What static analyzers do you make a point of running on Java code, and why?

Question

I have experimented with several different static analyzers for Java, notably Findbugs and PMD.

I am looking for examples of other static analyzers that may be worth running on Java code.

Answer 1

Next to FindBugs and PMD, there are also Bandera, ESC/Java and JLint. You can find a comparision of them here (PDF). Here's an extract of relevance:

Bug Category - Example                            | ESC | FindBugs | JLint | PMD
--------------------------------------------------+-----+----------+-------+-----
General - Null dereference                        |  V  |    V     |   V   |  V
Concurrency - Possible deadlock                   |  V  |    V     |   V   |  V
Exceptions - Possible unexpexted exception        |  V  |          |       |
Array - Length may be less than zero              |  V  |          |   V   |   
Mathematics - Division by zero                    |  V  |          |   V   |  
Conditional, loop - Unreachable code              |     |    V     |       |  V 
String - Checking equality using == or !=         |     |    V     |   V   |  V
Object overriding - Equal objects/equal hashcodes |     |    V     |   V   |  V
I/O stream - Stream not closed on all paths       |     |    V     |       |  
Unused or duplicate statement - Unused local      |     |    V     |       |  V
Design - Should be a static inner class           |     |    V     |       |  
Unnecessary statement - Unnecessary return        |     |          |       |  V

_{Note: The article is from 2004. The tools may have been improved in the meanwhile.}

As you see, FindBugs and PMD finds pretty much and are also the most popular static analyser tools. However, some points are also covered by a smart IDE nowadays, like null deference, unused locals and unreachable code. Eclipse for example can warn on them.

Answer 2

Findbugs is pretty much the standard, as it's very robust (for a tool that started out of research), regularly maintained, and with recent versions really covers most of the bases. It also has great Eclipse integration and a variety of filtering and sorting options to let you achieve your preferred signal-to-noise ratio.

My only wish is that it could provide a workflow for recommendations, so I could choose to ignore specific instances (e.g., for code I have no control on) and only see changes. Continuous analysis would also be nice, when I have spare cores.

I'm familiar with several very promising research tools that use static analysis for things like checking API conformance or threading analysis. Unfortunately, none of them is truly production-quality and they demand some investment on the side of the developer.

Answer 3

Theres a list of java static analysis tools here: http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis#Java

Findbugs is my personal favourite because of its easy to use interface and comprehensive analysis, plus there are plugins for eclipse and idea.

Answer 4

I would suggest you use the code analyser in IntelliJ. It has over 600 checks which are easy to turn on and off, however the main reason is that many checks have quick fixes.

If you just run a report, you might find 1000s or 10,000s of flagged issues. This can be tedious to address when each issue often has very little value but has the real risk that you will introduce a bug. However IntelliJ lets you select and fix 1000s of issues in a matter of minutes, with a much lower risk of introducing a bug.

The IntelliJ CE is open source and free and has this feature.