I'm sitting in the FindBugs session, and it's pretty interesting. The last time I interacted with static analysis it was a product from Parasoft (?), and it wasn't that compelling. FindBugs looks interesting and simple, and it is integrated with Hudson. Everyone seems to be moving to Hudson; Kohsuke has created a very compelling CI server.
Quick Facts
FindBugs Project Page. FindBugs is LGPL and is integrated with a bunch of different IDEs, plus Ant, Maven, and Hudson. It is used by some very large players, including Sun, eBay, and Google.
Notes from the Session
- “in anger” is a British term, loosely translated as “using something with seriousness and intent”.
- “FindBugs analyzes a program without executing it. Generally, static analysis tools have no idea what your program is supposed to do. Instead it looks for violations of reasonable programming practices. If this statement is executed, an NPE will occur. Not a replacement for testing; very good at finding that you have code that is not tested.”
- “FindBugs is 5-6 years old.” When he started working on FindBugs, people didn’t take static analysis very seriously; the attitude was “Programmers are smart, smart programmers don’t make dumb mistakes, we have all these good techniques for finding bugs, so if there actually are bugs in production code they must be very subtle bugs.” On the next slide he shows an egregious bug that was released in the JDK. Something like:
if (filters == null) { filters.remove(filter); }
- Quote: “I found embarrassing bugs written by some of the best programmers I know. I found bugs in Joshua Bloch’s code.”
- Quote: “When you start talking about 00,000 lines or a million lines, the kinds of things I’m talking about become essential. Google, Sun, and eBay use FindBugs. Google has fixed more than 1000 issues identified by FindBugs. Google has removed more than 80 infinite loops from the Google codebase with FindBugs.”
- Quote: “FindBugs is a small open source project. Only 3 people regularly commit code to it, none of them full time. A lot of the stuff is not well documented.”
- Quote: “Hudson is my favorite way to use FindBugs.”
- Quote: “One of the [worst] use cases for static analysis is for your pointy-haired boss to decide who’s writing good code and who’s writing bad code.”
- Google facts: over two years, one person-year of effort. Reviewed 1663 issues, 804 fixed by developers. Back-of-the-envelope: 5-15 issues reviewed and processed per day per auditor.
- He spends a lot of time talking about filtering bugs, i.e. which bugs to ignore. His advice was to ignore low-priority bugs in a massive code base.
- Other cool stuff: FindBugs will keep track of historical bugs, so you can track your project’s improvement over time. It keeps track of “Bug Instances” in an XML format.
- The Swing GUI and Eclipse plugins allow you to annotate results from FindBugs; the annotations are stored in the XML. You can run an analysis and then someone can circle back and say things like “Ignore this bug” or “Judy is going to fix this bug”. You can reconcile bugs against bug history. My impression here is that FindBugs is less a reporting tool and more a tool that lets you act on those reports.
- The project is currently working to store this bug database in an external database.
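To make the two bug classes from the session concrete (the inverted null check from the JDK example, and the infinite loops Google removed), here is an added Java example. It is not code from the talk or from the FindBugs project; the class, field and method names are made up for illustration. Each buggy method is kept exactly as FindBugs would see it, next to its fixed form, with the FindBugs bug-pattern name it reports in a comment.

```java
// Added example (not from the session or the FindBugs project): two defect
// patterns FindBugs catches by dataflow analysis, without running the code.
// Class, field and method names are hypothetical.
import java.util.ArrayList;
import java.util.List;

public class FindBugsPatterns {

    private List<String> filters;   // may be null until first use

    // BEFORE: the inverted null check shown in the talk's JDK example.
    // Inside the branch 'filters' is known to be null, so the call can
    // only throw NullPointerException. FindBugs reports this as
    // NP_ALWAYS_NULL (Null pointer dereference).
    public void removeFilterBuggy(String filter) {
        if (filters == null) {
            filters.remove(filter);
        }
    }

    // AFTER: the guard the author presumably intended.
    public void removeFilterFixed(String filter) {
        if (filters != null) {
            filters.remove(filter);
        }
    }

    // BEFORE: a method that unconditionally calls itself, one of the
    // infinite-loop shapes FindBugs detects. It is reported as
    // IL_INFINITE_RECURSIVE_LOOP (An apparent infinite recursive loop) and
    // ends in StackOverflowError at run time. The usual cause is a typo in
    // a method that was meant to delegate to another one.
    public void addFilterBuggy(String filter) {
        addFilterBuggy(filter);
    }

    // AFTER: the delegation the author meant to write.
    public void addFilterFixed(String filter) {
        if (filters == null) {
            filters = new ArrayList<String>();
        }
        filters.add(filter);
    }

    // Exercises the fixed versions and shows the NPE from the buggy one.
    public static void main(String[] args) {
        FindBugsPatterns p = new FindBugsPatterns();
        p.addFilterFixed("a");
        p.removeFilterFixed("a");
        System.out.println("fixed versions ran, filters=" + p.filters);
        try {
            new FindBugsPatterns().removeFilterBuggy("a");
        } catch (NullPointerException e) {
            System.out.println("buggy version threw NullPointerException");
        }
    }
}
```

Both buggy methods compile cleanly, which is the point the speaker makes: the compiler has no opinion about what the program is supposed to do, while FindBugs flags both without a single test being written. Pointing FindBugs at the compiled class (via the Ant or Maven integration, or Hudson) reports the two patterns named in the comments.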


CheckStyle has many of the same checks and has many more style checks as well.
I periodically execute PMD and FindBugs in our Java projects with custom sets of rules/filters.
I've learned a lot from both tools.
I've been using FindBugs since I saw the JavaOne presentation in...2005 I think (or was it 2004?). I don't use it every day, but I run it every so often and I find it an invaluable tool in improving a code base.