John D. Mitchell's Blog

Performance Archives

FindBugs in Anger

If you aren't already using Findbugs then hopefully you've at least heard about it by now and have some idea of how useful it can be.

If not, then let me say that FindBugs is a must have tool in the arsenal of any Java developer and any development team that's not using it as part of their regular development practices is incompetent.

Bill Pugh has done a fantastic job making FindBugs a great F/OSS tool which helps detect a large variety of all too common programming mistakes in Java.

You can find an online demo, slides from last year's FindBugs introduction , and can even run FindBugs over the web.

If you aren't yet convinced that FindBugs is really useful, let me point out that I've used FindBugs as an expert witness in cases where outsourcing projects had gone wrong and people were arguing about the quality of the delivered code (among other things). You have been warned. :-)

Go wild!

JaveOne 2007, Community One

Sun is, as everybody knows, struggling to get mindshare around their products. This is especially true as they try to get uptake as they open source more of their stuff -- such as Solaris.

Hiring Ian Murdock of Debian fame is a pretty good idea to me. One of the biggest hurdles to (Open) Solaris uptake is the fact that so many things in dealing with Solaris are so annoyingly odd to all the folks who are used to the relatively consistent GNU userland experience and the usable package managers on Linux and *BSD distributions.

Another item that came through over and over again throughout the day was that one of, if not the key reason to use Solaris is DTrace. DTrace is an efficient execution tracing framework and if you haven't used it, you're missing out. Story after story from a wide variety of developers, sys admins, QA folks, etc. touted how using DTrace allowed them to get insight into the actual running of their systems and how big a difference that can make. While it's an open question of whether/when this will make it to Linux, DTrace is already in the next version of OS X and will be in the *BSDs sooner rather than later.

I must say that I was surpised how little I saw emphasizing the coolness of ZFS. It's a modern filesystem designed for the current disk storage and usage reality rather than how things were 20 years ago. Coupling ZFS with Sun's Thumper box is, IMHO, a compelling reason to actually buy Sun hardware. There's no really good filesystems in the open source world if you actually care about your data and want good performance and manageability. ReiserFS is pretty much orphaned and while the ext family are okay for desktop and non-critical servers, they just don't cut it when the data really matters.

Of course, for Java developers, the question is pretty much moot as to whether it's any advantage to go with Linux or Open Solaris. Java runs well on both. It was quite funny to hear some pushback to Greg Luck's (of ehcache) comment that OS doesn't really matter -- just a good JRE implementation. That's just playing out the old Java mantra of "write once, run anywhere" in the real world. Of course, operating system choice does matter to a point -- Greg's own company is an example of moving from ASP.net to Java because of scalability / performance reasons and days vs. months and years of uptime.

For me, I've used all of them for so long that it's mostly just a question of using what works for any given need. I'm hoping that the continued opening up of Solaris will help spur improvements in the Linux world and that many of the things that we love about the OSS operating systems will help improve Solaris so that moving around from one to the other is even easier.

Piss Poor Web Security Approaches

Pete Freitag writes up 20 ways to Secure your Apache Configuration. Now, all 20 tips are useful to help make Apache less insecure but they certainly don't make an Apache installation actually "secure."

First off, note clearly how many things you have to go out of your way to turn off. That is, look at all of the extraneous, insecure junk that is installed and configured as part of a default Apache setup up. That's a big violation of the security dictum that we should be secure by default and have to explicitly take action to add in extra, insecure things. An example of why this is so important is that if you actually go through all of this tightening and then upgrade that server and forget to go back through and do all of the tightening again... Oops, not only will your system be insecure again but you'll probably be under the false assumption that your system is secure when it isn't. I've seen this happen way too many times to my clients and friends.

Second, if one really cares about security, why on earth would anyone consider Apache at all? There are many much better http server solutions out there for anyone needing serious security such as publicfile. Publicfile takes an arguably extreme approach and is fundamentally incapable of the vast majority of web server security problems. Therefore, other web servers such as the venerable, static-speed demon thttpd, the new, feature-rich kid on the block, LightTPD, or even the commercial king-of-the-hill Zeus Web Server can be a much better blend of increased security and increased performance.

Of course, if you're doing Java-based web server applications, Jetty and Resin are great solutions but they also tend to err by having way too much enabled by the default configurations.

Sun to open-source SPARC architecture

Sun's open-source evangelist, Simon Phipps says that "the Verilog source code, tools and more behind the UltraSPARC T1 (the "design point") will be released under an OSI-approved open source license next year." They will supposedly be trying to create a hardware development community around SPARC computer architecture via OpenSPARC.net.

Given that the SPARC architecture has, like MIPS, been relegated to the "who cares" leagues in recent years, this move is a chance for Sun to (try to) save its hardware-based lifestyle. Of course, it remains to be seen what all of the details are in terms of things like patent and trademark legal land mines.

Of course, for those following along, look at how Sun's "born again" take on open source is proceeding everywhere except for the Java core. That's an awfully good indication of where Sun thinks the real power is (and what they are afraid of losing their control of).

ObJava: Sun's David Dagastine shows benchmarks of running Java J2SE v5 on Sun UltraSPARC T1.

GCC turns 4.0

The GNU folks have released version 4.0 of the venerable GCC compiler with built-in support for the C, C++, Objective-C, Ada, Fortran, and Java programming languages.

The biggest general change is the completely new intermediate language representation based on tree SSA. SSA (Static, Single Assignment) is a modern approach to the intermediate representation of the parsed programs which allows for a much more sane and aggressive approach to optimization.

On the Java front, the GCJ sub-project has made major improvements including better support of AWT and Swing and a lot more of the other Java libraries such as java.util.regex. If you didn't know, GCC can generate native (machine-specific) binaries directly from Java code.

Check out the ChangeLog for more details.

Rhythms in Software Development

In Fartlek - Increasing your Sustainable Pace, Erik Meade uses the fartlek concept to talk about sustainable pace in software development. However, the notion of fartlek comes from training e.g., runners. That is, the combination of short, intense work interspersed with longer, lower intensity work increases an athlete's ability to perform both in terms of their base level and their peak performance.

So, in terms of training software developers to become more proficient, there is some validity in intensive learning situations so as to point out the need to improve our ways of doing things. However, the fartlek metaphor doesn't really work in the software development world because the stress of high pressure work doesn't e.g, make us more capable of sustaining a faster base pace or increase our peak performance. The facts are clear that the stress induces worse results and more work (due to the need to e.g., fix the bugs introduced as a consequence of trying to ameliorate the stress) both in the short term and over time.

A more appropriate metaphor for what Erik is talking about is the notion of rhythm. Humans, both individuals and groups, function in rhythms. The rhythms come in various granularities such as daily, weekly, seasonally, etc. and various types such as mental, physical, emotional, and spiritual. In my experience, software developers and managers (and the myriad, inhumane "methodologies" that are used) not only tend to ignore the rhythms in our lives but actively fight against them.

For example, one key aspect in the perennial war between computer "languages for dumb people" and "languages for smart people" is how the language designers choose to either put various kinds of straitjackets on people or give folks plenty of rope to hang themselves with. :-)

The key manifestation of rhythm in agile practices is, IMHO, actually the notion of (very) short cycles, both individually in terms of individual task management (via, e.g., TDD) and group project management (i.e., XP's "iterations" and Scrum's "sprints"). The rapid cycling provides the hooks, if you will, of perceiving the reality of what's been accomplished (or not) and choosing how to adjust moving forward.

I leave it, for now, as an exercise for the reader to delve into how the notion of rhythm fits into the software itself and the systems that we create with that software.

The Tar Pit of Programming

Frederick P. Brooks, Jr.'s classic, The Mythical Man-Month: Essays on Software Engineering is the first selection for the java.net bookclub.

I'm honored to be the moderator for this first bookclub foray and I expect things to get boiling as we attempt to address the tar pits in which we are stuck. I hope that you will join us in examining and discussing the fads, fallacies, dreams, and harsh realities of modern sofware development.

Lame "survey" on Java reliability

First off, let me question the fact that nowhere is it listed in the article that we can't actually get a copy of the survey and survey results without signing up for one of Wiley Technologies seminars (i.e., sales pitches). Tsk, tsk, tsk.

Now, without a much better idea of the actual contents of the survey it's ridiculous to rely on any of the so-called results of the survey. Let's just say, for the moment, that I'm skeptical all around all of the numbers. I call on Wiley Technology to provide the full survey and results to one and all so that we can decide for ourselves.

JavaOne 2003: Java's Debutante Ball

Check out my article looking back on the weird and wondrous happenings at this year's JavaOne show.

Scheduling Snafu

Yes indeed, you know the cluetrain has left the station when perennial favorite, Doug Lea, has his Concurrency talk scheduled in one of the tiny session rooms. Yeah, that makes a lot of sense at a developer conference.

The best suggestion that I heard to help make up for it would be to make Doug's talk available online for free -- instead of having to fork out $40 (on top of the conference fee!) to be able to get access to all of the conferences sessions online.

This work is licensed under a Creative Commons License.