Static analysis tools are a great help for developers to discover bugs and anti-patterns before they occur in production systems. Such tools are usually integrated with the integrated development environment (IDE), for example Eclipse or IntelliJ, and are run either in the background (for example, when the source file is saved, or triggered by the version control system) or manually by the developer. Of course, such tools must be effective: they should not distract the developer or “force a developer to context-switch away from her primary objective”; they should not report false positives (that is, correct code fragments reported as errors); and they should suggest a possible solution.
However, the authors found that existing tools (commercial and open source, such as Coverity and FindBugs) do not entirely fulfill the above requirements when applied to a large code base, where the languages differ, the teams differ in their skills, and the understanding and perception of the analysis results vary. Tricorder is applied in this scenario.
The authors present the Tricorder tool, a static program analysis platform used in production at Google. Tricorder is a toolchain that works alongside the developer, interfacing a set of available tools (as plugins) in a structured workflow applied to a large code base with different languages and different IDEs. They present in detail how static analysis is performed at Google and provide usability data and usage statistics, mostly for Java, C++, Python, and Go.
The paper starts with an introductory part containing motivations and background work. It continues with the Google philosophy on program analysis, and then the implementation details and deployment of Tricorder. The paper concludes with a discussion section, related work, and analysis of the usage statistics.