False Positive: BC_UNCONFIRMED_CAST_OF_RETURN_VALUE when using generic bounded type

[pcimcioch]

Following code is safe in terms of casting, but spotbugs reports BC_UNCONFIRMED_CAST_OF_RETURN_VALUE

package test;

class Parent {}
class Child extends Parent {}

class Factory<T extends Parent> {
    private final Class<T> type;

    Factory(Class<T> type) {
        this.type = type;
    }

    public T create() {
        try {
            return type.newInstance();
        } catch (InstantiationException | IllegalAccessException e) {
            return null;
        }
    }
}

public class Test {
    public static void main(String[] args) {
        Factory<Child> cs = new Factory<>(Child.class);
        Child child = cs.create(); // BC_UNCONFIRMED_CAST_OF_RETURN_VALUE
        System.out.println(child);
    }
}

• If Parent is interface instead of class, this bug is not reported

interface Parent {}
class Child implements Parent {}

• If Factory doesn't bound type T to Parent, this bug is not reported

class Factory<T> {

• If type is bounded on method-level, this bug is not reported

class Factory {
    public <T extends Parent> T create(Class<T> type) {
        try {
            return type.newInstance();
        } catch (InstantiationException | IllegalAccessException e) {
            return null;
        }
    }
}

Spotbugs Version: 4.0.6
Report Level: Low

[welcome]

Thanks for opening your first issue here! 😃
Please check our contributing guideline. Especially when you report a problem, make sure you share a Minimal, Complete, and Verifiable example to reproduce it in this issue.

[alzimmermsft]

I'm also seeing a similar issue as this with a method such as:

public <T extends Throwable> T logThrowableAsError(T throwable) {
    // Logic to log the throwable.
    return throwable;
}

// Other code later
public void attemptSomething() throws IOException {
    try {
        trySomething();
    } catch (IOException ex) {
        throw logThrowableAsError(ex);
    }
}

Using Spotbugs version 4.2.0

[alzimmermsft]

We've upgraded to Spotbugs 4.2.2 and this continues to persist, is there any chance that this has been resolved by an even newer version?

[uhafner]

No, I am running latest 4.4.2 and the bug still is there:
https://ci.jenkins.io/job/Plugins/job/warnings-ng-plugin/job/PR-1075/15/spotbugs/source.011b3afe-630a-44df-8856-41442c138a42/#177

[danielnorberg]

I'm also seeing this issue.

[zman0900]

Also seeing this with fairly basic use of Jackson. For example:

package crap

import com.fasterxml.jackson.databind.ObjectReader;
import com.fasterxml.jackson.databind.json.JsonMapper;

public final class MyClass {
    private static final ObjectReader JSON_READER = JsonMapper.builder()
            .build()
            .readerFor(OtherClass.class);
}

[ERROR] Low: Unchecked/unconfirmed cast from com.fasterxml.jackson.databind.ObjectMapper to com.fasterxml.jackson.databind.json.JsonMapper of return value in crap.MyClass.() [crap.MyClass] At MyClass.java:[line 8] BC_UNCONFIRMED_CAST_OF_RETURN_VALUE

[CJ061626]

I'm seeing this issue with the latest release version of Kubernetes-client-6.8.0 when both ObjectMetaFluent class and SecretFluent class extend from the same base class BaseFluent.

Low: Unchecked/unconfirmed cast from io.fabric8.kubernetes.api.model.ObjectMetaFluent to io.fabric8.kubernetes.api.model.SecretFluent$MetadataNested of return value in ClassName.Class (package.ClassName) At ClassName.Java: BC_UNCONFIRMED_CAST_OF_RETURN_VALUE

import io.fabric8.kubernetes.api.model.Secret;
import io.fabric8.kubernetes.api.model.SecretBuilder;

public class ClassName {

final Secret secret =
            new SecretBuilder()
                .withNewMetadata()
                .withName(String)
                .withAnnotations(Map.of(String, String))
                .withLabels(Map.of(String, String))
                .endMetadata()
                .WithData(Map.of(String, String))
                .build()
}

[patchwork01]

I've reproduced this here: gchq/sleeper#1162

[salbracco24]

Any progress on this?

[robinjhector]

BC_UNCONFIRMED_CAST_OF_RETURN_VALUE is also apparent when you use the new pattern matching switch in java 21, (also together with generics) eg:

SomeInterface<?> myObject = ...

var result = switch(myObject) {
    case Impl1 i1 -> doStuff(i1); //i1 is cast to Impl1
}

I created a new issue: #2782

[gtoison]

This should be fixed by #2811 once released