I'M NOT A fan of wizards. Most wizards, to me, aren't very intelligent. They are, to put it
mildly, mostly a pain in the...er, neck. So, when I was asked to take a look at CodeWizard for Java
from ParaSoft, I didn't approach the task with very high expectations. However, as it turns out, I
was pleasantly surprised.
ParaSoft started as a vendor of software products for parallel computing (hence, presumably, the name).
In parallel computing, there is a need to analyze source code to determine whether and how to break it
up to run on multiple processors, and then how to reassemble the results. When parallel computing
failed to make a splash commercially, ParaSoft re-oriented its source code analysis technology to
address the admitted need for better identification and removal of bugs in standard computer programs.
Among its products, the company offers CodeWizard, a source code analysis product for C++, which is
based on Scott Meyers' Effective C++ books; Insure++, which instruments source code for
pinpointing errors during execution; jtest!, a Java testing tool; TCA, a test coverage
add-in for Insure++; and CodeWizard for Java, a source code analysis tool for Java. I tested
version 1.1 of CodeWizard for Java, which was announced in May 1998 (expanded analysis rules were
added in September 1998). A Solaris license on Sun hardware costs $1995, while a Windows 95 or NT
license is priced at $750; bundling and other discounts are available.
Installation
Installation was what we've come to expect under Windows—easy. Inserting the CD in the drive
produced a window listing all the available ParaSoft products on the CD. Double-clicking the CodeWizard
for Java icon installed the software into a directory (which can be set by the user). Installation
created subdirectories for manuals, bin.Win32, lib.Win32, with examples,
and took a little more than 5 MB on my Windows NT 4.0 system. It also created a file called
cwjpath.bat to add the CodeWizard for Java executables to your path and
make them available at the command line.
The installation includes help files and an uninstaller, along with the CodeWizard for Java Control Panel.
Various options can be set using the control panel, including regular expressions to implement your
shop's naming conventions for classes, methods, and the like (more on this later). The Control Panel
is an easy to use standard Windows application.
Heading For the On-Ramp
The online user guide is provided in HTML format and can be viewed using your browser. It suggested
trying the software on a demo program provided with CodeWizard, so that's what I did. I got the following
results:
F:\PARASOFT\CODEWI~1\examples>d:
D:\HOME\cwj>copy f:dem*.*
f:demo.java
1 file(s) copied.
D:\HOME\cwj>javac demo.java
Symantec Java! JustInTime Compiler
Version 210.063 for JDK 1.1.3
Copyright (C) 1996-97 Symantec Corporation
compiling: demo.java
D:\HOME\cwj>java demo
Symantec Java! JustInTime Compiler
Version 210.063 for JDK 1.1.3
Copyright (C) 1996-97 Symantec Corporation
In class demo: void main(String argv[]) is
not defined
Hmmm, not what I expected to see, particularly because these are the steps suggested by the manual. Looking
at the code, however, there's no way the class supplied in demo.java should
compile to a complete application. So, I ran cwj against the demo, with
these results:
D:\HOME\cwj>cwj demo.java
You do not have a password.
I recognize the reasons for passworded software, but that doesn't make it any more palatable to encounter
this message when installing from a distribution CD. Okay, obviously it was now time to contact technical
support.
Dances With Wizards
Technical support was knowledgeable, and the wait to talk to a live human was short. Once you get past
the password issue, things are relatively straightforward. (Passwords are locked to your hardware
machine ID, and have an option for timed expiration.)
Once you have a password, CodeWizard for Java is run in stand-alone mode for source code
analysis by typing cwj wherever you would type your normal Java compile command
(e.g., javac); so, cwj demo.java checks the
source file demo.java. You can get fancier with the command line. For
example, you might try something like:
cwj PrimeNumbers.java -Zoi "ClassNameRegExp ^[a-z]" -Zoi
"suppress item 2"
to check source file PrimeNumbers.java and pass parameters to check that class names start with a lower
case letter and to suppress messages relating to item 2.
You can also run CodeWizard for Java as an integrated tool that checks your code and then calls your Java
compiler, thus:
cwj -Zoi "analyze_only off" demo.java
This works if you have set your default Java compiler (e.g., javac) using a
configuration file parameter or an additional command line option. I personally like command line tools,
but I do most of my personal Java work in Visual Café, an integrated environment from Symantec. I
would be willing to run cwj periodically from a Command prompt
(or Windows 95 DOS box), but not all developers will be pleased with this approach. The documentation
indicates that CodeWizard for Java installs automatically into Microsoft Visual Studio 97, and comes
with instructions for adding CodeWizard buttons for its Analyze File and Control Panel to the
existing Microsoft Visual Studio buttons. It seemed easy, but I didn't want to do that for a tool
that may not be a permanent addition to my toolbox.
However you choose to invoke CodeWizard for Java, you can view its output in a graphical browser or
you can send it to stderr or to a report file as an ASCII report.
CodeWizard for Java also has configuration files that allow you to specify the options you desire once,
rather than on the command line each time using the -Zoi parameter.
CodeWizard's graphical browser, Insra, is the graphical user interface common to all the CodeWizard for
Java products. Insra allows you to view the error messages (or code commentary, call it what you will)
and has buttons for navigation and for suppressing items that are displayed.
A Few Potholes
I ran cwj on the demo.java file, and got Insra to
display the results. I then clicked on the error message in Insra, and a window appeared with a more
thorough explanation. I tried to look up Item 30 in the provided Help file, and was surprised to see
that there was no apparent entry for Item 30. However, tech support suggested double-clicking a
related entry, Item 29, and sure enough, Item 30 was explained there. I consider the help file to
have a bug, in that the heading for Item 29 should have indicated it was for 29-30, as do headings
for other groups of items.
Tech support also indicated that there were really 65 Items, not the 39 visible to me. It turned out
that the version of the software I received in October contained files from June, and there was a
newer release in September. The ParaSoft support site allowed me to download an updated version
in self-extracting executable form (slightly more than 3MB). This update contained the additional
items, and otherwise seemed to offer the same functionality as the earlier version I'd been working with.
Up and Cruising
CodeWizard for Java integrates to some extent with Microsoft Visual Studio, but it doesn't know
anything about Visual Café. So, I decided to throw some existing Java code at it and see what
happened. The code I used was for a GUI form-related application. CodeWizard for Java analyzed the
code and displayed summary results in the Command box from which it ran, with details in the Insra
GUI, all within the space of a few seconds. The summary statistics were:
D:\HOME\cwj>cwj *.java
CodeWizardJava parsing ...
checking for rule violations in D:\HOME\
cwj\FileServer.java
checking for rule violations in D:\HOME\
cwj\InfoID.java
checking for rule violations in D:\HOME\
cwj\KButton.java
checking for rule violations in D:\HOME\
cwj\MessageBox.java
checking for rule violations in D:\HOME\
cwj\TaxClient.java
checking for rule violations in D:\HOME\
cwj\TaxImpl.java
checking for rule violations in D:\HOME\
cwj\TaxInfo.java
checking for rule violations in D:\HOME\
cwj\TaxMenu.java
checking for rule violations in D:\HOME\
cwj\TaxServer.java
Summary metrics:
Number of Classes: 9
( Final Classes: 0 )
Number of Interfaces: 0
Number of Methods: 47
( Final Methods: 0 )
Number of Static Methods: 1
( Final Static Methods: 0 )
Number of Instance Variables: 32
( Finals: 0 )
Number of Static Variables: 25
( Final Static: 0 )
Number of Lines Parsed: 948
Number of Files Parsed: 9
The errors were organized by module in Insra; most of them were related to Item 10 and Item 20, with
some Items 7 and 8 thrown in. (At least the programmer was consistent!) Item 10 is Avoid public and
package instance variables and CodeWizard for Java obligingly identified the offending variable. Item
20 is Enforce name format of methods; in this case, CodeWizard for Java complains about method names,
that do not begin with a lower-case letter, because it comes pre-configured with a regular expression
to that effect. A double click on the indicated error brings up the module in Wordpad; the tool can be
configured to use your preferred editor, of course. A sample of CodeWizard at work on this multi-module
example is shown in Figure 1.
Figure 1. Insra displays each violation it finds and allows you to drill down to the actual code.
Rules!
What We Need are Rules!
CodeWizard for Java incorporates a number of items or recommended coding practices; violations of these
rules are reported by the tool. The documentation lists 39 of these items and, if you run off the
installation CD I received, these are the items that the tool checks:
Item Description Violation Enabled 1 Avoid
unused variablesPV X 2 Explicitly initialize all
variables. PV X 3 Switch statement with bad case.
PSV X 4 Make class names match their
filename.
I X 5 Avoid hiding inherited instance variables.
PV X 6 Avoid hiding inherited
static member
functions. PSV X 7 Constructor should explicitly
initialize all data members.
V X 8 Instantiated
classes should be made final. I X 9 Avoid
assignment within an if condition.
V X 10 Avoid
public and package instance variables. I X 11 List
all public and package
methods/data first. I X 12
Avoid hiding member variables in member funct-
ions. PV X 13 Implement
interfaces nontrivial-
ly or abstract. V X 14 Use "equals" instead of
"==". PV X 15
Use "Stringbuffer" instead of
"String". I X 16 Provide "default:" label for each
switch
statement. PV X 17 Provide incremental
in for-statement or use while-statement. I X 18
Enforce
name format of classes. V X 19 Enforce
name format of instance variables. V X 2 0 En-
force name
format of methods. V X 21 Enforce
name format of local variables. V X 22 Enforce
name format of
interfaces. V X 23 Enforce name
format of method parameters. V X 24 Enforce
name format of exceptions.
V X 25 Enforce name
format of class variables. V X 26 Enforce name
format of class methods. V X 27
Unused throws
statement. V X 28 Close stream in finally block.
V X 29 Unused private class variable.
V X 30 Un-
used private class methods. V X 31 Explicitly ini-
tialize all static variables. V X 32
Distinguish
between javadoc and ordinary comments. I X 33
Bad tag in javadoc comment. I X 34
Provide
javadoc comment for each top level class and in-
terface. I X 35 Provide javadoc comment
for
method and data. I X 36 Avoid declaring vari-
ables inside a for loop. PV X 37 Avoid
declaring
variables inside a while loop. PV X 38 Avoid dan-
gling else statements. PV X 39 Avoid
for-state-
ments with empty body. PV X Severity
Explanation: I - Informational, PV - Possible Vi-
olation,
V - Violation, PSV - Possible Severe Vio-
lation, SV - Severe Violation.
I like a number of these because they match my own prejudices. For example, Item 4 says make class
names match their filename. It's annoying to me to deal with code that doesn't follow this rule.
Or take Item 9, avoid assignment within an if condition. That one deals with bugs of the
form:
if (foo = 3) { //do some stuff
where the intention was to test foo, not set it.
Items 18-26 may give you pause if you don't want some tool telling you what naming conventions to follow.
However, CodeWizard for Java doesn't do that: what it does is require you to specify your own naming
conventions using regular expressions. The manual provides good examples of sample regular expressions,
if this powerful UNIX feature is not intuitive for you.
ParaSoft's manual notes that if you would like additional items not included in CodeWizard, you can
write your own rules using CodeWizard's optional API feature. You can also order custom rules from
ParaSoft's Web page which includes a mechanism for submitting requests for rules to be included in
the product; because Java is still a new programming environment, ParaSoft's openness to programmer
input is to be commended. A search of the documentation and Web site for information about the API
turned up nothing useful, however. ParaSoft's technical support personnel indicated that APIs for
writing your own items or rules are available, along with documentation, at $12,000 each for
Windows NT or Windows 95. ParaSoft also confirmed that they would customize CodeWizard for Java on
a paid basis for an organization, but could not quote prices as the cost would depend on the number
and complexity of the custom items and the extent of customization.
Suppressing Warnings
Given all the things it complains about, CodeWizard for Java does allow you to suppress warnings.
The suppression is driven by a rule number, rather than by warnings in particular modules, although
it is possible to tell the product to ignore files or packages. This is an improvement over the
kinds of warning levels we're used to in compilers. With a little work it would be possible to get
CodeWizard for Java not to report certain rule violations based on who generated the code, by
organizing the code, or by explicitly excluding the files. I don't want CodeWizard for Java to
tell me anything about the code generated by the gaggle of other wizards and operating environments
we have to deal with, so I'd like it not to do much of anything with generated code or, if it
must report, only report once. On the other hand, the code that's written by hand should be
subjected to a different and potentially more rigorous set of rules.
Consider a situation where names of classes written by the team's programmers follow a different
naming convention from that used by the compiler and/or library vendors; you can specify a regular
expression for your standard, and then sit through the errors reported on 3rd-party code; or you
can write a regular expression that allows both standards, and mask situations where your team
improperly adopts the 3rd-party standard, or you can just turn this item off and not have it
checked. All of these alternatives seem a little less than totally satisfactory.
I've observed that programmers turn off warning levels in compilers because they don't want to
see all those error messages. This in itself is a source of missed opportunities to detect bugs,
and CodeWizard for Java will suffer some of this same effect.
What Is It Good For?
CodeWizard for Java gives you a handy tool for checking your source code as you write. If you're
a beginning programmer, it may give you a leg up in learning Java (or, at least, learning some
of the things you shouldn't do). This approach fits well with CodeWizard's graphical interface.
And, if you're the kind of person who thinks the lint preprocessor for C is a good thing,
you'll be sold on CodeWizard for Java from the beginning.
My take on it is a little different, though. While the graphical mode for beginning programmers
is a nice option, I think the way to get value out of this tool is to plan to customize the rule
base to reflect what you want to see happening in your own shop, and the idiosyncrasies of your
own compiler, and to run the tool as part of your periodic build process. With this approach,
you can treat the CodeWizard for Java output much like compiler warnings, and decide who has
responsibility for taking action in response to these messages and under what conditions action
is required. Be aware, though, that the APIs for doing this are pricey, so it might make sense
to get a quote for the customization first.
I should note that having items 18-26 driven by user-defined regular expressions takes care of
many of the normal standards' issues found in most shops, which generally have to do with naming
conventions. CodeWizard does not deal with the other common shop standard issue, formatting of
source code, but that is easily taken care of by a customized version of indent or a similar
inexpensive pretty-printer solution. So, the tool as it exists, once you write the regular
expressions, may do enough for you to make the $12,000 API less than economically worthwhile.
However, under the philosophy of using the tool for more than just off-the-shelf rule checking,
it might make sense to also consider jtest!, another ParaSoft tool. jtest! is an
automated testing tool that runs Java code and reports back all the errors it finds in a log file.
It calculates test coverage and includes a playback facility to play back test sequences that
generate errors. So, the best solution might be to combine the two within the context of
controlled periodic builds, using CodeWizard for Java to enforce your shop's programming
standards and try to limit some questionable programming practices, coupled with jtest! to
identify actual bugs in the code.
Who Ya Gonna Call?
Statistics concerning average defect or bug rates and costs of finding and fixing bugs are not well
developed in our industry, but it seems clear that the cost of finding and fixing a single bug
can certainly exceed the $750 purchase price of CodeWizard for Java. If your development organization
includes anything other than highly experienced Java developers (a somewhat oxymoronic term) and
if you care about being able to gently enforce shop standards through an automated tool, CodeWizard
for Java seems like a good deal.
Tom Bragg is a software developer and expert witness in computer litigation, from McLean, VA. He
can be contacted at 202.928.1194 or by email at [email protected].