Stories
Slash Boxes
Comments

SoylentNews is people

Code Analyzer Turned Out to be Smarter Than One of its Creators

posted by martyb on Monday October 23 2017, @06:48AM   Printer-friendly
from the MY-code-is-perfect! dept.

Andrey_Karpov writes:

I am really astonished by the capabilities of static code analysis. The tool surprised me the other day as it turned out to be smarter and more attentive than I am. I found I must be careful when working with static analysis tools. Code reported by the analyzer often looks fine and I'm tempted to discard the warning as a false positive and move on. I fell into this trap and failed to spot bugs...Even I, one of the PVS-Studio developers.

So, appreciate and use static code analyzers! They will help save your time and nerve cells.

[Ed note: I debated running this story as there was an element of self-promotion (aka Bin Spam), but the submitter has been with the site for a while and has posted informative comments. Besides, I know there have been far too many times when I've seen a compiler complain about some section of my code and I'm thinking there is nothing wrong with it — and then I, finally, see my mistake. Anyone have samples of code where you just knew the compiler or static analyzer was wrong, only to find out otherwise? --martyb]

Original Submission

 
This discussion has been archived. No new comments can be posted.
Code Analyzer Turned Out to be Smarter Than One of its Creators | Log In/Create an Account | Top | 91 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by TheRaven on Tuesday October 24 2017, @08:47AM

    by TheRaven (270) on Tuesday October 24 2017, @08:47AM (#586776) Journal

    You need a better test suite than that. If you haven't already spent 10x the cost of PVS studio developing your test suite, your priorities need a rethink.

    That's my point. The cost of developing a good test suite is high. The cost of running a static analyser (particularly something like the Clang analyser, rather than something like PVS, or Coverity which is free for open source projects) is very cheap. The bug reports that you get from a static analyser are much easier to fix, because they already show you the chain of flow control that leads to the possible failure case, whereas failing tests just tell you that something is broken and require developer time to track down exactly why it's broken.

    The correct time to run a static analyser is early on in development, more or less the same time as fixing compiler warnings. They give you the low-hanging fruit. If static analysis can find a bug, it can do so with a more helpful report and with a lot less effort than either a robust test suite or a fuzzing tool. If you have finite resources, that leaves you with more time to find the difficult bugs with a test suite.

    --
    sudo mod me up
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2