Bill Pugh of the University of Maryland has released
FindBugs
1.1, an automated open source tool for finding potential
bugs in Java code. This release attempts to reduce the number of false positives and increase the number of null pointer dereferences it can detect.
This release also adds several new bug detectors including one
"for computing the absolute value of a random 32 bit
integer or of a hashcode. This is broken because
Math.abs(Integer.MIN_VALUE) == Integer.MIN_VALUE, and thus result of calling Math.abs, which is expected to be
nonnegative, will in fact be negative one time out of 2
32, which will invariably be the time your boss is demoing the
software to your customers."
I tested this out on XOM (which bundles jaxen). There are definitely more false positives than true positives. However there are also several new reports, mostly in jaxen, that I need to check out. It definitely found one class that needed an SUID and one redundant null check I could eliminate. Otherwise everything looks like a false positive.