
Java Code Static Analysis (Java Code Static Analysis Tools)

by gsporar

We are fortunate that in the Java world, there are many high-quality static analysis tools available for free. I talked about a few of them the other night at a meeting of the Austin Java Users Group.

Like many people, the first static analysis tool for Java code that I encountered was FindBugs. The current version is 1.1.1, but do not let that relatively low version number fool you - the tool is very robust and has been around for quite a while.

My current fascination with static analysis tools is driven by two things: Project Jackpot and a desire to spread the word about static analysis tools. Based on my very un-scientific research, there are still many developers who use Java but do not know about these tools.

In September I went to Oslo for JavaZone. I was talking with a gentleman who attended my presentation and our conversation drifted to tools for verifying the correctness of multi-threaded code. I asked if he was using FindBugs (which has many bug detectors for common concurrency problems) and he replied that he had never heard of it. I was surprised for two reasons: he indicated he was not new to the Java world and he apparently keeps up with what is going on - he was attending a conference for Java developers.

My presentation in Austin provided further evidence. As I described each tool I asked for a show of hands for the number of people who had heard of the tool. Not many hands went up.

One more data point: Fabiano Cruz recently wrote an excellent blog entry on static analysis tools. I sent him an email and he and I have corresponded a bit since then. He stated that many of the developers he encounters have also not heard of these tools.

So what's so great about these tools anyway? They help find bugs. When talking about static analysis, "bug" is defined very broadly. In other words, static analysis tools help locate common anti-patterns. Examples include failure to adhere to coding standards and unsafe practices such as calling overridable methods from a constructor.
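The constructor anti-pattern mentioned above, as an added example that is not from the original post; all class names are hypothetical. It shows why the tools flag it: the subclass override runs before the subclass's own fields are initialized, so any check or setup in that override works on null or default state.

```java
import java.util.ArrayList;
import java.util.List;

// Constructed example; every class name here is hypothetical.
public class ConstructorCallDemo {

    // Anti-pattern: the constructor calls a method that subclasses can override.
    static class UnsafeBase {
        UnsafeBase() {
            init(); // dispatches to the subclass override during super construction
        }
        void init() { }
    }

    static class UnsafeChild extends UnsafeBase {
        private final List<String> allowedHosts = new ArrayList<>();
        String seenDuringInit; // no initializer, so the value set in init() survives

        @Override
        void init() {
            // Called from UnsafeBase(): the allowedHosts initializer has not run yet,
            // so even this final field is still null at this point.
            seenDuringInit = String.valueOf(allowedHosts);
        }
    }

    // Hardened form: final class, private init, and a factory that runs the
    // initialization only after construction has completed.
    static final class SafeChild {
        private final List<String> allowedHosts = new ArrayList<>();
        String seenDuringInit;

        private SafeChild() { }

        static SafeChild create() {
            SafeChild c = new SafeChild();
            c.init(); // all field initializers have executed by now
            return c;
        }

        private void init() {
            seenDuringInit = String.valueOf(allowedHosts);
        }
    }

    public static void main(String[] args) {
        System.out.println("unsafe: " + new UnsafeChild().seenDuringInit);
        System.out.println("safe:   " + SafeChild.create().seenDuringInit);
    }
}
```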

I only had a twenty minute speaking slot, so I had to move quickly in order to demo six tools: FindBugs, Checkstyle, PMD, IntelliJ IDEA's Inspections feature, the Eclipse Testing and Performance Tools Platform's static analysis sub-project, and the NetBeans IDE's Project Jackpot.

To me there are three very interesting trends in the world of Java static analysis tools. The first is the increasing use of the technology inside the major Java IDEs. IntelliJ IDEA's Inspections feature has been available for a while, but the Eclipse TPTP project and Project Jackpot have only been made available relatively recently. The second is a follow-on of the first: the IDE-based tools can not only find problems in your code, in many cases they can automatically change the code for you in order to fix the problem. I do not know of a standalone static analysis tool that offers that feature.

The third trend is that it is getting easier and easier to define your own "bug." In other words, if a tool does not provide a pre-built definition for a particular code pattern that you are interested in, you can write your own. If that means writing to a Java API, most folks are not interested. More and more though, this is not necessary. PMD has a feature where XPath expressions can be used. Eclipse TPTP has a few simple templates available that you can choose from a dialog box. And Project Jackpot has a very nice rules language that provides a unique feature: you can not only specify a pattern to find, but also a pattern to be used to replace any code that is found.

My presentation was not intended as a contest. All of these tools have strengths and weaknesses. But I did put up a comparison matrix, which is below.

| Name | Free? | Examines | Scriptable? | Automatically Apply Fixes? | Java API? | Other extensions |
|---|---|---|---|---|---|---|
| FindBugs | Yes | Byte code | Yes | No | Yes | No |
| Checkstyle | Yes | Source | Yes | No | Yes | No |
| PMD | Yes | Source | Yes | No | Yes | XPath |
| IntelliJ IDEA | No | Source | Yes | Yes | Yes | No |
| Eclipse TPTP | Yes | Source | No? | Yes | Yes | Templates |
| NetBeans Project Jackpot | Yes | Source | Planned | Yes | Yes | Rule language |

The world of static analysis tools is much bigger than this. I have only discussed bug-finding tools. There are others that are geared more towards helping you understand the architecture of your source code. Fabiano and I are planning to submit a proposal for a Birds of a Feather talk on static analysis tools for JavaOne 2007.
