Hacker News new | past | comments | ask | show | jobs | submit login

Running your code through static analysis can be eye-opening. And just like when you opened your eyes for the first time... you'll probably cry.



If I had a dollar for every time I saw this...

if(obj == null && obj.isValid())

I'd have approximately 960 dollars per project.


> if(obj == null && obj.isValid())

Why would you encounter this (often)? It seems to me that this code would never evaluate to true.


This is Java code. If you test for a null reference AND THEN dereference it, you get a NullPointerException. The check was supposed to be "!= null".

This check is obviously erroneous, and found via SCA. I was saying "if I had a dollar for every time I found this [via SCA] I'd have a lot of money."


I'm curious as well, I understand the bug / typo, but I don't think I've seen it more than a handful in 20+ years of C-like languages (mostly game development). In contrast, typing a single '=' instead of '==' seems a more common error IME (although still not frequent enough to drive me towards Yoda conditions to catch it).

Why do you think you are encountering this particular mistake so often? Is it something about your projects, your organization, your colleagues, or Java itself?


It's a braino, I think. Instead of the right thing, which would be what mathgladiator posted below, this is a guaranteed null pointer exception when obj actually is null.


I hope he means

> if (obj != null && obj.isValid()) { }

Which is semantically correct due to the fail-fast evaluate of AND, it does require a double check since it's strange from a logic point of view. This is one the reasons that brace languages are hard to optimize since you can't commute things that ought to commute.


That statement can't be commuted because it expresses a concept that can't be commuted.

If the two checks were independent (pure functions), it's not difficult for a compiler to determine that given enough program visibility.


Static code analysis has a long-term benefit as well as the more obvious short-term benefit. That is, it teaches us to be better developers as we strive to have the static analysis catch less issues in our code the next time [1]. I used static analysis to improve my style for C, Python, and most recently Ruby [2].

I think it had a lasting effect on my personal coding habits. But every once in a while, I will use the tools on my new code and it still finds things. I would probably benefit from being more persistent in using these tools.

[1]: This assumes that the issues caught be your static analysis tool are valid concerns, which in my experience, they tend to be.

[2]: Some static analysis tools that I've used with Ruby are reek, roodi, flay, and flog. Reek and roodi report code smells. Flay reports structural similarities (opportunities for refactoring). And flog estimates the complexity of your methods.


Static analysis is essential for anything that lives solely in the domain of syntax and style. Detecting bad smells (including duplication and excessive complexity) from when you got tired or interrupted is perfect for it, and is a great heuristic way to find areas that need more attention. In Python and I assume Ruby, anything that bears on function is more reliably detected with unit tests.


what tool did you use for ruby?


I mentioned that in my second footnote.


Equivalently in a very introspective language, running old code through new unit tests is eye-opening...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: