Skip to content

Patterns

The bug patterns in Codegex are derived from SpotBugs. We select SpotBugs because it (1) is the most well-known and most used static analyzer, and (2) can detect more diverse types of bugs than other tools (e.g., Error Prone, PMD, Infer).

Motivating Study

Static analysis tools rely on bug patterns to detect a potential problem or bug in a given input program. We conducted a study of SpotBugs patterns and divide them into four categories (inter-class, class, method and statement) according to the context scope they use.

Research Questions

RQ1: What is the scope of analysis needed to detect a bug pattern in SpotBugs?

RQ2: What program analysis techniques are important for detecting a bug pattern in SpotBugs?

We provides the link of study table of SpotBugs' 451 patterns (2021/01) here.

Codegex patterns

Number of Implemented Patterns

Project Number of Patterns
Bad practice (BAD_PRACTICE) 22
Correctness (CORRECTNESS) 37
Malicious code vulnerability (MALICIOUS_CODE) 1
Multithreaded correctness (MT_CORRECTNESS) 5
Performance (PERFORMANCE) 14
Dodgy code (STYLE) 8
Total 87

Supported patterns

Bad practice (BAD_PRACTICE)

  1. CNT: Rough value of known constant found (CNT_ROUGH_CONSTANT_VALUE)
  2. UI: Usage of GetResource may be unsafe if class is extended (UI_INHERITANCE_UNSAFE_GETRESOURCE)
  3. IMSE: Dubious catching of IllegalMonitorStateException (IMSE_DONT_CATCH_IMSE)
  4. Nm: Use of identifier that is a keyword in later versions of Java (NM_FUTURE_KEYWORD_USED_AS_IDENTIFIER)
  5. Nm: Use of identifier that is a keyword in later versions of Java (NM_FUTURE_KEYWORD_USED_AS_MEMBER_IDENTIFIER)
  6. Dm: Method invokes dangerous method runFinalizersOnExit (DM_RUN_FINALIZERS_ON_EXIT)
  7. FI: Explicit invocation of finalizer (FI_EXPLICIT_INVOCATION)
  8. ES: Comparison of String objects using == or != (ES_COMPARING_STRINGS_WITH_EQ)
  9. Nm: Method names should start with a lower case letter (NM_METHOD_NAMING_CONVENTION)
  10. Nm: Class names shouldn’t shadow simple name of implemented interface (NM_SAME_SIMPLE_NAME_AS_INTERFACE)
  11. Nm: Class names shouldn’t shadow simple name of superclass (NM_SAME_SIMPLE_NAME_AS_SUPERCLASS)
  12. Nm: Class names should start with an upper case letter (NM_CLASS_NAMING_CONVENTION)
  13. Nm: Class is not derived from an Exception, even though it is named as such (NM_CLASS_NOT_EXCEPTION)
  14. Se: The readResolve method must be declared with a return type of Object. (SE_READ_RESOLVE_MUST_RETURN_OBJECT)
  15. Se: serialVersionUID isn’t final (SE_NONFINAL_SERIALVERSIONID)
  16. Se: serialVersionUID isn’t static (SE_NONSTATIC_SERIALVERSIONID)
  17. Se: serialVersionUID isn’t long (SE_NONLONG_SERIALVERSIONID)
  18. RC: Suspicious reference comparison of Boolean values (RC_REF_COMPARISON_BAD_PRACTICE_BOOLEAN)
  19. FS: Format string should use %n rather than n (VA_FORMAT_STRING_USES_NEWLINE)
  20. DMI: Random object created and used only once (DMI_RANDOM_USED_ONLY_ONCE)
  21. PZ: Don’t reuse entry objects in iterators (PZ_DONT_REUSE_ENTRY_OBJECTS_IN_ITERATORS)
  22. DMI: Don’t use removeAll to clear a collection (DMI_USING_REMOVEALL_TO_CLEAR_COLLECTION)

Correctness (CORRECTNESS)

  1. IL: A collection is added to itself (IL_CONTAINER_ADDED_TO_ITSELF)
  2. Dm: Useless/vacuous call to EasyMock method (DMI_VACUOUS_CALL_TO_EASYMOCK_METHOD)
  3. DMI: BigDecimal constructed from double that isn’t represented precisely (DMI_BIGDECIMAL_CONSTRUCTED_FROM_DOUBLE)
  4. RV: Random value from 0 to 1 is coerced to the integer 0 (RV_01_TO_INT)
  5. Dm: Incorrect combination of Math.max and Math.min (DM_INVALID_MIN_MAX)
  6. Nm: Class defines hashcode(); should it be hashCode()? (NM_LCASE_HASHCODE)
  7. Nm: Class defines tostring(); should it be toString()? (NM_LCASE_TOSTRING)
  8. Nm: Class defines equal(Object); should it be equals(Object)? (NM_BAD_EQUAL)
  9. Se: The readResolve method must not be declared as a static method. (SE_READ_RESOLVE_IS_STATIC)
  10. Se: Method must be private in order for serialization to work (SE_METHOD_MUST_BE_PRIVATE)
  11. RV: Exception created and dropped rather than thrown (RV_EXCEPTION_NOT_THROWN)
  12. DMI: Reversed method arguments (DMI_ARGUMENTS_WRONG_ORDER)
  13. EC: Call to equals(null) (EC_NULL_ARG)
  14. BIT: Bitwise OR of signed byte value (BIT_IOR_OF_SIGNED_BYTE)
  15. BIT: Check for sign of bitwise operation involving negative number (BIT_SIGNED_CHECK_HIGH_BIT)
  16. BIT: Incompatible bit masks (BIT_AND)
  17. BIT: Check to see if ((…) & 0) == 0 (BIT_AND_ZZ)
  18. BIT: Incompatible bit masks (BIT_IOR)
  19. SA: Self assignment of field (SA_FIELD_SELF_ASSIGNMENT)
  20. SA: Nonsensical self computation involving a field (e.g., x & x) (SA_FIELD_SELF_COMPUTATION)
  21. SA: Nonsensical self computation involving a variable (e.g., x & x) (SA_LOCAL_SELF_COMPUTATION)
  22. SA: Self comparison of field with itself (SA_FIELD_SELF_COMPARISON)
  23. SA: Self comparison of value with itself (SA_LOCAL_SELF_COMPARISON)
  24. DLS: Useless increment in return statement (DLS_DEAD_LOCAL_INCREMENT_IN_RETURN)
  25. FE: Doomed test for equality to NaN (FE_TEST_IF_EQUAL_TO_NOT_A_NUMBER)
  26. BC: Impossible downcast of toArray() result (BC_IMPOSSIBLE_DOWNCAST_OF_TOARRAY)
  27. RE: “.” or “|” used for regular expression (RE_POSSIBLE_UNINTENDED_PATTERN)
  28. RE: File.separator used for regular expression (RE_CANT_USE_FILE_SEPARATOR_AS_REGULAR_EXPRESSION)
  29. DLS: Overwritten increment (DLS_OVERWRITTEN_INCREMENT)
  30. BSHIFT: Possible bad parsing of shift operation (BSHIFT_WRONG_ADD_PRIORITY)
  31. IM: Integer multiply of result of integer remainder (IM_MULTIPLYING_RESULT_OF_IREM)
  32. USELESS_STRING: Invocation of toString on an unnamed array (DMI_INVOKING_TOSTRING_ON_ANONYMOUS_ARRAY)
  33. DMI: Bad constant value for month (DMI_BAD_MONTH)
  34. QBA: Method assigns boolean literal in boolean expression (QBA_QUESTIONABLE_BOOLEAN_ASSIGNMENT)
  35. DMI: Vacuous call to collections (DMI_VACUOUS_SELF_COLLECTION_CALL)
  36. DMI: D’oh! A nonsensical method invocation (DMI_DOH)
  37. DMI: Collections should not contain themselves (DMI_COLLECTIONS_SHOULD_NOT_CONTAIN_THEMSELVES)

Malicious code vulnerability (MALICIOUS_CODE)

  1. FI: Finalizer should be protected, not public (FI_PUBLIC_SHOULD_BE_PROTECTED)

Multithreaded correctness (MT_CORRECTNESS)

  1. STCAL: Static Calendar field (STCAL_STATIC_CALENDAR_INSTANCE)
  2. STCAL: Static DateFormat (STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE)
  3. VO: A volatile reference to an array doesn’t treat the array elements as volatile (VO_VOLATILE_REFERENCE_TO_ARRAY)
  4. WL: Synchronization on getClass rather than class literal (WL_USING_GETCLASS_RATHER_THAN_CLASS_LITERAL)
  5. No: Using notify() rather than notifyAll() (NO_NOTIFY_NOT_NOTIFYALL)

Performance (PERFORMANCE)

  1. Dm: Maps and sets of URLs can be performance hogs (DMI_COLLECTION_OF_URLS)
  2. Dm: Method invokes inefficient new String(String) constructor (DM_STRING_CTOR)
  3. Dm: Method invokes inefficient new String() constructor (DM_STRING_VOID_CTOR)
  4. Dm: Method invokes inefficient Boolean constructor; use Boolean.valueOf(…) instead (DM_BOOLEAN_CTOR)
  5. Bx: Method invokes inefficient Number constructor; use static valueOf instead (DM_NUMBER_CTOR)
  6. Bx: Method invokes inefficient floating-point Number constructor; use static valueOf instead (DM_FP_NUMBER_CTOR)
  7. Bx: Method allocates a boxed primitive just to call toString (DM_BOXED_PRIMITIVE_TOSTRING)
  8. Bx: Boxing/unboxing to parse a primitive (DM_BOXED_PRIMITIVE_FOR_PARSING)
  9. Bx: Boxing a primitive to compare (DM_BOXED_PRIMITIVE_FOR_COMPARE)
  10. Bx: Primitive value is boxed then unboxed to perform primitive coercion (BX_BOXING_IMMEDIATELY_UNBOXED_TO_PERFORM_COERCION)
  11. Dm: Method allocates an object, only to get the class object (DM_NEW_FOR_GETCLASS)
  12. Dm: Use the nextInt method of Random rather than nextDouble to generate a random integer (DM_NEXTINT_VIA_NEXTDOUBLE)
  13. IIO: Inefficient use of String.indexOf(String) (IIO_INEFFICIENT_INDEX_OF)
  14. IIO: Inefficient use of String.lastIndexOf(String) (IIO_INEFFICIENT_LAST_INDEX_OF)

Dodgy code (STYLE)

  1. NP: Immediate dereference of the result of readLine() (NP_IMMEDIATE_DEREFERENCE_OF_READLINE)
  2. RV: Method discards result of readLine after checking if it is non-null (RV_DONT_JUST_NULL_CHECK_READLINE)
  3. UCF: Useless control flow to next line (UCF_USELESS_CONTROL_FLOW_NEXT_LINE)
  4. SA: Self assignment of local variable (SA_LOCAL_SELF_ASSIGNMENT)
  5. SA: Double assignment of local variable (SA_LOCAL_DOUBLE_ASSIGNMENT)
  6. SA: Double assignment of field (SA_FIELD_DOUBLE_ASSIGNMENT)
  7. DMI: Code contains a hard coded reference to an absolute pathname (DMI_HARDCODED_ABSOLUTE_FILENAME)
  8. DMI: Invocation of substring(0), which returns the original value (DMI_USELESS_SUBSTRING)