FindBugs: fixing the "malicious code" (may expose internal representation) and serialization (defines non-transient non-serializable field) warnings
Source: Internet  Published by: rds数据库  Editor: 程序博客网  Time: 2024/06/05 00:56
1) The original code:
    protected String[] a = null;

    // Stores the caller's array directly: the caller still holds a reference to it.
    public void test(String[] str) {
        this.a = str;
    }
FindBugs describes it as:
This code stores a reference to an externally mutable object into the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Storing a copy of the object is a better approach in many situations.
In plain terms (paraphrasing a translation found online):
The method copies only the reference, so the object's field and the caller's variable now point at the same array; whoever holds that array can change the object's state without going through its methods.
If untrusted code can reach the instance and such unchecked changes would compromise security or other important properties, you need to do something different: storing a copy of the object is a better approach in many situations.
Fix:
    // Defensive copy: the object now owns its own array, so later edits by the caller cannot reach it.
    // clone() is shallow, which is enough for String[] because String is immutable.
    public void test(String[] str) {
        if (str != null) {
            this.a = str.clone();
        }
    }
--------------------------------------------------------------------------------
2) Array-typed properties in a bean
[Reference] http://topic.csdn.net/u/20080115/20/c8893ce0-5546-4762-97bb-9b00d10885cc.html
Original code:
    private String[] name;

    public String[] getName() {
        return name;            // hands the internal array to the caller
    }

    public void setName(String[] name) {
        this.name = name;       // keeps the caller's array
    }
Bug description:
[EI] May expose internal representation by returning reference to mutable object [EI_EXPOSE_REP]
Solution (as given in the referenced thread):
    private String[] name;

    public String[] getName() {
        String[] temp = name;   // same reference, only a different local variable
        return temp;
    }

    public void setName(String[] name) {
        String[] temp = name;
        this.name = temp;
    }
Note:
Every container-type field, such as an ArrayList or an array, gets this warning if you let the IDE generate its getter and setter.
The point of the warning: an ordinary getter/setter hands a reference to one of the object's internal containers straight to the outside, where it can be modified at will, which breaks encapsulation. The temp variant is not flagged because it does not appear to operate on the internal container directly, but it changes nothing in practice; just be aware of that.
Returning a reference to a mutable object value stored in one of the object's fields exposes the internal representation of the object. If instances are accessed by untrusted code, and unchecked changes to the mutable object would compromise security or other important properties, you will need to do something different. Returning a new copy of the object is a better approach in many situations.
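To make the difference between sections 1 and 2 concrete, here is an added example (not from the original post or the referenced thread) that puts the "temp" getter/setter beside real defensive copies; the class names LeakyBean and SafeBean are assumed.

```java
import java.util.Arrays;

// Added example, not from the original post: the "temp" getter/setter from section 2
// beside real defensive copies. LeakyBean/SafeBean are assumed names.
public class ExposeRepDemo {

    // Bean as in section 2: the temp variable stops the EI_EXPOSE_REP warning,
    // but the bean and every caller still share one and the same array.
    static class LeakyBean {
        private String[] name;
        public String[] getName() { String[] temp = name; return temp; }
        public void setName(String[] name) { String[] temp = name; this.name = temp; }
    }

    // Copy on the way in and on the way out: only the bean can reach its own array.
    // clone() is shallow; that is enough for String[] because String is immutable,
    // an array of mutable elements would need a deep copy.
    static class SafeBean {
        private String[] name = new String[0];
        public String[] getName() { return name.clone(); }
        public void setName(String[] name) {
            this.name = (name == null) ? new String[0] : name.clone();
        }
    }

    public static void main(String[] args) {
        String[] roles = { "user" };

        LeakyBean leaky = new LeakyBean();
        leaky.setName(roles);
        roles[0] = "admin";            // the caller edits the array it passed in
        leaky.getName()[0] += "!";     // the getter hands out the same array
        System.out.println("leaky: " + Arrays.toString(leaky.getName()));

        roles[0] = "user";
        SafeBean safe = new SafeBean();
        safe.setName(roles);
        roles[0] = "admin";            // edits the caller's array only
        safe.getName()[0] = "admin";   // edits a throw-away copy
        System.out.println("safe:  " + Arrays.toString(safe.getName()));
    }
}
```

The leaky bean's state ends up carrying the caller's edits; the safe bean's state does not.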
--------------------------------------------------------------------------------
3) Serialization
Source:
    private Obj[] obj;

    public Obj[] getObj() {      // a getter must return the array (the original declared it void)
        Obj[] tep = obj;
        return tep;
    }

    public void setObj(Obj[] o) {   // a setter returns nothing (the original declared Obj[] with no return)
        Obj[] tep = o;
        this.obj = tep;
    }
Bug description:
This Serializable class defines a non-primitive instance field which is neither transient, Serializable, or java.lang.Object, and does not appear to implement the Externalizable interface or the readObject() and writeObject() methods. Objects of this class will not be deserialized correctly if a non-Serializable object is stored in this field.
Fix: make the element type Serializable:
    public class Obj implements Serializable {
        ...
    }
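The following added example (not from the original post) shows what SE_BAD_FIELD is warning about: the write fails with NotSerializableException when the element type is not Serializable, succeeds once the post's fix is applied, and also shows the transient alternative; PlainObj, SerialObj and the holder classes are assumed names.

```java
import java.io.*;

// Added example, not from the original post: shows the failure SE_BAD_FIELD warns about
// and the two ways to clear it. Holder names and PlainObj/SerialObj are assumed.
public class SerializationDemo {

    static class PlainObj { int value = 42; }                 // not Serializable
    static class SerialObj implements Serializable {          // the post's fix applied
        private static final long serialVersionUID = 1L;
        int value = 42;
    }
    // Serializable class with an array of a non-Serializable element type: write fails.
    static class BadHolder implements Serializable {
        private static final long serialVersionUID = 1L;
        PlainObj[] obj = { new PlainObj() };
    }
    // Element type is Serializable, so the whole object graph round-trips intact.
    static class GoodHolder implements Serializable {
        private static final long serialVersionUID = 1L;
        SerialObj[] obj = { new SerialObj() };
    }
    // Alternative FindBugs accepts: transient skips the field, which comes back as null.
    static class TransientHolder implements Serializable {
        private static final long serialVersionUID = 1L;
        transient PlainObj[] obj = { new PlainObj() };
    }

    // Writes one object to a byte array and reads it back (trusted, in-memory data only).
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) { out.writeObject(o); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        try {
            roundTrip(new BadHolder());
        } catch (NotSerializableException e) {
            System.out.println("BadHolder: NotSerializableException for " + e.getMessage());
        }
        GoodHolder good = (GoodHolder) roundTrip(new GoodHolder());
        System.out.println("GoodHolder element value: " + good.obj[0].value);
        TransientHolder t = (TransientHolder) roundTrip(new TransientHolder());
        System.out.println("TransientHolder.obj after read: " + t.obj);
    }
}
```

Note that a transient field is not reconstructed by its initializer on deserialization, so code that reads it afterwards must cope with null.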
4) new Integer(int) and Integer.valueOf(int)
Bug description:
[Bx] Method invokes inefficient Number constructor; use static valueOf instead [DM_NUMBER_CTOR]
Using new Integer(int) is guaranteed to always result in a new object whereas Integer.valueOf(int) allows caching of values to be done by the compiler, class library, or JVM. Using cached values avoids object allocation and the code will be faster.
Note:
[Reference] http://www.cnblogs.com/hyddd/articles/1391318.html
FindBugs recommends Integer.valueOf(int) instead of new Integer(int) because it performs better. When your int value lies in -128..127, Integer.valueOf(int) is roughly 3.5 times faster than new Integer(int).
Let us look at the JDK source to see what optimization Integer.valueOf(int) performs:
    public static Integer valueOf(int i) {
        final int offset = 128;
        if (i >= -128 && i <= 127) { // must cache
            return IntegerCache.cache[i + offset];
        }
        return new Integer(i);
    }

    private static class IntegerCache {
        private IntegerCache() {}
        static final Integer cache[] = new Integer[-(-128) + 127 + 1];
        static {
            for (int i = 0; i < cache.length; i++)
                cache[i] = new Integer(i - 128);   // one shared instance per value in -128..127
        }
    }
As the source shows, valueOf caches the 256 values -128..127 (IntegerCache); for an int in that range, valueOf(int) hands you the cached instance directly.
So you see the following:
    Integer a = 100;
    Integer b = 100;
    System.out.println(a == b);     // both come from the cache

    Integer c = new Integer(100);
    Integer d = new Integer(100);
    System.out.println(c == d);     // two separately allocated objects
The result is:
true
false
Because: at compile time, Integer a = 100; is translated into Integer a = Integer.valueOf(100);, so a and b both receive the cached object, and it is the same one. c and d are two freshly created objects, so naturally c is not equal to d.
Now look at this code:
    Integer a = 100;
    Integer b = a;
    a = a + 1;   // or a++;
    System.out.println(a == b);
The result is: false
Because the operation on a (a = a + 1 or a++) creates a new object for a, while b still refers to the cached 100, so the output is false.
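The post demonstrates the cache with the value 100. The added example below (not from the original post) extends it to the edge of the cached range and shows the comparison that is correct regardless of caching; the class and method names are assumed.

```java
// Added example, not from the original post: extends the Integer a = 100 case
// to the cache boundary and contrasts == with equals().
public class IntegerCacheDemo {

    // Compares two boxed values both ways and returns "identity/equality".
    static String compare(Integer x, Integer y) {
        return (x == y) + "/" + x.equals(y);
    }

    public static void main(String[] args) {
        Integer a = 127, b = 127;   // autoboxing calls Integer.valueOf: cached instance
        Integer c = 128, d = 128;   // outside -128..127: a fresh object each time
        @SuppressWarnings("deprecation")   // the constructor is deprecated in newer JDKs
        Integer e = new Integer(100), f = new Integer(100);  // always allocates

        System.out.println("127 boxed twice:       " + compare(a, b));
        System.out.println("128 boxed twice:       " + compare(c, d));
        System.out.println("new Integer(100) x2:   " + compare(e, f));

        // Mirrors the post's a = a + 1 case: unbox, add, re-box gives a new reference.
        Integer g = 127, h = g;
        g = g + 1;
        System.out.println("after g = g + 1:       " + compare(g, h)
                + " (g=" + g + ", h=" + h + ")");
    }
}
```

Only the cached range makes == look reliable; equals() (or comparing unboxed ints) is the comparison to use for boxed values.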
--------------------------------------------------------------------------------
5) toString() and String
Source:
    return a.toString();
Bug description:
[Dm] Method invokes toString() method on a String [DM_STRING_TOSTRING]
Calling String.toString() is just a redundant operation. Just use the String.
Change to:
    return a;   // a is declared as String, so neither toString() nor a cast is needed
Original article: http://www.blogjava.net/pure/archive/2009/09/30/296989.html