Eclipse code detection tool FindBugs: usage summary

(reproduced)

Today's code quality review re-emphasized that Java code must be checked with FindBugs before it is committed to SVN. Although I have basically been using the FindBugs plugin by following its menus, in order to learn it more thoroughly and use it more efficiently I searched for and studied how FindBugs is used.

Inspection principle

FindBugs is a static analysis tool that examines class or JAR files, comparing the bytecode against a set of defect patterns to find possible problems. FindBugs ships with its own detectors: more than 60 kinds of Bad practice, more than 80 kinds of Correctness, 1 kind of Internationalization, 12 kinds of Malicious code vulnerability, 27 kinds of Multithreaded correctness, 23 kinds of Performance, and 43 kinds of Dodgy. We can also configure the check rules ourselves (which checks to run and which to skip), or implement our own check rules (a user-defined bug pattern has to implement the detector interface with our own check class; this is an advanced technique).

Static checking in white-box testing generally covers two things: coding standards and error lists. Coding standards tend to be set by teams based on their own experience and style, and many IDEs now flag in real time whether code conforms to the code style as it is edited. An error list covers potential bugs in the code: a piece of code may have no syntax error and still contain a defect, such as a thread deadlock. These are the kinds of errors that should be checked for. Static checking can be carried out in two ways:

1. Code walkthrough:

Programmers extract code for a walkthrough at regular intervals.

During the walkthrough, findings are collected in a summary report, and the lessons learned are compiled into a checklist that serves as the basis for the next walkthrough.

This method is manual and discussion-based among several people; it is simple to carry out, but its efficiency is relatively low.

2. Code scanning

Use software to scan our code for potential problems. There are many commercial tools that can do this, such as Parasoft JTest, Software Analyzer and pclint; different tools usually target different languages. There are also many open source tools; for Java, FindBugs is the one mainly recommended here. FindBugs can run in three environments (ANT/GUI/ECLIPSE), its functionality is fairly complete, and it allows writing your own detectors. We can usually collect our own or other people's development experience and turn it into a detector to improve FindBugs' detection coverage. The characteristics of software scanning are that machine scanning is efficient but not very flexible, and extending it takes more effort.

Java static checking tool comparison

Reference: http://blog.csdn.net/ml5271169588/article/details/6975701

http://www.cnblogs.com/hyddd/archive/2008/12/16/1356310.html

Tool: FindBugs
Purpose: checks .class files; finds potential bugs in Java bytecode (.class files) based on the concept of bug patterns.
Check items: mainly bug patterns in bytecode, such as null-pointer checks, resources that are not closed properly, string identity comparisons that use == instead of equals, etc.

Tool: PMD
Purpose: checks source files; finds potential problems in Java source files.
Check items, mainly including:
  - Empty try/catch/finally/switch blocks
  - Unused local variables, parameters and private methods
  - Empty if/while statements
  - Overly complex expressions, such as unnecessary if statements
  - Overly complex classes

Tool: CheckStyle
Purpose: checks source files, focusing mainly on format; checks that Java source files conform to the coding standard.
Check items, mainly including:
  - Javadoc comments
  - Naming conventions
  - Superfluous imports
  - Size metrics, such as methods that are too long
  - Missing required whitespace
  - Duplicate code

Use and configuration

Taken from: http://developer.51cto.com/art/200906/127165.htm

This article mainly introduces its use in Eclipse.

FindBugs is a program that finds bugs in Java programs. It looks specifically for code that matches entries in its list of "Bug Patterns". A bug pattern is an instance of code that is very likely to be an error.

Open the Bug Details view: Windows => Show View => Other… => FindBugs => Bug Details

In the Package Explorer or Navigator view, select your Java project and right-click; you will see a "Find Bugs" menu item whose submenu contains the two entries "Find Bugs" and "Clear Bug Markers", as shown in the figure below:

We create a simple test file Test.java with the following content:

public class Test
{
    private String[] name;

    public String[] getName()
    {
        return name;
    }

    public void setName(String[] name)
    {
        this.name = name;
    }
}

Click "Find Bugs"; while it runs, the following progress dialog appears:

After the run finishes, the following warnings have been added to the Problems view.

The warnings produced by FindBugs are not only shown in the Problems view but are also marked in the source code margin; in the source editor we can see the warning markers, as in the figure below:

When the cursor hovers over the code carrying the warning, the corresponding hint is shown, similar to Eclipse's own error and warning hints.

Selecting a problem in the Problems view switches the code editor to the corresponding code, which makes it convenient to modify the code according to the hint.

In the Problems view, select the problem entry and right-click; in the pop-up menu you can see "Show Bug Details", as shown below:

Clicking it switches to the Bug Details view, which shows more detailed information.

Of course, clicking the warning icon in the code editor window also switches automatically to the Bug Details window, where the detailed warning can be viewed, as shown below.

From this detailed information you can learn why FindBugs reported a warning for your code and how to deal with it; following its hints, you can modify the code quickly and conveniently.

Following the hint, we modify the code as shown below; running FindBugs again reports no more warnings.

public class Test
{
    private String[] name;

    public String[] getName()
    {
        String[] temp = name;
        return temp;
    }

    public void setName(String[] name)
    {
        String[] temp = name;
        this.name = temp;
    }
}
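The warnings FindBugs raises on the original Test.java are EI_EXPOSE_REP (getName() hands out the internal array) and EI_EXPOSE_REP2 (setName() stores the caller's array), both from the Malicious code vulnerability category. Copying the reference into a temporary satisfies the detector, as the post shows, but the caller and the object still share one array, so the caller can change the object's state behind its back. The following is an added example, not code from the original post, showing the defensive copy that removes the sharing; the class name Test is reused for comparison and the main() input is constructed.

```java
import java.util.Arrays;

// Added example (not from the original post): the same Test class with a
// defensive copy instead of a temporary variable.
public class Test
{
    private String[] name;

    public String[] getName()
    {
        // Hand out a copy so callers cannot modify the internal array.
        return name == null ? null : name.clone();
    }

    public void setName(String[] name)
    {
        // Copy the caller's array so later changes to it do not leak in.
        this.name = name == null ? null : name.clone();
    }

    // Constructed demonstration: the caller tampers with both the array it
    // passed in and the array it got back, and the object is unaffected.
    public static void main(String[] args)
    {
        Test t = new Test();
        String[] input = { "alice", "bob" };
        t.setName(input);
        input[0] = "mallory";      // caller changes its own array afterwards
        String[] out = t.getName();
        out[1] = "eve";            // caller changes what it was handed back
        System.out.println(Arrays.toString(t.getName()));
    }
}
```

The final print shows the state set by setName() unchanged. For a field that is never meant to be exposed at all, the stronger fix is to not offer a getter for the array; the clone() variant is the one to use when callers legitimately need the contents.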

Configuring FindBugs

Select your project, right-click => Properties => FindBugs =>

The configurable information covers the settings of the four options shown in the figure above:

1. The Run FindBugs Automatically switch

When this item is checked, FindBugs runs automatically whenever you modify a Java class; if you have enabled Eclipse's automatic build, FindBugs runs as soon as you save a modified Java file and displays its findings.

When it is not checked, you have to run FindBugs yourself whenever you want to check your code.

2. The Minimum priority to report option

This option lets you choose which level of findings is displayed; the three choices are Low, Medium and High, much like Log4J's level settings. For example:

If you choose High, only High-level findings are displayed.

If you choose Medium, only Medium- and High-level findings are displayed.

If you choose Low, findings of all levels are displayed.

3. The Enable bug categories option

Here you choose which bug categories are displayed:

Correctness: concerns the correctness of the code

Performance: concerns the performance of the code

Internationalization: concerns the internationalization of the code

Multithreaded correctness: concerns the multithreaded correctness of the code

Style: concerns the style of the code

Malicious code vulnerability: concerns code that could be abused by malicious code

For example, if you uncheck Style, warnings in the Style category are no longer displayed. The other categories behave likewise.

4. The Select bug patterns to check for option

Here you can select which bug pattern entries are checked.

The Bug codes, Detector name and Detector description columns show what each entry checks; you can select or deselect check items as needed.

III. Detailed description

FindBugs is a static analysis tool that examines class or JAR files, comparing the bytecode against a set of defect patterns to find possible problems. FindBugs ships with its own detectors: more than 60 kinds of Bad practice, more than 80 kinds of Correctness, 1 kind of Internationalization, 12 kinds of Malicious code vulnerability, 27 kinds of Multithreaded correctness, 23 kinds of Performance, and 43 kinds of Dodgy.

Bad practice

Some bad practices; a few examples:

HE: a class defines equals() but not hashCode(); or defines equals() but uses Object.hashCode(); or defines hashCode() but not equals(); or defines hashCode() but uses Object.equals(); or a class inherits equals() but uses Object.hashCode().

SQL: a Statement's execute method is called with a non-constant string; or a PreparedStatement is created from a non-constant string.

DE: a method drops or ignores an exception; in general an exception should be handled, reported, or thrown by the method.
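The three Bad practice codes above are easiest to recognize side by side with the form FindBugs accepts. The following is an added example, not code from the original post: for each code it shows the flagged shape and the corrected shape. The class and method names are hypothetical, and the JDBC Connection is assumed to be supplied by the caller.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Objects;

// Added example (not from the original post): HE, SQL and DE patterns,
// each in its flagged form and its accepted form.
public class BadPracticeExamples
{
    // HE, flagged: equals() is overridden but hashCode() is inherited from
    // Object, so two equal keys can land in different HashMap buckets.
    static final class UserIdFlagged
    {
        final String id;
        UserIdFlagged(String id) { this.id = id; }
        @Override public boolean equals(Object o)
        {
            return o instanceof UserIdFlagged && ((UserIdFlagged) o).id.equals(id);
        }
    }

    // HE, accepted: hashCode() is derived from the same field equals() uses.
    static final class UserId
    {
        final String id;
        UserId(String id) { this.id = id; }
        @Override public boolean equals(Object o)
        {
            return o instanceof UserId && ((UserId) o).id.equals(id);
        }
        @Override public int hashCode() { return Objects.hash(id); }
    }

    // SQL, flagged: the caller-supplied value becomes part of the query text,
    // so it is parsed as SQL rather than treated as data.
    static Integer findUserIdFlagged(Connection c, String userName) throws SQLException
    {
        String sql = "SELECT id FROM users WHERE name = '" + userName + "'";
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql))
        {
            return rs.next() ? rs.getInt(1) : null;
        }
    }

    // SQL, accepted: the query text is a constant and the value is bound as a
    // parameter (JDBC parameter indices start at 1).
    static Integer findUserId(Connection c, String userName) throws SQLException
    {
        try (PreparedStatement ps = c.prepareStatement("SELECT id FROM users WHERE name = ?"))
        {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery())
            {
                return rs.next() ? rs.getInt(1) : null;
            }
        }
    }

    // DE, flagged: the exception is swallowed, so the caller never learns that
    // the connection may still be open.
    static void closeFlagged(Connection c)
    {
        try { c.close(); } catch (SQLException e) { }
    }

    // DE, accepted: the exception is propagated with context attached.
    static void close(Connection c)
    {
        try { c.close(); }
        catch (SQLException e) { throw new IllegalStateException("could not close connection", e); }
    }
}
```

The two SQL methods return the same result for ordinary names; the difference is that in findUserId no value supplied by the caller can change the structure of the query, which is what the SQL detector is protecting against.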

Correctness: general correctness problems

Code that may cause errors; a few examples:

NP: a null pointer is dereferenced; a null pointer is dereferenced on an exception path of the method; the method does not check whether a parameter is null; a null value is produced and dereferenced; a null value is produced and dereferenced on an exception path; a null argument is passed to a parameter declared @NonNull; the method's return value is declared @NonNull but is actually null.

Nm: a class defines a hashcode() method that does not actually override Object.hashCode(); a class defines a tostring() method that does not actually override Object.toString(); a method is easily confused with a constructor; a method name is easily confused with another.

SQL: a method tries to access index 0 of a PreparedStatement; a method tries to access index 0 of a ResultSet (JDBC parameter and column indices start at 1).

UwF: every write sets the field to null, so every read yields null, which raises the question whether the field needs to exist; or the field is never written.

Internationalization

When the upper- or lower-case methods are applied to a string, an international string may be converted incorrectly.

Malicious code vulnerability: exposure to malicious attack

Code that may be attacked if it is exposed; a few examples:

FI: a class's finalize() should be protected, not public.

MS: a field is a mutable array; a field is a mutable Hashtable; a field should be package protected.

Multithreaded correctness

Code that may cause errors in multithreaded programming; a few examples:

ESync: an empty synchronized block, which is very hard to use correctly.

MWN: misuse of notify(), which may cause IllegalMonitorStateException; or misuse of wait().

No: notify() is used instead of notifyAll(), waking only one thread rather than all waiting threads.

SC: the constructor calls Thread.start(), which may cause errors when the class is subclassed.
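The MWN, No and SC codes all concern the same few rules about Java monitors and thread start-up. The following is an added example, not code from the original post: a bounded queue written so that none of the three patterns applies, with comments marking which rule each line follows. The class name and the producer/consumer run in main() are hypothetical and constructed.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added example (not from the original post): a bounded producer/consumer
// queue that respects the MWN, No and SC rules.
public class BoundedQueue<T>
{
    private final Deque<T> items = new ArrayDeque<>();
    private final int capacity;

    public BoundedQueue(int capacity)
    {
        this.capacity = capacity;
        // SC: no Thread.start() here. A subclass constructor has not run yet,
        // so a thread started now could observe a half-constructed object.
    }

    // MWN: wait() and notifyAll() are only legal while holding the monitor,
    // which the synchronized method guarantees; otherwise the JVM throws
    // IllegalMonitorStateException.
    public synchronized void put(T item) throws InterruptedException
    {
        // wait() in a loop: notifyAll() wakes every waiter and spurious
        // wake-ups are allowed, so the condition has to be re-checked.
        while (items.size() == capacity)
        {
            wait();
        }
        items.addLast(item);
        // No: notifyAll(), not notify(). Producers and consumers wait on the
        // same monitor; notify() could wake another producer while the
        // consumer that needed the signal keeps sleeping.
        notifyAll();
    }

    public synchronized T take() throws InterruptedException
    {
        while (items.isEmpty())
        {
            wait();
        }
        T item = items.removeFirst();
        notifyAll();
        return item;
    }

    // Constructed demonstration: one producer, the main thread as consumer.
    public static void main(String[] args) throws InterruptedException
    {
        BoundedQueue<Integer> q = new BoundedQueue<>(2);
        Thread producer = new Thread(() -> {
            try
            {
                for (int i = 0; i < 5; i++) q.put(i);
            }
            catch (InterruptedException e)
            {
                Thread.currentThread().interrupt();
            }
        });
        producer.start();   // started by the caller, not by the constructor
        for (int i = 0; i < 5; i++)
        {
            System.out.println("took " + q.take());
        }
        producer.join();
    }
}
```

Calling wait() or notifyAll() outside the synchronized methods, or replacing the while loops with if, are the two changes that would bring the MWN and No findings back; both compile cleanly, which is why a static checker is the practical way to catch them.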

Performance

Code that may perform poorly; a few examples:

DM: a method calls the inefficient Boolean constructor, where Boolean.valueOf(…) should be used; use Integer.toString(1) instead of new Integer(1).toString(); a method calls the inefficient Float constructor, where the static valueOf method should be used.

SIC: if an inner class is meant to be referenced more widely, it should be declared static.

SS: if an instance field is never read, consider declaring it static.

UrF: if a field is never read, consider removing it from the class.

UuF: if a field is never used, consider removing it from the class.

Dodgy

Potentially dangerous code that may cause errors at run time; a few examples:

CI: the class is declared final but declares protected fields.

DLS: a value is assigned to a local variable that is never read; a local variable is assigned null and never read.

ICAST: the result of multiplying int values is converted to a long; the int operands should be converted to long first and then multiplied.

INT: an unnecessary integer comparison, such as X <= Integer.MAX_VALUE.

NP: the result of readLine() is dereferenced directly without checking whether it is null; the result of a method call that may return null is dereferenced directly.

REC: Exception is caught directly, when the exception caught may actually be a RuntimeException.

ST: a static field (class variable) is modified directly from an instance method.
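ICAST and the Dodgy NP entry (and the NP entry under Correctness above) are the two Dodgy items whose consequences are easiest to observe. The following is an added example, not code from the original post: for each, the flagged method next to the corrected one, run on constructed input. The method names are hypothetical.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

// Added example (not from the original post): ICAST and NP patterns in their
// flagged and accepted forms.
public class DodgyExamples
{
    // ICAST, flagged: the multiplication is performed in int and overflows
    // before the cast widens it, so the long receives the wrapped value.
    // 4096 * 1048576 is 2^32, which wraps to 0 as an int.
    static long totalBytesFlagged(int blocks, int blockSize)
    {
        return (long) (blocks * blockSize);
    }

    // ICAST, accepted: widen one operand first so the multiplication itself
    // is done in long.
    static long totalBytes(int blocks, int blockSize)
    {
        return (long) blocks * blockSize;
    }

    // NP, flagged: readLine() returns null at end of input, and trim() on
    // that null throws NullPointerException.
    static String firstLineFlagged(BufferedReader in) throws IOException
    {
        return in.readLine().trim();
    }

    // NP, accepted: the standard read loop checks for null before every use.
    static List<String> nonEmptyLines(BufferedReader in) throws IOException
    {
        List<String> lines = new ArrayList<>();
        String line;
        while ((line = in.readLine()) != null)
        {
            line = line.trim();
            if (!line.isEmpty())
            {
                lines.add(line);
            }
        }
        return lines;
    }

    // Constructed demonstration: a size computation that overflows, and a
    // small in-memory "file" with blank and padded lines.
    public static void main(String[] args) throws IOException
    {
        System.out.println(totalBytesFlagged(4096, 1048576) + " vs " + totalBytes(4096, 1048576));

        String constructedInput = "first\n\n  second  \n";
        BufferedReader in = new BufferedReader(new StringReader(constructedInput));
        System.out.println(nonEmptyLines(in));

        // Empty input is exactly the case the flagged method cannot handle.
        BufferedReader empty = new BufferedReader(new StringReader(""));
        try
        {
            firstLineFlagged(empty);
        }
        catch (NullPointerException e)
        {
            System.out.println("flagged method failed on empty input");
        }
    }
}
```

The ICAST case matters beyond correctness: a size or length that silently wraps to a small number is the usual starting point for buffer-sizing mistakes, so the widen-first form is the one to keep in code that allocates or bounds-checks based on the product.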

 

Original address: http://blog.csdn.net/chenlia/article/details/38295835
