<title>FindBugs™ - Find Bugs in Java Programs</title>
<link rel="stylesheet" type="text/css" href="findbugs.css" />
<td bgcolor="#b9b9fe" valign="top" align="left" width="20%">
<table width="100%" cellspacing="0" border="0">
<td align="left" valign="top">
<a href="http://findbugs.sourceforge.net/"><img src="buggy-sm.png"
alt="FindBugs logo" border="0" /> </a>
<td valign="center"> <a href="http://www.umd.edu/"><img src="informal.png"
alt="UMD logo" border="0" /> </a>
<td valign="center"> <a
href="http://www.fortifysoftware.com/products/sca40.jsp#findbugs"><img
src="Fortify.png" alt="Fortify logo" border="0" align="right" />
<td valign="center"><a
href="http://www.surelogic.com/"><img
src="surelogic.png" alt="SureLogic logo" border="0" align="right" />
FindBugs™ - Find Bugs in Java Programs
This is the web page for FindBugs, a program which uses static analysis
in Java code. It is free software, distributed under the
<a href="http://www.gnu.org/licenses/lgpl.html">Lesser GNU
Public License</a>. The name FindBugs™ and the
<a href="buggy-sm.png">FindBugs logo</a> are trademarked by
<a href="http://www.umd.edu">The University of Maryland</a>.
FindBugs is <a href="#sponsored">sponsored</a> by <a
href="http://www.fortifysoftware.com/products/sca40.jsp#findbugs">Fortify Software</a>
href="http://www.surelogic.com/">SureLogic</a>.
As of May 8th, 2007, FindBugs has been downloaded more than 368,911 times.
FindBugs requires JRE (or JDK) 1.4.0 or later to run.
However, it can analyze programs compiled for any version of Java.
The current version of FindBugs is 1.3.0, released on
09:39:09 EST, 08 November, 2007.
<a href="reportingBugs.html">We are very interested in getting feedback on how to improve
<h1><a name="moreSoftware">Additional open source projects</a></h1>
<p>The following software is being made available by the University of Maryland and the FindBugs project.
The software is still preliminary, and needs volunteers to help mature it.
<li><a href="http://code.google.com/p/multithreadedtc/">Multithreaded test case</a>, a framework designed to make it
easy to create test cases for concurrent software in which multiple threads must coordinate their activity to perform a test
(e.g., testing a concurrent blocking queue, with one thread that blocks when it tries to add to a full queue, and another thread that
unblocks the first by removing an element).
<li><a href="http://code.google.com/p/checked-uncontended-lock/">Checked uncontended lock</a>, an implementation of the Java 5 Lock
and ReadWriteLock interfaces that throw exceptions if they detect lock contention. These locks are designed to be used for debugging,
and can be used in places where you don't believe you need to use a lock but want to verify that at runtime.
<a name="sample">Sample output</a>
As an example of the kind of issues FindBugs can identify,
<a href="demo.html">we provide our results</a> on Sun's JDK
7, Eclipse, Netbeans, Glassfish and JBoss. We present
these results as a table showing the number of warnings we
generate, as an HTML report generated by FindBugs, and through a Java
Web Start demo of FindBugs that loads the results of our analysis
and the relevant source, so that you can view the source
corresponding to each of our warnings and judge for yourself the
accuracy of FindBugs.
Briefly, this table gives the number of warnings we found in
various applications we use as benchmarks:
<tr><th rowspan="2">Application</th><th colspan="2">Details</th><th colspan="2">Correctness bugs</th><th rowspan="2">Bad Practice</th><th rowspan="2">Dodgy</th><th rowspan="2">KNCSS</th></tr>
<tr><th>HTML</th><th>WebStart</th><th>NP bugs</th><th>Other</th></tr>
<tr><td align="right">Sun JDK 1.7.0-b12</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/jdk7/index.html">All</a>
</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/jdk7/index.jnlp">All</a>
<a href="http://findbugs.cs.umd.edu/demo/jdk7/small.jnlp">Small</a>
</td><td align="right">68</td><td align="right">180</td><td align="right">954</td><td align="right">654</td><td align="right">597</td></tr>
<tr><td align="right">eclipse-SDK-3.3M7-solaris-gtk</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/eclipse/index.html">All</a>
</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/eclipse/index.jnlp">All</a>
<a href="http://findbugs.cs.umd.edu/demo/eclipse/small.jnlp">Small</a>
</td><td align="right">146</td><td align="right">259</td><td align="right">1,079</td><td align="right">643</td><td align="right">1,447</td></tr>
<tr><td align="right">netbeans-6_0-m8</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/netbeans/index.html">All</a>
</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/netbeans/index.jnlp">All</a>
<a href="http://findbugs.cs.umd.edu/demo/netbeans/small.jnlp">Small</a>
</td><td align="right">189</td><td align="right">305</td><td align="right">3,010</td><td align="right">1,112</td><td align="right">1,022</td></tr>
<tr><td align="right">glassfish-v2-b43</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/glassfish/index.html">All</a>
</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/glassfish/index.jnlp">All</a>
<a href="http://findbugs.cs.umd.edu/demo/glassfish/small.jnlp">Small</a>
</td><td align="right">146</td><td align="right">154</td><td align="right">964</td><td align="right">1,222</td><td align="right">2,176</td></tr>
<tr><td align="right">jboss-4.0.5</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/jboss/index.html">All</a>
</td><td align="right">
<a href="http://findbugs.cs.umd.edu/demo/jboss/index.jnlp">All</a>
<a href="http://findbugs.cs.umd.edu/demo/jboss/small.jnlp">Small</a>
</td><td align="right">30</td><td align="right">57</td><td align="right">263</td><td align="right">214</td><td align="right">178</td></tr>
<em>KNCSS</em> - Thousands of lines of non-commenting source
<a name="try">Try FindBugs now on your project!</a>
Using Java Web Start you can try the GUI version of FindBugs now
on your project. As long as you have a 1.4 or better JRE
<a href="http://findbugs.cs.umd.edu/demo/jnlp/findbugs.jnlp">run
FindBugs now</a>. If you are using Java 1.5 or later, you will see
the new GUI that we wrote over the summer.
<a name="changes">Change history</a>
<p> The current version of FindBugs is 1.3.0. Changes since version 1.2.1:</p>
<li>New Detectors</li>
<li>edu.umd.cs.findbugs.detect.NoteDirectlyRelevantTypeQualifiers</li>
<li>edu.umd.cs.findbugs.detect.ReflectiveClasses</li>
<li>edu.umd.cs.findbugs.detect.SynchronizationOnSharedBuiltinConstant</li>
<li>DL_SYNCHRONIZATION_ON_SHARED_CONSTANT
<li>edu.umd.cs.findbugs.detect.OverridingEqualsNotSymmetrical</li>
<li>EQ_OVERRIDING_EQUALS_NOT_SYMMETRIC
<li>edu.umd.cs.findbugs.detect.CheckTypeQualifiers</li>
<li>TQ_ALWAYS_VALUE_USED_WHERE_NEVER_REQUIRED</li>
<li>TQ_NEVER_VALUE_USED_WHERE_ALWAYS_REQUIRED</li>
<li>TQ_MAYBE_SOURCE_VALUE_REACHES_ALWAYS_SINK</li>
<li>TQ_MAYBE_SOURCE_VALUE_REACHES_NEVER_SINK</li>
<li>New Reports (existing detectors)</li>
<li>edu.umd.cs.findbugs.detect.FindHEmismatch</li>
<li>EQ_DOESNT_OVERRIDE_EQUALS </li>
<li>edu.umd.cs.findbugs.detect.Naming
<li>NM_WRONG_PACKAGE</li>
<li>NM_WRONG_PACKAGE_INTENTIONAL</li>
<li>NM_SAME_SIMPLE_NAME_AS_SUPERCLASS</li>
<li>NM_SAME_SIMPLE_NAME_AS_INTERFACE</li>
<li>edu.umd.cs.findbugs.detect.FindRefComparison</li>
<li>EC_UNRELATED_TYPES_USING_POINTER_EQUALITY</li>
<li>edu.umd.cs.findbugs.detect.IncompatMask</li>
<li>BIT_SIGNED_CHECK</li>
<li>BIT_SIGNED_CHECK_HIGH_BIT</li>
<li>edu.umd.cs.findbugs.detect.LazyInit</li>
<li>LI_LAZY_INIT_UPDATE_STATIC</li>
<li>edu.umd.cs.findbugs.detect.FindDeadLocalStores</li>
<li>DLS_DEAD_STORE_OF_CLASS_LITERAL</li>
<li>edu.umd.cs.findbugs.detect.MethodReturnCheck</li>
<li>RV_RETURN_VALUE_IGNORED_BAD_PRACTICE</li>
<li>RV_EXCEPTION_NOT_THROWN</li>
<li>Changes to Existing Reports</li>
<li>NS_NON_SHORT_CIRCUIT: BAD_PRACTICE -> STYLE</li>
<li>NS_DANGEROUS_NON_SHORT_CIRCUIT: CORRECTNESS -> STYLE</li>
<li>RC_REF_COMPARISON: CORRECTNESS -> BAD_PRACTICE</li>
<li>Added importing and exporting of bug filters</li>
<li>Better handling of failed analysis runs</li>
<li>Added "-look" parameter for selecting look-and-feel</li>
<li>Fixed incorrect package filtering</li>
<li>Fixed issue where "synchronized" was not syntax-highlighted</li>
<li>Ant-task Changes</li>
<li>Refactored common ant-task code to AbstractFindBugsTask</li>
<li>Added tasks for computeBugHistory, convertXmlToText, filterBugs, mineBugHistory, setBugDatabaseInfo</li>
<li>Updates to GUI section, including new screenshots</li>
<li>Added description of rejarForAnalysis</li>
<li>Revamp of data-mining section</li>
<li>Internal restructuring for lower memory overhead</li>
<li>Fixed typo: was STCAL_STATIC_SIMPLE_DATA_FORMAT_INSTANCE now STCAL_STATIC_SIMPLE_DATE_FORMAT_INSTANCE</li>
<li>-outputFile parameter became -output</li>
<li>More sensitivity and specificity in LazyInit detector</li>
<li>More sensitivity and specificity in Naming detector</li>
<li>More sensitivity and specificity in UnreadFields detector</li>
<li>More sensitivity in FindNullDeref detector</li>
<li>More sensitivity in FindBadCast2 detector</li>
<li>More specificity in FindReturnRef detector</li>
<li>Many other tweaks and bugfixes</li>
<a href="Changes.html">Older versions...</a>
<a name="talks">Talks about FindBugs</a>
<a href="http://findbugs.cs.umd.edu/talks/findbugs.mov">Quicktime
movie</a> showing a demo of our new GUI to view some of the null
pointer bugs in Eclipse (Big file warning: 23 Megabytes)
<li><a href="http://findbugs.cs.umd.edu/talks/JavaOne2007-TS2007.pdf">JavaOne 2007 talk on Improving Software Quality Using Static Analysis</a>
<a href="http://findbugs.cs.umd.edu/talks/fb-sdbp-2006.pdf">Talk</a>
<a href="http://www.sdexpo.com/2006/sdbp/">SD Best Practices</a>,
Sept 14th (more of a hands-on tutorial about using FindBugs)
<a href="http://findbugs.cs.umd.edu/talks/fb-Sept1213-2006.pdf">Talk</a>
<a href="http://itasoftware.com/">ITA Software</a> and
<a href="http://www.csail.mit.edu/">MIT</a>, Sept 12th and 13th
(more of a research focus)
href="http://video.google.com/videoplay?docid=-8150751070230264609">Video
of talk</a> Bill Pugh gave at
<a href="http://www.google.com">Google</a>, July 6th, 2006
<a href="http://javaposse.com/index.php?post_id=95780">Java
Posse podcast interview with Bill Pugh and Brian Goetz</a>
<h1><a name="papers">Papers about FindBugs</a></h1>
<li><a href="http://findbugs.cs.umd.edu/papers/MoreNullPointerBugs07.pdf">Finding More Null Pointer Bugs,
But Not Too Many</a>, by
<a href="http://faculty.ycp.edu/~dhovemey/">David Hovemeyer</a>, York College of Pennsylvania
and <a href="http://www.cs.umd.edu/~pugh/">William Pugh</a>, Univ. of Maryland,
<a href="http://paste07.cs.washington.edu/">7th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering</a>,
<li><a href="http://findbugs.cs.umd.edu/papers/FindBugsExperiences07.pdf">Evaluating Static Analysis
Defect Warnings On Production Software,</a>
<a href="http://www.cs.umd.edu/~nat/">Nathaniel Ayewah</a> and <a href="http://www.cs.umd.edu/~pugh/">William Pugh</a>, Univ. of Maryland, and
J. David Morgenthaler, John Penix and YuQian Zhou, Google, Inc.,
<a href="http://paste07.cs.washington.edu/">7th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering</a>,
<a name="sponsors">Sponsors</a>
Financial support for the open source FindBugs project is provided by our sponsors,
href="http://www.fortifysoftware.com/products/sca40.jsp#findbugs">Fortify
href="http://www.surelogic.com/">SureLogic</a>,
href="http://www.fortifysoftware.com/products/sca40.jsp#findbugs">Fortify Software</a> sells security tools,
including Fortify Source Code Analysis, which uses static
analysis to search for security vulnerabilities (much as FindBugs
uses static analysis to look for general code quality problems).
FindBugs is integrated into Fortify's tools, providing an
integrated tool set to look for and audit both security and
quality problems (<a href="pressRelease.pdf">press release</a>).
href="http://www.surelogic.com/">SureLogic</a> provides a suite of static and dynamic tools designed
to find concurrency errors, such as data races and design errors. Starting Fall 2007, SureLogic will provide
training, consulting and support for FindBugs on a commercial basis, and will be contributing to the FindBugs open source effort.
Fortify Software now provides
<a href="http://opensource.fortifysoftware.com/">Java Open
Review, a free analysis and on-line reviewing service</a> to selected
open source projects. This provides analysis for both correctness
issues identified by FindBugs and security issues (such as SQL
injection and cross-site scripting) identified by Fortify's
href="http://www.fortifysoftware.com/products/sca40.jsp#findbugs">Source
Code Analysis</a>, and provides an on-line auditing and commenting
facility for contributors of each project. Defect warnings are not
visible to the general public, only to contributors of each
project. There is a place on the web page where you can request
that your project be included in the set of projects reviewed.
<h1><a name="support">Additional Support</a></h1>
YourKit is kindly supporting open source projects with its full-featured Java Profiler.
YourKit, LLC is creator of innovative and intelligent tools for profiling
Java and .NET applications. Take a look at YourKit's leading software products:
<a href="http://www.yourkit.com/java/profiler/index.jsp">YourKit Java Profiler</a> and
<a href="http://www.yourkit.com/.net/profiler/index.jsp">YourKit .NET Profiler</a>.
Additional financial support for the FindBugs project has been provided by
<a href="http://www.google.com">Google</a>,
<a href="http://www.sun.com">Sun Microsystems</a>,
<a href="http://www.nsf.gov">National Science Foundation</a>
grants ASC9720199 and CCR-0098162, and by a 2004
href="http://www-306.ibm.com/software/info/university/products/eclipse/eig-2004.html">IBM
Eclipse Innovation award</a>.
Any opinions, findings and conclusions or recommendations
expressed in this material are those of the author(s) and do not
necessarily reflect the views of the National Science Foundation
<p> Send comments to <a class="sidebar" href="mailto:findbugs@cs.umd.edu">findbugs@cs.umd.edu</a>