Destroy annoying bugs part 1: FindBugs and PMD doing good work cheaply

Finding bugs in your code can be quite nasty--especially if you don't know where to look. However, finding bugs automatically does not require astronaut training. I think it's time to leave that "pleasure" to free (as in freedom) automatic static code review tools like the ones reviewed in this series of articles.

These search-and-destroy missions are just a matter of running a command line tool (or Eclipse GUI). The methodology shakes your source code, kicking the tires and checking the manifest folds of the warp engine, scaring some of the worst issues into the light of observable reports. Did I also mention the satisfaction involved when splattering bugs? You get them before they get you; all rather proactive and vindictive, the poor fools do not stand a chance.

By the end of this series of articles, I hope you will have that warm fuzzy feeling. It is great fun watching the birds fly from the grass. It is a strong-handed technique that hits bugs rapidly and, over time, accurately. Did I also mention the satisfaction involved when splattering bugs?

The three tools I am going to introduce are:

  • FindBugs;
  • PMD;
  • TFTP, the Test and Performance Tools Platform Project for Eclipse.

They are all worthy technologies. I will hopefully describe enough to motivate you all to try them out, and perhaps even extend them with custom bug-eating rule sets. Finally, you will get to read interviews with two of the leading lights: Professor Bill Pugh for FindBugs and his counterpart Tom Copeland, who represents the excellent team effort going into PMD.

This article is split over a number of well-divided parts that represent a partial snapshot of current free software technologies. I have placed special emphasis on Java because it's the language I use in my daily working life (that's my secret identity as a Senior Developer). I am sure that counterpart tooling exists for C, C++ and most other languages; I just have little experience of those domains and will concentrate on where I have practiced and have enough real-world experience to discuss.

Read on and be dazzled by the ease of use and economic viability of static code reviews, the searching of code for well-known and disliked bug patterns.

Why automatic tools?

To steal, and better still misquote, from a videoed presentation for Google by Bill Pugh: everyone makes mistakes, and even the cleverest can, dare I say it, make really stupid mistakes. We all have our moments of programmer's insanity. Who needs a million monkeys bashing at typewriters when a tired programmer, stressed by artificial time constraints, can press that fatal key combination much more effectively? Making the situation worse is the disjointed nature of large projects scattered over many continents, consuming hundreds of thousands of lines of code. Even for excellent and well-regarded projects, with bug densities ranging from nearly zero to ten significant issues per thousand lines of uncommented code, the process of raw black-box functional debugging is economically unfavorable. In the face of these problems, the use of continuous builds with automatic static code reviews is a really sharp and pointed sword to use in the fight for quality, especially if the developers are motivated to clean up their programming bedrooms afterwards.

How do they work?

The word "static" means just that: the source code is reviewed without actually running it.

If you study code long enough you can start to discern common patterns of failure. Each team or coder usually has a list of "favorite" annoying mistakes that others make. For one it will be accidentally throwing null-pointer exceptions, for another it's stupid naming conventions leading to messy code maintenance. Over time these mistakes can become the first and occasionally only bug set they'll look for - hardly an unbiased review.

We all make mistakes, and the more you code the more that will happen. Criticism is cheap, especially from those who do very little and are thus flawless. The good news is that automatic code reviews are neutral, unbiased, and consistent once you understand them. The bad news is that some of the rules are not always correct and generate dust, and others are trivial for a given project. Choosing the obviously bad bugs first is a sound way to start out with this technology.

Imagine, if you dare, that the bullets are flying and there is a smell of frustrated managers and the sound of angry villagers with pitchforks echoing resonantly through the blood-encrusted corridors. Under fire I have seen helpful rules find problems begging to be wiped: infinite loops, locations that throw null-pointer exceptions, dubious synchronization, wasted resources, database connections left open and numerous language subtleties. Luckily, the reviews point to a large subset of these randomly distributed and well-camouflaged bugs quickly and economically. The automated processes do not get bored or frustrated.

PMD works directly with the uncompiled -- unsoiled by reality -- source. FindBugs looks at the compiled code, the class file, and therefore does not even need the original .java files. TFTP allows the developer to browse their own code and provide a quick fix. Both PMD and FindBugs are simple to use and have plugins for Eclipse and other IDEs. All the tools work surprisingly quickly and between them implement hundreds of rules.
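As an added illustration (not code from the article, nor from the FindBugs or PMD projects), here are three Java snippets of the kinds of defects listed above, each beside its corrected form; the class and method names are invented for the example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.sql.Statement;

// Added example, not from the article: three bug patterns of the kinds named
// above, each beside its fixed form. Names are invented for illustration.
public class BugPatterns {
    // 1. Null-pointer dereference: name is tested against null and then
    //    dereferenced on the very branch where it is known to be null.
    static int nameLengthBuggy(String name) {
        if (name == null) {
            System.out.println("missing name: " + name.length()); // NPE here
        }
        return name.length();
    }

    static int nameLengthFixed(String name) {
        return name == null ? 0 : name.length();
    }

    // 2. Open database connection: if execute() throws, neither close()
    //    runs and the connection leaks.
    static void runBuggy(String url, String sql) throws SQLException {
        Connection conn = DriverManager.getConnection(url);
        Statement st = conn.createStatement();
        st.execute(sql);
        st.close();
        conn.close();
    }

    // Fixed: try-with-resources closes both handles on every exit path.
    static void runFixed(String url, String sql) throws SQLException {
        try (Connection conn = DriverManager.getConnection(url);
             Statement st = conn.createStatement()) {
            st.execute(sql);
        }
    }

    // 3. Dubious synchronization: counter++ is a read-modify-write, so two
    //    threads calling the unsynchronized version can lose increments.
    private int counter = 0;
    void incrementBuggy() {
        counter++;
    }

    synchronized void incrementFixed() {
        counter++;
    }
}
```

Running FindBugs over the compiled class, or PMD over the source, reports the three buggy methods and stays quiet on their fixed counterparts.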

Coming up...

Part 2 of this series serves as an introduction to static code review. I will briefly show you how to use PMD, FindBugs and TFTP inside Eclipse, a nice graphical start to a new day.

Part 3 has a FindBugs motif; you will have the pleasure of reading an interview with one of the driving forces behind the tool, Professor Bill Pugh. However, before the interview you will get your hands very dirty, very quickly, on a large-scale coding project of your choice. Within a few lines of bash scripting and a little unzipping you will indulge your wildest Quality Assurance dreams quickly, painlessly, and automatically. It's worth noting that, in Bill's experience, about 50% of the high or medium priority bugs found in such missions have historically been proven real. Sure, this may not be true for every project. However, these tools are super viable for the economics of large-scale debugging processes, and have the potential to push the communal quality to a greater consistency. Developers then have more time to concentrate on the deeply hidden and nastier issues. Find out for yourself.

Finally, in part 4, mission PMD, I will concentrate my efforts on the basics of PMD rule design. With minimal knowledge of XPath you will discover how truly easy it is to make your own custom rules for catching your local menagerie of bugs and mildly stupid inconsistencies. I will also introduce you to Tom Copeland, PMD team member, author of PMD Applied and a second book on JavaCC. Tom certainly knows what he is talking about.

Sit back, press the big red button and watch the stones fall from on high.

Acknowledgments

I would like to thank my wife Hester vander Heijden for fourteen years of reviewing my bugs and the Eclipse, FindBugs and PMD teams for building products so excellent and easy to use.

Author information

Biography

Alan Berg, BSc, MSc, PGCE, has been a lead developer at the Central Computer Services at the University of Amsterdam for the last eight years. In his spare time, he writes computer articles. He has a degree, two masters and a teaching qualification. In previous incarnations, he was a technical writer, an Internet/Linux course writer, and a science teacher. He likes to get his hands dirty with the building and gluing of systems. He remains agile by playing computer games with his kids who (sadly) consistently beat him physically, mentally and morally.

You may contact him at reply.to.berg At chello.nl
