Cross-class-capable extendable static analysis tool for java?

Question

I'm trying to write rules for detecting some errors in annotated multi-threaded java programs. As a toy example, I'd like to detect if any method annotated with @ThreadSafe calls a method without such an annotation, without synchronization. I'm looking for a tool that would allow me to write such a test.

I've looked at source analyzers, like CheckStyle and PMD, and they don't really have cross-class analysis capabilities. Bytecode analysers, like FindBugs and JLint seem rather difficult to extend.

I'd settle for a solution to something even simpler, but posing the same difficulty: writing a custom rule that checks whether each overriden method is annotated with @Override.

Answer 1

A simple tool to checkup on annotations is apt (http://java.sun.com/j2se/1.5.0/docs/guide/apt/ also part of Java 6 api in javax.annotation.processing) however this only has type information (ie I couldn't find a quick way to get at the inheritance hierarchy using the javax.lang.model api, however if you can load the class you can get that information using reflection).

Answer 2

Try javap + regexes (eg. Perl)

Answer 3

You can do cross-class analysis in PMD (though I've never used it for this specific purpose). I think it's possible using this visitor pattern that they document, though I'll leave the specifics to you.

Answer 4

Have you tried FindBugs? It actually supports a set of annotations for thread safety (the same as those used in Java Concurrency in Practice). Also, you can write your own custom rules. I'm not sure whether you can do cross-class analysis, but I believe so.

Peter Ventjeer has a concurrency checking tool (that uses ASM) to detect stuff like this. I'm not sure if he's released it publicly but he might able to help you.

And I believe Coverity's static/dynamic analysis tools for thread safety do checking like this.

Answer 5

The DMS Software Reengineering Toolkit can parse/ name-resolve, build call graphs for arbitrarily large sets of Java source files (with backup information from .class files). One can code custom cross-calls analyses using this.

One example is to do dead code detection, by parsing all the compilation-units involved, building symbol tables for everything and chasing down all the references. A top level definition with no references and no claim of being an external API item is dead. This tool also automatically strips out the dead code, and at the end you can choose what you want: the report of dead entities, or the code stripped of those entities.

Because DMS builds a call graph for the classes involved, you should be able to straightforwardly walk down the call graph starting from methods with your annotation, looking for called methods without, and issue a complaint.

See http://www.semanticdesigns.com/Products/DMS/DMSToolkit.html