Dr. Florian Deißenböck

On Friday, February 21st Apple published an update for iOS that fixed a serious security issue. What makes this issue interesting is not only its severity but also the fact that it can be pinned down to a single line of code. Conveniently, this code is open-source and available for analysis!

In this post I’ll explain why this major security issue is, after all, the result of a number of quality issues, which are often undervalued as minor flaws.


A fundamental challenge when introducing reviews is that reviewing code is hard. This post summarizes our practices to nevertheless make life for a reviewer as easy as possible.


Dr. Nils Göde

Code quality audits are a fundamental part of our daily work as software quality consultants. The objective of such an audit is to assess the quality of a system’s source code and identify trends based on the code’s evolution. That makes an audit an important prerequisite for ongoing quality control and improvement. Understandably, we are not able to publish the results of the audits that we do for our customers. That makes it sometimes hard for us to explain what such an audit looks like. Instead of lengthy descriptions, we decided to analyze the code quality of an open-source system and use this as a showcase to illustrate what our quality audits look like.


There are different categories of quality aspects that we analyze in our code audits. This is the…


Reviews point out problems in somebody’s work. Unfortunately, both giving and receiving criticism can be hard. To successfully introduce reviews, we must overcome this resistance. Since finding (and later removing) problems is the primary goal of reviews, this challenge is inherent—no review process can avoid it. We can, however, make receiving review results much easier. This post describes two simple but effective practices we use in our code reviews.


Dr. Martin Feilkas

As the post ‘Tools Do Not Improve Quality’ by my colleague Nils has already destroyed the naive dream of simply installing a tool and getting every maintenance nightmare healed overnight, I would like to address a follow-up question in this post: if tools are not sufficient, how can we improve quality?


Several years ago, when we were still naive researchers on software quality, we started out developing different kinds of quality analyses in the context of our tool ConQAT. We worked hard on eliminating false positives and in the end achieved highly precise analyses. We thought developers would love addressing each issue these tools emit. When we presented analysis results to developers, they usually agreed on the relevance of the deficits we identified.…


Dr. Nils Göde

Asking people what they do to improve the quality of their software product, one of the most frequent answers is something like »Oh, we have installed [Checkstyle|FindBugs|ConQAT|Sonar|…] and it runs as part of our continuous integration process«. However, when looking for indications of any quality improvements, we are mostly unable to find any.


The primary purpose of automated tests is to reveal regression bugs. But how can we tell how well a test suite does this? Code coverage measurement is often used to assess tests in practice. But what does it really tell? We analyzed a set of open-source projects to find out and came up with a clear answer. This post summarizes our findings.


Dr. Nils Göde

Who could possibly better judge the quality of our code than ourselves? We wrote this code. We are the experts. So why should we invest in a professional code quality audit? Let me give you a few reasons why it is a worthwhile investment.


Dr. Nils Göde

Quality control has many facets, but if there is one factor that distinguishes good from high-end quality control, it is the systematic use of manual code reviews. While a lot can be achieved by tool-supported analyses and improvements, manual reviews have some unique benefits.


Dr. Nils Göde

At least not all of them at once. The awareness of quality deficits (these include bugs, lack of understandability, missing documentation, a lack of tests, and so on) seems to follow a sine-curve-like shape.


In those phases with the highest awareness, project managers and their developer teams often decide to dedicate a larger block of time exclusively to cleaning up the system and putting everything else on hold. All too often, the ambitious objective is to remove all quality deficits—in many cases without even specifying what a relevant quality deficit is.


Don’t do this!
