Experiences Using Static Analysis to Find Bugs

Nathaniel Ayewah
David Hovemeyer
J. David Morgenthaler
William Pugh
IEEE Software, 25(2008), pp. 22-29


Static analysis examines code in the absence of input data and without running the code, and can detect potential security violations (e.g., SQL injection), runtime errors (e.g., dereferencing a null pointer) and logical inconsistencies (e.g., a conditional test that cannot possibly be true). While there is a rich body of literature on algorithms and analytical frameworks used by such tools, reports describing experiences with such tools in industry are much harder to come by. In this paper, we describe FindBugs, an open source static analysis tool for Java, and experience using it in production settings. FindBugs does not push the envelope in terms of the sophistication of its analysis techniques. Rather, it is designed to evaluate what kinds of defects can be effectively detected with relatively simple techniques and to help us understand how such tools can be incorporated into the software development process. FindBugs has become very popular, downloaded more than 500,000 times and used by many major companies and software projects. We report on experience running FindBugs against Sun’s JDK implementation, using Findbugs at Google where it has been used for more than a year and a half and incorporated into their standard development process, and preliminary results from a survey of FindBugs users.

Research Areas