Analysis and comparison of "reprint" Common Java static Code analysis tools

Source: Internet
Author: User
Tags finally block modifiers naming convention checkstyle



Excerpt from: http://www.oschina.net/question/129540_23043 analysis and comparison of common Java static code analysis tools






Introduction: This article first introduced the static Code Analysis basic concept and the main technology, then introduced the existing 4 kinds of mainstream Java static Code analysis tool (Checkstyle,findbugs,pmd,jtest), finally from the function, Features and other aspects to analyze and compare them, hoping to help Java software developers understand static code analysis tools, and choose the right tools to apply to software development.






Introduction



In the Java software development process, the development team often spends a lot of time and effort to discover and modify code flaws. The Java Static Code analysis tool enables developers to quickly and effectively locate code defects and correct them in a timely manner during code building, greatly improving software reliability and saving software development and testing costs. At present, there are many kinds of Java static Code analysis tools on the market, so this article will introduce the existing 4 kinds of mainstream Java Code Analysis Tools (Checkstyle,findbugs,pmd,jtest), and analyze and compare them from the aspects of function, characteristic, etc. Hope to help Java software developers understand static code analysis tools and choose the right tools to apply to software development.



Introduction to Static code analysis tools



What is static code analysis



Static code analysis refers to the need to run the code, only by analyzing or checking the source program's syntax, structure, process, interface, etc. to check the correctness of the program, to find code-behind errors and defects, such as parameter mismatch, ambiguous nested statements, incorrect recursion, illegal calculation, possible null pointer reference, and so on.



In the process of software development, static code analysis is often preceded by dynamic testing and can also be used as a reference for developing dynamic test cases. Statistics show that 30% to 70% of code logic design and coding flaws can be discovered and repaired through static code analysis throughout the software development lifecycle.



However, because static code analysis often requires a lot of time consumption and knowledge accumulation, for software development teams, using static code analysis tools to automate code inspection and analysis can greatly improve software reliability and save software development and testing costs.



Advantages of static Code analysis tools



1. Helper developers automatically perform static code analysis to quickly locate code-behind errors and defects.



2. Help code designers focus more on analyzing and resolving code design flaws.



3. Significantly reduce the time spent on line-by-row inspection of code, improve software reliability, and save software development and testing costs.






Theoretical basis and main technology of Java static code analysis


    • Defect Pattern Matching: defect pattern matching from the code analysis experience to collect enough common defect patterns, the code to be analyzed and existing common defect pattern matching pattern, so as to complete the software security analysis. The advantage of this approach is simple and convenient, but requires a sufficient number of defects in the built-in mode, and prone to false positives.
    • Type inference: The type inference technique is to ensure that each statement in the code is executed against the correct type by reasoning the type of the operand in the code. This technique will first define a set of type mechanisms, including inference rules such as type equivalence, type inclusions, and then inference calculations based on this rule. Type inference can examine the type errors in the code, simple, efficient, and suitable for rapid detection of code defects.
    • Model checking: The model test is based on the concept of finite state automata, which abstracts the analytical code into an automaton system, and assumes that the system is finite or can be attributed to finite state by abstraction. During the model test, the influence of each statement in the code is abstracted into a state of a finite state automaton, and then the code analysis is achieved by analyzing the finite state machine. The model test is mainly suitable for checking the sequence characteristics of the program concurrency, but it has a weak effect on the data type.
    • Data flow Analysis: Data flow analysis is also a software verification technology, which collects variable information referenced in the code to analyze the assignment, reference, and delivery of variables in the program. Analysis of a data stream determines the definition of a variable and the case in which it is referenced, while also examining a code data flow exception, such as a reference to a previous assignment, no reference to a value, and so on. Data stream analysis is mainly suitable for checking the data domain characteristics of the program.


Existing mainstream Java static analysis tools



Checkstyle



Checkstyle is an open source project for SourceForge, which examines code specifications and style checks on code-encoded formats, naming conventions, Javadoc, class designs, and so on, effectively constraining developers to better follow code writing specifications.



Checkstyle provides plug-ins that support most common Ides, with text primarily using the Checkstyle plugin in Eclipse. As shown in 1, Checkstyle encodes the code style check and displays the check results in the problems view. Figure, each magnifier icon in the Code Editor represents a code flaw found by a Checkstyle. Developers can view the error or warning details in the problems view.







In addition, Checkstyle enables users to customize code inspection specifications based on requirements, and in the 2 configuration panel, users can add or remove custom inspection specifications based on existing inspection specifications such as naming conventions, Javadoc, blocks, class designs, and so on.







Findbugs



FindBugs is an open source Java static Code analysis tool provided by the University of Maryland. FindBugs by examining a class file or JAR file, the bytecode is compared to a set of defect patterns to uncover code flaws and complete static code analysis. The FindBugs provides both a visual UI interface and can be used as an Eclipse plugin. The text will primarily use FindBugs as the Eclipse plugin. After the installation succeeds, the FindBugs perspective is added to eclipse, and the user can run FindBugs on the specified Java class or JAR file, where FindBugs traverses the specified file for static code analysis and displays the code analysis results in FINDB In the Bugs Explorer of UGS Perspective, as shown in 3:







The gray icon in the bug Explorer in the figure is the bug type, and the red icon in each category indicates that the bug is more severe, and the yellow icon indicates that the bug is a warning level. Propreties lists the description of the bug and the modification scheme.



In addition, FindBugs provides users with the ability to customize Bug Pattern. Users can customize the FindBugs code checking criteria as required, as shown in 4:







Pmd



PMD is an open source Java code static analysis tool released by DARPA on SourceForge. PMD carries out static checks of Java code through its built-in coding rules, including tests of potential bugs, unused code, repetitive code, and the creation of new objects in the loop body. PMD provides integration with a variety of Java Ides, such as Eclipse,idea,netbean. This article mainly uses PMD to integrate with Eclipse in plug-in mode. As shown in 5: In the violations overview view, the results of PMD static code analysis are displayed in the code defect severity set.







PMD also enables developers to customize code inspection specifications. Developers can add, delete, import, and Export code inspection specifications in a panel in 6.







Jtest



Jtest is an automated code optimization and testing tool for the Java language by Parasoft, Jtest's static code analysis feature automatically checks and corrects these hidden and hard-to-fix coding errors in accordance with its built-in 800 Java coding specifications. It also supports user-defined coding rules to help prevent some special usage errors. Jtest provides an Eclipse-based plug-in installation. Jtest enables developers to check the Java code for coding specifications and display the results of the check in a Jtask window, as shown in 7:







At the same time, Jtest provides support for custom code-checking configurations and even custom coding rules, which allows developers to customize the coding specifications required for different scenarios, as shown in 8:








Comparison of Java static analysis tools



This section compares the above Java static analysis tools in the following ways:



Application Technology and analytical objects



Table 1 below shows the comparison of the analysis objects and application technologies of different tools:




Table 1: Comparison of analytical objects and application techniques of different tools


Java static analysis Tools Analysis Object Application Technology
Checkstyle Java Source Files Defect Pattern Matching
Findbugs BYTE code defect pattern matching; Data Flow analysis
Pmd Java Source Code Defect Pattern Matching
Jtest Java Source Code defect pattern matching; Data Flow analysis





Built-in programming specifications



Checkstyle:


    • Javadoc notes: Checking Javadoc annotations for classes and methods
    • Naming convention: Check whether naming conforms to naming conventions
    • Title: Check if the file starts with some lines
    • Import statement: Check if Import statement conforms to definition specification
    • code block size, that is, check the number of lines of code blocks such as classes, methods, etc.
    • Blank: Check for whitespace characters, such as tab, carriage return, etc.
    • Modifiers: The inspection of decorated symbols, such as the order in which modifiers are defined
    • Block: Check for empty blocks or invalid blocks
    • Code problem: Check duplicate code, condition judgment, magic number and other problems
    • Class Design: Check that the definition of a class conforms to a specification, such as the definition of a constructor


Findbugs:


    • Bad practice Practice: Common code errors for static code checking for defect pattern matching
    • Correctness may result in incorrect code, such as null pointer reference, etc.
    • Internationalization-related issues: such as incorrect string conversions
    • Possible malicious attacks, such as the definition of access rights modifiers, etc.
    • Multithreading correctness: such as multithreaded programming common synchronization, thread scheduling problems.
    • Runtime Performance issues: Code inefficiencies caused by method calls, as defined by variables.


Pmd:


    • Possible Bugs: Check for potential code errors, such as empty try/catch/finally/switch statements
    • Unused code: Check for unused variables, parameters, methods, Dead
    • Complex expression: Checks for unnecessary if statements, which can be overridden by a for loop
    • Duplicate code: Check for duplicate code
    • Loop body Create new object: Check instantiate new object in loop body
    • Resource shutdown: Check whether connect,result,statement and other resources have been shut down after use


Jtest


    • Possible errors: Memory corruption, memory leaks, pointer errors, library errors, logic errors, algorithmic errors, etc.
    • Unused code: Check for unused variables, parameters, methods
    • Initialization error: Memory allocation error, variable initialization error, variable definition conflict
    • Naming convention: Check whether naming conforms to naming conventions
    • Javadoc notes: Checking Javadoc annotations for classes and methods
    • Threading and synchronization: Verifying common synchronization and thread scheduling problems in multithreaded programming
    • Internationalization issues:
    • Garbage collection: Check for variables and JDBC resources for memory Leak vulnerability


Error checking capability



To compare the code flaw detection capabilities of the above Java static analysis tools, this article will experiment with a sample code that will cover several common errors in our development, such as reference operations, object manipulation, complex expressions, array use, unused variables or snippets, resource recycling, Method invocation and code design several aspects. Finally, this article will be recorded in the default check specification settings, different tools for the sample code analysis results. The following is a sample code Test.java. The comment section of the code lists the possible flaws in the code.




Listing 1. Test.java Sample Code


Package Test;Import java.io.*;PublicClass Test{/** * Write the bytes from input stream to output stream. * The input stream and output stream is not closed. *@paramis *@paramOS *@throwsIOException * *Public Boolean Copy(InputStream is, OutputStream OS) ThrowsIOException {int count =0;Missing null pointer judgmentbyte[] Buffer =Newbyte[1024];while ((count = is.read (buffer)) >=0) {os.write (buffer,0, count);}I/O stream not closedReturntrue;}/** * *@paramA@paramb *@paramEnding *@returnCopy the elements from A to B, and stop when meet element ending */Public void Copy(string[] A, string[] b, String ending){int index; String temp =NullNull pointer error System.out.println (TEMP.LENGTH ());No variables usedint length=a.length;for (index=0; index&a.length; index++) {Redundant IF statementsIfTrue) {Object comparisons should use equalsif (temp==ending) {break;}Missing array subscript out of bounds check b[index]=temp;}}}/** * *@paramFile *@returnFile contents as String; Null if file does not exist */Public void ReadFile(File file){InputStream is =null;outputstream os = null;< Span class= "Hljs-keyword" >try {is =  new bufferedinputstream (new FileInputStream (file)), os = new bytearrayoutputstream (); Span class= "hljs-comment" >//not used method return value copy (Is,os); Is.close (); Os.close ();} catch (IOException e) { //may cause I/O stream not to close e.printstacktrace ();} finally{ Empty try/catch/finally Block}}}             


Using the above test code, we compare the test results of existing Java static code analysis tools as shown in table 2 below.
table 2. Comparison of Java static code analysis tools


Code defect Classification Example Checkstyle FindBugs PMD Jtest
Reference operation Null pointer reference
Object manipulation Object Comparisons (using = = instead of equals)
Complex expression Redundant IF statements
Array using Array subscript out of bounds
No variables or code snippets are used No variables used
Resource Recycling I/O is not closed
Method invocation Method return value not used
Code Design Empty block of try/catch/finally





You can see from the table that several tools are focused on code checking. Among them, Checkstyle more emphasis on the code writing format, and whether it conforms to the coding specification test, the discovery of code bugs is weak, and findbugs,pmd,jtest focus on the discovery of code defects. In code defect checking, the three tools differ in the code defect categories they target, and there are overlaps between categories.



Summarize



In this paper, the functions, features, and built-in programming specifications are described in detail in four mainstream Java code analysis tools, including Checkstyle,findbugs,pmd,jtest, and a Java code example to compare the code analysis capabilities of these four tools. Because these four tools have different built-in programming specifications, they also differ in their ability to discover different kinds of code problems. Checkstyle is more focused on code-writing format checking, while Findbugs,pmd,jtest focuses on discovering code flaws. Finally, hopefully this article will help Java software developers and testers Learn more about the four mainstream Java static analysis tools and help them choose the right tool for their needs.



Analysis and comparison of "reprint" Common Java static Code analysis tools


Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.