Slashdot Mirror
Finding Bugs Is Easy
daveho writes "My advisor and I are working on a tool to automatically find bugs in Java programs. One of the interesting results of our work is that we've found hundreds of real bugs in production code using extremely simple techniques. We believe that automated tools, if used more widely, could prevent a lot of bugs from making it in to production systems."
At first I was frustrated that it needs a jar file. On my hard drive my code is just sitting in directories. So I made a jar file out of my code just for this program.
Then I was frustrated that the GUI wouldn't show me the source, but then I realized that I had compiled without debugging information in my classes (no line numbers and such). I recompiled and remade the jar file and it started showing me the source.
Most of the errors that it finds in my stuff aren't really errors. I get a lot of complaint about "should be declared package" when package is the default and I don't specify a modifier. I also get errors about ignored exceptions for things like this:
// This can't happen.
// The input and output streams were constructed
// on memory structures that don't actually use IO.
} catch (IOException x){
}
I think it may have found a few bugs though. Its complaining about at least one thing not being threadsafe. Also complaining about an inner class being static when it probably shouldn't be.
Now I want an Ant task for this so that I can make sure it runs on my code every time I compile. It is sort of like extended compiler warnings. Pretty helpful.
Bugs in Java code? Inconceivable!
I thought it was impossible to write bugs in Java - nature's most perfect language! After all, all the Java bigo^H^H^H^Hzealot^H^H^H^H^H^Hexperts have always said that all software problems would vanish if we would just use their perfect language.
(/me removes tongue from cheek)
I just hope that the myriad and varied Java bigots out there will take this to heed: No language can prevent you from making mistakes.
(NOTE: I most emphatically do NOT assert that a language cannot make certain classes of errors more difficult to make!)
(NOTE 2: I also do not assert that all people who use Java, or promote the use of Java are bigots.)
There is no substitute for experience, careful design, and methodical testing.
www.eFax.com are spammers
Please note that FindBugs is alpha-quality software. You may find bugs in it, and the features and source code may change significantly in future releases.
...is to run it on itself.
Javac and Jikes will tell you where it can't compile. This is higher level stuff like "such-and-such should be final" and "you have implemented equals but not hashcode." Code will run, and probably run fine, with these, but they may lead to subtle bugs difficult to track down. Compile-time or formatting bugs are easy to find. Bugs that express themselves in non-obvious ways are what we need more tools for.
In answer to another post, of course good design and good coding are best. This tool does not seek to replace thought, but push us towards proper coding
They need to pick a name like "||gazm", "JizMop", or "Mozilla" like all the other cool OS projects. I'm sure they'll learn their lesson soon.
Your reality is lies and balderdash and I'm delighted to say that I have no grasp of it whatsoever. - Baron Munchausen
Why not call it "Lint"?
Automated tools like lint are an invaluable part of any software project and should be used at various points in a project's lifecycle. However, the bugs they find tend to be shallow (typecast problems, immediate memory violations, etc.). This is a certain improvement in software quality, but even Java programs can have side-effects from class to class that twist the mind of even the best programmer.
"Finding bugs is easy" makes sense in the context of my backyard but definitely not in programming.
Healthcare article at Kuro5hin
While working in IBM Research, we were developing a tool to do just that; I do believe it was significantly richer than this one. The first versions were aimed specifically at J2EE, and searched for really 'high-level' bugs -- anything from bad patterns to violations of the J2EE spec. The initial results of this effort are already included in WebSphere Studio Application Developer 5.0, as part of the Verifiers. More powerful versions will appear in future releases of WSAD.
- Tal Cohen
OK.
Why not contribute to the existing, GPL, OpenSource, Java Lint? Why start a new project?
http://artho.com/jlint/
--MM
The real value of tools like this is that they act as a sort of Instant Code Review. Just as you can use unit tests to quickly verify the (partial) correctness of your system, you can use tools like this to quickly find bad code so that it can be corrected before it causes more problems. Obviously, just like unit tests are not a complete replacement for QA, this is not a complete replacement for code reviews, but every little but helps.
And although it would be useful everywhere, I would think that a tool like this would fit nicely into an extreme programming shop, where the developers are already used to using automated tools on thier code.
Another great tool that deserves a look (besides those already mentioned) is PMD. I use PMD at work to find all sorts of cruft that can be cleaned out of older Java sources. It can be run inside your favourite IDE (to highlight the offending lines) or as an ANT task (generating a report in XML or HTML). Generally I've found it to be a great help, and the coders have been very responsive to my (many) feature suggestions and bug tickets. Most of the things it's found have been general cleanups (ie unused variables or imports), but it also helped find a number of bugs in our code too.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
I know it's expanding quickly, but the main thing the FindBugs homepage is missing is a list of the errors that FindBugs identifies.
I got a few hints from the screenshots and changelist... but I need more!
* infrastructure for doing dataflow analysis
* tracking of locks for inconsistent synchronization detector
* a few general cleanup fixes in the screenshot
The first 2 especially sound interesting... but not quite enough for me to download a 0.5 version release and slog through the source code.
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
How did you solve the halting problem? Or does it not check for potential infinite loops?
Jason
ProfQuotes
wrong. The JavaTM Virtual Machine Specification - Second Edition says the following :
2.5.1 Initial Values of VariablesEvery variable in a program must have a value before it is used:
while (!asleep()) sheep++
Imagine that your de-stabilised browser submits a 'random' but 'valid' (under the rules of the bank's error checking code) -- for example you say 'pay the cable co. $40' but your browser transmits 'pay the cable co. $400'.
I don't know which side of the autopsy/physician debugging argument I'd sit on. I quite like Matlab's approach (which I believe is similar to Lisp's), in that you can choose to enter debug mode when an error occurs, and you can then interactively probe you code to find out why it ended up in that state. This is particularly useful when you have (as I do) numerically-intensive code that might take several days to complete running -- you don't want to get to 3.9 days into a 4 day job and find out there was a bug in the very last command your code was to run without being able to figure out exactly why the error occurred -- the write-run-debug cycle would be very long indeed!
So, I can see the benefits of both approaches. I guess having a choice is important, and knowing when to opt for which flavour of error handling.
"The noble art of losing face will one day save the human race"---Hans Blix