Designing .NET Class Libraries: FxCop in Depth (April 6, 2005)

Posted: June 28, 2005

Please note: Portions of this transcript have been edited for clarity

Introduction

frankred [MS] (Moderator):
Hello & welcome to today’s Designing .NET Class Libraries chat on FxCop in Depth.
Let’s get started by introducing our knowledgeable experts...

Joe Duffy [MS] (Expert):
Thanks for coming along! My name's Joe Duffy, and I'm a Program Mgr on the CLR team. I have a blog over at https://www.bluebytesoftware.com/blog/. Looking forward to a fun chat...

BradA [MS] (Expert):
Welcome to the chat! I am Brad Abrams, a Program Manager on the CLR team…

Start of Chat

BradA [MS] (Expert):
Q: I would like to use FxCop but there is so much result set data that I don't need and so much more that I need. So is there a quick way to start?
A: I think the best way to start is to scope down the number of rules you check for... for large codebases starting small and raising the bar is not a bad way to go.. something is better than nothing...

BradA [MS] (Expert):
Q: Is there a way to block developers from checking in code that does not pass FXcop rules?
A: There are some new features of VSTS that I am sure Mike will talk about a bit that make this easy... In addition, the way we do this in the framework build process is to have a "check-in test" that runs FXCop... it fails if there are new violations...

BradA [MS] (Expert):
Q: Does FxCop get updated for version 2.0 coming out soon?
A: Oh yes... we are doing some good stuff with it... adding new rules and most importantly integrating it into VS....

MikeFan [MS] (Expert):
Q: Can you add your own rules to FxCop and where is that documented?
A: Others have provided info on this already, but to complete the question: It is possible to write custom FxCop rules. There is no official SDK documentation for this currently, as our underlying API and some helper technologies have been in quite a bit of flux. John Robbins has written two MSDN articles on custom rules and has also blogged about the process. A simple internet query on his name and 'fxcop' will provide links to samples and text. As others have noted, there is custom rules development support in an active FxCop message board at www.gotdotnet.com/team/fxcop. In the future, we do expect to invest more heavily in SDK samples but this is likely several months out.

MikeFan [MS] (Expert):
Q: What will be the future of FxCop for persons who do not have Team System?
A: There is a free version of FxCop that is distributed externally at www.gotdotnet.com/team/fxcop. We plan to continue distributing this version to help support developers in writing reliable managed code applications that conform to the core MS Design Guidelines. The version of FxCop that ships in VS 2005 does have some additional analysis capabilities that do not exist in the free version. And, obviously, it is deeply integrated in the VS IDE. At this point, we have no plans to change our current distribution of the 'for-free' version.

MikeFan [MS] (Expert):
Q: How do you apply FXCop rules so that all public members are Pascal case?
A: Have I misunderstood your question? This analysis functionality exists in FxCop currently. Are you asking about auto-correcting source (which FxCop does not do)? Or is this a question about how custom rules are written?

MikeFan [MS] (Expert):
Q: Are there any plans to make Fxcop a Visual Studio Addin, so we do not have to switch back and forth? (for people without Team versioning system)
A: We have experimented in the past with making FxCop available as a VS add-in and there were significant performance issues in doing a good job with this. On the other hand, it is fairly straightforward to integrate the command-line version of the tool as an 'external tool' in the VS IDE. After configuration, FxCop messages are sent to the output window. In the presence of available pdb details, the violations are double-clickable (ie, you can jump directly to the source location of a defect).

Joe Duffy [MS] (Expert):
Q: Curious, how strict are the FxCop rules for MS development, do y'all use a standard and stick to it?
A: We're getting better over time. Recently, we did a huge push that took us down to 0 violations. Now, 0 is not 0 in the true sense of the word... some violations we "triage and exclude" for reasons like COM interop, backwards compatibility, consistency, and so on. It's now part of our regular check-in process, so we basically prevent code that would introduce new violations from getting into our codebase. Anthony Moore, dev lead on the BCL team, discussed in a recent Channel9 interview how we used FxCop to drive security push activities... https://channel9.msdn.com/ShowPost.aspx?PostID=35850. There are a ton of great security review style rules that ship as part of the external ruleset.

MikeFan [MS] (Expert):
Q: Why does FxCop emit this error "Class.Method():Void declares a local, '_Vb_t_i4_0', of type System.Int32, which is never used or is only assigned to. Use this local or remove it." on compiler emitted locals?
A: This is a false positive in version 1.312 of the tool, now resolved. Go to www.gotdotnet.com/team/fxcop to download a preview version of FxCop 1.32 that resolves the issue. And sorry for the inconvenience.

MikeFan [MS] (Expert):
Q: I am assuming FxCop will work with assemblies built with the 1.0 version of the framework?
A: Yes, FxCop runs extremely reliably analyzing .NET 1.0 assemblies. You cannot run FxCop itself on v1.0, however, you must be running at least version 1.1 of the framework.

MikeFan [MS] (Expert):
Q: Will the custom dictionary work even if Office isn't installed?
A: Currently, that is not the case. On detecting that office is not installed, FxCop throws an exception and disables all spelling rules. In a future release, we will have a more deeply integrated spell-checker that will work correctly even on machines without Office. I would expect this functionality to come on-line in the next FxCop revision, which will be version 1.33 or higher. The current 1.32 release, in beta right now, does not have this capability as we're still ironing out a few issues w/the new spell-check technology.

Joe Duffy [MS] (Expert):
Q: What is the external rule set?
A: The portion that customers get. We have a lot of R&D- and dogfood- style rules, and also things that rely on internally available only databases that FxCop hooks into. They're not appropriate for broader use, so we use them internally and don't ship 'em to customers.

MikeFan [MS] (Expert):
Q: Will FxCop work with reflection which means that I will have to build the assembly before I get the information about what rules I have broken?
A: FxCop is a binary analyzer. So, yes, you must build your assemblies before we can analyze them. FxCop does not use reflection for this work, we have our own, entirely passive metadata reader that cracks binaries and extracts IL for analysis. This metadata reader allows us to avoid loading your assembly into the runtime, which provides several advantages (such as the ability to recompile your dlls with FxCop up and analyzing them).

MikeFan [MS] (Expert):
Q: Will the new version run with VS 2003 and VS2005 Professional?
A: The new version of FxCop that's available for free is still a stand-alone tool and will remain so for the time being. If you use this version, that means you will be in a side-by-side usage model, analyzing targets, switching to VS to resolve issues and recompile.

Joe Duffy [MS] (Expert):
Q: Will it be possible to generate a cool management report to review what rules are broken on daily basis?
A: Interestingly, we have infrastructure like this internally that we use... Reports that break down violations by rule, assembly, team, and that are sliced/diced in a few different ways. It's used mostly to notice regressions that were introduced as a result of holes in check-in coverage. It's not so hard to write yourself, but I know the FxCop team is looking at better team management tools for the future. For example, all it does is transforms the XML that FxCop spits out natively... It could be a simple XSLT. Any time it's not 0--you know something went awry! :)

MikeFan [MS] (Expert):
Q: Wow! MikeFan, will you release a code sample on how to access the assembly metaData without the need to use reflection?
A: We will not be distributing metadata reader samples, no. The reason for this is that our metadata reader is not itself a redistributable library. There is an initiative internally to provide external customers an alternate metadata reader. The group is code-named Phoenix, if you're interested in non-reflection-based assembly browsing, you might try to get more info on them (search the web). Also, Lutz Roeder (author of Reflector and also an MS employee) has developed his own metadata reader that is available for download by visiting his web site. Search on his name or 'reflector' to find a link.

MikeFan [MS] (Expert):
Q: Will FxCop integrate into real-time coding? Which means it will alert immediately on broken rules same as Resharper is trying to do?
A: This is an excellent idea and is something that we're seriously investigating. There are some difficulties in providing a background analysis that occurs while editing in the IDE. The most obvious one is that functionality needs to be contrived that's specific to each source language, C++, C#, VB, J#, etc. One advantage with FxCop's current approach, of course, is that it works from IL. So, as long as you manage to compile something, we can inspect it. Having said that, we are currently in discussions with the language teams about implementing 'while you edit' analysis. It's obviously a very compelling scenario.

MikeFan [MS] (Expert):
Q: Is there an existing rule base for code complexity violations: methods too long, classes too large or too small, too many parameters, too deep nesting, etc.
A: The VS 2005 Team System Developer/Test SKUs will ship with some analysis along these lines. We have written a cyclomatic complexity check and have some analysis work on the back-burner to generate halstead metrics and other code quality measures. It is unlikely the latter analysis will make it into v1.0 of the product, but we hope to bring the functionality on-line asap, perhaps as part of a service pack release.

MikeFan [MS] (Expert):
Q: On the slide showing the FxCop issues related to COM guidelines, would adding a ComVisible(false) attribute to the public static field also be an acceptable solution?
A: As I recall, this would actually work, because we've special-cased that circumstance in FxCop. Note that doing so won't actually prevent the field from being exposed to COM, however.

MikeFan [MS] (Expert):
Q: Does FxCop have any rules that ship with it by default targeted for web-based assemblies?
A: This is an analysis area that's very rich but which we haven't dived into yet. FxCop's primary purpose is to enforce the MS Design Guidelines, so our analysis is largely constrained to checks relevant for re-usable libraries. Along the way, we've also added some correctness checks that are either classic code analysis concerns or which capture expert guidance provided by the Common Language Runtime team.

MikeFan [MS] (Expert):
Q: Is it possible to specify the location of a custom dictionary via a config file or some other method?
A: FxCop will pick up custom dictionaries from many locations. First, you can use the XML format defined by FxCop (as exemplified by the sample CustomDictionary.xml file we install by default) or a custom.dic file as defined by Word (which is simply a flat list of recognized terms). FxCop will look for both kinds of file in the following locations: 1) alongside the current project file, if one exists, 2) in the user settings folder, 3) alongside the FxCop binary. FxCop will aggregate all located terms into its built-in table used at analysis time.

MikeFan [MS] (Expert):
Q: Why do code generated classes with wsdl.exe for webservices get violation "RemoveUnusedLocals"?
A: The reason for this is simply that wsdl.exe codegen is emitting an unused local somewhere. We have a work item to work with the wsdl.exe and xsd.exe tools owners to modify their code-emit or prevent FxCop from raising false positives (when the code emit is correct). We've done a lot of work with the ASP.NET team, and will now move to the wsdl and xsd folks.

MikeFan [MS] (Expert):
Q: I am assuming FxCop will work with assemblies built with the 1.0 version of the framework?
A: We are in the final stages of getting these checks into the standard tool set. Given where we're at in the 1.32 release cycle, I'd expect these rules to make it into 1.33 or, if we provide one, a patched version of 1.32.

MikeFan [MS] (Expert):
Q: Does FxCop come with the latest rules of security design guidelines which were implemented by the BCL team? (saw some on channel 9)
A: Oops, pasted reply to the wrong question, to repeat: We are in the final stages of getting these checks into the standard tool set. Given where we're at in the 1.32 release cycle, I'd expect these rules to make it into 1.33 or, if we provide one, a patched version of 1.32.

MikeFan [MS] (Expert):
Q: I've never written an FxCop rule, but how difficult would it be to write something that examines test fixtures within an assembly to verify that all methods in a class have been used in a test fixture somewhere? Is this a big undertaking?
A: FxCop already has some 'dead code' analysis that would serve as a pattern. There are internal helpers that will provide all known callers of a particular method. For accurate analysis, of course, you might need to ensure that you're providing a complete set of analysis targets. We can provide more assistance on this if you post a question on the FxCop www.gotdotnet.com message board.

MikeFan [MS] (Expert):
Q: What are some of the more creative uses that you've seen for FxCop? Has anyone come up with a way of using FXCop that the team just never imagined?
A: FxCop has been used internally to generate some statistics and metrics against compiled assemblies. In a few other cases, people have used the tool to locate certain code patterns across a set of binaries, trying to assess, for example, the risk in making a proposed breaking change in their API. Other than that, the most creativity I've seen associated with FxCop lies in the reasons people contrive not to resolve their violations. 8)

MikeFan [MS] (Expert):
Q: Is there any pattern for FxCop usage, sth like cookbook - especially - the case is to run FxCop from as a task of some validation script?
A: We don't currently provide any helper docs for deploying FxCop, it's a good idea. We will try to provide some high-level guidance in this area when we get around to developing our custom rules SDK. Again, we don't expect an opportunity for doing so to occur for several months.

MikeFan [MS] (Expert):
Q: Will there be a FxCop version that will be safe to use on ASP.NET applications? I've heard that at present time it's not a good idea to run FxCop against ASP code-behind assemblies. I apologize if someone already asked this, I didn't see it in the history
A: The objections you've heard of are related to the fact that FxCop is currently very noisy against ASP.NET generated binaries. There are many code conditions in these assemblies that would represent real problems if they existed in a reusable library, but which can be ignored entirely in a web app. Com visibility, for example. What's the point of requiring an explicit ComVisible(bool) marking when COM client interop is clearly not in the cards on a web server? With FxCop 1.32 running on .NET Framework 2.0, we will have a much less noisy and more useful analysis. Web apps in version 2.0 are decorated with a special attribute that lets FxCop know we're dealing with ASP.NET compiled code and we modify our analysis accordingly.

MikeFan [MS] (Expert):
Q: Is there a compiled help that can be included in VS to work with FxCop? In contrast to the HTML pages.
A: VS Team System 2005 will ship with fully integrated rule topics and FxCop help. The stand-alone FxCop 1.32 (currently available for preview on www.gotdotnet.com/team/fxcop) has a compiled CHM file that will launch if you hit F1 after launching the tool.

MikeFan [MS] (Expert):
Q: Why do code generated classes with wsdl.exe for webservices get violation "RemoveUnusedLocals"?
A: Repeating the answer to this question, since the thread still appears open in the chatroom: The reason for this is simply that wsdl.exe codegen is emitting an unused local somewhere. We have a work item to work with the wsdl.exe and xsd.exe tools owners to modify their code-emit or prevent FxCop from raising false positives (when the code emit is correct). We've done a lot of work with the ASP.NET team, and will now move to the wsdl and xsd folks.

MikeFan [MS] (Expert):
Q: gotdotnetSite++;
A: Is this a suggestion to improve the gotdotnet site? :)

MikeFan [MS] (Expert):
Q: How do you apply a rule to make sure a developer will not break a design? for example, in MVC design pattern, Client side Logic should be in a xxxModel class only? Controller should hold only Navigation , etc
A: It sounds as though you're talking about an analysis that examines object hierarchies. You can examine IL for certain call sites, for example, and make sure these are only made from within a class of a specific type (or that extends a specific type). If you'll clarify what you want to look for, I might be able to provide more detail.

MikeFan [MS] (Expert):
Q: Will FxCop present the new cool 3D icons that come with VSTS? :)
A: This is not outside the realm of possibility. Note that the icons used in the FxCop target browser were 'borrowed' from VS 2003. We did make a small modification to indicate static items (we added a tiny red ball for these members).

frankred [MS] (Moderator):
We're almost out of time, so get those last questions in!

MikeFan [MS] (Expert):
Q: In VB code I get the "Override operator equals on overriding value type equals" but I can't override an operator in VB. I do, however think operator overriding is supported in 2.0 for VB? Is this correct? Will FxCop become compiler aware?
A: Here we go, I was waiting for an FxCop bug to materialize. I see by examining this rule source that 1.32 does not, in fact, account for VB binaries in this rule. I'll file a bug right away. We'll probably get this fix into the final version of 1.32. I can't confirm for you whether the next version of VB will support operator overloading, but I'll know sometime tomorrow. 8). Follow up with me on www.gotdotnet.com/team/fxcop.

MikeFan [MS] (Expert):
Q: Are there any third party tools that provide the code complexity analysis for C# and VB.Net?
A: As mentioned in a previous thread, the version of FxCop that ships with VS Team System 2005 generates cyclomatic complexity metrics. This functionality is not available in the free stand-alone version of the tool.

MikeFan [MS] (Expert):
Q: So that it knows if a C# or VB compiler was used so it makes determinations on these types of rules that don't apply to both, but do apply to IL, naturally?
A: Many FxCop rules require specific knowledge of language features and/or specific IL code patterns emitted by the various compilers. At analysis time, we use certain hints to make a call re: what language was used to generate a specific binary. For VB, we look for a reference to Microsoft.VisualBasic.dll or certain auto-generated types and namespaces.

frankred [MS] (Moderator):
It looks like we're out of time. I hope everyone had a good time and got answers to all of their questions. If you have more questions please visit the CLR team blogs https://msdn2.microsoft.com/netframework/aa569259.aspx section on the .NET Framework developer center. Please join us again next Wednesday for the next chat in the Designing .NET Class Libraries https://msdn2.microsoft.com/netframework/aa497250.aspx series.

Joe Duffy [MS] (Expert):
Thanks for coming along everybody! Ciao... see you next time.....

BradA [MS] (Expert):
Q: In VB code I get the "Override operator equals on overriding value type equals" but I can't override an operator in VB. I do, however think operator overriding is supported in 2.0 for VB? Is this correct? Will FxCop become compiler aware?
A: Well, it has been fun, see you next week for the enabling development tools cha...
