Fix ConstructorThrow SpotBugs warnings in core module

[DomGarguilo]

This PR fixes the warnings from the core module. Here is a description from the ticket:

This warning gets emitted when an exception is thrown within an constructor.

There are several ways to avoid this warning:

1. make the class final
2. remove the thrown exception from the constructor
3. add a finalize() method so it cant be overridden
4. make the constructor private

There are pros and cons to each fix.

• making a class final prohibits inheriting it
• removing the thrown exception usually means forgoing validation
• adding a finalize() method means we also need to ignore the deprecation warning since finalizer() is deprecated
• making the constructor private usually takes a lot of refactoring to move to a different pattern to create the object

I think the best approach here is to work through a couple modules at a time and fix these.

I removed omit block from the root pom and instead moved it into each module so that we can just ignore this spotbugs warning until we fix them in each module.

[ddanielr]

Moving this check out from the top-level pom to the modules makes sense.

Do we need to make release notes changes for finalizing any of the classes that are defined in our public API?

[DomGarguilo]

Do we need to make release notes changes for finalizing any of the classes that are defined in our public API?

That is a good question. I am not sure.

[DomGarguilo]

I think feedback regarding the method of fixing this warning would be helpful (making the class final vs. adding the finalize() method). I tried to only make things final if it was an inner class and/or something that seemed very unlikely to be subclassed, however I just used my best judgement so would like others input on this part.

[ddanielr]

Do we need to make release notes changes for finalizing any of the classes that are defined in our public API?

That is a good question. I am not sure.

I think feedback regarding the method of fixing this warning would be helpful (making the class final vs. adding the finalize() method). I tried to only make things final if it was an inner class and/or something that seemed very unlikely to be subclassed, however I just used my best judgement so would like others input on this part.

I don't see an issue with finalizing the default implementation classes since users should be implementing new classes from the interface rather than extending the clientImpl classes.

Since finalize() is deprecated, does this SpotBugs warning go away if we were to switch to a newer java version?

[dlmarion]

I think feedback regarding the method of fixing this warning would be helpful (making the class final vs. adding the finalize() method).

I have no issue with making classes final where we can and where it makes sense. I'm not sure adding a finalizer to fix the others is a good long-term approach though it's likely the easiest fix. Finalizers themselves are deprecated and will be removed in a future Java release. I'm wondering if fixing the objects so that they don't throw exceptions from the constructor is the better choice, for example, using an init method on the objects that needs to be called post-construction but before use. There is now a jvm option, --finalization=disabled, in JDK 18 that disables all Finalizers as a step toward removal.

[ctubbsii]

These are pretty broad suppressions. I think it's nice that you're trying to narrow them down and triage them one at a time, but I'm wondering if this should be considered a WIP, or is this the intended final PR?

[ctubbsii]

We have other spotbugs filters in src/main/spotbugs/exclude-filter.xml, where we have fine-grained control over things to filter, and instead of omitting entire detectors, we can filter based on the documented bug names. I'm not sure which is better, but it would probably be nice to consolidate the config, so we're doing it all in one place, instead of doing some here in the pom, and others elsewhere in the exclude-filter.xml file.

[DomGarguilo]

I would argue that each serves a different purpose. To me it seems the filters in exclude-filter.xml are more or less permanent for code that we don't expect to change where as this new <omitVisitors> approach is a nice way to temporarily omit these detectors while we are fixing them. If we find that we want to permanently omit these detectors than I think it would be a good idea to move things into the xml file but for now this seems to work well.

[ctubbsii]

It's only temporary while it's in the PR. Once it gets merged, it's more or less permanent, or at least as permanent as the exclude-filter.xml files. My review comments are based on the desired end result after this is merged. That is to say, doing it in a different way while you're working on it is fine... but unless there's a good reason to have these configured separately from what's in the exclude-filter.xml files, then it's better that the end result by the time this is merged, has removed these extra configs, or consolidated them with the exclude-filter.xml files, so we don't have config scattered everywhere that basically does similar things.

[ctubbsii]

I'd really rather not add these methods in so many places. If this isn't possible to address another way, I think we can just suppress it. Adding this deprecated method is probably the least good workaround.

[DomGarguilo]

Yea I agree. Adding the finalize method definitely seems like the worst fix.

I think the best way to handle things is

1. if its easy and safe to remove the exception thrown from the constructor, do that (usually not possible)
2. try to make the class final if its obvious that it can be made final
3. add a @SuppressFBWarnings tag to the place in the code that the warning is coming from

Do you think that sounds good or would do you think its best to suppress this at module/project level?

[keith-turner]

Avoiding finalize here will be helpful in the future https://openjdk.org/jeps/421

[ctubbsii]

Do you think that sounds good or would do you think its best to suppress this at module/project level?

I think trying those 3 fixes, in that order, are probably best. There may be good reasons to suppress at the module/project level, but it should be a very good reason. We have relatively few module/project-wide exceptions, and they are easily articulable, like the comments in the existing spotbugs/exclude-filter.xml files.

[ctubbsii]

In addition to previous comments about consolidating spotbugs config rules, this config here makes me wonder what rules are associated with "SharedVariableAtomicityDetector" and "ConstructorThrow", and why we're suppressing them here. It seems that suppression here is just because they are noisy?

[DomGarguilo]

I'm not sure i understand your question about why we're suppressing them here. Do you mean within that module specifically or within the poms in general?

[ctubbsii]

I mean, having the config here raises the question "why are we skipping these checks?" without bothering to provide an answer. In the other places, such as the annotation, or the XML file, we generally offer an explanation, but there isn't one here. It's not clear what checks are being skipped, and why, when these visitors are being omitted.

[DomGarguilo]

This PR is no longer a WIP.

To fix these spotbugs warnings I either made the class final (best solution, not possible everywhere) or I added a @SuppressFBWarnings tag to the class.

[keith-turner]

All the java changes look good, could not really review the maven changes very well though.

[keith-turner]

Could these changes be made in the accumulo parent pom instead of in each pom?

[DomGarguilo]

They could but the point of doing it in each pom is to allow us to make these changes incrementally so we don't have to fix the whole codebase at once and instead can go module by module.

[ctubbsii]

It would be much simpler to just set <spotbugs.omitVisitors /> in the property section of the various POMs rather than add the whole plugin config to the pom.

[DomGarguilo]

Made this change in 941c2a3 @ctubbsii. Definitely a better approach than what I had before.

[ctubbsii]

This class actually seems like it might be useful to extend. The check in the constructor probably doesn't need to be there, and is overly restrictive. It's only there as a sanity check to make sure we didn't screw up elsewhere in Accumulo... but having it here isn't exactly the right place for that check, and is overly restrictive.

[ctubbsii]

While we may be reluctant to make final public API classes that the user might have extended, stuff in *Impl are fair game. I'm not sure if it's possible to make them all final (we might extend them ourselves, elsewhere internally), but if it is possible, there shouldn't be any harm doing so.

[ctubbsii]

Suggested change

<plugins />

[ctubbsii]

Suggested change

	<build>
	<plugins />
	</build>

[ctubbsii]

Suggested change

<plugins />

[ctubbsii]

Suggested change

	<build>
	<plugins />
	</build>

[ctubbsii]

Suggested change

	<build>
	<plugins />
	</build>

[ctubbsii]

Suggested change

<plugins />

[ctubbsii]

Suggested change

	<build>
	<plugins />
	</build>