Dr. Dobbs

423_DrDobbs

Issue link: http://dc.ubm-us.com/i/300036

Page 2 of 24

Sponsor Advertisement
TECH FAQ
Fitting static code analysis into your testing toolkit isn't as hard as you thought

More and more development teams are standardizing on static code analysis tools to improve testing efficiency and build better code. Are they more trouble than they're worth? Here's the real story.

Q: What do static code analysis tools do?
They find bugs so you don't have to. It's as simple as that. SCA boils down to three things: better code at check-in, less costly development cycles and shorter time-to-market. Why? Because you don't have to worry about finding these bugs.

Q: How efficient are they?
There are two ways to think about this. First, it's easy to save time on finding the most common defects (null pointer use, buffer overflow, unreachable code, etc.) through automation. Second, finding the most complex problems is best solved by proven algorithms that understand inter-procedural dependencies and cover every execution path better than any person can.

Q: What's a good example of SCA?
Consider a function that dereferences a pointer set by another function. Manual unit testing of either function in isolation may not reveal that the pointer being dereferenced could be NULL. Static code analysis, on the other hand, would find the problem. Going further, consider the same situation but with the two functions developed by two different teams. The chances of the NULL pointer dereference reaching the customer become higher if the test coverage isn't there. Again, SCA covers everything. Capers Jones of Namcook Analytics found that, without tools and processes like static code analysis, developers are less than 50 percent efficient at finding bugs in their own software.

Q: What about false positives?
Static analysis tools emphasize reducing false negatives rather than false positives, so that you get the most rigorous coverage possible. It's critical, then, to allow easy tuning of the analysis to account for the unique rules of your project and to include or exclude code (such as macros or conditionally compiled code) appropriately.

Q: We're great programmers already, why waste time with SCA?
SCA follows a strict set of rules and never gets tired, allowing developers to focus on the right things. A busy developer may miss an issue or think that it'll never happen. How many times have you miscounted loop iterations or got lost when tracing conditional logic? Because static code analysis understands the entire state space of your software, it never gets lost or assumes a problem is too insignificant.

Q: Development timelines are short, how do I fit SCA in?
The best SCA tools aren't standalone products, but rather ones that let you work within your existing environments (such as your command line or IDE). Even better, they give you feedback at the earliest possible point: as you're typing code. This way, the tool fits you.

Q: Overall, how do I get the best measure of security and reliability in my code?
Modern SCA pushes code quality onto the desktop, as code is written, well before it's checked in. But it's just one piece of the puzzle. Combine it with deep scanning tools for open source software and visual debugging for multi-CPU apps and you'll have a bulletproof analysis strategy for efficient and reliable testing.

Effective code analysis doesn't mean absolute paralysis

Challenge more misconceptions about static code analysis: Read the Myths About Static Code Analysis white paper, www.klocwork.com
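The inter-procedural NULL dereference the FAQ describes, written out as an added example (not part of the advertisement or of Klocwork's material). The settings table, the function names and the -1 failure code are constructed for illustration; the point is that each function's isolated unit test passes while the combination can crash.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: a tiny settings table standing in for a lookup
 * that one team owns. Returning NULL for an absent key is a legitimate,
 * documented result of this function. */
struct setting { const char *key; const char *value; };

static const struct setting table[] = {
    { "log_level", "info" },
    { "listen",    "127.0.0.1:8080" },
};

const char *config_lookup(const char *key) {
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].key, key) == 0)
            return table[i].value;
    return NULL;            /* not found: the caller must check */
}

/* Consumer owned by another team. Its own unit test passes (it is only
 * ever handed a valid pointer), yet it dereferences whatever it gets.
 * A checker that tracks the NULL return of config_lookup across the
 * call boundary flags config_value_length below; testing either
 * function alone does not. */
size_t value_length_unchecked(const char *value) {
    return strlen(value);   /* NULL dereference if value == NULL */
}

long config_value_length(const char *key) {
    /* Unsafe path: a missing key reaches strlen as NULL. */
    return (long)value_length_unchecked(config_lookup(key));
}

/* Hardened form: the NULL result is handled at the point of use and
 * reported as -1 instead of crashing. */
long config_value_length_checked(const char *key) {
    const char *value = config_lookup(key);
    if (value == NULL)
        return -1;
    return (long)strlen(value);
}
```

The unchecked path is the kind of inter-procedural defect a static analyzer (for instance GCC's `-fanalyzer`, available since GCC 10) is designed to report as a possible NULL argument, while the checked variant gives it nothing to flag.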
