Programming Tools: Code Complexity Metrics
Recently, I was asked to maintain some old code and test some new code. Both tasks required that I understand the code with which I was working. Most of the time, these jobs are non-trivial due to the complexity of most code. At least four items can make things complex:
the obvious problem of understanding what is written
what the code is supposed to do, both at the macro and micro level
the environment in which the code is to run
the assumptions made about each of these things
A lot of tools are available to help sort out each of these issues. Few programs out there, however, try to measure the complexity of the code. I define complexity of code as the amount of effort needed to understand and modify the code correctly. As I explain in this article, computing complexity metrics often is a highly personal task. Also, few metrics have been shown to be of real value in determining the amount of effort needed to maintain or test code.
Performance metrics measure how well a valid program executes. Profiling tools fall into this category, and many tools are available. But for maintenance metrics, there are surprising few tools. Therefore, this column concerns creating a maintenance metric tool that measures complexity. It can be used as a prototype for general tools in other languages.
Maintenance metrics also are called static metrics because they are based on the source code. I subdivide maintenance metrics into formatting metrics and logical metrics. Formatting metrics deals with such things as indentation conventions, comment forms, whitespace usage, naming conventions and so on. Logical metrics deals with such things as the number of paths through a program, the depth of conditional statements and blocks, the level of parenthesization in expressions, the number of terms and factors in expressions, the number of parameters and arguments used and the like.
Complexity metrics depend on both of these types of maintenance metrics. For example, poor naming conventions can make any program hard to understand, and poor logical constructs can add to the difficulty of dealing with the code.
Another thing to notice is the number of factors that can be defined when measuring complexity. For example, you may find something easy to understand, while I may find it difficult. Given this, it would be presumptive of me to tell you how complex your code is. To solve this problem, I remembered how relational databases handle reporting.
If there is some way of finding elements of a program, putting them into a explicit context and then writing them to a row in a table, we then could use SQL-like facilities to analyze the data in any desired way. That said, we can cheat a little. While writing the records, standard metrics can be computed that may handle most needs.
The McCabe Cyclomatic Metric was introduced by Thomas McCabe in 1976. It probably is the most useful logical metric. It measures the number of linearly independent paths through a program. For example, for a simple function that has no conditionals, only one path exists. This straight-line code usually is easy to follow. Programs that have many conditionals, in turn, are harder to follow. The difficulty also increases if multiple ways of exiting the program exist. That is why it often is a headache to debug a program with many exits.
The McCabe metric is:
M = E - N + X
where M is the McCabe Cyclomatic Complexity (MCC) metric, E is the number of edges in the graph of the program, N is the number of nodes or decision points in the graph of the program and X is the number of exits from the program.
In programming terms, edges are the code executed as a result of a decision--they are the decision points. Exits are the explicit return statements in a program. Normally, there is one explicit return for functions and no explicit return for subroutines.
A simpler method of computing the MCC is demonstrated in the equation below. If D is the number of decision points in the program, then
M = D + 1
Here, decision points can be conditional statements. Each decision point normally has two possible paths.
MCC also is useful in determining the testability of a program. Often, the higher the value, the more difficult and risky the program is to test and maintain.
Some standard values of Cyclomatic Complexity are shown in Table 1:
Table 1. Standard Values of Cyclomatic Complexity
|Cyclomatic Complexity||Risk Complexity|
|1-10||a simple program, without much risk|
|11-20||more complex, moderate risk|
|21-50||complex, high risk|
|51+||untestable, very high risk|
One final word on MCC that also applies to most of the other metrics: each element in the formulae is assumed to have the same weight. In MCC's case, both branches are assumed to be equally complex. However, in most cases this is not the case. Think of the if statement with code for only one branch--yet each branch is treated as having the same weight. Also, measures of expressions are all the same, even for those that contain many factors and terms. Be aware of this and be prepared, if your tool gives you the ability, to add weight to different branches. This metric is called an Extended McCabe Complexity Metric.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Ubuntu Online Summit
- Devuan Beta Release
- The Qt Company's Qt Start-Up
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- May 2016 Issue of Linux Journal
- The US Government and Open-Source Software
- The Death of RoboVM
- Open-Source Project Secretly Funded by CIA
- New Container Image Standard Promises More Portable Apps
- BitTorrent Inc.'s Sync
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide