GenevaJug

#sonarqube

DIY:Java Static Analysis

Nicolas PERU - @benzonicoMichael GUMOWSKI - @m-g-sonar

Ego boost

● Nicolas PERU - @benzonico ○ Java developer@SonarSource○ Developer in language team○ Lead of sonar java plugin○ Geneva Jug enthusiast

● Michael GUMOWSKI○ Java developer@SonarSource○ Developer in language team○ Run half marathon in 1h24

Static Analysis

Analyze code,

without executing it.

● Back Story

Sonar Java Plugin

Challenge

Get the language.

Lexical Analysis

Only two things are infinite, the universe and human

stupidity, and I am not sure about the former.

Syntactic Analysis

Only two things are infinite, the universe and human

stupidity, and I am not sure about the former.

Albert E. Subjects Verbs

Lexical Analysis

class A { int b;}

Syntactic Analysis

class A { int b;}

Keywords

Identifiers

punctuators

Syntax Tree

+

3

2 1

+

1 + 2 + 3

interface BinaryExpressionTree {

ExpressionTree leftOperand();

SyntaxToken operatorToken();

ExpressionTree rightOperand();

}

Java pop quizz !!

[ ]

[ ] ) [ ] [ ] {

int[ ] foo(int a[ ] ) [ ] [ ] {return null;

}

int[ ] foo(int a[ ] ) [ ] [ ] {return null;

}

int[ ][ ][ ] foo(int[ ] a) {return null;

}

Semantic Analysis

Only two things are infinite, the universe and human

stupidity, and I am not sure about the former.

Albert E.

Semantic Analysis

Only two things are infinite, the universe and human

stupidity, and I am not sure about the former.

Albert E.

Semantic Analysis

class A { int b; A(int b) { this.b = b; }}

Java pop quizz !!

class Foo<T> { class T { } T myField; }

Java pop quizz !!

class Foo<T> { class T { } T myField; }

How do you know that ?

JLS is your best friend

http://docs.oracle.com/javase/specs/jls/se8/html/index.html

Java pop quizz !!

interface F1 { }

interface F2 { }

Java pop quizz !!

class A<T extends F1 & F2>{ void fun(F1 f1){} void fun(T t){} }

Java pop quizz !!

class A<T extends F2 & F1>{ void fun(F1 f1){} void fun(T t){} }

Java pop quizz !!

The erasure of a type variable is the erasure of its leftmost bound.

How do you know that ?

JLS is your best friend

http://docs.oracle.com/javase/specs/jls/se8/html/index.html

Your turn now : Custom rules !

Beyond semantic : Symbolic Execution

Object myObject = new Object();

if(a) { myObject = null; }... if( !a ) { ... } else { myObject.toString(); } //NPE

Symbolic Execution

Object myObject = new Object();

if(a) { myObject = null; }... if( !a ) { … }else { myObject.toString(); } //NPE

Program State#0myObject != null

Symbolic Execution

Object myObject = new Object();

if(a) { myObject = null; }... if( !a ) { … }else { myObject.toString(); } //NPE

Program State#0myObject != null

Program State#1myObject != nulla = false

Program State#2myObject = nulla = true

Symbolic Execution

... if( !a ) { … } else {

myObject.toString(); // NPE}

Program State#1myObject != nulla = false

Program State#2myObject = nulla = true

Program State#4myObject = nulla = true

Program State#3...

Symbolic Execution challenges

Complex flows : Try Catch Finally try { methodCall(); methodThrowingException();} catch ( CustomException e) {...}finally {...}

Symbolic Execution challenges

Complex conditions :

if(a + 1 < (b* 10 - 39) ) { if( b > a/10 + 4 ) { … } // Always true}

Symbolic Execution challenges

Explosion of states :

if(a) {...} else {...}if(b) {...} else {...}if(c) {...} else {...}instruction; //evaluated by 8 states.

Uhoh ?!

From apache vysper:https://nemo.sonarqube.org/issues/search#issues=AVJ9P2Bzm66gr6MLNW_j

Uhoh ?!

From elastic search:https://nemo.sonarqube.org/issues/search#issues=AVJ9mFy_m66gr6MLNXpJ

Reach us

sonarqube@googlegroups.com

https://groups.google.com/forum/#!forum/sonarqube

sonarsource

jobs@sonarsource.com

Q & A