Analysis and Comparison of common Java static code analysis tools

Source: Internet
Author: User
Tags coding standards finally block checkstyle

Introduction

This article first introduces the basic concepts and main technologies of static code analysis, and then introduces four existing mainstream Java static code analysis tools (Checkstyle, findbugs, PMD, jtestIn the end, they are analyzed and compared in terms of functions and features, hoping to help Java software developers understand static code analysis tools and select suitable tools for software development.

 

Introduction

During Java software development, the development team often spends a lot of time and energy discovering and modifying code defects. The Java static code analysis tool helps developers quickly and effectively locate code defects during code building and correct these problems in a timely manner, this greatly improves software reliability and saves software development and testing costs. Java static code analysis tools on the market are widely used and have their own merits. Therefore, this article will introduce four mainstream Java static code analysis tools (checkstyle, findbugs, PMD, jtest ), they are also analyzed and compared in terms of functions and features. They hope to help Java software developers understand static code analysis tools and select suitable tools for application to software development.

 

Introduction to static code analysis tools

What is static code analysis?

Static code analysis is to check the correctness of the program by analyzing or checking the syntax, structure, process, and interface of the source program without running the tested code, and find out the hidden errors and defects of the Code, such as parameter mismatch, ambiguous nested statements, incorrect recursion, invalid calculation, and possible NULL pointer references.

During software development, static code analysis often takes place before dynamic testing. It can also be used as a reference for developing dynamic testing cases. Statistics show that 30% to 70% of code logic design and coding defects can be found and repaired through static code analysis throughout the software development lifecycle.

However, static code analysis often requires a large amount of time consumption and accumulation of relevant knowledge. Therefore, for software development teams, static code analysis tools are used to automate code inspection and analysis, it can greatly improve software reliability and save software development and testing costs.

Advantages of static code analysis tools

1. Help program developers automatically perform static code analysis to quickly locate code hidden errors and defects.

2. Help code designers focus more on analyzing and solving code design defects.

3. significantly reduce the time spent on code line-by-line check, improve software reliability and save software development and testing costs.

Theoretical Basis and main technologies of Java static code analysis

  • Defect Pattern Matching: Defect Pattern Matching collects sufficient common defect patterns from the code analysis experience in advance, and matches the code to be analyzed with the existing Common Defect Pattern to complete software security analysis. This method is simple and convenient, but requires a sufficient number of built-in defect modes, and is prone to false positives.
  • Type inference: The type inference technology refers to the inference of the calculation object type in the Code to ensure that each statement in the code is executed for the correct type. This technology first predefines a set of type mechanisms, including type equivalence, type inclusion and other reasoning rules, and then performs inference calculation based on this rule. Type inference can check the type errors in the code, which is simple and efficient and suitable for quick detection of code defects.
  • Model check: Model Testing is based on the concept of finite state automation. This theory abstracts the analyzed code into an automatic machine system, it is assumed that the system is in a finite state or can be abstracted to a finite state. During model validation, the impact of each statement in the analyzed code is first abstracted into a state of finite state automation, and then the finite state machine is analyzed to achieve code analysis. Model testing is mainly suitable for testing the time series features such as program concurrency, but has a weak role in Data Value domains and data types.
  • Data Stream Analysis: Data Stream analysis is also a software verification technology, which collects information about variables referenced in the code to analyze the assignment, reference, and transmission of variables in the program. The analysis of data streams can determine the definition of variables and the situations where the variables are referenced in the code. It can also check the code data stream exceptions, such as references that are assigned before and only values without reference. Data Stream Analysis is mainly suitable for verifying the features of data domains in programs.

Existing mainstream Java static analysis tools

 Checkstyle

Checkstyle is an open-source project of SourceForge. It checks code standards and styles by checking the code encoding format, naming conventions, javadoc, and class design, in this way, developers can effectively abide by the coding standards.

Checkstyle provides plug-ins that support most common ides. The text mainly uses the checkstyle plug-in eclipse. As shown in 1, checkstyle checks the code encoding style and displays the check results in the problems view. In the figure, each magnifier icon in the code editor represents a code defect found by a checkstyle. Developers can view error or warning details in the problems view.

Figure 1. Use checkstyle for encoding style check

In addition, checkstyle allows you to customize code check specifications as needed. In the configuration panel of 2, you can set existing check specifications such as naming conventions, javadoc, blocks, add or delete custom inspection specifications on the basis of class design.

Figure 2. Use checkstyle to add custom code check specifications

Findbugs

Findbugs is an open-source Java static code analysis tool provided by the University of Maryland. By checking the class files or jar files, findbugs compares bytecode with a set of defect modes to discover code defects and complete static code analysis. Findbugs provides a visual UI interface and can also be used as an Eclipse plug-in. Findbugs is used as the Eclipse plug-in. After the installation is successful, the findbugs perspective will be added to eclipse. You can run findbugs for a specified Java class or jar file. In this case, findbugs will traverse the specified file for static code analysis, the code analysis result is displayed in the bugs explorer of findbugs perspective, as shown in 3:

Figure 3. Use findbugs for static code analysis

In the figure, the gray icon in bug explorer is of the Bug type. The red icon in each type indicates that the bug is serious, and the yellow icon indicates that the bug is of the warning level. Propreties lists the description and modification scheme of a bug.

In addition, findbugs also provides users with the function of customizing the bug pattern. You can customize the findbugs code check conditions as needed, as shown in Figure 4:

Figure 4. Use findbugs to add custom code check specifications

PMD

PMD is an open-source Java code static analysis tool released by DARPA on SourceForge. Based on its built-in coding rules, PMD performs static checks on Java code, including checking for potential bugs, unused code, repeated code, and creating new objects in the loop body. It provides integration with a variety of Java ides, such as Eclipse, idea, and netbean. This article mainly integrates with eclipse by using a plug-in. As shown in figure 5: In the violations overview view, the result of the static code analysis is displayed according to the code defect severity.

Figure 5. Static code analysis using PMD

It also allows developers to customize code check specifications. Developers can add, delete, import, and export code inspection specifications in panel 6.

Figure 6. Add a custom code check specification using PMD

Jtest

Jtest is an automated code optimization and testing tool developed by parasoft for Java, jtest's static code analysis function can automatically check and correct these hidden and hard-to-fix encoding errors according to more than 800 built-in JAVA coding specifications. You can also customize encoding rules to prevent special usage errors. Jtest provides eclipse-based plug-ins for installation. Jtest allows developers to inspect Java code encoding standards and display the check results in the jtesk window, as shown in Figure 7:

Figure 7. Static code analysis using jtest

At the same time, jtest also provides support for custom code check configurations and even custom encoding rules. This feature allows developers to customize the required encoding specifications based on different scenarios, as shown in Figure 8:

Figure 8. Use jtest to add custom code check specifications

 

Comparison of Java static analysis tools

This section compares the above Java static analysis tools from the following aspects:

Application Technology and analysis object

Table 1 lists the analysis objects of different tools and comparison of application technologies:

Table 1. Comparison of analysis objects and application technologies of different tools

Java static analysis tool Analysis object Application Technology
Checkstyle Java source file Defect Pattern Matching
Findbugs Bytecode Defect Pattern Matching; Data Stream Analysis
PMD Java source code Defect Pattern Matching
Jtest Java source code Defect Pattern Matching; Data Stream Analysis

Built-in programming specifications

Checkstyle:

  • Javadoc comments: Check javadoc comments of classes and Methods
  • Naming Conventions: Check whether the naming rules are met
  • Title: Check whether the file starts with some rows
  • Import Statement: Check whether the Import Statement complies with the definition specifications.
  • The size of the code block, that is, check the number of lines of code blocks such as classes and methods.
  • Blank: Check for blank characters, such as tab and carriage return characters.
  • Modifier: Check the modifier, such as the sequence in which the modifier is defined
  • Block: Check whether there are empty or invalid blocks.
  • Code problems: Check repeated code, condition judgment, magic number, and other problems
  • Class Design: Check whether class definitions comply with specifications, such as constructor definitions.

Findbugs:

  • Bad practice bad practices: Common Code errors, used for Defect Pattern Matching during static code checks
  • Correctness may cause Incorrect code, such as null pointer reference.
  • Internationalization problems: for example, incorrect String Conversion
  • Possible Malicious attacks, such as the definition of access permission Modifiers
  • Correctness of multithreading: for example, synchronization and thread scheduling problems are common in multithreaded programming.
  • Runtime performance problems: such as code inefficiency caused by variable definitions and method calls.

PMD:

  • Possible bugs: Check for potential code errors, such as empty try/catch/finally/switch statements
  • Dead Code: Check unused variables, parameters, and methods
  • Complex expressions: checks unnecessary if statements, for loops that can be replaced by while
  • Duplicate code: Check duplicate code
  • Create new object in the loop body: Check the new object in the loop body instance
  • Resource shutdown: Check whether resources such as connect, result, and statement are closed after they are used.

Jtest

  • Possible errors: Memory Corruption, memory leakage, pointer errors, library errors, logical errors, and algorithm errors
  • Unused code: Check unused variables, parameters, and methods
  • Initialization error: Memory Allocation Error, variable initialization error, variable definition conflict
  • Naming Conventions: Check whether the naming rules are met
  • Javadoc comments: Check javadoc comments of classes and Methods
  • Thread and synchronization: Checks synchronization and thread scheduling problems frequently seen in multi-thread programming.
  • Internationalization:
  • Garbage Collection: Check for Memory leakage risks in variables and JDBC Resources

Error Check capability

To compare the code defect detection capabilities of the above Java static analysis tool, this article will use a sample code for testing. The sample code will cover several common errors in our development, such as reference operations, object operations, complex expressions, Number Groups, unused variables or code segments, Resource Recycling, method calls, and code design. Finally, this article will record the analysis results of the sample code by different tools under the default check specification settings. The following is the sample code test. java. The comments section lists possible defects in the code.

Listing 1. Test. Java sample code

Package test; import Java. io. *; public class test {/*** write the bytes from input stream to output stream. * The input stream and output stream are not closed. * @ Param is * @ Param OS * @ throws ioexception */Public Boolean copy (inputstream is, outputstream OS) throws ioexception {int COUNT = 0; // If a null pointer is missing, Judge byte [] buffer = new byte [1024]; while (COUNT = is. read (buffer)> = 0) {OS. write (buffer, 0, count);} // I/O Stream not closed return true ;} /***** @ Param A * @ Param B * @ Param ending * @ return copy the elements from A to B, and stop when meet element ending */Public void copy (string [] A, string [] B, string ending) {int index; string temp = NULL; // NULL pointer error system. out. println (temp. length (); // The Int length =. length; For (Index = 0; index <. length; index ++) {// redundant if statement if (true) {// use limit SIF (temp = ending) {break;} to compare objects ;} // The array subscript check B [Index] = temp ;}}/***** @ Param file * @ return file contents as string is missing; null if file does not exist */Public void readfile (File file) {inputstream is = NULL; outputstream OS = NULL; try {is = new bufferedinputstream (New fileinputstream (File )); OS = new bytearrayoutputstream (); // returns the copy (is, OS); is. close (); OS. close ();} catch (ioexception e) {// the I/O Stream may not be closed. printstacktrace ();} finally {// Empty try/catch/Finally block }}}

Through the above test code, we compare the test results of the existing Java static code analysis tool as follows, as shown in table 2 below.

Table 2. Comparison of Java static code analysis tools

Code defect category Example Checkstyle Findbugs PMD Jtest
Reference operation Null Pointer Reference
Object operations Object comparison (use = instead of equals)
Expression complexity Extra if statements
Array usage Array subscript out of bounds
Unused variables or code segments Unused Variables
Resource Recycling I/O not closed
Method call Return value without Method
Code Design Empty try/catch/finally Blocks

It can be seen from the table that several tools have different focuses on code checks. Among them, checkstyle focuses more on the code writing format and whether it meets the encoding standard test, and the code bug discovery function is weak. findbugs, PMD, and jtest focus on discovering code defects. In the Code Defect check, these three tools have different types of code defects and overlap.

 

Summary

This article describes four mainstream Java static code analysis tools, including checkstyle, findbugs, PMD, and jtest, in terms of functions, features, and built-in programming specifications, the code analysis capabilities of these four tools are compared through a Java code example. These four tools have different built-in programming specifications, so they have different abilities to discover different types of code problems. Checkstyle focuses more on code writing format check, while findbugs, PMD, and jtest focuses on discovering code defects. Finally, I hope this article will help Java software developers and testers to learn more about the above four mainstream Java static analysis tools and help them select the appropriate tools as needed.

 

This article is from http://www.oschina.net/question/129540_23043!

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.