Wednesday, February 25, 2009

FindBugs review

Lured by the promise land of a code base free of any problem I have decided to give a try to FindBugs on my freshly updated I-build.
Unfortunately FindBugs did not leave to the expectation since it failed with an NPE, which you would admit is rather ironic for such a tool...
Anyway, last time it worked for me (a few months back) my experience was in the end not really more useful than today's one since the tool returned a plethora of false positive hiding the real bugs it may have found. After talking to colleagues, we all came to the same conclusion, it could be useful if it had more reasonable defaults. Oh well...

3 comments:

David Carver said...

While yes you can get a few false postives. For the most part it does show several areas where you could potentially have problems. Many of them have to do with coding styles that could lead to issues.

Cleaning up the warnings and bugs that it finds, is a good thing as it does help reduce the overall affected code later on. I know of several eclipse projects that have used it to clean their code with some good results.

I've used it in XSL Tools with good results.

Andrei Loskutov said...

A good practice is to run FB (or other static analysis tool) once and check which bugs patterns are NOT important for current project, and which are MOST important.

Do not forget: the tool itself is a "dumb mashine", and it can never be as good as human developer (otherwise no one would need humans). So the human review of findings is the necessary step in the process :-)

Then exclude the "noisy" bugs patterns from analysis and try to fix the "high prio" bugs. In most cases not only fixing the bug instance is important, but also the review of the related code. In my experience, the buggy code has more issues *around* the bug as it unveiled by the tool.

BTW, one can use FB daily build update site to get latest FB snapshot (without NPE :)
http://findbugs.cs.umd.edu/eclipse-daily

Daniel said...

Pascal,

I have been using findbugs and pmd for years now, especially for the development of SAT4J, and I cannot really live without such tools now: I avoided quite a few bugs thanks to them.

Moreover, those tools help the programmer to improve it skills in java programming: the first time you see an error reported by the tool, you try to understand why it shows up, and then you learn new things about the Java language. Next time, you will probably just avoid to write buggy code. I experience that every year with my students.

It is true that there are still false positive and I admit that I haven't found a nice way to silent FB warnings on my code to have clean reports: you could use FB annotations but them it means a new dependency in your code.