PMD: Automated source code analysis and bug detection
PMD, an open-source automated Java source code analysis and bug detection tool, recently reached version 4.0. InfoQ spoke with Tom Copeland, PMD project lead, to learn more about PMD and what capabilities it provides.
PMD is a static Java source code analysis tool, similar in concept to Checkstyle, FindBugs and Coverity. It searches Java code for inefficient code, bugs, common coding problems, and other such issues. PMD can be used in the development environment through IDE integrations, or it can be incorporated directly into an Ant or Maven build. PMD uses rules to perform the source code analysis, and the rules are grouped into rulesets. InfoQ asked Cohen to describe them in more detail:
The rules are categorized by the sort of problem they check for - thus the unused code ruleset finds unused local variables and private fields and methods, the strict exception ruleset finds methods that throw Exception and catch blocks that catch NullPointerException, and so forth. There are also library-specific rulesets. For example, there's a JUnit ruleset that finds common problems (such as using
assertNull(x)) in JUnit test suites. Currently we've got around 225 rules and there are more in the pipeline.
New rules are added as folks think of them and submit patches or feature requests. Each rule has a suite of unit tests to minimize the number of obvious false positives reported; we hope this helps keep the PMD reports reasonably clean.
InfoQ asked Copeland what was new in 4.0, and he said that the biggest new feature is Java 5. PMD has been rewritten in Java 5, and it now expects to analyze Java 5 source code by default - Java 1.4 and earlier are still supported though. Increases in performance were also mentioned, along with bugfixes and new code-checking rules. When asked what the next major step would be for PMD, Copeland said:
Type resolution is the next big thing. Currently PMD examines one source file at a time, which limits the scope of its rules. Allan Caplan, one of the PMD core committers, has done a lot of work in this direction by using the bytecode manipulation library ASM to parse classfile dependencies, and we think that this will reduce false positives and find more real problems. We've also got a data flow analysis layer that will be able to take advantage of this type resolution ability once it's finished. Should be fun times!