-
27.01.2012
In this short post, the author tells us about his experience of using two static analysis tools, each of which relies on its own technique: Address Sanitizer (ASan) and Clang Static Analyzer.
-
06.01.2012
The post addresses the misconception that static analysis tools are testing tools or can be a good substitute for them. The author explains the difference between the various kinds of testing and static analysis, bringing out the purpose of the latter and its role in development. He agrees that static analyzers are necessary tools, but they are intended for detecting a "narrow band of code-related defects".
-
13.12.2011
This short post gives you some tips on how to choose a static analysis tool for your projects. Following these tips will help you make the best choice.
-
07.11.2011
The post refers us to an article by Coverity describing the benefits of static analysis and mentioning three analysis techniques it can provide: dataflow analysis, interprocedural analysis and false-path pruning. Each of these techniques is illustrated by a code sample.
-
05.10.2011
Static analysis includes many techniques, each of which helps developers find various bugs and issues at different stages of the development process. In his article, Arthur Hicken describes these techniques (peer code review, pattern-based analysis, flow analysis, metrics, compiler/build output) and the types of problems they are meant to solve.
-
11.09.2011
The article concerns the C++ code analyzer integrated into the Visual Studio 2012 development environment. The author speaks about the improvements introduced in the new version of the application and cites several code samples to show how it works and to demonstrate various features of the analyzer. The text is complemented with screenshots explaining how to use the analyzer.
-
01.09.2011
The article deals with the technology of static analysis. The main principle behind how static analysis tools operate is explained, and the different techniques that make up static analysis are described. Among them are bug pattern matching, data-flow analysis, abstract interpretation, model checking and program querying. The author also mentions tools specializing in each of these techniques. The information in the article can help students who want to build their own tools.
-
27.07.2011
Compliance with the coding standards accepted in a company or a development team helps developers avoid bugs and focus their attention on a more general and more efficient review of the code. Unfortunately, human factors often get in the way of following the rules, so techniques for the automated enforcement of coding standards are needed. The article describes two widely used static analysis tools that can be useful in solving this task: PC-Lint and RSM.
-
22.06.2011
This item includes an interview with Jill Britton, who talks about the trends in the static analysis field, the most common problems encountered when testing code, the testing approaches applied in different areas and the code analysis method developed by PRQA.
-
04.06.2011
In his article, Magnus Unemyr discusses the lack of up-to-date tools for embedded developers. According to him, while embedded software systems get more complex, the tools intended to help developers still remain at the same level as 20 years ago, addressing common tasks (editing, compiling and debugging) without becoming more flexible and powerful or capable of addressing a wider set of tasks. Among these are preliminary graphical modeling of the project's code, tracking changes in code and creating version control systems, bug reports, automated unit-test development and many other things.
-
01.06.2011
The author of this article gives recommendations on how to improve the quality of embedded software using static analysis. These recommendations include establishing software quality models and objectives, using language subsets that comply with coding standards and proving the absence of run-time errors.
-
20.05.2011
The article concerns the code review method and explains the principles, types, steps and levels of this process as well as the tools to be used for code review. The author also provides a list of examples demonstrating the most common programming mistakes of various sorts.
-
07.05.2011
The post describes the FlexeLint tool, which is, according to the author, one of the best and least expensive static analyzers for C and C++ code. The article contains numerous code samples illustrating the errors the tool can detect and some of its specific features.
-
04.04.2011
Microsoft has added the new Code Analysis feature to the Visual Studio 2010 development environment. This feature performs static analysis on code and helps developers find various potential problems at different levels. This course is intended to acquaint developers with Code Analysis and teach them how to use the feature by completing a set of exercises.
-
22.03.2011
The author tries to bust the myth that static analysis gives 100% code coverage and can find all vulnerabilities and defects. To explain why this is not so, he gives examples of what static analysis is unable to do or cannot do well. In general, these examples come down to code located outside the analyzed project, which the analysis cannot access.
-
27.02.2011
In his post, the author speaks about various static code analysis tools intended for code auditing as an alternative to formal methods. He gives tips on how to use these tools according to programmers' needs and circumstances.
-
31.01.2011
Since static analysis tools are able to find security vulnerabilities in source code, many firms adopting the technology feel the urge to compare different static analyzers to find the best solution. Gary McGraw explains why this task is not as easy as it may seem and why comparing tools without bearing in mind some crucial pitfalls resembles comparing fruit and aardvarks. The author also gives advice on the best criteria to choose for tool comparison.
-
06.01.2011
Walter Bright describes an interesting approach he took from the field of aircraft mechanical design and started applying to programming. What he does, and suggests other programmers should do, is look for patterns of bugs that occur persistently and, once a pattern is found, think about how to change the programming process to avoid it in the future. Among possible ways, he offers changing coding standards, the programming language, the testing methodology and so on. The post is supplied with code samples containing various bugs, and the author suggests a way of fixing each of them.
-
04.12.2010
The article was created in an attempt to cover all the information concerning the Code Analysis feature integrated into Visual Studio. It is divided into three sections: "The need of Code Analysis", "Performing Code Analysis on your code" and "Making your own code Analyzable". The first section explains why developers need Code Analysis, while the second contains code samples for the main patterns of bugs and errors the analyzer can detect. The third section tells you how to write and edit your code so that the analyzer can check it fully and does not fail to emit important warnings. The article includes numerous code samples to illustrate the main points.
-
24.04.2010
Sid Sidner, director of security engineering at ACI Worldwide, talks about static code analysis as the best way to ensure software quality and security. He explains the working principle of static analysis tools and gives a list of questions and recommendations to help developers choose the right static analysis tool to integrate into their development processes. The author also shares his experience of working with some static analysis tool vendors and explains, using his own company as an example, what considerations guided their choice of a tool.
-
01.01.2010
In this article, the Coverity developers share their experience of developing and commercializing their own static analyzer, as well as the conclusions and lessons they drew from this experience. The authors formulate what they call the "laws of bug finding" and discuss various specifics of implementing a good static analysis tool.
-
03.09.2009
A wiki resource devoted to static code analysis. It describes the essence of this technology and provides many links to other materials on static analysis tools and related domains.
-
02.09.2009
This short post describes some C++ static analysis tools that can help developers find specific errors related to code duplication and cyclomatic complexity, as well as general programming errors. The author also gives some tips on how to integrate static analysis tools into the development process and find newly introduced errors as soon as possible.
-
27.08.2009
This article will interest everyone involved in C++ programming, as it describes the authors' effort to evaluate the most popular C++ code analyzers against a set of special rules and sample error patterns. The description of the test base and the results are thoroughly commented and shown in various tables and code samples.
-
21.08.2009
This is one more article devoted to using static analysis to test medical device software. The authors explain how static analysis may be helpful in the post-market testing and maintenance of medical devices and study the results of tests performed with the CodeSonar tool as an example.
-
06.08.2009
In his article, written with much irony, Jack Ganssle touches upon the topic of inefficient tools provided by dishonest vendors. He explains the complicated situation in the field of software development and describes the stereotypes of thinking and behavior spread among developers, company bosses and vendors that lead to a vicious cycle in which customers' needs are left unsatisfied despite a great many ads and promises.
-
14.06.2009
The author of the article focuses on improving the process of C++ code development. He describes the main things to consider while analyzing, debugging and enhancing the code. These include using static analysis tools, creating a suite of unit and regression tests and so on. The article is divided into four sections devoted to various techniques and contains code samples.
-
23.05.2009
This article presents a study of how Linux kernel developers respond to bug reports generated by a static analyzer. The authors find that most developers prefer to sort bug reports into several categories, and show what factors affect the decisions made about triaging certain types of errors or, conversely, what makes developers refrain from triaging and reviewing the corresponding code fragments. The authors' conclusions are supported by plenty of graphs and tables.
-
29.03.2009
The author of this note provides a list of tools for C++ analysis, describing various commercial and open-source tools. For each item there is a brief description and a link to the related site.
-
19.02.2009
Nowadays, when system reliability depends upon software rather than hardware, it is very important to improve the quality of embedded software, and static analysis is a perfect technique for this purpose. The article discusses the classification of static analysis tools and describes some of the most popular tools used for various purposes (general-purpose, Java-oriented and security tools). Another section of the article is devoted to the issues of integrating static analysis into the software development process and explains each step of this procedure. The text contains illustrative diagrams and code samples.
-
03.11.2008
Since code vulnerabilities make software insecure, code should be thoroughly analyzed and hardened. The author discusses such common implementation-level vulnerabilities as race conditions, input validation, exceptions, SQL injection and buffer overflow; he then touches upon code review techniques, white-box and black-box analysis techniques and metrics analysis. At the end there are some links to a list of code analysis tools and related materials.
-
08.08.2008
In this interview, Adam Kolawa, CEO and co-founder of Parasoft, shares practical tips on how to use static code analysis most efficiently. He tells in detail about the three main kinds of static analysis, namely pattern-based static analysis, data flow static analysis and code metrics calculation, and also gives recommendations on how to use a static analyzer in a development process to obtain the desired effect and how the code analysis process can be automated.
-
20.05.2008
The paper is devoted to Parasoft Corporation's BugDetective flow analysis technology, which provides developers with many benefits such as the possibility of quick code modification, a flexible testing system, focusing on actual defects and errors, etc. The paper describes very thoroughly the working principle of BugDetective and how it can be used in combination with other testing techniques, and includes many illustrative code samples and screenshots.
-
14.05.2008
Stack overflows can be very dangerous in high-integrity systems and are difficult to detect and debug, so it is very important to prevent them by analyzing the stack beforehand. This article explains how static stack analysis can help accomplish this task and what obstacles it faces, and also gives some tips on how to use the compiler and AdaCore's dedicated GNATstack tool for stack analysis.
-
29.04.2008
The paper concerns static analysis and the IBM static analysis tool IBM Rational Software Analyzer. It describes the static analysis technique in general and its benefits, discusses the implementation of the IBM Rational Software Analyzer and provides the user with thorough step-by-step instructions on how to specify the analysis rules for the tool, configure the analysis, run the analysis and view the results, export and report data, and some other things. Every step is illustrated with screenshots.
-
01.11.2006
Integrating static analysis into software development provides the programmer with many advantages. The article reviews the most popular static analysis tools in several categories, including tools for Java analysis, security tools, etc. The authors also focus on various aspects of integrating static analysis such as creating a coding standard, implementing automated checking, the code review process, results retention, managing new and existing code, and training engineers.
-
06.10.2006
This blog post describes a technique for searching for bugs in the source code of various projects with the help of the new Google Code Search tool. The author explains how one can easily use this tool to detect flaws in code by typing particular expressions and characters into the search box. Some examples are provided that illustrate this technique very clearly.
-
01.08.2006
This wiki resource is devoted to static code analysis tools for the most popular programming languages. There you will find a large list of tools, both open-source and commercial, with brief descriptions and useful links for more information.
-
01.03.2006
Nick Wienholt helps you master the C/C++ Code Analyzer that ships with Visual Studio Team System (VSTS). The article explains why static analysis is essential for C/C++ applications and how to launch and use this feature in VSTS.