posted by martyb on Wednesday May 10 2017, @04:18AM
from the better-get-moving dept.

O'Reilly and Software Improvement Group conducted a survey about secure coding: https://www.oreilly.com/ideas/the-alarming-state-of-secure-coding-neglect
Much of it is as expected but I stumbled upon this tidbit:

"[Static analysis] was reported as being used by 25% of respondents. One-third of those who didn't use it said it was too expensive. The rest of the non-users were fairly evenly divided among other explanations: tools were not available for their technology, were too hard to use, had too many false positives, or were not usable in Agile development."

When developing I have almost always used compiler warnings (gcc/acc/icc/cxx/clang) and dedicated tools cppcheck/flexelint/coverity-scan/pvs-studio/clang-analyze, so the above snippet depressed me, because catching errors sooner rather than later makes them much cheaper to fix. Static analysis tools can require a lot of configuration, can be expensive and can be time-consuming, and I guess that for some languages such tools don't even exist. The part about static analysis tools not fitting a development process struck me as downright odd.

What is your take on this? Why aren't you using static analysis (and if you do: which one and for what?)

  • (Score: 2, Informative) by Andrey_Karpov on Wednesday May 10 2017, @02:45PM (5 children)

    by Andrey_Karpov (6589) on Wednesday May 10 2017, @02:45PM (#507561) Homepage

    I am one of the developers of PVS-Studio analyzer. I am not going to dispute here, but would like to note one moment.

    Now we have 11000 errors in our "bug-base", which we found in open source projects. I mean really errors, not just warnings issued by the analyzer. You may have a look at all these errors: https://www.viva64.com/en/examples/ [viva64.com]

    These errors were found as a byproduct of our articles: https://www.viva64.com/en/examples/ [viva64.com]. We have never had a goal to find as many errors as possible. Still, we have found these 11000 errors. This is quite a result.

    Here is what I am leaning to. If the compilers were so great, and the analyzers so awful, we wouldn’t be able to fill the base with such a number of errors. So, there is definitely some use in the static analysis. :)

  • (Score: 1, Interesting) by Anonymous Coward on Wednesday May 10 2017, @05:21PM (3 children)

    by Anonymous Coward on Wednesday May 10 2017, @05:21PM (#507645)

    I think most people don't realize they are doing different jobs. Static analyzers are specifically designed to find errors or maybe-errors. Compilers are designed to turn one language into another. Why should my compiler complain about the construct (if A || B || A) or when the then and else clauses do the same thing? Those are both examples of perfectly valid code. While it is true that the examples both stink to high heaven, they aren't necessarily bad. However, errors like "comparison between signed and unsigned integer expressions" or "'InsertNameHere' undeclared (first use in this function)" can, and should, be caught by the compiler. In fact, I firmly believe that some errors shouldn't be detected by static analysis at all and should only be spit out by the compiler.

    • (Score: 2) by hendrikboom on Wednesday May 10 2017, @11:39PM (1 child)

      by hendrikboom (1125) on Wednesday May 10 2017, @11:39PM (#507811) Homepage Journal

      Said code that stinks to high heaven could very well be generated by any kind of automated code synthesis,

      • (Score: 2) by Pino P on Thursday May 11 2017, @11:58AM

        by Pino P (4721) on Thursday May 11 2017, @11:58AM (#508039) Journal

        Then the source code is the input to the code synthesis, not its output.

    • (Score: 0) by Anonymous Coward on Thursday May 11 2017, @06:32AM

      by Anonymous Coward on Thursday May 11 2017, @06:32AM (#507958)

      I firmly believe that some errors shouldn't be detected by static analysis at all and only be spit out by the compiler.

      I firmly believe there are also interpreted languages!

      /snipe
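The three constructs contrasted in the Anonymous Coward comment at 05:21PM (a signed/unsigned comparison the compiler can flag, a duplicated condition, and identical then/else branches) worked through as an added C example that is not from the thread; the functions, the -1 error sentinel and the 16-byte request size are constructed for illustration, and the warning flags named in the comments are gcc's own.

```c
#include <stddef.h>
#include <stdio.h>

/* Pattern 1: signed/unsigned comparison, which gcc/clang -Wsign-compare (part
 * of -Wextra) reports at compile time. A read()-style call returning -1 on
 * error is compared against an unsigned request size; the usual arithmetic
 * conversions turn -1 into SIZE_MAX, so the "does it fit" check passes on
 * exactly the error path it was meant to reject. */
int request_fits_buggy(int got, size_t want)
{
    return want <= got;                 /* got = -1 becomes SIZE_MAX: true */
}

int request_fits_fixed(int got, size_t want)
{
    return got >= 0 && want <= (size_t)got;
}

/* Pattern 2: a condition repeated in an if/else-if chain. gcc
 * -Wduplicated-cond flags the second test of `a`; that branch is dead. */
int classify(int a, int b)
{
    if (a)
        return 1;
    else if (b)
        return 2;
    else if (a)                         /* already tested above: unreachable */
        return 3;
    return 0;
}

/* Pattern 3: identical then/else branches (gcc -Wduplicated-branches) and a
 * redundant operand inside one expression (`a || b || a`). Both are valid C
 * that the compiler accepts; the redundant operand is left to a dedicated
 * analyzer to report. */
int select_value(int a, int b, int x)
{
    if (a || b || a)
        return x + 1;
    else
        return x + 1;
}

int main(void)
{
    /* Constructed inputs: an error sentinel of -1 against a 16-byte request. */
    printf("buggy check on error path: %d\n", request_fits_buggy(-1, 16));  /* 1 */
    printf("fixed check on error path: %d\n", request_fits_fixed(-1, 16));  /* 0 */
    return 0;
}
```

Compile with `gcc -Wall -Wextra -Wduplicated-cond -Wduplicated-branches` to see which of the three patterns the compiler itself reports and which one it stays silent on.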

  • (Score: 0) by Anonymous Coward on Thursday May 11 2017, @02:38AM

    by Anonymous Coward on Thursday May 11 2017, @02:38AM (#507891)

    I like the combination of static and dynamic analyzers. Dynamic ones are pretty good at finding memory/thread/functional errors. Static is pretty good at finding poor patterns. Both of which have their place and BOTH should be used.

    I can count on one hand the number of false positives I actually have found over the years with these sorts of tools. Many times they are right. You just have to dig into it. They usually only go sideways when you obscure the creation/destruction of memory in some way, which in and of itself is an anti-pattern that many of those errors on your site are.

    The tool is telling you something. You just have to listen and be willing to trust that you are not the hotshot you think you are.