
Talking About Static Analysis

Posted by gsporar on November 8, 2006 at 6:06 PM PST

We are fortunate that in the Java world, there are
many high-quality static analysis tools available for
free. I talked about a few of them the other night
at a meeting
of the Austin Java Users Group.

Like many people, the first static analysis tool
for Java code that I encountered was
FindBugs. The
current version is 1.1.1, but do not let that
relatively low version number fool
you - the tool is very robust and has been around for
quite a while.

My current fascination with static analysis tools
is driven by two things:
Project Jackpot and a desire
to spread the word about static analysis tools. Based on
my very un-scientific research, there are still many
developers who use Java but do not know about these tools.

In September I went to Oslo for
JavaZone.
I was talking with
a gentleman who attended my
presentation and our conversation
drifted to tools for verifying the correctness of multi-threaded
code. I asked if he was using FindBugs (which has many bug detectors
for common concurrency problems) and he replied that he had never heard
of it. I was surprised for two reasons: he indicated he was not
new to the Java world and he apparently keeps up with
what is going on - he was attending a conference for Java developers.

My presentation in Austin provided further evidence. As I described
each tool I asked for a show of hands for the number of people who had
heard of the tool. Not many hands went up.

One more data point:
Fabiano Cruz
recently wrote an excellent blog
entry on static analysis tools. I sent him an email and he and I have
corresponded a bit since then. He stated that many of the developers
he encounters have also not heard of these tools.

So what's so great about these tools anyway? They help find bugs.
When talking about static analysis, "bug" is defined very broadly. In other words, static
analysis tools help locate common anti-patterns. Examples include
failure
to adhere to coding standards and unsafe practices such
as calling overridable methods from a constructor.
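To show why an analyzer flags a call to an overridable method from a constructor, here is an added example (not code from this post or from any of the tools it mentions): the base constructor dispatches to a subclass override that reads a subclass field before that field's initializer has run, and a hardened version beside it calls only a private helper.

```java
// Added example: the "overridable method called from constructor" anti-pattern
// that FindBugs/PMD-style checkers report, and why it matters at runtime.
public class ConstructorCallDemo {

    static class Base {
        Base() {
            // Virtual dispatch reaches the subclass override while the
            // subclass part of the object is still unconstructed.
            init();
        }

        void init() {
            System.out.println("Base.init");
        }
    }

    static class Derived extends Base {
        // Non-final on purpose: a final String constant would be inlined by
        // the compiler and hide the bug. This initializer runs only after
        // the Base constructor has returned.
        private String name = "derived";

        @Override
        void init() {
            // Called from Base(): 'name' has not been assigned yet, so the
            // override observes null rather than "derived".
            System.out.println("Derived.init sees name=" + name);
        }
    }

    // Hardened form: the constructor calls only a private helper, which a
    // subclass cannot override, so partially built state is never exposed.
    static class SafeBase {
        SafeBase() {
            setup();
        }

        private void setup() {
            System.out.println("SafeBase.setup");
        }
    }

    public static void main(String[] args) {
        new Derived();
        new SafeBase();
    }
}
```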

I only had a twenty minute speaking slot, so I had to move quickly
in order to demo six tools: FindBugs,
Checkstyle,
PMD,
IntelliJ IDEA's
Inspections feature,
the Eclipse Testing and Performance
Tools Platform's
static analysis sub-project,
and the NetBeans IDE's Project Jackpot.

To me there are three very interesting trends in the world of Java
static analysis tools. The first is the increasing use of the
technology inside the major Java IDEs. IntelliJ IDEA's Inspections
feature has been available for a while, but the Eclipse TPTP
project and Project Jackpot have only been made available relatively
recently. The second is a follow-on of the first: the IDE-based tools
can not only find problems in your code, in many cases they can automatically
change the code for you in order to fix the problem.
I do not know of a standalone static analysis tool
that offers that feature.

The third trend is that it is getting easier and easier to define your
own "bug." In other words, if a tool does not provide a
pre-built definition for a particular code pattern that you are interested in,
you can write your own. If that means writing to a Java API, most folks
are not interested. More and more though, this is not necessary. PMD has
a feature where XPath expressions can be used. Eclipse TPTP has
a few simple templates available that you can choose from a dialog box. And
Project Jackpot has a very nice rules language that provides a unique
feature: you can not only specify a pattern to find, but also a pattern
to be used to replace any code that is found.

My presentation was not intended as a contest. All of these tools have
strengths and weaknesses. But I did put up a comparison matrix, which is
below.

Name                      Free?  Examines   Scriptable?  Automatically Apply Fixes?  Java API?  Other extensions
------------------------  -----  ---------  -----------  --------------------------  ---------  ----------------
FindBugs                  Yes    Byte code  Yes          No                          Yes        No
Checkstyle                Yes    Source     Yes          No                          Yes        No
PMD                       Yes    Source     Yes          No                          Yes        XPath
IntelliJ IDEA             No     Source     Yes          Yes                         Yes        No
Eclipse TPTP              Yes    Source     No?          Yes                         Yes        Templates
NetBeans Project Jackpot  Yes    Source     Planned      Yes                         Yes        Rule language


The world of static analysis tools is much bigger than this. I have only
discussed bug-finding tools. There are others that are geared more towards
helping you understand the architecture of your source code. Fabiano and I
are planning to submit a proposal for a Birds of a Feather talk
on static analysis tools for JavaOne 2007.