A recent series of tweets with @cemerick (follow me here)   got me to think about something that I’ve just taken for granted as something that is just done before every check-in (by at least two developers I know) – that being static analysis. It has seemed to me that most folks' (including mine) first impression of the massive amounts of output that a static analysis tool generates is, “Oh, dear Lord. What's all this crap about code style?”, and “Where're the useful results?”. After using it for a bit I came to appreciate it as a set of pragmatic heuristics providing a middle ground between formal system specification, and just getting it to compile.



What's it good for?

Good for teaching new folk.

Have a new developer that's never used the language before? Making them adjust to all of the warnings and errors that a static analysis tool generates will get them following what is probably generally accepted as “the way”. I'll give you a list of steps that you should go through before even thinking something is “ready” for whatever you might have in mind (you know check-in, review, etc...) that goes farther then just getting it to compile.

Lays a foundation for more advanced prediction systems.

There's a lot of current research on building defect prediction systems, and addressing the problem of people just ignoring the copious output generated, and putting it to good use. For examples see (sorry you will need an ACM account), http://portal.acm.org/citation.cfm?id=1062558, http://portal.acm.org/citation.cfm?id=1273487, (you'll need a IEEE account for this one) http://www2.computer.org/portal/web/csdl/doi/10.1109/TSE.2008.35. It's wouldn't be too hard to build a tool that does this since most of the analysis that is done has available open source implementations ready to be exploited. numpy, and openbayes are two I've been playing around with that have MCMC, PCA, and belief network modules ready to go.

You can modify it to your needs.

If you're still not happy with what the analysis is telling you you can always tweak it. Add your own rules, or stop the tool from reporting certain types of issues you don't care about or are convinced everyone follows anyways (yeah, sure they do).  It is usually just as simple as checking or unchecking a checkbox.



A list of static analysis tools I've played with:

Java:

findbugs -- http://findbugs.sourceforge.net/

agitarone -- http://www.agitar.com/ (Does have a evaluation period though)

C/C++:

Lint – Dudes, its everywhere.

Prefast – http://msdn.microsoft.com/en-us/library/ms933794.aspx

.Net:

fxCop – http://msdn.microsoft.com/en-us/library/bb429476%28VS.80%29.aspx

Python:

pyLint – http://pydev.sourceforge.net/pylint.html

BLOCKED SCRIPT

jsLint – http://www.jslint.com/lint.html


Share this post: email it! | bookmark it! | digg it! | reddit! | kick it! | live it!