  • Do you use source code analyzers? If so, which ones and for which language development?
  • Do you find them helpful in solving potential bugs in your code? Or are most of their warnings trivial?
  • After prolonged use, do you find your code quality to be higher than before?
+1  A: 

I'm a long-term user of PC-Lint for C and C++ and find it very helpful. These tools are most useful when taking over a code base you are unfamiliar with. Over time you hit a law of diminishing returns, where the number of new bugs you find tends to trail off.

I always still do a full project lint on a big release.

Edit: There is a nice list of relevant tools on Wikipedia here

Shane MacLaughlin
lint performs static code analysis; it's not a "source code" analyzer
aku
Aren't the two terms interchangeable?
GaryF
Source code analysis is generally static, and pc-lint is a static source code analyser which focusses on finding bugs rather than formatting style. Could you name a dynamic source code analyser? ;)
Shane MacLaughlin
2 smcal, a static analysis tool operates on the binary level; it doesn't parse source code to detect errors. For example, ReSharper analyzes code on the fly - it doesn't require you to build code to find unused variables
aku
@aku, not by my understanding of the term. Static analysis is any analysis of code (source or binary) that is not being executed, e.g. lint. Dynamic analysis is analysis of code in-situ as it is executing. FWIW, Wikipedia agrees with me, see http://en.wikipedia.org/wiki/Static_code_analysis
Shane MacLaughlin
smcal, yep, you're right. By "source analysis" I meant tools such as StyleCop. I agree that I was wrong with my previous statement
aku
A: 

I use StyleCop for C#. It's a great tool to keep consistent code style that leads to better code quality. Also ReSharper does some code analysis but it's pretty basic.

aku
Which static analysis tools do you use for C and C++ that don't analyse the source code?
Shane MacLaughlin
smcal, which static analysis tools do you know that analyze source code (i.e. parse source code files)?
aku
@aku, lint is the one that I use, and probably the longest such tool in use. Please see the following link for a list of static analysis tools; http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis
Shane MacLaughlin
smacl, I've been too strict on terminology; by "source analysis" I meant tools that perform source code parsing. For example, FxCop operates on the MSIL level (it parses binary files)
aku
+3  A: 

I use a few static analysis tools in Java. FindBugs is the first line of defense, catching a lot of common errors and giving pretty useful feedback. It often spots the silly mistakes of tired programmers and doesn't place a high burden on the user.

PMD is good for a lot of other more niggly bugs, but requires a lot more configuration. You'll find that PMD's defaults are often over the top. There are too many rules that are probably beneficial on a tiny scale but ultimately don't help other programmers maintain your code. Some of the PMD rules often smack of premature optimisation.

Probably more useful is the CPD support in PMD. It attempts to find code that has been duplicated elsewhere, in order to make refactoring much easier. Run over an entire project, this really helps determine where the biggest priorities are for cleaning up code and stopping any DRY violations.

Checkstyle is also handy, making sure your coders conform to some coding style standard. It has a bit of overlap with PMD but is generally much more usable.

Finally, Cobertura is a great test coverage suite. Very handy for finding out where the unit tests are lacking, and where you should be prioritising the creation of new tests.

Oh, and I've also been testing out Jester. It seems to be pretty good for finding holes in tests, even where the code has some coverage. Not recommended yet, simply because I've not used it enough, but one to test out.

I run these tools both from within Eclipse and as part of an automated build suite.

GaryF
+1 Really thorough answer :)
Yuval A
+1  A: 

For C, I use MEMWATCH. It's really easy to use and free.

I've used it to find many memory bugs in the past.

Dana Robinson
This is a dynamic analysis tool, not a source code analyser.
Shane MacLaughlin
A: 

I'm pretty happy with ReSharper. Not only does it give useful bits of information while coding (e.g. needless casts, apply readonly and so forth) but its refactoring features are excellent for rearranging the code very quickly.

It doesn't cover everything, so FxCop (or similar) is a decent addition to the toolbox. However, as ReSharper gives immediate feedback, the turnaround time is really good. (I'm aware that FxCop can be run from VS, but it's just not the same imo).

Brian Rasmussen
+1  A: 

I used ReSharper and MS TS (basically FxCop) and both of them are quite useful, especially in the following areas:

  • Identifying dead code
  • Wide Scope
  • Performance improvements (related with globalization etc.)

Recommendations are not always great but generally improved the quality of the code.

dr. evil
A: 

I find analyzers somewhat useful. I use the ones built into Visual Studio (e.g. /analyze for C/C++ and the custom rules for .NET); occasionally I use StyleCop and CodeItRight for C#, mostly for guidelines on how things should be.

I don't think there is a perfect tool for everything that finds every bug, but I think the tools help to find some bugs, not untraceable, but believe me, you would spend a ton of time finding them.

Yes, your code quality is SOMEWHAT better than before, but I also believe manual debugging is still needed a lot. Source analyzers are not the ultimate cure; they are a good medicine though. If there was a tool that you just execute and it finds any kind of bug and fixes it for you, it would cost millions.

Some programmers that I know swear that IBM Rational PurifyPlus is superb, but that is their opinion; I just had 2-3 sessions with the tool.

But always remember one of the basic principles of programming: logical errors are the hardest to find and fix, so long debugging hours are inevitable. A good code analyzer combined with unit testing may work miracles though.

PS. I tend to produce far fewer errors in C# than in C++. Someone may say I am wrong, but although I have used C++ for more years than C#, I find the "code it and I will take care of it" GC approach of C# far easier than C++, especially for projects where you rush things to finish by the time limit/deadline, which EVERY project is like these days...