Regular use of static code analysis in team development
Authors: Evgeniy Ryzhkov, Andrey Karpov
Date: 09.08.2010
Abstract
Static code analysis tools are used by companies with mature software development processes. The depth to which such tools are introduced into the process varies, however: from running an analyzer by hand "from time to time" or only when hunting for a hard-to-find error, to running it automatically every day or at the moment new source code is added to the version control system.
This article discusses the different levels at which static code analysis can be used in team development and shows how to move the process from one level to the next. The PVS-Studio code analyzer developed by the authors serves as the example.
Introduction
A static code analyzer is a tool that searches source code for software errors. It helps catch errors at an early stage of development instead of later, during testing or after release.
However, companies often fail to benefit from such tools, for several reasons. Some projects are simply not suited to introducing a code analyzer for economic reasons; others are too small for the effect to be visible. So, before integrating static analysis into a development process, you should understand when doing so pays off and when it does not.
Drawing on the authors' experience of developing, promoting and selling their own static code analyzer, this article sets out the main considerations to keep in mind when introducing such tools into a development process.
About static code analysis
Static code analysis is a technique for finding errors in programs by parsing their source code and searching it for patterns of known errors. The technique is implemented in dedicated tools called static code analyzers.
The word "static" means that the code is examined without executing the program. Tools that examine a program while it is running are called dynamic analyzers.
The best-known static analyzers are produced by Coverity, Klocwork and Gimpel Software. Well-known dynamic analyzers are produced by Intel (Intel Parallel Inspector) and Micro Focus (DevPartner BoundsChecker). We should also mention the specialized static analyzer PVS-Studio, developed and promoted by the authors of this article.
The output of a static code analyzer is a list of potential errors found in the code, each with a reference to a file and line; in other words, a list that closely resembles the one a compiler produces. The term "potential errors" (or "issues") is used deliberately: a static analyzer cannot be absolutely precise and tell you whether a given finding is a real defect in your code. Only the programmer knows that. This is why analyzers sometimes raise false alarms, and there is no way to avoid them entirely.
Static code analyzers differ in the programming languages they support (Java, C#, C, C++) and in the issues they can diagnose: general-purpose analyzers versus specialized ones, for instance those intended for 64-bit or parallel software development.
Kinds of projects static code analysis is relevant for
It is reasonable to employ static code analysis not in every project but only in medium and large ones. Where the line between small, medium and large lies is outside the scope of this article, but from our experience we recommend considering static analysis for projects of more than 30 person-months. For a smaller project it is better simply to staff it with a few skilled developers than to introduce static analysis: a team of two to four skilled people will manage such a project and deliver good quality on its own. But if more people are involved, or the project runs for more than half a year, it is naïve to hope that "all we need to do is just write without errors".
Ways (scenarios) of using static code analyzers
Let us consider the situations in which a development team may find it necessary to use static code analysis. We deliberately take the case where static analysis is only just being introduced into the development process: if it has been in use for a long time, there is no sense in discussing the problems of introducing it.
So, suppose there is a team of five people whose job is to port the code of a software project to 64 bits, and suppose the project is written in C/C++. We note in advance that these assumptions are made on purpose, so that our PVS-Studio analyzer fits the example. The developers fix the main compilation errors, build the application and make the distribution package. They begin testing it and find very mysterious errors that appear only in the 64-bit version. The developers go to Google, type "64-bit platform C++ issues" and, among 8.5 million results, see on the first page a link to our article "20 issues of porting C++ code on the 64-bit platform", from which they learn that C/C++ applications can contain issues that were invisible before but surface in their 64-bit builds. In the same article they read that there is a tool, PVS-Studio, that will let them find and fix these issues. They download the tool, study the demo version, purchase it if it suits them, find a number of errors in their code with the analyzer, fix them, and the program is rid of the issues. After that the developers consider the task of creating the 64-bit version solved and stop using the analyzer, since they think they no longer need it.
Here is another scenario close to the previous one. A team of five developers encounters an error in a third-party module while developing a Java application. They do not manage to find the error "by eye", so they download a demo version of some code analyzer, find the error in the third-party module and fix it, but do not buy a license for the tool because of the project's limited budget. The result: the error is fixed, the application is released, and the tool's license agreement is not violated. Everything looks fine, but this way of using a static analyzer cannot be called right either.
The third way of using static analysis: developers start using Visual Studio Team Foundation Server, which can run code analysis on files being added to the version control system. A few weeks later the developers turn the analysis off, because adding new code has turned into a game of "make the analyzer let us check the file in".
None of these three scenarios is a good way of using static analysis, even though the analyzer helped to find real errors in the first two cases, and in the third case the code apparently deserved the warnings it got. What are the reasons for these failures?
What prevents developers from using static code analyzers to the full extent
Let us look at why each of the ways of using static analysis described above is unsatisfactory.
If a team uses a specialized code analyzer (as in the case of searching for 64-bit issues), the temptation to stop using the tool once all the issues seem to have been found and fixed is very strong. Indeed, once the 64-bit version of a product has shipped, there may seem to be little point in running a special tool any further. But that is not so. If you stop using the analyzer, then some time later (in practice, some months) you will run into the very errors in your new code that the analyzer could have caught. That is, although the 64-bit version of the application exists and was debugged some time ago, newly written code may still contain errors typical of 64-bit applications. The conclusion from the first scenario: dropping a specialized analyzer after its job seems done leads to new errors of the same kind quite soon.
In the second case, the team turned to a specialized tool only after realizing that the project contained hard-to-find errors, and dropped the tool after fixing them. The problem with this approach is that hard-to-find errors will appear in the project again sooner or later, and next time it may be the users who notice them first, not the developers or testers. The conclusion from the second scenario coincides with the first: giving up the tool will inevitably lead to new hard-to-find errors.
In the third scenario, where the developers gave up analysis of new code because of the trouble it caused when checking files into the version control system, the problem is not in the static analyzer at all. The problem is the team's insufficient skill. First, the team did not manage to configure the tool so that its warnings actually helped them. Second, perhaps their code really was rather bad, given how many diagnostic messages the analyzer produced.
So let us formulate the main problems that prevent developers from using static code analyzers permanently in their work:
1. The high price of static code analyzers keeps them out of small projects (especially projects small in budget). You should simply accept that there are projects for which static analysis is unsuitable for economic, not technological, reasons.
2. A static code analyzer produces many false alarms. Every code analyzer generates false alarms, and in some cases there are very many of them. The reason lies in the philosophy of such tools: it is better to emit ten or a hundred false messages than to miss one real error. Do not base your choice on the hope that one analyzer produces fewer false alarms than another; choose instead a tool that gives you a workable way of handling them. For instance, our PVS-Studio analyzer has a "Mark as False Alarm" function, with which you mark the analyzer's false alarms right in the code, i.e. specify that the analyzer must not issue a particular type of message on a particular line.
3. Poor integration into the development environment. If a static analyzer does not integrate smoothly and "seamlessly" into the development environment, hardly anyone will use it.
4. No way to run the tool automatically from the command line. This prevents developers from analyzing the code of the whole project regularly, for instance as part of the daily build.
5. No way to integrate the tool with the version control system. Although analysis of new code at check-in time, as in the example above, drove the developers to abandon the tool, the possibility of such integration is useful in itself.
6. Analyzer settings that are either too complicated or, on the contrary, too simple.
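The following is an added example, not PVS-Studio's or any vendor's code, sketching in Python the mechanics the sections above describe: a list of known error patterns checked against source lines, compiler-style "file(line): warning" output, an in-code marker that silences a reviewed false alarm on one line only (the "Mark as False Alarm" idea of item 2; the "//-A001" spelling is invented here), and a non-zero exit status so the check can run from the command line in a daily build or a check-in hook (items 4 and 5). The rule ids A001..A003, the regular expressions and the C sample input are all constructed for this example; a real analyzer matches patterns on a parsed syntax tree rather than on raw lines.

```python
"""Toy pattern-based static analyzer for C sources (illustrative, not a real tool).

Rule ids A001..A003 and the trailing "//-A001" false-alarm marker are invented
for this example. Real analyzers match patterns on a parsed syntax tree; plain
line regexes are enough here to show the workflow around the analyzer.
"""
import re
import sys
from typing import Dict, List, NamedTuple, Set


class Diagnostic(NamedTuple):
    file: str
    line: int      # 1-based, as in a compiler message
    rule: str
    message: str


# One regular expression per known error pattern, applied to each source line.
RULES = {
    "A001": (re.compile(r"\b(?:int|unsigned)\s+\w+\s*=\s*"
                        r"(?:\(\s*(?:int|unsigned)\s*\)\s*)?(?:strlen|sizeof)\s*\("),
             "size_t value stored in a 32-bit integer; truncates on 64-bit targets"),
    "A002": (re.compile(r"\(\s*(?:int|unsigned)\s*\)\s*(?:malloc|calloc|realloc)\s*\("),
             "pointer cast to a 32-bit integer; the upper half of a 64-bit address is lost"),
    "A003": (re.compile(r"\bif\s*\(\s*\w+\s*=(?!=)"),
             "assignment inside an if condition; did you mean '=='?"),
}

# "//-A001" at the end of a line marks that rule as a reviewed false alarm there.
SUPPRESS = re.compile(r"//-([A-Z]\d{3})")


def suppressed_rules(line: str) -> Set[str]:
    """Rule ids the programmer has marked as false alarms on this line."""
    return set(SUPPRESS.findall(line))


def analyze_source(text: str, filename: str = "<string>") -> List[Diagnostic]:
    """Run every rule over every line; return potential errors in file order."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        silenced = suppressed_rules(line)
        for rule_id, (pattern, message) in RULES.items():
            if rule_id not in silenced and pattern.search(line):
                found.append(Diagnostic(filename, lineno, rule_id, message))
    return found


def format_diagnostic(d: Diagnostic) -> str:
    """Visual Studio style, so the IDE can jump to the offending line."""
    return f"{d.file}({d.line}): warning {d.rule}: {d.message}"


# Constructed C input: three genuine patterns and one reviewed false alarm.
SAMPLE_C = """\
#include <stdlib.h>
#include <string.h>

int length_of(const char *s) {
    int n = strlen(s);               /* truncated if the string exceeds 2 GiB */
    return n;
}

void *keep_handle(void) {
    int handle = (int)malloc(16);    /* upper 32 bits of the address are lost */
    return (void *)handle;
}

int same(int a, int b) {
    if (a = b) return 1;             /* almost certainly meant == */
    int bytes = (int)sizeof(int);    //-A001  reviewed: sizeof(int) always fits
    return bytes;
}
"""


def read_sources(paths: List[str]) -> Dict[str, str]:
    """Files named on the command line, or the embedded sample if none."""
    if not paths:
        return {"sample.c": SAMPLE_C}
    sources = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            sources[path] = fh.read()
    return sources


def main(argv: List[str]) -> int:
    """Command-line entry point; exit status 1 if any warning survives."""
    found = [d for path, text in read_sources(argv[1:]).items()
             for d in analyze_source(text, path)]
    for d in found:
        print(format_diagnostic(d))
    return 1 if found else 0   # lets a daily build or check-in hook fail on findings


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to analyze the embedded sample, or pass one or more .c files. Because the exit status is 1 whenever a warning survives, a build step or pre-commit hook that invokes it fails on new findings, which is the gate the Team Foundation Server scenario describes; marking a reviewed false alarm in the code is what keeps that gate from turning into the "make the analyzer let us check the file in" game.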
A good solution is cooperation between the company that wants to use static code analysis and the company that provides it. That is, the relationship must change from "buy the tool and use it" to "buy the solution, integrate it, and only then use it". Like it or not, in most cases you will not get any benefit from simply buying and running an "analyzer applet". You must bring the development process in your company up to the task and, together with the vendor of the static analysis solution, integrate the tool it offers into the team's permanent, regular development process.
This is the scheme used by the leaders of the static analysis market such as Coverity and Klocwork. Its signs are not very visible, by the way: it is not easy to obtain a demo version from these companies' sites, and an answer to the question "how much does it cost?" is impossible to get until their sales managers have learned as much as they can about the customer.
Summary
If your company plans to employ static code analysis, keep the following in mind:
1. Introducing static code analysis affects the whole development process.
2. A static analyzer is not an "applet", and not another copy of Windows that you can buy and use without any relationship with the vendor. You will have to establish close communication with the analyzer's developers, and the integration will demand considerable effort and time.
3. A static analyzer raises the general culture of software development in a team, but only if the team is ready for it; it is a mutual process.
4. Raising the development culture through static code analyzers is expensive. Be prepared for it and understand that it will require substantial investment.
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 

Recently uploaded (20)

Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 

Regular use of static code analysis in team development

  • 1. Regular use of static code analysis in team development Authors: Evgeniy Ryzhkov, Andrey Karpov Date: 09.08.2010 Abstract Static code analysis technologies are used in companies with mature software development processes. However, there might be different levels of using and introducing code analysis tools into a development process: from manual launch of an analyzer "from time to time" or when searching for hard-to-find errors to everyday automatic launch or launch of a tool when adding new source code into the version control system. The article discusses different levels of using static code analysis technologies in team development and shows how to "move" the process from one level to another. The article refers to the PVS-Studio code analyzer developed by the authors as an example. Introduction Static code analyzer is a tool to search for software errors throughout source code. This tool helps avoid errors at the early stage of developing a software solution instead of later stages of testing or using it. However, companies do not often manage to get benefit from such tools. There are different reasons for that. Some projects are merely not suitable for introducing a code analyzer from the economic point of view, some others are not large enough for the effect to be visible. That is why you should understand when integrating static code analysis into the development process can be beneficial and when not before doing this. Relying on the authors' experience (developing, promoting and selling their own static code analyzer), the article formulates main considerations that you should take into account when introducing such tools into the development process. About static code analysis Static code analysis is a technology of searching for errors in programs by parsing source code and seeking for patterns of known errors in it. This technology is implemented in special tools called static code analyzers. 
The word "static" means that the code is parsed without executing the program. Tools that analyze a program while it is running are called dynamic code analyzers. The best-known static analyzers are produced by Coverity, Klocwork and Gimpel Software; popular dynamic analyzers are produced by Intel (Intel Parallel Inspector) and Micro Focus (DevPartner BoundsChecker). We should also mention PVS-Studio, a specialized static code analyzer developed and promoted by the authors of this article.
The output of a static code analyzer is a list of potential errors found in the code, each referring to a particular file and line. In other words, it closely resembles the list of warnings produced by a compiler. The term "potential errors" (or "issues") is used deliberately: unfortunately, a static analyzer cannot be absolutely precise and cannot tell you whether a potential error is a real defect in your code. Only the programmer knows that. This is why code analyzers produce false alarms, and there is no way to avoid them entirely.

Static code analyzers differ in the programming languages they support (Java, C#, C, C++) and in the issues they can diagnose: general-purpose analyzers versus specialized ones, for instance, analyzers intended for 64-bit or parallel software development.

Kinds of projects static code analysis is relevant for

It is reasonable to employ static code analysis not in every project but only in medium and large ones. What counts as a small, medium or large project is outside the scope of this article, but relying on our experience we recommend considering static analysis for projects that take more than 30 person-months. If a software project takes less, it is better to staff it with several skilled developers than to introduce static analysis: a team of two to four skilled engineers can manage such a project and keep its quality high. But if more people work on the project, or it takes more than half a year, it is naive to hope that "all we need to do is just write code without errors".

Ways (scenarios) of using static code analyzers

Let's consider cases in which a development team may find it necessary to use static code analysis.
We deliberately take the case where static analysis is only now being integrated into the development process; if it has been in use for a long time, there is no sense in discussing the issues of introducing it.

So, suppose there is a team of five people whose job is to port the code of a software project to 64 bits, and that the project is written in C/C++. We note up front that these assumptions are made deliberately so that we can use our own analyzer, PVS-Studio, in the example.

The developers fix the main compilation errors, build the application and make the distribution package. They begin to test it and find that there are very mysterious errors in the program which appear only in the 64-bit version. The developers go to Google, type "64-bit platform C++ issues" and, among 8.5 million results, see on the first page a link to our article "20 issues of porting C++ code on the 64-bit platform", from which they learn that there are various issues in C/C++ applications that were not visible before but appear in their 64-bit versions. In the same article they read that there is a tool, PVS-Studio, that will let them find and fix these issues. The developers download the tool, study its demo version, purchase it if it suits them, find a number of errors in their code with the help of our analyzer, correct them, and the program gets rid of the issues. After that the developers consider the task of creating the 64-bit version of their program solved and stop using the analyzer, since they think they do not need it anymore.

Here is another scenario, close to the previous one. A team of five developers encounters an error in one of the third-party modules while developing a Java application.
Unfortunately, they cannot find the error "by eye", so they download a demo version of some code analyzer, find the error in the third-party module and fix it, but do not purchase a license for the tool because of the project's limited budget. The result: the error is fixed, the application is released, and the tool's license agreement is not violated. Everything looks fine, but this way of using static analyzers cannot be called right either.

The third way of using static analysis. The developers start using Visual Studio Team Foundation Server, which can launch code analysis on files being added to the version control system. Some weeks later the developers turn the code analysis off, since adding new code has turned into a game of "make the analyzer let us add the file".

None of these three scenarios is a good way of using static analysis, even though in the first two cases the analyzer helped find real errors in the code and in the third case the code itself appears to be poor. What are the reasons for these failures?

What prevents developers from using static code analyzers to the full extent

Let's study why all the ways of using static analysis described above are unsatisfactory.

If a team employs a specialized code analyzer (as in the case of searching for 64-bit issues), the temptation to stop using the tool once all the issues seem to have been found and fixed is very strong. Certainly, once the 64-bit version of the product is released, it may seem that there is little sense in using a special tool any further. However, this is not so. If you stop using such an analyzer, some time later (in practice, a few months) you will encounter in your new code the very errors the analyzer could have detected. That is, although you have a 64-bit version of your application and it was debugged some time ago, the new code may still contain errors typical of 64-bit applications. The conclusion from the first scenario: abandoning a specialized code analyzer once its work seems done leads to new errors of the same kind rather soon.

In the second case, the team decided to use a specialized tool only once they understood that their project contained hard-to-find errors.
After fixing those errors the team abandoned the tool. The problem with this approach is that hard-to-find errors will appear in the project again sooner or later, and next time it may be users who notice them first rather than developers or testers. The conclusion from the second scenario coincides with that of the first: giving up the tool will inevitably lead to new hard-to-find errors.

In the third scenario, where the developers gave up static analysis of newly added code because of the trouble it caused when committing to the version control system, the problem is not in the static analyzer at all. The problem is the insufficient skill level of the team. First, the team did not manage to configure the tool so that its warnings actually helped them. Second, their code may really have been rather bad, given that the analyzer produced so many diagnostic messages.

So, let's formulate the main problems that prevent developers from using static code analyzers permanently in their work:

1. The high price of static code analyzers does not allow developers to use them in small projects (especially projects with small budgets). You should understand that there are projects for which static analysis is unsuitable for economic reasons, not technological ones.

2. A static code analyzer produces many false alarms. Alas, any code analyzer generates false alarms, and in some cases their number can be very large. The reason lies in the philosophy of such tools: it is better to generate ten or a hundred false messages than to miss one real error. You should not hope that some analyzers produce fewer false alarms than others; it is better to choose a tool that can handle them in some way. For instance, our PVS-Studio analyzer has a "Mark as False Alarm" function. With it you can mark the analyzer's false alarms right in your code, i.e. specify that the analyzer must not generate a particular type of message on a particular line.

3. Poor integration into the development environment. If a static analyzer does not integrate smoothly and "seamlessly" into the development environment, hardly anyone will use it.

4. No way to launch the tool automatically from the command line. This limitation prevents developers from analyzing the code of the whole project regularly, for instance, during daily builds.

5. No way to integrate the tool with the version control system. Although in the example above analysis of new code on check-in caused the developers to give up the tool, the possibility of such integration is useful in itself.

6. Settings of the code analyzer that are too complicated or, conversely, too simple.

A good solution is cooperation between the company that wants to use static code analysis and the company that provides it. That is, the relationship must change from "buy the tool and use it" to "buy the solution, integrate it and only then use it". Whether you like it or not, in most cases you will not get benefit from simply buying and running an "analyzer applet". You must pull up the development process in your company and, together with the vendor of the static analysis solution, integrate the tool it offers into a permanent, regular team development process. This scheme is employed by the leaders of the static analysis market such as Coverity or Klocwork. By the way, the signs of this may not be very visible: it is not easy to get a demo version from these companies' websites.
And getting an answer to the question "how much does it cost?" is impossible until their sales managers have collected as much information about the customer as they can.

Summary

If your company plans to employ static code analysis, you must consider the following:

1. Integrating static code analysis affects the whole development process.

2. A static analyzer is not an "applet", nor another copy of Windows that you can buy and use without any relationship with the vendor. Keep in mind that you will have to establish close communication with the analyzer's developers and that the integration procedure demands considerable effort and time.

3. A static analyzer raises the general culture of software development in a team, but only if the team is ready for this; it is a mutual process.

4. Raising the development culture through static code analyzers is an expensive process. Be ready for it and understand that it requires large investments.
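The following is an added example, not code from the article or from PVS-Studio or any other analyzer, that shows one way to address problems 2, 4 and 5 of the list above together, and the failure of the third scenario: a command-line gate that reads an analyzer report, honours false-alarm marks placed in the source, and fails a check-in or daily build only on warnings that are new relative to an accepted baseline, so the team is not forced to play "make the analyzer let us add the file" while the legacy warning count is still being worked down. The report format ("file:line: ID: message"), the diagnostic IDs (X103 and so on), the suppression comment "// analyzer-ignore: ID", and the file names and messages are all assumptions constructed for the example; a real analyzer has its own report format and its own suppression syntax.

```python
"""Gate a build or check-in on new static-analysis warnings only.

Added example for this article; not code from PVS-Studio or any other analyzer.
Assumed (constructed) formats:
  report line:        path/file.cpp:LINE: ID: message
  suppression marker: // analyzer-ignore: ID   (placed on the flagged source line)
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

REPORT_LINE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+): (?P<id>[A-Z]\d{3}): (?P<msg>.+)$")
SUPPRESS_MARK = re.compile(r"//\s*analyzer-ignore:\s*(?P<id>[A-Z]\d{3})")


@dataclass(frozen=True)
class Diagnostic:
    file: str
    line: int
    id: str
    msg: str

    def key(self) -> Tuple[str, str, str]:
        # Baseline identity deliberately omits the line number: edits above a
        # flagged line shift it, and old warnings must not reappear as new.
        # Several identical warnings in one file are handled by counting.
        return (self.file, self.id, self.msg)


def parse_report(lines: Iterable[str]) -> List[Diagnostic]:
    """Parse compiler-like report lines; lines in any other shape are ignored."""
    found = []
    for raw in lines:
        m = REPORT_LINE.match(raw.strip())
        if m:
            found.append(Diagnostic(m["file"], int(m["line"]), m["id"], m["msg"]))
    return found


def is_suppressed(d: Diagnostic, sources: Dict[str, List[str]]) -> bool:
    """True if the flagged source line carries a marker for this diagnostic id
    (the in-code equivalent of marking the message as a false alarm)."""
    src = sources.get(d.file)
    if src is None or not 1 <= d.line <= len(src):
        return False
    return any(m["id"] == d.id for m in SUPPRESS_MARK.finditer(src[d.line - 1]))


def new_diagnostics(current: List[Diagnostic],
                    baseline: List[Diagnostic]) -> List[Diagnostic]:
    """Warnings in `current` beyond what the accepted baseline already contains."""
    budget = Counter(d.key() for d in baseline)
    fresh = []
    for d in current:
        if budget[d.key()] > 0:
            budget[d.key()] -= 1        # consume one accepted occurrence
        else:
            fresh.append(d)
    return fresh


def gate(report: Iterable[str], baseline_report: Iterable[str],
         sources: Dict[str, List[str]]) -> Tuple[int, List[Diagnostic]]:
    """Return (exit status, warnings that must block the build); 0 means clean."""
    current = [d for d in parse_report(report) if not is_suppressed(d, sources)]
    blocking = new_diagnostics(current, parse_report(baseline_report))
    return (1 if blocking else 0), blocking


# Constructed sample data, not real analyzer output.
BASELINE_REPORT = [  # accepted when the analyzer was introduced
    "src/legacy.cpp:40: X103: implicit conversion of size_t to unsigned int",
    "src/legacy.cpp:88: X112: magic number 4 used as the size of a pointer",
]
CURRENT_REPORT = [  # today's run, after new code was added
    "src/legacy.cpp:43: X103: implicit conversion of size_t to unsigned int",  # old, shifted
    "src/legacy.cpp:91: X112: magic number 4 used as the size of a pointer",   # marked in code
    "src/new_parser.cpp:17: X103: implicit conversion of size_t to unsigned int",  # new
    "src/new_parser.cpp:25: X205: pointer stored in a 32-bit integer",         # new
    "note: 4 warnings, 2 files analysed",                                      # ignored
]
SOURCES = {  # file contents as lists of lines; only line 91 matters here
    "src/legacy.cpp": ["// ..."] * 90 + ["  memcpy(dst, src, 4); // analyzer-ignore: X112"],
}


def run_sample() -> Tuple[int, List[str]]:
    status, blocking = gate(CURRENT_REPORT, BASELINE_REPORT, SOURCES)
    return status, [f"{d.file}:{d.line}: {d.id}" for d in blocking]


if __name__ == "__main__":
    status, lines = run_sample()
    for line in lines:
        print("NEW WARNING", line)
    raise SystemExit(status)
```

Run it as a pre-commit hook or a daily-build step: a non-zero exit status means warnings that the baseline does not cover, here the two in src/new_parser.cpp, while the shifted legacy warning and the one marked in the source pass. Two design choices matter: the baseline is matched without line numbers and by count, so routine edits that move code do not resurrect old warnings, and suppressions live in the source next to the flagged line, where they show up in code review like any other change instead of being hidden in a tool-side exclusion list.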