Recently, I have heard a lot of buzz about static code analyzers. There are a bunch of static code analyzers out there, and I decided to get started with one such analyzer for Java. You can find a list of static Java code analyzers here.
FindBugs?
FindBugs is an open source tool for static analysis of Java programs, i.e. it can find bugs simply by inspecting a program's code. It scans Java bytecode rather than source code and identifies defects and suspicious code in Java programs. FindBugs needs the compiled class files, but there is no need to execute the code for the analysis. It is based on the concept of bug patterns: a bug pattern is a code idiom that is often an error.
The potential bugs are classified in four ranks:
1. Scariest
2. Scary
3. Troubling
4. Of concern
Each of these ranks is further classified into High Confidence and Normal Confidence. The findings from FindBugs are reported as warnings, that is, "potential bugs"; not all warnings are necessarily errors, bugs or defects. The rank and confidence are a hint to developers about the possible impact and severity. According to the developers of FindBugs, the rate of false warnings reported by FindBugs is less than 50%. FindBugs is written in Java and can be run with any virtual machine compatible with Sun's JDK 1.5. It uses BCEL (the Byte Code Engineering Library from Apache Commons) to analyze Java code.
FindBugs supports a plugin architecture, and there are plugins available for Eclipse, NetBeans, IntelliJ, Hudson, Jenkins etc.
Here are a few screenshots of the kinds of bugs FindBugs caught in my environment (IDE: Eclipse Kepler; Java version: Java 7).
[Screenshot: Categorizing the bugs in the 4 categories]
[Screenshot: Possible NPE]
[Screenshot: Comparison of objects using == instead of equals()]
[Screenshot: Using Thread.sleep() with lock held]
[Screenshot: Unused local variable]
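To make the four screenshots concrete without the images, here is an added example (my own code, not from the original post or the FindBugs project) that reproduces each flagged pattern next to a corrected version. The class, method and map contents are made up for illustration; the comments name what FindBugs reports at each line.

```java
// Added example, not from the original post: the four bug patterns from the
// screenshots, each beside a corrected form. Names and data are made up.
import java.util.HashMap;
import java.util.Map;

public class FindBugsPatterns {

    // 1. Possible NPE: Map.get() may return null, and the result is
    //    dereferenced without a check.
    static int lengthOfUnsafe(Map<String, String> m, String key) {
        String v = m.get(key);
        return v.length();                // FindBugs: possible null pointer dereference
    }

    static int lengthOfSafe(Map<String, String> m, String key) {
        String v = m.get(key);
        return v == null ? 0 : v.length();
    }

    // 2. Comparing objects with == instead of equals(): == compares references,
    //    so two equal strings built at runtime are reported as different.
    static boolean sameUserUnsafe(String a, String b) {
        return a == b;                    // FindBugs: comparison of String objects using ==
    }

    static boolean sameUserSafe(String a, String b) {
        return a != null && a.equals(b);
    }

    // 3. Thread.sleep() with a lock held: every other thread that needs the
    //    monitor is blocked for the whole sleep.
    private final Object lock = new Object();
    private final Map<String, Integer> cache = new HashMap<>();

    void refreshUnsafe() throws InterruptedException {
        synchronized (lock) {
            Thread.sleep(1000);           // FindBugs: sleep with lock held
            cache.put("refreshed", 1);
        }
    }

    void refreshSafe() throws InterruptedException {
        Thread.sleep(1000);               // wait outside the critical section
        synchronized (lock) {
            cache.put("refreshed", 1);
        }
    }

    // 4. Unused local variable: often a sign that a computed value (here a
    //    validation result) was meant to be used and is silently dropped.
    static boolean validateUnsafe(String input) {
        boolean ok = input != null && !input.isEmpty();   // FindBugs: dead store to local variable
        return true;
    }

    static boolean validateSafe(String input) {
        return input != null && !input.isEmpty();
    }

    public static void main(String[] args) throws InterruptedException {
        Map<String, String> users = new HashMap<>();       // constructed sample data
        users.put("alice", "admin");
        System.out.println(lengthOfSafe(users, "alice"));
        System.out.println(lengthOfSafe(users, "missing"));
        System.out.println(sameUserSafe(new String("a"), "a"));
        System.out.println(sameUserUnsafe(new String("a"), "a"));
        System.out.println(validateSafe(""));
        System.out.println(validateUnsafe(""));
        new FindBugsPatterns().refreshSafe();
    }
}
```

Compile the class and point FindBugs (or the Eclipse plugin) at the resulting `.class` file; because FindBugs works on bytecode, the source is not needed for the scan, only for reading the report back against the code.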
If you look at the screenshots carefully, the bug info section gives a detailed explanation of why the tool suspects a bug at the line it flags as matching a bug pattern. The bug info contains useful information for the developer to understand why the code is suspected of being a bug and to decide whether it really is a bug, or is what the developer intended but is bad practice. It also gives the rank, confidence, pattern, type and category of the bug pattern.
There are around 400 bug patterns reported by FindBugs in nine different categories:
1. Correctness
2. Bad Practice
3. Dodgy Code
4. Multithreaded Correctness
5. Performance
6. Malicious Code Vulnerability
7. Security
8. Experimental
9. Internationalization
It is very important to bear in mind that not all issues a static analyzer finds are actually bugs. Some are coding preferences, a matter of style that developers adopt even though they are not the most efficient. If a developer does not agree with a warning from FindBugs, the solution is to suppress the warning using annotations. FindBugs supports several annotations to express the developer's intent so that FindBugs can issue warnings more appropriately. Visit this page for details on annotations.
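As an added example (my own code, not from the original post), the snippet below uses three of the annotations FindBugs ships in its `edu.umd.cs.findbugs.annotations` package: `@CheckForNull` and `@NonNull` to state a null contract, and `@SuppressFBWarnings` to silence one reviewed warning narrowly. The class and method names are made up; the annotation names and the `DLS_DEAD_LOCAL_STORE` pattern code are FindBugs' own.

```java
// Added example, not from the original post: expressing intent with the
// FindBugs annotations. Class and method names are made up for illustration.
import edu.umd.cs.findbugs.annotations.CheckForNull;
import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;

public class AnnotatedLookup {

    // @CheckForNull on the return value tells FindBugs that callers must test
    // for null before dereferencing the result; @NonNull on the parameter
    // tells it that passing null here is itself a bug.
    @CheckForNull
    static String findRole(@NonNull String user) {
        return "alice".equals(user) ? "admin" : null;
    }

    // A caller that dereferenced findRole() directly would get a
    // null-pointer warning; this one honours the contract.
    static int roleLength(@NonNull String user) {
        String role = findRole(user);
        return role == null ? 0 : role.length();
    }

    // When a warning has been reviewed and judged a false positive, suppress
    // it narrowly (one pattern code, one method) and record the reason,
    // rather than disabling the detector for the whole project.
    @SuppressFBWarnings(value = "DLS_DEAD_LOCAL_STORE",
                        justification = "Value kept so it can be inspected in a debugger")
    static void debugProbe(String user) {
        String role = findRole(user);
        // intentionally unused outside a debugging session
    }

    public static void main(String[] args) {
        System.out.println(roleLength("alice"));
        System.out.println(roleLength("bob"));
        debugProbe("alice");
    }
}
```

The annotations jar has to be on the compile classpath for this to build; the `justification` text is not required by the annotation, but it is what turns a suppression into a reviewable record instead of a silent opt-out.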
More information about this is available at:
Other useful links and references:
The best article I ever found on the static analysis tools comparison. Very detailed and exact information given. Time taken for this article is highly appreciable.