Static Analysis with Klocwork

Klocwork, a provider of source code analysis tools, just released the Insight Pro suite for agile development projects. Klocwork Insight Pro checks Java, C#, C and C++ code for memory and resource leaks, security vulnerabilities, and buffer overflows. DZone interviewed Klocwork CTO, Gwyn Fisher, to get an in-depth look at Insight Pro and its static analysis engine. Insight Pro includes three tools to reduce bug debt and increase iteration speed.

Continuous static analysis

Static analysis traditionally relied on user interaction to perform code checks.  Gwyn Fisher says, "Whether this is a complex server-side scripting process, or pushing buttons in desktop environments, the developer has been responsible for requesting an analysis to be performed, and is then responsible for taking action on the results all at once."  Insight Pro's static analysis has what Klocwork calls a "no-click usability model."  Fisher explains, "The no-click usability model removes this step [requesting analysis] from the developer’s responsibilities, and ensures that static analysis is performed automatically for them, consciously providing an analog to how spell checking works within word processors. Without conscious interaction, therefore, developers always have the most up-to-date analysis results available to them, based on actions they’re taking anyway, such as saving a file, opening a file, transitioning between different files in a tabbed environment, etc."  

The automatic static analysis capabilities of Insight Pro are powered by a sophisticated semantic database.  Fisher says, "Underlying everything that we do is our static analysis engine that understands what your code will actually do when it’s executed, without requiring you to run it. In order to do this, we build a database of the semantics of your code suitable for us to interpret via symbolic execution. This database is the crux of our intellectual property."

Fisher says Klocwork's analysis automation tools are what set them apart from other competitors. "There are some standalone code review and refactoring tools such as SmartBear, Atlassian, and DevExpress, but none that provide the full suite of capabilities provided by Klocwork, nor are they built on our static analysis technology which is a unique differentiator."

Collaborative peer code reviews

Insight Pro's collaborative, peer-based code review tool facilitates simple pre- and post- check-in reviews.   Code can be reviewed by an architect or team leader and anybody can take part in a code review any time.  The code review tool includes an RSS feed that tells developers when code is ready for review.  The tool also includes asynchronous reviews over the web.  Fisher said, "One of the biggest problems with code reviews in a traditional setting is scheduling the right people to be in the room at the right time, coupled with actually knowing who the right people you need are. Using an asynchronous and opt-in model for code review allows those reviews to take place when the reviewer wants, regardless of global location, and promotes reviews by non-typical reviewers, for example product owners, testers and peers, as opposed to the typically invited attendees such as architects, managers, etc."

Insight Pro integrates with several third-party configuration management environments:

  • Code management environments: integrates with ClearCase, Subversion, etc.
  • Problem tracking environments: integrates with ClearQuest, Bugzilla, etc.
  • Continuous integration environments: integrates with CruiseControl, ElectricCommander, etc.

Insight Pro also supports the Visual Studio (2005 and 2008) and Eclipse (3.4 and 3.5) IDEs.

Automated code refactoring

Efficient refactoring is a challenge for many developers in the Agile environment.  Fisher explains, "When developers commit code for completed features, they carry a responsibility to “clean up” that code to make it as elegant and maintainable as possible, so that the next developer to pick up that code can add features quickly, with a minimal learning curve. Refactoring is the exercise developers go through in making their code suitable for others to understand.  In C/C++, this is an overwhelmingly manual task, prone to errors, and taking significant time.  Insight Pro helps the developer complete these activities faster and more accurately than currently possible by providing a variety of tools from context menus in their development environments."

Insight Pro's tools reduce the risk of "bug debt," Fisher says. Bug debt is an Agile community term for bugs that don't get addressed within their original iteration. Fisher adds, "The problem with accumulating bug debt is due to the corollary effect, namely 'pay yourself first'. If you’re following an Agile process, the first items you have to address within an iteration are your debt items from the previous iteration. Obviously as your debt accumulates, your ability to implement new features or stories within an iteration craters rapidly. Therefore the ability to remove bugs from code as it's being written is key to lowering bug debt and thereby increasing the amount of feature implementation work possible within any given iteration."

DZone asked Fisher what Agile methodologies are supported by Insight Pro.  Fisher responded, "Insight Pro isn't specific to a particular Agile methodology, but the three core capabilities fully support Agile's need to create working software in a rapid delivery environment. Non-agile shops can also benefit from the capabilities to improve their productivity and approach to produce high quality software."

The future for Klocwork

Fisher told DZone that Klocwork intends to continue expanding their portfolio of developer productivity tools, "leveraging our strong position in the developer’s environment and our core of semantics, delivering a set of tools that make the C/C++ developer’s life a much easier and more productive place to be." Fisher says Klocwork Insight Pro will be available on November 26th.
