It's very hard to suggest formal metrics, but let me try.

1) Code coverage by automated unit tests.

Any part of code should be covered by one or two automated test cases. Code coverage can be measured in automatic mode by different profiles.

2) Length of functions (methods) / units (classes). The one with 60 lines for method or 1k lines for unit (class) is bad one. Not counting in-code documentation.

Can be measured in automatic mode.

3) Not only "length" but also "width" of code - how many included constructions are used in method? For example, if { for{ while { if { do {...}}}}} is a signal of bad code.

Can be measured automatically.

4) Using of code patterns. It's hard to extract formal rules for using patterns, but may be this will help:
- any class should have interface, unless it's a utility class with static methods
- no fields should be public, unless it's a data-only structure.
- static methods should be only in utility classes
- etc. :)

Of course, the stability of code should be proved by tests, not by any formal metrics. But such formal metrics can help to find problematic pieces of code.

posted August 6, 2007

I'd return that question with:
1) What for?
Examine why your collecting the metrics. What are you trying to demonstrate by collecting the metrics? This may affect what you decide to measure.
2) Who wants to know?
Who are you displaying the results to? If its senior management, the detailed metrics might get a bit lost, if its for the developers, then detailed analysis may be acceptable.

Perhaps ask the metric audience what they want?

Good Luck!

posted August 6, 2007

Quality is in the eye of the end-user i.e. the person or entity that garners the benefit of the deployed system. By this definition, every quality metric must directly influcence the end-user's experience.

A high quality application will exhibit the following:

Adherance to requirements
Rapid response to change in the business space
Enthusiastic user acceptance
Robust behavior
Reasonable or better performance
Deliver on schedule and within budget

Taking them in turn

Adherance to requirements implies that the software does what its sponsors intend it to do. Note the users, *not* the developers, own the requirements. The developers own the specifications, which must conform to and support the requirements. This is extremely difficult to measure.

Rapid response to change in the business space -- a.k.a. agility. This encompasses maintainability. On the analysis/design level, this correlates strongly positively with strong separation by subject matter. On the coding level, this is supported by low cyclometric numbers within method flow of control graphs. (This is a fancy, mathematical way of saying "keep it simple.")

Enthusiastic user acceptance, a.k.a. 'Usability'. User Interface metrics -- particularly the principle of minimum surprise -- apply here. Focus groups and other usability evaluation methodologies help here.


Robust behavior, a.k.a. reliability or hardening. Rule 1: all publicly visible operations must be complete -- i.e., must exhibit reasonable and predictible behavior under all possible circumstances. Insist on a tripartate method structure containing:

1. Validation of preconditions
2. The method implementation
3. Validation of postconditions and invariants

Reasonable or better performance. First and formost, negotiate the ground rules, which should have the form p% of transactions complete within time t, where 0 < p < 100 and 0 < t. Next, design in the performance from the get-go, making sure that the system scales appropriately. It can be as bad to over-engineer performance as it is to under-engineer it. Make sure to load test throughly before deploying.

Deliver on schedule and within budget -- this sounds straightforward, but may be the most difficult to accomplish. First, the technical side has to manage user expectations and must push back against infeasible schedules and budgets. Secondly, the development group must measure progress continuously and alert the users to any deviation from plan. Open communication and establish trust from the beginning; sometimes this requires the technical side to bear bad news.

I hope all this helps.

posted August 6, 2007

"From my experience, it's mostly the gut feeling that matters when some one ships the code to repository"

In the process I use the code is ready to commit to the repository when the unit tests pass. That doesn't mean I'm done with it, just that it's ready to check in.

When doing code reviews there are three metrics I like to use to help me focus on possible problem areas:

1 Cyclomatic Complexity
2 NPath Complexity
3 Kirks Metric (Halstead's program volume / LOC)

posted August 12, 2007

The Personal Software Process (PSP) Process Quality Index (PQI) is relevant here since you are looking for the metrics that can be used by developer to monitor the quality of his/her work during the code development before checking in to the repository. Other metrics derived from the number of defects found by test team will need to wait until the test team performs the integration and system testing.

The following is the PSP PQI copy pasted from the link specified below:
1. Design/Code Time
The ratio of detailed design to coding time - when engineers do not take the time to produce a thorough design, they generally make more design errors. To reduce this risk, design time should equal at least 100% of coding time.

2. Code Review Time
The time spent in code review, compared with coding time - by doing a personal code review before they compile, engineers can find a large percentage of their defects. A thorough code review should take 50% or more of coding time.

3. Compile Defects/ KLOC
The defects per KLOC found in compile - even with good review times and rates, the review still could have missed a lot of defects. For quality products, compile defects should be less than 10 defects/KLOC.

4. Design Review Time
Detailed design review time, related to detailed design time - a thorough detailed design review should take 50% or more of the time spent in detailed design. Anything less generally indicates an inadequate review.

5. Unit Test Defects/ KLOC
The defects per KLOC found in unit test - the number of defects found in unit test is one of the best indicators of the number that will later be found. When the unit test defects/KLOC exceed 5, subsequent problems are likely.

Links:

• http://www.sei.cmu.edu/publications/articles/practice-preach/practice-preac...
• http://www.ddj.com/architect/184415470

posted 10 months ago

Hi

Code quality is measured against what it is supposed to do and how it is done?

Most of the time requirements, architectures and design define how good the code is.


Metrics that can be used are


1) Reliability - No of defects identified in multiple rounds of testing or stress testing or burn in test and observe the stability.

2) Code coverage -- % of code covered using tools such as VIsual pure coverage etc.,

3) Design and code traceability -- % of conformance to design. No of design units covered to total design units

4) No of unit test cases per feature or method or class. Minimum 4 test cases per feature ( +ve, -ve and stress, system interaction)

5) % Conformance to standards -- use of fx cop or jtest and codify the rules

6) Number of methods/class, (6 avg), no of lines / method < 60). Same can be described for procedures, functions etc.,

7) % of code documentation. No of lines of documentation/code base( atleast 15% in documentation). Javadoc has more details

8) Exception handling --- Clean exits for application and system exception with proper throw

9) DFT -- Design and code for testability -- Need to provide necessary trace to pinpoint errors. This will be a clear metric for MTTR ( mean time to repair)

10) elements such as scalability, performance would have been covered as part of the design and ideally should not be covered in code metric.

11) no of issues ( bugs and peer reviews)/ kloc at unit level

12) defect leakage % . Number of defects identified from system testing/ total no of errors. This will be a key metric


Random thoughts and you need anything more can be expanded

cheers
cvn

posted 10 months ago

To me, computers is still a science. There's a lot of engineering to happen. Here are some useful tips, in addition to the good ones from below:
1. Apply GRASP patterns. You may/not find an opportunity for a design pattern. GRASP patterns are almost always applicable to most of the modern languages.
2. Doing analysis like bugs per KLOC or lines changed per KLOC was a good practice in COBOL days. Many a times critical bugs are solved in C/C++ by changing one or two lines. From my experience, I developed a different methodology to measure this aspect. I use the ratio of effort(man days) spent on fixing the bug to the effort spent on development. This gives you a better understanding of the productivity. Use historical data to calculate this ratio and set targets accordingly for your team. That works best.

posted 10 months ago

Answere by previous posts are good, I would like to add

1. Number of unit test bugs identified and fixed per kloc. This tells how deep unit testing was done, The tools used for unit testing.
2. Number of QA bugs found against the criticality of the bugs.
3. The test reports and reviews of the artifacts referring which the coding was done.
4. Peers review logs.
5. I donot give preference to the number of test cases while prefer the quality of test cases again not missing any minute requirement.

Links:

• http://http;//www.j2eequestions.com

posted August 6, 2007

Although I have different approach to measure quality of code – By conducting static test (Check List). For example – we have created various checklist point each language or platform, like we have identified few areas for Core Java or C++ Code standard review point (Design Patterns, Modularity, Configurability, Cross-platform portability, Memory Management, Exception Handling, Type casting (Variable, Classes, Method etc), Design Specification Traceability etc). We follow this approach as it is very much difficult to ensure code standard from any Dynamic Testing Approach (Regardless of Automation or Manual Testing). This approach is bit costly we need competent reviewer (Kind of Technical Architect level) but this worth as per my experience.

posted August 6, 2007

Good programming is a highly demanding activity, that stands closer to some form of art than anything else. Symmetry, orthogonality, rhythm and simplicity are examples of the non-technical aspects of good programming. The term "beauty" is not far away.

Measuring "beauty" is certainly not a small feat. So, the metrics you'll get from static analysis tools will give you some interesting indications, but nothing more. You can argue that that's largely enough. I wouldn't.

There isn't any better metrics than code review by your peers. Use the tools to quickly spot what might be the problematic areas in your code base, then ask the team to do a thorough code review of these parts and provide constructive criticisms.

This is also a good opportunity to learn from each other, and to make the team more cohesive.

If you are playing in the Microsoft .NET world, I cannot tell you how much NDepend is a wonderful tool for getting information on your code.

Links:

• http://www.ndepend.com/

posted August 6, 2007

Don't forget about the people!
Your ability to change the product, fix bugs or turn it around completely largely lies in hands of developers. If they are professionals and they are excited, you actually have chances of doing so. Better yet, get them excited about the quality as well - and they will find new ways to keep the quality up.

Metrics mentioned above do make sense. People is just another dimension.

posted August 6, 2007

Go for function points rather than KLOC. Function points are difficult to measure, need an expert, but then KLOC method is not accurate,
because the measurements depend on the programmer's programming
style and the programming language that you are coding in.

Here are some metrics that you can look at :

Unit testing defect density : No. of unit testing defects/No. of function
points
(Same can be applied to unit integration testing)

2. No. of requirements defects found

3. No. of functional spec. defects found.

4. No. of defects found in code review/No. of function points
in that function.

Note that cost of fixing a bug increases as the product development
cycle proceeds to later stages. So, it's important to keep track
of WHEN a bug is found. The sooner the bug found, the less the
cost, energy and time to fix it. This is an important consideration.

posted August 6, 2007

There are several metrics used for gauging software quality. First, I’ll echo the comments of others by saying you should clearly identify what you want to learn from the metrics. Second, keep it simple; don’t collect a huge volume of metrics at first. Begin with some straightforward measurements, and then add others as you gain knowledge about the system. This said, some basic software quality metrics follow here.
• Number of defects – Break this down into no. of issues found during development, found during QA, and found following release, etc. Finding and fixing a defect is always better sooner than later.
• Rate of defect discovery – I.e. defects found in the past day/week/month. Does QA continue to find new defects? Is QA still adding new test cases (preferably automated test cases)?
• Test coverage – Test cases (preferably automated) per module/class/KLOC/etc.
• Defect density – Total defects per module/class/KLOC/etc.

Hope this helps.

posted August 6, 2007

Whatever metrics you use, consider not making them too public internally, or if you do, do not provide incentives for them -- it becomes too tempting to game the system rather than doing the right thing.

To measure overall code quality, we have an independent QA shop measure how many defects have been found, how many are outstanding, and how many have been fixed. By watching these numbers, it's possible to see when one reaches the knee of the curve. That's the point when more things are getting addressed than broken.

posted August 10, 2007

Well here is my take on this topic, I don't see why a developer would want to know if his code is "reasonably good". From a quality perspective I would say: Start with "Testable Requirements", if the requirement can be tested, then this is a pass/fail for the developer to meet.

If the inputs and outputs are clearly defined, then the full range of test cases can be run against the code.

Now this is fine if you are implementing new functionality, but obviously does not help if you are performing maintenance work, unless you can retrofit testable requirements into the existing code base.

Code coverage and other quality metrics really should not be the developers responsibility, the QA dept should have an approach that will determine what needs to be tested, but in smaller shops this does not happen, as the developer becomes the tester and the QA manager etc.

Overall my response has to be: Hire a QA team to improve the overall quality, they will put the necessary mechanism in place to ensure the developer delivers quality code.

posted 10 months ago

Hi Venkat,

Big topic, thanks! Code quality is directly aligned with fitness for use. Life critical software deserves rigorous testing and metrics more so than gaming software for emample. So, my response is - it depends.

Eileen

posted 10 months ago

A metric which I consider applicable to any paradigm (oop, procedural etc)
and efficient to prove at least that a design and an effort for molularization
took place is called cyclomatic complexity.
It is a concrete measurement and besides the above it definately gives an
indication of how it would be for another programmer/developer/designer/architect to follow/take-over the application,
which is definately a metric of quality in our era.

Links:

• http://www.codeproject.com/dotnet/Cyclomatic_Complexity.asp
• http://javaboutique.internet.com/tutorials/metrics/

posted 10 months ago

for me complexity is the key - the real killer in any system is complexity. A highly complex system becomes brittle quickly, which leads to further errors down the road. Complexity is something code inspections don't pick out or are adpated for - so find a good tool in the paradigm you're working in that drives to understan the complexity of your code. Once you're there, and you establish boundary conditions for allowable levels of complexity, then you can use other methods, such as code inspections, to reduce the complexity. But the key predictor for poor quality systems is complexity. This is especially true the larger your software system.

I agree with the thoughts that quality is in the eye of the beholder, and it's actually the end user experience that is essential to get right. Combine that thought with metrics related to function points and defect density per function point, and you're on the right track. Measuring defects per requirement, functional spec defects vs. requirements, and code coverage are all good indicators of working or defective systems. But few people have the methodology or patience to run validation against functional specs or do requirements traceability. These are worthwhile acitivities if you want to get predictive in your software development effectiveness.

In the end you have leading indicators and trailing indicators. A test methodology provides trailing indicators that hamper overall producitivity and effectiveness. Leading indicators, such as function point analysis, requirements coverage/traceability, and even code complexity are more meaningful, productive and cost effective metrics to track. But you need to change your overall approach to make them work, and in the end, you need a system large enough to invest in the time, training and tools to make them work.

posted 10 months ago