Did you know that the bug search tools in Java code have bugs too?

PVS-Studio development doesn’t stand still: the team is constantly monitoring new trends in programming and working on further development of the analyzer. The biggest feature added to the analyzer is support for Java. Java is widely used today, and it was one of the candidates when we were considering which language to support next. The team has made the most popular ways of integrating the analyzer into a build system available to users: plugins for Maven, Gradle, and IntelliJ IDEA. However, this is just the beginning; there are many ideas for further improvements in this area.

In 2018, the team also actively worked on the C++ and C# analyzers and released a new version of PVS-Studio. C++ (and C#) analyzer warnings were classified according to the Common Weakness Enumeration (CWE). The PVS-Studio static code analyzer can now also classify its warnings according to the MISRA C and MISRA C++ standards, which became relevant as support for various embedded systems was developed. The documentation has also undergone big changes: the improvements focused on writing more general and easier-to-understand instructions for working on different systems.

Of course, the developers couldn’t resist testing the new version of the analyzer, and checked open-source projects such as IntelliJ IDEA, SpotBugs, SonarQube, and SonarJava. Here are some of the examples.

private static boolean checkSentenceCapitalization(@NotNull String value) {
  List<String> words = StringUtil.split(value, " ");
  ....
  int capitalized = 1;
  ....
  return capitalized / words.size() < 0.2; // allow reasonable amount of
                                           // capitalized words
}

The idea is that the function should return true if fewer than 20% of the words begin with a capital letter. In fact, the check does not work, because the division is integer division: capitalized and words.size() are both int, so the quotient can take only two values, 0 or 1.

The function will return false only if all words begin with a capital letter. In all other cases, the division yields 0 and the function returns true.

Here is another interesting example:

public synchronized boolean isIdentifier(@NotNull String name,
                                         final Project project) {
  if (!StringUtil.startsWithChar(name,'\'') &&
      !StringUtil.startsWithChar(name,'\"')) {
    name = "\"" + name;
  }
  if (!StringUtil.endsWithChar(name,'"') &&
      !StringUtil.endsWithChar(name,'\"')) {
    name += "\"";
  }
  ....
}

This code fragment checks that the name is enclosed in either single or double quotation marks. If it is not, double quotation marks are added automatically.

Due to a typo, the end of the name is checked only for a double quotation mark (both conditions test for '"'). As a result, a name in single quotation marks is processed incorrectly.

The name

'Abcd'

will, because an extra double quote is appended, turn into:

'Abcd'"
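Both defects described above, reproduced side by side with corrected versions, as an added example that is not code from the article or from IntelliJ IDEA. The StringUtil helpers are replaced by standard-library calls, and the capitalized-word count is computed directly rather than starting at 1 as in the original fragment (both are assumptions of this example).

```java
import java.util.Arrays;
import java.util.List;

public class QuoteAndCaseBugs {

    // Buggy: int / int yields only 0 or 1, so "< 0.2" is false only when every word is capitalized.
    static boolean checkSentenceCapitalizationBuggy(String value) {
        List<String> words = Arrays.asList(value.split(" "));
        int capitalized = countCapitalized(words);
        return capitalized / words.size() < 0.2;
    }

    // Fixed: promote to double before dividing so the 20% threshold is really applied.
    static boolean checkSentenceCapitalizationFixed(String value) {
        List<String> words = Arrays.asList(value.split(" "));
        int capitalized = countCapitalized(words);
        return (double) capitalized / words.size() < 0.2;
    }

    // Hypothetical helper: counts words whose first character is upper case.
    private static int countCapitalized(List<String> words) {
        int n = 0;
        for (String w : words) {
            if (!w.isEmpty() && Character.isUpperCase(w.charAt(0))) n++;
        }
        return n;
    }

    // Buggy: both endsWith checks look for '"', so a name in single quotes gets a stray '"' appended.
    static String quoteBuggy(String name) {
        if (!name.startsWith("'") && !name.startsWith("\"")) name = "\"" + name;
        if (!name.endsWith("\"") && !name.endsWith("\"")) name += "\"";
        return name;
    }

    // Fixed: the second check tests for the single quote, mirroring the startsWith pair.
    static String quoteFixed(String name) {
        if (!name.startsWith("'") && !name.startsWith("\"")) name = "\"" + name;
        if (!name.endsWith("\"") && !name.endsWith("'")) name += "\"";
        return name;
    }

    public static void main(String[] args) {
        String mostlyCaps = "Half Of These Words Are capitalized but not these"; // 5 of 9 words
        System.out.println(checkSentenceCapitalizationBuggy(mostlyCaps)); // true  (5/9 == 0 in int math)
        System.out.println(checkSentenceCapitalizationFixed(mostlyCaps)); // false (0.55 >= 0.2)
        System.out.println(quoteBuggy("'Abcd'"));                          // 'Abcd'"
        System.out.println(quoteFixed("'Abcd'"));                          // 'Abcd'
    }
}
```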

Read more about other errors in Java code here: https://www.viva64.com/en/b/0603/

Beyond all this, the PVS-Studio team prepared a nice New Year’s gift for those who develop open-source projects: all contributors to such projects hosted on GitHub or Bitbucket are granted free use of the static code analyzer.

The post Did you know that the bug search tools in Java code have bugs too? appeared first on The Crazy Programmer.



from The Crazy Programmer https://www.thecrazyprogrammer.com/2019/01/did-you-know-that-the-bug-search-tools-in-java-code-have-bugs-too.html
