field (e.g., x & x)</ShortDescription> <LongDescription>Nonsensical self computation of {2.givenClass} with itself in {1}</LongDescription> <Details> <![CDATA[ <p> This method performs a nonsensical computation of a field with another reference to the same field (e.g., x&x or x-x). Because of the nature of the computation, this operation doesn't seem to make sense, and may indicate a typo or a logic error. Double-check the computation. </p> ]]> </Details> </BugPattern> <BugPattern type="SA_LOCAL_SELF_COMPUTATION"> <ShortDescription>Nonsensical self computation involving a variable (e.g., x & x)</ShortDescription> <LongDescription>Nonsensical self computation of {2} with itself in {1}</LongDescription> <Details> <![CDATA[ <p> This method performs a nonsensical computation of a local variable with another reference to the same variable (e.g., x&x or x-x). Because of the nature of the computation, this operation doesn't seem to make sense, and may indicate a typo or a logic error. Double-check the computation. </p> ]]> </Details> </BugPattern> <BugPattern type="SA_FIELD_SELF_COMPARISON"> <ShortDescription>Self comparison of field with itself</ShortDescription> <LongDescription>Self comparison of {2.givenClass} with itself in {1}</LongDescription> <Details> <![CDATA[ <p> This method compares a field with itself, and may indicate a typo or a logic error. Make sure that you are comparing the right things. </p> ]]> </Details> </BugPattern> <BugPattern type="SA_LOCAL_SELF_COMPARISON"> <ShortDescription>Self comparison of value with itself</ShortDescription> <LongDescription>Self comparison of {2} with itself {1}</LongDescription> <Details> <![CDATA[ <p> This method compares a local variable with itself, and may indicate a typo or a logic error. Make sure that you are comparing the right things. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_LONG_BITS_TO_DOUBLE_INVOKED_ON_INT"> <ShortDescription>Double.longBitsToDouble invoked on an int</ShortDescription> <LongDescription>Double.longBitsToDouble invoked on an int in {1}</LongDescription> <Details> <![CDATA[ <p> The Double.longBitsToDouble method is invoked, but a 32 bit int value is passed as an argument. This almost certainly is not intended and is unlikely to give the intended result. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_ARGUMENTS_WRONG_ORDER"> <ShortDescription>Reversed method arguments</ShortDescription> <LongDescription>Arguments in wrong order for invocation of {2.name} in {1}</LongDescription> <Details> <![CDATA[ <p> The arguments to this method call seem to be in the wrong order. For example, a call <code>Preconditions.checkNotNull("message", message)</code> has reserved arguments: the value to be checked is the first argument. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_RANDOM_USED_ONLY_ONCE"> <ShortDescription>Random object created and used only once</ShortDescription> <LongDescription>Random object created and used only once in {1}</LongDescription> <Details> <![CDATA[ <p> This code creates a java.util.Random object, uses it to generate one random number, and then discards the Random object. This produces mediocre quality random numbers and is inefficient. If possible, rewrite the code so that the Random object is created once and saved, and each time a new random number is required invoke a method on the existing Random object to obtain it. </p> <p>If it is important that the generated Random numbers not be guessable, you <em>must</em> not create a new Random for each random number; the values are too easily guessable. You should strongly consider using a java.security.SecureRandom instead (and avoid allocating a new SecureRandom for each random number needed). </p> ]]> </Details> </BugPattern> <BugPattern type="RV_ABSOLUTE_VALUE_OF_RANDOM_INT"> <ShortDescription>Bad attempt to compute absolute value of signed random integer</ShortDescription> <LongDescription>Bad attempt to compute absolute value of signed random integer in {1}</LongDescription> <Details> <![CDATA[ <p> This code generates a random signed integer and then computes the absolute value of that random integer. If the number returned by the random number generator is <code>Integer.MIN_VALUE</code>, then the result will be negative as well (since <code>Math.abs(Integer.MIN_VALUE) == Integer.MIN_VALUE</code>). (Same problem arises for long values as well). </p> ]]> </Details> </BugPattern> <BugPattern type="RV_ABSOLUTE_VALUE_OF_HASHCODE"> <ShortDescription>Bad attempt to compute absolute value of signed 32-bit hashcode</ShortDescription> <LongDescription>Bad attempt to compute absolute value of signed 32-bit hashcode in {1}</LongDescription> <Details> <![CDATA[ <p> This code generates a hashcode and then computes the absolute value of that hashcode. If the hashcode is <code>Integer.MIN_VALUE</code>, then the result will be negative as well (since <code>Math.abs(Integer.MIN_VALUE) == Integer.MIN_VALUE</code>). </p> <p>One out of 2^32 strings have a hashCode of Integer.MIN_VALUE, including "polygenelubricants" "GydZG_" and ""DESIGNING WORKHOUSES". </p> ]]> </Details> </BugPattern> <BugPattern type="RV_REM_OF_RANDOM_INT"> <ShortDescription>Remainder of 32-bit signed random integer</ShortDescription> <LongDescription>Remainder of 32-bit signed random integer computed in {1}</LongDescription> <Details> <![CDATA[ <p> This code generates a random signed integer and then computes the remainder of that value modulo another value. Since the random number can be negative, the result of the remainder operation can also be negative. Be sure this is intended, and strongly consider using the Random.nextInt(int) method instead. </p> ]]> </Details> </BugPattern> <BugPattern type="RV_REM_OF_HASHCODE"> <ShortDescription>Remainder of hashCode could be negative</ShortDescription> <LongDescription>Remainder of hashCode could be negative in {1}</LongDescription> <Details> <![CDATA[ <p> This code computes a hashCode, and then computes the remainder of that value modulo another value. Since the hashCode can be negative, the result of the remainder operation can also be negative. </p> <p> Assuming you want to ensure that the result of your computation is nonnegative, you may need to change your code. If you know the divisor is a power of 2, you can use a bitwise and operator instead (i.e., instead of using <code>x.hashCode()%n</code>, use <code>x.hashCode()&(n-1)</code>). This is probably faster than computing the remainder as well. If you don't know that the divisor is a power of 2, take the absolute value of the result of the remainder operation (i.e., use <code>Math.abs(x.hashCode()%n)</code>). </p> ]]> </Details> </BugPattern> <BugPattern type="INT_BAD_COMPARISON_WITH_NONNEGATIVE_VALUE"> <ShortDescription>Bad comparison of nonnegative value with negative constant or zero</ShortDescription> <LongDescription>Bad comparison of nonnegative value with {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This code compares a value that is guaranteed to be non-negative with a negative constant or zero. </p> ]]> </Details> </BugPattern> <BugPattern type="INT_BAD_COMPARISON_WITH_SIGNED_BYTE"> <ShortDescription>Bad comparison of signed byte</ShortDescription> <LongDescription>Bad comparison of signed byte with {2} in {1}</LongDescription> <Details> <![CDATA[ <p> Signed bytes can only have a value in the range -128 to 127. Comparing a signed byte with a value outside that range is vacuous and likely to be incorrect. To convert a signed byte <code>b</code> to an unsigned value in the range 0..255, use <code>0xff & b</code>. </p> ]]> </Details> </BugPattern> <BugPattern type="INT_BAD_COMPARISON_WITH_INT_VALUE"> <ShortDescription>Bad comparison of int value with long constant</ShortDescription> <LongDescription>Bad comparison of int with {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This code compares an int value with a long constant that is outside the range of values that can be represented as an int value. This comparison is vacuous and possibly incorrect. </p> ]]> </Details> </BugPattern> <BugPattern type="INT_VACUOUS_BIT_OPERATION"> <ShortDescription>Vacuous bit mask operation on integer value</ShortDescription> <LongDescription>Vacuous {2} operation on {3} in {1}</LongDescription> <Details> <![CDATA[ <p> This is an integer bit operation (and, or, or exclusive or) that doesn't do any useful work (e.g., <code>v & 0xffffffff</code>). </p> ]]> </Details> </BugPattern> <BugPattern type="INT_VACUOUS_COMPARISON"> <ShortDescription>Vacuous comparison of integer value</ShortDescription> <LongDescription>Vacuous comparison of integer value {1}</LongDescription> <Details> <![CDATA[ <p> There is an integer comparison that always returns the same value (e.g., x <= Integer.MAX_VALUE). </p> ]]> </Details> </BugPattern> <BugPattern type="INT_BAD_REM_BY_1"> <ShortDescription>Integer remainder modulo 1</ShortDescription> <LongDescription>Integer remainder modulo 1 computed in {1}</LongDescription> <Details> <![CDATA[ <p> Any expression (exp % 1) is guaranteed to always return zero. Did you mean (exp & 1) or (exp % 2) instead? </p> ]]> </Details> </BugPattern> <BugPattern type="BIT_IOR_OF_SIGNED_BYTE"> <ShortDescription>Bitwise OR of signed byte value</ShortDescription> <LongDescription>Bitwise OR of signed byte value computed in {1}</LongDescription> <Details> <![CDATA[ <p> Loads a byte value (e.g., a value loaded from a byte array or returned by a method with return type byte) and performs a bitwise OR with that value. Byte values are sign extended to 32 bits before any bitwise operations are performed on the value. Thus, if <code>b[0]</code> contains the value <code>0xff</code>, and <code>x</code> is initially 0, then the code <code>((x << 8) | b[0])</code> will sign extend <code>0xff</code> to get <code>0xffffffff</code>, and thus give the value <code>0xffffffff</code> as the result. </p> <p>In particular, the following code for packing a byte array into an int is badly wrong: </p> <pre><code>int result = 0; for (int i = 0; i < 4; i++) { result = ((result << 8) | b[i]); } </code></pre> <p>The following idiom will work instead: </p> <pre><code>int result = 0; for (int i = 0; i < 4; i++) { result = ((result << 8) | (b[i] & 0xff)); } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="BIT_ADD_OF_SIGNED_BYTE"> <ShortDescription>Bitwise add of signed byte value</ShortDescription> <LongDescription>Bitwise add of signed byte value computed in {1}</LongDescription> <Details> <![CDATA[ <p> Adds a byte value and a value which is known to have the 8 lower bits clear. Values loaded from a byte array are sign extended to 32 bits before any bitwise operations are performed on the value. Thus, if <code>b[0]</code> contains the value <code>0xff</code>, and <code>x</code> is initially 0, then the code <code>((x << 8) + b[0])</code> will sign extend <code>0xff</code> to get <code>0xffffffff</code>, and thus give the value <code>0xffffffff</code> as the result. </p> <p>In particular, the following code for packing a byte array into an int is badly wrong: </p> <pre><code>int result = 0; for (int i = 0; i < 4; i++) result = ((result << 8) + b[i]); </code></pre> <p>The following idiom will work instead: </p> <pre><code>int result = 0; for (int i = 0; i < 4; i++) result = ((result << 8) + (b[i] & 0xff)); </code></pre> ]]> </Details> </BugPattern> <BugPattern type="BIT_AND"> <ShortDescription>Incompatible bit masks</ShortDescription> <LongDescription>Incompatible bit masks in (e & {2} == {3}) yields a constant result in {1}</LongDescription> <Details> <![CDATA[ <p> This method compares an expression of the form (e & C) to D, which will always compare unequal due to the specific values of constants C and D. This may indicate a logic error or typo.</p> ]]> </Details> </BugPattern> <BugPattern type="BIT_SIGNED_CHECK"> <ShortDescription>Check for sign of bitwise operation</ShortDescription> <LongDescription>Check for sign of bitwise operation in {1}</LongDescription> <Details> <![CDATA[ <p> This method compares an expression such as <code>((event.detail & SWT.SELECTED) > 0)</code>. Using bit arithmetic and then comparing with the greater than operator can lead to unexpected results (of course depending on the value of SWT.SELECTED). If SWT.SELECTED is a negative number, this is a candidate for a bug. Even when SWT.SELECTED is not negative, it seems good practice to use '!= 0' instead of '> 0'. </p> ]]> </Details> </BugPattern> <BugPattern type="BIT_SIGNED_CHECK_HIGH_BIT"> <ShortDescription>Check for sign of bitwise operation involving negative number</ShortDescription> <LongDescription>Check for sign of bitwise operation involving {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This method compares a bitwise expression such as <code>((val & CONSTANT) > 0)</code> where CONSTANT is the negative number. Using bit arithmetic and then comparing with the greater than operator can lead to unexpected results. This comparison is unlikely to work as expected. The good practice is to use '!= 0' instead of '> 0'. </p> ]]> </Details> </BugPattern> <BugPattern type="BIT_AND_ZZ"> <ShortDescription>Check to see if ((...) & 0) == 0</ShortDescription> <LongDescription>Check to see if ((...) & 0) == 0 in {1}</LongDescription> <Details> <![CDATA[ <p> This method compares an expression of the form <code>(e & 0)</code> to 0, which will always compare equal. This may indicate a logic error or typo.</p> ]]> </Details> </BugPattern> <BugPattern type="BIT_IOR"> <ShortDescription>Incompatible bit masks</ShortDescription> <LongDescription>Incompatible bit masks in (e | {2} == {3}) yields constant result in {1}</LongDescription> <Details> <![CDATA[ <p> This method compares an expression of the form <code>(e | C)</code> to D. which will always compare unequal due to the specific values of constants C and D. This may indicate a logic error or typo.</p> <p> Typically, this bug occurs because the code wants to perform a membership test in a bit set, but uses the bitwise OR operator ("|") instead of bitwise AND ("&").</p> <p>Also such bug may appear in expressions like <code>(e & A | B) == C</code> which is parsed like <code>((e & A) | B) == C</code> while <code>(e & (A | B)) == C</code> was intended.</p> ]]> </Details> </BugPattern> <BugPattern type="LI_LAZY_INIT_INSTANCE" deprecated="true"> <!-- never generated? --> <ShortDescription>Incorrect lazy initialization of instance field</ShortDescription> <LongDescription>Incorrect lazy initialization of instance field {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains an unsynchronized lazy initialization of a non-volatile field. Because the compiler or processor may reorder instructions, threads are not guaranteed to see a completely initialized object, <em>if the method can be called by multiple threads</em>. You can make the field volatile to correct the problem. For more information, see the <a href="http://www.cs.umd.edu/~pugh/java/memoryModel/">Java Memory Model web site</a>. </p> ]]> </Details> </BugPattern> <BugPattern type="LI_LAZY_INIT_STATIC"> <ShortDescription>Incorrect lazy initialization of static field</ShortDescription> <LongDescription>Incorrect lazy initialization of static field {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains an unsynchronized lazy initialization of a non-volatile static field. Because the compiler or processor may reorder instructions, threads are not guaranteed to see a completely initialized object, <em>if the method can be called by multiple threads</em>. You can make the field volatile to correct the problem. For more information, see the <a href="http://www.cs.umd.edu/~pugh/java/memoryModel/">Java Memory Model web site</a>. </p> ]]> </Details> </BugPattern> <BugPattern type="LI_LAZY_INIT_UPDATE_STATIC"> <ShortDescription>Incorrect lazy initialization and update of static field</ShortDescription> <LongDescription>Incorrect lazy initialization and update of static field {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This method contains an unsynchronized lazy initialization of a static field. After the field is set, the object stored into that location is further updated or accessed. The setting of the field is visible to other threads as soon as it is set. If the further accesses in the method that set the field serve to initialize the object, then you have a <em>very serious</em> multithreading bug, unless something else prevents any other thread from accessing the stored object until it is fully initialized. </p> <p>Even if you feel confident that the method is never called by multiple threads, it might be better to not set the static field until the value you are setting it to is fully populated/initialized.</p> ]]> </Details> </BugPattern> <BugPattern type="JLM_JSR166_LOCK_MONITORENTER"> <ShortDescription>Synchronization performed on Lock</ShortDescription> <LongDescription>Synchronization performed on {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This method performs synchronization on an object that implements java.util.concurrent.locks.Lock. Such an object is locked/unlocked using <code>acquire()</code>/<code>release()</code> rather than using the <code>synchronized (...)</code> construct. </p> ]]> </Details> </BugPattern> <BugPattern type="JML_JSR166_CALLING_WAIT_RATHER_THAN_AWAIT"> <ShortDescription>Using monitor style wait methods on util.concurrent abstraction</ShortDescription> <LongDescription>Calling {2.name} rather than {3.name} in {1}</LongDescription> <Details> <![CDATA[ <p> This method calls <code>wait()</code>, <code>notify()</code> or <code>notifyAll()</code> on an object that also provides an <code>await()</code>, <code>signal()</code>, <code>signalAll()</code> method (such as util.concurrent Condition objects). This probably isn't what you want, and even if you do want it, you should consider changing your design, as other developers will find it exceptionally confusing. </p> ]]> </Details> </BugPattern> <BugPattern type="JLM_JSR166_UTILCONCURRENT_MONITORENTER"> <ShortDescription>Synchronization performed on util.concurrent instance</ShortDescription> <LongDescription>Synchronization performed on {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This method performs synchronization on an object that is an instance of a class from the java.util.concurrent package (or its subclasses). Instances of these classes have their own concurrency control mechanisms that are orthogonal to the synchronization provided by the Java keyword <code>synchronized</code>. For example, synchronizing on an <code>AtomicBoolean</code> will not prevent other threads from modifying the <code>AtomicBoolean</code>.</p> <p>Such code may be correct, but should be carefully reviewed and documented, and may confuse people who have to maintain the code at a later date. </p> ]]> </Details> </BugPattern> <BugPattern type="UPM_UNCALLED_PRIVATE_METHOD"> <ShortDescription>Private method is never called</ShortDescription> <LongDescription>Private method {1} is never called</LongDescription> <Details> <![CDATA[ <p> This private method is never called. Although it is possible that the method will be invoked through reflection, it is more likely that the method is never used, and should be removed. </p> ]]> </Details> </BugPattern> <BugPattern type="UMAC_UNCALLABLE_METHOD_OF_ANONYMOUS_CLASS"> <ShortDescription>Uncallable method defined in anonymous class</ShortDescription> <LongDescription>Uncallable method {1} defined in anonymous class</LongDescription> <Details> <![CDATA[ <p> This anonymous class defines a method that is not directly invoked and does not override a method in a superclass. Since methods in other classes cannot directly invoke methods declared in an anonymous class, it seems that this method is uncallable. The method might simply be dead code, but it is also possible that the method is intended to override a method declared in a superclass, and due to a typo or other error the method does not, in fact, override the method it is intended to. </p> ]]> </Details> </BugPattern> <BugPattern type="ODR_OPEN_DATABASE_RESOURCE"> <ShortDescription>Method may fail to close database resource</ShortDescription> <LongDescription>{1} may fail to close {2.excludingPackage}</LongDescription> <Details> <![CDATA[ <p> The method creates a database resource (such as a database connection or row set), does not assign it to any fields, pass it to other methods, or return it, and does not appear to close the object on all paths out of the method. Failure to close database resources on all paths out of a method may result in poor performance, and could cause the application to have problems communicating with the database. </p> ]]> </Details> </BugPattern> <BugPattern type="ODR_OPEN_DATABASE_RESOURCE_EXCEPTION_PATH"> <ShortDescription>Method may fail to close database resource on exception</ShortDescription> <LongDescription>{1} may fail to close database resource on exception</LongDescription> <Details> <![CDATA[ <p> The method creates a database resource (such as a database connection or row set), does not assign it to any fields, pass it to other methods, or return it, and does not appear to close the object on all exception paths out of the method. Failure to close database resources on all paths out of a method may result in poor performance, and could cause the application to have problems communicating with the database.</p> ]]> </Details> </BugPattern> <BugPattern type="SBSC_USE_STRINGBUFFER_CONCATENATION"> <ShortDescription>Method concatenates strings using + in a loop</ShortDescription> <LongDescription>{1} concatenates strings using + in a loop</LongDescription> <Details> <![CDATA[ <p> The method seems to be building a String using concatenation in a loop. In each iteration, the String is converted to a StringBuffer/StringBuilder, appended to, and converted back to a String. This can lead to a cost quadratic in the number of iterations, as the growing string is recopied in each iteration. </p> <p>Better performance can be obtained by using a StringBuffer (or StringBuilder in Java 5) explicitly.</p> <p> For example:</p> <pre><code>// This is bad String s = ""; for (int i = 0; i < field.length; ++i) { s = s + field[i]; } // This is better StringBuffer buf = new StringBuffer(); for (int i = 0; i < field.length; ++i) { buf.append(field[i]); } String s = buf.toString(); </code></pre> ]]> </Details> </BugPattern> <BugPattern type="IIL_PREPARE_STATEMENT_IN_LOOP"> <ShortDescription>Method calls prepareStatement in a loop</ShortDescription> <LongDescription>{1} calls prepareStatement with the constant arguments in a loop</LongDescription> <Details> <![CDATA[ <p> The method calls Connection.prepareStatement inside the loop passing the constant arguments. If the PreparedStatement should be executed several times there's no reason to recreate it for each loop iteration. Move this call outside of the loop.</p> ]]> </Details> </BugPattern> <BugPattern type="IIL_ELEMENTS_GET_LENGTH_IN_LOOP"> <ShortDescription>NodeList.getLength() called in a loop</ShortDescription> <LongDescription>{1} calls NodeList.getLength() in a loop for getElementsByTagName return value</LongDescription> <Details> <![CDATA[ <p> The method calls NodeList.getLength() inside the loop and NodeList was produced by getElementsByTagName call. This NodeList doesn't store its length, but computes it every time in not very optimal way. Consider storing the length to the variable before the loop. </p> ]]> </Details> </BugPattern> <BugPattern type="IIL_PATTERN_COMPILE_IN_LOOP"> <ShortDescription>Method calls Pattern.compile in a loop</ShortDescription> <LongDescription>{1} calls Pattern.compile with the constant arguments in a loop</LongDescription> <Details> <![CDATA[ <p> The method calls Pattern.compile inside the loop passing the constant arguments. If the Pattern should be used several times there's no reason to compile it for each loop iteration. Move this call outside of the loop or even into static final field.</p> ]]> </Details> </BugPattern> <BugPattern type="IIL_PATTERN_COMPILE_IN_LOOP_INDIRECT"> <ShortDescription>Method compiles the regular expression in a loop</ShortDescription> <LongDescription>{1} compiles the regular expression in a loop</LongDescription> <Details> <![CDATA[ <p> The method creates the same regular expression inside the loop, so it will be compiled every iteration. It would be more optimal to precompile this regular expression using Pattern.compile outside of the loop.</p> ]]> </Details> </BugPattern> <BugPattern type="IIO_INEFFICIENT_INDEX_OF"> <ShortDescription>Inefficient use of String.indexOf(String)</ShortDescription> <LongDescription>{1} uses String.indexOf(String) instead of String.indexOf(int)</LongDescription> <Details> <![CDATA[ <p> This code passes a constant string of length 1 to String.indexOf(). It is more efficient to use the integer implementations of String.indexOf(). f. e. call <code>myString.indexOf('.')</code> instead of <code>myString.indexOf(".")</code></p> ]]> </Details> </BugPattern> <BugPattern type="IIO_INEFFICIENT_LAST_INDEX_OF"> <ShortDescription>Inefficient use of String.lastIndexOf(String)</ShortDescription> <LongDescription>{1} uses String.lastIndexOf(String) instead of String.lastIndexOf(int)</LongDescription> <Details> <![CDATA[ <p> This code passes a constant string of length 1 to String.lastIndexOf(). It is more efficient to use the integer implementations of String.lastIndexOf(). f. e. call <code>myString.lastIndexOf('.')</code> instead of <code>myString.lastIndexOf(".")</code></p> ]]> </Details> </BugPattern> <BugPattern type="ITA_INEFFICIENT_TO_ARRAY"> <ShortDescription>Method uses toArray() with zero-length array argument</ShortDescription> <LongDescription>{1} uses Collection.toArray() with zero-length array argument</LongDescription> <Details> <![CDATA[ <p> This method uses the toArray() method of a collection derived class, and passes in a zero-length prototype array argument. It is more efficient to use <code>myCollection.toArray(new Foo[myCollection.size()])</code> If the array passed in is big enough to store all of the elements of the collection, then it is populated and returned directly. This avoids the need to create a second array (by reflection) to return as the result.</p> ]]> </Details> </BugPattern> <BugPattern type="IJU_ASSERT_METHOD_INVOKED_FROM_RUN_METHOD"> <ShortDescription>JUnit assertion in run method will not be noticed by JUnit</ShortDescription> <LongDescription>JUnit assertion in {1} will not be noticed by JUnit</LongDescription> <Details> <![CDATA[ <p> A JUnit assertion is performed in a run method. Failed JUnit assertions just result in exceptions being thrown. Thus, if this exception occurs in a thread other than the thread that invokes the test method, the exception will terminate the thread but not result in the test failing. </p> ]]> </Details> </BugPattern> <BugPattern type="IJU_SETUP_NO_SUPER"> <ShortDescription>TestCase defines setUp that doesn't call super.setUp()</ShortDescription> <LongDescription>TestCase {0} defines setUp that doesn't call super.setUp()</LongDescription> <Details> <![CDATA[ <p> Class is a JUnit TestCase and implements the setUp method. The setUp method should call super.setUp(), but doesn't.</p> ]]> </Details> </BugPattern> <BugPattern type="IJU_TEARDOWN_NO_SUPER"> <ShortDescription>TestCase defines tearDown that doesn't call super.tearDown()</ShortDescription> <LongDescription>TestCase {0} defines tearDown that doesn't call super.tearDown()</LongDescription> <Details> <![CDATA[ <p> Class is a JUnit TestCase and implements the tearDown method. The tearDown method should call super.tearDown(), but doesn't.</p> ]]> </Details> </BugPattern> <BugPattern type="IJU_SUITE_NOT_STATIC"> <ShortDescription>TestCase implements a non-static suite method</ShortDescription> <LongDescription>TestCase {0} implements a non-static suite method</LongDescription> <Details> <![CDATA[ <p> Class is a JUnit TestCase and implements the suite() method. The suite method should be declared as being static, but isn't.</p> ]]> </Details> </BugPattern> <BugPattern type="IJU_BAD_SUITE_METHOD"> <ShortDescription>TestCase declares a bad suite method</ShortDescription> <LongDescription>Bad declaration for suite method in {0}</LongDescription> <Details> <![CDATA[ <p> Class is a JUnit TestCase and defines a suite() method. However, the suite method needs to be declared as either</p> <pre><code>public static junit.framework.Test suite() </code></pre> <p> or </p> <pre><code>public static junit.framework.TestSuite suite() </code></pre> ]]> </Details> </BugPattern> <BugPattern type="IJU_NO_TESTS"> <ShortDescription>TestCase has no tests</ShortDescription> <LongDescription>TestCase {0} has no tests</LongDescription> <Details> <![CDATA[ <p> Class is a JUnit TestCase but has not implemented any test methods.</p> ]]> </Details> </BugPattern> <BugPattern type="BOA_BADLY_OVERRIDDEN_ADAPTER"> <ShortDescription>Class overrides a method implemented in super class Adapter wrongly</ShortDescription> <LongDescription>Class {0} overrides a method {1} implemented in super class Adapter wrongly</LongDescription> <Details> <![CDATA[ <p> This method overrides a method found in a parent class, where that class is an Adapter that implements a listener defined in the java.awt.event or javax.swing.event package. As a result, this method will not get called when the event occurs.</p> ]]> </Details> </BugPattern> <BugPattern type="BRSA_BAD_RESULTSET_ACCESS" deprecated="true"> <!-- deprecated in favor of SQL_BAD_RESULTSET_ACCESS --> <ShortDescription>Method attempts to access a result set field with index 0</ShortDescription> <LongDescription>{1} attempts to access a result set field with index 0</LongDescription> <Details> <![CDATA[ <p> A call to getXXX or updateXXX methods of a result set was made where the field index is 0. As ResultSet fields start at index 1, this is always a mistake.</p> ]]> </Details> </BugPattern> <BugPattern type="SQL_BAD_RESULTSET_ACCESS"> <ShortDescription>Method attempts to access a result set field with index 0</ShortDescription> <LongDescription>{1} attempts to access a result set field with index 0</LongDescription> <Details> <![CDATA[ <p> A call to getXXX or updateXXX methods of a result set was made where the field index is 0. As ResultSet fields start at index 1, this is always a mistake.</p> ]]> </Details> </BugPattern> <BugPattern type="SQL_BAD_PREPARED_STATEMENT_ACCESS"> <ShortDescription>Method attempts to access a prepared statement parameter with index 0</ShortDescription> <LongDescription>{1} attempts to access a prepared statement parameter with index 0</LongDescription> <Details> <![CDATA[ <p> A call to a setXXX method of a prepared statement was made where the parameter index is 0. As parameter indexes start at index 1, this is always a mistake.</p> ]]> </Details> </BugPattern> <BugPattern type="SIO_SUPERFLUOUS_INSTANCEOF"> <ShortDescription>Unnecessary type check done using instanceof operator</ShortDescription> <LongDescription>{1} does an unnecessary type check using instanceof operator when it can be determined statically</LongDescription> <Details> <![CDATA[ <p> Type check performed using the instanceof operator where it can be statically determined whether the object is of the type requested. </p> ]]> </Details> </BugPattern> <BugPattern type="BAC_BAD_APPLET_CONSTRUCTOR"> <ShortDescription>Bad Applet Constructor relies on uninitialized AppletStub</ShortDescription> <LongDescription>Bad Applet Constructor relies on uninitialized AppletStub</LongDescription> <Details> <![CDATA[ <p> This constructor calls methods in the parent Applet that rely on the AppletStub. Since the AppletStub isn't initialized until the init() method of this applet is called, these methods will not perform correctly. </p> ]]> </Details> </BugPattern> <BugPattern type="EC_ARRAY_AND_NONARRAY"> <ShortDescription>equals() used to compare array and nonarray</ShortDescription> <LongDescription>Calling {3.simpleClass}.equals({2.simpleClass}) in {1}</LongDescription> <Details> <![CDATA[ <p> This method invokes the .equals(Object o) to compare an array and a reference that doesn't seem to be an array. If things being compared are of different types, they are guaranteed to be unequal and the comparison is almost certainly an error. Even if they are both arrays, the <code>equals()</code> method on arrays only determines if the two arrays are the same object. To compare the contents of the arrays, use <code>java.util.Arrays.equals(Object[], Object[])</code>. </p> ]]> </Details> </BugPattern> <BugPattern type="EC_BAD_ARRAY_COMPARE"> <ShortDescription>Invocation of equals() on an array, which is equivalent to ==</ShortDescription> <LongDescription>Using .equals to compare two {2.simpleClass}'s, (equivalent to ==) in {1}</LongDescription> <Details> <![CDATA[ <p> This method invokes the .equals(Object o) method on an array. Since arrays do not override the equals method of Object, calling equals on an array is the same as comparing their addresses. To compare the contents of the arrays, use <code>java.util.Arrays.equals(Object[], Object[])</code>. To compare the addresses of the arrays, it would be less confusing to explicitly check pointer equality using <code>==</code>. </p> ]]> </Details> </BugPattern> <BugPattern type="EC_INCOMPATIBLE_ARRAY_COMPARE"> <ShortDescription>equals(...) used to compare incompatible arrays</ShortDescription> <LongDescription>Using equals to compare a {2.simpleClass} and a {3.simpleClass} in {1}</LongDescription> <Details> <![CDATA[ <p> This method invokes the .equals(Object o) to compare two arrays, but the arrays of incompatible types (e.g., String[] and StringBuffer[], or String[] and int[]). They will never be equal. In addition, when equals(...) is used to compare arrays it only checks to see if they are the same array, and ignores the contents of the arrays. </p> ]]> </Details> </BugPattern> <BugPattern type="STI_INTERRUPTED_ON_CURRENTTHREAD"> <ShortDescription>Unneeded use of currentThread() call, to call interrupted()</ShortDescription> <LongDescription>{1} makes an unneeded call to currentThread() just to call interrupted()</LongDescription> <Details> <![CDATA[ <p> This method invokes the <code>Thread.currentThread()</code> call, just to call the <code>interrupted()</code> method. As <code>interrupted()</code> is a static method, it is more simple and clear to use <code>Thread.interrupted()</code>. </p> ]]> </Details> </BugPattern> <BugPattern type="STI_INTERRUPTED_ON_UNKNOWNTHREAD"> <ShortDescription>Static Thread.interrupted() method invoked on thread instance</ShortDescription> <LongDescription>{1} invokes static Thread.interrupted() method on thread instance</LongDescription> <Details> <![CDATA[ <p> This method invokes the Thread.interrupted() method on a Thread object that appears to be a Thread object that is not the current thread. As the interrupted() method is static, the interrupted method will be called on a different object than the one the author intended. </p> ]]> </Details> </BugPattern> <BugPattern type="IP_PARAMETER_IS_DEAD_BUT_OVERWRITTEN"> <ShortDescription>A parameter is dead upon entry to a method but overwritten</ShortDescription> <LongDescription>The parameter {2} to {1} is dead upon entry but overwritten</LongDescription> <Details> <![CDATA[ <p> The initial value of this parameter is ignored, and the parameter is overwritten here. This often indicates a mistaken belief that the write to the parameter will be conveyed back to the caller. </p> ]]> </Details> </BugPattern> <BugPattern type="DLS_DEAD_LOCAL_STORE_SHADOWS_FIELD"> <ShortDescription>Dead store to local variable that shadows field</ShortDescription> <LongDescription>Dead store to {2} rather than field with same name in {1}</LongDescription> <Details> <![CDATA[ <p> This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indicates an error, because the value computed is never used. There is a field with the same name as the local variable. Did you mean to assign to that variable instead? </p> ]]> </Details> </BugPattern> <BugPattern type="DLS_DEAD_LOCAL_STORE"> <ShortDescription>Dead store to local variable</ShortDescription> <LongDescription>Dead store to {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This instruction assigns a value to a local variable, but the value is not read or used in any subsequent instruction. Often, this indicates an error, because the value computed is never used. </p> <p> Note that Sun's javac compiler often generates dead stores for final local variables. Because SpotBugs is a bytecode-based tool, there is no easy way to eliminate these false positives. </p> ]]> </Details> </BugPattern> <BugPattern type="DLS_DEAD_LOCAL_STORE_IN_RETURN"> <ShortDescription>Useless assignment in return statement</ShortDescription> <LongDescription>Useless assignment in return from {1}</LongDescription> <Details> <![CDATA[ <p> This statement assigns to a local variable in a return statement. This assignment has no effect. Please verify that this statement does the right thing. </p> ]]> </Details> </BugPattern> <BugPattern type="DLS_DEAD_LOCAL_INCREMENT_IN_RETURN"> <ShortDescription>Useless increment in return statement</ShortDescription> <LongDescription>Useless increment in return from {1}</LongDescription> <Details> <![CDATA[ <p>This statement has a return such as <code>return x++;</code> / <code>return x--;</code>. A postfix increment/decrement does not impact the value of the expression, so this increment/decrement has no effect. Please verify that this statement does the right thing. </p> ]]> </Details> </BugPattern> <BugPattern type="DLS_DEAD_STORE_OF_CLASS_LITERAL"> <ShortDescription>Dead store of class literal</ShortDescription> <LongDescription>Dead store of {3}.class in {1}</LongDescription> <Details> <![CDATA[ <p> This instruction assigns a class literal to a variable and then never uses it. <a href="http://www.oracle.com/technetwork/java/javase/compatibility-137462.html#literal">The behavior of this differs in Java 1.4 and in Java 5.</a> In Java 1.4 and earlier, a reference to <code>Foo.class</code> would force the static initializer for <code>Foo</code> to be executed, if it has not been executed already. In Java 5 and later, it does not. </p> <p>See Oracle's <a href="http://www.oracle.com/technetwork/java/javase/compatibility-137462.html#literal">article on Java SE compatibility</a> for more details and examples, and suggestions on how to force class initialization in Java 5+. </p> ]]> </Details> </BugPattern> <BugPattern type="DLS_DEAD_LOCAL_STORE_OF_NULL"> <ShortDescription>Dead store of null to local variable</ShortDescription> <LongDescription>Dead store of null to {2} in {1}</LongDescription> <Details> <![CDATA[ <p>The code stores null into a local variable, and the stored value is not read. This store may have been introduced to assist the garbage collector, but as of Java SE 6.0, this is no longer needed or useful. </p> ]]> </Details> </BugPattern> <BugPattern type="MF_METHOD_MASKS_FIELD"> <ShortDescription>Method defines a variable that obscures a field</ShortDescription> <LongDescription>{1} defines a variable that obscures field {2.givenClass}</LongDescription> <Details> <![CDATA[ <p> This method defines a local variable with the same name as a field in this class or a superclass. This may cause the method to read an uninitialized value from the field, leave the field uninitialized, or both.</p> ]]> </Details> </BugPattern> <BugPattern type="MF_CLASS_MASKS_FIELD"> <ShortDescription>Class defines field that masks a superclass field</ShortDescription> <LongDescription>Field {1.givenClass} masks field in superclass {2.class}</LongDescription> <Details> <![CDATA[ <p> This class defines a field with the same name as a visible instance field in a superclass. This is confusing, and may indicate an error if methods update or access one of the fields when they wanted the other.</p> ]]> </Details> </BugPattern> <BugPattern type="WMI_WRONG_MAP_ITERATOR"> <ShortDescription>Inefficient use of keySet iterator instead of entrySet iterator</ShortDescription> <LongDescription>{1} makes inefficient use of keySet iterator instead of entrySet iterator</LongDescription> <Details> <![CDATA[ <p> This method accesses the value of a Map entry, using a key that was retrieved from a keySet iterator. It is more efficient to use an iterator on the entrySet of the map, to avoid the Map.get(key) lookup.</p> ]]> </Details> </BugPattern> <BugPattern type="ISC_INSTANTIATE_STATIC_CLASS"> <ShortDescription>Needless instantiation of class that only supplies static methods</ShortDescription> <LongDescription>{1} needlessly instantiates a class that only supplies static methods</LongDescription> <Details> <![CDATA[ <p> This class allocates an object that is based on a class that only supplies static methods. This object does not need to be created, just access the static methods directly using the class name as a qualifier.</p> ]]> </Details> </BugPattern> <BugPattern type="REC_CATCH_EXCEPTION"> <ShortDescription>Exception is caught when Exception is not thrown</ShortDescription> <LongDescription>Exception is caught when Exception is not thrown in {1}</LongDescription> <Details> <![CDATA[ <p> This method uses a try-catch block that catches Exception objects, but Exception is not thrown within the try block, and RuntimeException is not explicitly caught. It is a common bug pattern to say try { ... } catch (Exception e) { something } as a shorthand for catching a number of types of exception each of whose catch blocks is identical, but this construct also accidentally catches RuntimeException as well, masking potential bugs. </p> <p>A better approach is to either explicitly catch the specific exceptions that are thrown, or to explicitly catch RuntimeException exception, rethrow it, and then catch all non-Runtime Exceptions, as shown below:</p> <pre><code>try { ... } catch (RuntimeException e) { throw e; } catch (Exception e) { ... deal with all non-runtime exceptions ... } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="DCN_NULLPOINTER_EXCEPTION"> <ShortDescription>NullPointerException caught</ShortDescription> <LongDescription>Do not catch NullPointerException like in {1}</LongDescription> <Details> <![CDATA[ <p> According to SEI Cert rule <a href="https://wiki.sei.cmu.edu/confluence/display/java/ERR08-J.+Do+not+catch+NullPointerException+or+any+of+its+ancestors">ERR08-J</a> NullPointerException should not be caught. Handling NullPointerException is considered an inferior alternative to null-checking. <p> This non-compliant code catches a NullPointerException to see if an incoming parameter is null: </p> <pre><code> boolean hasSpace(String m) { try { String ms[] = m.split(" "); return names.length != 1; } catch (NullPointerException e) { return false; } } </code></pre> <p> A compliant solution would use a null-check as in the following example: </p> <pre><code> boolean hasSpace(String m) { if (m == null) return false; String ms[] = m.split(" "); return names.length != 1; } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="FE_TEST_IF_EQUAL_TO_NOT_A_NUMBER"> <ShortDescription>Doomed test for equality to NaN</ShortDescription> <LongDescription>Doomed test for equality to NaN in {1}</LongDescription> <Details> <![CDATA[ <p> This code checks to see if a floating point value is equal to the special Not A Number value (e.g., <code>if (x == Double.NaN)</code>). However, because of the special semantics of <code>NaN</code>, no value is equal to <code>Nan</code>, including <code>NaN</code>. Thus, <code>x == Double.NaN</code> always evaluates to false. To check to see if a value contained in <code>x</code> is the special Not A Number value, use <code>Double.isNaN(x)</code> (or <code>Float.isNaN(x)</code> if <code>x</code> is floating point precision). </p> ]]> </Details> </BugPattern> <BugPattern type="FE_FLOATING_POINT_EQUALITY"> <ShortDescription>Test for floating point equality</ShortDescription> <LongDescription>Test for floating point equality in {1}</LongDescription> <Details> <![CDATA[ <p> This operation compares two floating point values for equality. Because floating point calculations may involve rounding, calculated float and double values may not be accurate. For values that must be precise, such as monetary values, consider using a fixed-precision type such as BigDecimal. For values that need not be precise, consider comparing for equality within some range, for example: <code>if ( Math.abs(x - y) < .0000001 )</code>. See the Java Language Specification, section 4.2.4. </p> ]]> </Details> </BugPattern> <BugPattern type="UM_UNNECESSARY_MATH"> <ShortDescription>Method calls static Math class method on a constant value</ShortDescription> <LongDescription>Method calls static Math class method on a constant value</LongDescription> <Details> <![CDATA[ <p> This method uses a static method from java.lang.Math on a constant value. This method's result in this case, can be determined statically, and is faster and sometimes more accurate to just use the constant. Methods detected are: </p> <table> <tr> <th>Method</th> <th>Parameter</th> </tr> <tr> <td>abs</td> <td>-any-</td> </tr> <tr> <td>acos</td> <td>0.0 or 1.0</td> </tr> <tr> <td>asin</td> <td>0.0 or 1.0</td> </tr> <tr> <td>atan</td> <td>0.0 or 1.0</td> </tr> <tr> <td>atan2</td> <td>0.0</td> </tr> <tr> <td>cbrt</td> <td>0.0 or 1.0</td> </tr> <tr> <td>ceil</td> <td>-any-</td> </tr> <tr> <td>cos</td> <td>0.0</td> </tr> <tr> <td>cosh</td> <td>0.0</td> </tr> <tr> <td>exp</td> <td>0.0 or 1.0</td> </tr> <tr> <td>expm1</td> <td>0.0</td> </tr> <tr> <td>floor</td> <td>-any-</td> </tr> <tr> <td>log</td> <td>0.0 or 1.0</td> </tr> <tr> <td>log10</td> <td>0.0 or 1.0</td> </tr> <tr> <td>rint</td> <td>-any-</td> </tr> <tr> <td>round</td> <td>-any-</td> </tr> <tr> <td>sin</td> <td>0.0</td> </tr> <tr> <td>sinh</td> <td>0.0</td> </tr> <tr> <td>sqrt</td> <td>0.0 or 1.0</td> </tr> <tr> <td>tan</td> <td>0.0</td> </tr> <tr> <td>tanh</td> <td>0.0</td> </tr> <tr> <td>toDegrees</td> <td>0.0 or 1.0</td> </tr> <tr> <td>toRadians</td> <td>0.0</td> </tr> </table> ]]> </Details> </BugPattern> <BugPattern type="CD_CIRCULAR_DEPENDENCY"> <ShortDescription>Test for circular dependencies among classes</ShortDescription> <LongDescription>Class {0} has a circular dependency with other classes</LongDescription> <Details> <![CDATA[ <p> This class has a circular dependency with other classes. This makes building these classes difficult, as each is dependent on the other to build correctly. Consider using interfaces to break the hard dependency. </p> ]]> </Details> </BugPattern> <BugPattern type="RI_REDUNDANT_INTERFACES"> <ShortDescription>Class implements same interface as superclass</ShortDescription> <LongDescription>Class {0} implements same interface as superclass</LongDescription> <Details> <![CDATA[ <p> This class declares that it implements an interface that is also implemented by a superclass. This is redundant because once a superclass implements an interface, all subclasses by default also implement this interface. It may point out that the inheritance hierarchy has changed since this class was created, and consideration should be given to the ownership of the interface's implementation. </p> ]]> </Details> </BugPattern> <BugPattern type="MTIA_SUSPECT_STRUTS_INSTANCE_FIELD"> <ShortDescription>Class extends Struts Action class and uses instance variables</ShortDescription> <LongDescription>Class {0} extends Struts Action class and uses instance variables</LongDescription> <Details> <![CDATA[ <p> This class extends from a Struts Action class, and uses an instance member variable. Since only one instance of a struts Action class is created by the Struts framework, and used in a multithreaded way, this paradigm is highly discouraged and most likely problematic. Consider only using method local variables. Only instance fields that are written outside of a monitor are reported. </p> ]]> </Details> </BugPattern> <BugPattern type="MTIA_SUSPECT_SERVLET_INSTANCE_FIELD"> <ShortDescription>Class extends Servlet class and uses instance variables</ShortDescription> <LongDescription>Class {0} extends Servlet class and uses instance variables</LongDescription> <Details> <![CDATA[ <p> This class extends from a Servlet class, and uses an instance member variable. Since only one instance of a Servlet class is created by the J2EE framework, and used in a multithreaded way, this paradigm is highly discouraged and most likely problematic. Consider only using method local variables. </p> ]]> </Details> </BugPattern> <BugPattern type="PS_PUBLIC_SEMAPHORES"> <ShortDescription>Class exposes synchronization and semaphores in its public interface</ShortDescription> <LongDescription>Class {0} exposes synchronization and semaphores in its public interface</LongDescription> <Details> <![CDATA[ <p> This class uses synchronization along with wait(), notify() or notifyAll() on itself (the this reference). Client classes that use this class, may, in addition, use an instance of this class as a synchronizing object. Because two classes are using the same object for synchronization, Multithread correctness is suspect. You should not synchronize nor call semaphore methods on a public reference. Consider using an internal private member variable to control synchronization. </p> ]]> </Details> </BugPattern> <BugPattern type="ICAST_INTEGER_MULTIPLY_CAST_TO_LONG"> <ShortDescription>Result of integer multiplication cast to long</ShortDescription> <LongDescription>Result of integer multiplication cast to long in {1}</LongDescription> <Details> <![CDATA[ <p> This code performs integer multiply and then converts the result to a long, as in:</p> <pre><code>long convertDaysToMilliseconds(int days) { return 1000*3600*24*days; } </code></pre> <p> If the multiplication is done using long arithmetic, you can avoid the possibility that the result will overflow. For example, you could fix the above code to:</p> <pre><code>long convertDaysToMilliseconds(int days) { return 1000L*3600*24*days; } </code></pre> <p> or </p> <pre><code>static final long MILLISECONDS_PER_DAY = 24L*3600*1000; long convertDaysToMilliseconds(int days) { return days * MILLISECONDS_PER_DAY; } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="ICAST_INT_2_LONG_AS_INSTANT"> <ShortDescription>int value converted to long and used as absolute time</ShortDescription> <LongDescription>int converted to long and passed as absolute time to {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This code converts a 32-bit int value to a 64-bit long value, and then passes that value for a method parameter that requires an absolute time value. An absolute time value is the number of milliseconds since the standard base time known as "the epoch", namely January 1, 1970, 00:00:00 GMT. For example, the following method, intended to convert seconds since the epoch into a Date, is badly broken:</p> <pre><code>Date getDate(int seconds) { return new Date(seconds * 1000); } </code></pre> <p>The multiplication is done using 32-bit arithmetic, and then converted to a 64-bit value. When a 32-bit value is converted to 64-bits and used to express an absolute time value, only dates in December 1969 and January 1970 can be represented.</p> <p>Correct implementations for the above method are:</p> <pre><code>// Fails for dates after 2037 Date getDate(int seconds) { return new Date(seconds * 1000L); } // better, works for all dates Date getDate(long seconds) { return new Date(seconds * 1000); } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="ICAST_INT_CAST_TO_FLOAT_PASSED_TO_ROUND"> <ShortDescription>int value cast to float and then passed to Math.round</ShortDescription> <LongDescription>int value cast to float and then passed to Math.round in {1}</LongDescription> <Details> <![CDATA[ <p> This code converts an int value to a float precision floating point number and then passing the result to the Math.round() function, which returns the int/long closest to the argument. This operation should always be a no-op, since converting an integer to a float should give a number with no fractional part. It is likely that the operation that generated the value to be passed to Math.round was intended to be performed using floating point arithmetic. </p> ]]> </Details> </BugPattern> <BugPattern type="ICAST_INT_CAST_TO_DOUBLE_PASSED_TO_CEIL"> <ShortDescription>Integral value cast to double and then passed to Math.ceil</ShortDescription> <LongDescription>Integral value cast to double and then passed to Math.ceil in {1}</LongDescription> <Details> <![CDATA[ <p> This code converts an integral value (e.g., int or long) to a double precision floating point number and then passing the result to the Math.ceil() function, which rounds a double to the next higher integer value. This operation should always be a no-op, since converting an integer to a double should give a number with no fractional part. It is likely that the operation that generated the value to be passed to Math.ceil was intended to be performed using double precision floating point arithmetic. </p> ]]> </Details> </BugPattern> <BugPattern type="ICAST_IDIV_CAST_TO_DOUBLE"> <ShortDescription>Integral division result cast to double or float</ShortDescription> <LongDescription>Integral division result cast to double or float in {1}</LongDescription> <Details> <![CDATA[ <p> This code casts the result of an integral division (e.g., int or long division) operation to double or float. Doing division on integers truncates the result to the integer value closest to zero. The fact that the result was cast to double suggests that this precision should have been retained. What was probably meant was to cast one or both of the operands to double <em>before</em> performing the division. Here is an example: </p> <pre><code>int x = 2; int y = 5; // Wrong: yields result 0.0 double value1 = x / y; // Right: yields result 0.4 double value2 = x / (double) y; </code></pre> ]]> </Details> </BugPattern> <BugPattern type="J2EE_STORE_OF_NON_SERIALIZABLE_OBJECT_INTO_SESSION"> <ShortDescription>Store of non serializable object into HttpSession</ShortDescription> <LongDescription>Store of non serializable {2} into HttpSession in {1}</LongDescription> <Details> <![CDATA[ <p> This code seems to be storing a non-serializable object into an HttpSession. If this session is passivated or migrated, an error will result. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_NONSERIALIZABLE_OBJECT_WRITTEN"> <ShortDescription>Non serializable object written to ObjectOutput</ShortDescription> <LongDescription>Non serializable {2} written to ObjectOutput in {1}</LongDescription> <Details> <![CDATA[ <p> This code seems to be passing a non-serializable object to the ObjectOutput.writeObject method. If the object is, indeed, non-serializable, an error will result. </p> ]]> </Details> </BugPattern> <BugPattern type="VA_FORMAT_STRING_USES_NEWLINE"> <ShortDescription>Format string should use %n rather than \n</ShortDescription> <LongDescription>Format string should use %n rather than \n in {1}</LongDescription> <Details> <![CDATA[ <p> This format string includes a newline character (\n). In format strings, it is generally preferable to use %n, which will produce the platform-specific line separator. When using text blocks introduced in Java 15, use the <code>\</code> escape sequence: <code>String value = """ first line%n\ second line%n\ """;</code> </p> ]]> </Details> </BugPattern> <BugPattern type="VA_PRIMITIVE_ARRAY_PASSED_TO_OBJECT_VARARG"> <ShortDescription>Primitive array passed to function expecting a variable number of object arguments</ShortDescription> <LongDescription>{2} passed to varargs method {3} in {1}</LongDescription> <Details> <![CDATA[ <p> This code passes a primitive array to a function that takes a variable number of object arguments. This creates an array of length one to hold the primitive array and passes it to the function. </p> ]]> </Details> </BugPattern> <BugPattern type="BC_EQUALS_METHOD_SHOULD_WORK_FOR_ALL_OBJECTS"> <ShortDescription>Equals method should not assume anything about the type of its argument</ShortDescription> <LongDescription>Equals method for {0} assumes the argument is of type {0.givenClass}</LongDescription> <Details> <![CDATA[ <p> The <code>equals(Object o)</code> method shouldn't make any assumptions about the type of <code>o</code>. It should simply return false if <code>o</code> is not the same type as <code>this</code>. </p> ]]> </Details> </BugPattern> <BugPattern type="BC_BAD_CAST_TO_ABSTRACT_COLLECTION"> <ShortDescription>Questionable cast to abstract collection</ShortDescription> <LongDescription>Questionable cast from Collection to abstract class {3} in {1}</LongDescription> <Details> <![CDATA[ <p> This code casts a Collection to an abstract collection (such as <code>List</code>, <code>Set</code>, or <code>Map</code>). Ensure that you are guaranteed that the object is of the type you are casting to. If all you need is to be able to iterate through a collection, you don't need to cast it to a Set or List. </p> ]]> </Details> </BugPattern> <BugPattern type="BC_IMPOSSIBLE_CAST_PRIMITIVE_ARRAY"> <ShortDescription>Impossible cast involving primitive array</ShortDescription> <LongDescription>Impossible cast involving primitive array in {1}</LongDescription> <Details> <![CDATA[ <p> This cast will always throw a ClassCastException. </p> ]]> </Details> </BugPattern> <BugPattern type="BC_IMPOSSIBLE_CAST"> <ShortDescription>Impossible cast</ShortDescription> <LongDescription>Impossible cast from {2} to {3} in {1}</LongDescription> <Details> <![CDATA[ <p> This cast will always throw a ClassCastException. SpotBugs tracks type information from instanceof checks, and also uses more precise information about the types of values returned from methods and loaded from fields. Thus, it may have more precise information than just the declared type of a variable, and can use this to determine that a cast will always throw an exception at runtime. </p> ]]> </Details> </BugPattern> <BugPattern type="BC_IMPOSSIBLE_DOWNCAST"> <ShortDescription>Impossible downcast</ShortDescription> <LongDescription>Impossible downcast from {2} to {3} in {1}</LongDescription> <Details> <![CDATA[ <p> This cast will always throw a ClassCastException. The analysis believes it knows the precise type of the value being cast, and the attempt to downcast it to a subtype will always fail by throwing a ClassCastException. </p> ]]> </Details> </BugPattern> <BugPattern type="BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY"> <ShortDescription>Impossible downcast of toArray() result</ShortDescription> <LongDescription>Impossible downcast of toArray() result to {3} in {1}</LongDescription> <Details> <![CDATA[ <p> This code is casting the result of calling <code>toArray()</code> on a collection to a type more specific than <code>Object[]</code>, as in:</p> <pre><code>String[] getAsArray(Collection<String> c) { return (String[]) c.toArray(); } </code></pre> <p>This will usually fail by throwing a ClassCastException. The <code>toArray()</code> of almost all collections return an <code>Object[]</code>. They cannot really do anything else, since the Collection object has no reference to the declared generic type of the collection. <p>The correct way to do get an array of a specific type from a collection is to use <code>c.toArray(new String[0]);</code> or <code>c.toArray(new String[c.size()]);</code> (the former is <a href="https://shipilev.net/blog/2016/arrays-wisdom-ancients/#_historical_perspective">slightly more efficient</a> since late Java 6 updates). <p>There is one common/known exception to this. The <code>toArray()</code> method of lists returned by <code>Arrays.asList(...)</code> will return a covariantly typed array. For example, <code>Arrays.asArray(new String[] { "a" }).toArray()</code> will return a <code>String []</code>. SpotBugs attempts to detect and suppress such cases, but may miss some. </p> ]]> </Details> </BugPattern> <BugPattern type="NP_NULL_INSTANCEOF"> <ShortDescription>A known null value is checked to see if it is an instance of a type</ShortDescription> <LongDescription>A known null value is checked to see if it is an instance of {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This instanceof test will always return false, since the value being checked is guaranteed to be null. Although this is safe, make sure it isn't an indication of some misunderstanding or some other logic error. </p> ]]> </Details> </BugPattern> <BugPattern type="BC_NULL_INSTANCEOF" deprecated="true"> <!-- deprecated in favor of NP_NULL_INSTANCEOF --> <ShortDescription>A known null value is checked to see if it is an instance of a type</ShortDescription> <LongDescription>A known null value is checked to see if it is an instance of {2} in {1}</LongDescription> <Details> <![CDATA[ <p> This instanceof test will always return false, since the value being checked is guaranteed to be null. Although this is safe, make sure it isn't an indication of some misunderstanding or some other logic error. </p> ]]> </Details> </BugPattern> <BugPattern type="BC_IMPOSSIBLE_INSTANCEOF"> <ShortDescription>instanceof will always return false</ShortDescription> <LongDescription>instanceof will always return false in {1}, since a {2} cannot be a {3}</LongDescription> <Details> <![CDATA[ <p> This instanceof test will always return false. Although this is safe, make sure it isn't an indication of some misunderstanding or some other logic error. </p> ]]> </Details> </BugPattern> <BugPattern type="BC_VACUOUS_INSTANCEOF"> <ShortDescription>instanceof will always return true</ShortDescription> <LongDescription>instanceof will always return true for all non-null values in {1}, since all {2} are instances of {3}</LongDescription> <Details> <![CDATA[ <p> This instanceof test will always return true (unless the value being tested is null). Although this is safe, make sure it isn't an indication of some misunderstanding or some other logic error. If you really want to test the value for being null, perhaps it would be clearer to do better to do a null test rather than an instanceof test. </p> ]]> </Details> </BugPattern> <BugPattern type="BC_UNCONFIRMED_CAST"> <ShortDescription>Unchecked/unconfirmed cast</ShortDescription> <LongDescription>Unchecked/unconfirmed cast from {2} to {3} in {1}</LongDescription> <Details> <![CDATA[ <p> This cast is unchecked, and not all instances of the type cast from can be cast to the type it is being cast to. Check that your program logic ensures that this cast will not fail. </p> ]]> </Details> </BugPattern> <BugPattern type="BC_UNCONFIRMED_CAST_OF_RETURN_VALUE"> <ShortDescription>Unchecked/unconfirmed cast of return value from method</ShortDescription> <LongDescription>Unchecked/unconfirmed cast from {2} to {3} of return value in {1}</LongDescription> <Details> <![CDATA[ <p> This code performs an unchecked cast of the return value of a method. The code might be calling the method in such a way that the cast is guaranteed to be safe, but SpotBugs is unable to verify that the cast is safe. Check that your program logic ensures that this cast will not fail. </p> ]]> </Details> </BugPattern> <BugPattern type="BC_BAD_CAST_TO_CONCRETE_COLLECTION"> <ShortDescription>Questionable cast to concrete collection</ShortDescription> <LongDescription>Questionable cast from {2} to {3} in {1}</LongDescription> <Details> <![CDATA[ <p> This code casts an abstract collection (such as a Collection, List, or Set) to a specific concrete implementation (such as an ArrayList or HashSet). This might not be correct, and it may make your code fragile, since it makes it harder to switch to other concrete implementations at a future point. Unless you have a particular reason to do so, just use the abstract collection class. </p> ]]> </Details> </BugPattern> <BugPattern type="RE_POSSIBLE_UNINTENDED_PATTERN"> <ShortDescription>"." or "|" used for regular expression</ShortDescription> <LongDescription>"." or "|" used for regular expression in {1}</LongDescription> <Details> <![CDATA[ <p> A String function is being invoked and "." or "|" is being passed to a parameter that takes a regular expression as an argument. Is this what you intended? For example </p> <ul> <li>s.replaceAll(".", "/") will return a String in which <em>every</em> character has been replaced by a '/' character</li> <li>s.split(".") <em>always</em> returns a zero length array of String</li> <li>"ab|cd".replaceAll("|", "/") will return "/a/b/|/c/d/"</li> <li>"ab|cd".split("|") will return array with six (!) elements: [, a, b, |, c, d]</li> </ul> <p> Consider using <code>s.replace(".", "/")</code> or <code>s.split("\\.")</code> instead. </p> ]]> </Details> </BugPattern> <BugPattern type="RE_BAD_SYNTAX_FOR_REGULAR_EXPRESSION"> <ShortDescription>Invalid syntax for regular expression</ShortDescription> <LongDescription>Invalid syntax for regular expression in {1}</LongDescription> <Details> <![CDATA[ <p> The code here uses a regular expression that is invalid according to the syntax for regular expressions. This statement will throw a PatternSyntaxException when executed. </p> ]]> </Details> </BugPattern> <BugPattern type="RE_CANT_USE_FILE_SEPARATOR_AS_REGULAR_EXPRESSION"> <ShortDescription>File.separator used for regular expression</ShortDescription> <LongDescription>File.separator used for regular expression in {1}</LongDescription> <Details> <![CDATA[ <p> The code here uses <code>File.separator</code> where a regular expression is required. This will fail on Windows platforms, where the <code>File.separator</code> is a backslash, which is interpreted in a regular expression as an escape character. Among other options, you can just use <code>File.separatorChar=='\\' ? "\\\\" : File.separator</code> instead of <code>File.separator</code> </p> ]]> </Details> </BugPattern> <BugPattern type="DLS_OVERWRITTEN_INCREMENT"> <ShortDescription>Overwritten increment</ShortDescription> <LongDescription>Overwritten increment in {1}</LongDescription> <Details> <![CDATA[ <p> The code performs an increment/decrement operation (e.g., <code>i++</code> / <code>i--</code>) and then immediately overwrites it. For example, <code>i = i++</code> / <code>i = i--</code> immediately overwrites the incremented/decremented value with the original value. </p> ]]> </Details> </BugPattern> <BugPattern type="ICAST_QUESTIONABLE_UNSIGNED_RIGHT_SHIFT"> <ShortDescription>Unsigned right shift cast to short/byte</ShortDescription> <LongDescription>Unsigned right shift cast to short/byte in {1}</LongDescription> <Details> <![CDATA[ <p> The code performs an unsigned right shift, whose result is then cast to a short or byte, which discards the upper bits of the result. Since the upper bits are discarded, there may be no difference between a signed and unsigned right shift (depending upon the size of the shift). </p> ]]> </Details> </BugPattern> <BugPattern type="BSHIFT_WRONG_ADD_PRIORITY"> <ShortDescription>Possible bad parsing of shift operation</ShortDescription> <LongDescription>Possible bad parsing of shift operation in {1}</LongDescription> <Details> <![CDATA[ <p> The code performs an operation like (x << 8 + y). Although this might be correct, probably it was meant to perform (x << 8) + y, but shift operation has a lower precedence, so it's actually parsed as x << (8 + y). </p> ]]> </Details> </BugPattern> <BugPattern type="ICAST_BAD_SHIFT_AMOUNT"> <ShortDescription>32 bit int shifted by an amount not in the range -31..31</ShortDescription> <LongDescription>32 bit int shifted by {2} bits in {1}</LongDescription> <Details> <![CDATA[ <p> The code performs shift of a 32 bit int by a constant amount outside the range -31..31. The effect of this is to use the lower 5 bits of the integer value to decide how much to shift by (e.g., shifting by 40 bits is the same as shifting by 8 bits, and shifting by 32 bits is the same as shifting by zero bits). This probably isn't what was expected, and it is at least confusing. </p> ]]> </Details> </BugPattern> <BugPattern type="IM_MULTIPLYING_RESULT_OF_IREM"> <ShortDescription>Integer multiply of result of integer remainder</ShortDescription> <LongDescription>Integer multiple of result of integer remainder in {1}</LongDescription> <Details> <![CDATA[ <p> The code multiplies the result of an integer remaining by an integer constant. Be sure you don't have your operator precedence confused. For example i % 60 * 1000 is (i % 60) * 1000, not i % (60 * 1000). </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_INVOKING_HASHCODE_ON_ARRAY"> <ShortDescription>Invocation of hashCode on an array</ShortDescription> <LongDescription>Invocation of hashCode on array in {1}</LongDescription> <Details> <![CDATA[ <p> The code invokes hashCode on an array. Calling hashCode on an array returns the same value as System.identityHashCode, and ignores the contents and length of the array. If you need a hashCode that depends on the contents of an array <code>a</code>, use <code>java.util.Arrays.hashCode(a)</code>. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_INVOKING_TOSTRING_ON_ARRAY"> <ShortDescription>Invocation of toString on an array</ShortDescription> <LongDescription>Invocation of toString on {2.givenClass} in {1}</LongDescription> <Details> <![CDATA[ <p> The code invokes toString on an array, which will generate a fairly useless result such as [C@16f0472. Consider using Arrays.toString to convert the array into a readable String that gives the contents of the array. See Programming Puzzlers, chapter 3, puzzle 12. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_INVOKING_TOSTRING_ON_ANONYMOUS_ARRAY"> <ShortDescription>Invocation of toString on an unnamed array</ShortDescription> <LongDescription>Invocation of toString on an unnamed array in {1}</LongDescription> <Details> <![CDATA[ <p> The code invokes toString on an (anonymous) array. Calling toString on an array generates a fairly useless result such as [C@16f0472. Consider using Arrays.toString to convert the array into a readable String that gives the contents of the array. See Programming Puzzlers, chapter 3, puzzle 12. </p> ]]> </Details> </BugPattern> <BugPattern type="IM_AVERAGE_COMPUTATION_COULD_OVERFLOW"> <ShortDescription>Computation of average could overflow</ShortDescription> <LongDescription>Computation of average could overflow in {1}</LongDescription> <Details> <![CDATA[ <p>The code computes the average of two integers using either division or signed right shift, and then uses the result as the index of an array. If the values being averaged are very large, this can overflow (resulting in the computation of a negative average). Assuming that the result is intended to be nonnegative, you can use an unsigned right shift instead. In other words, rather that using <code>(low+high)/2</code>, use <code>(low+high) >>> 1</code> </p> <p>This bug exists in many earlier implementations of binary search and merge sort. Martin Buchholz <a href="http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6412541">found and fixed it</a> in the JDK libraries, and Joshua Bloch <a href="http://googleresearch.blogspot.com/2006/06/extra-extra-read-all-about-it-nearly.html">widely publicized the bug pattern</a>. </p> ]]> </Details> </BugPattern> <BugPattern type="IM_BAD_CHECK_FOR_ODD"> <ShortDescription>Check for oddness that won't work for negative numbers</ShortDescription> <LongDescription>Check for oddness that won't work for negative numbers in {1}</LongDescription> <Details> <![CDATA[ <p> The code uses x % 2 == 1 to check to see if a value is odd, but this won't work for negative numbers (e.g., (-5) % 2 == -1). If this code is intending to check for oddness, consider using (x & 1) == 1, or x % 2 != 0. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_HARDCODED_ABSOLUTE_FILENAME"> <ShortDescription>Code contains a hard coded reference to an absolute pathname</ShortDescription> <LongDescription>Hard coded reference to an absolute pathname in {1}</LongDescription> <Details> <![CDATA[ <p>This code constructs a File object using a hard coded to an absolute pathname (e.g., <code>new File("/home/dannyc/workspace/j2ee/src/share/com/sun/enterprise/deployment");</code> </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_BAD_MONTH"> <ShortDescription>Bad constant value for month</ShortDescription> <LongDescription>Bad month value of {2} passed to {3} in {1}</LongDescription> <Details> <![CDATA[ <p> This code passes a constant month value outside the expected range of 0..11 to a method. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_USELESS_SUBSTRING"> <ShortDescription>Invocation of substring(0), which returns the original value</ShortDescription> <LongDescription>{1} invokes substring(0), which returns the original value</LongDescription> <Details> <![CDATA[ <p> This code invokes substring(0) on a String, which returns the original value. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_CALLING_NEXT_FROM_HASNEXT"> <ShortDescription>hasNext method invokes next</ShortDescription> <LongDescription>{1} invokes {2.givenClass}</LongDescription> <Details> <![CDATA[ <p> The hasNext() method invokes the next() method. This is almost certainly wrong, since the hasNext() method is not supposed to change the state of the iterator, and the next method is supposed to change the state of the iterator. </p> ]]> </Details> </BugPattern> <BugPattern type="SWL_SLEEP_WITH_LOCK_HELD"> <ShortDescription>Method calls Thread.sleep() with a lock held</ShortDescription> <LongDescription>{1} calls Thread.sleep() with a lock held</LongDescription> <Details> <![CDATA[ <p> This method calls Thread.sleep() with a lock held. This may result in very poor performance and scalability, or a deadlock, since other threads may be waiting to acquire the lock. It is a much better idea to call wait() on the lock, which releases the lock and allows other threads to run. </p> ]]> </Details> </BugPattern> <BugPattern type="DB_DUPLICATE_BRANCHES"> <ShortDescription>Method uses the same code for two branches</ShortDescription> <LongDescription>{1} uses the same code for two branches</LongDescription> <Details> <![CDATA[ <p> This method uses the same code to implement two branches of a conditional branch. Check to ensure that this isn't a coding mistake. </p> ]]> </Details> </BugPattern> <BugPattern type="DB_DUPLICATE_SWITCH_CLAUSES"> <ShortDescription>Method uses the same code for two switch clauses</ShortDescription> <LongDescription>{1} uses the same code for two switch clauses</LongDescription> <Details> <![CDATA[ <p> This method uses the same code to implement two clauses of a switch statement. This could be a case of duplicate code, but it might also indicate a coding mistake. </p> ]]> </Details> </BugPattern> <BugPattern type="IMA_INEFFICIENT_MEMBER_ACCESS"> <ShortDescription>Method accesses a private member variable of owning class</ShortDescription> <LongDescription>{1} accesses to a private member variable of owning class</LongDescription> <Details> <![CDATA[ <p> This method of an inner class reads from or writes to a private member variable of the owning class, or calls a private method of the owning class. The compiler must generate a special method to access this private member, causing this to be less efficient. Relaxing the protection of the member variable or method will allow the compiler to treat this as a normal access. </p> ]]> </Details> </BugPattern> <BugPattern type="XFB_XML_FACTORY_BYPASS"> <ShortDescription>Method directly allocates a specific implementation of xml interfaces</ShortDescription> <LongDescription>{1} directly allocates a specific implementation of xml interfaces</LongDescription> <Details> <![CDATA[ <p> This method allocates a specific implementation of an xml interface. It is preferable to use the supplied factory classes to create these objects so that the implementation can be changed at runtime. See </p> <ul> <li>javax.xml.parsers.DocumentBuilderFactory</li> <li>javax.xml.parsers.SAXParserFactory</li> <li>javax.xml.transform.TransformerFactory</li> <li>org.w3c.dom.Document.create<i>XXXX</i></li> </ul> <p>for details.</p> ]]> </Details> </BugPattern> <BugPattern type="USM_USELESS_SUBCLASS_METHOD"> <ShortDescription>Method superfluously delegates to parent class method</ShortDescription> <LongDescription>{1} superfluously delegates to parent class method</LongDescription> <Details> <![CDATA[ <p> This derived method merely calls the same superclass method passing in the exact parameters received. This method can be removed, as it provides no additional value. </p> ]]> </Details> </BugPattern> <BugPattern type="USM_USELESS_ABSTRACT_METHOD"> <ShortDescription>Abstract Method is already defined in implemented interface</ShortDescription> <LongDescription>Abstract Method {1} is already defined in implemented interface</LongDescription> <Details> <![CDATA[ <p> This abstract method is already defined in an interface that is implemented by this abstract class. This method can be removed, as it provides no additional value. </p> ]]> </Details> </BugPattern> <BugPattern type="CI_CONFUSED_INHERITANCE"> <ShortDescription>Class is final but declares protected field</ShortDescription> <LongDescription>Class {0} is final but declares protected field {1}</LongDescription> <Details> <![CDATA[ <p> This class is declared to be final, but declares fields to be protected. Since the class is final, it cannot be derived from, and the use of protected is confusing. The access modifier for the field should be changed to private or public to represent the true use for the field. </p> ]]> </Details> </BugPattern> <BugPattern type="QBA_QUESTIONABLE_BOOLEAN_ASSIGNMENT"> <ShortDescription>Method assigns boolean literal in boolean expression</ShortDescription> <LongDescription>{1} assigns boolean literal in boolean expression</LongDescription> <Details> <![CDATA[ <p> This method assigns a literal boolean value (true or false) to a boolean variable inside an if or while expression. Most probably this was supposed to be a boolean comparison using ==, not an assignment using =. </p> ]]> </Details> </BugPattern> <BugPattern type="VR_UNRESOLVABLE_REFERENCE"> <ShortDescription>Class makes reference to unresolvable class or method</ShortDescription> <LongDescription>Unresolvable reference to {1} by {0}</LongDescription> <Details> <![CDATA[ <p> This class makes a reference to a class or method that cannot be resolved using against the libraries it is being analyzed with. </p> ]]> </Details> </BugPattern> <BugPattern type="GC_UNCHECKED_TYPE_IN_GENERIC_CALL"> <ShortDescription>Unchecked type in generic call</ShortDescription> <LongDescription>Unchecked argument of type Object provided where type {3.givenClass} is expected in {1}</LongDescription> <Details> <![CDATA[ <p> This call to a generic collection method passes an argument while compile type Object where a specific type from the generic type parameters is expected. Thus, neither the standard Java type system nor static analysis can provide useful information on whether the object being passed as a parameter is of an appropriate type. </p> ]]> </Details> </BugPattern> <BugPattern type="GC_UNRELATED_TYPES"> <ShortDescription>No relationship between generic parameter and method argument</ShortDescription> <LongDescription>{2.givenClass} is incompatible with expected argument type {3.givenClass} in {1}</LongDescription> <Details> <![CDATA[ <p> This call to a generic collection method contains an argument with an incompatible class from that of the collection's parameter (i.e., the type of the argument is neither a supertype nor a subtype of the corresponding generic type argument). Therefore, it is unlikely that the collection contains any objects that are equal to the method argument used here. Most likely, the wrong value is being passed to the method.</p> <p>In general, instances of two unrelated classes are not equal. For example, if the <code>Foo</code> and <code>Bar</code> classes are not related by subtyping, then an instance of <code>Foo</code> should not be equal to an instance of <code>Bar</code>. Among other issues, doing so will likely result in an equals method that is not symmetrical. For example, if you define the <code>Foo</code> class so that a <code>Foo</code> can be equal to a <code>String</code>, your equals method isn't symmetrical since a <code>String</code> can only be equal to a <code>String</code>. </p> <p>In rare cases, people do define nonsymmetrical equals methods and still manage to make their code work. Although none of the APIs document or guarantee it, it is typically the case that if you check if a <code>Collection<String></code> contains a <code>Foo</code>, the equals method of argument (e.g., the equals method of the <code>Foo</code> class) used to perform the equality checks. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_COLLECTIONS_SHOULD_NOT_CONTAIN_THEMSELVES"> <ShortDescription>Collections should not contain themselves</ShortDescription> <LongDescription>Collections should not contain themselves in call to {2.givenClass}</LongDescription> <Details> <![CDATA[ <p> This call to a generic collection's method would only make sense if a collection contained itself (e.g., if <code>s.contains(s)</code> were true). This is unlikely to be true and would cause problems if it were true (such as the computation of the hash code resulting in infinite recursion). It is likely that the wrong value is being passed as a parameter. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_VACUOUS_SELF_COLLECTION_CALL"> <ShortDescription>Vacuous call to collections</ShortDescription> <LongDescription>For any collection c, calling c.{2.name}(c) doesn't make sense</LongDescription> <Details> <![CDATA[ <p> This call doesn't make sense. For any collection <code>c</code>, calling <code>c.containsAll(c)</code> should always be true, and <code>c.retainAll(c)</code> should have no effect. </p> ]]> </Details> </BugPattern> <BugPattern type="PZ_DONT_REUSE_ENTRY_OBJECTS_IN_ITERATORS"> <ShortDescription>Don't reuse entry objects in iterators</ShortDescription> <LongDescription>{0} is both an Iterator and a Map.Entry</LongDescription> <Details> <![CDATA[ <p> The entrySet() method is allowed to return a view of the underlying Map in which an Iterator and Map.Entry. This clever idea was used in several Map implementations, but introduces the possibility of nasty coding mistakes. If a map <code>m</code> returns such an iterator for an entrySet, then <code>c.addAll(m.entrySet())</code> will go badly wrong. All of the Map implementations in OpenJDK 7 have been rewritten to avoid this, you should too. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_ENTRY_SETS_MAY_REUSE_ENTRY_OBJECTS"> <ShortDescription>Adding elements of an entry set may fail due to reuse of Entry objects</ShortDescription> <LongDescription>Adding elements of an entry set may fail due to reuse of {2.simpleClass}.Entry object in {1}</LongDescription> <Details> <![CDATA[ <p> The entrySet() method is allowed to return a view of the underlying Map in which a single Entry object is reused and returned during the iteration. As of Java 6, both IdentityHashMap and EnumMap did so. When iterating through such a Map, the Entry value is only valid until you advance to the next iteration. If, for example, you try to pass such an entrySet to an addAll method, things will go badly wrong. </p> ]]> </Details> </BugPattern> <BugPattern type="DMI_USING_REMOVEALL_TO_CLEAR_COLLECTION"> <ShortDescription>Don't use removeAll to clear a collection</ShortDescription> <LongDescription>removeAll used to clear a collection in {1}</LongDescription> <Details> <![CDATA[ <p> If you want to remove all elements from a collection <code>c</code>, use <code>c.clear</code>, not <code>c.removeAll(c)</code>. Calling <code>c.removeAll(c)</code> to clear a collection is less clear, susceptible to errors from typos, less efficient and for some collections, might throw a <code>ConcurrentModificationException</code>. </p> ]]> </Details> </BugPattern> <BugPattern type="STCAL_STATIC_CALENDAR_INSTANCE"> <ShortDescription>Static Calendar field</ShortDescription> <LongDescription>{1} is static field of type java.util.Calendar, which isn't thread safe</LongDescription> <Details> <![CDATA[ <p>Even though the JavaDoc does not contain a hint about it, Calendars are inherently unsafe for multithreaded use. Sharing a single instance across thread boundaries without proper synchronization will result in erratic behavior of the application. Under 1.4 problems seem to surface less often than under Java 5 where you will probably see random ArrayIndexOutOfBoundsExceptions or IndexOutOfBoundsExceptions in sun.util.calendar.BaseCalendar.getCalendarDateFromFixedDate().</p> <p>You may also experience serialization problems.</p> <p>Using an instance field is recommended.</p> <p>For more information on this see <a href="http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6231579">JDK Bug #6231579</a> and <a href="http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6178997">JDK Bug #6178997</a>.</p> ]]> </Details> </BugPattern> <BugPattern type="STCAL_INVOKE_ON_STATIC_CALENDAR_INSTANCE"> <ShortDescription>Call to static Calendar</ShortDescription> <LongDescription>Call to method of static java.util.Calendar in {1}</LongDescription> <Details> <![CDATA[ <p>Even though the JavaDoc does not contain a hint about it, Calendars are inherently unsafe for multithreaded use. The detector has found a call to an instance of Calendar that has been obtained via a static field. This looks suspicious.</p> <p>For more information on this see <a href="http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6231579">JDK Bug #6231579</a> and <a href="http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6178997">JDK Bug #6178997</a>.</p> ]]> </Details> </BugPattern> <BugPattern type="STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE"> <ShortDescription>Static DateFormat</ShortDescription> <LongDescription>{1} is a static field of type java.text.DateFormat, which isn't thread safe</LongDescription> <Details> <![CDATA[ <p>As the JavaDoc states, DateFormats are inherently unsafe for multithreaded use. Sharing a single instance across thread boundaries without proper synchronization will result in erratic behavior of the application.</p> <p>You may also experience serialization problems.</p> <p>Using an instance field is recommended.</p> <p>For more information on this see <a href="http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6231579">JDK Bug #6231579</a> and <a href="http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6178997">JDK Bug #6178997</a>.</p> ]]> </Details> </BugPattern> <BugPattern type="STCAL_INVOKE_ON_STATIC_DATE_FORMAT_INSTANCE"> <ShortDescription>Call to static DateFormat</ShortDescription> <LongDescription>Call to method of static java.text.DateFormat in {1}</LongDescription> <Details> <![CDATA[ <p>As the JavaDoc states, DateFormats are inherently unsafe for multithreaded use. The detector has found a call to an instance of DateFormat that has been obtained via a static field. This looks suspicious.</p> <p>For more information on this see <a href="http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6231579">JDK Bug #6231579</a> and <a href="http://bugs.java.com/bugdatabase/view_bug.do?bug_id=6178997">JDK Bug #6178997</a>.</p> ]]> </Details> </BugPattern> <BugPattern type="TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS"> <ShortDescription>Comparing values with incompatible type qualifiers</ShortDescription> <LongDescription>Value annotated as having the type qualifier {2.simpleName} is compared for equality with a value that never has that qualifier</LongDescription> <Details> <![CDATA[ <p> A value specified as carrying a type qualifier annotation is compared with a value that doesn't ever carry that qualifier. </p> <p> More precisely, a value annotated with a type qualifier specifying when=ALWAYS is compared with a value that where the same type qualifier specifies when=NEVER. </p> <p> For example, say that @NonNegative is a nickname for the type qualifier annotation @Negative(when=When.NEVER). The following code will generate this warning because the return statement requires a @NonNegative value, but receives one that is marked as @Negative. </p> <pre><code>public boolean example(@Negative Integer value1, @NonNegative Integer value2) { return value1.equals(value2); } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="TQ_ALWAYS_VALUE_USED_WHERE_NEVER_REQUIRED"> <ShortDescription>Value annotated as carrying a type qualifier used where a value that must not carry that qualifier is required</ShortDescription> <LongDescription>Value annotated as carrying type qualifier {2.simpleName} used where a value that must not carry that qualifier is required</LongDescription> <Details> <![CDATA[ <p> A value specified as carrying a type qualifier annotation is consumed in a location or locations requiring that the value not carry that annotation. </p> <p> More precisely, a value annotated with a type qualifier specifying when=ALWAYS is guaranteed to reach a use or uses where the same type qualifier specifies when=NEVER. </p> <p> For example, say that @NonNegative is a nickname for the type qualifier annotation @Negative(when=When.NEVER). The following code will generate this warning because the return statement requires a @NonNegative value, but receives one that is marked as @Negative. </p> <pre><code>public @NonNegative Integer example(@Negative Integer value) { return value; } </code></pre> ]]> </Details> </BugPattern> <BugPattern type="TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED"> <ShortDescription>Value without a type qualifier used where a value is required to have that qualifier</ShortDescription> <LongDescription>Value without a type qualifier is used in a place that requires a {2.simpleName} annotation</LongDescription> <Details> <![CDATA[ <p> A value is being used in a way that requires the value to be annotated with a type qualifier. The type qualifier is strict, so the tool rejects any values that do not have the appropriate annotation. </p> <p> To coerce a value to have a strict annotation, define an identity function where the return value is annotated with the strict annotation. This is the only way to turn a non-annotated value into a value with a strict type qualifier annotation. </p> ]]> </Details> </BugPattern> <BugPattern type="TQ_NEVER_VALUE_USED_WHERE_ALWAYS_REQUIRED"> <ShortDescription>Value annotated as never carrying a type qualifier used where value carrying that qualifier is required</ShortDescription> <LongDescription>Value annotated as never carrying type qualifier {2.simpleName} used where value carrying that qualifier is required</LongDescription> <Details> <![CDATA[ <p> A value specified as not carrying a type qualifier annotation is guaranteed to be consumed in a location or locations requiring that the value does carry that annotation. </p> <p> More precisely, a value annotated with a type qualifier specifying when=NEVER is guaranteed to reach a use or uses where the same type qualifier specifies when=ALWAYS. </p> <p> TODO: example </p> ]]> </Details> </BugPattern> <BugPattern type="TQ_MAYBE_SOURCE_VALUE_REACHES_ALWAYS_SINK"> <ShortDescription>Value that might not carry a type qualifier is always used in a way requires that type qualifier</ShortDescription> <LongDescription>Value that might not carry the {2.simpleName} annotation is always used in a way that requires that type qualifier</LongDescription> <Details> <![CDATA[ <p> A value that is annotated as possibly not being an instance of the values denoted by the type qualifier, and the value is guaranteed to be used in a way that requires values denoted by that type qualifier. </p> ]]> </Details> </BugPattern> <BugPattern type="TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK"> <ShortDescription>Value that might carry a type qualifier is always used in a way prohibits it from having that type qualifier</ShortDescription> <LongDescription>Value that might carry the {2.simpleName} annotation is always used in a way that prohibits it from having that type qualifier</LongDescription> <Details> <![CDATA[ <p> A value that is annotated as possibly being an instance of the values denoted by the type qualifier, and the value is guaranteed to be used in a way that prohibits values denoted by that type qualifier. </p> ]]> </Details> </BugPattern> <BugPattern type="TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_NEVER_SINK"> <ShortDescription>Value required to not have type qualifier, but marked as unknown</ShortDescription> <LongDescription>Value is required never be {2.simpleName}, but is explicitly annotated as unknown with regards to {2.simpleName}</LongDescription> <Details> <![CDATA[ <p> A value is used in a way that requires it to be never be a value denoted by a type qualifier, but there is an explicit annotation stating that it is not known where the value is prohibited from having that type qualifier. Either the usage or the annotation is incorrect. </p> ]]> </Details> </BugPattern> <BugPattern type="TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_ALWAYS_SINK"> <ShortDescription>Value required to have type qualifier, but marked as unknown</ShortDescription> <LongDescription>Value is required to always be {2.simpleName}, but is explicitly annotated as unknown with regards to {2.simpleName}</LongDescription> <Details> <![CDATA[ <p> A value is used in a way that requires it to be always be a value denoted by a type qualifier, but there is an explicit annotation stating that it is not known where the value is required to have that type qualifier. Either the usage or the annotation is incorrect. </p> ]]> </Details> </BugPattern> <BugPattern type="IO_APPENDING_TO_OBJECT_OUTPUT_STREAM"> <ShortDescription>Doomed attempt to append to an object output stream</ShortDescription> <LongDescription>Doomed attempt to append to an object output stream in {1}</LongDescription> <Details> <![CDATA[ <p> This code opens a file in append mode and then wraps the result in an object output stream like as follows: </p> <pre><code>OutputStream out = new FileOutputStream(anyFile, true); new ObjectOutputStream(out);</code></pre> <p> This won't allow you to append to an existing object output stream stored in a file. If you want to be able to append to an object output stream, you need to keep the object output stream open. </p> <p>The only situation in which opening a file in append mode and the writing an object output stream could work is if on reading the file you plan to open it in random access mode and seek to the byte offset where the append started. </p> ]]> </Details> </BugPattern> <BugPattern type="WL_USING_GETCLASS_RATHER_THAN_CLASS_LITERAL"> <ShortDescription>Synchronization on getClass rather than class literal</ShortDescription> <LongDescription>Synchronization on getClass rather than class literal in {1}</LongDescription> <Details> <![CDATA[ <p> This instance method synchronizes on <code>this.getClass()</code>. If this class is subclassed, subclasses will synchronize on the class object for the subclass, which isn't likely what was intended. For example, consider this code from java.awt.Label:</p> <pre><code>private static final String base = "label"; private static int nameCounter = 0; String constructComponentName() { synchronized (getClass()) { return base + nameCounter++; } } </code></pre> <p>Subclasses of <code>Label</code> won't synchronize on the same subclass, giving rise to a datarace. Instead, this code should be synchronizing on <code>Label.class</code>.</p> <pre><code>private static final String base = "label"; private static int nameCounter = 0; String constructComponentName() { synchronized (Label.class) { return base + nameCounter++; } } </code></pre> <p>Bug pattern contributed by Jason Mehrens.</p> ]]> </Details> </BugPattern> <BugPattern type="OBL_UNSATISFIED_OBLIGATION"> <ShortDescription>Method may fail to clean up stream or resource</ShortDescription> <LongDescription>{1} may fail to clean up {2}</LongDescription> <Details> <![CDATA[ <p> This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation. </p> <p> In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns. </p> <p> This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check: </p> <ul> <li><a href="https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md">contributing guideline</a></li> <li><a href="https://github.com/spotbugs/discuss/issues?q=">mailinglist</a></li> </ul> <p> In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us. </p> <p> See Weimer and Necula, <i>Finding and Preventing Run-Time Error Handling Mistakes</i> (<a href="https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf">PDF</a>), for a description of the analysis technique. </p> ]]> </Details> </BugPattern> <BugPattern type="OBL_UNSATISFIED_OBLIGATION_EXCEPTION_EDGE"> <ShortDescription>Method may fail to clean up stream or resource on checked exception</ShortDescription> <LongDescription>{1} may fail to clean up {2} on checked exception</LongDescription> <Details> <![CDATA[ <p> This method may fail to clean up (close, dispose of) a stream, database object, or other resource requiring an explicit cleanup operation. </p> <p> In general, if a method opens a stream or other resource, the method should use a try/finally block to ensure that the stream or resource is cleaned up before the method returns. </p> <p> This bug pattern is essentially the same as the OS_OPEN_STREAM and ODR_OPEN_DATABASE_RESOURCE bug patterns, but is based on a different (and hopefully better) static analysis technique. We are interested is getting feedback about the usefulness of this bug pattern. For sending feedback, check: </p> <ul> <li><a href="https://github.com/spotbugs/spotbugs/blob/master/.github/CONTRIBUTING.md">contributing guideline</a></li> <li><a href="https://github.com/spotbugs/discuss/issues?q=">mailinglist</a></li> </ul> <p> In particular, the false-positive suppression heuristics for this bug pattern have not been extensively tuned, so reports about false positives are helpful to us. </p> <p> See Weimer and Necula, <i>Finding and Preventing Run-Time Error Handling Mistakes</i> (<a href="https://people.eecs.berkeley.edu/~necula/Papers/rte_oopsla04.pdf">PDF</a>), for a description of the analysis technique. </p> ]]> </Details> </BugPattern> <BugPattern type="FB_UNEXPECTED_WARNING"> <ShortDescription>Unexpected/undesired warning from SpotBugs</ShortDescription> <LongDescription>Unexpected/undesired {2} SpotBugs warning in {1}</LongDescription> <Details> <![CDATA[ <p>SpotBugs generated a warning that, according to a <code>@NoWarning</code> annotation, is unexpected or undesired.</p> ]]> </Details> </BugPattern> <BugPattern type="FB_MISSING_EXPECTED_WARNING"> <ShortDescription>Missing expected or desired warning from SpotBugs</ShortDescription> <LongDescription>Missing expected or desired {2} SpotBugs warning in {1}</LongDescription> <Details> <![CDATA[ <p>SpotBugs didn't generate a warning that, according to an <code>@ExpectedWarning</code> annotation, is expected or desired.</p> ]]> </Details> </BugPattern> <BugPattern type="RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED"> <ShortDescription>Return value of putIfAbsent ignored, value passed to putIfAbsent reused</ShortDescription> <LongDescription>Return value of putIfAbsent is ignored, but {4} is reused in {1}</LongDescription> <Details> <![CDATA[ The <code>putIfAbsent</code> method is typically used to ensure that a single value is associated with a given key (the first value for which put if absent succeeds). If you ignore the return value and retain a reference to the value passed in, you run the risk of retaining a value that is not the one that is associated with the key in the map. If it matters which one you use and you use the one that isn't stored in the map, your program will behave incorrectly. ]]> </Details> </BugPattern> <BugPattern type="LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE"> <ShortDescription>Potential lost logger changes due to weak reference in OpenJDK</ShortDescription> <LongDescription>Changes to logger could be lost in {1}</LongDescription> <Details> <![CDATA[ <p>OpenJDK introduces a potential incompatibility. In particular, the java.util.logging.Logger behavior has changed. Instead of using strong references, it now uses weak references internally. That's a reasonable change, but unfortunately some code relies on the old behavior - when changing logger configuration, it simply drops the logger reference. That means that the garbage collector is free to reclaim that memory, which means that the logger configuration is lost. For example, consider: </p> <pre><code>public static void initLogging() throws Exception { Logger logger = Logger.getLogger("edu.umd.cs"); logger.addHandler(new FileHandler()); // call to change logger configuration logger.setUseParentHandlers(false); // another call to change logger configuration } </code></pre> <p>The logger reference is lost at the end of the method (it doesn't escape the method), so if you have a garbage collection cycle just after the call to initLogging, the logger configuration is lost (because Logger only keeps weak references).</p> <pre><code>public static void main(String[] args) throws Exception { initLogging(); // adds a file handler to the logger System.gc(); // logger configuration lost Logger.getLogger("edu.umd.cs").info("Some message"); // this isn't logged to the file as expected } </code></pre> <p><em>Ulf Ochsenfahrt and Eric Fellheimer</em></p> ]]> </Details> </BugPattern> <BugPattern type="AT_OPERATION_SEQUENCE_ON_CONCURRENT_ABSTRACTION"> <ShortDescription>Sequence of calls to concurrent abstraction may not be atomic</ShortDescription> <LongDescription>Sequence of calls to {2} may not be atomic in {1}</LongDescription> <Details> <![CDATA[ <p>This code contains a sequence of calls to a concurrent abstraction (such as a concurrent hash map). These calls will not be executed atomically. ]]> </Details> </BugPattern> <BugPattern type="DM_DEFAULT_ENCODING"> <ShortDescription>Reliance on default encoding</ShortDescription> <LongDescription>Found reliance on default encoding in {1}: {2}</LongDescription> <Details> <![CDATA[ <p> Found a call to a method which will perform a byte to String (or String to byte) conversion, and will assume that the default platform encoding is suitable. This will cause the application behavior to vary between platforms. Use an alternative API and specify a charset name or Charset object explicitly.</p> ]]> </Details> </BugPattern> <BugPattern type="NP_METHOD_PARAMETER_RELAXING_ANNOTATION"> <ShortDescription>Method tightens nullness annotation on parameter</ShortDescription> <LongDescription>Method {1} overrides the nullness annotation relaxing the ancestor method requirements on parameter.</LongDescription> <Details> <![CDATA[<p> A method should always implement the contract of a method it overrides. Thus, if a method takes a parameter that is marked as @Nullable, you shouldn't override that method in a subclass with a method where that parameter is @Nonnull. Doing so violates the contract that the method should handle a null parameter. </p>]]> </Details> </BugPattern> <BugPattern type="NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION"> <ShortDescription>Method tightens nullness annotation on parameter</ShortDescription> <LongDescription>Method {1} overrides the nullness annotation of parameter {2} in an incompatible way</LongDescription> <Details> <![CDATA[<p> A method should always implement the contract of a method it overrides. Thus, if a method takes a parameter that is marked as @Nullable, you shouldn't override that method in a subclass with a method where that parameter is @Nonnull. Doing so violates the contract that the method should handle a null parameter. </p>]]> </Details> </BugPattern> <BugPattern type="NP_METHOD_RETURN_RELAXING_ANNOTATION"> <ShortDescription>Method relaxes nullness annotation on return value</ShortDescription> <LongDescription>Method {1} overrides the return value nullness annotation in an incompatible way.</LongDescription> <Details> <![CDATA[<p> A method should always implement the contract of a method it overrides. Thus, if a method takes is annotated as returning a @Nonnull value, you shouldn't override that method in a subclass with a method annotated as returning a @Nullable or @CheckForNull value. Doing so violates the contract that the method shouldn't return null. </p>]]> </Details> </BugPattern> <BugPattern type="EOS_BAD_END_OF_STREAM_CHECK"> <ShortDescription>Data read is converted before comparison to -1</ShortDescription> <LongDescription>The return value of {2} in method {1} is converted to {3} before comparison to {4}.</LongDescription> <Details> <![CDATA[<p> The method java.io.FileInputStream.read() returns an int. If this int is converted to a byte then -1 (which indicates an EOF) and the byte 0xFF become indistinguishable, this comparing the (converted) result to -1 causes the read (probably in a loop) to end prematurely if the character 0xFF is met. Similarly, the method java.io.FileReader.read() also returns an int. If it is converted to a char then -1 becomes 0xFFFF which is Character.MAX_VALUE. Comparing the result to -1 is pointless, since characters are unsigned in Java. If the checking for EOF is the condition of a loop then this loop is infinite.</p> <p> See SEI CERT rule <a href="https://wiki.sei.cmu.edu/confluence/display/java/FIO08-J.+Distinguish+between+characters+or+bytes+read+from+a+stream+and+-1">FIO08-J. Distinguish between characters or bytes read from a stream and -1</a>. </p>]]> </Details> </BugPattern> <BugPattern type="REFLC_REFLECTION_MAY_INCREASE_ACCESSIBILITY_OF_CLASS"> <ShortDescription>Public method uses reflection to create a class it gets in its parameter which could increase the accessibility of any class</ShortDescription> <LongDescription>Public method {1} uses reflection to create a class it gets in its parameter which could increase the accessibility of any class</LongDescription> <Details> <![CDATA[ <p> <a href="https://wiki.sei.cmu.edu/confluence/display/java/SEC05-J.+Do+not+use+reflection+to+increase+accessibility+of+classes%2C+methods%2C+or+fields">SEI CERT SEC05-J</a> rule forbids the use of reflection to increase accessibility of classes, methods or fields. If a class in a package provides a public method which takes an instance of java.lang.Class as its parameter and calls its newInstance() method then it increases accessibility of classes in the same package without public constructors. An attacker code may call this method and pass such class to create an instance of it. This should be avoided by either making the method non-public or by checking for package access permission on the package. A third possibility is to use the java.beans.Beans.instantiate() method instead of java.lang.Class.newInstance() which checks whether the Class object being received has any public constructors. </p>]]> </Details> </BugPattern> <BugPattern type="REFLF_REFLECTION_MAY_INCREASE_ACCESSIBILITY_OF_FIELD"> <ShortDescription>Public method uses reflection to modify a field it gets in its parameter which could increase the accessibility of any class</ShortDescription> <LongDescription>Public method {1} uses reflection to modify a field it gets in its parameter which could increase the accessibility of any class.</LongDescription> <Details> <![CDATA[ <p> <a href="https://wiki.sei.cmu.edu/confluence/display/java/SEC05-J.+Do+not+use+reflection+to+increase+accessibility+of+classes%2C+methods%2C+or+fields">SEI CERT SEC05-J</a> rule forbids the use of reflection to increase accessibility of classes, methods or fields. If a class in a package provides a public method which takes an instance of java.lang.reflect.Field as its parameter and calls a setter (or setAccessible()) method then it increases accessibility of fields in the same package which are private, protected or package private. An attacker code may call this method and pass such field to change it. This should be avoided by either making the method non-public or by checking for package access permission on the package. </p>]]> </Details> </BugPattern> <BugPattern type="MC_OVERRIDABLE_METHOD_CALL_IN_CONSTRUCTOR"> <ShortDescription>An overridable method is called from a constructor</ShortDescription> <LongDescription>Overridable method {2} is called from constructor {1}.</LongDescription> <Details> <![CDATA[<p> Calling an overridable method during in a constructor may result in the use of uninitialized data. It may also leak the this reference of the partially constructed object. Only static, final or private methods should be invoked from a constructor.</p> <p> See SEI CERT rule <a href="https://wiki.sei.cmu.edu/confluence/display/java/MET05-J.+Ensure+that+constructors+do+not+call+overridable+methods">MET05-J. Ensure that constructors do not call overridable methods</a>. </p>]]> </Details> </BugPattern> <BugPattern type="MC_OVERRIDABLE_METHOD_CALL_IN_CLONE"> <ShortDescription>An overridable method is called from the clone() method.</ShortDescription> <LongDescription>Overridable method {2} is called from method clone() in class {0}.</LongDescription> <Details> <![CDATA[<p> Calling overridable methods from the clone() method is insecure because a subclass could override the method, affecting the behavior of clone(). It can also observe or modify the clone object in a partially initialized state. Only static, final or private methods should be invoked from the clone() method.</p> <p> See SEI CERT rule <a href="https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88487921">MET06-J. Do not invoke overridable methods in clone()</a>. </p>]]> </Details> </BugPattern> <BugPattern type="MC_OVERRIDABLE_METHOD_CALL_IN_READ_OBJECT"> <ShortDescription>An overridable method is called from the readObject method.</ShortDescription> <LongDescription>Overridable method {2} is called from readObject.</LongDescription> <Details> <![CDATA[<p> The readObject() method must not call any overridable methods. Invoking overridable methods from the readObject() method can provide the overriding method with access to the object's state before it is fully initialized. This premature access is possible because, in deserialization, readObject plays the role of object constructor and therefore object initialization is not complete until readObject exits.</p> <p> <br/> See SEI CERT rule <a href="https://wiki.sei.cmu.edu/confluence/display/java/SER09-J.+Do+not+invoke+overridable+methods+from+the+readObject%28%29+method"> SER09-J. Do not invoke overridable methods from the readObject() method</a>. </p>]]> </Details> </BugPattern> <BugPattern type="SING_SINGLETON_IMPLEMENTS_CLONEABLE"> <ShortDescription>Class using singleton design pattern directly implements Cloneable interface.</ShortDescription> <LongDescription>Class ({0}) using singleton design pattern directly implements Cloneable interface.</LongDescription> <Details> <![CDATA[ <p> If a class using singleton design pattern directly implements the Cloneable interface, it is possible to create a copy of the object, thus violating the singleton pattern.<br> Therefore, implementing the Cloneable interface should be avoided.<br><br> For more information, see: <a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects">SEI CERT MSC07-J</a>. </p>]]> </Details> </BugPattern> <BugPattern type="SING_SINGLETON_INDIRECTLY_IMPLEMENTS_CLONEABLE"> <ShortDescription>Class using singleton design pattern indirectly implements Cloneable interface.</ShortDescription> <LongDescription>Class ({0}) using singleton design pattern indirectly implements Cloneable interface.</LongDescription> <Details> <![CDATA[ <p> If a class using singleton design pattern indirectly implements the Cloneable interface, it is possible to create a copy of the object, thus violating the singleton pattern.<br> Therefore, implementing the Cloneable interface should be avoided. If that's not possible because of an extended super-class, the solution would be overriding the clone method to unconditionally throw CloneNotSupportedException.<br><br> For more information, see: <a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects">SEI CERT MSC07-J</a>. </p>]]> </Details> </BugPattern> <BugPattern type="SING_SINGLETON_IMPLEMENTS_CLONE_METHOD"> <ShortDescription>Class using singleton design pattern implements clone() method without being an unconditional CloneNotSupportedException-thrower.</ShortDescription> <LongDescription>Class ({0}) using singleton design pattern implements clone() method without being an unconditional CloneNotSupportedException-thrower.</LongDescription> <Details> <![CDATA[ <p> This class is using singleton design pattern and does not implement the Cloneable interface, but implements the clone() method without being an unconditional CloneNotSupportedException-thrower. With that, it is possible to create a copy of the object, thus violating the singleton pattern.<br> Therefore, implementing the clone method should be avoided, otherwise the solution would be overriding the clone method to unconditionally throw CloneNotSupportedException.<br><br> For more information, see: <a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects">SEI CERT MSC07-J</a>. </p>]]> </Details> </BugPattern> <BugPattern type="SING_SINGLETON_HAS_NONPRIVATE_CONSTRUCTOR"> <ShortDescription>Class using singleton design pattern has non-private constructor.</ShortDescription> <LongDescription>Class ({0}) using singleton design pattern has non-private constructor.</LongDescription> <Details> <![CDATA[ <p> This class is using singleton design pattern and has non-private constructor (please note that a default constructor might exist which is not private). Given that, it is possible to create a copy of the object, thus violating the singleton pattern.<br> The easier solution would be making the constructor private.<br><br> <a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects">SEI CERT MSC07-J</a> rule </p>]]> </Details> </BugPattern> <BugPattern type="SING_SINGLETON_IMPLEMENTS_SERIALIZABLE"> <ShortDescription>Class using singleton design pattern directly or indirectly implements Serializable interface.</ShortDescription> <LongDescription>Class ({0}) using singleton design pattern directly or indirectly implements Serializable interface.</LongDescription> <Details> <![CDATA[ <p> This class (using singleton design pattern) directly or indirectly implements the Serializable interface, which allows the class to be serialized.<br> Deserialization makes multiple instantiation of a singleton class possible, and therefore should be avoided.<br><br> <a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects">SEI CERT MSC07-J</a> rule </p>]]> </Details> </BugPattern> <BugPattern type="SING_SINGLETON_GETTER_NOT_SYNCHRONIZED"> <ShortDescription>Instance-getter method of class using singleton design pattern is not synchronized.</ShortDescription> <LongDescription>Instance-getter method of class using singleton design pattern ({0}) is not synchronized.</LongDescription> <Details> <![CDATA[ <p> Instance-getter method of class using singleton design pattern is not synchronized. When this method is invoked by two or more threads simultaneously, multiple instantiation of a singleton class becomes possible.<br><br> <a href="https://wiki.sei.cmu.edu/confluence/display/java/MSC07-J.+Prevent+multiple+instantiations+of+singleton+objects">SEI CERT MSC07-J</a> rule </p>]]> </Details> </BugPattern> <BugPattern type="SSD_DO_NOT_USE_INSTANCE_LOCK_ON_SHARED_STATIC_DATA"> <ShortDescription>Instance level lock was used on a shared static data</ShortDescription> <LongDescription>Static field "{2}" is modified by an instance level {3}.</LongDescription> <Details> <![CDATA[<p> If the lock or the synchronized method is not static, that modifies the static field, that could leave the shared static data unprotected against concurrent access. This could occur in two ways, if a synchronization method uses a non-static lock object, or a synchronized method is declared as non-static. Both ways are ineffective. Best solution is to use a private static final lock object to secure the shared static data.</p> <p> See SEI CERT rule <a href="https://wiki.sei.cmu.edu/confluence/display/java/LCK06-J.+Do+not+use+an+instance+lock+to+protect+shared+static+data"> LCK06-J. Do not use an instance lock to protect shared static data</a>. </p>]]> </Details> </BugPattern> <BugPattern type="FL_FLOATS_AS_LOOP_COUNTERS"> <ShortDescription>Do not use floating-point variables as loop counters</ShortDescription> <LongDescription>Using floating-point loop counters can lead to unexpected behavior.</LongDescription> <Details> <![CDATA[<p> Using floating-point variables should not be used as loop counters, as they are not precise, which may result in incorrect loops. A loop counter is a variable that is changed with each iteration and controls when the loop should terminate. It is decreased or increased by a fixed amount each iteration.</p> <p>See rule <a href="https://wiki.sei.cmu.edu/confluence/display/java/NUM09-J.+Do+not+use+floating-point+variables+as+loop+counters">NUM09-J</a>.</p> ]]> </Details> </BugPattern> <BugPattern type="THROWS_METHOD_THROWS_RUNTIMEEXCEPTION"> <ShortDescription>Method intentionally throws RuntimeException.</ShortDescription> <LongDescription>Method intentionally throws RuntimeException.</LongDescription> <Details> <![CDATA[ <p> Method intentionally throws RuntimeException.<br> According to the <a href="https://wiki.sei.cmu.edu/confluence/display/java/ERR07-J.+Do+not+throw+RuntimeException%2C+Exception%2C+or+Throwable">SEI CERT ERR07-J rule</a>, throwing a RuntimeException may cause errors, like the caller not being able to examine the exception and therefore cannot properly recover from it.<br> Moreover, throwing a RuntimeException would force the caller to catch RuntimeException and therefore violate the <a href="https://wiki.sei.cmu.edu/confluence/display/java/ERR08-J.+Do+not+catch+NullPointerException+or+any+of+its+ancestors">SEI CERT ERR08-J rule</a>.<br> Please note that you can derive from Exception or RuntimeException and may throw a new instance of that exception. </p>]]> </Details> </BugPattern> <BugPattern type="THROWS_METHOD_THROWS_CLAUSE_BASIC_EXCEPTION"> <ShortDescription>Method lists Exception in its throws clause.</ShortDescription> <LongDescription>Method lists Exception in its throws clause.</LongDescription> <Details> <![CDATA[ <p> Method lists Exception in its throws clause.<br> When declaring a method, the types of exceptions in the throws clause should be the most specific. Therefore, using Exception in the throws clause would force the caller to either use it in its own throws clause, or use it in a try-catch block (when it does not necessarily contain any meaningful information about the thrown exception).<br><br> For more information, see the <a href="https://wiki.sei.cmu.edu/confluence/display/java/ERR07-J.+Do+not+throw+RuntimeException%2C+Exception%2C+or+Throwable">SEI CERT ERR07-J rule</a>. </p>]]> </Details> </BugPattern> <BugPattern type="THROWS_METHOD_THROWS_CLAUSE_THROWABLE"> <ShortDescription>Method lists Throwable in its throws clause.</ShortDescription> <LongDescription>Method lists Throwable in its throws clause.</LongDescription> <Details> <![CDATA[ <p> Method lists Throwable in its throws clause.<br> When declaring a method, the types of exceptions in the throws clause should be the most specific. Therefore, using Throwable in the throws clause would force the caller to either use it in its own throws clause, or use it in a try-catch block (when it does not necessarily contain any meaningful information about the thrown exception).<br> Furthermore, using Throwable like that is semantically a bad practice, considered that Throwables include Errors as well, but by definition they occur in unrecoverable scenarios.<br><br> For more information, see the <a href="https://wiki.sei.cmu.edu/confluence/display/java/ERR07-J.+Do+not+throw+RuntimeException%2C+Exception%2C+or+Throwable">SEI CERT ERR07-J rule</a>. </p>]]> </Details> </BugPattern> <BugPattern type="PERM_SUPER_NOT_CALLED_IN_GETPERMISSIONS"> <ShortDescription>Custom class loader does not call its superclass's getPermissions()</ShortDescription> <LongDescription>Custom class loader {1} does not call its superclass's getPermissions()</LongDescription> <Details> <![CDATA[ <p> <a href="https://wiki.sei.cmu.edu/confluence/display/java/SEC07-J.+Call+the+superclass%27s+getPermissions%28%29+method+when+writing+a+custom+class+loader">SEI CERT rule SEC07-J</a> requires that custom class loaders must always call their superclass's getPermissions() method in their own getPermissions() method to initialize the object they return at the end. Omitting it means that a class defined using this custom class loader has permissions that are completely independent of those specified in the systemwide policy file. In effect, the class's permissions override them. </p> ]]> </Details> </BugPattern> <BugPattern type="USC_POTENTIAL_SECURITY_CHECK_BASED_ON_UNTRUSTED_SOURCE"> <ShortDescription>Potential security check based on untrusted source.</ShortDescription> <LongDescription>Non-final method {4} was called at {5} before entering a doPrivileged block and was also called inside the block at {6} on a non-final class instance of {3} in public method {1}. If this call is a check before entering the doPrivileged() block then it may be unreliable since the method may receive an instance of a malicious descendant of the class which has this overridden to behave differently than expected.</LongDescription> <Details> <![CDATA[<p> A public method of a public class may be called from outside the package which means that untrusted data may be passed to it. Calling a method before the doPrivileged to check its return value and then calling the same method inside the class is dangerous if the method or its enclosing class is not final. An attacker may pass an instance of a malicious descendant of the class instead of an instance of the expected one where this method is overridden in a way that it returns different values upon different invocations. For example, a method returning a file path may return a harmless path to check before entering the doPrivileged block and then a sensitive file upon the call inside the doPrivileged block. To avoid such scenario defensively copy the object received in the parameter, e.g. by using the copy constructor of the class used as the type of the formal parameter. This ensures that the method behaves exactly as expected. <p> See SEI CERT rule <a href="https://wiki.sei.cmu.edu/confluence/display/java/SEC02-J.+Do+not+base+security+checks+on+untrusted+sources">SEC02-J. Do not base security checks on untrusted sources</a>. </p>]]> </Details> </BugPattern> <BugPattern type="ASE_ASSERTION_WITH_SIDE_EFFECT"> <ShortDescription>Expression in assertion may produce a side effect</ShortDescription> <LongDescription>The expression used in assertion at {1} may produce a side effect. If assertions are disabled, the expression won't get executed and the result of the method might change.</LongDescription> <Details> <![CDATA[ <p>Expressions used in assertions must not produce side effects.</p> <p>See <https://wiki.sei.cmu.edu/confluence/display/java/EXP06-J.+Expressions+used+in+assertions+must+not+produce+side+effects><code>SEI CERT Rule EXP06</code></a> for more information. </p> ]]> </Details> </BugPattern> <BugPattern type="ASE_ASSERTION_WITH_SIDE_EFFECT_METHOD"> <ShortDescription>Method invoked in assertion may produce a side effect</ShortDescription> <LongDescription>The method called in assertion at {1} may produce a side effect. If assertions are disabled, the method invocation won't get executed and the result of the method might change.</LongDescription> <Details> <![CDATA[ <p>Expressions used in assertions must not produce side effects.</p> <p>See <https://wiki.sei.cmu.edu/confluence/display/java/EXP06-J.+Expressions+used+in+assertions+must+not+produce+side+effects><code>SEI CERT Rule EXP06</code></a> for more information. </p> ]]> </Details> </BugPattern> <BugPattern type="PA_PUBLIC_PRIMITIVE_ATTRIBUTE"> <ShortDescription>Primitive field is public</ShortDescription> <LongDescription>Primitive field {1} is public and set from inside the class, which makes it too exposed. Consider making it private to limit external accessibility.</LongDescription> <Details> <![CDATA[ <p> <a href="https://wiki.sei.cmu.edu/confluence/display/java/OBJ01-J.+Limit+accessibility+of+fields">SEI CERT rule OBJ01-J</a> requires that accessibility to fields must be limited. Otherwise, the values of the fields may be manipulated from outside the class, which may be unexpected or undesired behaviour. In general, requiring that no fields are allowed to be public is overkill and unrealistic. Even the rule mentions that final fields may be public. Besides final fields, there may be other usages for public fields: some public fields may serve as "flags" that affect the behavior of the class. Such flag fields are expected to be read by the current instance (or the current class, in case of static fields), but written by others. If a field is both written by the methods of the current instance (or the current class, in case of static fields) and from the outside, the code is suspicious. Consider making these fields private and provide appropriate setters, if necessary. Please note that constructors, initializers and finalizers are exceptions, if only they write the field inside the class, the field is not considered as written by the class itself.</p> ]]> </Details> </BugPattern> <BugPattern type="PA_PUBLIC_ARRAY_ATTRIBUTE"> <ShortDescription>Array-type field is public</ShortDescription> <LongDescription>Array-type field {1} is public, which makes it too exposed. Consider making it private to limit external accessibility.</LongDescription> <Details> <![CDATA[ <p> <a href="https://wiki.sei.cmu.edu/confluence/display/java/OBJ01-J.+Limit+accessibility+of+fields">SEI CERT rule OBJ01-J</a> requires that accessibility of fields must be limited. Making an array-type field final does not prevent other classes from modifying the contents of the array. However, in general, requiring that no fields are allowed to be public is overkill and unrealistic. There may be usages for public fields: some public fields may serve as "flags" that affect the behavior of the class. Such flag fields are expected to be read by the current instance (or the current class, in case of static fields), but written by others. If a field is both written by the methods of the current instance (or the current class, in case of static fields) and from the outside, the code is suspicious. Consider making these fields private and provide appropriate setters, if necessary. Please note that constructors, initializers and finalizers are exceptions, if only they write the field inside the class, the field is not considered as written by the class itself.</p> ]]> </Details> </BugPattern> <BugPattern type="PA_PUBLIC_MUTABLE_OBJECT_ATTRIBUTE"> <ShortDescription>Mutable object-type field is public</ShortDescription> <LongDescription>Mutable object-type field {1} is public, which makes it too exposed. Consider making it private to limit external accessibility.</LongDescription> <Details> <![CDATA[ <p> <a href="https://wiki.sei.cmu.edu/confluence/display/java/OBJ01-J.+Limit+accessibility+of+fields">SEI CERT rule OBJ01-J</a> requires that accessibility of fields must be limited. Making a mutable object-type field final does not prevent other classes from modifying the contents of the object. However, in general, requiring that no fields are allowed to be public is overkill and unrealistic. There may be usages for public fields: some public fields may serve as "flags" that affect the behavior of the class. Such flag fields are expected to be read by the current instance (or the current class, in case of static fields), but written by others. If a field is both written by the methods of the current instance (or the current class, in case of static fields) and from the outside, the code is suspicious. Consider making these fields private and provide appropriate setters, if necessary. Please note that constructors, initializers and finalizers are exceptions, if only they write the field inside the class, the field is not considered as written by the class itself. In case of object-type fields "writing" means calling methods whose name suggest modification.</p> ]]> </Details> </BugPattern> <BugPattern type="VSC_VULNERABLE_SECURITY_CHECK_METHODS"> <ShortDescription>Non-Private and non-final security check methods are vulnerable</ShortDescription> <LongDescription>The method '{1}' performs security check by using '{2}' method of Security Manager Class, but is overrideable. Declare the method final or private in order to resolve the issue. </LongDescription> <Details> <![CDATA[<p> Methods that perform security checks should be prevented from being overridden, so they must be declared as private or final. Otherwise, these methods can be compromised when a malicious subclass overrides them and omits the checks. <p> See SEI CERT rule <a href="https://wiki.sei.cmu.edu/confluence/display/java/MET03-J.+Methods+that+perform+a+security+check+must+be+declared+private+or+final">MET03-J. Methods that perform a security check must be declared private or final</a>. </p>]]> </Details> </BugPattern> <BugPattern type="AA_ASSERTION_OF_ARGUMENTS"> <ShortDescription>Assertion is used to validate an argument of a public method</ShortDescription> <LongDescription>Assertion validates method argument at {1}. If assertions are disabled, there won't be any argument validation.</LongDescription> <Details> <![CDATA[ <p>Assertions must not be used to validate arguments of public methods because the validations are not performed if assertions are disabled.</p> <p> See SEI CERT rule <a href="https://wiki.sei.cmu.edu/confluence/display/java/MET01-J.+Never+use+assertions+to+validate+method+arguments">MET01-J. Never use assertions to validate method arguments</a> for more information. </p> ]]> </Details> </BugPattern> <BugPattern type="PI_DO_NOT_REUSE_PUBLIC_IDENTIFIERS_CLASS_NAMES"> <ShortDescription>Do not reuse public identifiers from JSL as class name</ShortDescription> <LongDescription>The name of the class {0} shadows the publicly available identifier from the Java Standard Library.</LongDescription> <Details> <![CDATA[<p> It's a good practice to avoid reusing public identifiers from the Java Standard Library as class names. This is because the Java Standard Library is a part of the Java platform and is expected to be available in all Java environments. Doing so can lead to naming conflicts and confusion, making it harder to understand and maintain the code. It's best practice to choose unique and descriptive class names that accurately represent the purpose and functionality of your own code. To provide an example, let's say you want to create a class for handling dates in your application. Instead of using a common name like "Date", which conflicts with the existing java.util.Date class, you could choose a more specific and unique name like or "AppDate" or "DisplayDate". A few key points to keep in mind when choosing names as identifier: <ul> <li>Use meaningful prefixes or namespaces: Prepend a project-specific prefix or namespace to your class names to make them distinct. For example, if your project is named "MyApp", you could use "MyAppDate" as your class name.</li> <li>Use descriptive names: Opt for descriptive class names that clearly indicate their purpose and functionality. This helps avoid shadowing existing Java Standard Library identifiers. For instance, instead of "List", consider using "CustomAppList".</li> <li>Follow naming conventions: Adhere to Java's naming conventions, such as using camel case (e.g., MyClass) for class names. This promotes code readability and reduces the chances of conflicts.</li> </ul> </p> <p>See SEI CERT rule <a href="https://wiki.sei.cmu.edu/confluence/display/java/DCL01-J.+Do+not+reuse+public+identifiers+from+the+Java+Standard+Library">DCL01-J. Do not reuse public identifiers from the Java Standard Library</a>.</p> ]]> </Details> </BugPattern> <BugPattern type="PI_DO_NOT_REUSE_PUBLIC_IDENTIFIERS_FIELD_NAMES"> <ShortDescription>Do not reuse public identifiers from JSL as field name</ShortDescription> <LongDescription>Name of the field {1.name} in class {0} shadows the publicly available identifier from the Java Standard Library.</LongDescription> <Details> <![CDATA[<p> It is a good practice to avoid reusing public identifiers from the Java Standard Library as field names in your code. Doing so can lead to confusion and potential conflicts, making it harder to understand and maintain your codebase. Instead, it is recommended to choose unique and descriptive names for your fields that accurately represent their purpose and differentiate them from Standard Library identifiers. To provide an example, let's say you want to create a class for handling dates in your application. Instead of using a common name like "Date", which conflicts with the existing java.util.Date class, you could choose a more specific and unique name like or "AppDate" or "DisplayDate". For example, let's say you're creating a class to represent a car in your application. Instead of using a common name like "Component" as a field, which conflicts with the existing java.awt.Component class, you should opt for a more specific and distinct name, such as "VehiclePart" or "CarComponent". A few key points to keep in mind when choosing names as identifier: <ul> <li>Use descriptive names: Opt for descriptive field names that clearly indicate their purpose and functionality. This helps avoid shadowing existing Java Standard Library identifiers. For instance, instead of "list", consider using "myFancyList"</li> <li>Follow naming conventions: Adhere to Java's naming conventions, such as using mixed case for field names. Start with a lowercase first letter and the internal words should start with capital letters (e.g., myFieldUsesMixedCase). This promotes code readability and reduces the chances of conflicts.</li> </ul> </p> <p>See SEI CERT rule <a href="https://wiki.sei.cmu.edu/confluence/display/java/DCL01-J.+Do+not+reuse+public+identifiers+from+the+Java+Standard+Library">DCL01-J. Do not reuse public identifiers from the Java Standard Library</a>.</p> ]]> </Details> </BugPattern> <BugPattern type="PI_DO_NOT_REUSE_PUBLIC_IDENTIFIERS_METHOD_NAMES"> <ShortDescription>Do not reuse public identifiers from JSL as method name</ShortDescription> <LongDescription>The name of the method {1} shadows the publicly available identifier from the Java Standard Library.</LongDescription> <Details> <![CDATA[<p> It is a good practice to avoid reusing public identifiers from the Java Standard Library as method names in your code. Doing so can lead to confusion, potential conflicts, and unexpected behavior. To maintain code clarity and ensure proper functionality, it is recommended to choose unique and descriptive names for your methods that accurately represent their purpose and differentiate them from standard library identifiers. To provide an example, let's say you want to create a method that handles creation of a custom file in your application. Instead of using a common name like "File" for the method, which conflicts with the existing java.io.File class, you could choose a more specific and unique name like or "generateFile" or "createOutPutFile". A few key points to keep in mind when choosing names as identifier: <ul> <li>Use descriptive names: Opt for descriptive method names that clearly indicate their purpose and functionality. This helps avoid shadowing existing Java Standard Library identifiers. For instance, instead of "abs()", consider using "calculateAbsoluteValue()".</li> <li>Follow naming conventions: Adhere to Java's naming conventions, such as using mixed case for method names. Method names should be verbs, with the first letter lowercase and the first letter of each internal word capitalized (e.g. runFast()). This promotes code readability and reduces the chances of conflicts.</li> </ul> </p> <p>See SEI CERT rule <a href="https://wiki.sei.cmu.edu/confluence/display/java/DCL01-J.+Do+not+reuse+public+identifiers+from+the+Java+Standard+Library">DCL01-J. Do not reuse public identifiers from the Java Standard Library</a>.</p> ]]> </Details> </BugPattern> <BugPattern type="PI_DO_NOT_REUSE_PUBLIC_IDENTIFIERS_LOCAL_VARIABLE_NAMES"> <ShortDescription>Do not reuse public identifiers from JSL as method name</ShortDescription> <LongDescription>Variable name {2} in method {1} shadows the publicly available identifier from the Java Standard Library.</LongDescription> <Details> <![CDATA[<p> When declaring local variables in Java, it is a good practice to refrain from reusing public identifiers from the Java Standard Library. Reusing these identifiers as local variable names can lead to confusion, hinder code comprehension, and potentially cause conflicts with existing publicly available identifier names from the Java Standard Library. To maintain code clarity and avoid such issues, it is best practice to select unique and descriptive names for your local variables. To provide an example, let's say you want to store a custom font value in a variable. Instead of using a common name like "Font" for the variable name, which conflicts with the existing java.awt.Font class, you could choose a more specific and unique name like or "customFont" or "loadedFontName". A few key points to keep in mind when choosing names as identifier: <ul> <li>Use descriptive names: Opt for descriptive variable names that clearly indicate their purpose and functionality. This helps avoid shadowing existing Java Standard Library identifiers. For instance, instead of "variable", consider using "myVariableName".</li> <li>Follow naming conventions: Adhere to Java's naming conventions, such as using mixed case for variable names. Start with a lowercase first letter and the internal words should start with capital letters (e.g. myVariableName). This promotes code readability and reduces the chances of conflicts.</li> </ul> </p> <p>See SEI CERT rule <a href="https://wiki.sei.cmu.edu/confluence/display/java/DCL01-J.+Do+not+reuse+public+identifiers+from+the+Java+Standard+Library">DCL01-J. Do not reuse public identifiers from the Java Standard Library</a>.</p> ]]> </Details> </BugPattern> <BugPattern type="ENV_USE_PROPERTY_INSTEAD_OF_ENV"> <ShortDescription>It is preferable to use portable Java property instead of environment variable.</ShortDescription> <LongDescription>It is preferable to use portable Java property '{3}' instead of environment variable '{2}' in method {1}.</LongDescription> <Details> <![CDATA[<p> Environment variables are not portable, the variable name itself (not only the value) may be different depending on the running OS. Not only the names of the specific environment variables can differ (e.g. `USERNAME` in Windows and `USER` in Unix systems), but even the semantics differ, e.g. the case sensitivity (Windows being case-insensitive and Unix case-sensitive). Moreover, the Map of the environment variables returned by <code>java.lang.System.getenv()</code> and its collection views may not obey the general contract of the <code>Object.equals(java.lang.Object)</code> and <code>Object.hashCode()</code> methods. Consequently, using environment variables may have unintended side effects. Also, the visibility of environment variables is less restricted compared to Java Properties: they are visible to all descendants of the defining process, not just the immediate Java subprocess. For these reasons, even the Java API of <code>java.lang.System</code> advises to use Java properties (<code>java.lang.System.getProperty(java.lang.String)</code>) instead of environment variables (<code>java.lang.System.getenv(java.lang.String)</code>) where possible. </p> <p> If a value can be accessed through both System.getProperty() and System.getenv(), it should be accessed using the former. </p> <p> Mapping of corresponding Java System properties: <table> <tr> <th>Environment variable</th> <th>Property</th> </tr> <tr><td>JAVA_HOME</td> <td>java.home</td></tr> <tr><td>JAVA_VERSION</td> <td>java.version</td></tr> <tr><td>TEMP</td> <td>java.io.tmpdir</td></tr> <tr><td>TMP</td> <td>java.io.tmpdir</td></tr> <tr><td>PROCESSOR_ARCHITECTURE</td> <td>os.arch</td></tr> <tr><td>OS</td> <td>os.name</td></tr> <tr><td>USER</td> <td>user.name</td></tr> <tr><td>USERNAME</td> <td>user.name</td></tr> <tr><td>HOME</td> <td>user.home</td></tr> <tr><td>HOMEPATH</td> <td>user.home</td></tr> <tr><td>CD</td> <td>user.dir</td></tr> <tr><td>PWD</td> <td>user.dir</td></tr> </table> </p> <p> See SEI CERT rule <a href="https://wiki.sei.cmu.edu/confluence/display/java/ENV02-J.+Do+not+trust+the+values+of+environment+variables">ENV02-J. Do not trust the values of environment variables</a>. </p>]]> </Details> </BugPattern> <!-- ********************************************************************** BugCodes ********************************************************************** --> <BugCode abbrev="FS">Format string problem</BugCode> <BugCode abbrev="SKIPPED">Analysis skipped</BugCode> <BugCode abbrev="IL">Infinite Loop</BugCode> <BugCode abbrev="VO">Use of volatile</BugCode> <BugCode abbrev="UI">Unsafe inheritance</BugCode> <BugCode abbrev="FL">Use of floating point precision</BugCode> <BugCode abbrev="TEST">Testing prototype and incomplete bug pattern</BugCode> <BugCode abbrev="IMSE">Dubious catching of IllegalMonitorStateException</BugCode> <BugCode abbrev="CN">Bad implementation of cloneable idiom</BugCode> <BugCode abbrev="CAA">Covariant array assignment</BugCode> <BugCode abbrev="AT">Possible atomicity violation</BugCode> <BugCode abbrev="FI">Incorrect use of finalizers</BugCode> <BugCode abbrev="ES">Checking String equality using == or !=</BugCode> <BugCode abbrev="ML">Synchronization on updated field (Mutable Lock)</BugCode> <BugCode abbrev="UG">Unsynchronized get method, synchronized set method</BugCode> <BugCode abbrev="IO">Input/Output problem</BugCode> <BugCode abbrev="IC">Initialization circularity</BugCode> <BugCode abbrev="SI">Suspicious static initializer</BugCode> <BugCode abbrev="MSF">Mutable servlet field</BugCode> <BugCode abbrev="IS">Inconsistent synchronization</BugCode> <BugCode abbrev="Eq">Problems with implementation of equals()</BugCode> <BugCode abbrev="Co">Problems with implementation of compareTo()</BugCode> <BugCode abbrev="HE">Equal objects must have equal hashcodes</BugCode> <BugCode abbrev="AM">API misuse</BugCode> <BugCode abbrev="Dm">Dubious method used</BugCode> <BugCode abbrev="Bx">Questionable Boxing of primitive value</BugCode> <BugCode abbrev="UR">Uninitialized read of field in constructor</BugCode> <BugCode abbrev="RR">Method ignores results of InputStream.read()</BugCode> <BugCode abbrev="NN">Naked notify</BugCode> <BugCode abbrev="UW">Unconditional wait</BugCode> <BugCode abbrev="SP">Method spins on field</BugCode> <BugCode abbrev="DC">Double-check pattern</BugCode> <BugCode abbrev="Wa">Wait not in loop</BugCode> <BugCode abbrev="No">Using notify() rather than notifyAll()</BugCode> <BugCode abbrev="DE">Dropped or ignored exception</BugCode> <BugCode abbrev="Ru">Method invokes run()</BugCode> <BugCode abbrev="It">Incorrect definition of Iterator</BugCode> <BugCode abbrev="SnVI">Serializable class with no Version ID</BugCode> <BugCode abbrev="Se">Incorrect definition of Serializable class</BugCode> <BugCode abbrev="WS">Class's writeObject() method is synchronized but nothing else is</BugCode> <BugCode abbrev="RS">Class's readObject() method is synchronized</BugCode> <BugCode abbrev="SC">Constructor invokes Thread.start()</BugCode> <BugCode abbrev="MS">Mutable static field</BugCode> <BugCode abbrev="ME">Mutable enum field</BugCode> <BugCode abbrev="EI">Method returning array may expose internal representation</BugCode> <BugCode abbrev="Nm">Confusing method name</BugCode> <BugCode abbrev="SS">Unread field should be static</BugCode> <BugCode abbrev="UuF">Unused field</BugCode> <BugCode abbrev="UrF">Unread field</BugCode> <BugCode abbrev="UwF">Unwritten field</BugCode> <BugCode abbrev="SIC">Inner class could be made static</BugCode> <BugCode abbrev="TLW">Wait with two locks held</BugCode> <BugCode abbrev="RANGE">Range checks</BugCode> <BugCode abbrev="RV">Bad use of return value from method</BugCode> <BugCode abbrev="LG">Logger problem</BugCode> <BugCode abbrev="IA">Ambiguous invocation</BugCode> <BugCode abbrev="HSC">Huge String constants</BugCode> <BugCode abbrev="HRS">HTTP Response splitting vulnerability</BugCode> <BugCode abbrev="PT">Path traversal</BugCode> <BugCode abbrev="XSS">Cross site scripting vulnerability</BugCode> <BugCode abbrev="NP">Null pointer dereference</BugCode> <BugCode abbrev="NOISE">Bogus random warning</BugCode> <BugCode abbrev="RpC">Repeated conditional test</BugCode> <BugCode abbrev="OS">Stream not closed on all paths</BugCode> <BugCode abbrev="PZLA">Prefer zero length arrays to null to indicate no results</BugCode> <BugCode abbrev="UCF">Useless control flow</BugCode> <BugCode abbrev="RCN">Redundant comparison to null</BugCode> <BugCode abbrev="UL">Lock not released on all paths</BugCode> <BugCode abbrev="RC">Questionable use of reference equality rather than calling equals</BugCode> <BugCode abbrev="EC">Comparing incompatible types for equality</BugCode> <BugCode abbrev="MWN">Mismatched wait() or notify()</BugCode> <BugCode abbrev="SA">Useless self-operation</BugCode> <BugCode abbrev="INT">Suspicious integer expression</BugCode> <BugCode abbrev="BIT">Suspicious bitwise logical expression</BugCode> <BugCode abbrev="LI">Unsynchronized Lazy Initialization</BugCode> <BugCode abbrev="JLM">Synchronization on java.util.concurrent objects</BugCode> <BugCode abbrev="UPM">Private method is never called</BugCode> <BugCode abbrev="UMAC">Uncallable method of anonymous class</BugCode> <BugCode abbrev="EI2">Storing reference to mutable object</BugCode> <BugCode abbrev="NS">Suspicious use of non-short-circuit boolean operator</BugCode> <BugCode abbrev="ODR">Database resource not closed on all paths</BugCode> <BugCode abbrev="SBSC">String concatenation in loop using + operator</BugCode> <BugCode abbrev="IIL">Inefficient code which can be moved outside of the loop</BugCode> <BugCode abbrev="IIO">Inefficient use of String.indexOf(String) or String.lastIndexOf(String)</BugCode> <BugCode abbrev="ITA">Inefficient use of collection.toArray(new Foo[0])</BugCode> <BugCode abbrev="SW">Swing coding rules</BugCode> <BugCode abbrev="IJU">Improperly implemented JUnit TestCase</BugCode> <BugCode abbrev="BOA">Badly Overridden Adapter</BugCode> <BugCode abbrev="SF">Switch case falls through</BugCode> <BugCode abbrev="SIO">Superfluous instanceof</BugCode> <BugCode abbrev="BAC">Bad Applet Constructor</BugCode> <BugCode abbrev="UOE">Use Object Equals</BugCode> <BugCode abbrev="STI">Suspicious Thread Interrupted</BugCode> <BugCode abbrev="DLS">Dead local store</BugCode> <BugCode abbrev="IP">Ignored parameter</BugCode> <BugCode abbrev="MF">Masked Field</BugCode> <BugCode abbrev="WMI">Inefficient Map Iterator</BugCode> <BugCode abbrev="ISC">Instantiated Static Class</BugCode> <BugCode abbrev="DCN">Don't Catch NullPointer Exception</BugCode> <BugCode abbrev="REC">RuntimeException capture</BugCode> <BugCode abbrev="FE">Test for floating point equality</BugCode> <BugCode abbrev="UM">Unnecessary Math on constants</BugCode> <BugCode abbrev="UC">Useless code</BugCode> <BugCode abbrev="CNT">Rough value of known constant</BugCode> <BugCode abbrev="CD">Circular Dependencies</BugCode> <BugCode abbrev="RI">Redundant Interfaces</BugCode> <BugCode abbrev="MTIA">Multithreaded Instance Access</BugCode> <BugCode abbrev="PS">Public Semaphores</BugCode> <BugCode abbrev="BSHIFT">Bad shift</BugCode> <BugCode abbrev="ICAST">Casting from integer values</BugCode> <BugCode abbrev="RE">Regular expressions</BugCode> <BugCode abbrev="SQL">Potential SQL Problem</BugCode> <BugCode abbrev="WL">Possible locking on wrong object</BugCode> <BugCode abbrev="ESync">Empty Synchronized blocks</BugCode> <BugCode abbrev="QF">Questionable for loops</BugCode> <BugCode abbrev="VA">Vararg problems</BugCode> <BugCode abbrev="BC">Bad casts of object references</BugCode> <BugCode abbrev="IM">Questionable integer math</BugCode> <BugCode abbrev="ST">Misuse of static fields</BugCode> <BugCode abbrev="JCIP">Violation of net.jcip annotations</BugCode> <BugCode abbrev="USELESS_STRING">Useless/non-informative string generated</BugCode> <BugCode abbrev="DMI">Dubious method invocation</BugCode> <BugCode abbrev="PZ">Warning inspired by Joshua Bloch's and Neal Gafter's Programming Puzzlers</BugCode> <BugCode abbrev="SWL">Sleep with lock held</BugCode> <BugCode abbrev="J2EE">J2EE error</BugCode> <BugCode abbrev="DB">Duplicate Branches</BugCode> <BugCode abbrev="IMA">Inefficient Member Access</BugCode> <BugCode abbrev="XFB">XML Factory Bypass</BugCode> <BugCode abbrev="USM">Useless Subclass Method</BugCode> <BugCode abbrev="CI">Confused Inheritance</BugCode> <BugCode abbrev="QBA">Questionable Boolean Assignment</BugCode> <BugCode abbrev="VR">Version compatibility issue</BugCode> <BugCode abbrev="DP">Use doPrivileged</BugCode> <BugCode abbrev="GC">Suspicious calls to generic collection methods</BugCode> <BugCode abbrev="STCAL">Static use of type Calendar or DateFormat</BugCode> <BugCode abbrev="TQ">Inconsistent use of type qualifier annotations</BugCode> <BugCode abbrev="OBL">Unsatisfied obligation to clean up stream or resource</BugCode> <BugCode abbrev="FB">SpotBugs did not produce the expected warnings on a method</BugCode> <BugCode abbrev="DL">Unintended contention or possible deadlock due to locking on shared objects</BugCode> <BugCode abbrev="JUA">Problems in JUnit Assertions</BugCode> <BugCode abbrev="EOS">Bad End of Stream check</BugCode> <BugCode abbrev="REFLC">Reflection increasing accessibility of classes</BugCode> <BugCode abbrev="REFLF">Reflection increasing accessibility of fields</BugCode> <BugCode abbrev="MC">Dangerous call to overridable method</BugCode> <BugCode abbrev="CT">Constructor throws</BugCode> <BugCode abbrev="SSD">Do not use an instance lock to protect shared static data</BugCode> <BugCode abbrev="SING">Singleton problems</BugCode> <BugCode abbrev="THROWS">Exception throwing related problems</BugCode> <BugCode abbrev="PERM">Custom class loader does not call its superclass's getPermissions()</BugCode> <BugCode abbrev="USC">Potential security check based on untrusted source</BugCode> <BugCode abbrev="ASE">Assertion with side effect</BugCode> <BugCode abbrev="PA">Public Attribute</BugCode> <BugCode abbrev="VSC">Vulnerable security check performing methods</BugCode> <BugCode abbrev="AA">Misuse of assertions for checking arguments of public methods</BugCode> <BugCode abbrev="PI">Do not reuse public identifiers from Java Standard Library</BugCode> <BugCode abbrev="ENV">Environment variable is used instead of the corresponding Java property</BugCode> </MessageCollection>