This week's giveaway is in the Android forum.
We're giving away four copies of Android Security Essentials Live Lessons and have Godfrey Nolan on-line!
See this thread for details.
The moose likes Agile and Other Processes and the fly likes code review vs static analysis Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Android Security Essentials Live Lessons this week in the Android forum!
JavaRanch » Java Forums » Engineering » Agile and Other Processes
Bookmark "code review vs static analysis" Watch "code review vs static analysis" New topic

code review vs static analysis

Jeanne Boyarsky
internet detective

Joined: May 26, 2003
Posts: 30130

Roy's post got me thinking about the difference between code review and static analysis.

The static analysis vendors say static analysis is a type of code review. I use static analysis for two purposes:
1) To get me looking at potentially troublesome code. Bad practices tend to cluster. As a human, this code is worth more time.
2) To ensure certain practices never make it into the codebase. Why should a human need to look for a DateFormat object as an instance variable.

I certainly don't think static analysis replaces code reviews of course. I'm curious what others think on this. Both the people from SmartBear and more broadly.

[Blog] [JavaRanch FAQ] [How To Ask Questions The Smart Way] [Book Promos]
Blogging on Certs: SCEA Part 1, Part 2 & 3, Core Spring 3, OCAJP, OCPJP beta, TOGAF part 1 and part 2
Brandon DuRette
Smart Bear Support

Joined: Jul 06, 2009
Posts: 8
At Smart Bear, we use both FindBugs and PMD for static analysis and we still review every line of code. There are certain things that static analysis tools are great at and some things that they just cannot do. They can detect most bad idioms (like your DateFormat example). They can detect inconsistent code (you checked for null before dereferencing a parameter once, but not every time within a method), which probably indicates a bug. They can detect complex code (by computing cyclomatic complexity) and flag it for further review or refactoring.

They cannot reason about whether the code works, conforms to the spec, and is maintainable. In my mind, this is the primary function of code review. Here are some questions that go on my mental code review checklist:

1) Do the unit tests validate the specified behavior?
2) Are there missing test cases?
3) Did the unit tests change? If so, was this an intentional change or a "get the unit tests to pass" change?
4) Can I understand the code?
5) Are variables well-named?
6) Are the comments sufficient?
7) Is there a better way? Especially a better way that makes use of some common code. Static analysis can detect duplicate code, but that's not exactly what I'm looking for here. I'm considering alternative approaches that would simplify the code by using some common library code.

For more thoughts:
Can static code analysis replace peer code review?

Code Review Tools - Code Review and More - The Smart Bear Blog
Jimmy Clark
Ranch Hand

Joined: Apr 16, 2008
Posts: 2187
The phrase "code review" is typically used to describe a human process, not a "computing" process. In reality, it most likely has different meanings for different organizations. In my experience, "code review" is a meeting of one or more engineers, one or more programmers, and a project manager or business analyst. The purpose of the meeting is to review the "design" of a software application or service.

Static analysis of code is a "computing" process and can be used to create documentation to be reviewed in a code review meeting. Or, it can be one of the steps that occurs before or after a code review, and maybe depend upon how well the code is written.

Basically, you can use static analysis and code review together.
Gregg Sporar
Smart Bear Support

Joined: Jan 04, 2007
Posts: 6

Just one additional thought - you can use static analysis and code review together:

Jeanne Boyarsky
internet detective

Joined: May 26, 2003
Posts: 30130

Great thoughts. I like how you use code revie for "readable maintainable" code and not just "code that works at the moment."
Andy Yang

Joined: Jul 20, 2009
Posts: 1
Static analysis checks are only as good as the rules that the analysis uses to find stuff. Code Review encompasses many other types of "checks" that are not or even could not be codified into an automated rule. They may include reviewing code for functional integrity - something that static analysis does not typically focus on. Static analysis usually finds flaws in coding practices, such as logic problems that suggest the code is incorrect or possible exceptions in the code and doesn't understand features.

Static analysis does do a subset of code review and can do it on a much larger scale (even through most every path in the code). It's a good idea to use both static analysis and manual code review together.
wood burning stoves
subject: code review vs static analysis
Similar Threads
static analysis tools and its impact on code review
ship it: building developers
Junits monitoring
What is your view on code reviews?
[Ship It!] Code Reviews