Static code analysis. A methodology for detecting errors in program code in which the programmer reviews the code fragments that an analyzer has marked as places where errors may occur. In other words, a static analysis tool finds the places in the program text that contain errors, are likely to contain them, are error-prone, or are badly formatted. The programmer then examines each such fragment and decides whether or not to modify it. Static analyzers can be general-purpose (for example, Microsoft PREFast, Gimpel PC-Lint, Parasoft C++Test) or specialized in searching for certain classes of errors (for example, Chord for verifying parallel Java programs).
Static analysis tools are usually rather expensive, require knowledge to use, and have rather complicated subsystems for configuration and for suppressing false messages. That is why static analyzers are usually used by companies with a high development culture and mature software development processes. In return for this complexity, static code analyzers allow developers to detect many errors at the early stages of writing program code. Using the static analysis methodology also disciplines programmers and helps keep the work of young employees under control.
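The workflow described above, as an added example (not code from PVS-Studio or any analyzer named here): a toy line-based checker in Python that marks suspicious places in a constructed C fragment and honors a suppression comment left by a reviewer. The rule ids, the patterns and the `NOLINT-DEMO` marker are hypothetical; production analyzers typically work on a parsed representation of the code rather than on regular expressions.

```python
import re

# Constructed C input for the demonstration (not from the original page).
SAMPLE_C = """\
#include <string.h>
int check(char *s, int mode) {
    int len = strlen(s);
    if (mode = 2) return len;
    int n = strlen(s); // NOLINT-DEMO
    return 0;
}
"""

# Hypothetical rules: (id, pattern, message). Each one marks a place that
# *may* hold an error; the final decision stays with the programmer.
RULES = [
    ("A001", re.compile(r"\bif\s*\([^)]*[^=!<>)]=[^=]"),
     "assignment inside an 'if' condition; was '==' intended?"),
    ("A002", re.compile(r"\bint\s+\w+\s*=\s*strlen\s*\("),
     "size_t result of strlen() stored in int; may truncate in 64-bit builds"),
]

def analyze(source, suppress_marker="NOLINT-DEMO"):
    """Return (findings, suppressed) as lists of (line, rule_id, message)."""
    findings, suppressed = [], []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]  # match on code only, not on the comment
        for rule_id, pattern, message in RULES:
            if pattern.search(code):
                # A marker comment records the reviewer's earlier decision
                # that this message is false or acceptable.
                bucket = suppressed if suppress_marker in line else findings
                bucket.append((lineno, rule_id, message))
    return findings, suppressed

if __name__ == "__main__":
    findings, suppressed = analyze(SAMPLE_C)
    for lineno, rule_id, message in findings:
        print(f"sample.c:{lineno}: {rule_id}: {message}")
    print(f"{len(suppressed)} message(s) suppressed by reviewer")
```

The suppressed list is returned rather than discarded so that suppressions themselves can be audited later.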
The main advantage of using static code analyzers is a considerable reduction in the cost of eliminating defects in a program. The earlier an error is found, the lower the cost of correcting it. According to the data given in the book "Code Complete" by McConnell, correcting an error at the testing stage is ten times more expensive than correcting it at the construction (coding) stage:
Figure 1. Average cost of correcting defects depending on when they are introduced and when they are detected (data for the table taken from the book "Code Complete" by S. McConnell).
Static analysis tools make it possible to detect a large number of errors at the construction stage, and this considerably reduces the development cost of the whole project.
Our company, "Program Verification Systems", develops solutions for software verification and static code analysis. Our main product, PVS-Studio, is a static code analyzer for checking modern, resource-intensive applications.
The PVS-Studio analyzer is intended for detecting a wide range of errors in C/C++/C++11 programs. Besides general diagnostic rules, there are specialized rule sets to check 64-bit and parallel OpenMP software. The analyzer can also help you in software code optimization.
References
- Wikipedia. "Static code analysis"
- Wikipedia. "List of tools for static code analysis"
- Steve McConnell, "Code Complete, 2nd Edition" Microsoft Press, Paperback, 2nd edition, Published June 2004, 914 pages, ISBN: 0-7356-1967-0.
- Walter W. Schilling, Jr. and Mansoor Alam. "Integrate static analysis into a software development process".
