dev@glassfish.java.net

Re: How many folks are using static analysis tools...

From: Aditya Dada <Aditya.Dada_at_Sun.COM>
Date: Thu, 14 Sep 2006 19:51:40 -0400

I'm sure everyone must have seen the daily FindBugs reports that Terena
produces on the nightly glassfish builds.

While working with Jerome, Tony and Geoff, we too came to the conclusion
that there were way too many warnings for people to go through.
So while I had personally filed laundry-list bugs in the last release
for each component that was reported to have bugs by the tool, I am
currently working with Terena to implement the 'delta' feature, i.e. the
daily email will contain a small list of bugs that were introduced last
night (as found by FindBugs, of course).

The list would be much more readable, and hence, the bugs much easier to
identify and fix.

Till then, if you're interested in knowing the bugs in your area, click
on any HTML file at:
http://javaweb.sfbay/java/re/glassfish/9.1/nightly/findbugs/snapshot/
...and grep for the package that you work on.

Also, like Bill just mentioned, FindBugs has the ability to use filters
i.e. you can choose to filter out some warnings that are false
positives. If there are any such warnings that you'd like filtered out,
please let me know and I can work with Terena to incorporate that in the
daily FindBugs run.

-Aditya


Kohsuke Kawaguchi changed the world a bit at a time, and said on
9/14/2006 6:57 PM:

> Peter Williams wrote:
>
>> IMO, far too much human interpretation is currently required of the
>> results to eliminate false positives to allow any of these options to
>> be practical at this time. This goes for FindBugs and PMD as I've
>> used those two. Not sure about any others, but I would expect there
>> as well.
>
>
> Amen to that.
>
> The best place to do such static analysis is when you are typing code.
> IOW, static code analysis should be a part of the IDE. Then you have
> natural incentive to fix those, and it also makes you productive as it
> catches common data-flow related errors, too.
>
> The problem with having a separate report later, especially with a
> large project like Glassfish, is that for any one developer the S/N
> ratio is way too low. Remember, for one developer, everybody else's
> problems count as noise. So in practice nothing gets done.
>
> That said, running it once and fixing obvious problems sounds like a
> reasonable thing to do.
>

-- 
"If it wasn't for the 'last minute' nothing would get done."
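The two mechanisms discussed in this thread, a nightly 'delta' that lists only newly introduced FindBugs warnings and an exclude filter for known false positives, can be sketched in a few dozen lines. The script below is an added example and is not code from the thread, from Terena's nightly job or from the GlassFish project. The two report snippets and the filter are constructed for this example; the element and attribute names (`BugInstance`, `Class classname`, `FindBugsFilter`, `Match`, `Bug pattern`) follow the FindBugs XML report and filter-file layouts as the author of this example understands them, and the package names are invented. The key used to recognise "the same warning" across two nights is an assumption too: it deliberately ignores source line numbers, because those shift whenever unrelated code above the finding is edited.

```python
# Added example: compute the nightly FindBugs delta and apply an exclude filter.
# Report/filter XML below is constructed; element names follow FindBugs conventions.
import re
import xml.etree.ElementTree as ET

# Constructed "last night" report: two findings.
LAST_NIGHT = """<BugCollection version="1.1.1">
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="1" category="CORRECTNESS">
    <Class classname="org.example.deploy.DeploymentUtils"/>
    <Method name="loadDescriptor"/><SourceLine start="120" end="124"/>
  </BugInstance>
  <BugInstance type="DM_EXIT" priority="2" category="BAD_PRACTICE">
    <Class classname="org.example.cli.Main"/>
    <Method name="main"/><SourceLine start="40" end="40"/>
  </BugInstance>
</BugCollection>"""

# Constructed "tonight" report: the first finding moved down five lines (same bug),
# DM_EXIT was fixed, and three new findings appeared, one of them in a test class.
TONIGHT = """<BugCollection version="1.1.1">
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="1" category="CORRECTNESS">
    <Class classname="org.example.deploy.DeploymentUtils"/>
    <Method name="loadDescriptor"/><SourceLine start="125" end="129"/>
  </BugInstance>
  <BugInstance type="SE_NO_SERIALVERSIONID" priority="2" category="BAD_PRACTICE">
    <Class classname="org.example.web.SessionBean"/><SourceLine start="12" end="12"/>
  </BugInstance>
  <BugInstance type="UWF_UNWRITTEN_FIELD" priority="2" category="CORRECTNESS">
    <Class classname="org.example.web.WebTest"/>
    <Method name="setUp"/><SourceLine start="30" end="30"/>
  </BugInstance>
  <BugInstance type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" priority="1" category="SECURITY">
    <Class classname="org.example.jdbc.QueryRunner"/>
    <Method name="run"/><SourceLine start="77" end="77"/>
  </BugInstance>
</BugCollection>"""

# Constructed exclude filter: drop anything in *Test classes, and one pattern globally.
EXCLUDE_FILTER = """<FindBugsFilter>
  <Match><Class name="~.*Test"/></Match>
  <Match><Bug pattern="SE_BAD_FIELD"/></Match>
</FindBugsFilter>"""


def parse_bugs(report_xml):
    """Map a stable identity (pattern, class, method) to the finding's details.
    Line numbers are excluded from the key on purpose: they move between builds."""
    bugs = {}
    for inst in ET.fromstring(report_xml).iter("BugInstance"):
        cls, meth, line = inst.find("Class"), inst.find("Method"), inst.find("SourceLine")
        key = (inst.get("type"),
               cls.get("classname") if cls is not None else "",
               meth.get("name") if meth is not None else "")
        bugs[key] = {"type": key[0], "classname": key[1], "method": key[2],
                     "priority": int(inst.get("priority", "3")),
                     "category": inst.get("category", ""),
                     "line": line.get("start") if line is not None else "?"}
    return bugs


def _class_matches(pattern, classname):
    # Filter syntax: a leading "~" marks a regular expression, otherwise exact match.
    if pattern.startswith("~"):
        return re.fullmatch(pattern[1:], classname) is not None
    return pattern == classname


def parse_filter(filter_xml):
    """Each <Match> becomes a list of conditions that must all hold (AND)."""
    matches = []
    for m in ET.fromstring(filter_xml).iter("Match"):
        conds = []
        for child in m:
            if child.tag == "Class" and child.get("name"):
                conds.append(("class", child.get("name")))
            elif child.tag == "Bug" and child.get("pattern"):
                conds.append(("pattern", set(child.get("pattern").split(","))))
            elif child.tag == "Bug" and child.get("category"):
                conds.append(("category", set(child.get("category").split(","))))
        if conds:
            matches.append(conds)
    return matches


def is_excluded(bug, matches):
    """A finding is excluded when any <Match> block matches it in full."""
    def holds(kind, value):
        if kind == "class":
            return _class_matches(value, bug["classname"])
        return bug["type" if kind == "pattern" else "category"] in value
    return any(all(holds(k, v) for k, v in conds) for conds in matches)


def delta(old_xml, new_xml, filter_xml=""):
    """Return (introduced, fixed): findings new tonight (minus filtered ones) and
    findings that disappeared since last night. Highest priority first."""
    old, new = parse_bugs(old_xml), parse_bugs(new_xml)
    matches = parse_filter(filter_xml) if filter_xml else []
    introduced = [b for k, b in new.items() if k not in old and not is_excluded(b, matches)]
    fixed = [b for k, b in old.items() if k not in new]
    introduced.sort(key=lambda b: (b["priority"], b["classname"]))
    return introduced, fixed


def format_report(introduced, fixed):
    """The short, per-night text that would go into the daily email."""
    lines = [f"{len(introduced)} new warning(s) since last night, {len(fixed)} fixed"]
    for b in introduced:
        lines.append(f"  P{b['priority']} {b['type']} {b['classname']}.{b['method']}:{b['line']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(*delta(LAST_NIGHT, TONIGHT, EXCLUDE_FILTER)))
```

Run as-is, the report lists two new warnings (the SQL one first, because priority 1 sorts before priority 2) and one fixed; the moved `NP_NULL_ON_SOME_PATH` is correctly not reported as new, and the `WebTest` finding is silently dropped by the `~.*Test` filter. A real nightly job would read the two `BugCollection` files from consecutive snapshots instead of the inline strings, and would keep the exclude filter under version control next to the build so that every filtered pattern has an owner and a reason.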