Issue No. 05 - Sept.-Oct. (2008 vol. 25)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MS.2008.130
Nathaniel Ayewah , University of Maryland, College Park
David Hovemeyer , York College of Pennsylvania
J. David Morgenthaler , Google
John Penix , Google
William Pugh , University of Maryland, College Park
Static analysis examines code in the absence of input data and without running the code. It can detect potential security violations (SQL injection), runtime errors (dereferencing a null pointer) and logical inconsistencies (a conditional test that can't possibly be true). Although a rich body of literature exists on algorithms and analytical frameworks used by such tools, reports describing experiences in industry are much harder to come by. The authors describe FindBugs, an open source static-analysis tool for Java, and experiences using it in production settings. FindBugs evaluates what kinds of defects can be effectively detected with relatively simple techniques and helps developers understand how to incorporate such tools into software development.
static analysis, FindBugs, code quality, bug patterns, software defects, software quality
N. Ayewah, J. Penix, J. D. Morgenthaler, W. Pugh and D. Hovemeyer, "Using Static Analysis to Find Bugs," in IEEE Software, vol. 25, no. , pp. 22-29, 2008.