Rotten Code Is a Weapon of Mass Destruction

Peter Coffee: Like U.N. inspectors, Reasoning's tools can tell us what's out there.

When the latest Disney film, "Treasure Planet," yielded disappointing revenues for its Thanksgiving weekend opening, the company was quick to let the industry know that it had a recovery plan. As reported by the New York Times, "Disney executives … point out that Treasure Planet is the last of the films to be made using more costly, complex and labor-intensive animation processes. Future films will … use newer techniques to cut costs, like simplifying much of the animation and using computers to do more of the work."

In short words, when the customers don't like the product, Disney's solution is to find a way to give them something that may be even worse--but is cheaper to produce. Computers are great at doing that, but it's no way to do business.

In general, we don't need managers who follow the path of least resistance to the worst product that can be sold, at the lowest cost that can be achieved. What we need is intelligent application of IT's productivity gains to produce superior results that offer the buyer compelling value. But it seems that the business of building enterprise applications is busily following Disney's path.

More than half of all software projects are more than 50 percent over budget, according to Pricewaterhouse Coopers, whose figures also suggest that four out of five projects both cost more and take longer than planned. The reason may well be that "the quality of the code out there is shockingly bad," as grimly observed by CEO Scott Trappe at the software inspection firm of Reasoning Inc. in Mountain View, Calif. "The average is getting worse," Trappe added when we spoke last week about the company's Illuma source code inspection service.

Even relatively error-proof languages, such as Java--well, compared with C++, anyway--are failing to arrest the slide, said Trappe. "We're finding that Java code has a similar defect density to C/C++ code: About 70 percent of reported errors in C/C++ are null pointer dereferences, while null object dereferences in Java are comparable," he told me. New problems arise from Java's more advanced facilities, such as its ease of writing the multithreaded code that's needed for responsive behavior despite slow network interactions: Potential deadlocks between interdependent threads are hard to find, Trappe said, without overwhelming numbers of the false-positive error reports that destroy the credibility of any quality assurance process.

One bright spot in the industry, said Trappe, is open-source development, with its emphasis on people reading each other's code. The potential embarrassment of public ridicule is probably a powerful motivation to get things right--or even better, to write code that's impressively craftsmanlike, rather than merely good enough. "There aren't enough data points yet to be statistically significant, but what we've seen so far suggests that open source code may have much lower defect density than commercial software--about 1 defect per 10,000 lines, about three times better than we typically see," Trappe estimated.

Apart from the obvious costs of projects that are late and over budget, Trappe warned that many IT managers may not see the largest but least visible component of rotten code's costs. "Their most senior guys spend a third of their time fixing bugs introduced by junior guys who have no idea what they've done wrong. The answers aren't deep, this is not obscure stuff--a lot of the stuff that we find is very basic," he told me.

Unless the audience for your applications is as tolerant as a movie theater full of preschool children, your strategy had better be to fix the problem--not to cut the cost of continuing to do things wrong.

Tell me what's wrong with the code you see.