Do you care about your code? Track code coverage on new code, right now!

by Freddy Mallet

    A few weeks ago, I had a passionate debate with my old friend Nicolas Frankel about the usefulness of the code coverage metric. We started on Twitter, and then Nicolas wrote a blog entry stating "Your code coverage metric is not meaningful" and therefore useless. Not only do I think exactly the opposite, but I would even say that not tracking code coverage on new code is almost insane nowadays.



    For what I know, I haven't found anything wrong in the code


    But before talking about the importance of tracking code coverage on new code and the related paradigm shift, let's start by mentioning something which is probably one of the root causes of the misalignment with Nicolas: static and dynamic analysis tools will never, ever manage to say "your code is clean, well-designed, bug-free and highly maintainable". Static and dynamic analysis tools are only able to say "For what I know, I haven't found anything wrong in the code." And so by extension this is also true for any metric or technique used to understand and analyse source code. A high level of coverage is not a guarantee of the quality of the product, but a low level is a clear indication of insufficient testing.

    For Nicolas, tracking code coverage is useless because in some cases, the unit tests that increase the code coverage can be crappy. For instance, unit tests might not contain any assertions, or unit tests might cover all branches but not all possible inputs. To fix those limitations, Nicolas says that the only solution is to do some mutation testing while computing code coverage (see for instance pitest.org for Java) to make sure that unit tests are robust. OK, but if you really want to reach the Grail, is it enough? Absolutely not! You can have a code coverage of 100% and some very robust but... fully unmaintainable unit tests. Mutation testing doesn't provide any way, for instance, to know how "unit" your unit tests are, or whether there is a lot of redundancy between your unit tests.
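Nicolas's point can be made concrete with a deliberately tiny sketch (hypothetical names, a minimal stand-in for what a real tool like pitest.org does on a much larger scale): a test without assertions reaches full line coverage of a function yet "kills" no mutants, while a test with assertions does.

```python
def absolute(x):
    """The production code under test."""
    if x < 0:
        return -x
    return x

def mutant_absolute(x):
    """A mutant of absolute(): the condition has been negated."""
    if x >= 0:
        return -x
    return x

def weak_test(impl):
    # Executes both branches -> 100% line coverage, but asserts nothing.
    impl(-5)
    impl(5)

def strong_test(impl):
    # Same coverage, but it actually checks the results.
    assert impl(-5) == 5
    assert impl(5) == 5

def kills_mutant(impl, tests):
    """Return True if at least one test fails against impl (mutant killed)."""
    for test in tests:
        try:
            test(impl)
        except AssertionError:
            return True
    return False

# The assertion-free test lets the mutant survive; the real test kills it.
# kills_mutant(mutant_absolute, [weak_test])   -> False
# kills_mutant(mutant_absolute, [strong_test]) -> True
```

Both tests report identical coverage, so coverage alone cannot tell them apart; only the mutation run exposes the difference.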

    To sum up, when you care about the maintainability, reliability and security of your application, you can and should invest some time and effort to reach higher maturity levels. But if you wait until you find the ultimate solution before starting, it will never happen. Moreover, maturity levels should be reached progressively:

    • It doesn't make any sense to care about code coverage if there isn't a continuous integration environment
    • It doesn't make any sense to care about mutation testing if only 5% of the source code is covered by unit tests
    • ... etc.



    And here I don't even mention the extra effort involved in executing mutation testing and analysing the results. But don't miss my point: mutation testing is a great technique and I encourage you to give http://pitest.org/ and the SonarQube Pitest plugin by Alexandre Victoor a try. I'm just saying that, as a starting point, mutation testing is already too advanced a technique.

    Developers want to learn


    There is a second root cause of misalignment with Nicolas: should we trust that developers have the will to progress? If the answer is NO, we might spend a whole lifetime fighting with them and always making their lives more difficult. Obviously, you'll always find some reluctant developers, pushing back and not caring at all about the quality and reliability of the source code. But I prefer targeting the vast majority of developers who are eager to learn and progress. For that majority of developers, the goal is to always make life more fun instead of making it harder. So, how do you infect your "learning" developers with the desire to unit test?

    When you start the development of an application from scratch, unit testing might be quite easy. But when you're maintaining an application with 100,000 lines of code and only 5% of it covered by unit tests, you can quickly feel depressed. And obviously most of us are dealing with legacy code. When you're starting out so far behind, it can take years to reach a total unit test coverage of 90%. So for those first few years, how are you going to reinforce the practice? How are you going to make sure that, in a team of 15 developers, everyone is going to play the same game?

    At SonarSource, we failed for many years



    Indeed, we were stuck at a code coverage of 60% on the platform and were not able to progress. Thankfully, David Gageot joined the team at that time, and things were pretty simple for him: any new piece of code should have a coverage of at least 100% :-). That's it, and that's what he did. From there we decided to set up a quality gate with a very simple and powerful criterion: when we release a new version of any product at SonarSource, the code coverage on new or updated code can't be less than 80%. When it is, the request for release is rejected. That's it, that's what we did, and we finally started to fly. One and a half years later, the code coverage on the SonarQube platform is 82%, and 84% on the overall SonarSource products (400,000 lines of code and 20,000 unit tests).

    Code coverage on new/changed code is a game changer


    And it's pretty simple to understand why:

    • Whatever your application is, legacy or not, the quality gate is always the same and doesn't evolve over time: just make the coverage on your new/changed lines of code greater than X%
    • There's no longer a need to look at the global code coverage and legacy Technical Debt. Just forget it and stop feeling depressed!
    • As X% of your overall code evolves each year (at Google, for example, 50% of the code evolves each year), requiring coverage on changed code means that even without paying attention to the overall code coverage, it will increase quickly just "as a side effect".
    • If one part of the application is not covered at all by unit tests but has not evolved during the past 3 years, why should you invest the effort to increase the maintainability of this piece of code? It doesn't make sense. With this approach, you'll start taking care of it if and only if one day some functional changes need to be done. In other words, the cost to bootstrap this process is low. There's no need to stop the line and make the entire team work for X months just to reimburse the old Technical Debt.
    • New developers don't have any choice other than to play the game from day 1, because if they start injecting uncovered code, the feedback loop is just a matter of hours, and their new code will never go into production anyway.
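The gate described above can be sketched in a few lines (hypothetical function names, not SonarQube's actual algorithm; it assumes you already know which changed lines are executable and which lines your test suite actually ran):

```python
def new_code_coverage(changed_lines, covered_lines):
    """Coverage ratio computed over new/changed lines only.

    changed_lines: set of line numbers added or modified since the reference
    version (assumed here to all be executable, i.e. coverable, lines).
    covered_lines: set of line numbers executed by the test suite.
    """
    if not changed_lines:
        return 1.0  # nothing new to cover -> the gate passes trivially
    return len(changed_lines & covered_lines) / len(changed_lines)

def passes_quality_gate(changed_lines, covered_lines, threshold=0.80):
    """Reject the release when new-code coverage falls below the threshold."""
    return new_code_coverage(changed_lines, covered_lines) >= threshold

# A change touching 5 executable lines, 4 of them covered: 80%, gate passes.
gate_ok = passes_quality_gate({10, 11, 12, 13, 14}, {10, 11, 12, 13})
```

Note that the untouched legacy code never enters the computation, which is exactly why this gate is cheap to bootstrap on a large codebase.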



    This new approach to dealing with Technical Debt is part of the paradigm shift explained in our "Continuous Inspection" white paper. Another blog entry will follow, explaining how to easily track any kind of Technical Debt with such an approach, not just the debt related to the lack of code coverage. And thanks to Nicolas Frankel for keeping this open debate alive.