Would Static Analysis Tools Help Developers with Code Reviews?

Would Static Analysis Tools Help Developers with Code Reviews?

Sebastiano Panichella Venera Arnaoudova Massimiliano Di Penta Giuliano Antoniol

OUTLINE

Context: Code Reviews.

Case Study: Code Reviews of 6 Open Source Projects.

Results: Warnings Resolved by Developers During Reviews.

CODE REVIEWSWhy, What, How?

CODE REVIEWSWhy?

CODE REVIEWSWhy: concrete benefits…

Improved  Code  Quality

Fewer  defects  in  Code

Improved  Knowledge  Transfer

Education  of  Junior  Programmers

Benefits

“Expectations, Outcomes, and Challenges of Modern Code Review” Alberto Bacchelli and Christian Bird - ICSE 2013

“Common Outcomes of Code Review”

CODE REVIEWSWhat: types of peer code reviews?

Formal  Inspection  Process

Over  The  Shoulder  Reviews

Email  Pass  Around  Interviews

Tool  assisted  reviews

Pair  Programming

CODE REVIEWSWhat: types of peer code reviews?

Over  The  Shoulder  Reviews

Email  Pass  Around  Interviews

Tool  assisted  reviews

Pair  Programming

“Modern code review is a form of code inspection which has the qualities of being informal, tool-based

and frequent.”

“Expectations, Outcomes, and Challenges of Modern Code Review” Alberto Bacchelli and Christian Bird - ICSE 2013

Formal  Inspection  Process

MODERN CODE REVIEWS

“Modern code review is a form of code inspection which has the qualities of

being informal, tool-based and frequent.”

“Expectations, Outcomes, and Challenges of Modern Code Review” Alberto Bacchelli and Christian Bird - ICSE 2013

MODERN CODE REVIEWS: TOOLS(I)

Code Reviews Management

GERRIT: a Tool to Conduct and Manage Code Reviews

GERRIT: a Tool to Conduct and Manage Code Reviews

GERRIT: a Tool to Conduct and Manage Code Reviews

GERRIT: a Tool to Conduct and Manage Code Reviews

GERRIT: a Tool to Conduct and Manage Code Reviews

MODERN CODE REVIEWS(I)

Code Reviews Management

MODERN CODE REVIEWS(I)

Code Reviews Management

(II) Bugs/Issues

Detection

MODERN CODE REVIEWS(I)

Code Reviews Management

(II) Bugs/Issues

Detection

LIMITATION:provide a too extensive list

of recommendations

Past Work

Kim et al. - FSE 2007

Only10%, of suggestedwarnings are removed

by bug fix changes

To What Extend Static Analysis Tools Help Developers During Code Reviews?

To What Extent Static Analysis Tools Help Developers During Code Reviews?

Project History

To What Extent Static Analysis Tools Help Developers During Code Reviews?

Project History

During Code Reviews

We argue that the Use ofStatic Analysis Tools

Would be Highly Beneficial During Code Reviews…

CASE STUDY

Code Reviews of 6 Open Source Projects.

Goal: understanding how static analysis tools could have helped in dealing with warnings developers solved during code reviews.

Quality focus: reducing developers’ effort during the code review task.

Perspective: develop tool to support the configuration of static analysis tools towards warnings that are considered relevant by developers.

CASE STUDY

RESEARCH QUESTIONS

RQ1: To what extent warnings detected by static analysis tools are removed during code reviews?

RQ2: What kinds of warnings detected by static analysis tool are mainly considered during code reviews?

Projects Observe Period KLOC # of Reviews Analysed

Uses Checkstylee

Uses PDM

Eclipse CDT 2013-11-29 - 2014-09-22

1,500–1,550

309

Eclipse Platform UI

2013-06-24 - 2014-09-09

2,092–2,305

16

Eclipse JDT Core

2013-05-23 - 2014-09-24

2,736–2,554

113

OpenDaylight Controller

2013-01-01 - 2014-09-24

149–171 161

Motech 2013-07-24 - 2014-09-24

586–1,909 209

Vaadin 2013-06-01 - 2014-09-24

6,174–6,114

180

CONTEXTObject:

Tools Experimented:

STUDY PROCEDURE

PATCH SETS COMPARISON…

Given a Code Review

PATCH SETS COMPARISON…

Given a Code Review

We use…

PATCH SETS COMPARISON…

Given a Code Review

We use... to compare warnings density

variation between…

First patch

Last patch

RQ1To what extent warnings detected by

static analysis tools are removed during code reviews?

ProjectsDensity of Warnings

[P-value]# of Warning

[P-value]Density of Warnings

[P-value]# of Warning

[P-value]

Eclipse CDT 0.074 0.025 0.028 <001

Eclipse JDT Core 0.450 0.919 0.351 0.624

Eclipse Platform UI

0.132 0.857 0.011 0.2

OpenDaylight Controller

0.080 <0.01 0.614 <0.01

Motech >0.01 <0.01 0.205 <0.01

Vaadin NA NA 0.148 0.209

Changes of Warnings Density (and Absolute Number) During Code Reviews.

ProjectsDensity of Wornings

[P-value]# of Warning

[P-value]Density of Wornings

[P-value]# of Warning

[P-value]

Eclipse CDT 0.074 0.025 0.028 <001

Eclipse JDT Core 0.450 0.919 0.351 0.624

Eclipse Platform UI

0.132 0.857 0.011 0.2

OpenDaylight Controller

0.080 <0.01 0.614 <0.01

Motech >0.01 <0.01 0.205 <0.01

Vaadin NA NA 0.148 0.209

Changes of Warnings Density (and Absolute Number) During Code Reviews.

ProjectsDensity of Wornings

[P-value]# of Warning

[P-value]Density of Wornings

[P-value]# of Warning

[P-value]

Eclipse CDT 0.074 0.025 0.028 <001

Eclipse JDT Core 0.450 0.919 0.351 0.624

Eclipse Platform UI

0.132 0.857 0.011 0.2

OpenDaylight Controller

0.080 <0.01 0.614 <0.01

Motech >0.01 <0.01 0.205 <0.01

Vaadin NA NA 0.148 0.209

Changes of Warnings Density (and Absolute Number) During Code Reviews.

Cumulative Percentage of Removed Warnings

Projects Uses Checkstyle

Uses PDM

% of Resolved Warnings % of Resolved Warnings

Eclipse CDT 11% 11%Eclipse

Platform UI 5% 7%Eclipse JDT

Core 11% 9%OpenDaylight

Controller 15% 15%

Motech 23% 13%

Vaadin - 13%

Cumulative Percentage of Removed Warnings

Projects Uses Checkstyle

Uses PDM

% of Resolved Warnings % of Resolved Warnings

Eclipse CDT 11% 11%Eclipse

Platform UI 5% 7%Eclipse JDT

Core 11% 9%OpenDaylight

Controller 15% 15%

Motech 23% 13%

Vaadin - 13%

RQ2What kinds of warnings detected by

static analysis tool are mainly considered during code reviews?

Qualitative Analysis

Qualitative Analysis

Qualitative Analysis

Qualitative Analysis

“We randomly sampled 10% of code reviews that resolved at least one warning”

Qualitative AnalysisQualitative Analysis

“Warning that Developers Fix During Code Reviews:”

Qualitative Analysis

“Warning that Developers Fix During Code Reviews:”

Type Resolution

Qualitative Analysis

“Warning that Developers Fix During Code Reviews:”

Unused code

Type Resolution

Qualitative Analysis

“Warning that Developers Fix During Code Reviews:”

Imports

Regular Expression

Type Resolution

Unused code

Qualitative Analysis

“Warning that Developers Fix During Code Reviews:”

Imports

Regular Expression

Type Resolution

Unused code

Eclipse CDT: Percentage of PDM’ Resolved Warnings

Warning Types % Resolved Warnings

Type Resolution 100% Import 100%Basic 75%

Sunsecure 67%Codesize 59%

Unusedcode 58%Logging-java 51%

j2ee 47%

Design 42%

junit 38%

Empty 33%Javabeans 26%

Naming 14%

Braces 14%

…. …..

Eclipse CDT: Percentage of PDM’ Resolved Warnings

Warning Types % Resolved Warnings

Type Resolution 100% Import 100%Basic 75%

Sunsecure 67%Codesize 59%

Unusedcode 58%Logging-java 51%

j2ee 47%

Design 42%

junit 38%

Empty 33%Javabeans 26%

Naming 14%

Braces 14%

…. …..

“Quantitative Analisys Confirms Findings of the Qualitative analysis..”

OpenDaylight Controller: Percentage of Checkstyle’ Resolved Warnings

Warning Types % Resolved Warnings

Regular Expressions 100% Modifiers 100%

Metrics 100%import 53%

Whitespace 48%Class Design 47%

Annotations 40%Naming 16%Coding 15%

%Javadoc Comments 12%

Size Violations 11%Javabeans 26%

Block Checks 10%

Miscellaneous 8%

…. …..

“Similar Results for Checkstyle Warnings..”

OpenDaylight Controller: Percentage of Checkstyle’ Resolved Warnings

Warning Types % Resolved Warnings

Regular Expressions 100% Modifiers 100%

Metrics 100%import 53%

Whitespace 48%Class Design 47%Annotations 40%

Naming 16%Coding 15%

%Javadoc Comments 12%Size Violations 11%

Javabeans 26%

Block Checks 10%Miscellaneous 8%

…. …..

Developers Fix also Warnings related to:

1) naming convention

2) code formatting

3) code comments

By implication…

“Enforcing the removal of certain warnings before submitting a patch..”