Fix detector StringConcatenation to detect bug SBSC_USE_STRINGBUFFER_…

…CONCATENATION also in Java 11 and above (#2186)

* Test for Issue #2182

* Fix detector `StringConcatenation` to detect bug `SBSC_USE_STRINGBUFFER_CONCATENATION` also in Java 11 and above

Instead of using `StringBuffer` or `StringBuilder` internally, Java 11 and above uses a dynamic call to `makeConcatWithConstants()` to append strings. However, in case of loops, this is still less efficient than creating a `StringBuffer` or `StringBuilder` outside the loop and using it inside to build the string. Previously, the `StringConcatenation` detector missed all the cases in Java 11 and higher, but this PR fixes this. See issue [#2182](#2182).

* Updated according to the comments of @ThrawnCA

Co-authored-by: Kengo TODA <skypencil@gmail.com>

CHANGELOG.md

@@ -9,6 +9,7 @@ Currently the versioning policy of this project follows [Semantic Versioning v2.
 - Fixed detector `DontUseFloatsAsLoopCounters` to prevent false positives. ([#2126](https://github.com/spotbugs/spotbugs/issues/2126))
 - Fixed regression in `4.7.2` caused by ([#2141](https://github.com/spotbugs/spotbugs/pull/2141))
 - improve compatibility with later version of jdk (>= 13). ([#2188](https://github.com/spotbugs/spotbugs/issues/2188))
+- Fixed detector `StringConcatenation` to detect bug `SBSC_USE_STRINGBUFFER_CONCATENATION` also in Java 11 and above ([#2182](https://github.com/spotbugs/spotbugs/issues/2182))
 - Fixed `OpcodeStackDetector` to to handle propagation of taints properly in case of string concatenation in Java 9 and above ([#2183](https://github.com/spotbugs/spotbugs/issues/2183))
 - Bump up log4j2 binding to `2.19.0`
 - Bump ObjectWeb ASM from 9.3 to 9.4 supporting JDK 20 ([#2200](https://github.com/spotbugs/spotbugs/pull/2200))

spotbugs-tests/src/test/java/edu/umd/cs/findbugs/detect/Issue2182Test.java

@@ -0,0 +1,36 @@
+package edu.umd.cs.findbugs.detect;
+
+import org.junit.Before;
+import org.junit.Test;
+
+import edu.umd.cs.findbugs.AbstractIntegrationTest;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcher;
+import edu.umd.cs.findbugs.test.matcher.BugInstanceMatcherBuilder;
+
+import static org.junit.Assume.assumeFalse;
+import static org.junit.Assume.assumeThat;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.hasItem;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.number.OrderingComparison.greaterThanOrEqualTo;
+
+public class Issue2182Test extends AbstractIntegrationTest {
+    @Before
+    public void verifyJavaVersion() {
+        assumeFalse(System.getProperty("java.specification.version").startsWith("1."));
+        int javaVersion = Integer.parseInt(System.getProperty("java.specification.version"));
+        assumeThat(javaVersion, is(greaterThanOrEqualTo(11)));
+    }
+
+    @Test
+    public void test() {
+        performAnalysis("../java11/ghIssues/Issue2182.class");
+        BugInstanceMatcher matcher = new BugInstanceMatcherBuilder()
+                .bugType("SBSC_USE_STRINGBUFFER_CONCATENATION")
+                .inClass("Issue2182")
+                .inMethod("test")
+                .atLine(22)
+                .build();
+        assertThat(getBugCollection(), hasItem(matcher));
+    }
+}

spotbugs/src/main/java/edu/umd/cs/findbugs/detect/StringConcatenation.java

@@ -29,9 +29,10 @@
 
 import edu.umd.cs.findbugs.BugInstance;
 import edu.umd.cs.findbugs.BugReporter;
-import edu.umd.cs.findbugs.BytecodeScanningDetector;
 import edu.umd.cs.findbugs.StatelessDetector;
 import edu.umd.cs.findbugs.SystemProperties;
+import edu.umd.cs.findbugs.OpcodeStack.Item;
+import edu.umd.cs.findbugs.bcel.OpcodeStackDetector;
 import edu.umd.cs.findbugs.visitclass.DismantleBytecode;
 
 /**
@@ -42,7 +43,7 @@
  * @author Dave Brosius
  * @author William Pugh
  */
-public class StringConcatenation extends BytecodeScanningDetector implements StatelessDetector {
+public class StringConcatenation extends OpcodeStackDetector implements StatelessDetector {
     private static final boolean DEBUG = SystemProperties.getBoolean("sbsc.debug");
 
     static final int SEEN_NOTHING = 0;
@@ -61,8 +62,6 @@ public class StringConcatenation extends BytecodeScanningDetector implements Sta
 
     private boolean reportedThisMethod;
 
-    private int registerOnStack = -1;
-
     private int stringSource = -1;
 
     private int createPC = -1;
@@ -91,7 +90,6 @@ public void visit(Method obj) {
     private void reset() {
         state = SEEN_NOTHING;
         createPC = -1;
-        registerOnStack = -1;
         stringSource = -1;
 
         // For debugging: print what call to reset() is being invoked.
@@ -119,6 +117,23 @@ private boolean storeIntoRegister(int seen, int reg) {
         }
     }
 
+    private int getRegisterOnStack() {
+        return getRegisterOnStack(0);
+    }
+
+    private int getRegisterOnStack(int idx) {
+        if (idx >= stack.getStackDepth()) {
+            return -1;
+        }
+
+        Item item = stack.getStackItem(idx);
+        if (item == null) {
+            return -1;
+        }
+
+        return item.getRegisterNumber();
+    }
+
     @Override
     public void sawOpcode(int seen) {
         if (reportedThisMethod) {
@@ -161,10 +176,15 @@ public void sawOpcode(int seen) {
             if ((seen == Const.NEW) && getClassConstantOperand().startsWith("java/lang/StringBu")) {
                 state = SEEN_NEW;
                 createPC = getPC();
+            } else if (seen == Const.INVOKEDYNAMIC && "makeConcatWithConstants".equals(getNameConstantOperand())) {
+                state = CONSTRUCTED_STRING_ON_STACK;
+                stringSource = getRegisterOnStack(1);
+                createPC = getPC();
             }
             break;
 
         case SEEN_NEW:
+            int registerOnStack = getRegisterOnStack();
             if (seen == Const.INVOKESPECIAL && Const.CONSTRUCTOR_NAME.equals(getNameConstantOperand())
                     && "(Ljava/lang/String;)V".equals(getSigConstantOperand())
                     && getClassConstantOperand().startsWith("java/lang/StringBu") && registerOnStack >= 0) {
@@ -263,32 +283,10 @@ && getClassConstantOperand().startsWith("java/lang/StringBu")) {
         if (seen == Const.INVOKESTATIC && "valueOf".equals(getNameConstantOperand())
                 && "java/lang/String".equals(getClassConstantOperand())
                 && "(Ljava/lang/Object;)Ljava/lang/String;".equals(getSigConstantOperand())) {
-            // leave registerOnStack unchanged
-        } else {
-            registerOnStack = -1;
-            switch (seen) {
-            case Const.ALOAD_0:
-                registerOnStack = 0;
-                break;
-            case Const.ALOAD_1:
-                registerOnStack = 1;
-                break;
-            case Const.ALOAD_2:
-                registerOnStack = 2;
-                break;
-            case Const.ALOAD_3:
-                registerOnStack = 3;
-                break;
-            case Const.ALOAD:
-                registerOnStack = getRegisterOperand();
-                break;
-            default:
-                break;
-            }
         }
         if (DEBUG && state != oldState) {
             System.out.println("At PC " + getPC() + " changing from state " + oldState + " to state " + state + ", regOnStack = "
-                    + registerOnStack);
+                    + getRegisterOnStack());
         }
     }
 }

spotbugsTestCases/src/java11/Issue2182.java

@@ -0,0 +1,28 @@
+package ghIssues;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+
+public class Issue2182 {
+
+    public void test() {
+        List<String> A = new ArrayList<String>();
+        A.add("Alex");
+        A.add("john");
+        A.add("lily");
+        A.add("tracy");
+        Iterator <String>it = A.iterator();
+
+        it = A.iterator();
+        String add = "";
+        while (it.hasNext()) {
+            String retrieve = it.next();
+            if (retrieve != null && !"".equals(retrieve)) {
+                add += retrieve;
+            }
+            System.out.println(add);
+        }
+    }
+
+}