Being Smart about FxCop

  • Article

I love FxCop…. If you have not seen
it you should totally go check it
out… Like all great developer tools it started its life because a developer
had a focused problem he needed to solve.
One of the lead developers on the then newly formed
.NET Framework team was responsible for
a large number of APIs in the framework.
He (and a bunch of others) had just gotten though helping me put together
the first pass of the .NET
Framework Design Guidelines Specification. Oh the hours we spent discussing naming
conventions etc... Anyway, he now
needed to make his APIs conform to the guidelines. So like any good developer he saw the
need for a tool. So over the
weekend he busted out the first version of FxCop… It was a cmdline tool that
checked a handful API design issues.

Soon the
.NET Framework Group Program Manager (my
boss at the time) picked the tool up, made it extensible and added more rules,
then I hacked on it a bit, then
Krzysztof Cwalina added a GUI and finally we got real
dev resources when Michael Fanning picked the tool up and made it
real.

But now the real reason I post… The
tool has served us well and has caught a number of good issues in the Framework…
but I have on issue with the way people use it. There is just something deep within
developers that want to fix every single issue, even if they *KNOW* good
and well it is a false positive… Maybe it is from years of using lint type
programs but that model doesn’t work here.
FxCop is primarily an API design tool… it is an aid to a
educated API designer… It provides hints and
suggestions but, design guidelines are subjective by nature and so are many of
FxCop rules. They need to be
understood, considered in context not just blindly fixed. I guarantee if you just blindly fix all
issues FxCop raises your API will be worse than if you do nothing. An example… We have a rule that
encourage use of properties rather than methods for “Get” accessors. Now the DG
goes on for pages about exactly how to make this call, but most of those rules
are subject and therefore hard to FxCop to catch. So, for example FxCop complains
about the public
Guid
GetNext() method we have the Guid class which
generates a guid close in sort order to the current guid (which isn’t truly
unique I’d guess, but helpful for debugging)… FxCop suggests making this a Next
property… now, does that make sense?
No…
Guid’s don’t have a
logical backing store for “Next”… it is purely computational and therefore a
method is better.

As FxCop has grown out of purely the
API space, there are indeed violations
you should always fix… for example we now catch places where CultureInfo should
be passed to string comparison routines to avoid a bizarre security bug having
to do with code points such as the Turkish I…. (the issue is
described here on slide 24 in general)

Have fun with FxCop, but keep your
thinking caps on… that is why they pay you the big bucks
right??