Copyright © 2006 Quest Software

EngineeringBetter PL/SQL

Bert ScalzoDatabase Domain ExpertBert.Scalzo@Quest.com

11

Bert Scalzo …Database Expert & Product Architect for Quest Software

Oracle Background:• Worked with Oracle databases for over two decades (starting with version 4)• Work history includes time at both “Oracle Education” and “Oracle Consulting”

Academic Background:• Several Oracle Masters certifications• BS, MS and PhD in Computer Science• MBA (general business)• Several insurance industry designations

Key Interests:• Data Modeling• Database Benchmarking• Database Tuning & Optimization• "Star Schema" Data Warehouses• Oracle on Linux – and specifically: RAC on Linux

Articles for:• Oracle’s Technology Network (OTN)• Oracle Magazine,• Oracle Informant• PC Week (eWeek)

Articles for:• Dell Power Solutions

Magazine• The Linux Journal• www.linux.com• www.orafaq.com

22

Books by Bert …

Coming in 2009 …

3

Agenda• PL/SQL as a Language

• Costs of Software Defects

• Failure of Best Practices

• Code Reviews Inadequate

• Software Engineering to the Rescue

• Automation = Real Rescue = Better Code

• Code Metrics – Explanation & Examples

• Conclusion – Automated Metrics = Success

4

PL/SQL as a Language…• Relatively easy to learn (based on ADA)

• Well integrated with the Oracle Database

• Efficient for complex and/or large scale DB operations

• Origin was SQL Forms (later moved into database)

• Was once an optional $$$ add-on to the database

• Lots of books (best by Steven Feuerstein of Quest)

• Evolved into mature, robust and functional language

• Of late, many new Oracle features have been exposedvia PL/SQL API rather than adding additional new SQLcommands (e.g. DBMS_JOB, DBMS_SCHEDULER, DBMS_REDEFINITION, etc)

5

Simple is as Simple does…• Simple & easy to learn !auto= effective & efficient

• PL/SQL code is often as flawed as any other code

• Some of the worst code I’ve seen had been PL/SQL

• PL/SQL sometimes makes it easy to shoot self in foot

• Many PL/SQL code issues survive into production!!!

• I’ve been an “Expert Witness” in court cases on this

• So, how do we apply better “scientifically based”Software Engineering “Best Practices” to mitigatedevelopment mistakes – yielding “Better Code” ?

6

Costs of Software Defects…• Quote: inferior software in 2002 for US = $59.5 Billion

• Possible Breakdown– 2.5 Million IT workers in US

– Only about 50% doing coding

– So $59,500M / 1.125M coders ~= $50K per developer

• What if employers could hold you liable?

• So reduce your salary by $50K – ouch

• We’d all have to buy mal-practice insurance!

7

Interesting Statistics…

60%

40%

Programmer Time Development Costs

60%

40%

Bug Fixes

Maintenance

8

Failure of “Best Practices”…• Development teams use guidelines & best practices

• Lots of developers cubes’ are full of PL/SQL books

• Lots of new ideas:– Agile Development

– Interaction Design

– Technique de jour…

• Yet paradigms are problematic– Inconsistent implementations

– Less than perfect adherence

– How do we monitor & measure

• Net Effect: not quite effective as possible/promised

9

Code Reviews Inadequate…• Code Reviews are good in theory…

• But:– Increased cost in both time & money

– Requires “fair & reasonable” implementation

– Requires good team dynamics – “true peers”

– Only as good as those doing the code reviews

• Thus:– Few shops try them or give up on them far too easily

– Code reviews can also become just a “check box” task

• Need software to simplify, automate, make moreconsistent, provide way to monitor and measure!

10

Software Engineering to Rescue…• US Air force funded study in the mid 1980’s• Carnegie Mellon Software Engineering Institute (SEI)• Published “Managing the Software Process” in 1989• Basis for “Capability Maturity Model” (CMI) in 1991• Later “Capability Maturity Model Integration” (CMMI)• Simple 5 level gauge of software development:

– Initial: ad hoc, depends on the competence of people– Repeatable: project management to schedule & track– Defined: standards emerge and are applied across projects– Managed: management controls via statistical/quantitative metrics– Optimizing: adopt agile, innovative and incremental improvements

11http://www.sei.cmu.edu/cmmi/adoption/pdf/cmmi-overview07.pdf

12http://www.sei.cmu.edu/cmmi/adoption/pdf/cmmi-overview07.pdf

13

Automation to the Real Rescue…• Make code reviews painless and easy – and fun

• Perform automated code reviews before manual ones

• If not doing code reviews, at least do automated ones

• Eliminate simple and often embarrassing mistakes

• Provide team/project manager code quality reports

• Managers can now better measure many aspects:– Efficiency/effectiveness of the resulting code

– Efficiency/effectiveness of the developers (more accurate/fair)

– History of the code quality – for project progress/regression analysis

• Result: better code – and better developers over time

14

Toad’s “Code Xpert”…

15

Define your Coding Rules…

144 rulesfrom

StevenFeuerstienand BertScalzo

16

Examine the Results…

17

Automate Tuning as well…

18

Examine Code Metrics too…

Only performed once!

So what are these?

19

What are Code Metrics…

The critical and initial step in obtaining SEI maturity level-4 (managed) is tounderstand, embrace and implement quantitative analysis. But what exactlyis quantitative analysis?

Quantitative analysis is an analysis technique that seeks to understandbehavior by using complex mathematical and statistical modeling,measurement and research. By assigning a numerical value to variables,quantitative analysts try to decipher reality mathematically.

That’s really just a pretty academic way to overstate a rather simple idea.

There exist some very well published and accepted standards (i.e. formulas)for examining source code such as PL/SQL, and assigning it a numericrating. Furthermore, these ratings are simple numeric values that mapagainst ranges of values – and where those ranges have been categorized.

20

Halstead Complexity Measure…http://www.sei.cmu.edu/str/descriptions/halstead.html

This metric simply assigns a numerical complexity ratingbased upon the number of operators and operands in thesource code as follows:

Code is tokenized and counted,where:

n1 = the number of distinct operators

n2 = the number of distinct operands

N1 = the total number of operators

N2 = the total number of operands

The ideal range for a program unit is between 20 and 1000: wherethe higher the rating the more complex the code. If a program unitscores higher than 1000, it probably does too much. Lower = Better

21

McCabe’s Cyclomatic Complexity…http://www.sei.cmu.edu/str/descriptions/cyclomatic.html

This widely-used metric is considered a broad measure ofthe soundness and confidence for a program. It measuresthe number of linearly-independent paths (i.e. loops)through a program unit – assigning a simple number thatcan be compared to the complexity of other programs:

Cyclomatic complexity (CC) = E - N + p

Where E = the number of edges of the graph

N = the number of nodes of the graph

p = the number of connected components

22

Maintainability Index…http://www.sei.cmu.edu/str/descriptions/mitmpm.html

This metric is calculated using a very complex polynomialequation that combines weighted values for the HalsteadComplexity Measure, McCabe’s Cyclomatic Complexity,lines of code, and the number of comments as follows:

171 - 5.2 * ln(aveV) - 0.23 * aveV(g') - 16.2 * ln (aveLOC) + 50 * sin (sqrt(2.4 * perCM))

Where:

aveV = average Halstead Volume V per module

aveV(g') = average extended Cyclomatic Complexity per module

aveLOC = the average count of lines of code (LOC) per module

perCM = average percent of lines of comments per module

23

So let’s look once again…

Only performed once!

Pretty “complex” forsuch a small program

20 1 85

24

Fixed and Scored Again…

236% 200% 24%

TrulyBetter!

Measurable

Accurate

Objective

25

But, “Houston we have a problem”

• Most people either simply did not know or did not likethese software engineering metrics

• Common complaint was either who knows this junkor how to interpret such numbers

• Wanted a “working mans” solution rather than anacademically perfect principle …

• So Quest made Toad simpler– introduced a simple street light coloration (red, yellow, green)

representation based upon a proprietary formula– Created a default, minimal rule set (Bert’s and Steven’s top-20)

• Seems to have quelled the complaints so far …

26

Better code simplyyields clearly

obvious better score

27

Thank youPlease offer any questions or comments

Remember:

• No such thing as a “Perfect Program”

• Nor should we “waste time” trying for perfection

• Embrace software engineering approach & metrics

• Utilize software tools that support/automate that effort

• Measure success using simple yet reliable scientific metrics

• This approach improves code quality – and improves skill sets

• PS – all these concepts apply outside PL/SQL – but not use Toad

• Your mileage may well vary (especially percentages)