Wednesday, August 26, 2009 10:54 AM
Go on. Go get all staticy - A discussion about static analysis tools
A recent series of tweets with @cemerick (follow me here) got me to think about
something that I’ve just taken for granted as something that is
just done before every check-in (by at least two developers I know) –
that being static analysis. It has seemed to me that most folks'
(including mine) first impression of the massive amounts of output
that a static analysis tool generates is, “Oh, dear Lord. What's
all this crap about code style?”, and “Where're the useful
results?”. After using it for a bit I came to appreciate it as a
set of pragmatic heuristics providing a middle ground between formal
system specification, and just getting it to compile.
What's it good for?
Good for teaching new folk.
Have a new developer that's never used the language before?
Making them adjust to all of the warnings and errors that a static
analysis tool generates will get them following what is probably
generally accepted as “the way”. I'll give you a list of steps
that you should go through before even thinking something is “ready”
for whatever you might have in mind (you know check-in, review,
etc...) that goes farther then just getting it to compile.
Lays a foundation for more advanced prediction
There's a lot of current research on building defect prediction
systems, and addressing the problem of people just ignoring the
copious output generated, and putting it to good use. For examples
see (sorry you will need an ACM account),
(you'll need a IEEE account for this one)
It's wouldn't be too hard to build a tool that does this since most
of the analysis that is done has available open source
implementations ready to be exploited. numpy,
are two I've been playing around with that have MCMC, PCA, and belief network modules ready to go.
You can modify it to your needs.
If you're still not happy with what the analysis is telling you
you can always tweak it. Add your own rules, or stop the tool from
reporting certain types of issues you don't care about or are
convinced everyone follows anyways (yeah, sure they do). It is usually just as simple as checking or unchecking a checkbox.
A list of static analysis
tools I've played with:
findbugs -- http://findbugs.sourceforge.net/
agitarone -- http://www.agitar.com/
(Does have a evaluation period though)
Lint – Dudes, its everywhere.
Prefast – http://msdn.microsoft.com/en-us/library/ms933794.aspx
pyLint – http://pydev.sourceforge.net/pylint.html
jsLint – http://www.jslint.com/lint.html