EVERYTHING ABOUT STATIC CODE ANALYSIS FOR A JAVA PROGRAMMER
Download as pptx, pdf1 like226 views
Static code analysis tools can analyze Java programs to find defects without executing the code. They use techniques like pattern matching, type inference, data flow analysis and symbolic execution. PVS-Studio is a static analysis tool for Java that was created using lessons from a C++ analyzer. It finds bugs like integer divisions by zero, dead code, copy-paste errors and other defects. Integrating static analysis into development processes helps improve code quality over time by detecting and fixing issues early.
{
return v1.Max(v2);
}
)
11](https://image.slidesharecdn.com/2e-190626171104/85/EVERYTHING-ABOUT-STATIC-CODE-ANALYSIS-FOR-A-JAVA-PROGRAMMER-11-320.jpg)
![Method annotations
int test(int a, int b) {
Math.max(a, b); //1
if (a > 5 && b < 2) {
// a = [6..INT_MAX]
// b = [INT_MIN..1]
if (Math.max(a, b) > 0) //2
{...}
}
return Math.max(a, a); //3
}
12](https://image.slidesharecdn.com/2e-190626171104/85/EVERYTHING-ABOUT-STATIC-CODE-ANALYSIS-FOR-A-JAVA-PROGRAMMER-12-320.jpg)
![Data-flow analysis
void func(int x) // x: [-2147483648..2147483647] //1
{
if (x > 3)
{
// x: [4..2147483647] //2
if (x < 10)
{
// x: [4..9] //3
}
}
else
{
// x: [-2147483648..3] //4
}
}
13](https://image.slidesharecdn.com/2e-190626171104/85/EVERYTHING-ABOUT-STATIC-CODE-ANALYSIS-FOR-A-JAVA-PROGRAMMER-13-320.jpg)
![Integer division
private static boolean checkSentenceCapitalization(@NotNull String value) {
List<String> words = StringUtil.split(value, " ");
....
int capitalized = 1;
....
return capitalized / words.size() < 0.2; // allow reasonable amount of
// capitalized words
}
V6011 [CWE-682] The '0.2' literal of the 'double' type is compared to a value of the 'int' type.
TitleCapitalizationInspection.java 169
IntelliJ IDEA
27](https://image.slidesharecdn.com/2e-190626171104/85/EVERYTHING-ABOUT-STATIC-CODE-ANALYSIS-FOR-A-JAVA-PROGRAMMER-27-320.jpg)
![Always false
PVS-Studio: V6007 [CWE-570] Expression '"0".equals(text)' is always false. ConvertIntegerToDecimalPredicate.java 46
IntelliJ IDEA
public boolean satisfiedBy(@NotNull PsiElement element) {
....
@NonNls final String text = expression.getText().replaceAll("_", "");
if (text == null || text.length() < 2) {
return false;
}
if ("0".equals(text) || "0L".equals(text) || "0l".equals(text)) {
return false;
}
return text.charAt(0) == '0';
}
28](https://image.slidesharecdn.com/2e-190626171104/85/EVERYTHING-ABOUT-STATIC-CODE-ANALYSIS-FOR-A-JAVA-PROGRAMMER-28-320.jpg)
![Unexpected number of iterations
public static String getXMLType(@WillNotClose InputStream in) throws
IOException
{
....
String s;
int count = 0;
while (count < 4) {
s = r.readLine();
if (s == null) {
break;
}
Matcher m = tag.matcher(s);
if (m.find()) {
return m.group(1);
}
}
....
}
29
SpotBugs
V6007 [CWE-571] Expression 'count < 4' is always true. Util.java 394](https://image.slidesharecdn.com/2e-190626171104/85/EVERYTHING-ABOUT-STATIC-CODE-ANALYSIS-FOR-A-JAVA-PROGRAMMER-29-320.jpg)
![Duplicates
V6033 [CWE-462] An item with the same key 'JavaPunctuator.PLUSEQU' has already been added. Check lines: 104, 100.
KindMaps.java 104
SonarJava
private final Map<JavaPunctuator, Tree.Kind> assignmentOperators =
Maps.newEnumMap(JavaPunctuator.class);
public KindMaps() {
....
assignmentOperators.put(JavaPunctuator.PLUSEQU, Tree.Kind.PLUS_ASSIGNMENT);
....
assignmentOperators.put(JavaPunctuator.PLUSEQU, Tree.Kind.PLUS_ASSIGNMENT);
....
}
31](https://image.slidesharecdn.com/2e-190626171104/85/EVERYTHING-ABOUT-STATIC-CODE-ANALYSIS-FOR-A-JAVA-PROGRAMMER-31-320.jpg)
EVERYTHING ABOUT STATIC CODE ANALYSIS FOR A JAVA PROGRAMMER
- 1. EVERYTHING ABOUT STATIC CODE ANALYSIS FOR A JAVA PROGRAMMER Maxim Stefanov PVS-Studio, C++/Java developer, Tula 1
- 2. About the speaker • Maxim Stefanov ([email protected]) • C++/Java developer in the PVS-Studio company • Activities: • Taking part in developing the C++ analyser core • Taking part in developing the Java analyzer 2
- 3. We’re going to talk about... • Theory • Code quality (bugs, vulnerabilities) • Methodologies of code protection against defects • Code Review • Static analysis and everything related to it • Tools • Existing tools of static analysis • SonarQube • PVS-Studio for Java what is it? • Several detected examples of code with defects • More about static analysis • Conclusions 3
- 4. Why we need to concern about code quality • Don’t let technical debt accrue, if a project is green • Don’t lose users, if a project already has a history 4
- 5. Cost of fixing a defect From the book by C. McConnell "Code Complete" 5
- 6. Methods to provide the code of high quality 6
- 7. Static code analysis Pros Cons Detects defects before code reviewing You cannot detect high level errors The analyser doesn’t get tired and is ready to work anytime False positives You can find some errors not knowing about such patterns You can detect errors that are difficult to notice when reviewing code 7
- 8. Technologies used in static analysis •Pattern-based analysis •Type inference •Data-flow analysis •Symbolic execution •Method annotations 8
- 9. Pattern-based analysis @Override public boolean equals(Object obj) { .... return index.equals(other.index) && type.equals(other.type) && version == other.version && found == other.found && tookInMillis == tookInMillis && Objects.equals(terms, other.terms); } 9
- 10. Type inference interface Human { ... } class Parent implements Human{ ... } class Child extends Parent { ... } ... class Animal { ... } ... boolean someMethod(List<Child> list, Animal animal) { if (list.remove(animal)) return false; ... } 10
- 11. Method annotations Class("java.lang.Math") - Function("max", Type::Int32, Type::Int32) .Pure() .Set(FunctionClassification::NoDiscard) .Requires(NotEquals(Arg1, Arg2)) .Returns(Arg1, Arg2, [](const Int &v1, const Int &v2) { return v1.Max(v2); } ) 11
- 12. Method annotations int test(int a, int b) { Math.max(a, b); //1 if (a > 5 && b < 2) { // a = [6..INT_MAX] // b = [INT_MIN..1] if (Math.max(a, b) > 0) //2 {...} } return Math.max(a, a); //3 } 12
- 13. Data-flow analysis void func(int x) // x: [-2147483648..2147483647] //1 { if (x > 3) { // x: [4..2147483647] //2 if (x < 10) { // x: [4..9] //3 } } else { // x: [-2147483648..3] //4 } } 13
- 14. Symbolic execution int someMethod(int A, int B) { if (A == B) return 10 / (A - B); return 1; } 14
- 16. SonarQube: who, what and why • Platform with open source code for continuous analysis and estimating the code quality • Contains a number of analyzers for various languages • Allows to integrate third-party analyzers • Clearly demonstrates quality of your project 16
- 21. Story of creating PVS-Studio for Java • Java is a popular language • Wide implementation area of the language • We could use mechanisms from the C++ analyzer (data-flow analysis, method annotations) 21
- 23. Spoon for getting a syntax tree and semantic model Spoon transforms the code in the metamodel: class TestClass { void test(int a, int b) { int x = (a + b) * 4; System.out.println(x); } } 23 Analyzer internals
- 24. Data-flow analysis, method annotations - usage of mechanisms from the C++ analyzer using SWIG 24 Analyzer internals
- 25. Diagnostic rule is a visitor with overloaded methods. Inside the methods the items that are of interest for us are traversed along the tree. 25 Analyzer internals
- 26. Several examples of errors, found using PVS-Studio 26
- 27. Integer division private static boolean checkSentenceCapitalization(@NotNull String value) { List<String> words = StringUtil.split(value, " "); .... int capitalized = 1; .... return capitalized / words.size() < 0.2; // allow reasonable amount of // capitalized words } V6011 [CWE-682] The '0.2' literal of the 'double' type is compared to a value of the 'int' type. TitleCapitalizationInspection.java 169 IntelliJ IDEA 27
- 28. Always false PVS-Studio: V6007 [CWE-570] Expression '"0".equals(text)' is always false. ConvertIntegerToDecimalPredicate.java 46 IntelliJ IDEA public boolean satisfiedBy(@NotNull PsiElement element) { .... @NonNls final String text = expression.getText().replaceAll("_", ""); if (text == null || text.length() < 2) { return false; } if ("0".equals(text) || "0L".equals(text) || "0l".equals(text)) { return false; } return text.charAt(0) == '0'; } 28
- 29. Unexpected number of iterations public static String getXMLType(@WillNotClose InputStream in) throws IOException { .... String s; int count = 0; while (count < 4) { s = r.readLine(); if (s == null) { break; } Matcher m = tag.matcher(s); if (m.find()) { return m.group(1); } } .... } 29 SpotBugs V6007 [CWE-571] Expression 'count < 4' is always true. Util.java 394
- 30. We can’t go on without Copy-Paste public class RuleDto { .... private final RuleDefinitionDto definition; private final RuleMetadataDto metadata; .... private void setUpdatedAtFromDefinition(@Nullable Long updatedAt) { if (updatedAt != null && updatedAt > definition.getUpdatedAt()) { setUpdatedAt(updatedAt); } } private void setUpdatedAtFromMetadata(@Nullable Long updatedAt) { if (updatedAt != null && updatedAt > definition.getUpdatedAt()) { setUpdatedAt(updatedAt); } } .... } 30 SonarQube V6032 It is odd that the body of method 'setUpdatedAtFromDefinition' is fully equivalent to the body of another method 'setUpdatedAtFromMetadata'. Check lines: 396, 405. RuleDto.java 396
- 31. Duplicates V6033 [CWE-462] An item with the same key 'JavaPunctuator.PLUSEQU' has already been added. Check lines: 104, 100. KindMaps.java 104 SonarJava private final Map<JavaPunctuator, Tree.Kind> assignmentOperators = Maps.newEnumMap(JavaPunctuator.class); public KindMaps() { .... assignmentOperators.put(JavaPunctuator.PLUSEQU, Tree.Kind.PLUS_ASSIGNMENT); .... assignmentOperators.put(JavaPunctuator.PLUSEQU, Tree.Kind.PLUS_ASSIGNMENT); .... } 31
- 32. How to integrate static analysis in the process of software development • Each developer has a static analysis tool on his machine • Analysis of the entire code base during the night builds. When suspicious code is found - all guilty ones get mails. 32
- 33. How to start using static analysis tools on large projects and not to lose heart 1. Check the project 2. Specify that all issued warnings are not interesting for us yet. Place the warnings in a special suppression file 3. Upload the file with markup in the version control system 4. Run the analyser and get warnings only for the newly written or modified code 5. PROFIT! 33
- 34. Conclusions • Static analysis – additional methodology, not a «silver bullet» • Static analysis has to be used regularly • You can immediately start using the analysis and postpone fixing of old errors • Competition is a key to progress 34
Editor's Notes
- #3: Добрый день. Меня зовут Максим. Я разработчик в компании PVS-Studio, которая занимается разработкой статического анализатора для языков программирования C/C++/C#/Java. Сегодня я хочу вам рассказать, что статический анализ кода является такой же неотъемлемой частью разработки как, например, Code Review, тестирование.