finding toxic code
play

FINDING TOXIC CODE Experiences and techniques for finding dangerous - PowerPoint PPT Presentation

Mar 05, 2024 •289 likes •630 views

FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language codebases Kornelis (Korny) Sietsma - @kornys on Twitter WHO AM I? 2 WHAT DO I DO NOW? Consulting, Delivery, Agile, Technical excellence And the

  1. FINDING TOXIC CODE Experiences and techniques for finding dangerous code in large multi-language codebases Kornelis (Korny) Sietsma - @kornys on Twitter

  2. WHO AM I? 2

  3. WHAT DO I DO NOW? Consulting, Delivery, Agile, Technical excellence And the occasional “Help us work out what is going wrong” project. 3

  4. A FISHY STORY This story is true. Only the facts have been changed to protect the innocent. 4

  5. FISHCORP HAD A PROBLEM Old “FishNet” system – ugly and hard to change. New dev manager – Mr Squid; New system: “SquidNet” – very pretty, but very very buggy, late to ship, and getting later. “Can you help us work out what is going wrong?” 5

  6. YOU HAVE TWO WEEKS Workshops • Whiteboard sessions • Process mapping • 1 million lines of code! • How do we quickly review 1 million lines of code? • C++, C#, JS, SQL stored procedures… • 6

  7. ”TOXIC” CODE - ERIK DÖRNENBURG BLOG 2008 https://erik.doernenburg.com/2008/11/how-toxic-is-your-code/ 7

  8. CODECITY Looks ideal: But… 8

  9. GRAVEYARD OF TOOLS CodeCrawler: Panopticode: Moose Technology: 9

  10. WHAT ABOUT SONARQUBE? 10

  11. HOW ABOUT REALLY LIGHTWEIGHT TOOLS? Something quick, simple, cross-language, works with just source code. What about CLOC ? 11

  12. 12

  13. 13

  14. ARCHITECTURE SquidNet FishNet UI - HTML, CSS, JS, ASPX, C# UI - AngularJS, CSS, HTML, custom JS Mobile Component Component Component Component “Business Logic” C# Web API Component Component Component Component Fishing DB Stored Procedures Squid DB Stored Procedures Data Data ETL SQL Data Warehouse Batch Batch Tasks + Optimisation Reporting 14

  15. HOW BIG IS TOO BIG? “Simply stated, an object should be no bigger than the size of my head when pressed up against the monitor – basically a screenful of code.” - James Lewis (@boicy) http://bovon.org/archives/350 15

  16. Si Simple cross-lan languag age e code ode smell ell 1: To Too m many l lines o of c code 16

  17. (LINES OF CODE - BETTER VIEWED IN THE APP!) 17

  18. CODE-MAAT – SCM-BASED INFORMATION Ownership and Authors • Code age • (Logical coupling) • (Code churn) • … and more • https://github.com/adamtornhill/code-maat 18

  19. Si Simple cross-lan languag age e code ode smell ell 2: To Too f few a authors 19

  20. AUTHORS – BETTER VIEWED IN THE APP 20

  21. Si Simple cross-lan languag age e code ode smell ell 3: To Too l little c change 21

  22. OPINIONS MAY DIFFER! • Living code tends to change – people use it, they find refactorings, they make changes. • Static unchanging code might be perfect – or it might contain lurking undiscovered bugs. Either way, over time, collective knowledge drops to zero. • If it is static because it is perfect, it should be extracted out into a standalone library, with a lot of automated tests. 22

  23. AGE – BETTER SHOWN IN THE APP 23

  24. HOW ABOUT IDENTIFYING COMPLEXITY? 24

  25. Si Simple cross-lan languag age e code ode smell ell 4: Using code indentation as a proxy xy for complexi xity 25

  26. 26

  27. HOW DO OTHER PROJECTS LOOK? Verify– microservices in Java, Ruby, Python Linux – large C codebase Kubernetes – mostly Go MongoDB – C++, C, Go, JavaScript VSCode – TypeScript, JavaScript 27

  28. OTHER AREAS TO EXPLORE Test quality – “temporal coupling” can detect it, but hard to use reliably. Also bad tests can look better than good tests. Duplication! Can be spotted by hand, but tooling would be nice. Deployment data – e.g. release timings, time between development and production. 28

  29. RELEASE TIME - DETAILS 29

  30. RELEASE TIME – LONG TERM TRENDS 30

  31. WHAT DID WE TELL FISHCORP? Your old code is complex, badly tested, mostly • only understood by 1 or 2 people Your new code is even worse - complex, full of • duplication, badly tested, and still tightly coupled to your old code. You need to move away from giant databases • and ETL jobs You need to build something new. • 31

  32. THANK YOU! QUESTIONS? Simple code smell summary: Classes/Files too large • Too few authors • Too little change • Too much complexity (via indentation) • Co Code will (eventu tually) be at t gi github.com/ko kornysietsma Tw Twitter: @ko kornys Em Email: ko korny@thoughtworks.com

  33. IMAGE CREDITS Fanfold Paper – Arnold Reinhold (via WikiMedia) HP-85 computer – Wolfgang Stief (via WikiMedia) James Lewis’ Head - @boicy on Twitter Your Code as a Crime Scene cover – Pragmatic Programmers 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation

Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation

RP1 Presenter: Ivar Slotboom Supervisor: Wouter van Dongen , DongIT UvA/SNE Static Code Analysis on Networking Code: Identifying the capabilities of finding implementation flaws using Abstract Syntax Trees RP1 4th of July, 2019 Presenter:

439 views • 20 slides
The Unhealthy Secrets of Coal Michele Prevost, MD Why is Coal Toxic? Toxic metals

The Unhealthy Secrets of Coal Michele Prevost, MD Why is Coal Toxic? Toxic metals

The Unhealthy Secrets of Coal Michele Prevost, MD Why is Coal Toxic? Toxic metals Radioactive elements (decays to Radon) Even low-sulfur coal produces bio-toxic sulfur and acidifies water Benzene derivatives

196 views • 18 slides
1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

Finding Bugs Problem Last time What is a bug? a path in the code that causes a run-time exception Alias/Pointer analysis a path through the code that causes incorrect results Today Issues Program Analysis for finding bugs,

214 views • 4 slides
1 Course Overview Session Three Prevention of Toxic Stress Preventing toxic stress in

1 Course Overview Session Three Prevention of Toxic Stress Preventing toxic stress in

Stress: The Good, Bad, and the Ugly Part One Catherine Nelson, Ph.D. University of Utah Cathy.nelson@utah.edu Course Overview: Stress Session One Definitions Physiology Toxic Stress Risk factors for experiencing toxic stress

384 views • 15 slides
Are the words toxic stress toxic? Speakers Join the National Conversation PRESENTER on

Are the words toxic stress toxic? Speakers Join the National Conversation PRESENTER on

DIGITAL DIALOGUE TRAUMA & RESILIENCE Are the words toxic stress toxic? Speakers Join the National Conversation PRESENTER on Child Abuse Cailin OConnor and Neglect Senior Associate Center for the Study of Social Policy

508 views • 15 slides
Dreaming in Drupal How to think like a developer to build without code Planning Finding a

Dreaming in Drupal How to think like a developer to build without code Planning Finding a

Dreaming in Drupal How to think like a developer to build without code Planning Finding a Module Filter & Sort Deciding Between Modules Installation Profiles Government, library, university - http://openpublicapp.com Intranet -

295 views • 7 slides
Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your

Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your

Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your way in a graph = station One loop = junction A system of interconnected loops L L What is the best way to go from L to ? L L L 1 ? L

2.13k views • 166 slides
Do humans need to detox? Why is there a need to Detox? All of us live in an ever- increasing

Do humans need to detox? Why is there a need to Detox? All of us live in an ever- increasing

Do humans need to detox? Why is there a need to Detox? All of us live in an ever- increasing toxic environment Are You Toxic? The question is no longer IF we are toxic the real question is HOW toxic are we? Toxins and our Health

759 views • 39 slides
Decompilation, type inference and finding the code to decompile Alan Mycroft Computer

Decompilation, type inference and finding the code to decompile Alan Mycroft Computer

UNIVERSITY OF CAMBRIDGE Decompilation, type inference and finding the code to decompile Alan Mycroft Computer Laboratory, University of Cambridge http://www.cl.cam.ac.uk/users/am/ 30 January 2012 Decompilation, type inference and finding

614 views • 34 slides
Toxic stress in the lived Toxic stress in the lived experience of people of color experience of

Toxic stress in the lived Toxic stress in the lived experience of people of color experience of

Toxic stress in the lived Toxic stress in the lived experience of people of color experience of people of color Josefina Aylln-Nez, MA, MSEd Language Master at The Lawrenceville S chool Susan Park, PhD Instructor in Biology at The

201 views • 16 slides
Is this normal? Finding anomalies in real-time data. Who am I? Im Theo (@postwait on Twitter)

Is this normal? Finding anomalies in real-time data. Who am I? Im Theo (@postwait on Twitter)

Is this normal? Finding anomalies in real-time data. Who am I? Im Theo (@postwait on Twitter) I write a lot of code 50+ open source projects several commercial code bases I wrote Scalable Internet Architectures I sit on the ACM

327 views • 18 slides
CDC cellular automaton track finding. Various topics Oliver Frost Deutsches

CDC cellular automaton track finding. Various topics Oliver Frost Deutsches

CDC cellular automaton track finding. Various topics Oliver Frost Deutsches Elektronensynchrotron 2015-01-20 Overview > Changes to source code structure > Testing > Python support > Validation > Cosmics finding > Helix >

622 views • 26 slides
Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and

Fast and Secure Root Finding for Code-based Cryptosystems Falko Strenzke Cryptography and Computeralgebra, Department of Computer Science, Technische Universit at Darmstadt, Germany, fstrenzke@crypto-source.de April 13, 2015 Fast and

494 views • 38 slides
COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling

COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling

COZ : Finding Code that Counts with Causal Profiling Anuja Golechha Agenda Profiling Issues with current profilers Causal profiling COZ Overview and Implementation COZ Evaluation Comparison with Pivot Tracing

660 views • 23 slides
Finding Latent Code Errors via Machine Learning over Program Executions Yuriy Brun Michael D.

Finding Latent Code Errors via Machine Learning over Program Executions Yuriy Brun Michael D.

Finding Latent Code Errors via Machine Learning over Program Executions Yuriy Brun Michael D. Ernst University of Southern Massachusetts Institute California of Technology Bubble Sort // Return a sorted copy of the argument double[]

390 views • 38 slides
Reed-Solomon code. Berlekamp-Welsh Algorithm Finding Q ( x ) and E ( x ) ? Problem: Communicate n

Reed-Solomon code. Berlekamp-Welsh Algorithm Finding Q ( x ) and E ( x ) ? Problem: Communicate n

Reed-Solomon code. Berlekamp-Welsh Algorithm Finding Q ( x ) and E ( x ) ? Problem: Communicate n packets m 1 ,..., m n P ( x ) : degree n 1 polynomial. on noisy channel that corrupts k packets. Send P ( 1 ) ,..., P ( n + 2 k ) Receive R (

305 views • 8 slides
Introductory Course for Commercial Dog Breeders Part 10: Husbandry Standards Course Objectives

Introductory Course for Commercial Dog Breeders Part 10: Husbandry Standards Course Objectives

Introductory Course for Commercial Dog Breeders Part 10: Husbandry Standards Course Objectives By the end of this unit you should be able to: 1. Describe minimum food and water requirements for dogs 2. Describe the requirements for

809 views • 51 slides
CEPA: LESSONS FOR CHEMICAL REGULATION Joseph F. Castrilli, Counsel Canadian Environmental Law

CEPA: LESSONS FOR CHEMICAL REGULATION Joseph F. Castrilli, Counsel Canadian Environmental Law

CEPA: LESSONS FOR CHEMICAL REGULATION Joseph F. Castrilli, Counsel Canadian Environmental Law Assoc. Webinar: Science Meets Law December 12, 2019 Overview What is CELA? Nature of the Problem Posed by Toxic Substances in Canada CEPA

586 views • 55 slides
Toxicity Bioassays: A Useful Line of Evidence in Ecological Risk Assessment* Ned Black, Ph.D.

Toxicity Bioassays: A Useful Line of Evidence in Ecological Risk Assessment* Ned Black, Ph.D.

Toxicity Bioassays: A Useful Line of Evidence in Ecological Risk Assessment* Ned Black, Ph.D. Regional Ecologist US EPA Region IX 415-972-3055 black.ned@epa.gov *if you know what youre doing CERCLA Risk Characterization Acceptable

406 views • 14 slides
Graph Classification Classification Outline Introduction, Overview Classification using

Graph Classification Classification Outline Introduction, Overview Classification using

Graph Classification Classification Outline Introduction, Overview Classification using Graphs Graph classification Direct Product Kernel Predictive Toxicology example dataset Vertex classification Laplacian Kernel

605 views • 33 slides
0 Fire = 0 0 0 Reactivity = 0 HMIS-ratings (scale 0 - 4) HEALTH 0 Health = 0 Fire = 0

0 Fire = 0 0 0 Reactivity = 0 HMIS-ratings (scale 0 - 4) HEALTH 0 Health = 0 Fire = 0

FORM SDS-00038 REV 02 Page 1/6 Safety Data Sheet (SDS) OSHA HazCom Standard 29 CFR 1910.1200(g), Rev. 2012 and GHS Rev 03. Printing date 12/05/2014 Reviewed on 12/05/2014 * 1 Identification Product identifier Trade name: Microsporidia

369 views • 6 slides
TOXIC SUBSTANCES CONTROL ACT : Overview Susanna W. Blair and Ryan Schmit Office of Pollution

TOXIC SUBSTANCES CONTROL ACT : Overview Susanna W. Blair and Ryan Schmit Office of Pollution

TOXIC SUBSTANCES CONTROL ACT : Overview Susanna W. Blair and Ryan Schmit Office of Pollution Prevention and Toxics Office of Chemical Safety and Pollution Prevention U.S. Environmental Protection Agency Overview of Presentation Background

290 views • 26 slides
PARTNER SUPPORTER #TextileExchange18 Agenda #TextileExchange18 Update 2018 Membership

PARTNER SUPPORTER #TextileExchange18 Agenda #TextileExchange18 Update 2018 Membership

THANK YOU TO OUR 2018 MMC ROUND TABLE SPONSORS: PARTNER SUPPORTER #TextileExchange18 Agenda #TextileExchange18 Update 2018 Membership Industry Engagement Knowledge Building #TextileExchange18 #TextileExchange18 MMC LANDSCAPE Nicole

1.41k views • 59 slides
Organic Compounds in Water and Wastewater Cyanotoxins Removal in Water Treatment Lecture #30

Organic Compounds in Water and Wastewater Cyanotoxins Removal in Water Treatment Lecture #30

Print version CEE 697z Organic Compounds in Water and Wastewater Cyanotoxins Removal in Water Treatment Lecture #30 CEE 697z - Lecture #30 WRF Reports on Cyanotoxin Control Newcombe, 2002 (WRF 446) Removal of Algal Toxins from Drinking

478 views • 33 slides

More recommend