SonarAnalyzer for Java: Tricky Bugs are Running Scared
For the past year, the SonarSource team behind the SonarAnalyzer for Java has invested most of its time in developing a Symbolic Execution engine in order to find the kind of tricky bugs that are almost uncatchable by developers unaided.
The SonarAnalyzer for Java’s new symbolic execution engine allows it to statically trace all the execution paths in a piece of code. We’ll probably do a blog post in the near future to explain all the related concepts: Program Point, Program State, Symbolic Value, Control Flow Graph, Stack of Symbolic Values, Constraints on Symbolic Values, … but for the time being let’s just see the engine in action.
Example 1 is a null pointer dereference in the Apache Tika project. The nullability of an object is guessed here from a test done in the code.
Example 2 is also an NPE in the Apache Tika project. This time the nullability is due to a badly handled exception.
Example 3 is a useless condition in the Spark project.
Example 4 returns to Apache Tika with a suspect unreachable branch.
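To make the concepts concrete (Program State, Symbolic Value, Constraints, path exploration), here is a toy symbolic-execution engine as an added example. It is not SonarSource's code and is far simpler than the real engine: it works over a constructed mini-IR in which each statement is a tuple (label, operation, arguments), tracks a single kind of constraint on each symbolic value (null / not-null), and forks the program state at every null check. The programs EXAMPLE_1, EXAMPLE_3 and EXAMPLE_4 are reconstructed from the descriptions above (nullability learned from a test, a useless condition, an unreachable branch), not from the Apache Tika or Spark sources; the exception-driven NPE of Example 2 is not modelled.

```python
"""Toy symbolic-execution engine over a constructed null-tracking IR (added example)."""

NULL, NOT_NULL = "null", "not-null"   # constraints a symbolic value can carry (None = unconstrained)


def analyze(block):
    """Explore every feasible path of `block` and return the deduplicated, sorted findings."""
    findings = []
    _run(block, [{}], findings)       # one initial program state, no constraints yet
    return sorted(set(findings))


def _run(block, states, findings):
    """Push every program state through the statements of a block, one statement at a time."""
    for stmt in block:
        states = [s for st in states for s in _step(stmt, st, findings)]
        if not states:
            break                     # every path has returned or thrown
    return states


def _step(stmt, st, findings):
    """Apply one statement to one program state; return the successor states."""
    line, op, *args = stmt
    if op == "assign":                # x = null; / x = new Foo(); / x = unknownCall();
        var, constraint = args
        return [{**st, var: constraint}]
    if op == "deref":                 # x.method()
        (var,) = args
        if st.get(var) == NULL:
            findings.append(f"{line}: NullPointerException: '{var}' is null on this path")
            return []                 # this path ends with the exception
        return [{**st, var: NOT_NULL}]    # a successful dereference proves x != null from here on
    if op == "if_null":               # if (x == null) { then_b } else { else_b }
        var, then_b, else_b = args
        c = st.get(var)
        if c == NULL:
            findings.append(f"{line}: condition '{var} == null' is always true; else-branch unreachable")
            return _run(then_b, [st], findings)
        if c == NOT_NULL:
            findings.append(f"{line}: condition '{var} == null' is always false; then-branch unreachable")
            return _run(else_b, [st], findings)
        # Unconstrained: fork the state, each branch learns the constraint its condition implies.
        return (_run(then_b, [{**st, var: NULL}], findings)
                + _run(else_b, [{**st, var: NOT_NULL}], findings))
    if op == "return":
        return []                     # path terminates normally
    if op == "log":
        return [st]                   # no effect on tracked constraints
    raise ValueError(f"unknown operation {op!r}")


# Example 1 pattern: the null check at L2 tells the engine x may be null,
# yet L4 dereferences x on the path where the check was true.
EXAMPLE_1 = [
    ("L1", "assign", "x", None),                  # x = lookup();   nullness unknown
    ("L2", "if_null", "x", [("L3", "log", "x is null")], []),
    ("L4", "deref", "x"),                         # x.size();
]

# Example 3 pattern: after the early return, x is known not-null, so the second check is useless.
EXAMPLE_3 = [
    ("L1", "assign", "x", None),
    ("L2", "if_null", "x", [("L3", "return")], []),               # if (x == null) return;
    ("L4", "if_null", "x", [("L5", "log", "dead")], [("L6", "deref", "x")]),
]

# Example 4 pattern: the dereference at L2 already proves x != null, so the then-branch at L3 is dead.
EXAMPLE_4 = [
    ("L1", "assign", "x", None),
    ("L2", "deref", "x"),
    ("L3", "if_null", "x", [("L4", "log", "unreachable")], []),
]

# The corrected form of Example 1: every path reaching L4 carries the not-null constraint.
SAFE = [
    ("L1", "assign", "x", None),
    ("L2", "if_null", "x", [("L3", "assign", "x", NOT_NULL)], []),   # if (x == null) x = new Foo();
    ("L4", "deref", "x"),
]

if __name__ == "__main__":
    for name, prog in [("EXAMPLE_1", EXAMPLE_1), ("EXAMPLE_3", EXAMPLE_3),
                       ("EXAMPLE_4", EXAMPLE_4), ("SAFE", SAFE)]:
        print(name, analyze(prog) or "no findings")
```

The engine does exactly what the post describes at a small scale: the program state is the dictionary of constraints, a null check splits one state into two (one per feasible branch), a dereference either reports an NPE when the value is constrained to null or records the not-null fact it proves, and a condition whose outcome is already fixed by the current constraints is reported together with the branch that can never execute. Real engines additionally bound path explosion and merge states, which this toy omits.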
Based on those few examples I guess it’s pretty easy to understand how valuable it can be to quickly get this information early in the development lifecycle. So how can you benefit from the SonarAnalyzer for Java? Either by getting on-the-fly feedback directly in your favorite Java editor with SonarLint for Eclipse or SonarLint for IntelliJ, or by integrating SonarQube analysis into your build process to continuously feed the SonarQube server.
Tricky bugs are running scared. The hunt is on!