Turn the microscope: using machine learning and data science to optimize code quality

Transcript

1. codescene.com @AdamTornhill Turn the microscope June 2022 using machine learning

   and data science to optimize code quality

2. @AdamTornhill “Technical debt is code that’s more expensive to maintain

   than it should be.” Software Design X-Rays, 2018 What is Technical Debt?

3. What we actually know: Research on Technical Debt Waste 


   Software developers spend 23-42% of their work week dealing with technical debt and bad code.1, 2, 3 1 Besker, T., Martini, A., Bosch, J. (2019) “Software Developer Productivity Loss Due to Technical Debt” 2 Stripe, (2018), “The Developer Coef fi cient: Software engineering ef fi ciency and its $3 trillion impact on global GDP” 3 https://codescene.com/technical-debt/whitepaper/calculate-business-costs-of-technical-debt.pdf 4 Sultana, K. Z., Codabux, Z., & Williams, B. (2020, December). Examining the relationship of code and architectural smells with software vulnerabilities. Vulnerabilities 
 There is a statistically signi fi cant correlation between software vulnerabilities and code smells like Brain Classes, complex implementations, and large classes.4

4. Technical Debt: where we are as an industry Research finds

   that developers are frequently forced to introduce new Technical Debt as companies keep trading code quality for sho r t-term gains like new features.1 1 T Besker, A Ma r tini, and J Bosch. 2019. “Software developer productivity loss due to 
 technical debt—a replication and extension study examining 1207 developers’ development work”

5. Why sho r t-term gains win over long-term maintainability: Hyperbolic

   Discounting

6. “There's never enough time to do something right, but there's

   always enough time to do it over.”* Melvin E. Conway (1968). “How Do Committees Invent?” @AdamTornhill * Thanks, Kevlin Henney

7. codescene.com @AdamTornhill Fighting hyperbolic discounting: Visualise accidental code complexity

8. Code Health: beyond a single metric Examples on Code Health

   Issues Module Level: Low Cohesion, many responsibilities Brain Class, low cohesion, large class, at least 
 one Brain Method Function Level: Brain Methods, complex functions that centralize 
 the behavior of the module Copy-pasted logic, missing abstractions, DRY violations Implementation Level: Deeply Nested Logic, if-statements inside if-statements Primitive Obsession, missing a domain language Code health as a proxy for code quality: 1. Detect prope r ties of the code that are known to correlate with increased maintenance costs and with higher risks of defects. 2. Aggregate the metrics via a network calibrated from a large baseline library of code. 3. Categorise (Red/Green/Yellow), and visualize. Learn More: https://codescene.com/blog/measure-code-health-of-your-codebase/

9. @AdamTornhill Selenium: a project for web browser automation 450k lines

   of code https:/ /github.com/SeleniumHQ/selenium Visualizing code health

10. @AdamTornhill Visualizing code health Selenium: a project for web browser

    automation 450k lines of code https:/ /github.com/SeleniumHQ/selenium

11. @AdamTornhill Selenium: a project for web browser automation 450k lines

    of code https:/ /github.com/SeleniumHQ/selenium Visualizing code health

12. Examples: a gallery of code @AdamTornhill CoreCLR: the runtime for

    .Net 8.5 million lines of code https:/ /github.com/dotnet/coreclr Tomcat: web server and Servlet container 500k lines of code https:/ /github.com/apache/tomcat

13. codescene.com @AdamTornhill From “knowing” to knowing: Quantify the business impact

    of complex code

14. Research to quantify the impact of code quality: scope &

    data @AdamTornhill ▶ A quantitive large-scale study of code quality impact. ▶ Data from 39 commercial codebases. ▶ Analysed more than 40 000 software modules. ▶ Many different industry segments. ▶ Tested across 14 programming languages. ▶ Using the CodeScene tool to automated the analyses. ▶ Our research findings are statistical significant and peer reviewed for the International Conference on Technical Debt 20221 1 Research publication: https://arxiv.org/abs/2203.04374

15. The costs of low code quality: why is it so

    hard to measure? ▶ Organizations don’t know the development costs of individual modules. 1 ▶ Hence, related numbers (i.e. on technical debt impact) come from surveys and self-repo r ted estimates. 2 1. Tracking detailed time in development would be a significant overhead. A few organisations enforce “Time Spent” to be repo r ted in Jira, but that time is per task level, not per code module 2. Ga r tner (2021): , McKinsey (2020), Stripe (2018) We know the staffing costs.. ..and we could (in theory) get the costs per ticket… ..but we have no way of knowing how those costs are distributed across code of various quality! source code

16. Time-In-Development: how do we measure it? File 1 File 2

    Jira Issue X moved to “In Progress”: sta r ts the sub-cycle time #1 commit #1 cycle time #1 sub-cycle times #1 + #3 sub-cycle times #2 + #3 Time-In-Development: Data source: Jira commit #N cycle time #3 cycle time #3 commit #2 cycle time #2 Data source: Jira + Git

17. codescene.com @AdamTornhill The results: Does code quality matter?

18. Green Code: Implementing a feature is twice as fast Healthy

    Warning Ale r t Code Health category Mean time for implementing a ticket Relative scale Development time for code changes 0.05 0.10 0.15 additional time spent compared to healthy code @AdamTornhill

19. Red Code: A feature can take up to 9 times

    longer Healthy Warning Ale r t Code Health category Unce r tainty: maximum time for implementing a ticket Relative scale Development time for code changes 0.20 0.40 0.60 0.80 1.00 additional unce r tainty compared to healthy code @AdamTornhill

20. Red Code: 15 times more defects Healthy Warning Ale r

    t Defects by Code Health category Defects Relative scale Number of Defects 0.20 0.40 0.60 0.80 additional defects/rework compared to healthy code @AdamTornhill

21. The programmer perspective: how low quality code impacts development teams

    @AdamTornhill The most frequent causes of unhappiness: 1. Stuck in problem-solving 2. Time pressure 3. Work with bad code “[Developers] suffer tremendously when they meet bad code that code have been avoided in the fi rst place” Grazitotin, D., & Fagerholm, F. (2019). “Happiness and the Productivity of Software Engineers"

22. Theory into practice: how would we use this data? Code

    quality constraints a business ▶ Give all stakeholders — devs, product, management — the same situational awareness of where the strong and weak pa r ts are. Fight hyperbolic discounting: ▶ Discussing future risks primes you for sta r ting to address them. Build a business case for improvements: ▶ Refactoring and larger improvements can come with a business expectation. @AdamTornhill

23. codescene.com @AdamTornhill Making it actionable: Prioritize large amounts of technical

    debt

24. @AdamTornhill Red Code: Where do we sta r t? Tomcat:

    web server and Servlet container 500k lines of code https:/ /github.com/apache/tomcat

25. @AdamTornhill Hotspots: Prioritize based on developer behaviour Most code is

    stable: low interest technical debt Most development activity is in a small pa r t of the codebase: high interest technical debt Interest rate: Code Change Frequency

26. A look into a Hotspot: 
 Actionable Insights? @AdamTornhill 4,000

    Lines of Code!

27. Function Level Hotspots Parse Recommended functions to improve. Hotspots: X-Ray:

    StandardContext.java From https://pragprog.com/book/atevol/software-design-x-rays

28. X-Ray of StandardContext.java @AdamTornhill

29. codescene.com @AdamTornhill Getting actionable advice: Using ML to build a

    personalised refactoring catalogue

30. @AdamTornhill The need for better refactoring tools https:/ /refactoring.com/catalog/extractFunction.html

31. @AdamTornhill Automated refactoring recommendations: how it works Detect code that

    degrades in health so that we can act: …but we can just as easily fi nd code that improves its health:

32. @AdamTornhill Git Commits Read more: https://codescene.com/engineering-blog/refactoring-recommendations Filter: improving code health?

    Automated refactoring recommendations: how it works Is the Git diff useful to a human? Trained on classi fi ed samples. Social proximity? That is, the refactoring is done by “your” team? Architectural proximity? That is, the refactoring is in “your” domain and pa r t of the code? Ranked refactoring recommendations

33. @AdamTornhill A personalised refactoring catalogue example on Complex Method Refactoring

    from keycloak Refactoring: 1. Identify commonalities. 2. Encapsulate the commonalities. 3. Use the higher level abstraction to simplify the code.

34. @AdamTornhill Context & team-aligned style: To stream, or not to

    stream Refactoring from keycloak

35. Speed + Quality: you can have it all “Our results

    indicate that improving code quality could free existing capacity; with 15 times fewer bugs, twice the development speed, and 9 times lower unce r tainty in completion time, the business advantage of code quality should be unmistakably clear.” A. Tornhill & M. Borg (2022) @AdamTornhill Healthy Warning Ale r t 0.20 0.40 0.60 0.80 1.00 Quality dimension: where are the risks and oppo r tunities? Hotspot dimension: what’s the impact and priorities?

36. Tools + examples: https://codescene.com/ Blogs on Software Evolution & Technical

    Debt: • https://www.codescene.com/blog/ • https://adamtornhill.com/ behavioral code analysis techniques, tech debt, teams, microservice analyses Adam Tornhill https://twitter.com/AdamTornhill https://se.linkedin.com/company/codescene