/*
 * fb-contrib - Auxiliary detectors for Java programs
 * Copyright (C) 2005-2014 Dave Brosius
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */
package com.mebigfatguy.fbcontrib.detect;

import org.apache.bcel.classfile.Field;
import org.apache.bcel.classfile.JavaClass;
import org.apache.bcel.classfile.Method;
import edu.umd.cs.findbugs.BugInstance;
import edu.umd.cs.findbugs.BugReporter;
import edu.umd.cs.findbugs.BytecodeScanningDetector;
import edu.umd.cs.findbugs.OpcodeStack;
import edu.umd.cs.findbugs.ba.ClassContext;

/**
 * looks for serialization of non-static inner classes. As this serializes the enclosing
 * class, it may unintentionally bring in more to the serialization than is wanted
 */
public class PossibleUnsuspectedSerialization extends BytecodeScanningDetector {
    private final BugReporter bugReporter;
    private OpcodeStack stack;

    /**
     * constructs a PUS detector given the reporter to report bugs on
     *
     * @param bugReporter the sync of bug reports
     */
    public PossibleUnsuspectedSerialization(BugReporter bugReporter) {
        this.bugReporter = bugReporter;
    }

    /**
     * implements the visitor to setup and tear down the opcode stack
     *
     * @param classContext the context object of the currently parsed class
     */
    @Override
    public void visitClassContext(ClassContext classContext) {
        try {
            stack = new OpcodeStack();
            super.visitClassContext(classContext);
        } finally {
            stack = null;
        }
    }

    /**
     * implements the visitor to reset the opcode stack
     *
     * @param obj the context object of the currently parsed method
     */
    @Override
    public void visitMethod(Method obj) {
        stack.resetForMethodEntry(this);
    }

    /**
     * implements the visitor to look for serialization of an object that is a non-static inner class.
     *
     * @param seen the context object of the currently parsed instruction
     */
    @Override
    public void sawOpcode(int seen) {
        try {
            if (seen == INVOKEVIRTUAL) {
                String clsName = getClassConstantOperand();
                if ("java/io/ObjectOutputStream".equals(clsName)) {
                    String name = getNameConstantOperand();
                    if ("writeObject".equals(name)) {
                        // the object being written is the top-of-stack argument
                        if (stack.getStackDepth() > 0) {
                            OpcodeStack.Item item = stack.getStackItem(0);
                            JavaClass cls = item.getJavaClass();
                            // '$' in the name marks a nested class; the synthetic check tells static from inner
                            if ((cls != null) && cls.getClassName().contains("$") && hasOuterClassSyntheticReference(cls)) {
                                bugReporter.reportBug(new BugInstance(this, "PUS_POSSIBLE_UNSUSPECTED_SERIALIZATION", NORMAL_PRIORITY)
                                        .addClass(this).addMethod(this).addSourceLine(this));
                            }
                        }
                    }
                }
            }
        } catch (ClassNotFoundException cnfe) {
            bugReporter.reportMissingClass(cnfe);
        } finally {
            stack.sawOpcode(this, seen);
        }
    }

    /**
     * checks whether a nested class carries the compiler-generated reference to its enclosing instance
     * (the synthetic this$0 field), which is what distinguishes an inner class from a static nested one
     */
    private boolean hasOuterClassSyntheticReference(JavaClass cls) {
        Field[] fields = cls.getFields();
        for (Field f : fields) {
            if (f.isSynthetic()) {
                String sig = f.getSignature();
                if (sig.startsWith("L")) {
                    // descriptor form is Lpkg/Outer; while getClassName() is dotted, so normalize before comparing
                    sig = sig.substring(1, sig.length() - 1).replace('/', '.');
                    if (cls.getClassName().startsWith(sig)) {
                        return true;
                    }
                }
            }
        }
        return false;
    }
}
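The pattern this detector flags, as an added Java illustration that is not part of fb-contrib: the hypothetical Session, Token and SafeToken classes show that writing a non-static inner class with ObjectOutputStream also writes the enclosing instance (its synthetic this$0 reference is the same signal the detector looks for, reproduced here with reflection instead of BCEL), while a static nested class does not.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;

public class UnsuspectedSerializationDemo {
    // Hypothetical enclosing class; "secret" is constructed sample state that should stay in the JVM.
    static class Session implements Serializable {
        private static final long serialVersionUID = 1L;
        private final byte[] secret = new byte[32];
        // Non-static inner class: javac emits a synthetic this$0 field, so writeObject(token) also writes the Session.
        class Token implements Serializable {
            private static final long serialVersionUID = 1L;
            String id = "t-1";
            int secretLength() { return secret.length; } // uses the outer instance, so this$0 is kept
        }
        // Static nested class: no hidden reference to the enclosing instance, nothing extra is written.
        static class SafeToken implements Serializable {
            private static final long serialVersionUID = 1L;
            String id = "t-1";
        }
    }
    // The detector's signal via reflection: a synthetic field whose type name is a prefix of (encloses) this class's name.
    static boolean hasOuterClassSyntheticReference(Class<?> cls) {
        for (Field f : cls.getDeclaredFields()) {
            if (f.isSynthetic() && cls.getName().startsWith(f.getType().getName())) {
                return true;
            }
        }
        return false;
    }
    // Serializes o and reports whether Session's "secret" field descriptor ended up in the stream.
    static boolean streamContainsSecret(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return new String(bos.toByteArray(), StandardCharsets.ISO_8859_1).contains("secret");
    }
    public static void main(String[] args) throws IOException {
        Session s = new Session();
        System.out.println("Token: flagged=" + hasOuterClassSyntheticReference(Session.Token.class)
                + " leaksSecret=" + streamContainsSecret(s.new Token()));
        System.out.println("SafeToken: flagged=" + hasOuterClassSyntheticReference(Session.SafeToken.class)
                + " leaksSecret=" + streamContainsSecret(new Session.SafeToken()));
    }
}
```

Token is reported and its stream carries the Session descriptor with the secret field; converting it to a static nested class (SafeToken) removes both the finding and the extra data.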