Tag Archives: static analysis

Static analysis for performance – the server side java symposium

Posted on by
1

Overall, I was disappointed by the session. Most of it was about the performance anti-patterns and i was expecting more about the static analysis tool. There was only one slide with an example of how to detect a pattern using static analysis and I found it hard to understand,  It is easy to say to tell new developers not to do something.  It is hard to detect programatically.   Nevertheless, the points made are valid and here are the notes.

Is Java slow? Not on Intel for C at least.

What are root causes of performance issues?

  • Bad architecture, code or design
  • Configuration
  • [or database/network and not java at all, but that’s out of scope here]
  • Many ways to write incorrect code. Static analysis is not a replacement for traditional performance tuning

Types of analysis:

  • Code query systems – Explore relationships among program elements, Codequest and jquery in this space
  • Semantic code query systens – focus on behavior in addition to structure.  Yonita is in this space.  Yonita starts with bytecode to capture all detail. Then query in sql or prolog to find anti-patterns
  • Note that yonita is a prototype and not yet publicly available

Redundant work
Examples

  • JSF calling output text and the getXXX<> method makes a database call each time
  • get value for key several time.  Ok if took like Hibernate is caching it for you
  • make the same ajax call twice and then do something different than the result

Fix by caching the value
Showed patterns for detecting, it looks complicated!

Other anti-patterns

  • Fine grained remote calls – entity beans versions 1 and 2
  • One by one processing – adding one at a time instead of batching so the transaction, authorization and database all happen repeatedly
  • Return a lot of records and discard the results

I asked if the static analysis tools could detect all of the anti-patterns shown. The answer was that it is library specific. I didn’t get a clear yes or no as to whether one could write a rule.

Someone asked about complex configurations. The answer was the tools struggle with dynamic configuration like Spring and specific support of the tool is required.

klocwork – a review

Posted on by
2

Since I wrote a review of JTest, I decided to do a review of the other commercial product I tried in the Java static analysis family – Klocwork

Installation

I ran into some trouble installing the trial Eclipse plugin. I saw a zip file to use instead of the update site.  I then unzipped it rather than pointing to it as a local install.   Which appears to work – you see klockwork show up in the Eclipse preferences, but get an error when trying to actually use it.

This gave me the opportunity to deal with their tech support.  Which was very good – they identified the problem correctly and told me to re-install properly.

Trial limitations

The trial limits you to scanning 300 files at a time.  This is perfectly reasonable – I can’t think of a reason you’d need to do more than that to see if you like a product.  I wanted to scan the same files as I had with JTest to compare output.

Since our product has more than 300 files, I thought I would just pick a few packages or classes with known issues.  I then learned they mean you can’t scan a project with more than 300 files rather than that you can’t scan more than 300 files.  Okay.  I used an Eclipse refactoring to move a bunch of packages to another project.  I’m not sure what this accomplished via the limit in the trial.  I was still able to scan everything.

The actual rules
In addition to the common static analysis rules (null ahndling, return values), some more interesting rules jumped out at me.  These include:

  1. Log forging – unvalidated input going into a log allows attacker to influence what logged
  2. If statement always evaluates to true/false – I like this was in the default rule configuration.
  3. Unchecked user input used in SQL query.  – It’s not user  input in our case, but a very good check to get you to manually review the code.

Summary

I also liked the minimizing of false positives.  Aside from my installation difficulties, I was very happy with the experience.

parasoft jtest – a review

Posted on by
Reply

I tried running Parasoft’s JTest against the modified JForum use by JavaRanch.

The first thing I did was run all the static analysis rules and got over 47 thousand hits.  Now this doesn’t mean much as some of the rules are cosmetic things and some directly confict with each other. (Use “*” for imports and don’t use “*” for imports imply every single file with get hit for one of them.  I started running all the rules so I could drill down and see what was out there.

A few of the rules were things that I had already noticed and made me cringe when reading the code.  For example, PostAction as a cyclomatic complexity (branch count) over over 40.  Ten is high.  40 is almost unreadable.

Some of the more interesting ones:

  • Found some duplicate code and string literal duplication.
  • The rules were updated for Java 5 – For example, it found I overwrote toString() but not valueOf() in an enum.
  • security rules for SQL injection
  • I really like “remove commmented out Java code” as this is a pet peeve of mine!
  • I learned that there is a problem with “double checked locking” pattern if you don’t use the volatile keyword.
  • As expected, JTest found unclosed resources, missing static keywords and the like.
  • There’s a bug in Java’s substring implementation that can cause an out of memory error.
  • It didn’t find a specific defect I was hoping to uncover when I downloaded it.  But this was more informative than not – now I know that defect isn’t in the code without having to look through hundreds of classes!

Some of the rules offer a “quick fix” where you can automatically fix the violation through your IDE plugin.  I used this to add {} to single line conditionals in 50 places without effort.

The only complaints I ran into:

  • It’s mostly updated for Java 5, but not completely.  One rule says to using StringBuffer instead of String when concatenting strings (when you should use StringBuilder.)
  • It’s slow – 5 minutes – 11 rules – 519 files.  PMD goes faster.
  • And of course – it’s expensive – but it’s intended for corporate users.  Thank you Parasoft for the trial to use on our non-commercial software!

The breadth of errors JTest can find is amazing.  It doesn’t just save you time manually reviewing code – it tells you about subtle errors you might not know about.