Add more logic

Author: PatrikScully

CHANGELOG.md

@@ -9,6 +9,10 @@ Currently the versioning policy of this project follows [Semantic Versioning v2.
 ### Fixed
 - Do not report BC_UNCONFIRMED_CAST for Java 21's type switches when the switch instruction is TABLESWITCH ([#2782](https://github.com/spotbugs/spotbugs/issues/2782))
 
+### Added
+- New detector `ResourceInMultipleThreadsDetector` and introduced new bug type:
+  - `AT_UNSAFE_RESOURCE_ACCESS_IN_THREAD` is reported in case of unsafe resource access in multiple threads.
+
 ## 4.8.5 - 2024-05-03
 ### Fixed
 - Fix FP `SING_SINGLETON_GETTER_NOT_SYNCHRONIZED` with eager instances ([#2932](https://github.com/spotbugs/spotbugs/issues/2932))

spotbugs-tests/src/test/java/edu/umd/cs/findbugs/detect/ResourceInMultipleThreadsDetectorTest.java

@@ -12,11 +12,65 @@
 class ResourceInMultipleThreadsDetectorTest extends AbstractIntegrationTest {
 
     @Test
-    void testUSCurrency() {
-        performAnalysis("atomicMethods/ExampleClientCode.class", "atomicMethods/USCurrency.class");
+    void testSafeUsages() {
+        performAnalysis("commonResources/SafeAtomicFieldUsage.class",
+                "commonResources/SafeSynchronizedCollectionUsage.class",
+                "commonResources/SafeFieldUsages.class",
+                "commonResources/SynchronizedSafeFieldUsage.class",
+                "commonResources/SafeFieldGetterUsage.class",
+                "commonResources/SafeBuilderPattern.class",
+                "commonResources/SafePutFieldWithBuilderPattern.class",
+                "commonResources/SafeFieldUsageInMainThread.class",
+                "commonResources/CombinedThreadsInShutdownHook.class",
+                "commonResources/CombinedThreadsInShutdownHook$1.class",
+                "commonResources/Vehicle.class",
+                "commonResources/Vehicle$Builder.class");
         assertNumOfBugs(0);
     }
 
+    @Test
+    void testUnsafeFieldUsages() {
+        performAnalysis("commonResources/UnsafeFieldUsage.class",
+                "commonResources/Vehicle.class",
+                "commonResources/Vehicle$Builder.class");
+        assertNumOfBugs(5);
+        assertBug("UnsafeFieldUsage", "lambda$new$0", 8);
+        assertBug("UnsafeFieldUsage", "createVehicle", 16);
+        assertBug("UnsafeFieldUsage", "createVehicle", 17);
+        assertBug("UnsafeFieldUsage", "createVehicle", 18);
+        assertBug("UnsafeFieldUsage", "createVehicle", 19);
+    }
+
+    @Test
+    void testUnsafeFieldUsages2() {
+        performAnalysis("commonResources/UnsafeFieldUsage2.class",
+                "commonResources/Vehicle.class",
+                "commonResources/Vehicle$Builder.class");
+        assertNumOfBugs(2);
+        assertBug("UnsafeFieldUsage2", "lambda$new$0", 8);
+        assertBug("UnsafeFieldUsage2", "createVehicle", 16);
+    }
+
+    @Test
+    void testUnsafeFieldUsages3() {
+        performAnalysis("commonResources/UnsafeFieldUsage3.class",
+                "commonResources/Vehicle.class",
+                "commonResources/Vehicle$Builder.class");
+        assertNumOfBugs(2);
+        assertBug("UnsafeFieldUsage3", "lambda$new$0", 12);
+        assertBug("UnsafeFieldUsage3", "createVehicle", 8);
+    }
+
+    @Test
+    void testSynchronizedUnsafeFieldUsage() {
+        performAnalysis("commonResources/SynchronizedUnsafeFieldUsage.class",
+                "commonResources/Vehicle.class",
+                "commonResources/Vehicle$Builder.class");
+        assertNumOfBugs(2);
+        assertBug("SynchronizedUnsafeFieldUsage", "lambda$new$0", 8);
+        assertBug("SynchronizedUnsafeFieldUsage", "createVehicle", 16);
+    }
+
     private void assertNumOfBugs(int num) {
         final BugInstanceMatcher bugTypeMatcher = new BugInstanceMatcherBuilder()
                 .bugType("AT_UNSAFE_RESOURCE_ACCESS_IN_THREAD").build();

spotbugs/etc/findbugs.xml

@@ -644,7 +644,7 @@
                     reports="UR_UNINIT_READ_CALLED_FROM_SUPER_CONSTRUCTOR"/>
           <Detector class="edu.umd.cs.findbugs.detect.AtomicityProblem"
                     reports="AT_OPERATION_SEQUENCE_ON_CONCURRENT_ABSTRACTION"/>
-          <Detector class="edu.umd.cs.findbugs.detect.ResourceInMultipleThreadsDetector"
+          <Detector class="edu.umd.cs.findbugs.detect.ResourceInMultipleThreadsDetector" speed="fast"
                     reports="AT_UNSAFE_RESOURCE_ACCESS_IN_THREAD"/>
           <Detector class="edu.umd.cs.findbugs.detect.CheckExpectedWarnings"
                     reports="FB_UNEXPECTED_WARNING,FB_MISSING_EXPECTED_WARNING" disabled="true"

spotbugs/etc/messages.xml

@@ -232,8 +232,7 @@ applied to method parameters and uses of those method parameters. </p>
   <Detector class="edu.umd.cs.findbugs.detect.ResourceInMultipleThreadsDetector">
     <Details>
       <![CDATA[
-<p> Finds sequences of operations on synchronized/atomic abstractions
-    like SynchronizedList or AtomicReference that are not in a synchronized block.
+<p> Finds non-atomic typed resources that are used in multiple threads without proper synchronization.
     </p>
 ]]>
     </Details>
@@ -8682,11 +8681,17 @@ after the call to initLogging, the logger configuration is lost
       </Details>
   </BugPattern>
   <BugPattern type="AT_UNSAFE_RESOURCE_ACCESS_IN_THREAD">
-    <ShortDescription>todo</ShortDescription>
-    <LongDescription>todo</LongDescription>
+    <ShortDescription>Operation on resource is not safe in a multithreaded context</ShortDescription>
+    <LongDescription>Operation on resource {3} is not safe in a multithreaded context in {1}</LongDescription>
     <Details>
       <![CDATA[
-        <p>todo
+        <p>This code contains an operation on a resource that is not safe in a multithreaded context.
+            The resource may be accessed by multiple threads concurrently without proper synchronization.
+            This may lead to data corruption. Use synchronization or other
+            concurrency control mechanisms to ensure that the resource is accessed safely.</p>
+        <p>See the related SEI CERT rule, but the detector is not restricted to chained methods:
+          <a href="https://wiki.sei.cmu.edu/confluence/display/java/VNA04-J.+Ensure+that+calls+to+chained+methods+are+atomic">
+          VNA04-J. Ensure that calls to chained methods are atomic</a>.
         </p>]]>
     </Details>
   </BugPattern>

spotbugs/src/main/java/edu/umd/cs/findbugs/detect/FindPublicAttributes.java

@@ -18,10 +18,8 @@
 
 package edu.umd.cs.findbugs.detect;
 
-import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
@@ -39,15 +37,6 @@
 
 public class FindPublicAttributes extends OpcodeStackDetector {
 
-    private static final Set<String> CONSTRUCTOR_LIKE_NAMES = new HashSet<>(Arrays.asList(
-            Const.CONSTRUCTOR_NAME, Const.STATIC_INITIALIZER_NAME,
-            "clone", "init", "initialize", "dispose", "finalize", "this",
-            "_jspInit", "jspDestroy"));
-
-    private static final List<String> SETTER_LIKE_NAMES = Arrays.asList(
-            "set", "put", "add", "insert", "delete", "remove", "erase", "clear",
-            "push", "pop", "enqueue", "dequeue", "write", "append");
-
     private final BugReporter bugReporter;
 
     private final Set<XField> writtenFields = new HashSet<>();
@@ -84,7 +73,7 @@ public void visit(JavaClass obj) {
     public void sawOpcode(int seen) {
         // It is normal that classes used as simple data types have a
         // constructor to make initialization easy.
-        if (isConstructorLikeMethod(getMethodName())) {
+        if (MutableClasses.isConstructorLikeMethod(getMethodName())) {
             return;
         }
 
@@ -153,7 +142,7 @@ public void sawOpcode(int seen) {
             // which roughly describes its behavior, beginning with the verb.
             // If the verb does not hint that the method writes the object
             // then we skip it.
-            if (!looksLikeASetter(xmo.getName())) {
+            if (!MutableClasses.looksLikeASetter(xmo.getName())) {
                 return;
             }
 
@@ -192,17 +181,4 @@ public void sawOpcode(int seen) {
             writtenFields.add(field);
         }
     }
-
-    private static boolean isConstructorLikeMethod(String methodName) {
-        return CONSTRUCTOR_LIKE_NAMES.contains(methodName);
-    }
-
-    private static boolean looksLikeASetter(String methodName) {
-        for (String name : SETTER_LIKE_NAMES) {
-            if (methodName.startsWith(name)) {
-                return true;
-            }
-        }
-        return false;
-    }
 }