Java Source Code Analyzing Tools

1
Java Source Code Analyzing Tools

• By Xiang Kong
• June 1, 2004

2
Why source code analyzing tools?

• Software construction is the only software
  development activity that's guaranteed to be
  done, code is often the only accurate description
  of the software available, which makes it
  imperative that the source code be of the highest
  possible quality.
• Help developers to write better code.
• Find possible bugs.
• Improve productivity, save inspection time.
• Improve quality of software product.
• Enforce code conventions
• 80 of the lifetime cost of a piece of software
  goes to maintenance.
• Hardly any software is maintained for its whole
  life by the original author.
• Code conventions improve the readability of the
  software, allowing engineers to understand new
  code more quickly and thoroughly.

3
Evaluation Framework

• Must Check Suns Java Coding Standard
• The standard conventions that Sun follows and
  recommends that others follow.
• Most likely other developers are using it.
• Most likely there are existing checking tools
  available that support this standard.
• It covers filenames, file organization,
  indentation, comments, declarations, statements,
  white space, naming conventions, programming
  practices and includes a code example.

4
For Example

• Numerical constants (literals) should not be
  coded directly, except for -1, 0, and 1, which
  can appear in a for loop as counter values.
• Each line should contain at most one statement.
• argv // Correct
• argc // Correct
• argv argc-- // AVOID!
• Avoid using an object to access a class (static)
  variable or method. Use a class name instead.
• classMethod() //OK
• AClass.classMethod() //OK
• anObject.classMethod() //AVOID!

5
Evaluation Framework

• Availability to Define Own Rules
• Integration in Programming IDE
• High Performance
• Satisfaction of Requirements
• White-box unit testing code generation
• Test case can be created for basis path, random
  testing, and code coverage.
• Automating the black-box testing when formal
  specification, Model Driven Architecture and
  design by contract are used for requirement.
• Low Cost of Ownership

6
Evaluation Framework

• Check Complexity
• The tool should check following complexity
  of code
• Flow control, Cyclomatic Complexity
• Size number of classes, class size, method size,
  line length
• Inheritance depth
• Coupling between classes and packages
• Number of reuse

7
Evaluation Framework

• Check Possible Bugs
• If (string1 String2) ...
• If (name.equals(John)) ...
• When override equals method, not override
  hashCode method.
• Empty catch/finally block

8
Evaluation Framework

• Find Unused Code 
• Unused import
• Unused locale and class variable
• Unreachable code
• Unused private and public method

9
Parasoft Jtest

• Automates fundamental error prevention
  practices-- including unit testing and coding
  standard checking-- with the click of a button
• Generates and executes JUnit-format unit test
  cases for instant verification and white-box
  testing
• Provides a fast and easy way to add black-box
  tests, module tests, and system tests
• Identifies and prevents uncaught runtime
  exceptions, functional errors, memory leaks,
  performance problems, and security
  vulnerabilities
• Monitors test coverage
• Performs automated regression testing
• Supports Design by Contract
• Checks over 380 coding standards from Java
  experts
• Corrects violations of over 160 coding standards
• Allows the graphical or automated creation of
  custom coding standards
• Manages team-wide sharing of test settings and
  files
• Integrates seamlessly into IBM WebSphere Studio
  Application Developer and Eclipse

10
PMD

• PMD is an Open Source Java source code analyzer.
  PMD scans Java source code and looks for
  potential problems like
• Unused local variables
• Empty catch blocks
• Unused parameters
• Empty 'if' statements
• Duplicate import statements
• Unused private methods
• Classes which could be Singletons
• Short/long variable and method names
• PMD was initially written in support of Cougaar,
  a Defense Advanced Research Projects Agency
  (DARPA) project.
• Uses JavaCC parser generator with Extended
  Backus-Naur Formal (EBNF) grammar and JJTree to
  parse Java source code into an Abstract Syntax
  Tree (AST).
• Two ways to write rules Write a Java class or
  write an XPath expression.

11
JCSC

• Open Source
• JCSC is a powerful tool to check source code
  against a highly definable coding standard and
  potential bad code
• Bruce Eckel used JCSC to validate the code
  examples in his 3rd edition of Thinking in Java.
• Uses JavaCC and the GNU Regexp package to parse
  and define the rules.

12
Checkstyle

• Open Source
• Checkstyle is a development tool to help
  programmers write Java code that adheres to a
  coding standard. It automates the process of
  checking Java code to spare humans of this boring
  (but important) task.
• Ideal for projects that want to enforce a coding
  standard.
• Highly configurable.
• An example configuration file is supplied
  supporting the Sun Code Conventions

13
(No Transcript)
14
Other Similar Projects

• Open Source
• ESC/Java - Finds null dereference errors, array
  bounds errors, type cast errors, and race
  conditions. Uses Java Modeling Language
  annotations.
• FindBugs - works on byte code, uses BCEL. Source
  code uses templates, nifty stuff!
• Jamit - byte code analyzer, nice graphs
• JWiz - Research project, checks some neat stuff,
  like if you create a Button without adding an
  ActionListener to it.
• DoctorJ - Written in C. Uses Lex and YACC.
  Checks Javadoc, syntax and calculates metrics.
• Toad - All kinds of stuff from Big Blue.
• JLint - Written in C. Uses data flow analysis
  and a lock graph to do lots of synchronization
  checks. Operates on class files, not source code.
  
• Commercial
• JStyle - 995, nice folks, lots of metrics and
  rules
• Simian - fast, works with Java, C, C, CPP,
  COBOL, JSP, HTML
• CodePro Studio - 589, works with Eclipse, lots
  of rules
• KodeIn - 75, lots of rules, uses JavaCC.
• Assent - The usual stuff, seems pretty complete.
• CodeCompanion - Decent collection of rules, 199.
  
• AzoJavaChecker - Rules aren't listed online so
  it's hard to tell what they have.
• Aubjex - Rules aren't listed online. Appears to
  have some code modification stuff, 299. Flaw
  Detector - In beta, does control/data flow
  analysis to detect NullPointerExceptions

15
Recommendation

• Jtest is the best by far, best integration with
  Eclipse, easy to use. Expensive!
• I use PMD for my day-to-day work, PDM has more
  build-in rules than Checkstyle, and it is very
  good at defining your own rules.
• Checkstyle has good eclipse integration (setup
  screen), it has Sun Standard clearly defined in
  rules.
• In the future, Java IDE will have more and more
  similar features, but until that type of
  integration happens, Jtest's clarity and ease of
  use make it the sort of tool that should be in
  every programmer's standard toolbox.

16
References

• Code Conventions for the Java Programming
  Language http//java.sun.com/docs/codeconv/, Sun
  Microsystems
• Parasoft Jtest http//www.parasoft.com/ Generate
  JUnit test case. Handle regression test and check
  coding standard.
• PMD - http//pmd.sourceforge.net/
• Cougaar http//www.cougaar.org/, a Defense
  Advanced Research Projects Agency project.
• JCSC http//jcsc.sourceforge.net/
• Checkstyle http//checkstyle.sourceforge.net/
• ANTLR http//www.antlr.org/, ANother Tool for
  Language Recognition, is a language tool that
  provides a framework for constructing
  recognizers, compilers, and translators from
  grammatical descriptions containing Java, C, or
  C actions.

17
Questions?