SofCheck Inspector's output is generated in the Output_Directory. Output is generated in two formats, both of which preserve the Java package/source file hierarchy. The recommended format is HTML, suitable for display by a browser. It is produced under the html subdirectory of the Output_Directory. A more traditional interleaved source and inspection message listing is produced under the list subdirectory of the Output_Directory. The contents of the list subdirectory may be displayed with any ASCII text viewer.

To look at the output, point your browser at html/index.html, in the Output_Directory.

The back button (<<) and forward button(>>) are located in SofCheck Inspector's titlebar. Use these buttons to navigate through the command history associated with the large right panel of the main window. These buttons will work more predictably than the browser's built-in back and forward buttons, because of the multi-frame user interface provided by SofCheck Inspector. The browser's built-in back and forward buttons work fine with the other windows (Message History, Race Conditions, Class List, and Help windows).

The Main Window is composed of up to four panels, with a titlebar across the top. The Partition panel in the upper-left panel contains a list of the partitions into which the Inspector has broken up the system for more efficient analysis. Click on All Partitions to display all directories and files, or click on a named partition to filter directories and files to those inspected within that partition. The Partition panel will not be present if the inspection was performed as a whole and no partitions are created. The -global command line flag instructs Inspector to avoid making partitions; Inspector may not create partitions if the analysis is small.

The Files panel on the left, below the Directories panel, lists source files analyzed by the Inspector. A “-” to the left of the file indicates that the file has been dropped since the base inspection; a “+” indicates that the file has been added since the base inspection. Initially, the Files panel shows all of the source files in the system, across directories and partitions. Filter the list by selecting a single partition in the Partitions panel. You may also filter the list by selecting Partition n Files or a single directory in the Directories panel. Click on a file name to view the File Summary, described below.

In the Main panel on the right, you may click on one of three tabbed views: Inspection Overview, File Summary, and File Source.

The Inspection Overview view shows the inspection's File Hot Spots, a sorted list of files, those with the most important inspection messages listed first. Importance is ranked according to an algorithm that considers the number, a calculated degree of priority, and newness of inspection messages. In the header, the Current Inspection shows the date and number of the inspection run that generated this output, whereas the Base shows the date and number of the base inspection. The base inspection is a prior inspection against which the current inspection is compared, to determine changes since a prior run.

For each of the files, a set of columns show the numbers of high, medium, and low probability inspection messages. The higher the probability, the greater the likelihood the indicated line of code would fail when executed. Each probability category has three columns: base, deltas, and now. The base shows the total number of inspection messages that were found in the base inspection in each file. The now column shows the total number of inspection messages that are found in each file for the current inspection. The deltas column shows how many unique inspection messages were dropped and/or added between the base and current inspection in the form dropped/added, e.g. “-2/+5” means that two messages were dropped and five new ones were added. Click on an individual file name to display its File Summary.

If any of the files have been added (“+”) or dropped (“-”) since the base inspection, the File Hot Spots table will have a “-/+” column to mark the file in this way. Dropped files (i.e., files that were present in the base inspection, but are not in the current inspection) appear at the end of the table, after the files for the current inspection. Clicking on the name of a dropped file will bring you to its File Summary view, but because the file is not part of the current inspection, you will not be able to access its File Source view.

The File Summary view shows a file's Method Hot Spots, a sorted list of methods, those with the most important inspection messages listed first. As for the Inspection Overview, importance is ranked according to an algorithm that considers the number, a calculated degree of priority, and newness of inspection messages. The following section will list a method summary table for each method that has inspection messages. If there are no inspection messages for the file, there will be no Hot Spots or Method Summary tables. The last section lists all methods, even those with no inspection messages, with links to jump to the source for each method. If a method name has a hyperlink, clicking on it will bring you to the Method Summary table in the File Summary view.

The File Source view shows an annotated source file listing for the current file. If no source was available for a .class file that was inspected, only the annotations will be displayed. The source is interspersed with preconditions and postconditions, lines with added inspection message indicators (“+” to the left of the line number), and color-coded hyperlinks to the inspection messages. Click on the Precondition/Postcondition indicator (“P/P”) near the top of a method's definition to show a list of all preconditions and postconditions in the bottom view pane.

Click on a color-coded, hyperlinked line to show the associated inspection message(s) in the bottom view pane. The colors are assigned according to the highest probability message associated with any one line, red for high, yellow for medium, green for low. Each inspection message will show a blank or “+” indicator (“+” indicating this message is new in the current inspection), a message category, a high/medium/low probability indicator, and a detailed text description. Click on Prev Msg or Next Msg to view the previous or subsequent inspection message for the file, respectively. Click on the Edit Icon, the image of a pencil-and-paper to the left of the probability indicator, to open the Per File Message Status Window.

Click on the Inspection Overview, File Summary, or File Source tabs to alternate between views. Remember to use the << and >> buttons in the Inspector titlebar to navigate back and forward, respectively, between viewed pages. (Avoid using the browser's default back and forward buttons, since they may lose track of your view state information.)

Click on the Race Conditions button in the titlebar to view the Race Conditions report. The button is suppressed if the inspection was performed with the -no-race-conditions command line option. See the section Identify Possible Race Conditions for a description of how to interpret the results of the race condition analysis.

Click on the History button in the titlebar to view the Message History report. This button is visible only if a Database_Dir has been specified in the library file (see above) for the current inspection and the user has not specified the -no-error-history command line option. This report contains a table of the number of messages identified in every inspection, in total and grouped by each directory of sources, since the database was created. Each row corresponds to an inspection. Rows of baseline inspections appear darker.

At the bottom of the Message History report is a histogram of the total number of errors over time, with one column per inspection.

Note: for the Message History Report, each message in the database is evaluated relative to the current inspection, the current base inspection, and the current MessagePatterns.xml file. As a result, the message counts for prior inspections may vary from those counts that were reported at the time of the actual inspection.

Click on the Class List button in the titlebar to view a list of all classes inspected in the current run. Click on a class in the left pane, and the right pane will display detailed information including the source file, superclass, and a list of virtual methods, constructors, static methods, instance fields, static fields, and references to other classes. The methods and fields of each class inherited from its superclass are displayed using an italic font. Methods and fields directly defined on a class are displayed using normal font. In the right pane, click on the superclass or a reference to another class to jump to it in the Class List. Methods with inspection messages will have hyperlinks. Click on a method hyperlink or the source file hyperlink to jump to the File Source view.

Click the Messages button in the titlebar to open the Message Status Overview window. This window contains a system-wide summary of the messages organized by Message Category, and again by source file. The Message Status Overview allows you to sort/filter system-wide summaries of inspection messages and to access per-file summaries.

Message Category Table

For each row in the Message Category Table, the message count for each category is further broken down by High/Medium/Low probability.

Uncheck the Select box for a message category to suppress that category from appearing in the Source File Table.

Source File Table

Each row in the Source File Table is uniquely defined by source file and message category. The message counts are subtotaled for each category of messages in a source file. As with the Message Category Table, each file-category row has High/Medium/Low probability columns. File-category rows with zero inspection messages are not shown.

Click on a column header to sort the display by that criterion. Sorting large tables can take a long time. While the sort is being performed, the column header will be highlighted, and a Stop Sort button will appear at the top of the window. You may continue working in other areas of the browser while a sort is running, although performance may be slowed. The Stop Sort button will disappear when the sort finishes. Click on the Stop Sort button to stop a sort before it finishes.

Navigating to the Per-File Message Status Window

Click on a Source File Name in the Message Status Overview window to navigate to the detailed message list for that file.

Alternately, open the detailed message list for a file by clicking on the edit icon which also appears

• in the bottom pane of the File Source view, preceding each message's probability, and
• in the top index tab for a selected file, if the file has any inspection messages

Per-File Message Status Window/Editing Messages

Note : This message-edit functionality requires that Google Gears be installed on your system. Google Gears is an open source browser extension that enables web applications to provide offline functionality using JavaScript APIs. Google Gears is supported on Firefox 1.5+ and Internet Explorer 6.0+ on Windows Vista/XP. If Google Gears has not been installed and you try to edit a message, a button will be provided for you to Get Google Gears. At that website, simply click the "Install Google Gears" button to download it and run the Google Gears installer. After the installation, you will need to exit your current browser session, and then start a new one, for the message-edit functionality to be available.

At the upper-left of the window, the Filter Options grid contains checkboxes to control which messages are displayed. for History options, check added to select messages that were not in the base inspection but appear in the current inspection, dropped to display messages that appear in the base but not in the current inspection, and unchanged to display messages that appear both in the base and current inspections. For probability, check High, Medium, and Low to display messages with corresponding current probabilities.

By default, added, unchanged, and dropped messages are displayed, for High and Medium probabilities; Low probability messages are hidden. You may check a box to show the corresponding messages, or uncheck the box to hide them. The filtering options selected affect all files, not just the one whose messages are currently being displayed.

Click on any of the hyperlinked column headers to sort by that column, which can be Status, +/-, Msg Id, Method, Line, or Message Category. Sorting columns in this window uses your browser's build-in sorting capability, and may be unresponsive during a sort. Most sorts should complete in a reasonable amount of time.

The Status column displays the current probability for a message. The Review button indicates that the message has yet to be reviewed, while the Edit button indicates that the message has already been reviewed/modified. Both buttons bring up a popup window through which the user can change the probablity of the message and/or add comments to it. The history of all changes made to the message is also displayed. for a message that has yet to be reviewed, click on the Mark As Reviewed button to confirm the probability assigned by the Inspector; this will also automatically add a comment to the message, with the timestamp of the review.

Changes which you make during your current browser session will be reflected in the Message Status window and corresponding File Source view; however, they will not be fully incoporated into the output (i.e., in any of the Overview tables, or in the message-status Change History) until the Inspector is re-run. From the Inspector Console, choose the Run->Regenerate Reports menu item to fully incorporate the latest message edits *without* rerunning the analysis engine. This will also pick up any changes made by others on your system who have been examining the same output. (Note : Even if you do not re-run the Inspector, changes that you make in one browser session will be available in subsequent browser sessions. However, the color-coding of source lines in the File Source view (based upon message probability) may not be accurate until the corresponding Message Status window is loaded.)

The Msg Id column contains Inspector-generated message identifiers used to uniquely identify each inspection message. Click on a Msg Id to jump to the File Source view for that message.

Click the Annotations button in the titlebar to open the Annotations Report window. This window contains a system-wide summary of annotations per file, with deltas.

Click on a file to get a detailed view of annotations per method, including some history information, filterable by annotation kind, and whether the annotation is new, unchanged or dropped.

Click on the Help button in the titlebar to view this SofCheck Inspector User Guide.

In addition to the files in the html subdirectory, there are listing files in the list subdirectory of the Output_Directory, each with the suffix .txt. These files contain source listings interleaved with SofCheck Inspector messages. Some of the information in these listings is at a lower-level than that displayed in the browser. We suggest initially viewing the output through the browser interface. The listings may be used for more detailed analysis, if desired.

The overview.txt file in the list subdirectory provides aggregated message information in a series of tables using comma-separated list format, each intended to be suitable for import into a spreadsheet.

Run-Time Test Vectors

The Inspector creates a test_vectors.txt file directly in the output directory (as opposed to in the list or html subdirectory). This file contains a report which, for methods that have any significant control flow (if/while/for statements), identifies the distinct ranges of values for inputs (or combinations of inputs) that will ensure that each block of code is executed. for example, if the report includes:

  Graph.Util:Get_Value
    X: {0..2}, {3..2_147_483_650}
    X - Y: {-inf..0}, {1..+inf}
  

The Inspector determines these test vectors as a side-effect of its control and data flow analysis of each method. The test vector report can help a project achieve higher coverage in run-time functionality tests to complement the full coverage static error detection tests provided by the Inspector.

SofCheck Inspector output is comprised of messages and annotations. The types of messages and annotations produced are described below. For an overview of SofCheck Inspector's output, refer to the How to View SofCheck Inspector Output section.

SofCheck Inspector uses static analysis to track possible run-time values of all variables, parameters, and fields at each point in the source code. using this information, it identifies conditions under which a Java run-time check might fail (null pointer, array out of bounds, etc.), an exception might be thrown, a user-written assertion might fail, or a numeric calculation might overflow or wraparound.

The messages that the Inspector emits, when it detects one of the above conditions, are referred to as Check-Related Messages. The Inspector's titlebar displays the Total Checks Analyzed (i.e., the total number of such checks that it performs as part of its static analysis over the entire program), as well as the Total Checks Passed (i.e., the number of such checks that it determines will pass). The Percentage Passed statistic is an important metric to help you track the overall quality of your code, or determine the quality of third-party or outsourced code. Each file's File Summary page will also display the same check-statistics, on a per-file basis.

Some messages that the Inspector emits do not fall into the Check-Related category. These messages are "suspicious preconditions", as well as the race-condition messages and the code redundancy messages (see below). The Hots Spots tables, in both the Inspection Overview and File Summary pages, display the total error-counts using a breakdown of Check-Related Messages and Other Messages.

The messages produced by SofCheck Inspector indicate particular lines of source code that could cause a crash or questionable behavior at run time. The reason is given (such as “array index out of bounds”), along with a rough indication (based on heuristics) of the likelihood that this message identifies a defect that could lead to incorrect results in actual usage of the program. Occasionally a message contains too much information to fit conveniently on the screen. In that case the message will be truncated and will be replaced with an ellipsis (“...”) as indication that truncation has occurred. The complete text of the message is available for viewing in the corresponding .txt file.

These are the messages produced by SofCheck Inspector. NOTE: CWE refers to the Common Weakness Enumeration, a community-developed dictionary of common software weaknesses, hosted on the web by The MITRE Corporation. The numbers following CWE are the indices into the CWE dictionary, for weaknesses that correspond to the given Inspector message.

SofCheck Inspector produces three sorts of race condition messages. See Identify Possible Race Conditions for details on using the SofCheck Inspector to perform race condition analysis. Note that when the Inspector indicates that no lock is held, it actually means that no lock visible to multiple threads is held. There may in fact be a local lock held. See Identify Possible Race Conditions for more information on the handling of local locks. See above for an explanation of the CWE references.

If Inspector indicates a race condition at a particular line in your program, it is best to refer to the Race Conditions report by clicking on the Race Conditions button in the titlebar. The Race Conditions report is organized by the affected object, and gives an overall perspective on how the various thread entry points are involved in creating the potential race condition on the given object. See Identify Possible Race Conditions for more information on how to interpret this report. Note that the current release of Inspector does not detect deadlocks between threads(sometimes called “deadly embraces”). Rather it identifies data objects that are potentially referenced without adequate synchronization.

SofCheck Inspector makes conservative assumptions in order to avoid missing potential problems. Because of these assumptions, SofCheck Inspector might generate inspection messages that a programmer would decide are not true problems, or that are problems that would not occur during a normal execution of the program. for example, a given numeric overflow might occur only if the program ran continuously for decades. Inspection messages that are not true problems are called false positives.

To help deal with false positives, SofCheck Inspector categorizes inspection messages into three levels, according to the likelihood the message corresponds to a true problem. For example, a "divide by zero" error might be categorized as "high." An "overflow" that only occurs near the limits of the maximum long integer value, however, might be categorized as "medium," especially if there are intermediate exit points in the loop that would prevent the overflow. Use of a global variable that is not explicitly initialized might be categorized as "low" because Java provides well-defined default initial values for all globals. These levels are determined by matching against patterns provided in a MessagePatterns.xml file. With guidance from SofCheck, this MessagePatterns.xml file may be used to tune the categorization of messages to the needs of a particular project.

The following terms are used to distinguish between different inspections and messages when an historical database is being maintained for a body of code.

Where an historical database is specified, the Inspection Overview's base inspection defaults to be the second most recent baseline inspection, one run with the -baseline command-line flag. Use the -cutoff flag to override the default base inspection by assigning the inspection ID of an arbitrary inspection to be the base.

Inspector uses the historical database, the message type, and the line number on which the message is associated to determine whether a base message matches a current message or the current message is new. Each new inspection message is assigned a unique identifier, and that identifier is maintained across subsequent runs. If the source file has been modfied significantly between base and current inspections, Inspector may not be able to determine that a current message matches a base message. In this case it will designate the current message as new. Similarly, if Inspector cannot read the historical database for any reason, it will determine that all current messages are new.

SofCheck Inspector generates the following kinds of annotations on each Java method. See Use Annotations for Code Review below for a discussion of how annotations can be used to aid in source code review.

• Preconditions specify requirements that the method imposes on its inputs. for example, a method might require a certain parameter to be non-null for proper operation of the method. These preconditions are checked at every call site. A message is given for any precondition that a caller might violate.
  • The notation “init'ed(X)” means that X is expected to be initialized prior to calling the method, but no further requirement is imposed on its value.
  • The notation “(soft)” means that the precondition is associated with code that might not be executed on certain calls to the method, so violating the precondition might be safe under those circumstances. However, violating the precondition on every call would not be wise, as there are values for other inputs that could cause a violation of the precondition to lead to a run-time failure.
  • The notation “base...fld” refers to the “fld” field of any object accessible by following one or more levels of indirection starting at “base,” not including “base.fld” itself. this notation is used to handle iterative or recursive algorithms that walk recursive data structures. for example, in an algorithm that walks a linked list, a possible precondition might be “init'ed(X...next)” meaning that the “next” field of any object reachable from X must be initialized (not including X.next itself—there will be a separate “init'ed(X.next)” precondition if appropriate).
  
  
• Presumptions display what SofCheck Inspector presumes about the results of an external method whose byte codes are unavailable for inspection, or are in a separate partition. There are separate presumptions for each call site, with a string in the form “@<line-number-of-the-call>” appended to the name of the method. Presumptions are not generally used to determine preconditions of the calling routine, but they might influence postconditions of the calling routine. See below for further discussion of presumptions.
  
  
• Postconditions characterize the behavior of the method in terms of its outputs and the presumptions made.
  • The notation “old X” in a postcondition refers to the value X had on entry to the method.
  • The notation “possibly_updated(X)” is used to convey that X is a possible output, but there is no specific set of values that it is known to have after the method completes.
  • The notation “new MyClass(Method#N)” refers to the MyClass object created by the Nth constructor within Method. The notation “new MyClass(Method#N) <num objects>” refers to the number of times this constructor might be invoked at run-time for each call of the method. if an asterisk (“*”) follows the index (e.g. “new MyClass(Method#3*)”) then the constructor arises from a nested call on “Method,” which may represent a recursive call, or simply a nested call on a same-named method.
  
  
• Unanalyzed calls display the external calls to methods that the SofCheck Inspector has not analyzed, and so participate in the determination of presumptions. Note that these annotations include all directly unanalyzed calls as well as the unanalyzed calls in the call graph subtree that have an influence on the current methods.
  

• The following annotations are not present in the .html output but are presented in the more detailed .txt files. However, every Input in a .txt file appears at least once in some precondition in a .html file, and every Output and new Object in a .txt file appears at least once in some postcondition in a .html file.
  • Inputs comprise a list of all variables (parameters, fields of objects, static class fields) referenced by each method.
  • Outputs comprise a list of all variables (fields of objects, static class fields, method results) modified by each method.
  • New Objects comprise a list of heap-allocated objects, created by a method, that are not garbage-collected during the execution of the method itself; these are new objects that are accessible after return from the method.

SofCheck Inspector ideally should be used early in the development cycle, as soon as there is code that compiles. Thereafter it may be run every day, or as often as there is a build of some part of the system. In general, SofCheck Inspector is best suited to be used during periodic (daily) system builds, with its output made available to all relevant parties. It requires compiled JVM byte codes, but can operate on less than an entire system. Since static analysis does not require running code, SofCheck Inspector may perform its analysis at the point of unit, integration, or system build—even before any run time testing has been performed. By using SofCheck Inspector to find defects before they enter run time testing, it will minimize the number of crashes encountered during testing, allowing functional tests to run to completion and thereby provide usable output for test engineers.

Various types of users may take advantage of SofCheck Inspector. Here are some examples:

Software Developer

Use the File Summary and File Source views to focus on potential problem areas. Review the preconditions and postconditions of your code to ensure conformance with specifications. Review preconditions and postconditions of others' code to ensure you are integrating with it without making unwarranted assumptions.

Quality Assurance Engineer

Use preconditions and postconditions to assist with boundary test design. Identify potentially blocking bugs before the effort of setting up complex tests.

Integrator

Use the Overview and Total Checks Analyzed/Total Checks Passed statistics to rapidly evaluate the quality of third party or outsourced code. Review Hot Spots to identify areas of concern for your integration—even in the absence of third party source.

Manager

Use the Inspection Overview, Hot Spots lists, Total Checks Analyzed/Total Checks Passed statistics, and Message History to monitor codebase health and quality assurance progress.

The following scenarios illustrate how SofCheck Inspector can be used to:

• Find Defects in Code
• Use Annotations for Code Reviews
• Identify Possible Race Conditions

SofCheck Inspector helps the review of inspection messages by categorizing them into High, Medium, and Low probability, reflecting the descending likelihood that a given message corresponds to a defect that will cause a problem during actual use. In addition, High probability messages are less likely to be false positives, while it is more likely that a Low probability message might correspond to a false positive. When starting to inspect a codebase, we recommend focusing on High probability messages, while initially ignoring Medium and Low probability messages. When High probability messages have been understood or remedied, consider the Medium probability messages. Only those developing mission critical systems might eventually want to systematically review all the Low probability messages. As discussed below, by taking advantage of the Inspector's historical database capability, you can easily identify just new messages that correspond to recently modified code. In addition, since the Message_Patterns file that determines how inspection messages are categorized can be tuned, most users can focus their attention on High and Medium probability messages.

By specifying a Database_Dir in the Library File, you can request that SofCheck Inspector keep an historical database of inspection messages, to allow it to differentiate messages that appear as added (not present in an historical base inspection, but present in the current inspection), dropped (present in a base inspection, but not in the current inspection), and unchanged (present in both a base inspection and the current inspection). The base inspection is either the most recent inspection (prior to the current inspection) run with the -baseline parameter or a prior inspection identified by the -cutoff parameter in the current run.

For a library with an historical database, it is reasonable to investigate just the new Medium and Low probability messages rather than reviewing all such messages. There are generally far fewer new messages, and new messages should be related to recent code changes. Therefore, even Low probability messages might be worth reviewing when marked new.

For inspection messages that are not deemed to be critical errors, revising code to alleviate the identified issue might still be useful, to make the code easier to understand for human readers, and to help make the code less vulnerable to future problems as it undergoes maintenance.

Whether it is a formal team process or an ad-hoc, one-person activity, manually reviewing source code is a good way to identify problems early in the development cycle. Unfortunately, it can also be quite time consuming, especially when the reviewer is not the author of the code. SofCheck Inspector reduces the effort required for understanding source code by characterizing the input requirements and the net effect of each component of the code base.

Specifically, SofCheck Inspector determines preconditions and postconditions for every Java method it analyzes. It also makes presumptions about external methods it calls whose byte codes are not available for inspection, or which are so complex that they threaten to exhaust the available machine resources. SofCheck Inspector displays preconditions, presumptions, and postconditions in its web-based source listings as a Java comment block immediately preceding the first executable line of the method. if a large number of conditions are found, the display list will be truncated and an ellipsis ("...") substituted for the undisplayed messages. You may display all of the preconditions, presumptions, and postconditions in the bottom pane of the File Source view by clicking on the P/P link at the top of the comment block or on the ellipsis (...) at the bottom of a truncated comment block.

The preconditions displayed by the Inspector are implicit requirements that are imposed on the inputs to a method, as determined by analyzing the algorithms used within the method. Violating preconditions might cause the method to fail or to give meaningless results. During code review, the reviewer can verify that the preconditions determined by the Inspector for the code as written are appropriate, and meet the underlying requirements for the method.

Early in a development cycle, system documentation might be missing or incomplete. Since SofCheck Inspector generates preconditions for each class without requiring that the entire enclosing system be available, it can be used before system integration to understand methods as they are developed. In a mature, maintained codebase the system documentation might no longer agree with current code's behavior. In either case, SofCheck Inspector's generated preconditions can be used to verify both the written and unwritten assumptions made by the codewriters.

Presumptions represent assumptions made by the Inspector about the results of a call on a method whose code is unavailable for analysis. A separate presumption is made for each call site to the unanalyzed method, with a string in the form “@<line-number-of-the-call>” appended to the name of the method. Presumptions do not generally affect the preconditions of the calling routine, but they might influence postconditions of the calling routine.

Postconditions are characteristics of the output which a method could produce, presuming its preconditions are satisfied and the presumptions made about unanalyzed calls are appropriate. Postconditions can help a reviewer understand the purpose and effect of code, even in the absence of other documentation. Likewise, postconditions can be helpful to software developers making use of a method. Comparing postconditions to either preconditions or the context of calling routines can provide valuable insight into the workings of the code which might not be obvious from solely a manual review.

SofCheck Inspector detects common forms of race conditions. A race condition may exist if there are two or more concurrent threads that attempt to access the same object, and at least one of them is doing an update. for example, if a Reader thread makes a copy of a List Object at the same time a Writer task is modifying the List Object, the copy of the List Object may be corrupt. Languages such as Java use synchronization or locking as a means to guard against race conditions. SofCheck Inspector identifies race conditions where synchronization is not used or is used incorrectly. (Note that the current release of Inspector does not identify potential deadlocks, also known as deadly embraces, where two threads are stuck waiting on locks held by the other.)

A lock is held during any synchronized method or during any synchronized block of code. Any variable that can be accessed by more than one referencing thread simultaneously must be locked at every reference to guard against race conditions. Furthermore, the referencing lock should match the lock used by other threads to prevent updates during access. If locking is absent, or if one reference uses a different lock than some other reference, SofCheck Inspector identifies a possible race condition. Note that an identified race condition is not guaranteed to create problems on every execution, but it might cause a problem, depending on specific run time circumstances.

Note that if a lock is associated with an object that is newly created each time a method is called, it does not actually provide any synchronization between distinct calls on that method. A lock is only effective if it is associated with an object that is visible to multiple threads. The Inspector essentially ignores locks on objects that are not visible to multiple threads, as they have no synchronizing effect. this means that the Inspector may indicate that there are no locks held at the point of a reference to a potentially shared object, even though there are in fact some local locks held. A future release will identify any potential problems associated with local locks more explicitly.

SofCheck Inspector must understand the threading structure of the program being analyzed to detect race conditions. There are two types of entry points that are important to race condition analysis: Reentrant entry points and Daemon entry points. A Reentrant entry point represents code that can be invoked by multiple threads concurrently. A Daemon entry point (also called a singleton) is presumed to be invoked only by a single thread at a time.

Identify reentrant entry points with the -reentrant "class:method" option on the SofCheck Inspector command line. Use the -daemon "class:method" to identify daemon entry points. See Command Line Invocation above for the syntax for these options. if no -daemon or -reentrant options are specified, SofCheck Inspector uses a default set of entry points for the analysis, based on typical Java and J2EE conventions for multi-threaded applications, servlets, struts Action classes, and JSP pages. SofCheck Inspector recognizes as Reentrant entry points any methods matching

• "*:doGet(*"
• "*:doPost(*", and
• "*:execute(ActionMapping*", and
• "*:_jspService(*"

• "*:run()"

Normally you should specify your own entry points explicitly, unless you have verified that these default entry point patterns will correctly identify all relevant thread entry points.

For partitions that include one or more thread entry points, an indication of zero detected race conditions ensures that there is no path within that partition from one of these entry points to any of the three kinds of unsynchronized access to shared data objects identified by SofCheck Inspector.

SofCheck Inspector performs race condition analysis by default. this helps to ensure that potential race conditions are identified early. Locating race conditions with run-time testing can be difficult given that they normally show symptoms only intermittently, or under heavy load. Note that you may use the -no-race-conditions command line parameter to suppress race condition analysis.

The Race Condition report gives complete details about the shared objects in your program that might be subject to unsafe access. The Race Condition report is divided into three panes. The upper right pane, which runs horizontally, summarizes which methods Inspector has determined are daemon-thread entry points or reentrant entry points. The narrow pane which runs along the left shows the shared objects that might be involved in a race condition. The third pane, which is the large pane taking up the lower right of the report, has a table that summarizes the kinds of race conditions associated with each object, and then provides further information below, reached by clicking on the name of a particular object. For each shared object there is a summary report and a detailed report. The summary report identifies which entry point is associated with each possible race condition. The detailed report goes further by identifying every reference to the object organized by thread entry point, locks held (L1, L2, etc.), and whether it is a read (R) or a write (W) access. A key at the bottom indicates the actual Java object associated with each lock.

As mentioned above, the Inspector only concerns itself with locks that are visible to multiple threads, so an indication of None in the locks held column means no thread-visible locks are held. There may be locks associated with locally created objects, but these provide no effective synchronization between distinct threads.

See Race Condition Messages for details on the messages produced by race condition analysis.

SofCheck Inspector performs static error detection by holding in main memory a representation of the entire subsystem being analyzed. It is possible that the subsystem being analyzed is so large that its representation cannot be contained in the memory of the host machine on which SofCheck Inspector is running. SofCheck Inspector automatically divides the system under inspection into partitions that are more likely to be analyzable within the memory constraints of the host machine. A user can override this automatic partitioning process by specifying the -global command line option. This will force SofCheck Inspector to perform a global analysis of all of the code identified in the library.

Note that it is more likely that a global analysis might run out of memory during the processing of some source file. In that case, the source file is skipped and analysis proceeds as though that file was not present in the library.

SofCheck Inspector makes presumptions about the return values and other side effects of unanalyzed method calls. The presumptions of each unanalyzed method call are displayed in the method information block of the calling method. The source line number of the unanalyzed method call is shown after an @ sign, and information about its presumed return value or other side effect is displayed.

The actual unanalyzed call might be directly on the line specified in the presumption (by the @nnn) or it might be a call that occurs inside the method called on the given line. You can tell if it's an indirect call or a direct call by the name given in the presumption. If it doesn't correspond to the name of the method directly called on the given line, then it must be something called indirectly.

Sometimes the presumptions made by SofCheck Inspector are overly "optimistic", such as a given call will never return a null, when in fact it can return a null. For example, suppose that under some circumstances, an unanalyzed method call can return a null, but that the calling method never checks for this possibility, and instead dereferences the return value without checking. This could cause an exception when the program is run, and implies that the program being analyzed contains a latent defect. If the Inspector makes the presumption that the called method does not return null, then it would not identify this latent defect. for this reason, the programmer should check the presumptions about unanalyzed method calls and verify that they are appropriate.

Alternatively, the presumptions made by SofCheck Inspector might be "insufficient". For example the Inspector might presume that some unanalyzed method call could return null, when in fact it never does. Later, in some use of the returned value, far away from the unanalyzed call, the Inspector might complain that a possibly-null value is being dereferenced. The original presumption was insufficient in this case, because it didn't match the actual behavior of the unanalyzed call, and thereby led to the complaint. The programmer can eliminate such a complaint by adding code immediately after the point of the call to assert that the returned value is not null. This will cause the Inspector to tighten up its presumption about the unanalyzed call to satisfy the assertion, and the complaints at other points in the code will go away.

Command Line Invocation

top

Inspections may be run from the SofCheck Inspector Console, as described earlier , or from the command line. SofCheck Inspector is invoked on the command line as follows:

    inspector[.exe] -lib <library-file>
      [-all | <name> ...]
      [-allow-duplicates]
      [-background | -log]
      [-baseline]
      [-cutoff <inspection_id>]
      [-global]
      [-messages [ min | normal | max] ]
      [ {-daemon "<class>:<method>"} ...
         {-reentrant "<class>:<method>"} ... ]
      [-output-only]
      [-no-race-conditions]
      [-no-error-history]
      [ [-at-file <directory>] ... @<filename> ... ]
      [-repartition]
      [-status-codes]

    inspector[.exe] [ -help | -v | -version ]

-lib <library-file>

Specify the library file name. The library file is a text file that can be generated by the SofCheck Inspector Console or edited manually with a text editor. If a directory name is given, use the default file name (i.e., inspector.library) in that directory.