dcsimg
July 18, 2018
Hot Topics:

Going Beyond Unit Testing with SpotBugs

  • July 5, 2018
  • By Robert Gravelle
  • Send Email »
  • More Articles »

Have you ever had a Java program that compiles cleanly, yet still exhibits some buggy behavior? Of course you have; it happens to the best of us! That's because only a very narrow scope of errors are caught during compilation—namely syntax errors, invalid references, and the like. The fact that the IDE will warn you when a program contains compile errors goes a long way towards guaranteeing that such errors won't find their way into your programs. At the same time, relying on the compiler to catch potential bugs is far from adequate, because it does nothing to guard against other types of errors, such as runtime or logic errors.

You can cast a wider net to catch more potential bugs by employing a static analysis tool such as SpotBugs. In today's article, we'll learn how to install the SpotBugs Eclipse plug-in and use it to identify issues in our program code.

What Is Static Analysis?

Unlike the Java compiler, which looks at the source code, static analysis inspects Java bytecode (compiled .class files) for occurrences of bug patterns. A bug pattern is a code expression/idiom that is often error-prone. Bug patterns can arise for a variety of reasons, including:

  • Use of difficult language features
  • Misunderstanding API methods
  • Misunderstanding variables when code is modified during maintenance
  • Garden variety mistakes: typos, use of the wrong operator, and so forth

SpotBugs, the recent successor of FindBugs, classifies potential errors in four ranks of increasing severity:

  1. Of concern
  2. Troubling
  3. Scary
  4. Scariest

This gives the developer a good inclination about each bug's possible impact and/or severity.

Installing the SpotBugs Plug-in

As with any plug-in, installing the SpotBugs plug-in is a piece of cake:

  1. Open the Eclipse Marketplace dialog by selecting Help -> Eclipse Marketplace... from the main menu.

In the Eclipse Marketplace dialog:

  1. Search for "SpotBugs." You should see SpotBugs at the top of the list:

    SpotBugs is highlighted
    Figure 1: SpotBugs is highlighted

  2. Click the Install button.
  3. On the next screen, accept the terms of the license agreement and click the Finish button to install the plug-in.
  4. You might get a dialog warning you that you are about to install unsigned content. Live dangerously and click Install anyway.

After you restart Eclipse, you'll be the proud owner of some free software!

Running SpotBugs on a Project

You'll need a good Java project to run the plug-in on. I'm using TuxGuitar, an open source version of the popular Guitar-Pro software. They have their source code hosted on a public SVN repository. It's a huge project, with lots of potential issues hidden within the dark recesses of its sprawling codebase.

Before running the analysis, let's open the SpotBugs views.

  1. Select Window -> Show View -> Other... to open the Show View dialog.
  2. Once there, type "Bug" in the Filter box to narrow the views list to the two SpotBugs ones.
  3. Select both the SpotBugs views and click Open to display them:

    The new files
    Figure 2: The new files

To apply SpotBugs to a project:

  1. Right-click the project in the Package Explorer, Then, select SpotBugs -> Find Bugs from the context menu.

After the analysis has concluded, the results will be presented in the Bug Explorer view. Here's what the TuxGuitar code generated:

The generated code
Figure 3: The generated code

The good news is that there are no bugs in the "Scariest" category. However, there are some "Scary," "Troubling," and "Of Concern" bugs. There is also a confidence factor for each bug category. This reflects the likelihood of these bugs to result in problems later. Each identified bug comes with a description of the issue. You can click it to see the line of code in the source that it pertains to—pretty nifty when you consider that SpotBugs is operating on bytecode!

Obtaining More Information on a Bug

Until you've been working with SpotBugs for some time, a bug like "ABadClass defines equals and uses Object.hashCode()" may not mean much to you. That's why SpotBugs includes a lot more information on each problem. To see it, right-click the bug and select Show Bug Info from the popup menu. That will bring up an info page in the Bug Info view:

The Info page
Figure 4: The Info page

Configuring SpotBugs Settings

The FindBugs plug-in makes it easy to customize the bugs analysis strategy, by offering various ways to filter warning and limit the strictness of the results. You can check the configuration interface by going to Window -> Preferences -> SpotBugs:

The Preferences window
Figure 5: The Preferences window

The easiest way to alter the number of bugs reported is to use the Minimum rank to report slider. The further right it's set, the more bugs will be reported. Conversely, the further left it's set, the fewer bugs you'll see. That's because the minimum rank threshold rises as the slider moves to the left. You'll see the minimum change as you go, from "Of concern," to "Troubling," to "Scary," and finally, to "Scariest." Each category is divided into five levels of rank.

Another useful setting is found on the Plug-ins and misc. settings tab. There, you can configure SpotBugs to run automatically as part of the project build by deselecting the Run SpotBugs analysis as extra job checkbox.

Conclusion

In today's article, we learned how to install, configure, and apply static analysis to our Java projects in Eclipse. Although SpotBugs won't rid your program of all bugs, it will definitely make a dent in the number of bugs that find their way into production.

About the Author

Rob

Rob Gravelle resides in Ottawa, Canada. His design company has built Web applications for numerous businesses and government agencies. E-mail him.

Rob's alter-ego, "Blackjacques," is an accomplished guitar player, who has released several CDs and cover songs. His band, Ivory Knight, was rated as one of Canada's top hard rock and metal groups by Brave Words magazine (issue #92).






Comment and Contribute

 


(Maximum characters: 1200). You have characters left.

 

 


Enterprise Development Update

Don't miss an article. Subscribe to our newsletter below.

By submitting your information, you agree that developer.com may send you developer offers via email, phone and text message, as well as email offers about other products and services that developer believes may be of interest to you. developer will process your information in accordance with the Quinstreet Privacy Policy.

Sitemap

Thanks for your registration, follow us on our social networks to keep up-to-date