New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
improve error-prone configuration for int-overflow bugs #11910
Comments
I think static analysis will be a significant help. So, I did a quick check at turning on Its flagging things like this as bad behavior: long function(int v) {
return v - 2;
} or this long foo() {
return 2 * 2
} As an aside, almost every single We may need something more nuanced or focused besides |
maybe we could even turn it on, and dump its output here as a one-time thing? we can just take a pass through it, and filter out the noisy ones. I realize it isn't ideal and doesn't improve the build, but it still helps us try to look for similar bugs. |
I can understand where it signals a problem but can't determine the domain (the v - 2 can underflow if you pass v small enough)... The 2* 2 case is odd, I'm surprised it doesn't see a constant there. I'm not a big fan of many of those tools - I agree they're noisy - but from time to time they do find real problems. |
I'm not looking into
These checks are finding some interesting stuff. I wish i knew a way to make error-prone show all the failures (like javac would). Instead the plugin fails on the first error and I have to fix that one and run it again (slowly) to see the next. Its brutally painful. |
So I'm 95% sure this is possible. There are two parts to it.
I was able to get the first part to work by adding PS FWIW I enabled a whole bunch of errorprone rules in Solr recently: |
-Pjavac.failOnWarnings=false should do it. Look at javac.gradle, we specifically enable -Werror:
|
Example of doing this in PR here: #11921 run with:
should do what you want. |
I put the output for enabling |
OK i checked out old git hash before #11905 commit, seems like "NarrowCalculation" is the best one? I think i made a mistake trying to turn on too many checks at once. I enabled the check like this:
And I run checker with Here's what this check said for the old buggy code with overflow, it seems to find it?:
Here's the log file against current main branch. This is about as narrow as I can get, as far as a check that would find the previous bug, to look for similar bugs and reduce the noise. I think this check looks worth enabling, we can just add some Turning on other checks such as narrow-compound-assignment would be good and reveals even more interesting stuff but its a separate amount of work. |
i've worked thru src/java and now i gotta deal with src/test, then ill make a PR so we can see what it looks like |
Description
As mentioned by @dweiss and @benwtrent in #11905, some static analysis could help here. Maybe it can force us to do a pass reviewing other sketchy possible bugs like this in the codebase, and help prevent new ones from popping up in the future.
I already looked into ecj (including their latest mainline) and don't see any applicable checks. So, let's look into error-prone?
The text was updated successfully, but these errors were encountered: