@annajayne anna@riverblade.co.uk Riverblade Ltd - - PowerPoint PPT Presentation

annajayne
SMART_READER_LITE
LIVE PREVIEW

@annajayne anna@riverblade.co.uk Riverblade Ltd - - PowerPoint PPT Presentation

May 24, 2023 258 likes •470 views

Anna-Jayne Metcalfe @annajayne anna@riverblade.co.uk Riverblade Ltd www.riverblade.co.uk If you want to ask something... Dont wait until the end just ask Photo by Anna-Jayne Metcalfe @annajayne So Whats the Problem? Our code is

slide-1
SLIDE 1

Anna-Jayne Metcalfe @annajayne anna@riverblade.co.uk

Riverblade Ltd www.riverblade.co.uk

slide-2
SLIDE 2

If you want to ask something...

Don’t wait until the end – just ask

@annajayne Photo by Anna-Jayne Metcalfe

slide-3
SLIDE 3

So What’s the Problem?

 Our code is a bit crap  We’d like to analyse it for defects, but...

 It’s not obvious where to start  There’s too little time to go through it all  Change is risk!

 People can be resistant to change (ref. “the 80%”)

 Excuses, excuses (too expensive/not enough time/

“noise”...etc....)

 Potential results:

 “Let’s not change to the way we do things now”  Ever degrading quality

Photo by Anna-Jayne Metcalfe https://www.flickr.com/photos/jalapenokitten/13202393564 @annajayne

slide-4
SLIDE 4

How Organisations Analyse Code

 Most of them don’t!  But when they do...

 Reactive rather than proactive  Unrealistic expectations (magic bullet syndrome)  No planning or long term strategy  Inadequate training  Lip service  No thought to warning policies

 Lack of realism  Complaints about “Noise”  Blaming the tool for not finding their bugs

  • High bounce rate (“throw it in a drawer and forget it")

Photo by Anna-Jayne Metcalfe https://www.flickr.com/photos/jalapenokitten/8482770406 @annajayne

slide-5
SLIDE 5

The “Noise” Problem

 Code analysis tools look for many types of problems with varying

severity

 Severity is organisationally context dependent

 What do we care about right now?  What are we likely to care about next?

 The true noise level is usually far lower than it is perceived to be

 One teams "noise" is another ‘s "essential quality information"  e.g. Ignoring a return values / immutability / naming conventions

Opinion:

If you’re not worried about a particular type of issue that's fine - but it’s your responsibility to tell the analysis tool. If you don't, blaming the tool for being "noisy" by warning you is unfair.

Photo by Anna-Jayne Metcalfe https://www.flickr.com/photos/jalapenokitten/8481867196 @annajayne

slide-6
SLIDE 6

 Some issues represent obvious hard bugs (e.g. crashes)

 These are the ones we tend to think of as “real” analysis issues

 But “softer” issues can indicate bugs too - just not always as

  • bviously

 e.g. Making a var unnecessarily mutable is not obviously a bug (but

it is undesirable)

 If however doing so causes a data race, is it still not a bug?

 So "lower severity" issues are still worth acting on - and can

require behavioural change by the dev team as much as "hard bugs" do...

 Classic example: #gotofail

(https://www.imperialviolet.org/2014/02/22/applebug.html)

“But Is It A Bug?”

Photo by Ron Cogswell https://www.flickr.com/photos/22711505@N05/14426117094 @annajayne

slide-7
SLIDE 7

Three Scenarios

Photo by Ewan Munro https://www.flickr.com/photos/55935853@N00/2778557435 @annajayne

slide-8
SLIDE 8

Scenario 1: Green Field Projects

 Our dream scenario!

Photo by Anna-Jayne Metcalfe https://www.flickr.com/photos/jalapenokitten/3956022559 @annajayne

slide-9
SLIDE 9

Scenario 1: Green Field Projects

 We’d all like to work there, right?

 Define the warning policy you need and apply it from

the outset

 Do everything right (TDD, CI, Continuous Deployment

etc.)

 Refine and repeat  Succeed!

 Life is good. And we have cookies.

Photo by Anna-Jayne Metcalfe https://www.flickr.com/photos/jalapenokitten/3956022559 @annajayne

slide-10
SLIDE 10

Scenario 2: Existing Codebases

"We've got a Big Ball of Mud and We're Not Afraid to Use It“

Photo by Ali West https://www.flickr.com/photos/alismith44/357361903 @annajayne

slide-11
SLIDE 11

Scenario 2: Existing Codebases

 Far more likely than a green field project!  The first time you run an analysis tool on an existing

codebase you will almost certainly detect lots of issues.

 You need to develop an effective strategy for dealing

with them

 This needs to be integrated into your planning  But before we do that, we need to think about how to get

started with that big pile of results...

Photo by Ali West https://www.flickr.com/photos/alismith44/357361903 @annajayne

slide-12
SLIDE 12

Scenario 3: Emergency!

 Something has gone wrong and people all around are

panicking...

@annajayne Photo by star5112 https://www.flickr.com/photos/johnjoh/44866567

slide-13
SLIDE 13

Scenario 3: Emergency!

 Static analysis might have stopped the bug happening

in the first place, but by now it is probably too late

 If you are dealing with a hard to track down

memory/resource leak, crash etc. dynamic analysis is probably your best bet for fixing the immediate problem

But don’t forget...

When the dust settles, static analysis could help prevent something like it happening again - if you invest the time to do it right. Do a post-mortem, and act on it!

@annajayne Photo by star5112 https://www.flickr.com/photos/johnjoh/44866567

slide-14
SLIDE 14

Defining Your Warning Policy

@annajayne Photo by Alpha https://www.flickr.com/photos/avlxyz/2166936281

slide-15
SLIDE 15

Defining Your Warning Policy

 There are basically two approaches:

1.

Turn on everything you think you might need

(generally the most applicable approach) 2.

Turn on only the things you are looking for

(works well when you know roughly what you are looking for and need to focus specifically on those issues)

 Run an initial analysis and review the results

Photo by Alpha https://www.flickr.com/photos/avlxyz/2166936281 @annajayne

slide-16
SLIDE 16

Rinse, Review, Repeat

 Export a summary of the initial analysis results

 Review, highlight and prioritise what you care about  Turn everything else off

 Reanalyse to establish a baseline  Fix what you can in each sprint

 Fix the simplest ones first  Learn the impact of fixing each type of issue  TEST CONTINUOUSLY

Photo by Pasukaru76 https://www.flickr.com/photos/pasukaru76/4438219543 @annajayne

slide-17
SLIDE 17

Evolution is Revolutionary

 We want the quality of the code to improve over time

 Review progress regularly (at least each sprint)  If you are measuring velocity, assign story points to

refactorings you expect to have to do, based on the issues identified

 Once all (or most) issues of a given severity/priority have

been addressed, turn up the policy

 The aim is for the issue count to never increase unless you

have just make the policy more aggressive

 Arrest decay and gradually improve quality while managing

risk

Photo by Becca Peterson https://www.flickr.com/photos/beccapeterson/5667804930 @annajayne

slide-18
SLIDE 18

Who is Responsible for Quality?

 The short answer is ALL OF US

 Give someone in your team overall responsibility for the policy  All team members must have responsibility for analysing the code

and acting on results

  • Training and mentoring (remember the "80%") are very important

 BUT: We’re human. We often take shortcuts or make excuses  #gotofail is a perfect example or something which just should

not have happened. We don’t know the details of how it happened, but we know there are tools and practices which could have prevented it.

Photo by Anna-Jayne Metcalfe @annajayne

slide-19
SLIDE 19

Restating the Obvious

 This stuff isn’t easy:

 None of us are perfect  We all make mistakes (and excuses!) sometimes  Organisations are as much at fault as we are  We never have enough time  We never have quite the right tools  "It's too much risk!"

 But...

 Change will only happen if we take responsibility for it  Working smarter makes our lives easier

Photo by Anna-Jayne Metcalfe https://www.flickr.com/photos/jalapenokitten/3956810870 @annajayne

slide-20
SLIDE 20

Any (more) questions?

@annajayne

A few links:

 http://www.linkedin.com/groups/Static-Code-Analysis-1973349  http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis

http://clang-analyzer.llvm.org/ (open source C/C++/Objective C analysis tool)

 http://www.gimpel.com (commercial C/C++ analysis tool)  http://sourceforge.net/apps/mediawiki/cppcheck (open source C++ analysis tool)  http://msdn.microsoft.com/en-us/library/bb429476(v=vs.80).aspx (free C# analysis

tool)

 http:// www.findbugs.org (open source Java analysis tool)  http://www.jslint.com/ (open source Javascript analysis tool)  http://pylint.org (open source Python analysis tool)  https://github.com/roodi/roodi (open source Ruby analysis tool)  http:// www.softwareverify.com (commercial dynamic analysis tools)

Photo by Anna-Jayne Metcalfe http://riverblade.co.uk/blog.php