Stomping on the Bugs

May 1, 2006 — (Page 1 of 3)
Bugs are a big deal. They, of course, inflate the cost of development. I just spent $850 of my client’s money—and wasted most of a day—tracking down what turned out to be a bug in ActiveMQ’s JMS implementation. (So much for “free” software.) Bugs are also the main source of security vulnerability in your program. Hackers attack bugs—it’s that simple.

Part of the bug problem is addressable with process: Test-Driven Development and continuous regression testing are essential practices. Code reviews and pair programming help too. However, none of these “best practices” will find all the bugs.

Computer programs that purport to find bugs have been around for a while. The venerable Unix lint utility did that with C programs. Unfortunately, for every real bug that lint found, it identified 40 or 50 fake bugs, places in the code where there was actually nothing wrong. This huge number of false positives discredited the whole idea of static analysis, of having a computer program find bugs for you.

Fortunately for all of us, we’ve learned a lot since Steve Johnson wrote the original lint back in 1977. I just installed FindBugs (findbugs.sourceforge.net), the brainchild of Bill Pugh and David Hovemeyer at the University of Maryland. This is a breathtakingly useful (and free) tool.

FindBugs finds the sorts of things you’d expect, such as unread fields and unused variables, but it does a lot more.

The basic bug analysis is thorough—much more so than, say, Eclipse’s editor is. For example, it flags a possible null-pointer dereference when a method dereferences a reference that was passed in as an argument without first explicitly testing it for null. The analysis accepts several forms of test, so you can make the warning go away by guarding the use with an explicit “if” statement, adding an “assert” and so forth.

FindBugs goes way beyond the obvious “correctness” problems, though. It can find performance problems, some threading bugs (like inconsistent use of synchronization), vulnerabilities to hacking, internationalization problems and style errors. The attack-vulnerability bugs are particularly important, since these things slip through code reviews all the time, and the consequences of an attack can be so large.
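To make the two kinds of report mentioned above concrete (the unchecked-parameter dereference, and inconsistent synchronization as one of the threading bugs), here is an added Java example that is not from the article or the FindBugs project. The class and method names are invented; each flagged pattern sits beside a version written the way the analysis expects.

```java
// Added illustration (not the article's code): patterns of the kind FindBugs
// reports, each next to a version that satisfies the checker.
public class BugPatterns {

    // --- Possible null-pointer dereference on an unchecked parameter ---

    /** Dereferences 'name' without any null test; a null argument throws NPE. */
    static int lengthUnchecked(String name) {
        return name.length();
    }

    /** An explicit "if" test before the dereference removes the warning. */
    static int lengthGuarded(String name) {
        if (name == null) {
            throw new IllegalArgumentException("name must not be null");
        }
        return name.length();
    }

    /** An "assert" also counts as an explicit null test. */
    static int lengthAsserted(String name) {
        assert name != null : "name must not be null";
        return name.length();
    }

    // --- Inconsistent use of synchronization on a shared field ---

    /** The field is written under the object's lock but read without it. */
    static class InconsistentCounter {
        private int count;

        public synchronized void increment() {
            count++;
        }

        // Unsynchronized read of a field that is written under lock:
        // a reader may see a stale value.
        public int get() {
            return count;
        }
    }

    /** Every access to the shared field happens under the same lock. */
    static class ConsistentCounter {
        private int count;

        public synchronized void increment() {
            count++;
        }

        public synchronized int get() {
            return count;
        }
    }

    public static void main(String[] args) {
        System.out.println(lengthGuarded("findbugs"));
        ConsistentCounter c = new ConsistentCounter();
        c.increment();
        c.increment();
        System.out.println(c.get());
    }
}
```

The synchronization case is the one that tends to slip through a code review: each method looks fine on its own, and only the mismatch between the locked write and the unlocked read reveals the problem, which is exactly the kind of whole-class view a static analyzer has and a reviewer reading one method at a time does not.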

