Myths about static analysis. The fifth myth – a small test program is enough to evaluate a tool

This is how this statement looks in discussions on forums (this is a collective image):

I’ve written a special program, its size is 100 code lines. But the analyzer doesn’t generate anything although all the warning levels are enabled. This [tool of yours] / [static analysis] in general is just rubbish.

Continue reading

Myths about static analysis. The third myth – dynamic analysis is better than static analysis

The statement is rather strange. Dynamic and static analyses are just two different methodologies which supplement each other. Programmers seem to understand it, but I hear it again and again that dynamic analysis is better than static analysis.

Let me list advantages of static code analysis.

Continue reading

Grounded Pointers

Once one of our colleagues left the team and joined one company developing software for embedded systems. There is nothing extraordinary about it: in every firm people come and go, all the time. Their choice is determined by bonuses offered, the convenience aspect, and personal preferences. What we find interesting is quite another thing. Our ex-colleague is sincerely worried about the quality of the code he deals with in his new job. And that has resulted in us writing a joint article. You see, once you have figured out what static analysis is all about, you just don’t feel like settling for “simply programming”.

1-main

 

Continue reading

Review of contemporary C/C++ static code analyzers

In this article, I’ll try to assess the current situation concerning static analysis of C/C++ code. This study has a slightly philosophical character and in no way claims to be absolutely complete and objective. There also won’t be any discussions of which analyzer is better. Such comparisons are usually a pointless action: there will always be people who disagree with the chosen methodology or suspect the researcher in being biased. To do the research, I’ll try to take the list of popular contemporary analyzers of C/C++ code (for example, from Wikipedia) and understand, which tools don’t already fit there and if there is a need to add something there.

image1

Continue reading