How to select Code Analysis Tools

Code checking tools are software products that check compile-time whether a software program adheres to a certain set of rules of a coding standard. Without such code checkers, the enforcement of a coding standard in an organization is likely to fail. There are two main causes for this: (1) the number of rules in a coding standard is usually so large that nobody can remind them all (except the author) and (2) some context-sensitive rules that demand inspection of several files are very hard to check by human beings.

Although code checkers can reduce formal code review time considerably, it certainly does not mean that code reviews are not needed anymore. Some coding rules cannot be checked at all (e.g. "Comments should be in English") or only partly at compile-time (e.g. "Use delete, whenever you use new"). On average about 65% of a coding standard can be covered with code checking tools.

There are several characteristics that should be assessed during the selection process of a code checker. There are 6 issues that are most important. Obvious requirements such as whether it is available for the used platform are not taken into account.

Availability to define own rules. Experience has shown that only about 20% of a propietary coding standard is available as built-in rule in a code checker. As a consequence, there should be a possibility to define own rules. This can be via an API (complex in use but powerful) or a graphical user interface (easy to use but limited).

Integration in programming IDE. Most end users of code checkers are software engineers. Therefore a code checker should fit smoothly in the used programming environment. Preferrably via a toolbar with an easy way of running the tool (one button push).

Presence of command-line version. In order to be able to integrate the code checker in the software development process and/or in the programming IDE (if no plug-in is available) it should be command-line oriented. Command-line versions also allow for nightly batch runs of the code checker to collect quality data.

High performance. Code checkers are slower than compilers by nature because they perform a more in-depth semantical analysis of the source code. However, performance is a key issue for end user acceptance of the tooling. Response times of more than 1 minute per file are perceived as not workable.

Low cost of ownership. Cost of ownership means purchase price and maintenance costs. Since code checkers are not used continuously by end users, floating licenses appear to be more cost effective in most cases. About 1 floating end user license is needed per 10 developers.

Available support. Decent product support is an essential feature of a code checker. Good support does not only mean prompt and adequate response to user questions and problems, but also the frequency of new product release. "We will solve this in the next release" is not interesting if the average product release cycle is 1 year.

This How-to is an excerpt from a article called "Industrial methodology to introduce coding standards" and i feel the considerations and points are logical and good to follow for the code analyzers evaluation.

Evaluation of three open source code analysers

There are couple of code analysis tools avaiable out there and three of them (FindBugs, PMD and QJPro) i have evaluated and would like to elaborate some more. I will give a quick demo for each along the way and it will give you a good visualization of how each tool looks like in the real life.

FindBugs

FindBugs looks for bugs in java the programs. It can detect a variety of common coding mistakes, including thread synchronization problems, misuse of API methods and etc.

FindBugs is a static analysis tool that examines java classes or JAR files and looks for potential problems by matching class bytecodes against a list of bug patterns. With static analysis tools, we can analyze software without actually running the program. FindBugs requires JRE (or JDK) 1.4.0 or later to run. However, it can analyze programs compiled for any version of Java. FindBugs supports a plugin architecture allowing anyone to add new bug detectors, which means we can write custom detectors to find application-specific problems and it has been used for Eclipse and Java JDK project for bugs finding.

We can run FindBugs in multiple ways -- from a GUI, from a command line, using Ant, as an Eclipse plug-in, and using Maven. However, it makes more sense to run it as an integrated part of nightly build infrastructure and generate a bug report, which could be easily done by using tools like CruiseControl, Anthill, or even simple cron to fire off nightly builds and giving the results as an email. FindBugs certainly won't find all the bugs, but they'll help find some of them. FindBugs can act as a safety net and detects identified bug patterns when developers check in their codes into the cvs. You can find a demo for FindBugs here and a viewlet here.

PMD

PMD is not like FindBugs and it analyzes the java source code instead of class files, scans and looks for potential problems like:

* Possible bugs - empty try/catch/finally/switch statements
* Dead code - unused local variables, parameters and private methods
* Suboptimal code - wasteful String/StringBuffer usage
* Overcomplicated expressions - unnecessary if statements, for loops that could be while loops
* Duplicate code - copied/pasted code means copied/pasted bugs


PMD has over 175 “rules”, which are undesirable patterns of code, right out of the box. These rules are grouped into “rulesets,” such as Basic, Unused Code Design, Optimization, Strict Exception, String and StringBuffer, Naming, JUnit and Java Logging.

Not all of them will be appropriate for our project or organization. Fortunately, PMD is configurable and we can configure which rules we want enforced. To do this, we can make our own ruleset file, which states which of the rules we want executed during analysis.

PMD is integrated with Eclipse, JBuilder, IntelliJ IDEA, Maven, Ant, and JDeveoper release 10.1.2 and 10.1.3.

It can also be run on demand from the command line, which allows it to be integrated into nightly Ant/Maven builds and publish the results to a shared location such as an intranet or file server.

There are two ways we can install the PMD plugin for JDeveloper release 10.1.3. One way is to install the extension by using JDeveloper's built in "update center" functionality. Fire up JDeveloper, click "Help", click "Check for Updates", then click "Add" to add a new update center and enter:

Name: PMD Update Center
Location: http://pmd.sf.net/center.xml

Or download the binary release here and unzip it into your JDEV_HOME\jdev\extensions.

To use the PMD, open the Tools-&Preferences menu, click on the PMD option, and select a couple of rules to try. To run it, right click on either a Java source file or a .jpr file (i.e., a project file) and select PMD. Any rule violations should show up in a LogWindow at the bottom of the screen. You can find the viewlet for the PMD here.

For FindBugs and PMD, these two tools focus on different aspects of software quality. Tools like PMD are extremely valuable on enforcing consistent coding style guidelines, and making code easier to understand by developers. Tools like FindBugs help uncover errors, while largely ignoring style issues. Therefore, PMD and FindBugs complement each other, and neither is a good substitute for the other.

There are some comments about FindBugs and PMD, which i found out from the www.theserverside.com and give a good explanation of both as well.

"FindBugs is a very good partner with PMD because it finds issues that are "deeper" than PMD's analysis. Its explanations of the bugs it finds are excellent. The most valuable bugs it picks up for my team are missing stream closures and inconsistent synchronization behavior. We removed the EI and EI2 rules, which spend a lot of time complaining about methods that return internal arrays, which in practice is not all that evil IMHO."

"PMD is definitely the most "complete" of all the tools mentioned here. Its customizability via XSL rules or code is great, the core rulesets are broad in scope and well thought-out, it works well, and has a good Eclipse plugin. Many of the rules are fairly shallow, insofar as they are more stylistic than genuine bug-analysis rules; you also will definitely want to pick and choose which rules to use. We found it pretty easy to select a ruleset between PMD and FindBugs that we all agreed in theory having zero violations was an attainable goal. We're currently just under one failure per 100 lines of code, which is the best of any commercial project I've been on."

QJPro

QJPro is very much similar to PMD and the reason i want to mention here is because QJPro prodvide a Plugin for JDeveloper 9.0.x which PMD did not have. If developers who are using a lower version of JDeveloper like release 9.0.x and want to have a plugin like PMD, maybe QJPro can be considered. You can find the viewlet for the QJPro here.

J2EE Application Performance Tuning Approach

1.0 Set a goal: such as the response time for a given screen transaction per user. or transaction throughput, which is the number of transactions in a given time period, usually one second. For example, you could have a performance measurement that could be no more than three seconds for each screen form or a transaction throughput of one hundred transactions in one second. You should be able to find out this kind of information from project service-level or quality of service (QoS) requirements.

2.0 Identify the bottlenecks: For example, if the CPU usage on an application server is high, you will want to focus on tuning the application server first. There are some simple ways to identify the problem areas, check out my another post for some quick techniques.

3.0 Follow a methodical path: It is better spent tuning a method that takes 10 seconds but gets called 100 times than tuning a method that takes one minute but gets called only once. Make one change and stress-test it, if the change results in positive impact, only then will you make it permanent.

Two kinds of tools that are helpful in the tunning process, namely stress tools that generating load to your application and monitoring tools that collecting data of various performance indicators. For a comprehensive list of stress and monitoring tools, check out Software QA/Test Resource Center.

This is a good article about tunning strategy for the apache, tomcat & application itself, check it out. If none of the solution resolve the bottlenecks, you can consider scaling up the server (database & application). If horizontal scaling is not possible, consider the option of vertical scaling.

By the way, there is one tool I would like to mention here is the JMeter - a free tool from Apache community. It Can be used to simulate a heavy load on a server, network or object to test its strength or to analyze overall performance under different load types. It can also make a graphical analysis of performance or test server/script/object behavior under heavy concurrent load. To get to know it, check out this demo from my colleague - Srini.

J2EE Application Performance Tuning and Optimization

When an application is deployed into the production environment, there are many factors contribute to the ultimate application performance & throughput, not only from application iteself, but types of hardward, settings and configurations of os and servers( web, application & database) and even the way of network setup also play a part.

As there are many places may degrade the performace, approches and solutions will be different and various. Maintaining a list of articles and papers about these approches and soutions will be very helpful & useful in our team and I would like to put some effort to maintain a such list of articles available in the internet regarding the application side(E.g programming practise, application server configurations, technology usage and etc).

Performance tuning is as much as it is a science, team work will be more productive and enjoyable than one man show. If you are the people like me and would like to put some effort into this, let me know and maybe in future we can co-author a paper or a course ( English/Chinese) based on our experience and knowledge gained. :)

In the meantime, i would like to share some of my own experience in the performance tuning and optimization.

In the reality, when expecting application performance & throughput is not met, no party in the project would like to admit the issues or problems are from them since people don't like changes and project deadline is around the corner. In the end, the deadline is extened and peoples from different team (application, infrastructure, database) have to sit together to look into the case.

No matter which team are responsible for it, the most important thing is to find out where & what the bottlenecks are degrading the performance. Bare in mind that there maybe more than one bottleneck exist and no point to complain other people. There are some verifications we can do to find out them one by one until the output meets the expectation.

To verify whethere the network is the cause, we can try to ping or ftp an big file to the target machine to get to know the network speed. If the speed is very slow, it may be one of bottleneck degrading the application, we can inform the infrastrucre team to review their network routing strategy.

To verfiy whethere servers are running or responding slowly, there are a few things we need to look out. We need to know the hardward type, os configuration and server installation version. Especially in the staging environment, one machine may be shared by multiple teams and applcaitons and people can cap the cpu & memeory resource for certain process such as the database server, application server and even your deployed applicaton without knowing it. People can tell you that the machine running the application or servers is a very fast and even with dual processor, but it doesnot mean you are having full power of that machine.

Other than the OS configurations, you also need to know the installation version of server (database, application) and whether they has been installed and setup with recommened parameters and models.

For the application, usually the performace issues are from inefficient business logic, bad sql statement (E.g not using prepared statement & execute batch and commit too frequently, etc.) and db connection handling (connection pooling, leaking, jdbc driver). Usually, a code review will be very helpful to spot those problems. For the sql statement, it is best to consult with DBA to tune the sql (such as truncating a table VS deleting all records). To spot whether there is a db connection leaking, run the "netstat" in the command line and verfiy if there are any outstanding db connection ports opening after db works are done. If the problem still can not be identified, you can use tools like application profiler to spot the bottleneck from certain method or function of the application and narrow down until you find the problem.

What is ebXML?

Electronic Business using eXtensible Markup Language, the 'eb' in ebXML stands for electronic business," and you can pronounce the phrase as "electronic business XML," "e-biz XML," "e-business XML," or simply "ee-bee-ex-em-el". ebXML is a family of XML based standards sponsored by OASIS and UN/CEFACT whose mission is to provide an open, XML-based infrastructure that enables the global use of electronic business information in an interoperable, secure and consistent manner by all trading partners.

ebXML was published in 1999 as an initiative of the United Nations Centre for Trade Facilitation and Electronic Business (UN/CEFACT) and the Organization for the Advancement of Structured Information Standards (OASIS). The original project envisioned five layers of data specification, including XML standards for:

-Business processes,
-Collaboration protocol agreements,
-Core data components,
-Messaging, &
-Registries and repositories

ebXML is not itself a standard, rather, it is a container for several key specification standards administered by UN/CEFACT and OASIS.

Key ebXML standards include ebXML Messaging Services, ebXML Registry, ebXML Business Process Specification Schema and ebXML Collaboration Protocol Profile and Agreement (CPP/CPA).

The International Organization for Standardization (ISO) has approved the following five ebXML specifications as the ISO 15000 standard, under the general title, Electronic business eXtensible markup language:

ISO 15000-1: ebXML Collaborative Partner Profile Agreement
ISO 15000-2: ebXML Messaging Service Specification
ISO 15000-3: ebXML Registry Information Model
ISO 15000-4: ebXML Registry Services Specification
ISO 15000-5: ebXML Core Components Technical Specification, Version 2.01

OASIS technical committees and UN/CEFACT retain the responsibility for maintaining and advancing the above specifications.

The freebXML.org initiative was established to promote development and adoption of ebXML-based open-source software.

 

Additional resources:

Understanding ebXML, Untangling the business Web of the future.
http://www-128.ibm.com/developerworks/xml/library/x-ebxml/
ebXMl Tutorial
http://www.javapassion.com/webservices/ebXML4.pdf

Java/XML rich-client technology

Rich client technology/platform like visual basic and java swing, developers are very much familiar and other technologies like ajax (Google Web Tookit & ECHO2), Eclipse RCP and XUL (Mozila) are also well-known for years.

Recently, I came across an article talking about java/xml rich client technology and its online demonstration impressed me very much in its richness of client-side widgets and functionalities. It runs inside a browser, but pretty muck like a appliaction running on the desktop.

Not like XUL, it does not need a XUL motor (such as Mozila) to provide a running platform, but using jvm plugin in the browser, which allows it to be used in different browsers with jvm plugin.

Currently,two companies are providing this kind of technology, which are nexaweb and asperon. Their online demos are worth for a look.

Enterprise Console Demo From Nexaweb
http://demo.nexaweb.com/Nexaweb/start.jsp?app=sanmgr/index.xml&nocache=true

Order Management Demo From Nexaweb
http://demo.nexaweb.com/Nexaweb/nopushstart.jsp?app=orderdemo/orderStatus.do&nocache=true

CRM Demo from Asperon
http://www.asperon.net/crm/index.html

There are some other interesting rich client demos which is using XUL or Ajax. Check it out.

Ajax Demo from Echo2
http://demo.nextapp.com/Demo/app

XUL Demoonstration
http://xul.sourceforge.net/challenge.html

Reference:
Wei C. (2004). XML Rich Client Technology Strengthens Java. Last retrieved from
http://www.computerworld.com/developmenttopics/development/story/0,10801,93858,00.html?SKC=

Wei C. (2004). Java or .NET? XML Rich-Client AJAX Technology Brings Zero-Install Rich Client To Java
Last retrieved from http://jdj.sys-con.com/read/111208_2.htm

Countries with My Footprints