The PVS-Studio development doesn’t stand still – the team is always monitoring new trends in programming and working hard on further analyzer development. The biggest feature that appeared in the analyzer is support for Java. It is a widely used one today, and it was one of the candidates when we were considering which language to choose next. The team made available the most popular ways of the analyzer integration in the build system for the users: plugins for Maven, Gradle, and IntelliJ IDEA. However, this is just the beginning – there are a lot of ideas on further improvements in this area.
In 2018, the team was also actively working on C++ and C# analyzer development and had released a new version of the PVS-Studio. C++ (and C#) analyzer warnings were classified according to the Common Weakness Enumeration (CWE). A PVS-Studio static code analyzer has become able to classify its warnings according to MISRA C and MISRA C++ standards. It has become relevant in relation to the development of support for various embedded systems. Documentation has also undergone big changes: all improvements have been focused on writing more common and easy-to-understand instructions for working on different systems.
Of course, the developers couldn’t help testing the new version of the analyzer and have checked open projects such as IntelliJ IDEA, SpotBugs, SonarQube, и SonarJava. Here are some of the examples.
private static boolean checkSentenceCapitalization(@NotNull String value) { List<String> words = StringUtil.split(value, " "); .... int capitalized = 1; .... return capitalized / words.size() < 0.2; // allow reasonable amount of // capitalized words }
The point was that the function should return true if less than 20% of the words begin with a capital letter. Actually, the check is not working, because integer division occurs. As a result of division, we can obtain only two values: 0 or 1.
The function will return false, only if all words begin with a capital letter. In all other cases, division operation will result in 0 and the function will return true.
Here is another interesting example:
public synchronized boolean isIdentifier(@NotNull String name, final Project project) { if (!StringUtil.startsWithChar(name,'\'') && !StringUtil.startsWithChar(name,'\"')) { name = "\"" + name; } if (!StringUtil.endsWithChar(name,'"') && !StringUtil.endsWithChar(name,'\"')) { name += "\""; } .... }
This code fragment checks that the name is enclosed in either single or double quotation marks. If it’s not so, double quotation marks are added automatically.
Due to a typo, the end of the name is checked only for the presence of double quotation marks. As a result, the name in single quotation marks will be processed incorrectly.
The name
‘Abcd’
due to adding extra double quotes will turn into:
‘Abcd'”
Read more about other errors in Java code here: https://www.viva64.com/en/b/0603/
Beyond all this, the PVS-Studio team made a nice New Year’s gift for those who develops open source projects. All the contributors of such projects hosted on GitHub or Bitbucket are given free usage of the static code analyzer.
The post Did you know that the bug search tools in Java code have bugs too? appeared first on The Crazy Programmer.
No comments:
Post a Comment