What's your worst bug that Findbugs found?

Question

What's the trickiest bug that Findbugs (or similar static analysis tool) has found in your code that you wouldn't have caught without using such tools?

Code snippets of offending code would be much appreciated.

Has the effort from running such tools and dealing with the false positives been worth it or would alternative methods (code reviews, etc.) been a better use of your time? If you use these tools, do you implement them as part of the build, and do you fail the build if there are warnings from the analysis tools?

Answer 1

"Has the effort from running such tools and dealing with the false positives been worth it or would alternative methods (code reviews, etc.) been a better use of your time? If you use these tools, do you implement them as part of the build, and do you fail the build if there are warnings from the analysis tools?"

I use findbugs, checkstyle, and PMD all the time. When I was teaching (on sabatical at the moment) I had my students run them all as well for each assignment. Their code was much better for running it than for not.

No particular type of bug stands out, so not examples.

When I used to work at a company producing a Java IDE that was mix of C/C++/Java we moved from one compiler to MS VC++. That effort took about a year for one person. At the end of it there were about 60 projects and several had their warnings disabled. In a fit of annoyance one day I turned all 60 projects up to W4 (the highest they would go). We had over 100,000 warnings (I think the reporting cap is 100,000 so who knows how many we had!).

The most spectacular error there was a pointer to a pointer that was assigned the value of some random spot in memory. We changed it so the random spot was NULL and everytime you dragged a control off the toolbar onto a form on the GUI Builder the IDE would crash. I have no idea how it managed to work as well as it did before that.

Contrast this to when I worked at a research lab and we were not allowed to check in code with warnings.

The tools are worth it, they will find issues in the code - and fixing issues is a good thing. It is best to run the tools on the code early and fix often. There was no way we could ever run a lint program on the IDE source until we had cleaned up the warnings from the compiler. If you let your code get that dirty you will likely have a huge number of bugs and working on the code will not be pleasant.

My preference is to run the tools along with the build and fix them before running any unit tests. Any time you spend fixing the issues is well worth it. In my experience there are not a huge number of false positives in either my (IMO well written) code, or my students (not so well written) code.