I’m seeing an FP for java:S2259 (possible NPE) where the flow indicated by SQ (on the web portal) seems to suggest it’s not recognizing an exception within a catch clause.
A simplified version of the code is like this, where the numbered comments indicate the tags in the flow given by SQ:
```java
/*1*/ foo = null;
try {
    foo = /*2*/ bar(x);                       // bar() never returns null, but may throw someException
} catch (/*3*/ someException ex) {
    throwItMyWay(ex, "Here in method xxx");   // always throws; never returns normally
}
/*4*/ y = foo.someField;                      // SQ reports a possible NPE here
```
The method bar() can’t return null, but can throw someException. SQ seems to recognize that bar() can’t return null because it only complains about the catch clause. The method throwItMyWay() reconstructs the exception in our preferred form and throws it, 100% guaranteed. Since there’s no try within the catch, the exception thrown by throwItMyWay() is guaranteed to be thrown by the method containing this code, meaning the last line cannot be reached.
However, SQ seems to think throwItMyWay() can return normally.
Is S2259 expected to be able to make this kind of analysis? Or have I just hit some natural limitation in how deep it can analyze?
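For contrast, an added example (not the poster's code and not SonarSource's) showing the two shapes side by side: the `void` helper that always throws, whose signature gives a caller-side analysis nothing to go on, and the common rewrite where the helper returns the exception and the caller writes `throw` at the call site, so the abrupt exit from the catch block is explicit in the caller's own control flow. `Foo`, `SomeException`, `MyException`, `bar()` and the method names are placeholders assumed here.

```java
// Added example, not the poster's code. Placeholder names: Foo, SomeException,
// MyException, bar(), and the method names below are assumed for illustration.
public class RethrowExample {

    /** Checked exception that bar() may throw (placeholder). */
    static class SomeException extends Exception {
        SomeException(String msg) { super(msg); }
    }

    /** The "preferred form" the helper converts to (placeholder). */
    static class MyException extends RuntimeException {
        MyException(String where, Throwable cause) { super(where, cause); }
    }

    /** Result type whose field is read after the try/catch (placeholder). */
    static class Foo {
        final String someField;
        Foo(String someField) { this.someField = someField; }
    }

    /** Never returns null; throws for negative input (placeholder body). */
    static Foo bar(int x) throws SomeException {
        if (x < 0) {
            throw new SomeException("negative input: " + x);
        }
        return new Foo("value-" + x);
    }

    // Shape from the post: a void helper that always throws. Nothing in its
    // signature says so; an analysis that does not model the helper's body
    // has no way to know the catch block never completes normally.
    static void throwItMyWay(Exception cause, String where) {
        throw new MyException(where, cause);
    }

    static String originalShape(int x) {
        Foo foo = null;
        try {
            foo = bar(x);
        } catch (SomeException ex) {
            throwItMyWay(ex, "Here in method originalShape");
        }
        return foo.someField; // reached only if throwItMyWay returned normally
    }

    // Rewrite: build the exception and hand it back; the caller writes
    // `throw wrapForThrow(...)`, so the throw is explicit at the call site
    // and no path from the catch block reaches the field access.
    static MyException wrapForThrow(Exception cause, String where) {
        return new MyException(where, cause);
    }

    static String rewrittenShape(int x) {
        Foo foo; // no null initializer needed: javac's definite-assignment
                 // check accepts this because the catch block always throws
        try {
            foo = bar(x);
        } catch (SomeException ex) {
            throw wrapForThrow(ex, "Here in method rewrittenShape");
        }
        return foo.someField; // foo is definitely assigned and non-null here
    }

    public static void main(String[] args) {
        System.out.println(rewrittenShape(3));
        try {
            rewrittenShape(-1);
        } catch (MyException e) {
            System.out.println("wrapped: " + e.getMessage()
                + " (cause: " + e.getCause().getMessage() + ")");
        }
    }
}
```

The rewrite has a second benefit beyond analyzer visibility: because the catch block now ends in a `throw` statement, `foo` can be left uninitialized, so there is no `null` assignment on any path for a null-dereference checker to track in the first place.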