Click here to Skip to main content
Click here to Skip to main content

Cases When a Static Code Analyzer may Help You

, 27 Dec 2010
Rate this:
Please Sign up or sign in to vote.
The static code analysis method is the method of searching for places in program text that are highly probable to contain errors.

Introduction

The static code analysis method is the method of searching for places in program text that are highly probable to contain errors. Programmers use special tools called static code analyzers for this purpose. Having got a list of suspicious code lines, a programmer reviews the corresponding code and fixes errors detected.

Static code analysis is used most often for controlling the quality of a project being developed. But static code analysis can be also used to solve some more peculiar tasks. I would like to describe some of these in this post.

Education

Static analysis may be used for educational purposes. When estimating a student's work, a teacher usually reviews the code he has written and performs test launches of the program. Since there are a lot of students and only one teacher, he may additionally increase his attention by using a static code analyzer. Static analysis makes it more probable not to miss an issue a student must work on.

Another way of using a static analyzer for educational purposes is to check code written by novice programmers. This will help to find and explain errors in their code quicker. Moreover, the capability of analyzing indents, variable naming and so on, will help a person to quicker get used to writing code in the coding style accepted in the company.

Porting Software to a Different System

It is very difficult to write portable software especially if you did not intend to port your applications at first. That is why port of a program to some other operating system or hardware platform is always rather painful. You can hardly know all the specific issues awaiting your program on a different platform beforehand and you certainly cannot know how to find all the dangerous fragments in your code. Specialized code analyzers may help you by pointing to all the potentially unsafe fragments. They will tell you where you should not change types' sizes, data alignment rules, byte order or use deprecated functions and so on.

Searching for Backdoors

Static analysis may be used both for good and for bad purposes. Since code analysis helps developers to detect buffer overflows, stack overflows and other similar defects, an intruder can also do such things. By studying weak points of software, a hacker can choose an object for attack faster. That is, he does not need to review a huge amount of code - a static analyzer will do a part of the work for him. It will tell him where the code is especially vulnerable so that the hacker may go on to the next stage of his work, i.e., estimating if he can use the code defects found for his purposes and how.

Hackers often cannot get access to the source code of applications. But there are static analyzers that handle the executable binary code directly.

Of course, we can turn search of holes into a useful thing. For instance, many companies reward people who detect vulnerabilities in software. It is much easier to look for such vulnerabilities using static analyzers.

Using Third-party Source Codes

Programmers often use various open-source codes. In other words, they use open-source free libraries or their fragments. You may usually solve one task using different third-party solutions. Here the question arises, how to choose among them. Using static analysis in this sphere may appear an interesting method - the fewer errors are found, the more probable it is that this code is quality and safe.

If your team receives a third-party project for maintenance and development, static analysis will help you to detect the most dangerous fragments in the project and therefore you will be able to determine which parts of the system need maximum attention.

Proving the Necessity of Code Refactoring

Programmers often understand that a project becomes too complicated and starts to fall apart. They conclude that they need to perform code refactoring, otherwise most time will be consumed by maintenance and creating crutches to prevent code from complete breakdown. But programmers always have urgent tasks and it is not so easy for me to prove why it is more important to rewrite one of the old dialogues instead of creating a new one. A static analyzer may serve one of the arguments for you to listen to my advice by constantly screaming about too large functions, multiple use of global variables, too complicated class hierarchy and therefore unsafe functions and other horrors.

Summary

Of course, I have mentioned only some things I have managed to recall. There are a lot of other tasks static code analysis will help you to solve. Write to us if you have had interesting non-standard ways of using the static analysis methodology in your practice.

History

  • 27th December, 2010: Initial post

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

About the Author

Karpov Andrey
Architect Program Verification Systems, Co Ltd
Russian Federation Russian Federation

Andrey Karpov is technical manager of the OOO "Program Verification Systems" (Co Ltd) company developing the PVS-Studio tool which is a package of static code analyzers integrating into the Visual Studio development environment.

PVS-Studio is a static analyzer that detects errors in source code of C/C++ applications. There are 3 sets of rules included into PVS-Studio:

  1. Diagnosis of 64-bit errors (Viva64)
  2. Diagnosis of parallel errors (VivaMP)
  3. General-purpose diagnosis

Awards: MVP, Intel Black Belt

Andrey Karpov is also the author of many articles on the topic of 64-bit and parallel software development. To learn more about the PVS-Studio tool and sources concerning 64-bit and parallel software development, please visit the www.viva64.com site.

Best Articles:

My page on LinkedIn site: http://www.linkedin.com/pub/4/585/6a3

E-mail: karpov@viva64(dot)com

Follow on   Twitter

Comments and Discussions

 
-- There are no messages in this forum --
| Advertise | Privacy | Mobile
Web02 | 2.8.140718.1 | Last Updated 27 Dec 2010
Article Copyright 2010 by Karpov Andrey
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid