Atlantic Northeast Software Symposium
August 8 - 10, 2008 - Princeton, NJ
Squashing bugs with FindBugs
Does your program have bugs, despite unit tests, integration tests, and code reviews? You bet. Are you using static analysis as part of your QA process? If not, you're probably missing out on some bugs that can be caught before they bite your customers.
The cost of finding a bug increases dramatically the longer it lurks without being discovered. Fortunately, today?s development tools (IDEs and compilers) can identify many potential bugs within a few seconds of their creation, resulting in higher quality code and more productive programmers. However, even the best programmers can create bugs that are very hard to spot if they make it through their first few minutes of their existence.
Until recently, automated code analyzers have not been very useful for mainstream developers. Most code analysis packages focused either on stylistic issues (such as indenting and variable naming), or on formal correctness proofs (which require an investment in specification that few developers can afford to make.)
FindBugs, an open-source tool developed by Bill Pugh and David Hovermeyer of the University of Maryland, has raised the bar for ease-of-use and effectiveness of automated code analysis for finding bugs. FindBugs has been able to find many serious bugs in production software, including Eclipse, JBoss, Apache Tomcat and Sun's JDK implementation, with an impressively low false-positive rate compared to other approaches.
This session will explore how static code auditing tools work, how it is easy to write bug-detector plugins to find new bug patterns, presents some common bug patterns and fun "find the bug" puzzles, and shows how code auditing tools can easily identify them.
Every developer will want to have these tools in their toolbox.
About Brian Goetz
Brian Goetz has been a professional software developer for 20 years. He is the author of over 75 articles on software development, and his book, Java Concurrency In Practice, was published in May 2006 by Addison-Wesley. He serves on the JCP Expert Groups for JSRs 166 (concurrency utilities), 107 (caching), and 305 (annotations for safety analysis). He is a frequent presenter at JavaOne, OOPSLA, JavaPolis, SDWest, and the No Fluff Just Stuff Software Symposium Tour. Brian is a Sr. Staff Engineer at Sun Microsystems.More About Brian »