Watching Static and Dynamic Analysis Go Mainstream

Last week, I asked whether design by contract could please be the next thing in programming to go mainstream, so that we could manage version updates more sensibly. I don’t actually think there’s much chance of it happening, but one of the emails I received about it made me realize that two other things I care about have already passed the tipping point: static and dynamic code analysis.

As their names suggest, the first is concerned with looking at the code while it’s standing still, while the second examines how the code behaves when it’s running. Static analyzers like Lint have been around for years—so long, in fact, that “lint” has become a verb, just like “make”. Today’s static analyzers, like Checkstyle, can detect many more problems, and are extensible, so that users with a grudge can add new intelligence piece by piece. Dynamic analyzers have just as ancient a pedigree: prof, gprof, gcov, and their ilk have been helping people figure out which bits of their code are actually being used for thirty-odd years. What’s new is how frequently these tools are now integrated into other systems. The JUnit extensions page lists several tools that create coverage reports in the wake of unit tests (courses here at the University of Toronto have used Clover to great effect), which are themselves showing up in CruiseControl and other continuous integration frameworks. A few weeks ago, my twenty-line change to someone else’s C++ was bounced by a Subversion pre-commit hook because Insure++ found a memory leak. I think this is wonderful, but I’m a little concerned at how little attention it’s getting in classrooms. We’re still trying to get instructors to adopt version control for all programming courses, and I was told a month ago that students doing the major project course sequence at the University of Waterloo’s Software Engineering program aren’t required to use any particular tooling at all. I’d love to add some of this stuff to DrProject, but I’m afraid it would make it less accessible, rather than more.

Added 2006-07-19: Panagiotis Louridas has an article in the July’06 issue of IEEE Software that talks about static checking tools for Java, particularly FindBugs. I’ve griped before about how hard object/relational mappers and other “hide the code” tools are to debug; if someone could build a lint-like tool for them, a lot of people would applaud.