Lessons from Building Static Analysis Tools at Google

From AcaWiki
Jump to: navigation, search

Citation: Caitlin Sadowski, Edward Aftandilian, Alex Eagle, Liam Miller-Cushon, Ciera Jaspan (2018) Lessons from Building Static Analysis Tools at Google. Communications of the ACM (RSS)
DOI (original publisher): 10.1145/3188720
Semantic Scholar (metadata): 10.1145/3188720
Sci-Hub (fulltext): 10.1145/3188720
Internet Archive Scholar (search for fulltext): Lessons from Building Static Analysis Tools at Google
Wikidata (metadata): Q61674533
Download: https://cacm.acm.org/magazines/2018/4/226371-lessons-from-building-static-analysis-tools-at-google/fulltext


Discusses lessons leading to and from "static analysis infrastructure used daily by most software engineers at Google."

Analysis tools used are simple, and include style checkers, bug-finding tools that may extend the compiler, analyzers that make calls to production services, and analyzers that examine properties of build outputs.

Describes failed attempts in 2006, 2009, and 2011 to integrate FindBugs into Google's workflow, and successful integrations of other tools. Lessons:

  • Finding bugs is easy in a large codebase
  • Most developers will not go out of their way to use static analysis tools
  • Developer happiness is key
  • Do not just find bugs, fix them
  • Crowdsource analysis development


  • Push workflow integration as early as possible
  • Code review is a sweet spot for displaying analysis warnings before code is committed
  • Curate tests, get feedback from developers so that they only get reports they want to fix and do not grow warning blindness

Theoretical and Practical Relevance

Discussed at https://news.ycombinator.com/item?id=16954877

Another summary at https://blog.sourced.tech/post/review-building-static-analysis-tools/