PREfast: Less Bugs, More Reliability
By Stephanie Horstmanshof and Suzanne Ross
October 25, 2004 12:00 AM PT

Pop Quiz. What are the three things a Microsoft developer can't live without? If you guessed: 1) Pizza, 2) Late-night Xbox play-offs, and 3) PREfast, you'd be pretty darn close. Okay, you're saying. I got the first two, obvious. But PREfast?

PREfast is a tool that identifies defects in C/C++ source code. It's the hot new setup for developers who want cleaner code.

The Programmers Productivity Research Center (PPRC) at Microsoft Research has been working for several years to help developers and testers find more bugs and measure performance. In fact, the tools have done such a good job of helping developers be more efficient that several of the tools must be run on major code bases before the products can be released.

A few years ago Microsoft customers started getting wind of the tools. They wanted them. They wanted to write higher-quality code that was free from annoying bugs. So, for the first time, teams from Microsoft and PPRC got together to release an internal tool to external customers.

PREfast is a static analysis tool that identifies defects in C/C++ source code. Developers and testers use it iteratively throughout the development process. PREfast plows through source code, one function at a time, and looks for coding patterns and incorrect code usage that may indicate a programming error. When PREfast finds an error, it triggers a defect warning in the PREfast error log. Users can then view all defect warnings on a Web-based user interface (UI). In addition to the warning, the UI provides a snippet of the offending source code and a link to documentation that explains why the error was triggered.

PREfast helps developers perform quick desktop error detection without having to install SQL Server and IIS. The tool can detect a wide variety of defects, including the use of functions with known security problems or common programming errors such as hiding global declarations with a local declaration. It handles resource management issues such as not checking memory allocation before use and not freeing memory after use.
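To make those defect classes concrete, here is an added example (written for this page, not taken from the article or from Microsoft) showing one small C function that contains each of them, next to a corrected version. All function and variable names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical names throughout; constructed for illustration. */
static size_t count = 0;                /* global: labels built so far */

/* BEFORE: shows each defect class named in the paragraph above. */
char *make_label_flawed(const char *name)
{
    size_t count = strlen(name);        /* local declaration hides the global */
    char *tmp = malloc(count + 1);
    strcpy(tmp, name);                  /* allocation used without a NULL check */
    char *out = malloc(count + 8);
    if (out == NULL)
        return NULL;                    /* tmp is leaked on this path ... */
    sprintf(out, "label:%s", tmp);      /* unbounded formatting function */
    return out;                         /* ... and on this one */
}

/* AFTER: the same job with the defects removed. */
char *make_label_fixed(const char *name)
{
    if (name == NULL)
        return NULL;
    size_t len = strlen(name);          /* distinct name, no shadowing */
    char *tmp = malloc(len + 1);
    if (tmp == NULL)                    /* check before first use */
        return NULL;
    memcpy(tmp, name, len + 1);         /* length-bounded copy, includes NUL */

    size_t out_size = len + sizeof "label:";   /* sizeof counts the NUL */
    char *out = malloc(out_size);
    if (out != NULL) {
        snprintf(out, out_size, "label:%s", tmp);
        count++;                        /* updates the global, as intended */
    }
    free(tmp);                          /* released on every path */
    return out;
}

size_t labels_built(void) { return count; }

int main(void)
{
    char *s = make_label_fixed("disk0");   /* constructed sample input */
    if (s != NULL)
        puts(s);
    free(s);
    return 0;
}
```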

The first internal release of PREfast was in early 2001. It originally offered a basic set of defect detection capabilities with a limited user interface. With each additional release, the team, led by Ramanathan Venkatapathy, worked to increase the value of the tool by offering additional defect detection and improving the UI.

Right from the start, PREfast had a big following within Microsoft. "We had over a thousand users, including the Office, SQL, and Windows teams," said Venkatapathy.

Its popularity led members of the PPRC, Visual Studio Team Developer, and Windows DDK teams to discuss an external release of PREfast. The close collaboration of these teams led to the first external release of PREfast as part of the Windows DDK.

The Windows Driver Development Kit (DDK) team provides hardware developers and device driver writers with information about developing, debugging, and testing their products. PREfast was first released externally as part of the Windows .NET Server 2003 DDK in spring of 2003. Because this was the first PPRC tool to be released outside the company, the initial offering was a pared-down version of the internal PREfast tool.

The Visual Studio Team Developer team is responsible for providing tools that enable developers and testers to create high-quality enterprise software.

The Visual Studio Team Developer team has spent the past year integrating a fully functional version of PREfast into the Visual Studio environment and bringing it current with the latest version of the compiler. This will be part of Visual Studio Team System 2005, which is shipping in the first half of next year. "This has been a great partnership," said Sean Sandys from the team. "Going forward, we will further develop and support PREfast. We will also continue to partner on new code analysis technologies with the PPRC team."