1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>FindBugs Change Log</title>
<link rel="stylesheet" type="text/css" href="findbugs.css">
</head>
<body>
<table width="100%">
<tr>
<td bgcolor="#b9b9fe" valign="top" align="left" width="20%">
<table width="100%" cellspacing="0" border="0">
<tr><td><a class="sidebar" href="index.html"><img src="umdFindbugs.png" alt="FindBugs"></a></td></tr>
<tr><td> </td></tr>
<tr><td><b>Docs and Info</b></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="findbugs2.html">FindBugs 2.0</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="demo.html">Demo and data</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="users.html">Users and supporters</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="http://findbugs.blogspot.com/">FindBugs blog</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="factSheet.html">Fact sheet</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="manual/index.html">Manual</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="ja/manual/index.html">Manual(ja/日本語)</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="FAQ.html">FAQ</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="bugDescriptions.html">Bug descriptions</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="mailingLists.html">Mailing lists</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="publications.html">Documents and Publications</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="links.html">Links</a></font></td></tr>
<tr><td> </td></tr>
<tr><td><a class="sidebar" href="downloads.html"><b>Downloads</b></a></td></tr>
<tr><td> </td></tr>
<tr><td><a class="sidebar" href="http://www.cafeshops.com/findbugs"><b>FindBugs Swag</b></a></td></tr>
<tr><td> </td></tr>
<tr><td><b>Development</b></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="http://sourceforge.net/tracker/?group_id=96405">Open bugs</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="reportingBugs.html">Reporting bugs</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="contributing.html">Contributing</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="team.html">Dev team</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="api/index.html">API</a> <a class="sidebar" href="api/overview-summary.html">[no frames]</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="Changes.html">Change log</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="http://sourceforge.net/projects/findbugs">SF project page</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="http://code.google.com/p/findbugs/source/browse/">Browse source</a></font></td></tr>
<tr><td><font size="-1"><a class="sidebar" href="http://code.google.com/p/findbugs/source/list">Latest code changes</a></font></td></tr>
</table>
</td>
<td align="left" valign="top">
<h1>FindBugs Change Log, Version 2.0.3</h1>
<ul>
<li>New Bug patterns: <a
href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_BOXED_PRIMITIVE_FOR_PARSING">DM_BOXED_PRIMITIVE_FOR_PARSING</a>,
<a
href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_METHOD_RETURN_RELAXING_ANNOTATION">NP_METHOD_RETURN_RELAXING_ANNOTATION</a>,
and
<a
href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION">NP_METHOD_PARAMETER_TIGHTENS_ANNOTATION</a>
</li>
<li>Add the ability in the GUI to save the currently viewable/filtered bugs to HTML output.
<li>When dataflow does't terminate, make sure we continue with
analysis.
<li>Fix some problems that resulting in dataflow analysis not
terminating
<li>Get parameter annotations from default parameters
annotations applied to the method.
<li>Add subversion change number to eclipse plugin qualifier.
<li>Disabled detector for <a
href="http://findbugs.sourceforge.net/bugDescriptions.html#AM_CREATES_EMPTY_JAR_FILE_ENTRY">AM_CREATES_EMPTY_JAR_FILE_ENTRY</a>;
it complaints inappropriately about code that creates directory
entries.
<li>Add warnings about incompatible types passed to
org.testng.Assert.assertEquals</li>
<li>Add logic that understands more of the Google Guava APIs.
<li>Disable type qualifier validator execution within Eclipse plugin;
too many problems with class loading and security manager (see #1154 Random obscure Eclipse failures)
<li>Consistently check both access flags and attributes to see if something is synthetic. Compiler is
inconsistent about where synthetic elements are marked.
<li>Fixed false positives for the following bug patterns (17
occurrences in findbugsTestCases):
<ul>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#BC">BC</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_INSTANCEOF">BC_IMPOSSIBLE_INSTANCEOF</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#INT_BAD_COMPARISON_WITH_NONNEGATIVE_VALUE">INT_BAD_COMPARISON_WITH_NONNEGATIVE_VALUE</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#IS2_INCONSISTENT_SYNC">IS2_INCONSISTENT_SYNC</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS">NP_NULL_PARAM_DEREF_ALL_TARGETS_DANGEROUS</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#OBL_UNSATISFIED_OBLIGATION">OBL_UNSATISFIED_OBLIGATION</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE">RCN_REDUNDANT_NULLCHECK_OF_NULL_VALUE</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#SA_FIELD_SELF_COMPARISON">SA_FIELD_SELF_COMPARISON</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED">TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED</a>
</li>
</ul>
<li>Fixed false negatives for the following bug patterns (45
occurrences in findbugsTestCases):
<ul>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_NUMBER_CTOR">DM_NUMBER_CTOR</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_ARRAY_AND_NONARRAY">EC_ARRAY_AND_NONARRAY</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE">EC_INCOMPATIBLE_ARRAY_COMPARE</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#IS_FIELD_NOT_GUARDED">IS_FIELD_NOT_GUARDED</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#IT_NO_SUCH_ELEMENT">IT_NO_SUCH_ELEMENT</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS">JCIP_FIELD_ISNT_FINAL_IN_IMMUTABLE_CLASS</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_ON_SOME_PATH">NP_NULL_ON_SOME_PATH</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_PARAM_VIOLATION">NP_NONNULL_PARAM_VIOLATION</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE">NP_NULL_ON_SOME_PATH_FROM_RETURN_VALUE</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE">NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_STORE_INTO_NONNULL_FIELD">NP_STORE_INTO_NONNULL_FIELD</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#RE_POSSIBLE_UNINTENDED_PATTERN">RE_POSSIBLE_UNINTENDED_PATTERN</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#SA_FIELD_SELF_COMPARISON">SA_FIELD_SELF_COMPARISON</a>
</ul>
</ul>
<h1>FindBugs Change Log, Version 2.0.2</h1>
<ul>
<li>Fix false positions for <a
href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR">NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR</a>
- fixing <a
href="https://sourceforge.net/tracker/?func=detail&aid=3547559&group_id=96405&atid=614693">Bug3547559</a>,
<a
href="https://sourceforge.net/tracker/?func=detail&aid=3555408&group_id=96405&atid=614693">Bug3555408</a>,
<a
href="https://sourceforge.net/tracker/?func=detail&aid=3580266&group_id=96405&atid=614693">Bug3580266</a>
and <a
href="https://sourceforge.net/tracker/?func=detail&aid=3587164&group_id=96405&atid=614693">Bug3587164</a>.
</li>
<li>Fix false positives for <a
href="http://findbugs.sourceforge.net/bugDescriptions.html#SF_SWITCH_NO_DEFAULT">SF_SWITCH_NO_DEFAULT</a>
<li>Inline access methods for private fields,
fixing false positive in <a
href="https://sourceforge.net/tracker/?func=detail&aid=3484713&group_id=96405&atid=614693">Bug3484713</a>.
<li>Type qualifier annotations, including nullness
annotations, are now ignored on vararg parameters (including
default and inherited annotations), awaiting JSR308.
<li>Defined new bug pattern to give better explanations of
issues involving strict type qualifiers <a
href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED">TQ_UNKNOWN_VALUE_USED_WHERE_ALWAYS_STRICTLY_REQUIRED</a>
<li>Adjusted analysis of type qualifiers, now giving warnings
where a computed value is used in a place where a value with a
strict type qualifier is required.
<li>Complain about missing classes only if they are
encountered while analyzing application classes; ignore missing
classes that are encounted while analyzing classes loaded from the
auxclasspath. Fix for <a
href="https://sourceforge.net/tracker/?func=detail&aid=3588379&group_id=96405&atid=614693">Bug3588379</a>
<li>Fixed false positive null pointer warning coming from
synthetic bridge methods, fixing <a
href="https://sourceforge.net/tracker/?func=detail&aid=3589328&group_id=96405&atid=614693">Bug3589328</a>
<li>In general, suppress warnings in synthetic methods.
<li>Fix some false positives involving <a
href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>
on classes that extend generic collection classes.
</li>
<li>Combine multiple identical warnings about
<a
href="http://findbugs.sourceforge.net/bugDescriptions.html#DM_DEFAULT_ENCODING">DM_DEFAULT_ENCODING</a>
that occur in the same method,
simplifying issue triage.
<li>Changes by Andrey Loskutov
<ul>
<li>fixed job scheduling errors in 3.8/4.2 Eclipse <a
href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=393748">bug
report</a>
<li>more realistic progress bar updates for jobs
<li>added nullness annotations for some common Eclipse API
methods known to usually return null values
<li>Added support for org.eclipse.jdt.annotation.Nullable,
NonNull and NonNullByDefault annotations (introduced with
Eclipse 3.8/4.2)</li>
</ul>
<li>Documentation improvements
<li><a href="http://code.google.com/p/findbugs/source/list">lots
of other small changes</a>
</ul>
<h1>FindBugs Change Log, Version 2.0.1</h1>
<ul>
<li>New bug patterns; in some cases, bugs previous reported as
other bug patterns are reported as instances of these new bug
patterns in order to make it easier for developers to understand
the bug reports
<ul>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_RELATIVE_PATH_TRAVERSAL">PT_RELATIVE_PATH_TRAVERSAL</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR">NP_NONNULL_FIELD_NOT_INITIALIZED_IN_CONSTRUCTOR</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#MS_SHOULD_BE_REFACTORED_TO_BE_FINAL">MS_SHOULD_BE_REFACTORED_TO_BE_FINAL</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST_OF_RETURN_VALUE">BC_UNCONFIRMED_CAST_OF_RETURN_VALUE</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#PT_ABSOLUTE_PATH_TRAVERSAL">PT_ABSOLUTE_PATH_TRAVERSAL</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS">TQ_COMPARING_VALUES_WITH_INCOMPATIBLE_TYPE_QUALIFIERS</a></li>
</ul>
</li>
<li>Changes to fix false negatives for the following bug
patterns: <a
href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_UNCONFIRMED_CAST">BC_UNCONFIRMED_CAST</a>,
<a
href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_BAD_ARRAY_COMPARE">EC_BAD_ARRAY_COMPARE</a>,
<a
href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_UNUSUAL">EQ_UNUSUAL</a>,
<a
href="http://findbugs.sourceforge.net/bugDescriptions.html#GC_UNRELATED_TYPES">GC_UNRELATED_TYPES</a>,
and <a
href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE">NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE</a>.
</li>
<li>Changes to fix false positions for the following bug
patterns: <a
href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_DOH">DMI_DOH</a>,
<a
href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_UNRELATED_TYPES">EC_UNRELATED_TYPES</a>,
and <a
href="http://findbugs.sourceforge.net/bugDescriptions.html#SE_BAD_FIELD">SE_BAD_FIELD</a>.
</li>
</ul>
<h1>FindBugs Change Log, Version 2.0.0</h1>
<h2>Changes since version 1.3.8</h2>
<ul>
<li>New bug patterns; in some cases, bugs previous reported as
other bug patterns are reported as instances of these new bug
patterns in order to make it easier for developers to understand
the bug reports
<ul>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST ">BC_IMPOSSIBLE_DOWNCAST
</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY ">BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY
</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE ">EC_INCOMPATIBLE_ARRAY_COMPARE
</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#JLM_JSR166_UTILCONCURRENT_MONITORENTER ">JLM_JSR166_UTILCONCURRENT_MONITORENTER
</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE ">LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE
</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_CLOSING_NULL ">NP_CLOSING_NULL
</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE ">RC_REF_COMPARISON_BAD_PRACTICE
</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN ">RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN
</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED ">RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED
</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#SIC_THREADLOCAL_DEADLY_EMBRACE ">SIC_THREADLOCAL_DEADLY_EMBRACE
</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR ">UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR
</a></li>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED ">VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED
</a></li>
</ul>
</li>
<li>Providing a bug rank (1-20), and the ability to filter by
bug rank. Eventually, it will be possible to specify your own
rules for ranking bugs, but the procedure for doing so hasn't been
specified yet.</li>
<li>Fixed about <a
href="https://sourceforge.net/search/index.php?group_id=96405&search_summary=1&search_details=1&type_of_search=artifact&group_artifact_id%5B%5D=614693&open_date_start=2009-03-16&open_date_end=2009-08-20&form_submit=Search">45
bugs filed</a> through SourceForge
</li>
<li>Various reclassifications and priority tweaks</li>
<li>Added more bug annotations to a variety of bug reports.
This provides more context for understanding bug reports (e.g., if
the value in question was is the return value of a method, the
method is described as the source of the value in a bug
annotation). This also provide more accurate tracking of issues
across versions of the code being analyzed, but has the downside
that when comparing results from FindBugs 1.3.8 and FindBugs 1.3.9
on the same version of code being analyzed, FindBugs may think
that mistakenly believe that the issue reported by 1.3.8 was fixed
and a new issue was introduced that was reported by FindBugs
1.3.9. While annoying, it would be unusual for more than a dozen
issues per million lines of codes to be mistracked.</li>
<li>Lots of internal changes moving towards FindBugs 2.0, but
these features are undocumented, not yet officially supported, and
subject to radical changes before FindBugs 2.0 is released.</li>
</ul>
<p>Changes since version 1.3.8</p>
<ul>
<li>New bug patterns; in some cases, bugs previous reported as
other bug patterns are reported as instances of these new bug
patterns in order to make it easier for developers to understand
the bug reports
<ul>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST ">BC_IMPOSSIBLE_DOWNCAST
</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY ">BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY
</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#EC_INCOMPATIBLE_ARRAY_COMPARE ">EC_INCOMPATIBLE_ARRAY_COMPARE
</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#JLM_JSR166_UTILCONCURRENT_MONITORENTER ">JLM_JSR166_UTILCONCURRENT_MONITORENTER
</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE ">LG_LOST_LOGGER_DUE_TO_WEAK_REFERENCE
</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#NP_CLOSING_NULL ">NP_CLOSING_NULL
</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE ">RC_REF_COMPARISON_BAD_PRACTICE
</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN ">RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN
</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED ">RV_RETURN_VALUE_OF_PUTIFABSENT_IGNORED
</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#SIC_THREADLOCAL_DEADLY_EMBRACE ">SIC_THREADLOCAL_DEADLY_EMBRACE
</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR ">UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR
</a>
<li><a
href="http://findbugs.sourceforge.net/bugDescriptions.html#VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED ">VA_FORMAT_STRING_EXPECTED_MESSAGE_FORMAT_SUPPLIED
</a>
</ul>
</li>
<li>Providing a bug rank (1-20), and the ability to filter by
bug rank. Eventually, it will be possible to specify your own
rules for ranking bugs, but the procedure for doing so hasn't been
specified yet.</li>
<li>Fixed about <a
href="https://sourceforge.net/search/index.php?group_id=96405&search_summary=1&search_details=1&type_of_search=artifact&group_artifact_id%5B%5D=614693&open_date_start=2009-03-16&open_date_end=2009-08-20&form_submit=Search">45
bugs filed</a> through SourceForge
</li>
<li>Various reclassifications and priority tweaks</li>
<li>Added more bug annotations to a variety of bug reports.
This provides more context for understanding bug reports (e.g., if
the value in question was is the return value of a method, the
method is described as the source of the value in a bug
annotation). This also provide more accurate tracking of issues
across versions of the code being analyzed, but has the downside
that when comparing results from FindBugs 1.3.8 and FindBugs 1.3.9
on the same version of code being analyzed, FindBugs may think
that mistakenly believe that the issue reported by 1.3.8 was fixed
and a new issue was introduced that was reported by FindBugs
1.3.9. While annoying, it would be unusual for more than a dozen
issues per million lines of codes to be mistracked.</li>
<li>Lots of internal changes moving towards FindBugs 2.0, but
these features are undocumented, not yet officially supported, and
subject to radical changes before FindBugs 2.0 is released.</li>
</ul>
<p>Changes since version 1.3.7</p>
<ul>
<li>Primarily another small bugfix release.</li>
<li>FindBugs base:
<ul>
<li>New Reports:
<ul>
<li>SF_SWITCH_NO_DEFAULT: missing default case in switch
statement.</li>
<li>SF_DEAD_STORE_DUE_TO_SWITCH_FALLTHROUGH_TO_THROW:
value ignored when switch fallthrough leads to thrown
exception.</li>
<li>INT_VACUOUS_BIT_OPERATION: bit operations that don't
do any meaningful work.</li>
<li>FB_UNEXPECTED_WARNING: warning generated that
conflicts with @NoWarning FindBugs annotation.</li>
<li>FB_MISSING_EXPECTED_WARNING: warning not generated
despite presence of @ExpectedWarning FindBugs annotation.</li>
<li>NOISE category: intended for use in data mining
experiments.
<ul>
<li>NOISE_NULL_DEREFERENCE: fake null point dereference
warning.</li>
<li>NOISE_METHOD_CALL: fake method call warning.</li>
<li>NOISE_FIELD_REFERENCE: fake field dereference
warning.</li>
<li>NOISE_OPERATION: fake operation warning.</li>
</ul>
</li>
</ul>
</li>
<li>Other:
<ul>
<li>Garvin Leclaire has created a new Apache Maven
repository for FindBugs at <a
href="http://code.google.com/p/findbugs/">the Google Code
FindBugs SVN repository</a>. (Thanks Garvin!)
</li>
</ul>
</li>
<li>Fixes:
<ul>
<li>[ 2317842 ] Highlighting broken in Windows</li>
<li>[ 2515908 ] check for oddness should track sign of
argument</li>
<li>[ 2487936 ] "L B GC" false pos cast from
Map.Entry.getKey() to Map.get()</li>
<li>[ 2528264 ] Ant tasks not compatible with Ant 1.7.1</li>
<li>[ 2539590 ] SF_SWITCH_FALLTHROUGH wrong message
reported</li>
<li>[ 2020066 ] Bug history displayed in fancy-hist.xsl is
incorrect</li>
<li>[ 2545098 ] Invalid character in analysis results file</li>
<li>[ 2492673 ] Plugin sites should specify "requires
Eclipse 3.3 or newer"</li>
<li>[ 2588044 ] a tiny typing error</li>
<li>[ 2589048 ] Documentation for convertXmlToText
insufficient</li>
<li>[ 2638739 ] NullPointerException when building</li>
</ul>
</li>
<li>Patches:
<ul>
<li>[ 2538184 ] Make BugCollection implement
Iterable<BugInstance> (thanks to Tomas Pollak)</li>
<li>[ 2249771 ] Add Maven2 Findbugs plugin link to the
Links page (thanks to Garvin Leclaire)</li>
<li>[ 2609526 ] Japanese manual update (thanks to K.
Hashimoto)</li>
<li>[ 2119482 ] CheckBcel checks for nonexistent classes
(thanks to Jerry James)</li>
</ul>
</li>
</ul>
</li>
<li>FindBugs Eclipse plugin:
<ul>
<li>Major feature enhancements (thanks to Andrey Loskutov).
See <a href="http://andrei.gmxhome.de/findbugs/index.html">this
overview</a> for more information.
</li>
<li>Major test improvements (thanks to Tomas Pollak).</li>
<li>Fixes:
<ul>
<li>[ 2532365 ] Compiler warning</li>
<li>[ 2522989 ] Fix filter files selection</li>
<li>[ 2504068 ] NullPointerException</li>
<li>[ 2640849 ] NPE in Eclipse plugin 1.3.7 and Eclipse
3.5 M5</li>
</ul>
</li>
<li>Patches:
<ul>
<li>[ 2143140 ] Unchecked conversion fixes for Eclipse
plugin (thanks to Jerry James)
</ul>
</li>
</ul>
</li>
</ul>
<p>Changes since version 1.3.6</p>
<ul>
<li>Overall, a small bugfix release.
<li>New detection of accidental vacuous/useless calls to
EasyMock methods, and of generic signatures that proclaim the use
of unhashable classes in ways that require that they be hashed.
<li>Eliminate some false positives where we were warning about
a useless call (e.g., comparing two incompatible types for
equality), but the only thing the code was doing with the result
was passing it to assertFalse.
<li>Japanese localization and manual by K.Hashimoto. (Thanks!)
<li>Added -exclude and -outputDir command line options to
rejarForAnalysis
<li>Extended -adjustPriorities option to FindBugs analysis
textui so that you can modify the priorities of individual bug
patterns as well as visitors, and also completely suppress
individual bug patterns or visitors.
<ul>
<li>e.g., -adjustPriority
MS_SHOULD_BE_FINAL=suppress,MS_PKGPROTECT=suppress,EI_EXPOSE_REP=suppress,EI_EXPOSE_REP2=suppress,PZLA_PREFER_ZERO_LENGTH_ARRAYS=raise
</ul>
</ul>
<p>Changes since version 1.3.5</p>
<ul>
<li>Added fairly exhaustive static analysis of uses of format
strings, checking for missing or extra arguements, invalid format
specifiers, or mismatched format specifiers and arguments (e.g,
passing a String value for a %d format specifier). The logic for
doing so is derived from Sun's java.util.Formatter class, and
available separately from FindBugs as part of the <a
href="https://jformatstring.dev.java.net/">jFormatString</a>
project.
<li>More tuning of the unsatisfied obligation detector. Since
this detector is still rather noisy and an unfinished research
project, I've moved the generated issues to a new category:
EXPERIMENTAL.
<li>Added check for <a
href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_ADD_OF_SIGNED_BYTE">BIT_ADD_OF_SIGNED_BYTE</a>;
similar to <a
href="http://findbugs.sourceforge.net/bugDescriptions.html#BIT_IOR_OF_SIGNED_BYTE">BIT_IOR_OF_SIGNED_BYTE</a>,
except that addition is being used to combine shifted signed
bytes.
<li>Changed detection of EI_EXPOSE_REP2, so we only report it
if the value stored is guaranteed to be the same value that was
passed in as a parameter.
<li>Added <a
href="http://findbugs.sourceforge.net/bugDescriptions.html#EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS">EQ_CHECK_FOR_OPERAND_NOT_COMPATIBLE_WITH_THIS</a>,
a warning when an equals method checks to see if an operand is an
instance of a class not compatible with itself. For example, if
the Foo class checks to see if the argument is an instance of
String. This is either a questionable design decision or a coding
mistake.
<li>Added <a
href="http://findbugs.sourceforge.net/bugDescriptions.html#DMI_INVOKING_HASHCODE_ON_ARRAY">DMI_INVOKING_HASHCODE_ON_ARRAY</a>,
which checks for invoking <code>hashCode()</code> on an array,
which returns a hash code that ignores the contents of the array.
<li>Added checks for using <code>x.removeAll(x)</code> to
rather than <code>x.clear()</code> to clear an array.
<li>Add checks for calls such as <code>x.contains(x)</code>, <code>x.remove(x)</code>
and <code>x.containsAll(x)</code>.
<li>Improvements to Eclipse plugin (thanks to Andrey
Loskutov):
<ul>
<li>Report separate markers for each occurrence of an issue
that appears multiple times in a method
<li>fine tuning for reported markers: add only one marker
for fields, add marker on right position
<li>link bugs selected in bug explorer view to the opened
editor and vice versa
<li>select bugs selected in editor ruler in the opened bug
explorer view
<li>consistent abbreviations used in both bug explorer and
bug details view
<li>added "Expand All" button to the bug explorer view
<li>added "Go Into/Go Up" buttons to the bug explorer view
<li>added "Copy to clipboard" menu/functionality to the
details view list widget
<li>fix for CNF exception if loading the backup solution for
broken browser widget
</ul>
</ul>
<p>Changes since version 1.3.4</p>
<ul>
<li>Analysis about 15% faster
<li><a
href="http://sourceforge.net/tracker/?atid=614693&group_id=96405&func=browse&status=closed">38
bugs closed</a></li>
<li>New defect warnings:
<ul>
<li>calls to methods that always throw
UnsupportedOperationException (DMI_UNSUPPORTED_METHOD)
<li>repeated conditional tests (e.g., <code>if (x
< 0 || x < 0) ...</code>) (RpC_REPEATED_CONDITIONAL_TEST)
<li>Complete rewrite of detector for format string problems.
More accurate, finds more problems, generates more descriptive
reports, several different bug pattern
(VA_FORMAT_STRING_EXTRA_ARGUMENTS_PASSED,
VA_FORMAT_STRING_ILLEGAL, VA_FORMAT_STRING_MISSING_ARGUMENT,
VA_FORMAT_STRING_BAD_ARGUMENT,
VA_FORMAT_STRING_NO_PREVIOUS_ARGUMENT)
<li>Fairly complete implementation of JSR-305 custom type
qualifier analysis (no support for custom validators yet).
(TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK
TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_ALWAYS_SINK
TQ_EXPLICIT_UNKNOWN_SOURCE_VALUE_REACHES_NEVER_SINK)
<li>New detector for unsatisfied obligations such forgetting
to close a file (OBL_UNSATISFIED_OBLIGATION).
<li>Warning when a parameter is marked as nullable, but is
always dereferenced.
(NP_PARAMETER_MUST_BE_NONNULL_BUT_MARKED_AS_NULLABLE)
<lI>Separate warning for dereference the result of readLine
(NP_DEREFERENCE_OF_READLINE_VALUE)
</ul>
<li>When XML is generated with messages, the project stats now
include <FileStat> elements. For each source file, this
gives the path for the file, the total number of warnings for that
file, and a bugHash for the file. While the instanceHash for a bug
is intended to be version invariant (ignoring line numbers, etc),
the bugHash for a file is intended to reflect all the information
about the warnings in that file. The intended use case is that if
the bugHash for a file is the same in two analysis runs, then <em>nothing</em>
has changed about any of the warnings reported for that file
between the two analysis runs.
<li>More merging of similar issues within a method. For
example, if the result of readLine() is dereferences multiple
times within a method, it will be reported as a single warning
with occurrences at multiple source lines.
</ul>
<p>Changes since version 1.3.3</p>
<ul>
<li>FindBugs base
<ul>
<li>New Reports:
<ul>
<li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC: equals method
overrides equals in superclass and may not be symmetric</li>
<li>EQ_ALWAYS_TRUE: equals method always returns true</li>
<li>EQ_ALWAYS_FALSE: equals method always returns false</li>
<li>EQ_COMPARING_CLASS_NAMES: equals method compares class
names rather than class objects</li>
<li>EQ_UNUSUAL: Unusual equals method</li>
<li>EQ_GETCLASS_AND_CLASS_CONSTANT: equals method fails
for subtypes</li>
<li>SE_READ_RESOLVE_IS_STATIC: The readResolve method must
not be declared as a static method.</li>
<li>SE_PRIVATE_READ_RESOLVE_NOT_INHERITED: private
readResolve method not inherited by subclasses</li>
<li>MSF_MUTABLE_SERVLET_FIELD: Mutable servlet field</li>
<li>XSS_REQUEST_PARAMETER_TO_SEND_ERROR: Servlet reflected
cross site scripting vulnerability</li>
<li>SKIPPED_CLASS_TOO_BIG: Class too big for analysis</li>
</ul>
</li>
<li>Other:
<ul>
<li>Value-number analysis now more space-efficient</li>
<li>Enhancements to reduce memory overhead when analyzing
very large classes</li>
<li>Now skips very large classes that would otherwise take
too much time and memory to analyze</li>
<li>Infrastructure for tracking effectively-constant/
effectively-final fields</li>
<li>Added more cweids</li>
<li>Enhanced taint tracking for taint-based detectors</li>
<li>Ignore doomed calls to equals if result is used as an
argument to assertFalse</li>
<li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC handles compareTo</li>
<li>Priority tweak for ICAST_INTEGER_MULTIPLY_CAST_TO_LONG
(only low priority if multiplying by 1000)</li>
<li>Improved tracking of fields across method calls</li>
</ul>
</li>
<li>Fixes:
<ul>
<li>[ 1941450 ] DLS_DEAD_LOCAL_STORE not reported</li>
<li>[ 1953323 ] Omitted break statement in
SynchronizeAndNullCheckField</li>
<li>[ 1942620 ] Source Directories selection dialog
interface confusion (partial)</li>
<li>[ 1948275 ] Unhelpful "Load of known null"</li>
<li>[ 1933922 ] MWM error in findbugs</li>
<li>[ 1934772 ] 1.3.3 appears to rely on JDK 1.6, JNLP
still specifies 1.5</li>
<li>[ 1933945 ] -loadbugs doesn't work</li>
<li>Fixed problems for class names starting with '$'</li>
<li>Fixed bugs and incomplete handling of annotations in
VersionInsensitiveBugComparator</li>
</ul>
</li>
<li>Patches:
<ul>
<li>[ 1955106 ] Javadoc fixes</li>
<li>[ 1951930 ] Superfluous import statements (thanks to
Jerry James)</li>
<li>[ 1951907 ] Missing @Deprecated annotations (thanks to
Jerry James)</li>
<li>[ 1951876 ] Infonode Docking Windows compile fix
(thanks to Jerry James)</li>
<li>[ 1936055 ] bugfix for findbugs.de.comment not working
(thanks to Peter Fokkinga)
</ul>
</li>
</ul>
<li>FindBugs BlueJ plugin
<ul>
<li>Updated to use FindBugs 1.3.4 (first new release since
1.1.3)</li>
</ul>
</li>
</ul>
<p>Changes since version 1.3.2</p>
<ul>
<li>FindBugs base
<ul>
<li>New Detectors:
<ul>
<li>FieldItemSummary: Produces summary information for
what is stored into fields</li>
<li>SynchronizeOnClassLiteralNotGetClass: Look for code
that synchronizes on the results of getClass rather than on
class literals</li>
<li>SynchronizingOnContentsOfFieldToProtectField: This
detector looks for code that seems to be synchronizing on a
field in order to guard updates of that field</li>
</ul>
</li>
<li>New BugCode:
<ul>
<li>HRS: HTTP Response splitting vulnerability</li>
<li>WL: Possible locking on wrong object</li>
</ul>
</li>
<li>New Reports:
<ul>
<li>DMI_CONSTANT_DB_PASSWORD: This code creates a database
connect using a hard coded, constant password</li>
<li>HRS_REQUEST_PARAMETER_TO_COOKIE: HTTP cookie formed
from untrusted input</li>
<li>HRS_REQUEST_PARAMETER_TO_HTTP_HEADER: HTTP parameter
directly written to HTTP header output</li>
<li>CN_IMPLEMENTS_CLONE_BUT_NOT_CLONEABLE: Class defines
clone() but doesn't implement Cloneable</li>
<li>DL_SYNCHRONIZATION_ON_BOXED_PRIMITIVE: Synchronization
on boxed primitive could lead to deadlock</li>
<li>DL_SYNCHRONIZATION_ON_BOOLEAN: Synchronization on
Boolean could lead to deadlock</li>
<li>ML_SYNC_ON_FIELD_TO_GUARD_CHANGING_THAT_FIELD:
Synchronization on field in futile attempt to guard that field
</li>
<li>DLS_DEAD_LOCAL_STORE_IN_RETURN: Useless assignment in
return statement</li>
<li>WL_USING_GETCLASS_RATHER_THAN_CLASS_LITERAL:
Synchronization on getClass rather than class literal</li>
</ul>
</li>
<li>Other:
<ul>
<li>Many enhancements to cross-site scripting detector and
its documentation</li>
<li>Enhanced switch fall through handling</li>
<li>Enhanced unread field handling (look for IF_ACMPEQ and
IF_ACMPNE)</li>
<li>Clarified documentation for @Nullable in manual</li>
<li>Fewer DeadLocalStore false positives</li>
<li>Fewer UnreadField false positives</li>
<li>Fewer StaticCalendarDetector false positives</li>
<li>Performance fix for slow file system IO e.g. Clearcase
repositories (thanks, Andrei!)</li>
<li>Other, general performance enhancements (thanks,
Andrei!)</li>
<li>Enhancements for using FindBugs scripts with MKS on
Windows (thanks, Kelly O'Hair!)</li>
<li>Noted in the manual that jsr305.jar must be present
for annotations to compile</li>
<li>Added and fine-tuned default-nullness annotations</li>
<li>More CWE IDs added</li>
<li>Check and warning for unexpected BCEL version in
classpath</li>
</ul>
</li>
<li>Fixes:
<ul>
<li>Bug fix to handling of local variable tables in BCEL</li>
<li>Refined documentation for
MTIA_SUSPECT_STRUTS_INSTANCE_FIELD</li>
<li>[ 1927295 ] NPE when called on project root</li>
<li>[ 1926405 ] Incorrect dead store warning</li>
<li>[ 1926409 ] Incorrect redundant nullcheck warning</li>
<li>[ 1926389 ] Wrong line number printed/highlighted in
bug</li>
<li>[ 1927040 ] typo in bug description</li>
<li>[ 1926263 ] Minor glitch in HTML output</li>
<li>[ 1926240 ] Minor error in standard options in manual</li>
<li>[ 1926236 ] Minor bug in installation section of
manual</li>
<li>[ 1925539 ] ZIP is default file system code base</li>
<li>[ 1894701 ] Livelock / memory leak in
ObjectTypeFactory (thanks, Andrei!)</li>
<li>[ 1867491 ] Doesn't reload annotations after code
changes in IDE (thanks, Andrei!)</li>
<li>[ 1921399 ] -project option not supported</li>
<li>[ 1913834 ] "Dead" store to variable with method call</li>
<li>[ 1917352 ] H B se:...field in serializable class</li>
<li>[ 1911617 ] CloneIdiom relies on
getNameConstantOperand for INSTANCEOF</li>
<li>[ 1911620 ] False +: DLS predecrement before return</li>
<li>[ 1871376 ] False negative: non-serializable Map field</li>
<li>[ 1871051 ] non standard clone() method</li>
<li>[ 1908854 ] Error in TestASM</li>
<li>[ 1907539 ] 22 minor errors in bug checker
documentation</li>
<li>[ 1897323 ] EJB implementation class false positives</li>
<li>[ 1899648 ] Crash on startup on Vista with Java
1.6.0_04</li>
</ul>
</li>
</ul>
</li>
<li>FindBugs Eclipse plugin (change log by Andrey Loskutov)
<ul>
<li>new feature: export basic FindBugs numbers for projects
via File->Export->Java->BugCounts (Andrey Loskutov)</li>
<li>new feature: jobs for different projects will be run in
parallel per default if running on a multi-core PC
("fb.allowParallelBuild" system property not used anymore)
(Andrey Loskutov)</li>
<li>fixed performance slowdown in the multi-threaded build,
caused by workspace operation locks during assigning marker
attributes (Andrey Loskutov)</li>
</ul>
</li>
</ul>
<p>Changes since version 1.3.1</p>
<ul>
<li>FindBugs base
<ul>
<li>New Bug Category:
<ul>
<li>SECURITY (Abbrev: S), A use of untrusted input in a
way that could create a remotely exploitable security
vulnerability</li>
</ul>
</li>
<li>New Detectors:
<ul>
<li>CrossSiteScripting: This detector looks for
obvious/blatant cases of cross site scripting vulnerabilities</li>
</ul>
</li>
<li>New BugCode:
<ul>
<li>XSS: Cross site scripting</li>
</ul>
</li>
<li>New Reports:
<ul>
<li>XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER: HTTP
parameter directly written to Servlet output, giving XSS
vulnerability</li>
<li>XSS_REQUEST_PARAMETER_TO_JSP_WRITER: HTTP parameter
directly written to JSP output, giving XSS vulnerability</li>
<li>EQ_OTHER_USE_OBJECT: equals() method defined that
doesn't override Object.equals(Object)</li>
<li>EQ_OTHER_NO_OBJECT: equals() method inherits rather
than overrides equals(Object)</li>
<li>NP_NULL_ON_SOME_PATH_MIGHT_BE_INFEASIBLE: Possible
null pointer dereference on path that might be infeasible</li>
</ul>
</li>
<li>Other:
<ul>
<li>Added -noClassOk command-line parameter to
command-line and ant interfaces; when -noClassOk is specified
and no classfiles are given, FindBugs will print a warning
message and output a well- formed file with no warnings</li>
<li>Fewer false positives for null pointer bugs</li>
<li>Suppress dead-local-store false positives in .jsp code</li>
<li>Type fixes in warning messages</li>
<li>Better warning message for NP_NULL_ON_SOME_PATH</li>
<li>"WMI" bug code description renamed from "Wrong Map
Iterator" to "Inefficient Map Iterator"</li>
</ul>
</li>
<li>Fixes:
<ul>
<li>[ 1893048 ] FindBugs confused by a findbugs.xml file</li>
<li>[ 1878528 ] XSL xforms don't support history features</li>
<li>[ 1876584 ] two default.xsl flaws</li>
<li>[ 1874856 ] Format string bug detector doesn't handle
special operators</li>
<li>[ 1872645 ] computeBugHistory -
java.lang.IllegalArgumentException</li>
<li>[ 1872237 ] Ant task fails when no .class files</li>
<li>[ 1868670 ] Filters: include AND exclude don't allowed</li>
<li>[ 1868666 ] check-for-oddness reported, but array
length can never be negative</li>
<li>[ 1866108 ] SetBugDatabaseInfoTask strips dir from
output filename</li>
<li>[ 1866021 ] MineBugHistoryTask strips dir of output
filename</li>
<li>[ 1865265 ] code doesn't handle
StringBuffer.append([CII) right</li>
<li>[ 1864793 ] Warning when casting a null reference
compared to a String</li>
<li>[ 1863376 ] Typo in manual chap 8: Filter Files</li>
<li>[ 1862705 ] Transient fields that default to null</li>
<li>[ 1842545 ] DLS on catch variable (with priority
tweaking)</li>
<li>[ 1816258 ] false positive BC_IMPOSSIBLE_CAST</li>
<li>[ 1551732 ] Get erroneous DLS with while loop</li>
</ul>
</li>
</ul>
</li>
<li>FindBugs Eclipse plugin (change log by Andrey Loskutov)
<ul>
<li>new feature: added Bug explorer view (replacing Bug tree
view), based on Common Navigator framework (Andrey Loskutov)</li>
<li>bug 1873860 fixed: empty projects are no longer shown in
Bug tree view (Andrey Loskutov)</li>
<li>new feature: bug counts decorators for projects, folders
and files (has to be activated via Preferences -> general
-> appearance -> label decorations)(Andrey Loskutov)</li>
<li>patch 1746499: better icons (Alessandro Nistico)</li>
<li>patch 1893685: Find bug actions on change sets bug
(Alessandro Nistico)</li>
<li>fixed bug 1855384: Bug configuration is broken in
Eclipse (Andrey Loskutov)</li>
<li>refactored FindBugs properties page (Andrey Loskutov)</li>
<li>refactored FindBugs worker/builder/run action (Andrey
Loskutov)</li>
<li>FB detects now only bugs from classes on project's
classpath (no double work on duplicated class files) (Andrey
Loskutov)</li>
<li>fixed bug introduced by the bad patch for 1867951: FB
cannot be executed incrementally on a folder of file (Andrey
Loskutov)</li>
<li>fixed job rule: now jobs for different projects may run
in parallel if running on a multi-core PC and
"fb.allowParallelBuild" system property is set to true (Andrey
Loskutov)</li>
<li>fixed FB auto-build not started if .fbprefs or
.classpath was changed (Andrey Loskutov)</li>
<li>fixed not reporting bugs on secondary types (classes
defined in java files with different name) (Andrey Loskutov)</li>
</ul>
</li>
</ul>
<p>Changes since version 1.3.0</p>
<ul>
<li>New Reports
<ul>
<li>VA_FORMAT_STRING_ARG_MISMATCH: A format-string method
with a variable number of arguments is called, but the number of
arguments passed does not match with the number of %
placeholders in the format string. This is probably not what the
author intended.
<li>IO_APPENDING_TO_OBJECT_OUTPUT_STREAM: This code opens a
file in append mode and that wraps the result in an object
output stream. This won't allow you to append to an existing
object output stream stored in a file. If you want to be able to
append to an object output stream, you need to keep the object
output stream open. The only situation in which opening a file
in append mode and the writing an object output stream could
work is if on reading the file you plan to open it in random
access mode and seek to the byte offset where the append
started.
<li>NP_BOOLEAN_RETURN_NULL: A method that returns either
Boolean.TRUE, Boolean.FALSE or null is an accident waiting to
happen. This method can be invoked as though it returned a value
of type boolean, and the compiler will insert automatic unboxing
of the Boolean value. If a null value is returned, this will
result in a NullPointerException.
</ul>
</li>
<li>Changes to Existing Reports
<ul>
<li>RV_DONT_JUST_NULL_CHECK_READLINE: CORRECTNESS ->
STYLE</li>
<li>DMI_INVOKING_TOSTRING_ON_ARRAY: Long description
mentions array name whenever possible</li>
</ul>
</li>
<li>Fixes:
<ul>
<li>Updated manual to mention that Java 1.5 is now a
requirement for running FindBugs
<li>Applied patch 1840206 fixing issue "Ant task does not
work when presetdef is used" - thanks to phejl
<li>Applied patch 1778690 fixing issue "Ant task: tolerate
but complain about invalid auxClasspath" - thanks to David
Schmidt
<li>Applied patch 1852125 adding a Chinese-language GUI
bundle props file - thanks to fifi
<li>Applied patch 1845903 adding ability to load XML results
with the Eclipse plugin - thanks to Alex Mont
<li>Fixed issue 1844671 - "FP for "reversed" null check in
catch for stream close"
<li>Fixed issue 1836050 - "-onlyAnalyze broken"
<li>Fixed issue 1853011 - "Typo: Field names should start
with aN lower case letter"
<li>Fixed issue 1844181 - "JNLP file does not contain all
necessary JARs"
<li>Fixed issue 1840245 - "xxxException class does not
derive from Exception"
<li>Fixed issue 1840277 - "[M D EC] Typo in bug
documentation"
<li>Fixed issue 1782447 - "OutOfMemoryError if i activate
Findbugs on my project"
<li>Fixed issue 1830576 - "[regression] keySet/entrySet
false positive"
</ul>
</li>
<li>Other:
<ul>
<li>New bug code: "IO" (for
IO_APPENDING_TO_OBJECT_OUTPUT_STREAM)</li>
<li>Added "-onlyMostRecent" option for computeBugHistory
script/ant task
<li>More explicit language in
RV_RETURN_VALUE_IGNORED_BAD_PRACTICE messages
<li>Modified ResourceValueAnalysis to correctly identify
null == X or null != X as a null check (for issue 1844671)
<li>Modified DMI_HARDCODED_ABSOLUTE_FILENAME logic in
DumbMethodInvocations to ignore files from /etc or /dev and
increase priority of files from /home
<li>Better bug details for infinite loop warnings
<li>Modified unread-fields detector to reduce false
positives from reflective fields
<li>build.xml "classes" target now builds all sources in one
step
</ul>
</li>
</ul>
<p>Changes since version 1.2.1</p>
<ul>
<li>New Detectors and Reports
<ul>
<li>SynchronizationOnSharedBuiltinConstant
<ul>
<li>DL_SYNCHRONIZATION_ON_SHARED_CONSTANT: The code
synchronizes on a shared primitive constant, such as an
interned String. Such constants are interned and shared across
all other classes loaded by the JVM. Thus, this could be
locking on something that other code might also be locking.
This could result in very strange and hard to diagnose
blocking and deadlock behavior. See <a
href="http://www.javalobby.org/java/forums/t96352.html">http://www.javalobby.org/java/forums/t96352.html</a>
and <a href="http://jira.codehaus.org/browse/JETTY-352">http://jira.codehaus.org/browse/JETTY-352</a>.
</ul>
</li>
<li>OverridingEqualsNotSymmetrical
<ul>
<li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC: Looks for equals
methods that override equals methods in a superclass where the
equivalence relationship might not be symmetrical.
</ul>
</li>
<li>CheckTypeQualifiers
<ul>
<li>TQ_ALWAYS_VALUE_USED_WHERE_NEVER_REQUIRED: A value
specified as carrying a type qualifier annotation is consumed
in a location or locations requiring that the value not carry
that annotation. More precisely, a value annotated with a type
qualifier specifying when=ALWAYS is guaranteed to reach a use
or uses where the same type qualifier specifies when=NEVER.</li>
<li>TQ_NEVER_VALUE_USED_WHERE_ALWAYS_REQUIRED: A value
specified as not carrying a type qualifier annotation is
guaranteed to be consumed in a location or locations requiring
that the value does carry that annotation. More precisely, a
value annotated with a type qualifier specifying when=NEVER is
guaranteed to reach a use or uses where the same type
qualifier specifies when=ALWAYS.</li>
<li>TQ_MAYBE_SOURCE_VALUE_REACHES_ALWAYS_SINK: A value
that might not carry a type qualifier annotation reaches a use
which requires that annotation.</li>
<li>TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK: A value
which might carry a type qualifier annotation reaches a use
which forbids values carrying that annotation.</li>
</ul>
</li>
</ul>
</li>
<li>New Reports (existing detectors)
<ul>
<li>FindHEmismatch
<ul>
<li>EQ_DOESNT_OVERRIDE_EQUALS: This class extends a class
that defines an equals method and adds fields, but doesn't
define an equals method itself. Thus, equality on instances of
this class will ignore the identity of the subclass and the
added fields. Be sure this is what is intended, and that you
don't need to override the equals method. Even if you don't
need to override the equals method, consider overriding it
anyway to document the fact that the equals method for the
subclass just return the result of invoking super.equals(o).</li>
</ul>
</li>
<li>Naming
<ul>
<li>NM_WRONG_PACKAGE, NM_WRONG_PACKAGE_INTENTIONAL: The
method in the subclass doesn't override a similar method in a
superclass because the type of a parameter doesn't exactly
match the type of the corresponding parameter in the
superclass.</li>
<li>NM_SAME_SIMPLE_NAME_AS_SUPERCLASS: This class has a
simple name that is identical to that of its superclass,
except that its superclass is in a different package (e.g., <code>alpha.Foo</code>
extends <code>beta.Foo</code>). This can be exceptionally
confusing, create lots of situations in which you have to look
at import statements to resolve references and creates many
opportunities to accidently define methods that do not
override methods in their superclasses.
</li>
<li>NM_SAME_SIMPLE_NAME_AS_INTERFACE: This class/interface
has a simple name that is identical to that of an
implemented/extended interface, except that the interface is
in a different package (e.g., <code>alpha.Foo</code> extends <code>beta.Foo</code>).
This can be exceptionally confusing, create lots of situations
in which you have to look at import statements to resolve
references and creates many opportunities to accidently define
methods that do not override methods in their superclasses.
</li>
</ul>
<li>FindRefComparison
<ul>
<li>EC_UNRELATED_TYPES_USING_POINTER_EQUALITY: This method
uses using pointer equality to compare two references that
seem to be of different types. The result of this comparison
will always be false at runtime.</li>
</ul>
</li>
<li>IncompatMask
<ul>
<li>BIT_SIGNED_CHECK, BIT_SIGNED_CHECK_HIGH_BIT: This
method compares an expression such as <tt>((event.detail
& SWT.SELECTED) > 0)</tt>. Using bit arithmetic and then
comparing with the greater than operator can lead to
unexpected results (of course depending on the value of
SWT.SELECTED). If SWT.SELECTED is a negative number, this is a
candidate for a bug. Even when SWT.SELECTED is not negative,
it seems good practice to use '!= 0' instead of '> 0'.
</li>
</ul>
</li>
<li>LazyInit
<ul>
<li>LI_LAZY_INIT_UPDATE_STATIC: This method contains an
unsynchronized lazy initialization of a static field. After
the field is set, the object stored into that location is
further accessed. The setting of the field is visible to other
threads as soon as it is set. If the further accesses in the
method that set the field serve to initialize the object, then
you have a <em>very serious</em> multithreading bug, unless
something else prevents any other thread from accessing the
stored object until it is fully initialized.
</li>
</ul>
</li>
<li>FindDeadLocalStores
<ul>
<li>DLS_DEAD_STORE_OF_CLASS_LITERAL: This instruction
assigns a class literal to a variable and then never uses it.
<a href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">The
behavior of this differs in Java 1.4 and in Java 5.</a> In Java
1.4 and earlier, a reference to <code>Foo.class</code> would
force the static initializer for <code>Foo</code> to be
executed, if it has not been executed already. In Java 5 and
later, it does not. See Sun's <a
href="//java.sun.com/j2se/1.5.0/compatibility.html#literal">article
on Java SE compatibility</a> for more details and examples, and
suggestions on how to force class initialization in Java 5.
</li>
</ul>
</li>
<li>MethodReturnCheck
<ul>
<li>RV_RETURN_VALUE_IGNORED_BAD_PRACTICE: This method
returns a value that is not checked. The return value should
be checked since it can indication an unusual or unexpected
function execution. For example, the <code>File.delete()</code>
method returns false if the file could not be successfully
deleted (rather than throwing an Exception). If you don't
check the result, you won't notice if the method invocation
signals unexpected behavior by returning an atypical return
value.
</li>
<li>RV_EXCEPTION_NOT_THROWN: This code creates an
exception (or error) object, but doesn't do anything with it.
</li>
</ul>
</li>
</ul>
</li>
<li>Changes to Existing Reports
<ul>
<li>NS_NON_SHORT_CIRCUIT: BAD_PRACTICE -> STYLE</li>
<li>NS_DANGEROUS_NON_SHORT_CIRCUIT: CORRECTNESS -> STYLE</li>
<li>RC_REF_COMPARISON: CORRECTNESS -> BAD_PRACTICE</li>
</ul>
</li>
<li>GUI Changes
<ul>
<li>Added importing and exporting of bug filters</li>
<li>Better handling of failed analysis runs</li>
<li>Added "-look" parameter for selecting look-and-feel</li>
<li>Fixed incorrect package filtering</li>
<li>Fixed issue where "synchronized" was not
syntax-highlighted</li>
</ul>
</li>
<li>Ant-task Changes
<ul>
<li>Refactored common ant-task code to AbstractFindBugsTask</li>
<li>Added tasks for computeBugHistory, convertXmlToText,
filterBugs, mineBugHistory, setBugDatabaseInfo</li>
</ul>
</li>
<li>Manual
<ul>
<li>Updates to GUI section, including new screenshots</li>
<li>Added description of rejarForAnalysis</li>
<li>Revamp of data-mining section</li>
</ul>
</li>
<li>Other Major
<ul>
<li>Internal restructuring for lower memory overhead</li>
</ul>
</li>
<li>Other Minor
<ul>
<li>Fixed typo: was STCAL_STATIC_SIMPLE_DATA_FORMAT_INSTANCE
now STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE</li>
<li>-outputFile parameter became -output</li>
<li>More sensitivity and specificity inLazyInit detector</li>
<li>More sensitivity and specificity in Naming detector</li>
<li>More sensitivity and specificity in UnreadFields
detector</li>
<li>More sensitivity in FindNullDeref detector</li>
<li>More sensitivity in FindBadCast2 detector</li>
<li>More specificity in FindReturnRef detector</li>
<li>Many other tweaks and bug fixes</li>
</ul>
</li>
</ul>
<p>Changes since version 1.2.0</p>
<ul>
<li>Bug fixes:
<ul>
<li><a
href="http://fisheye2.cenqua.com/changelog/findbugs/?cs=8219">Fix</a>
<a
href="http://sourceforge.net/tracker/index.php?func=detail&aid=1726946&group_id=96405&atid=614693">bug</a>
with detectors that were requested to be disabled but were
enabled due to requirements of other detectors.</li>
<li>Fix bugs in incremental analysis within Eclipse plugin</li>
<li>Fix some analysis errors</li>
<li>Fix some threading bugs in GUI2</li>
<li>Report version as version when it was compiled, not when
it was run</li>
<li>Copy analysis time stamp when filtering or transforming
analysis files.</li>
</ul>
<li>Enabled StaticCalendarDetector</li>
<li>Reworked GUI2 to use standard FindBugs filters
<ul>
<li>Allow a suppression filter to be stored in a project and
persisted to the XML representation of a project.</li>
</ul>
</li>
<li>Move away from old GUI2 save format (a directory
containing an xml file and another file containing serialized
filters).</li>
<li>Support/recommend use of two new file extensions/formats:
<dl>
<dt>.fba - FindBugs Analysis File</dt>
<dd>Exactly the same as an existing bug collection file
stored in XML format, but using a distinct file extension to
make it easier to figure out which xml files contain FindBugs
results.</dd>
<dt>.fbp - FindBugs Project File</dt>
<dd>Contains just the information needed to run FindBugs and
display the results (e.g., the files to be analyzed, the
auxiliary class path and the location of source files)
</dl>
</li>
</ul>
<p>Changes since version 1.1.3</p>
<ul>
<li>Added -xml:withAbridgedMessages option to generate xml
containing shorter messages. The messages will be shorted by doing
things like eliding package names, and leaving off the source line
from the LongMessage. These messages are appropriate if being used
in a context where the non-message components of the bug
annotations will be used to provide more information (e.g.,
clicking on the message for a MethodAnnotation will display the
source for the method).
<ul>
<li>FindBugsDisplayFeatures.setAbridgedMessages(true) can be
used to generate abridged messages when FindBugs is being
accessed directly (not via generated XML) from a GUI or IDE.</li>
</ul>
<li>In null pointer analysis, try to be better about always
showing two locations: where it is known null and where it is
dereferenced.
<li>Interprocedural analysis of which methods return nonnull
values
<li>Use method calls to select order in which classes are
analyzed, and order in which methods are analyzed, to improve
interprocedural analysis results.
<li>Significant improvements in memory footprint, memory
allocation and CPU utilization (20-30% reduction in all three)
<li>Added a project name, to provide better descriptions in
the HTML output.
<li>Added new bug pattern: Casting to char, or bit masking
with nonnegative value, and then checking to see if the result is
negative.
<li>Stopped reporting transient fields of classes not marked
as serializable. Transient is used by other persistence
frameworks.
<li>Improvements to detector for SQL injection (Thanks to <a
href="http://www.clock.org/~matt">Matt Hargett</a> for his
contributions
<li>Changed open/save options in GUI2 to not distinguish
between FindBugs projects and saved FindBugs analysis results.
<li>Improvements to detection of serious non-short-circuit
evaluation.
<li>Updated Japanese localization (thanks to Ruimo Uno)
<li>Eclipse plugin changes:
<ul>
<li>Created Bug User Annotations and Bug Tree Views
<li>Use different icons for different bug priorities
<li>Provide more information in Bug Details view
</ul>
</ul>
<p>Changes since version 1.1.2:</p>
<ul>
<li>Fixed broken Ant task
<li>Added running ant task to smoke test
<li>Added validating xml and html output to smoke test
<li>Fixed some (but not all) issues with html output
validation
<li>Added check for x.equals(x) and x.compareTo(x)
<li>Various bug fixes
</ul>
<p>Changes since version 1.1.1:</p>
<ul>
<li>Added check for infinite iterative loops</li>
<li>Added check for use of incompatible types in a collection
(e.g., checking to see if a Set<String> contains a
StringBuffer).</li>
<li>Added check for invocations of equals or hashCode on a
URL, which, <a
href="http://michaelscharf.blogspot.com/2006/11/javaneturlequals-and-hashcode-make.html">surprising
many people</a>, requires DNS resolution.
</li>
<li>Added check for classes that define compareTo but not
equals; such classes can exhibit some anomalous behavior (e.g.,
they are treated differently by PriorityQueues in Java 5 and Java
6).</li>
<li>Added a check for useless self operations (e.g., x < x
or x ^ x).</li>
<li>Fixed a data race that could cause the GUI to fail on
startup</li>
<li>Partial internationalization of the new GUI</li>
<li>Fix bug in "Redo analysis" option of new GUI</li>
<li>Tuning to reduce false positives</li>
<li>Fixed a bug in null pointer analysis that was generating
false positive null pointer warnings on exception paths. Fixing
this bug eliminates about 1/4 of the warnings on null pointer
exceptions on exception paths.</li>
<li>Fixed a bug in the processing of phi nodes for fields in
the null pointer analysis</li>
<li>Applied contributed patch that provides more quick fixes
in Eclipse plugin.</li>
<li>Fixed a number of bugs in the Eclipse auto update sites,
and in the way date qualifiers were being used in the Eclipse
plugin. You may need to manually disable your existing version of
the plugin and download the 1.1.2 from the update site to get the
automatic update function working correctly. The Eclipse update
sites are described at <a
href="http://findbugs.cs.umd.edu/eclipse/">http://findbugs.cs.umd.edu/eclipse/</a>.
</li>
<li>Fixed progress bar in Eclipse plugin</li>
<li>A number of other bug fixes.</li>
</ul>
<p>Changes since version 1.1.0:</p>
<ul>
<li>less scanning of classes not on the analysis path (This
was causing some performance problems.)</li>
<li>no unread field warnings for fields annotated with
javax.persistent or javax.ejb3</li>
<li>Eclipse plugin
<ul>
<li>bug annotation info displayed in Bug Details tab</li>
<li>.fbwarnings data file now stored in .metadata (not in
the project itself)</li>
</ul>
</li>
<li>new SE_BAD_FIELD_INNER_CLASS pattern</li>
<li>updates to Japanese translation (ruimo)</li>
<li>fix some internal slashed/dotted path confusion</li>
<li>other minor improvements</li>
</ul>
<p>Changes since version 1.0.0:</p>
<ul>
<li>Overall, the change from FindBugs 1.0.0 to FindBugs 1.1.0
has been a big change. We've done a lot of work in a lot of areas,
and aren't even going to try to enumerate all the changes.</li>
<li>We spent a lot of time reviewing the results generated by
FindBugs for open source and commercial code bases, and made a
number of changes, small and large, to minimize the number of
false positives. Our primary focus for this was warnings reported
as high and medium priority correctness warnings. Our internal
evaluation is that we produce very few high/medium priority
correctness warnings where the analysis is actually wrong, and
that more than 75% of the high/medium priority correctness
warnings correspond to real coding defects that need addressing in
the source code. The remaining 25% are largely cases such as a
branch or statement that if taken would lead to an error, but in
fact is a dead branch or statement that can never be taken. Such
coding is confusing and hard to maintain, so it should arguably be
fixed, but it is unlikely to actually result in an error during
execution. Thus, some might classify those warnings as false
positives.</li>
<li>We've substantially improved the analysis for errors that
could result in null pointer dereferences. Overall, our experience
has been that these changes have roughly doubled the number of
null pointer errors we detect, without increasing the number of
false positives (in fact, our false positive rate has gone down).
The improvements are due to four factors:
<ul>
<li>By default, we now do some interprocedural analysis to
determine methods that unconditionally dereference their
parameters.</li>
<li>FindBugs also comes with a model of which JDK methods
unconditionally dereference their parameters.</li>
<li>We do limited tracking of fields, so that we can detect
null values stored in fields that lead to exceptions.</li>
<li>We implemented a new analysis technique to find
guaranteed dereferences. Consider the following example: <pre>public int f(Object x, boolean b) {
int result = 0;
if (x == null) result++;
else result--;
// at this point, we know x is null on a simple path
if (b) {
// at this point, x is only null on a complex path
// we don't know if the path in which x is null and b is true is feasible
return result + x.hashCode();
}
else {
// at this point, x is only null on a complex path
// we don't know if the path in which x is null and b is false is feasible
return result - x.hashCode();
}
</pre>
<p>
FindBugs 1.0 used forward dataflow analysis to determine
whether each value is definitely null, null on a simple path,
possible null on a complex path, or definitely nonnull. Thus,
at the statement where
<code> result </code>
is decremented, we know that
<code> x </code>
is definitely null, and at the point before
<code> if (b) </code>
, we know that
<code> x </code>
is null on a simple path. If
<code> x </code>
were to be dereferenced here, we would generate a warning,
because if the else branch of the
<code> if (x == null) </code>
were ever taken, a null pointer exception would result.
</p>
<p>
However, in both the then and else branches of the
<code> if (b) </code>
statement,
<code> x </code>
is only null on a complex path that may be infeasible. It might
be that the program logic is such that if
<code> x </code>
is null, then
<code> b </code>
is never true, so generating a warning about the dereference in
the then clause might be a false positive. We could try to
analyze the program to determine whether it is possible for
<code> x </code>
to be null and
<code> b </code>
to be true, but that can be a hard analysis problem.
</p>
<p>
However,
<code> x </code>
is dereferenced in both the then <em>and</em> else branches of
the
<code> if (b) </code>
statement. So at the point immediately before
<code> if (b) </code>
, we know that
<code> x </code>
is null on a simple path <em>and</em> that
<code> x </code>
is guaranteed to be dereferenced on all paths from this point
forward. FindBugs 1.1 performs a backwards data flow analysis
to determine the values that are guaranteed to be dereferenced,
and will generate a warning in this case.
</p>
</li>
</ul>
<p>
The following screen shot of our new GUI shows an example of this
analysis, as well as showing off our new GUI and points out a
limitation of our current plugins for Eclipse and NetBeans. The
screen shot shows a null pointer bug in HelpDisplay.java. The
test for
<code> href!=null </code>
on line 78 suggests that
<code> href </code>
could be null. If it is, then
<code> href </code>
will be dereferenced on either line 87 or on line 90, generating
a NPE. Note that our analysis here also understands that passing
<code> href </code>
to
<code> URLEncoder.encode </code>
will deference it, and thus treats line 87 as a dereference, even
though
<code> href </code>
is not actually dereferenced at that line. Within our new GUI,
all of these locations are highlighted and listed in the summary
panel. In the original GUI (and in HTML output) we list all of
the locations, but only the primary location is highlighted by
the original GUI. In the Eclipse and NetBeans plugins, only the
primary location is displayed; fixing this is on our todo list
(contributions welcome).
</p>
<p>
<img src="guaranteedDereference.png" alt="">
</p>
</li>
<li>Preliminary support for detectors using the frameworks
other than BCEL, such as the <a href="http://asm.objectweb.org/">ASM</a>
bytecode framework. You may experiment with writing ASM-based
detectors, but beware the API may still change (which could
possibly also affect BCEL-based detectors). In general, we've
started trying to move away from a deep dependence on BCEL, but
that change is only partially complete. Probably best to just
avoid this until we complete more work on this. This change is
only visible to FindBugs plugin developers, and shouldn't be
visible to FindBugs users.
</li>
<li>
<p>Bug categories (CORRECTNESS, MT_CORRECTNESS, etc.) are no
longer hard-coded, but rather defined in xml files associated
with plugins, including the core plugin which defines the
standard categories. Third-party plugins can define their own
categories.</p>
</li>
<li>
<p>Several bug patterns have been moved from CORRECTNESS and
STYLE into a new category, BAD_PRACTICE. The English localization
of STYLE has changed from "Style" to "Dodgy."</p>
<p>In general, we've worked very hard to limit CORRECTNESS
bugs to be real programming errors and sins of commission. We
have reclassified as BAD_PRACTICE a number of bad design
practices that result in overly fragile code, such as defining an
equals method that doesn't accept null or defining class with a
equals method that inherits hashCode from class Object.</p>
<p>In general, our guidelines for deciding whether a bug
should be classified as CORRECTNESS, BAD_PRACTICE or STYLE are:</p>
<dl>
<dt>CORRECTNESS</dt>
<dd>A problem that we can recognize with high confidence and
is an issue that we believe almost all developers would want to
examine and address. We recommend that software teams review all
high and medium priority warnings in their entire code base.</dd>
<dt>BAD_PRACTICE</dt>
<dd>A problem that we can recognize with high confidence and
represents a clear violation of recommended and standard coding
practice. We believe each software team should decide which bad
practices identified by FindBugs it wants to prohibit in the
team's coding standard, and take action to remedy violations of
those coding standards.</dd>
<dt>STYLE</dt>
<dd>These are places where something strange or dodgy is
going on, such as a dead store to a local variable. Typically,
less than half of these represent actionable programming
defects. Reviewing these warnings in any code under active
development is probably a good idea, but reviewing all such
warnings in your entire code base might be appropriate only in
some situations. Individual or team programming styles can
substantially influence the effectiveness of each of these
warnings (e.g., you might have a coding practice or style in
your group that confuses one of the detectors into generating a
lot of STYLE warnings); you will likely want to selectively
suppress or report the STYLE warnings that are effective for
your group.</dd>
</dl>
</li>
<li>Released a preliminary version of a new GUI (known
internally as GUI2 -- not very creative, huh?)</li>
<li>Provided standard ways to mark user designations of bug
warnings (e.g., as NOT_A_BUG or SHOULD_FIX). The internal logic
now records this, it is represented in the XML file, and GUI2
allows the designations to be applied (along with free-form user
annotations about each warning). The user designations and
annotations are not yet supported by the Eclipse plugin, but we
clearly want to support it in Eclipse shortly.</li>
<li>Added a check for a bad comparison with a signed byte with
a value not in the range -128..127. For example: <pre>boolean find200(byte b[]) {
for(int i = 0; i < b.length; i++) if (b[i] == 200) return i;
return -1;
}
</pre>
</li>
<li>Added a checking for testing if a value is equal to
Double.NaN (no value is equal to NaN, not even NaN).</li>
<li>Added a check for using a class with an equals method but
no hashCode method in a hashed data structure.</li>
<li>Added check for uncallable method of an anonymous inner
class. For example, in the following code, it is impossible to
invoke the initalValue method (because the name is misspelled and
as a result is doesn't override a method in ThreadLocal). <pre>private static ThreadLocal serialNum = new ThreadLocal() {
protected synchronized Object initalValue() {
return new Integer(nextSerialNum++);
}
};
</pre>
</li>
<li>Added check for a dead local store caused by a switch
statement fall through</li>
<li>Added check for computing the absolute value of a random
32 bit integer or of a hashcode. This is broken because <code>
Math.abs(Integer.MIN_VALUE) == Integer.MIN_VALUE </code> , and thus
result of calling Math.abs, which is expected to be nonnegative,
will in fact be negative one time out of 2 <sup> 32 </sup> , which
will invariably be the time your boss is demoing the software to
your customers.
</li>
<li>More careful resolution of inherited methods and fields.
Some of the shortcuts we were taking in FindBugs 1.0.0 were
leading to inaccurate results, and it was fairly easy to address
this by making the analysis more accurate.</li>
<li>Overall, analysis times are about 1.6 times longer in
FindBugs 1.1.0 than in FindBugs 1.0.0. This is because we have
enabled substantial additional analysis at the default effort
level (the actual analysis engine is significantly faster than in
FindBugs 1.0). On a recent AMD Athlon processor, analyzing
JDK1.6.0 (about 1 million lines of code) requires about 15 minutes
of wall clock time.</li>
<li>Provided class and script (printClass) to print classfile
in the human readable format produced by BCEL</li>
<li>Provided -findSource option to setBugDatabaseInfo</li>
</ul>
<p>Changes since version 0.9.7:</p>
<ul>
<li>fix ObjectTypeFactory bug that was suppressing some bugs</li>
<li>opcode stack may determine definite zeros on some paths</li>
<li>opcode stack can track some constant string concatenations
(dbrosius)</li>
<li>default effort performs iterative opcode analysis (but min
effort does not)</li>
<li>default heap size upped to 384m</li>
<li>schema for XML output available: bugcollection.xsd</li>
<li>fixed some internal confusion between dotted and slashed
class names</li>
<li>New detectors
<ul>
<li>CheckImmutableAnnotation.java: checks JCIP annotations</li>
</ul>
</li>
<li>Updated detectors
<ul>
<li>BadRegEx.java: understands Pattern.LITERAL, warns about
"."</li>
<li>FindUnreleasedLock.java: fewer false positives</li>
<li>DumbMethods.java: check for vacuous comparisons to
MAX_INTEGER or MIN_INTEGER, fix bugs detecting
DM_NEXTINT_VIA_NEXTDOUBLE</li>
<li>FindPuzzlers.java: detect <tt>n%2==1</tt>, detect
toString() on array types
</li>
<li>FindInconsistentSync2.java: detects IS_FIELD_NOT_GUARDED
</li>
<li>MethodReturnCheck.java: add check for discarded newly
constructed values, increase priority of some ignored
constructed exceptions, better handling of bytecode compiled by
Eclipse</li>
<li>FindEmptySynchronizedBlock.java: better handling of
bytecode compiled by Eclipse</li>
<li>DoInsideDoPrivileged.java: warn if call to setAccessible
isn't in doPriviledged, don't report private methods</li>
<li>LoadOfKnownNullValue.java: fix bug that was reporting
false positives on <code> finally </code> blocks
</li>
<li>CheckReturnAnnotationDatabase.java: better checks for
unstarted threads</li>
<li>ConfusionBetweenInheritedAndOuterMethod.java: fewer
false positives, fixed a package-handling bug</li>
<li>BadResultSetAccess.java: separate bug pattern for
PreparedStatements, <code> BRZA </code> category folded into <code>
SQL </code> category
</li>
<li>FindDeadLocalStores.java, FindBadCast2.java,
DumbMethods.java, RuntimeExceptionCapture.java: coalesce similar
bugs within a method into a single bug instance with multiple
source lines</li>
</ul>
</li>
<li>Eclipse plugin
<ul>
<li>plugin ID changed from <tt>de.tobject.findbugs</tt> to <tt>edu.umd.cs.findbugs.plugin.eclipse</tt>
</li>
<li>support for findbugs eclipse auto-update site</li>
</ul>
</li>
<li>Updated test case files
<ul>
<li>BadRegEx.java</li>
<li>JSR166.java</li>
<li>ConcurrentModificationBug.java</li>
<li>DeadStore.java</li>
<li>InstanceOf.java</li>
<li>LoadKnownNull.java</li>
<li>NeedsToCheckReturnValue.java</li>
<li>BadResultSetAccessTest.java</li>
<li>DeadStore.java</li>
<li>TestNonNull2.java</li>
<li>TestImmutable.java</li>
<li>TestGuardedBy.java</li>
<li>BadRandomInt.java</li>
<li>six test cases added to new <code> TigerTraps </code>
directory
</li>
</ul>
</li>
<li>fix bug that was generating duplicate uids</li>
<li>fix bug with <code> -onlyAnalyze some.package.* </code> on
jdk1.4
</li>
<li>fix regression bug in
DismantleByteCode.getRefConstantOperand()</li>
<li>fix some minor bugs with the Swing GUI</li>
<li>reordered some bugInstances so that source line
annotations come last</li>
<li>removed references to unused java system properties</li>
<li>French translation updates (David Cotton)</li>
<li>Japanese translation updates (Hanai Shisei)</li>
<li>content cleanup for findbugs.xml and messages.xml</li>
<li>references to cvs hostname updated to
findbugs.cvs.sourceforge.net</li>
<li>documented xdoc output options, new
mineBugHistory/computeBugHistory options</li>
</ul>
<p>Changes since version 0.9.6:</p>
<ul>
<li>performance improvements</li>
<li>ObjectType instances are cached to reduce memory footprint
</li>
<li>for performance and memory reasons stateless detectors are
no longer cloned, must clear their own state between .class files
</li>
<li>fixed bug in bytecode-set lookup for methods (was causing
bad results for IS2, perhaps others)</li>
<li>fix some OpcodeStack bugs with integer and long
operations, perform iterative analysis when effort is <tt>max</tt>
</li>
<li>HTML output includes LongMessage text again (regression in
0.95 - 0.96)</li>
<li>New detectors
<ul>
<li>CalledMethods.java: builds a list of invoked methods for
other detectors to consult (non-reporting)</li>
<li>UncallableMethodOfAnonymousClass.java: detect anonymous
inner classes that define methods that are probably intended to
but do not override methods in a superclass.</li>
</ul>
</li>
<li>Updated detectors
<ul>
<li>FindFieldSelfAssignment.java: recognize separate fields
with the same name (one from superclass)</li>
<li>FindLocalSelfAssignment2.java: handles backward branches
better (Dave Brosius)</li>
<li>FindBadCast2.java: BC_NULL_INSTANCEOF changed to
NP_NULL_INSTANCEOF</li>
<li>FindPuzzlers.java: eliminate false positive on setDate()
(Dave Brosius)</li>
</ul>
</li>
<li>Eclipse plugin
<ul>
<li>fix serious threading bug</li>
<li>preferences for Filters and effort (Peter Hendriks)</li>
<li>French localization (David Cotton)</li>
<li>fix bug when reporting inner classes (Peter Friese)</li>
</ul>
</li>
<li>Updated test case files
<ul>
<li>Mwn.java (Carl Burke/Dave Brosius)</li>
<li>DumbMethodInvocations.java (Anto paul/Dave Brosius)</li>
<!--sic-->
</ul>
</li>
<li>XML output includes garbage collection duration</li>
<li>French messages updated (David Cotton)</li>
<li>Swing GUI shows file name after Load Bugs command</li>
<li>Ant task to launch the findbugs frame (Mark McKay)</li>
<li>miscellaneous code cleanup</li>
</ul>
<p>Changes since version 0.9.5:</p>
<ul>
<li>Updated detectors
<ul>
<li>FindNullDeref.java: respect NonNull and CheckForNull
field annotations</li>
<li>SerializableIdiom.java: detect non-private readObject
and writeObject methods</li>
<li>FindRefComparison.java: smarter array comparison
detection</li>
<li>IsNullValueAnalysis.java: detect <tt>null
instanceof</tt>
</li>
<li>FindLocalSelfAssignment2.java: suppress some false
positives (Dave Brosius)</li>
<li>FindUnreleasedLock.java: don't waste time processing
classes that don't refer to java.util.concurrent.locks</li>
<li>MutableStaticFields.java: report the source line (Dave
Brosius)</li>
<li>SwitchFallthrough.java: better handling of System.exit()
(Dave Brosius)</li>
<li>MultithreadedInstanceAccess.java: better handling of
Servlet.init() (Dave Brosius)</li>
<li>ConfusionBetweenInheritedAndOuterMethod.java: now
enabled</li>
</ul>
</li>
<li>Eclipse plugin
<ul>
<li>background processing (Peter Friese)</li>
<li>internationalization, Japanese localization (Takashi
Okamoto)</li>
</ul>
</li>
<li>findbugs <tt>-onlyAnalyze</tt> option now works on windows
platforms
</li>
<li>mineBugHistory <tt>-noTabs</tt> option for better
alignment of output columns
</li>
<li>filterBugs <tt>-fixed</tt> option (also: will now
recognize the most recent version string)
</li>
<li>XML output includes running time and memory usage data</li>
<li>miscellaneous minor corrections to the manual</li>
<li>better bytecode analysis of the <tt>iinc</tt> instruction
</li>
<li>fix bug in null pointer analysis</li>
<li>improved catch block heuristics</li>
<li>some type analysis tweaks</li>
<li>Bug priority changes
<ul>
<li>DumbMethodInvocations.java: decrease priority of
hard-coded <tt>/tmp</tt> filenames
</li>
<li>ComparatorIdiom.java: decrease priority of
non-serializable anonymous comparators</li>
<li>FindSqlInjection.java: decrease priority of appending a
constant or a static</li>
</ul>
</li>
<li>Updated bug explanations
<ul>
<li>NM_VERY_CONFUSING (Dave Brosius)</li>
</ul>
</li>
<li>Updated test case files
<ul>
<li>BadStoreOfNonSerializableObject.java</li>
<li>BadRandomInt.java</li>
<li>TestFieldAnnotations.java</li>
<li>UseInitCause.java</li>
<li>SqlInjection.java</li>
<li>ArrayEquality.java</li>
<li>BadIntegerOperations.java</li>
<li>Pilhuhn.java</li>
<li>InstanceOf.java</li>
<li>SwitchFallthrough.java (Dave Brosius)</li>
</ul>
</li>
<li>fix URL decoding bug when running under Java Web Start
(Dave Brosius)</li>
<li>distribution includes <tt>project.xml</tt> file for
NetBeans
</li>
</ul>
<p>Changes since version 0.9.4:</p>
<ul>
<li>New detectors
<ul>
<li>VarArgsProblems.java</li>
<li>FindSqlInjection.java: now enabled</li>
<li>ComparatorIdiom.java: comparators usually implement
serializable</li>
<li>Naming.java: detect methods not overridden due to
eponymously typed args from different packages</li>
</ul>
</li>
<li>Updated detectors
<ul>
<li>SwitchFallthrough.java: surpress some false positives</li>
<li>DuplicateBranches.java: surpress some false positives</li>
<li>IteratorIdioms.java: surpress some false positives</li>
<li>FindHEmismatch.java: surpress some false positives</li>
<li>QuestionableBooleanAssignment.java: finds more cases of
<tt>if (b=true)</tt> ilk
</li>
<li>DumbMethods.java: detect int remainder by 1, delayed gc
errors</li>
<li>SerializableIdiom.java: detect store of nonserializable
object into field of serializable class</li>
<li>FindNullDeref.java: fix potential exception</li>
<li>IsNullValue.java: fix potential exception</li>
<li>MultithreadedInstanceAccess.java: fix potential
exception</li>
<li>PreferZeroLengthArrays.java: flag the method, not the
line</li>
</ul>
</li>
<li>Remove some inadvertent dependencies on JDK 1.5</li>
<li>Sort order should be more consistent</li>
<li>XML output changes
<ul>
<li>Option to sort XML bug output</li>
<li>Now contains instance IDs</li>
<li>uid no longer missing (was causing problems with fancy
HTML output)</li>
<li>Typo fixed</li>
</ul>
</li>
<li>Internal changes to track source files, <tt>-sourceInfo</tt>
option
</li>
<li>Bug matching: first try exact bug pattern matching, option
to compare priorities, option to disable package moves</li>
<li>Architecture documentation in <tt>design/architecture</tt>
</li>
<li>Test cases move into their own CVS project</li>
<li>Don't report warnings that occur outside the analyzed
classes</li>
<li>Fixes to the build.xml files</li>
<li>Better handling of @CheckReturnValue and @CheckForNull
annotations (also, some additional methods searched for check
return value and check for null)</li>
<li>Fixed some stream-closing bugs (one by <tt>z-fb-user</tt>/Dave
Brosius)
</li>
<li>Bug priority changes
<ul>
<li>increase priority of ignoring return value of
java.sql.Connection methods</li>
<li>increase priority of comparing classes like Integer
using <tt>==</tt>
</li>
<li>decrease priority of IT_NO_SUCH_ELEMENT if we see any
call to <tt>next()</tt>
</li>
<li>tweak priority of NM_METHOD_CONSTRUCTOR_CONFUSION</li>
<li>decrease priority of RV_RETURN_VALUE_IGNORED for an
inherited annotation that doesn't return same type as class</li>
</ul>
</li>
<li>Updated bug explanations
<ul>
<li>RCN_REDUNDANT_NULLCHECK_WOULD_HAVE_BEEN_A_NPE</li>
<li>DP_CREATE_CLASSLOADER_INSIDE_DO_PRIVILEGED</li>
<li>IMA_INEFFICIENT_MEMBER_ACCESS (Dave Brosius)</li>
<li>some Japanese improvements to messages_ja.xml ( <tt>ruimo</tt>)
</li>
<li>some German improvements to findbugs_de.properties (Dave
Brosius, <tt>dvholten</tt>)
</li>
</ul>
</li>
<li>Updated test case files
<ul>
<li>BadIntegerOperations.java</li>
<li>SecondKaboom.java</li>
<li>OpenDatabase.java (Dave Brosius)</li>
<li>FindOpenStream.java (Dave Brosius)</li>
<li>BadRandomInt.java</li>
</ul>
</li>
<li>Source-lines info maintained for methods (handy for
abstract and native methods)</li>
<li>Remove surrounding opcodes from source line annotations</li>
<li>Better error when can't read file</li>
<li>Swing GUI: removed console pane from FindBugsFrame, fix
missing classes bug</li>
<li>Fixes to OpcodeStack.java</li>
<li>Detectors may attach a custom value to an OpcodeStack.Item
(Dave Brosius)</li>
<li>Filter.java: ability to add text messages to XML output,
fix bug with <tt>-withMessages</tt>
</li>
<li>SourceInfoMap supports ranges of source lines</li>
<li>Ant task supports the <tt>timestampNow</tt> attribute
</li>
</ul>
<p>Changes since version 0.9.3:</p>
<ul>
<li>Substantial rework of datamining code</li>
<li>Removed bogus warnings about await on things other than
Condition not being in a loop</li>
<li>Fixed bug in OpcodeStack handling of dup2 of long/double
values</li>
<li>Don't report array types as missing classes</li>
<li>Adjustment of some warnings on ignored return values</li>
<li>Added thread safety annotations from Java Concurrency in
Practice (no detectors written for these yet)</li>
<li>Added annotation for methods that, if overridden, should
be invoked by overriding methods via a call to super</li>
<li>Updated -html:fancy.xsl (Etienne Giraudy)</li>
</ul>
<p>Note: there was no version 0.9.2</p>
<p>Changes since version 0.9.1:</p>
<ul>
<!-- New detectors -->
<li>Embellish USM to find abstract methods that implement an
interface method (Dave Brosius)</li>
<li>New detector to find stores of literal booleans inside if
or while expressions (Dave Brosius)</li>
<li>New style detector to find final classes that declare
protected fields (Dave Brosius)</li>
<li>New detector to find subclass methods that simply forward,
verbatim, to the super class (Dave Brosius)</li>
<li>Detector to find instances where code is attempting to
write an object out via an implementation of DataOutput, but the
object is not guaranteed to be Serializable (Jon Christiansen,
Bill Pugh)</li>
<!-- Feature enhancements -->
<li>Large (35%) analysis speedup (Bill Pugh)</li>
<li>Add line numbers to Swing GUI code panel (Dave Brosius)</li>
<li>Added effort options to Swing GUI (Dave Brosius)</li>
<li>Add ability to specify bugs file to open from command line
for GUI version, through -loadbugs (Phillip Martin)</li>
<li>New stylesheet for generating HTML: use option <tt>-html:plain.xsl</tt>
(Chris Nappin)
</li>
<li>New stylesheet for generating HTML: use option <tt>-html:fancy.xsl</tt>
(Etienne Giraudy)
</li>
<li>Updated Japanese bug message translations (Shisei Hanai)</li>
<!-- Bug fixes -->
<li>XHTML compliance fixes for bug details (Etienne Giraudy)</li>
<li>Various detector fixes (Shisei Hanai)</li>
<li>Fixed bugs in the project preferences dialog int the
Eclipse plugin (Takashi Okamoto, Thomas Einwaller)</li>
<li>Lowered priority of analysis thread in Swing GUI (David
Hovemeyer, suggested by Shisei Hanai and Jeffrey W. Badorek)</li>
<li>Fixed EclipsePlugin to correctly pick up auxclasspath
entries (Jon Christiansen)</li>
</ul>
<p>Changes since version 0.9.0:</p>
<ul>
<li>Fixed dependence on JRE 1.5: all features should work on
JRE 1.4 again</li>
<li>Fixed -effort command line option handling for Swing GUI</li>
<li>Fixed conserveSpace and workHard attributes int Ant task</li>
<li>Added support for effort attribute in Ant task</li>
</ul>
<p>Changes since version 0.8.8:</p>
<ul>
<!-- New detectors and bug patterns -->
<li>XMLFactoryBypass detector to find direct allocation of xml
class implementations (Dave Brosius)</li>
<li>InefficientMemberAccess detector to find accesses to
owning class private members (Dave Brosius)</li>
<li>DuplicateBranches detector checks switch statements too
(Dave Brosius)</li>
<!-- Feature enhancements -->
<li>FindBugs available from findbugs.sourceforge.net as Java
Web Start application (Dave Brosius)</li>
<li>Updated Japanese bug message translations (Shisei Hanai)</li>
<li>Improved bug detail message for covariant equals() (Shisei
Hanai)</li>
<li>Modeling of instanceof checks is now enabled by default,
making the bad cast detector much more useful (Bill Pugh, David
Hovemeyer)</li>
<li>Support for detector ordering constraints in plugin
descriptor (David Hovemeyer)</li>
<li>Simpler option to control analysis effort: -effort: <i>value</i>,
where <i>value</i> is one of <code> min </code> , <code>
default </code> , or <code> max </code> (David Hovemeyer)
</li>
<li>Using -effort:max, FindNullDeref checks for null arguments
passed to methods which dereference them unconditionally (David
Hovemeyer)</li>
<li>FindNullDeref checks @Null and @NonNull annotations for
parameters and return values (David Hovemeyer)</li>
<!-- Bug fixes -->
</ul>
<p>Changes since version 0.8.7:</p>
<ul>
<!-- New detectors and bug patterns -->
<li>New detector to find duplicate code in if/else statements
(Dave Brosius)</li>
<li>Look for calls to wait() on Condition objects (David
Hovemeyer)</li>
<li>Look for java.util.concurrent.Lock objects not released on
every path out of method (David Hovemeyer)</li>
<li>Look for calls to Thread.sleep() with a lock held (David
Hovemeyer)</li>
<li>More accurate detection of impossible casts (Bill Pugh,
David Hovemeyer)</li>
<!-- Feature enhancements -->
<li>Saved XML now contains project statistics (Jay Dunning)</li>
<li>Filter files can select by bug pattern type and warning
priority (David Hovemeyer)</li>
<!-- Bug fixes -->
<li>Restored some files inadvertently omitted from previous
release (Rohan Lloyd, David Hovemeyer)</li>
<li>Make sure detectors requiring JDK 1.5 runtime classes are
only executed if those classes are available (David Hovemeyer)</li>
<li>Don't display analysis error dialog unless there is really
an error (David Hovemeyer)</li>
<li>Updated and expanded French translations of bug patterns
and Swing GUI (Olivier Parent)</li>
<li>Fixed invalid character encoding in German Swing GUI
translation (Olivier Parent)</li>
<li>Fix locale used for date format in project stats (K.
Hashimoto)</li>
<li>Fixed LongDescription elements in xml:withMessages output
format (K. Hashimoto)</li>
</ul>
<p>Changes since version 0.8.6:</p>
<ul>
<!-- new detectors -->
<li>Extend Naming detector to look for classes that are named
XXXException but that are not Exceptions (Dave Brosius)</li>
<li>New detector to find classes that expose semaphores in the
public implementation through the 'this' reference. (Dave Brosius)
</li>
<li>New Style detector to find Struts Action/Servlet derived
classes that reference instance member variable not in
synchronized blocks. (Dave Brosius)</li>
<li>New Style detector to find classes that declare
implementation of interfaces that are already implemented by super
classes (Dave Brosius)</li>
<li>New Style detector to find circular dependencies between
classes (Dave Brosius)</li>
<li>New Style detector to find unnecessary math on constants
(Dave Brosius)</li>
<li>New detector to find equality comparisons using floating
point math (Jay Dunning)</li>
<li>New faster detector to find local self assignments (Bill
Pugh)</li>
<li>New detector to find infinite recursive loops (Bill Pugh)
</li>
<li>New detector to find for loops with an incorrect increment
(Bill Pugh)</li>
<li>New detector to find suspicious uses of
BufferedReader.readLine() and String.indexOf() (Bill Pugh)</li>
<li>New detector to find suspicious integer to double casts
(David Hovemeyer, Bill Pugh)</li>
<li>New detector to find invalid regular expression patterns
(Bill Pugh)</li>
<li>New detector to find Bloch/Gafter Java puzzlers (Bill
Pugh)</li>
<!-- feature enhancements -->
<li>New system property to suppress reporting of DLS based on
local variable name (Glenn Boysko)</li>
<li>Enhancements to configuration dialog in Eclipse plugin,
allow for saving enabled detectors in Eclipse projects (Phil
Crosby)</li>
<li>Sortable columns in detector dialog (Dave Brosius)</li>
<li>New tab in gui for showing bugs grouped by category (Dave
Brosius)</li>
<li>Improved German translation of Swing GUI (Thomas Kuehne)</li>
<li>Improved source file reporting in Emacs output format (Len
Trigg)</li>
<li>Improvements to redundant null comparison detector (Bill
Pugh)</li>
<li>Localization of run analysis and analysis error dialogs in
Swing GUI (K. Hashimoto)</li>
<!-- Bug fixes -->
<li>Don't scan equals methods in FindHEMismatch if code is
native (Greg Bentz)</li>
<li>French translation fixes (David Cotton)</li>
<li>Internationalization report fixes (K. Hashimoto)</li>
<li>Japanese translations updates (SHISEI Hanai)</li>
</ul>
<p>Changes since version 0.8.5:</p>
<ul>
<!-- new detectors -->
<li>New detector to find catch blocks that may inadvertently
catch runtime exceptions (Brian Goetz)</li>
<li>New detector to find objects that are instantiated based
on classes that only have static methods and fields, using the
synthesized constructor (Dave Brosius)</li>
<li>New detector to find calls to Thread.interrupted() in a
non static context, and especially with non currentThread()
threads (Dave Brosius)</li>
<li>New detector to find calls to equals() methods that use
Object's version. (Dave Brosius)</li>
<li>New detector to find Applets that call methods in the
constructor refering to the AppletStub (Dave Brosius)</li>
<li>New detector to find some cases of infinite recursion
(Bill Pugh)</li>
<li>New detector to find dead stores to local variables (David
Hovemeyer, Bill Pugh)</li>
<li>Extend Dumb Method detector for toUpperCase(),
toLowerCase() without a locale, new Integer(1).toString(), new
XXX().getClass(), and new Thread() without a run implementation
(Dave Brosius) <!-- feature enhancements -->
</li>
<li>Ant task supports "errorProperty" attribute, which sets an
Ant property to "true" if an error occurs running FindBugs
(Michael Tamm)</li>
<li>Eclipse plugin allows filtering of warnings by bug
category, priority (David Hovemeyer)</li>
<li>Swing GUI allows filtering of warnings by bug category
(David Hovemeyer)</li>
<li>Ability to annotate methods using Java 1.5 annotations
that suppress FindBugs warnings (Bill Pugh)</li>
<li>New -adjustExperimental for lowering priority of
BugPatterns that are experimental (Dave Brosius)</li>
<li>Allow for command line options 'files' using the @ symbol
(David Hovemeyer)</li>
<li>New -adjustPriority command line option to for adjusting
bug priorites (David Hovemeyer)</li>
<li>Added an Edit menu (cut/copy/paste) to Swing GUI (Dave
Brosius)</li>
<li>French translation supplied (David Cotton) <!-- Bug fixes -->
</li>
</ul>
<p>Changes since version 0.8.4:</p>
<ul>
<!-- new detectors -->
<li>New detector for volatile references to arrays (Bill Pugh)
</li>
<li>New detector to find instanceof usage where inheritance
can be determined statically (Dave Brosius)</li>
<li>New detector to find ResultSet.getXXX updateXXX calls
using index 0 (Dave Brosius)</li>
<li>New detector to find empty zip or jar entries (Bill Pugh)
<!-- feature enhancements -->
</li>
<li>HTML output generation using built-in XSLT stylesheet or
user-defined stylesheet (David Hovemeyer)</li>
<li>Allow URLs to be specified to analyze zip/jar files, local
directories, and single classfiles (David Hovemeyer)</li>
<li>New command line option -onlyAnalyze restricts analysis to
selected classes and packages without reducing accuracy (David
Hovemeyer)</li>
<li>Allow Swing GUI to show source code in jar files on
Windows systems (Dave Brosius) <!-- Bug fixes -->
</li>
<li>Fix the Switch Fall Thru detector (Dave Brosius, David
Hovemeyer, Bill Pugh)</li>
<li>MacOS GUI fixes (Rohan Lloyd)</li>
<li>Fix false positive in BOA in case where method is
correctly and 'incorrectly' overridden (Dave Brosius)</li>
<li>Fixed memory blowup when analyzing methods which access a
large number of fields (David Hovemeyer)</li>
</ul>
<p>Changes since version 0.8.3:</p>
<ul>
<li>Initial and preliminary localization of the Swing
GUI. Translations by:
<ul>
<li>German - Peter D. Stout, Holger Stenzhorn</li>
<li>Finnish - Juha Knuutila</li>
<li>Estonian - Tanel Lebedev</li>
<li>Japanese - Hanai Shisei</li>
</ul>
</li>
<li>Eliminated debug print statements inadvertently left
enabled</li>
<li>Reverted some changes in the open stream detector: this
should fix some false positives that were introduced in the
previous release</li>
<li>Fixed a couple missing class reports</li>
</ul>
<p>Changes since version 0.8.2:</p>
<ul>
<!-- New detectors -->
<li>New detector to find improperly overridden GUI Adapter
classes (Dave Brosius)</li>
<li>New detector to find improperly setup JUnit TestCases
(Dave Brosius)</li>
<li>New detector to find variables that mask class level
fields (Dave Brosius)</li>
<li>New detector to find comparisons of values computed with
bitwise operators that always yield the same result (Tom Truscott)
</li>
<li>New detector to find unsafe getClass().getResource() calls
(Bill Pugh)</li>
<li>New detector to find GUI changes not in GUI thread but in
static main (Bill Pugh)</li>
<li>New detector to find calls to Collection.toArray() with
zero-length array argument; it is more efficient to pass an array
the size of the collection, which can be populated and returned as
the result (Dave Brosius) <!-- Analysis improvements -->
</li>
<li>Better suppression of false warnings in various detectors
(Bill Pugh, David Hovemeyer)</li>
<li>Enhancement to ReadReturnShouldBeChecked detector for
skip() (Dave Brosius)</li>
<li>Enhancement to DumbMethods detector (Dave Brosius)</li>
<li>Open stream detector does not report wrappers of streams
passed as method parameters (David Hovemeyer) <!-- Feature enhancements -->
</li>
<li>Cancel confirmation dialog in Swing GUI (Pete Angstadt)</li>
<li>Better relative path saving in Project file (Dave Brosius)
</li>
<li>Detector Priority in GUI is now saved in prefs file (Dave
Brosius)</li>
<li>Controls in GUI to reorder source and classpath entries,
and ability to flip between Project details and bugs pages (Dave
Brosius)</li>
<li>In Swing GUI, analysis error dialog supports "Select All"
and "Copy" operations for easy generation of error reports (Dave
Brosius)</li>
<li>Complete translation of bug descriptions and messages into
Japanese (Hanai Shisei) <!-- Bug fixes -->
</li>
<li>Fixed bug in DroppedException detector (Dave Brosius) <!-- Development stuff -->
</li>
<li>The source distribution defaults to using JDK 1.5 javac to
compile, but support for compiling with JSR-14 prototype is still
supported</li>
</ul>
<p>Changes since version 0.8.1:</p>
<ul>
<li>Fixed a critical ClassCastException bug (triggered if the
-workHard option was used, and an exception type was merged with
an array type during type inference)</li>
</ul>
<p>Changes since version 0.8.0:</p>
<ul>
<li>Disabled SwitchFallthrough detector to work around
NullPointerExceptions</li>
<li>Added some additional false positive suppression
heuristics</li>
</ul>
<p>Also, two contributors to the 0.8.0 release were
inadvertently left out of the credits:</p>
<ul>
<li>Pete Angstadt fixed several problems in the Swing GUI</li>
<li>Francis Lalonde provided a task resource file for the
FindBugs Ant task</li>
</ul>
<p>Changes since version 0.7.4:</p>
<ul>
<li>New detector to look for uses of "+" operator to
concatenate String objects in a loop (Dave Brosius)</li>
<li>Reference comparison detector looks for places where the
argument passed to the equals(Object) method isn't the same type
as the receiver object</li>
<li>Better suppression of false warnings in many detectors</li>
<li>Many improvements to Eclipse plugin (Andrey Loskutov,
Peter Friese)</li>
<li>Fixed problem with building Eclipse plugin on Windows
(Thomas Klaeger)</li>
<li>Open stream detector looks for unclosed PreparedStatement
objects (Thomas Klaeger, Rohan Lloyd)</li>
<li>Fix for open stream detector: it wasn't detecting close()
methods called through an invokeinterface instruction (Thomas
Klaeger)</li>
<li>Refactoring of visitor classes to enforce use of accessors
for visited class features (Brian Goetz)</li>
</ul>
<p>Changes since version 0.7.3:</p>
<ul>
<li>Experimental modification of open stream detector to look
for non-escaping JDBC resources (connections and statements) that
aren't closed on all paths out of method</li>
<li>Eclipse plugin fixed so it compiles and runs on Eclipse
2.1.x (Peter Friese)</li>
<li>Option to Swing GUI and command line to generate project
file using relative paths for archives, source directories, and
aux classpath entries (Dave Brosius)</li>
<li>Improvements to findbugs.bat script for launching FindBugs
on Windows (Dave Brosius)</li>
<li>Updated Japanese message translations (Hiroshi Okugawa)</li>
<li>Uncalled private methods are now reported as low priority,
unless they have the same name as another method in the class
(which is more likely to indicate an actual bug)</li>
<li>Added some missing data in the bug messages XML files</li>
<li>Fixed some problems building from source on Windows
systems</li>
<li>Various minor bug fixes</li>
</ul>
<p>Changes since version 0.7.2:</p>
<ul>
<li>Enhanced Eclipse plugin, which displays the detailed bug
description in a view (Phil Crosby)</li>
<li>Various tweaks to existing detectors to reduce false
warnings</li>
<li>New command line option <code> -workHard </code> enables
pruning of infeasible or unlikely exception edges, which results
in better accuracy in the open stream detector, at the expense of
a 30%-100% slowdown
</li>
<li>New website and HTML documentation design</li>
<li>Documentation includes an HTML document with descriptions
of all bug patterns reported by FindBugs</li>
<li>Web page has a link to a <a
href="http://www.simeji.com/findbugs/doc/manual_ja/index.html">Japanese
translation</a> of the FindBugs manual, contributed by Hiroshi
Okugawa
</li>
<li>Changed the Inconsistent Synchronization detector so that
fields synchronized 50% of the time (or more) are reported as
medium priority bugs (previously they were reported as low)</li>
<li>New detector to find code that catches
IllegalMonitorStateException</li>
<li>New detector to find private methods that are never called
</li>
<li>New detector to find suspicious uses of
non-short-circuiting boolean operators ( <code> & </code> and
<code> | </code> , rather than <code> && </code> and <code>
|| </code> )
</li>
</ul>
<p>Changes since version 0.7.1:</p>
<ul>
<li>Incorporated patched version of BCEL, which allows classes
compiled with JDK 1.5.0 beta to be analyzed</li>
<li>Fixed some bugs related to lookups of array classes</li>
<li>Fixed bug that prevented GUI from loading XML result files
when running under JDK 1.5.0 beta</li>
<li>Added new experimental bug detector, LazyInit, which looks
for potentially buggy lazy initializations of static fields</li>
<li>Because of long filenames, switched to distributing the
source archive as a zip file rather than a tar file</li>
<li>The 0.7.1 source tarfile was botched - 0.7.2 has a valid
source archive</li>
<li>Fixed some problems in the Ant build script</li>
<li>Fixed NullPointerException when checking Class-Path
attribute for Jar files without manifests</li>
<li>Generate version numbers for the core and UI Eclipse
plugins using the Version class; all version numbers are now in a
common location</li>
</ul>
<p>Changes since version 0.7.0:</p>
<ul>
<li>Eclipse plugin (contributed by Peter Friese)</li>
<li>Source package structure rearranged: all source (other
than Eclipse plugin UI) is in the edu.umd.cs.findbugs package, or
a subpackage</li>
<li>Class-Path attributes of manifests of analyzed jar files
are used to set the aux classpath automatically (Peter D. Stout)</li>
<li>GUI starts in directory specified by user.home property
(Peter D. Stout)</li>
<li>Added -project option to GUI (Mikko T.)</li>
<li>Added -look:{plastic,gtk,native} option to GUI, for
setting look and feel (Mikko T.)</li>
<li>Fixed DataflowAnalysisException in inconsistent
synchronization detector</li>
<li>Ant task supports failOnError parameter (Rohan Lloyd)</li>
<li>Serializable class warnings are downgraded to low priority
for GUI classes</li>
<li>MWN detector will only report calls to wait(), notify(),
and notifyAll() methods that have the correct signature</li>
<li>FindBugs works with latest CVS version of BCEL</li>
<li>Zip and Jar files may be added to the source path</li>
<li>The GUI will automatically find source files residing in
analyzed Zip or Jar files</li>
</ul>
<p>Note that the version number jumped from 0.6.6 to 0.6.9;
there were no 0.6.7 or 0.6.8 releases.</p>
<p>Changes since version 0.6.9:</p>
<ul>
<li>Added -conserveSpace option to reduce memory use at the
expense of analysis precision</li>
<li>Bug fixes in findbugs.bat script: JAVA_HOME handling,
autodetection of FINDBUGS_HOME, missing output with -textui</li>
<li>Fixed NullPointerException when a missing class is
encountered</li>
</ul>
<p>Changes since version 0.6.6:</p>
<ul>
<li>The null pointer dereference detector is more powerful</li>
<li>Significantly improved heuristics and bug fixes in
inconsistent synchronization detector</li>
<li>Improved heuristics in open stream and dropped exception
detectors; fewer false positives should be reported</li>
<li>Save HTML summary in XML results files, rather than
recomputing; this makes loading results in GUI much faster</li>
<li>Report at most one String comparison using == or != per
method</li>
<li>The findbugs.bat script on Windows autodetects
FINDBUGS_HOME, and doesn't open a DOS window when launching the
GUI (contributed by TJSB)</li>
<li>Emacs reporting format (contributed by David Li)</li>
<li>Various bug fixes</li>
</ul>
<p>Changes since 0.6.5:</p>
<ul>
<li>Rewritten inconsistent synchronization detector; accuracy
is significantly improved, and bug reports are prioritized</li>
<li>New detector to find self assignment (x=x) of local
variables (suggested by Jeff Martin)</li>
<li>New detector to find calls to wait(), notify(), and
notifyAll() on an object which is not obviously locked</li>
<li>Open stream detector now reports Readers and Writers</li>
<li>Fixed bug in finalizer idioms detector which caused
spurious warnings about failure to call super.finalize() (reported
by Jim Menard)</li>
<li>Fixed bug where output stream was not closed using non-XML
output (reported by Sigiswald Madou)</li>
<li>Fixed corrupted HTML bug detail message (reported by
Trevor Harmon)</li>
</ul>
<p>Changes since version 0.6.4:</p>
<ul>
<li>For redundant comparison of reference values, fixed false
positives resulting from duplication of code in finally blocks</li>
<li>Fixed false positives resulting from wrapped byte array
streams left open</li>
<li>Fixed bug in Ant task preventing output file from working
properly if a relative path was used</li>
</ul>
<p>Changes since version 0.6.3:</p>
<ul>
<li>Fixed bug in Ant task where output would be corrupted, and
added a <code> timeout </code> attribute
</li>
<li>Added -outputFile option to text UI, for explicitly
specifying an output file</li>
<li>GUI has a summary window, for statistics about overall bug
densities (contributed by Mike Fagan)</li>
<li>Find redundant comparisons of reference values</li>
<li>More accurate detection of Strings compared with == and !=
operators</li>
<li>Detection of other reference types which should generally
not be compared with == and != operators; Boolean, Integer, etc.</li>
<li>Find non-transient non-serializable instance fields in
Serializable classes</li>
<li>Source code may be compiled with latest early access
generics-enabled javac (version 2.2)</li>
</ul>
<p>Changes since version 0.6.2:</p>
<ul>
<li>GUI supports filtering bugs by priority</li>
<li>Ant task rewritten; supports all functionality offered by
Text UI (contributed by Mike Fagan)</li>
<li>Ant task is fully documented in the manual</li>
<li>Classes in nested archives are analyzed; this allows full
support for analyzing .ear and .war files (contributed by Mike
Fagan)</li>
<li>DepthFirstSearch changed to use non-recursive
implementation; this should fix the StackOverflowErrors that
several users reported</li>
<li>Various minor bugfixes and improvements</li>
</ul>
<p>Changes since version 0.6.1:</p>
<ul>
<li>New detector to look for useless control flow (suggested
by Richard P. King and Mike Fagan)</li>
<li>Look for places where return value of
java.io.File.createNewFile() is ignored (suggested by Richard P.
King)</li>
<li>Fixed bug in resolution of source files (only the first
source directory was searched)</li>
<li>Fixed a NullPointerException in the bytecode pattern
matching code</li>
<li>Ant task supports project files (contributed by Mike
Fagan)</li>
<li>Unix findbugs script honors the <code> JAVA_HOME </code>
environment variable (contributed by Pedro Morais)
</li>
<li>Allow .war and .ear files to be analyzed</li>
</ul>
<p>Changes since version 0.6.0:</p>
<ul>
<li>New bug pattern detector which looks for places where a
null pointer might be dereferenced</li>
<li>New bug pattern detector which looks for IO streams that
are opened, do not escape the method, and are not closed on all
paths out of the method</li>
<li>New bug pattern detector to find methods that can return
null instead of a zero-length array</li>
<li>New bug pattern detector to find places where the == or !=
operators are used to compare String objects</li>
<li>Command line interface can save bugs as XML</li>
<li>GUI can save bugs to and load bugs from XML</li>
<li>An "Annotations" window in the GUI allows the user to add
textual annotations to bug reports; these annotations are
preserved when bugs are saved as XML</li>
<li>In this release, the Japanese bug summary translations by
Germano Leichsenring are really included (they were inadvertently
omitted in the previous release)</li>
<li>Completely rewrote the control flow graph builder,
hopefully for the last time</li>
<li>Simplified implementation of control flow graphs, which
should reduce memory use and possibly improve performance</li>
<li>Improvements to command line interface (list bug
priorities, filter by priority, specify aux classpath, specify
project to analyze)</li>
<li>Various bug fixes and enhancements</li>
</ul>
<p>Changes since version 0.5.4</p>
<ul>
<li>Added an <a href="http://ant.apache.org/">Ant</a> task for
FindBugs, contributed by Mike Fagan.
</li>
<li>Added a GUI dialog which allows individual bug pattern
detectors to be enabled or disabled. Disabling certain slow
detectors can greatly speed up analysis of large programs, at the
expense of reducing the number of potential bugs found.</li>
<li>Added a new detector for finding improperly ignored return
values for methods such as <code> String.trim() </code> .
Suggested by Andreas Mandel.
</li>
<li>Japanese translations of the bug summaries, contributed by
Germano Leichsenring.</li>
<li>Filtering of results is supported in command line
interface. See the <a href="manual/index.html">FindBugs manual</a>
for details.
</li>
<li>Added "byte code patterns", a general pattern matching
infrastructure for bytecode instructions. This feature
significantly reduces the complexity of implementing new bug
pattern detectors.</li>
<li>Enabled a new general dataflow analysis to track values in
methods.</li>
<li>Switched to new control-flow graph builder implementation.
</li>
</ul>
<p>Changes since version 0.5.3</p>
<ul>
<li>Fixed a bug in the script used to launch FindBugs on
Windows platforms.</li>
<li>Fixed crashes when analyzing class files without source
line information.</li>
<li>All major errors are reported using an error dialog; file
not found errors are more informative.</li>
<li>Minor GUI improvements.</li>
</ul>
<p>Changes since version 0.5.2</p>
<ul>
<li>All of the source code and related files are in a single
directory tree.</li>
<li>Updated some of the detectors to produce source line
information.</li>
<li><a href="http://ant.apache.org/">Ant</a> build script and
several GUI enhancements and fixes contributed by Mike Fagan.</li>
<li>Converted to use a <a href="AddingDetectors.txt">plugin
architecture</a> for loading bug detectors.
</li>
<li>Eliminated generics-related compiler warnings.</li>
<li>More complete documentation has been added.</li>
</ul>
<p>Changes since version 0.5.1:</p>
<ul>
<li>Fixed a large number of bugs in the BCEL Repository and
FindBugs's use of the Repository. With these changes,
FindBugs should <em>never</em> crash or otherwise misbehave
because of Repository lookup failures. Because of these
changes, you must use a modified version of <code> bcel.jar
</code> with FindBugs. This jar file is included in the FindBugs
0.5.2 binary release. A complete patch containing the <a
href="http://faculty.ycp.edu/~dhovemey/bcel-30-April-2003.patch">modifications
against the BCEL CVS main branch as of April 30, 2003</a> is also
available.
</li>
<li>Implemented the "auxiliary classpath entry list".
Aux classpath entries can be added to a project to provide classes
that are referenced by the analyzed application, but should not
themselves be analyzed. Having all referenced classes
available allows FindBugs to produce more accurate results.</li>
</ul>
<p>Changes since version 0.5.0:</p>
<ul>
<li>Many user interface bugs have been fixed.</li>
<li>Upgraded to a recent CVS version of BCEL, with some bug
fixes. This should prevent FindBugs from crashing when there
is a failure to find a class on the classpath.</li>
<li>Added support for Plastic look and feel from <a
href="http://www.jgoodies.com/">jgoodies.com</a>.
</li>
<li>Major overhaul of infrastructure for doing dataflow
analysis.</li>
</ul>
<hr> <p>
<script language="JavaScript" type="text/javascript">
<!---//hide script from old browsers
document.write( "Last updated "+ document.lastModified + "." );
//end hiding contents --->
</script>
<p> Send comments to <a class="sidebar" href="mailto:findbugs@cs.umd.edu">findbugs@cs.umd.edu</a>
<p>
<A href="http://sourceforge.net"><IMG src="http://sourceforge.net/sflogo.php?group_id=96405&type=5" width="210" height="62" border="0" alt="SourceForge.net Logo" /></A>
</td>
</tr>
</table>
</body>
</html>
|
