Code quality

Leave a comment

I’ve not post for some time, i was quite bust to set up some CI / metrics tools on a new project.

This raise me some questions / comments.

1) Complexity of the tools

When you read (even in my posts) it’s simple …  I’ve forget a bit the ‘open community’ and in its bad aspects.

Let me illustrate a bit. I am working in a team using mainly Java / Php.

So, using standard tools :

  • Source revision control : svn
  • IDE : eclipse
  • Build : Maven
  • CI : hudson

So, up to now, everything looks fine. I used to use some static code anlysis, in order to know the code quality :

Jdepend, PMD, findbugs, Javancss, cobertura, sonar, Coverity, …

So, nothing really exotic/fancy and most of them are ‘classical’ static code analysis tools.

So,  doing  my ‘Yoda’ show, i’ve encourage the team to use them as soon as possible in their development process so in the IDE.

I’ve plug them in their pom file (maven configuration file), update my hudson installation to have the trend, ….

AND … you know what …. 6 tools,  16 versions needed, because of incompatibility in maven, hudson,  pmd, ….

1 tool , 4 plugin needed …. most of the time just to parse an XML file, or to draw a simple curve with linear data …..

What’s a mess ! where is simplicity ? easy to use ? why coupling a CI tools with build specific plugin ??? why mixing build tools with Source control tools ???

Why not keeping the principle of less coupling to build/CI/static code analysis tools ????

Doing dcode is important, but application design should not be forget.

2) the second point, is some comments : it’s expensive to fix issues …

How can someone justify that fixing an issues at developing time … 5 .. 10 minutes … is more expensive that discovering the issue in production (something like 1$ a minute ? ) , requiring some dev again, some QA, some deployment …..

Of course, the bug may never be seen in production …. for how long ?  Don’t forget the Murphy law : if you can have a problem, you’ll have it !

How can Static Code Analysis tools may help you ?

Leave a comment

I love Static Code Analysis tools (SCA) because they are easy to use, easy to run, and most of the time very valuable.

You have of course, a learning step to know each families of tools (syntax checker, tools ensuring rules compliance, tools finding bugs,..) and to know which one to use and when to use it. But, as soon as you have this knowledge, you are very efficient and you can use them for example, during code review (even on large project) to have a good idea of the issues (it’s not easy to discover manually) or the origin of a problem. For example, you may have scalability issues on a project, but the root cause may be fully different from one project to an other one,…, the tools will help you to spot the origin.

So, I’m currently playing with several ‘bug finder’ tools, some commercial one, and some open source ones, on languages like Java/C/C++/C#,…The results ‘after some analysis’ give a good overview of a Project Quality.

So, like I am currently trying to explain to a friend of mine how to do Continuous Integration on top of Mysql (patches, plugin, specific hook, …) , I’m trying to plug some of these tools inside is Mysql CI line.

And … surprise …. more than 2000 potential bugs in Mysql Source code.

Lot of errors are due to memory handling, synchronization lock,  ‘some’ function return null, and the result of the call is used without any tests, some errors with static/non static field, ….., …..

That’s impressive …. there was a lot of time I’ve not seen so many errors per line of code. Also, the errors are very heterogeneous in the code … (side effect of open source ? )

In the following table I give some metrics :
Module Name                        Number of errors

client code 134
cmd-line-utils 80
core 1034
example 6
libmysql 211
mysys 61
server-tools 34
storage/archive 38
storage/blackhole 1
storage/csv 9
storage/federated 5
storage/heap 8
storage/innobase 262
storage/myisam 147
storage/ndb 785
system 0

For the experience I have,  I can say than 85% of the time there is a real bugs when the tool launched raise a warning.
Sometime, it took time to discover but, it was right 🙂

Some examples extracted from Myisam storage engine :

* storage/myisam/mi_check.c

Return code not check : everywhere the return code is checked, and an error is raised … my checker assume the return code is critical. So why at this line … no check ???

=> ligne 1185 :i_pack_get_block_info(info, &info->bit_buff, &block_info, &info->rec_buff, file, filepos)

* storage/myisam/mi_key.c

NPE :
–> ligne 252 : char_length= (!is_ft && cs && cs->mbmaxlen > 1) ? length/cs->mbmaxlen : length;
//so assuming cs is null
–> ligne 268
FIX_LENGTH(cs, pos, length, char_length); //which dereference cs without any checks ….

* storage/myisam/mi_rkey.c

Lock error :
—-> ligne 78 : rw_rdlock(&share->key_root_lock[inx]); // take a lock
if (!(nextflag & (SEARCH_FIND | SEARCH_NO_FIND | SEARCH_LAST))) use_key_length=USE_WHOLE_KEY;
……
if (rtree_find_first(info,inx,key_buff,use_key_length,nextflag) line 146
DBUG_ENTER(“table2myisam”);
if (!(my_multi_malloc(MYF(MY_WME, …..) ///// the allocation is not stored … and never free
DBUG_RETURN(HA_ERR_OUT_OF_MEM);

Static code analysis

Leave a comment

My current hobby is to find efficient / easy to use / and well package tools to analyse code.

For those of you who don’t know these technics,  I’ll summarize them as : ‘tools which analyse your source code, in order to help you to find potentiel bugs, or it try to convince you to change your way of programming and may give you some new programming hits, ….,’.

If your build process is clean, or if you use a standard IDE, adding these tools is very cheap, and the benefice is great.

One more ….

Leave a comment

Some of my friends start again their blog,  i was thinking, why not ….. 🙂

So, taking two minutes of my time, looks for a blog site … and create my own.