When we encounter what seems like an especially clever trade name, it sometimes turns out that we're working too hard: What looked to us like an ingenious pun is often unintended.

We're fairly certain, though, that Klocwork, in Burlington, Mass., intended its name to be a double play on words. It combines the abbreviation "kLOC," for "thousands of lines of code," with the notion that the software development process should run in a much more consistent and predictable way.

We got an early look at the shipping code of Version 7.1 of Klocwork's development tool suite, finalized on June 14, which defies the easy categorization of the source code editors and debuggers that used to be the staples of development tool reviews.

The Klocwork lineup might even be termed a suite of suites. It comprises several bundles of tools addressing varied combinations of source code defect and vulnerability analysis, application architecture visualization, and development process improvement.

The Klocwork team's efforts have clearly gone into substance rather than style. Developers who've grown accustomed to professionally packaged tools that install as easily as any end-user application, with correspondingly friendly user interface design, may form an unfavorable first impression of Klocwork's products.

The installation guide is an 88-page manual, with nearly a quarter of that devoted to a chapter ominously titled "Planning Your Installation," plus 10 more pages of actual installation instructions.

Some of our early work with the product found us unceremoniously dumped from a multistep process when we pointed, for example, to a nonempty directory as the place to store a tool's analysis results.

In practice, though, a development organization that assimilates these tools into its day-to-day operations will not continue to encounter these problems and should not be discouraged by them. What's more important is the leverage these tools can provide—when assembled into a configuration that fits a particular environment—in making sure that quality code is built in a productive manner.

For teams developing in C/C++ or Java and seeking improved process measurement depth and rigor—especially when working on multiple development platforms—Klocwork's tools merit investigation.

New in June's Version 7.1 is Java 1.5 compatibility, incorporating the added features of that Java update into Klocwork's inSight Architect tool (see screen). Java developers who are tempted to assert that Java has no security problems may find it educational to look over the list of potential security vulnerabilities that Klocwork can detect in Java code.

The tools can also offer Java style guidance in areas such as matching the abstraction level of a potentially thrown exception to that of the method in question.

Version 7.1's defect detection in C and C++ code has become more subtle. This release has a nasty, suspicious mind (we mean this as a compliment) when it comes to identifying pieces of code that might wind up dereferencing a null pointer by indirect, but sadly plausible, chains of misfortune.

We also note that Klocwork 7.1 has become more assertive about calling things errors, rather than merely suggesting their investigation, as the default response when certain patterns are noticed. Either the Klocwork developers are getting more confident in their detection algorithms, or (perhaps more likely) they've decided that developers need to be whacked with a metaphorical two-by-four to get their attention.

Klocwork's tools are available in two combinations. The Defect + Security Suite is priced at $2,995 per user, and the more complete Development Suite (which we tested) is priced at $3,995 per user.