I am really astonished by the capabilities of static code analysis. The tool surprised me the other day as it turned out to be smarter and more attentive than I am. I found I must be careful when working with static analysis tools. Code reported by the analyzer often looks fine and I'm tempted to discard the warning as a false positive and move on. I fell into this trap and failed to spot bugs... Even I, one of the PVS-Studio developers.
So, appreciate and use static code analyzers! They will help save your time and nerve cells.
[Ed note: I debated running this story as there was an element of self-promotion (aka Bin Spam), but the submitter has been with the site for a while and has posted informative comments. Besides, I know there have been far too many times when I've seen a compiler complain about some section of my code and I'm thinking there is nothing wrong with it — and then I, finally, see my mistake. Anyone have samples of code where you just knew the compiler or static analyzer was wrong, only to find out otherwise? --martyb]
(Score: 2) by TheRaven on Tuesday October 24 2017, @08:47AM
That's my point. The cost of developing a good test suite is high. The cost of running a static analyser (particularly something like the Clang analyser, rather than something like PVS, or Coverity, which is free for open source projects) is very cheap. The bug reports that you get from a static analyser are much easier to fix, because they already show you the chain of flow control that leads to the possible failure case, whereas failing tests just tell you that something is broken and require developer time to track down exactly why it's broken.
The correct time to run a static analyser is early on in development, more or less the same time as fixing compiler warnings. They give you the low-hanging fruit. If static analysis can find a bug, it can do so with a more helpful report and with a lot less effort than either a robust test suite or a fuzzing tool. If you have finite resources, that leaves you with more time to find the difficult bugs with a test suite.
sudo mod me up
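An added illustration of the kind of path-dependent defect TheRaven's comment describes, not code from the thread or from any of the tools named in it: the first function looks fine at a glance but returns an unassigned value on the path where no element matches (or `n == 0`), which is exactly the class of report a path-sensitive checker such as the Clang static analyser (`clang --analyze`) gives with the sequence of branches that reaches it. The second function is the corrected form. The function names and the sample array are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* BUGGY (constructed example): returns the first element >= threshold.
 * `result` has no initializer, so on the path where the loop never
 * assigns it (no match, or n == 0) the function returns garbage.
 * Running `clang --analyze` on this file reports the undefined return
 * value together with the branch sequence that reaches it. */
int first_at_least_buggy(const int *xs, size_t n, int threshold)
{
    int result;
    for (size_t i = 0; i < n; i++) {
        if (xs[i] >= threshold) {
            result = xs[i];
            break;
        }
    }
    return result; /* uninitialized on the "not found" path */
}

/* FIXED: success is reported separately from the value, so every path
 * either writes *out and returns true, or leaves *out alone and returns
 * false. No path reads an unassigned variable. */
bool first_at_least(const int *xs, size_t n, int threshold, int *out)
{
    for (size_t i = 0; i < n; i++) {
        if (xs[i] >= threshold) {
            *out = xs[i];
            return true;
        }
    }
    return false;
}

/* Constructed sample input used by the demo helpers below. */
static const int SAMPLE[] = {3, 8, 15, 4};
static const size_t SAMPLE_LEN = sizeof SAMPLE / sizeof SAMPLE[0];

/* Returns the found value, or -1 when the fixed function reports "not found". */
int demo_fixed(int threshold)
{
    int v = -1;
    return first_at_least(SAMPLE, SAMPLE_LEN, threshold, &v) ? v : -1;
}

/* The "empty input" path that the buggy version gets wrong. */
bool demo_fixed_empty(void)
{
    int v = -1;
    return first_at_least(SAMPLE, 0, 1, &v);
}
```

The point of the pair is not the fix itself but where the defect lives: it is only visible when you follow the branch the loop body never takes, which is what the analyser's report spells out and what a quick read tends to skip.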