Iris Classon
Iris Classon - In Love with Code

Stupid Question 102: What is a static program analysis tool?

[To celebrate my first year of programming I will ask a ‘stupid’ questions daily on my blog for a year, to make sure I learn at least 365 new things during my second year as a developer]

What is a static program analysis tool?

Something called StyleCop has been mentioned quite a few times, and tools such as JustCode and ReSharper.
They are all something called static program analysis tools. StyleCop was a Microsoft project, and it check the source code to see if it confirms to the recommended design standards/guidelines set by Microsoft (discussed in the previous question). It is today an open source project and can be downloaded on codeplex.

I think it’s about time we answer the obvious question - what is static program analysis tool?

It’s a tool that analyses your code without executing it (hence static). It inspects the code and checks against preset rules (algorithms) trying to detect things that will cause bugs or that don’t confirm to the standards. This process is automated within the tool, with the user often allowed to do add rules, adjust them or remove them (select to ignore). Some explain the tools as a coach, some as an inspector, and some as a tiny helper. I guess those three would be three ways of looking at the tool, it can be a do or die (you have to obey) or a teaching tool (hey, look what you can do!) or a buddy giving suggestions. For me it is often a combination of those three, and the better I get at coding, the more the tool is more of a helper.

Static analysis can also be performed manually, and there are different ways of doing that, but usually when develoeprs talk about static analysis they refer to the automated tools, using the ‘code review’ for manual checking. How confusing. Oh well :)

Any good / bad experience with these tools? Any funny stories? Tell me :D :D

Comments

Leave a comment below, or by email.
Chris
12/14/2012 1:00:17 PM
I was in a project for a company where Resharper/StyleCop with a custom ruleset was a mandatory tool for every developer involved. With 12 coders working on the same codebase with a common repository, StyleCop was how management made sure every bit of code delivered and checked into the repository met the coding standards set by the company, A bit annoying at first, but you soon got used to it. The worst was getting emails from petty know-it-all co-workers telling me I've checked in a file that didn't conform to our Stylecop standards. 
Mark Carr
12/14/2012 3:45:25 PM
Sorry, not read your article thoroughly. Needed mental pabulum (AKA Booze - it is Friday). Check out Bon Knuth. He's the man. 
Mark Carr
12/14/2012 3:45:56 PM
Don (Typo = Blame Tex) 
Mark Carr
12/14/2012 4:04:01 PM
ReSharper
http://visualstudiogallery.msdn.microsoft.com/EA4AC039-1B5C-4D11-804E-9BEDE2E63ECF 
Mark Carr
12/14/2012 4:06:07 PM
More booze... Merry xmas pink coder. 
gatesvp
12/19/2012 12:00:05 PM
Static analysis tools have a couple of purposes.

One purpose is to catch obvious technical problems early in the process. Typically things like memory management. Are you checking mallocs? Are you freeing memory correctly? Are you handling known exceptions? Do you have unreachable code? Are you failing to check for nulls on a public method? etc.

Programmers write lots of code and it's not always easy to catch all of these problems up front. This was particularly difficult with C & C++ where tracking memory allocations was very important but not very easy.

The second reason for things like StyleCop is to enforce a certain structure to the code. Again, it's easy to be lazy and forget certain elements on code that we write for ourselves. But when you have lots of people working a code base, certain things suddenly become very important. A static analysis tools or code review tool can ensure that standards are upheld for everyone's benefit. 
Tweedeldee
12/21/2012 10:57:53 AM
Hi there!
Pretty nice blog you got here, I'll try and provide my 2 cents here. :)

As a static analysis tool, I'd like to cite Sonar : http://www.sonarsource.org/
It's more a nice dashboard that sums up informations coming from a few well-established tools than a code analysis tool, but it really helps actually using these tools.

I won't re-say the uses that have already been described here, but I'll add another one to the list : 
- assessing an existing code base's quality before signing a maintenance contract.
In some projects, the company in charge of the maintenance is not always the one that  developped the code. It can be crucial to assess the state of the code before signing up that maintenance contract. 
I've also run into a customer which was using such tools to keep an eye of the work done by the contracted compagnies, and a good report was necessary for the acceptance tests.

All that to say that such tools are mostly a developer friends, used internaly, but they can also become a term of a contract. 


Last modified on 2012-12-12

comments powered by Disqus