FindBugs plugins

FindBugs is a key code quality tool for Java based projects.

It includes several dozens of bug patterns which are used by FindBugs to identify potential bugs and, more in general, weaknesses in our code.

FindBugs has a plugin architecture which can be used to extend the set of detectors (bug patterns) used during the analysis.

There are few open source projects which aim to develop FindBugs plugin.

My preferred one is Fb-Contrib which contains a significant amount of additional detectors. See here for the complete list. Most of them are really useful to detect poor code quality.

Another interesting plugin is Find Security Bugs; the focus here is on security vulnerabilities (list here) like using unsecured random generator or not checking data received from the user.

Let’s have a look at versions dependencies:

JDK FindBugs FB-Contrib Find Security Bugs
7 and 8 3.x 6.x 1.3 and above
5 and 6 2.x 5.x 1.2

All plugins are released in .jar format and they can be easily added to the FindBugs :

  • FindBugs stand-alone: place the jar in the plugins dir inside FindBugs installation dir
  • Eclipse FindBugs plugin: use the plugin options to specify the plugin path or place the jar file inside FindBugs plugins dir
  • NetBeans FindBugs integration: use Custom FindBugs Plugins button inside Editor → Hints → FindBugs page.
  • IntelliJ FindBugs plugin: add new plugin in the Plugin Configuration tab.

After adding new plugins, review the list of detectors enabled. New detectors are usually added but not enabled.

Not null arguments in Java private methods

After the article on not null arguments on public methods, let’s talk about class private methods.

Checking the public method arguments is necessary to guarantee that methods callers are respecting the class API contract.

On the contrary, private methods are not visible to outside code so there is no need the detect contracts violation.

So, can we skip to check nullity of our private methods arguments ?

The answer is no.

Private methods are called by other methods from the same class so we (not class users) are responsible to guarantee that the methods are invoked correctly.

If we pass a null argument to a private method which need a non null argument, this is a bug in our code and we should fix it.

Joshua Bloch, in his famous Effective Java book, suggest to check private methods arguments using assertion.

This is correct approach because assertion are usually enabled during development and test, while we are debugging our code, and disabled in production code.

Let me make small example:

private void metSimple(final String arg) {
    System.out.println(arg.length());
}

The String argument arg of this method cannot be null. Best approach is to check the argument at the begin of the method body:

private void metChecked(final String arg) {
    assert arg != null;
    System.out.println(arg.length());
}

During the devolpment of the class (with assertions enabled) which uses the method, the assert will check nullity of the argument. Assertion error will help us to debug and improve our code.

To have better support from the IDE, we can also use Nonnull annotation (see this article for more details) like as follows:

private void metAnnotatedChecked(@javax.annotation.Nonnull final String arg) {
    assert arg != null;
    System.out.println(arg.length());
}

This is the preferred solution: assert check run at execution time while Nonnull annotation guides the IDE to detect improper method calls.

Using NetBeans 7.3 we have following situation:
NetBeans 7.3

NetBeans detects wrong method calls at lines 14 and 15 thanks to annotations while it does not find problems on lines 12 and 13.

NetBeans is also reporting an “Unnecessary test for null – the expression is never null”) on the assert line.This is a false message because the annotation cannot guarantee that arg method is never null; I have opened a bug report.

Update: this has been fixed on NetBeans 7.4

Using IntelliJ IDEA 12.1 Community Edition we have the following:

IntelliJ

Curiously the two IDEs have the same behavior:

  • same correct warnings (lines 14 and 15)
  • same missed warnings (lines 12 and 13)
  • same “bug” on line 32

Most probably there is some code sharing between the tools.

Eclipse users: please look at the comments on the my article on public methods.

Not null arguments in Java public methods

As Java programmer, one of my references is Joshua Bloch’s Effective Java. In this book, the theme 38 says we should always check the validity of the arguments on each method.

No excuse.

For example, let’s have a very dummy method which prints on the standard output the length of the String passed as argument:

public void metSimple(String arg) {
    System.out.println(arg.length());
}

if we call this method with a null String, we will get a Null Pointer Exception (NPE) at run-time.

Accordingly to Bloch’s book, we should add a proper check to validate the argument like as follow:

public void metChecked(final String arg) {
    if (arg == null) {
        throw new NullPointerException("Argument arg is null");
    }
    System.out.println(arg.length());
}

The check will assure us that the body of the method (here just a simple System.out.println but in real code will be more complex) can work on the argument arg without problems, knowing that the string arg is not null.

Note: we should not use assert instructions to check public methods arguments. Reason is that assert can be disabled. There is also an old but still valid Java article on assertions on this.

The nullity check is done at run-time so we need to work on testing side to have reasonable confidence that null condition (i.e the NPE) will not really happen in front of our customers.

Can we also have some support during coding? I mean, from our fabulous IDE?

Yes, but we need to help them, adding a “not null” annotation on the argument. There are several of these annotations but the standard is @javax.annotation.Nonnull.

Our method becomes:

public void metAnnotatedChecked(@Nonnull final String arg) {
    if (arg == null) {
        throw new NullPointerException("Argument arg is null");
    }
    System.out.println(arg.length());
}

The @Nonnull annotation is from jsr305 library. Maven users can add it in the pom the following dependency:

<dependency>
    <groupId>com.google.code.findbugs</groupId>
    <artifactId>jsr305</artifactId>;
    <version>2.0.1</version>;
</dependency>

The @Nonnull annotation simply says: dear method users, do not try to invoke it with a null as argument.

Important: the @Nonnull annotation is simply an annotation, a kind of hint for the tools. It is not a run-time check and it does not enforce or guarantee that nobody can call the method with a null argument. So our “if arg == null” check should stay there.

The IDEs use these annotations (there are also others like CheckForNull) to perform additional checks (named “null analysis”) during coding. Not at run-time. These checks complements the run-time checks.

Let’s how most popular IDEs use these annotations. To check their behavior I created a calling class as follows: