UP | HOME
../../

Static Code Analysis to Find Bugs

TBD: merge ../SecureProg/static-analysis.html

1 Code Inspections

  1. Empirical data lets us conclude:
  2. The combination of design and code inspections usually removes 70-85 percent or more of the defects in a prod uct (Jones 1996).
  3. Designers and coders learn to improve their work through participating in inspections, and inspections increase productivity by about 20 percent (Fagan 1976, Humphrey 1989, Gilb and Graham 1993, Wiegers 2002).
  4. On a project that uses inspections for design and code, the inspections take up about 10-15 percent of project budget and will typically reduce overall project cost.
  5. The typical organization uses a test-heavy defect-removal approach and achieves only about 85 percent defect removal efficiency.
  6. Leading organizations use a wider variety of techniques and achieve defect-removal efficiencies of 95 percent or higher (Gones 2000).

2 Selected Code Review Tools

  1. [Unordered. Required Visits]
  2. Crucible https://www.atlassian.com/software/crucible
  3. CodeCollaborator https://smartbear.com/product/collaborator/
  4. Review Board https://www.reviewboard.org/
  5. CodeStriker http://codestriker.sourceforge.net/
  6. CodeBrag http://codebrag.com/ "Your daily code review tool"
  7. Barkeep http://getbarkeep.org/ "the friendly code review system"
  8. SonarQube http://www.sonarqube.org/
  9. jlint http://jlint.sourceforge.net/ find bugs, inconsistencies and synchronization problems by doing data flow analysis
  10. Doxygen Code Review http://www.stack.nl/~dimitri/doxygen/ Generate documentation from source code
  11. FindBugs http://findbugs.sourceforge.net/
  12. PMD https://github.com/pmd
  13. CheckStyle http://checkstyle.sourceforge.net/

3 FindBugs

  1. A bug pattern is a code idiom that is often an error.
    1. Difficult language features
    2. Misunderstood API methods
    3. Misunderstood invariants when code is maintain
    4. typos, wrong boolean operators, …
  2. Static analysis to inspect Java bytecode for bug patterns.
    1. Without executing the program
    2. don't even need the program's source
  3. can report false warnings, and also miss real errors.
    1. In practice, false warnings < 50%.

3.1 FindBugs Categories

  1. Bad practice
  2. Correctness
  3. Dodgy
  4. Experimental
  5. Internationalization
  6. Malicious code vulnerability
  7. Multithreaded correctness
  8. Performance
  9. Security

3.2 Slides

  1. ./findbugs-etc.pptx FindBugs, etc. Eclipse and IDEA Plugins. These are pmateti's slides.

4 PMD

PMD parses Java source code and looks for potential problems like:

  1. Possible bugs - empty try/catch/finally/switch statements
  2. Dead code - unused local variables, parameters and private methods
  3. Suboptimal code - wasteful String/StringBuffer usage
  4. Overcomplicated expressions - unnecessary if statements, for loops that could be while loops
  5. Duplicate code - copied/pasted code means copied/pasted bugs
  6. PMD-CPD - Copy/Paste Detector (CPD)

4.1 PMD RuleSets

  1. Android Rules: These rules deal with the Android SDK.
  2. Basic Rules: The Basic Ruleset contains a collection of good practices which everyone should follow.
  3. Braces Rules: The Braces Ruleset contains a collection of braces rules.
  4. Clone Implementation Rules: The Clone Implementation ruleset contains a collection of rules that find questionable usages of the clone() method.
  5. Code Size Rules: The Code Size Ruleset contains a collection of rules that find code size related problems.
  6. Controversial Rules: The Controversial Ruleset contains rules that, for whatever reason, are considered controversial.
  7. Coupling Rules: These are rules which find instances of high or inappropriate coupling between objects and packages.
  8. Design Rules: The Design Ruleset contains a collection of rules that find questionable designs.
  9. Import Statement Rules: These rules deal with different problems that can occur with a class' import statements.
  10. JavaBean Rules: The JavaBeans Ruleset catches instances of bean rules not being followed.
  11. JUnit Rules: These rules deal with different problems that can occur with JUnit tests.
  12. Java Logging Rules: The Java Logging ruleset contains a collection of rules that find questionable usages of the logger.
  13. Migration Rules: Contains rules about migrating from one JDK version to another.
  14. Migration15: Contains rules for migrating to JDK 1.5
  15. Naming Rules: The Naming Ruleset contains a collection of rules about names - too long, too short, and so forth.
  16. Optimization Rules: These rules deal with different optimizations that generally apply to performance best practices.
  17. Strict Exception Rules: These rules provide some strict guidelines about throwing and catching exceptions.
  18. String and StringBuffer Rules: Problems that can occur with manipulation of the class String or StringBuffer.
  19. Security Code Guidelines: These rules check the security guidelines from Sun.
  20. Unused Code Rules: The Unused Code Ruleset contains a collection of rules that find unused code.

4.2 PMD Rule Examples

  1. EmptyCatchBlock: Empty Catch Block finds instances where an exception is caught, but not hing is done. In most circumstances, this swallows an exception which should either be acte d on or reported.
  2. EmptyIfStmt: Empty If Statement finds instances where a condition is checked but nothing is done about it.
  3. EmptyWhileStmt: Empty While Statement finds all instances where a while statement does nothing. If it is a timing loop, then you should use Thread.sleep() for it; if it's a while loop th at does a lot in the exit expression, rewrite it to make it clearer.
  4. EmptyTryBlock: Avoid empty try blocks - what's the point?
  5. EmptyFinallyBlock: Avoid empty finally blocks - these can be deleted.
  6. EmptySwitchStatements: Avoid empty switch statements.
  7. JumbledIncrementer: Avoid jumbled loop incrementers - it's usually a mistake, and it's conf using even if it's what's intended.
  8. ForLoopShouldBeWhileLoop: Some for loops can be simplified to while loops - this makes t hem more concise.

5 CheckStyle

  1. Development tool to help programmers write Java code that adheres to a coding standard. It automates the process of checking Java code to spare humans of this boring (but important) task.
  2. Highly configurable and can be made to support al most any coding standard. An example configuration file is supplied supporting the TBD Sun Code Conventions. Other sample configuration files are supplied for other well known conventions.

5.1 Dead Code Detector

TBD fig

6 IntelliJ Idea

IDE Features Community Edition Ultimate Edition Code Duplicates No Yes Code Coverage No Yes Code Inspector Yes Yes Spell Checker Yes Yes

  1. More than 600 automated Code Inspections
  2. Finding probable bugs
  3. Locating the “dead” code
  4. Detecting performance issues
  5. Improving code structure and maintainability

7 Miscellaneous Tools

  1. Phabricator http://phabricator.org/
  2. CKJM - Chidamber and Kemerer Java Metrics
  3. Cobertura & EMMA – Test Code Coverage http://cobertura.github.io/cobertura/ A code coverage utility for Java.
  4. JavaNCSS - A Source Measurement Suite http://www.kclee.de/clemens/java/javancss/ A Source Measurement Suite for Java
  5. JDepend – Package Dependencies; Efferent Couplings (Ce) (number of other packages that the classes in the package depend upon)
  6. Struture101 http://structure101.com/ "For understanding, analyzing, m easuring and controlling the quality of your software Architecture as it evolves over time."
  7. Sotoarc/Sotograph https://www.hello2morrow.com/ "Architecture and quality in-depth analysis and monitoring for Java"
  8. XRadar http://xradar.sourceforge.net/ roduces HTML/SVG reports of the systems current state and the development over time

8 References

  1. https://en.wikibooks.org/wiki/Introduction_to_Software_Engineering/Tools/Static_Code_Analysis
  2. http://findbugs.sourceforge.net/ David Hovemeyer and William Pugh, "Finding Bugs is Easy", ACM SIGPLAN Notices, Volume 39 Issue 12, December 2004, pp 92 - 106, search for its PDF, Required Reading
  3. http://checkstyle.sourceforge.net/ Checkstyle verifies that your Java code adheres to a coding standard.
  4. http://pmd.sourceforge.net/ PMD finds unused variables, empty catch blocks, unnecessary object creation, and so forth. Plugin for Eclipse and IDEA
  5. ./findbugs-etc.pptx FindBugs, etc. Eclipse and IDEA Plugins. These are pmateti's slides, TBD to be merged into these notes.
  6. http://web.stanford.edu/~engler/engler-vmcai04.pdf Engler, Dawson, and Madanlal Musuvathi. "Static analysis versus software model checking for bug finding." Verification, Model Checking, and Abstract Interpretation. Springer Berlin Heidelberg, 2004.
  7. Chou, Andy, Junfeng Yang, Benjamin Chelf, Seth Hallem, and Dawson Engler. An empirical study of operating systems errors. Vol. 35, no. 5. ACM, 2001.
  8. Brown, Fraser, Andres Nötzli, and Dawson Engler. "How to Build Static Checking Systems Using Orders of Magnitude Less Code." Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems. ACM, 2016. http://web.stanford.edu/~mlfbrown/paper.pdf Recommended Reading.
  9. Brittany Johnson, Yoonki Song, Emerson Murphy-Hill, and Robert Bowdidge "Why Don't Software Developers Use Static Analysis Tools to Find Bugs? ", http://2013.icse-conferences.org/ 35th International Conference on Software Engineering (ICSE 2013). Web PDF Required Reading.
  10. http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
Copyright © 2016 pmateti@wright.edu www.wright.edu/~pmateti 2016-03-28