Over a million developers have joined DZone.

Finding bugs that matter with Findbugs


What is FindBugs?

     FindBugs is an open source static analysis tool that analyzes Java class files


     Developed from Research at University of Maryland, led by Bill Pugh

     Looks for  for programming defects based on  ~ 300 different bug patterns from real bugs

     bug patterns are grouped into categories: correctness, bad practice, performance…

     each pattern assigned a priority: high, medium or low.

     High-Medium priority have low false positive rates: effort was put into trying to ensure that issues reported as high or medium priority correctness issues were issues that had a low false positive rate, and that developers would be interested in examining all issues reported as high or medium priority correctness issues, even in large code bases.


FindBugs looks for  Bugs  based on real bug Patterns:

      broad and common patterns:

      a read or write on a null pointer


      Methods whose return value should not be ignored

      Also specific bug patterns:

      Every Programming Puzzler

      Eclipse documented bug fixes

      Every chapter in Effective Java

      lots from Worse than failure : http://thedailywtf.com/



Some Bug Patterns:



Cloneable Not Implemented Correctly


Double Checked Locking


Dropped Exception


Suspicious Equals Comparison


Bad Covariant Definition of Equals


Equal objects must have equal hashcodes


Inconsistent Synchronization


Static Field Modifiable By Untrusted Code


Null Pointer Dereference


Non-Short-Circuit Boolean Operator


Open Stream


Redundant Comparison to Null


Read Return Should Be Checked


Return Value Should Be Checked


Non-serializable Serializable Class


Uninitialized Read In Constructor


Unconditional Wait


Wait Not In Loop





Misconceptions about Bugs:


     Programmers are smart

     Smart people don’t make dumb mistakes


     Smart people make dumb mistakes

     Common errors:

     wrong boolean operator, forgetting parentheses, etc. Misunderstood class or method  !


Who uses Findbugs?

     Developed from Research at University of Maryland

     Google, Ebay, Sun, Wells Fargo…

     Bill Pugh , Professor from University of Maryland, spent a year sabbatical at Google  working Findbugs  into their development process:

     Google runs FindBugs over all Java code

     1800s issues identified, > 600 fixed.

     Ebay found 2 developers reviewing  Findbugs  was 10 times more effective than 2 testers



Some Bug Categories

• Correctness - the code is doing something wrong, you should look at it

• Bad practice - the code violates good practice

      Dodgy Code



• Security defect



Can you find the Bug below ?


public String sendMessage (User user, String body, Date time) {

    return sendMessage(user, body, null);



public String sendMessage (User user, String body, Date time, List attachments) {

   String xml = buildXML (body, attachments);

   String response = sendMessage(user, xml);

   return response;



This line causes an Infinite recursive loop. This bug is  high priority,  in the correctness category.

return sendMessage(user, body, null);



Can you find the Bug below ?


public String foundType() {

   return this.foundType();



Should be

public String foundType() {

   return this.foundType;



This is another example of an infinite recursive loop. This bug is found often  in a decorator pattern when you forget to delegate to another method

 Findbugs found 5 infinite recursive loops in  JDK1.6.0-b13.  Including this one written by Joshua Bloch

• Smart people make dumb mistakes

• 27 across all versions of JDK, 31 in Google’s Java code

• Embrace and fix your dumb mistakes!



Can you find the Bug?

if (name != null || name.length > 0)


Should be

if (name != null && name.length > 0)

this null pointer bug was found in com.sun.corba



Can you find the Bug?
private final String _lock = "LOCK";

Constant Strings are shared (even private ones) across all other classes loaded by the JVM. This could lead to unexpected deadlocks in conjunction with other code. This bug was found in Jetty.



This null pointer bug was in Eclipse since  3.2:

if (adapters == null && adapters.length == 0)



•example of  statement or branche that if executed guarantee that a null pointer exception will occur

but in this case adapters is probably never null, that’s why it didn’t get noticed.

      some mistakes don’t matter much, because  the impact of the mistake is minimal.

null pointer exceptions usually get noticed. A harder error to find is that it won’t return if the length is 0.


Can you find the bug?

try { ... }

catch (IOException e) {

  new SAXException("Server side Exception:" + e);



The Exception is created and dropped rather than thrown, Should be :

  throw new SAXException("Server side Exception:" + e);



Can you find the Bug?

public static String getNameById(String userId) {

    String str = userId;


    str.replace(' ', '_');


    return str;



Ignores the return value of the replace() method, Should be:

     str= str.replace(' ', '_');


A very common mistake is ignoring the return value on methods whose return value shouldn't be ignored.

• Strings are immutable, so functions like trim() and replace() return a new String.



What does this Print?


Integer one = 1;

Long addressTypeCode = 1L;

if (addressTypeCode.equals(one)) {


} else {

     System.out.println("not equals");



It prints "not equals". According to the contract of equals(), objects of different classes should always compare as unequal


Incomparable equality:


      Using .equals to compare incompatible types

      Using .equals to compare arrays

      only checks if the same array

      Checking to see if a Set<Long> contains an Integer

      never found, even if the same integral value is contained in the map

      Calling get(String) on a Map<Integer,String>

      Returns false , not an error

     These bugs may be hard to find on your own

      Types not always explicit

      May be introduced by refactoring

            For example a Google refactoring changed a method to return byte[ ] rather than String



Bugs that Matter…

You can have mistakes which don't actually cause problems. Bugs that matter depend on the context.  Not every bug found matters, but the effective use of Findbugs can remove bugs cheaper than with other methods


What is the best way to use Findbugs?

You want to find an effective way to use static analysis to improve software quality. 5-10% of mistakes can be found with Findbugs, for some types of bugs it can find all of them.  Testing and running code in production will find the bugs that matter, the bugs that cause problems .  If you run Findbugs on code in production , then a lot of bugs have been fixed, if you run on new code your are more likely to find bugs. The reason to use findbugs is not to fix all your quality problems, but rather for the issues it does find,  finding and fixing with Findbugs is cheaper than finding with testing or causing a problem in production.

      Use Findbugs on new code to remove bugs cheaply before bugs are detected using more expensive techniques

      The best time to have a developer  look at a warning is when it is introduced, while the code is fresh in a developer’s head.


Expensive Mistakes are …

      Mistakes that fail silently

      Bugs that silently cause the wrong answer to be computed are the scariest bugs, because they will not be noticed easily .

      Mistakes that cause loss of money when they occur

      Mistakes that are hard to fix

Mistakes that matter ($$)  can be found by testing or eventually in production,  but it is cost effective to find bugs  before testing and production with findbugs.



Runtime exceptions can be your friend… runtime exceptions can point you right where the error is

If a mistake causes a runtime exception, then the mistake will be found  and corrected .

Throwing a runtime exception is often a reasonable way to fail safely and report a failure.

Runtime exceptions represent conditions that reflect errors in your program's logic and cannot be reasonably recovered from



Can you find the Bug?

// calculate DR amount by aggregating CR amounts

BigDecimal drAmount = new BigDecimal(0);

for (JournalEntry je: journalEntries)


     // persist to db


        drAmount, // aggregated amount

        true, // Debit





Ignores return value of BigDecimal.add(), should be


 drAmount= drAmount.add(je.getCrAmount());


This bug would have cost $ in production, but fixed at Google, within 30 minutes of being reported.


Can you find the Bug?

int value2;

Public boolean equals(Integer value1){

  return value1== intValue() ;


public Integer intValue() {

  return value2;



Uses reference equality rather than .equals, should be:

Public boolean equals(Integer value1){

  return value1.equals(intValue() );



For boxed primitives, == and != are computed using pointer equality, but <, <=, >, >= are computed by comparing unboxed primitive values. This can bite you on other classes (e.g., String), but boxed primitives is where people get bit



Concurrency Bugs

      Inconsistent synchronization –

      a lock is held   sometimes when field accessed

      Problems with wait/notify –

      e.g., call to wait() not in loop

      unsafe lazy initialization of static field



Can you find the bug?

synchronized (object) {

  if (<condition does not hold>) {



  // Proceed when condition holds



Should be:

synchronized (object) {

  while (<condition does not hold>) {



  // Proceed when condition holds



Use Java 5!  simplified concurrency , less likely to make these mistakes.



Running FindBugs

      Eclipse plugin


      Run with Hudson build



      Findbugs home page


      Bill Pugh Findbugs Devoxx talk


      Bill Pugh Oredev talk:




{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}