Smart Bear Software


May 11, 2009

Can static code analysis replace peer code review?

Whenever I talk about peer code review, someone always wants to pit static code analysis tools against human review.  Which is better?  They assume that because we sell a peer review tool we necessarily have to hate automation.

But that's just not true.  You need both.

Want to simultaneously waste developers' time and give them trivial busywork?  Have them hunt around for local variables that aren't all lowercase and find instances where you've overridden equals() but not hashCode().

Anything you can automate... should be automated!  Of course.

But there are certain questions that static analysis can never answer.  Like:

  1. Does the code work as documented?
  2. Are the unit tests correct?
  3. Can another developer look at this code and be able to use or maintain it?
  4. Is this a good algorithm?
  5. Is this good code organization?

Items 1-3 especially are important.  Really important, if you care about code quality.  The only way to answer these questions is through peer code review.

Static analysis is like the spell-checker in Word.  Of course you should use it, and of course you should clear spelling errors before handing your document to a friend to edit.  But it's that human edit that finds the problems, checks for correctness, and can identify the sentences that are "weird."

Spell Czech is good, butt knot enough.  It takes a human to find the important problems.

So definitely run that static code analysis!  Just don't expect that to magically make your code correct or maintainable.

Comments


Alen

Good points, I've also added my two cents from a static analysis perspective: http://kloctalk.klocwork.com/?p=173

Tom Harris

Of these questions, the biggest one that is solely in the domain of code review is "Can another developer look at this code and be able to use or maintain it?"

A "no" answer on this is what we're looking for from code review, so that code can be simplified and clarified, making it less error-prone.

And catching problems with readability and maintainability depends on being able to see the entire codebase with point-and-click navigation, not just the diffs the reviewer has chosen to upload. Discussed in today's Smart Bear webinar (see temporary partial log at http://twitter.com/tweetquality or tweet-search #collab).

Hoping for that feature, whether it's:

1. Bringing review into IDE environment
2. Bringing web codebase browsing (e.g. OpenGrok) into Code Reviewer / Code Collaborator
3. Opening Smart Bear APIs so customer community can do it for themselves
