SlideShare uma empresa Scribd logo

Static analysis is most efficient when being used regularly. We'll tell you why...

P
PVS-Studio

The document discusses best practices for using static code analysis tools to maximize their effectiveness. It recommends: 1) Marking false positives to reduce future messages, 2) Using incremental analysis to check modified files, 3) Checking files modified in the last few days, and 4) Running analysis nightly on a build server. Following all recommendations provides the highest return on investment in static analysis by catching errors earlier in development.

Tecnologia
1 de 3
Baixar para ler offline
Static analysis is most efficient when being used regularly. We'll tell you why... Author: Evgeniy Ryzhkov Date: 22.04.2013 Some of our users run static analysis only occasionally. They find new errors in their code and, feeling glad about this, willingly renew PVS-Studio licenses. I should feel glad too, shouldn't I? But I feel sad - because you get only 10-20% of the tool's efficiency when using it in such a way, while you could obtain at least 80-90% if you used it otherwise. In this post I will tell you about the most common mistake among users of static code analysis tools. Discovering static analysis Let's at first discuss the simplest scenario which is the most common with those who try the static code analysis technology for the first time. Some member of a developer team once came across an article, or a conference lecture, or even an advertisement of some static analyzer and decided to try it on his/her project. I'm not telling about PVS-Studio in particular - it might be any static analysis tool. Now the programmer, more or less easily, deploys a static analysis system and launches code analysis. The following consequences are possible: • The tool fails to work. It doesn't pick up the project settings, or gathers the environment parameters incorrectly, or fails in any other way. The user naturally grows less inclined to trust it. • The tool performs the check successfully and generates some diagnostic messages. The user studies them and finds them irrelevant. It doesn't mean that the tool is absolutely poor; it just has failed to demonstrate its strong points on this particular project. Perhaps it should be given a chance with another one. • The tool generates a few relevant messages (among others) which obviously indicate that genuine bugs are present in the code. Strictly speaking, it's in the third case, when something real is found, that the team starts using a tool in practice. The biggest mistake you can make when adopting static analysis But one may make a great mistake at this point when integrating static analysis into the development process: namely, you may accept a practice to run static analysis before every release, for instance. Or run it once a month. Let's see why such an approach is bad: First, since you don't use the false positive suppression mechanism, you will see the same old false positives again and again. And therefore you will have to waste time to investigate them. The more messages the analyzer generates, the less focused the programmer is. Second, diagnostic messages are generated even for the code which you didn't touch between the checks. This means you'll get even more messages to examine.
Third, and most important, with such an approach you won't get the static analyzer to find all those errors you were catching through other methods for so long and with so much sadness between two checks. This thing is very important, and I want to discuss it in detail. It should be done also because it is the thing people forget about when estimating the usefulness of static analysis. See the next section. A fallacy: "Efficiency of static analysis can be estimated by comparing analysis results for the last year's code base release and the current one" Some programmers suggest using this method to estimate efficiency of static code analysis. Imagine a team working on some project for several years. It keeps all the project release versions (1.0, 1.1., 1.2, etc.). It is suggested that they get the latest version of some code analyzer and run it on the last year's project source codes - say, version 1.3. Then the same version of the static analyzer should be run on the latest code base release - let it be version 1.7. After that we get two reports by the analyzer. We study the first report to find out that the older project contains 50 genuine errors. Then we study the second report and see that the latest project contains 20 bugs out of those 50 ones (and some new ones, of course). It means that 50-20 = 30 bugs have been fixed through alternative methods without using the analyzer. These errors could have been found, for instance, through manual testing, or by users when working with the release version, or otherwise. We draw a conclusion that the static analyzer could have helped to quickly detect and fix 30 errors. If this number is pretty large for the project and developers' time is expensive, we may estimate economic efficiency of purchasing and using the static code analyzer. This approach to economic efficiency estimation is absolutely incorrect! You cannot use it to evaluate a static analyzer! The reason is that you make several errors at once when trying to do that. First, you don't take into account those bugs which have been added into version 1.4 of the code base and eliminated in version 1.6. You may argue: "Then we should compare two releases in succession, for example 1.4 and 1.5!". But it is wrong too, since you don't take account of errors which appeared after release 1.4 and were fixed before release 1.5. Second, code base release versions are in themselves already debugged and contain few bugs - unlike the current version the developers are working on. I believe the release wasn't as buggy and crash- prone, was it? You surely fix bugs between releases, but you detect them through other methods which are naturally more expensive. Here we should remind you of the table demonstrating the dependency of the cost of bug fixes on the time they were added into the code and detected. You should understand that running static analysis only "before a release" automatically increases the cost of bug fixes. Thus, you cannot truly evaluate efficiency of static analysis by simply running it on the last year's code base release and the current one and comparing the results. Tips on how to obtain the maximum benefit when adopting static analysis During the time we have been working in the field of static code analysis, we have worked out several practices to obtain the maximum benefit from using static analysis tools. Although I will specify how these mechanisms are supported in PVS-Studio, the tips can be used with any other static analysis tool.
Mark false positives to get fewer messages to study the next time Any static code analyzer generates false positives. This is the nature of the tool and it can't be helped. Of course, everybody tries to reduce the number of false positives, but you can't make it zero. In order not to get the same false positives again and again, a good tool provides you with a mechanism to suppress them. You can simply mark a message with "false positive" and thus tell the analyzer not to generate it at the next check. In PVS-Studio, it is the "Mark As False Alarm" function responsible for this. See the documentation section Suppression of false alarms for details. Despite being very simple, this recommendation may help you to save much time. Moreover, you will stay more focused when you have fewer messages to examine. Use incremental analysis (automated check of freshly recompiled files) The effective way of handling incremental analysis is to integrate it into IDE for the tool to be able to be launched automatically when compiling freshly modified files. Ideally, incremental analysis should be run by all the developers currently working on the code base on their computers. In this case, many bugs will be detected and fixed before the code gets into the version control system. This practice greatly reduces the "cost of bug fixes". PVS-Studio supports the incremental analysis mode. Check files modified in the last several days If you for some reason cannot install the analyzer on all the developers' computers, you may check the code once in several days. In order not to get a pile of messages referring to old files, static analysis tools provide the option "check files modified in the last N days". You can set it to 3 days, for example. Although from the technical viewpoint nothing prevents you from setting this parameter to any number (say, 7 or 10 days), we don't recommend you to do that. When you check the code just once in 10 days, you repeat the "occasional use of the tool" mistake. You see, if a bug is added today, found by testers tomorrow, described in the bug-tracker the day after tomorrow, and fixed in 5 days, running analysis once in 10 days will be useless. But the capability of checking the code once in two or three days may appear very useful. PVS-Studio supports this option - see the settings command "Check only Files Modified In". Set the static analyzer to run every night on the build server Regardless of whether or not you use incremental analysis on every developer's computer, a very useful practice is to perform a complete run of the analyzer on the whole code base every night. A highly important capability of the tool is therefore the capability of command line launch, which is of course supported in PVS-Studio. The more practices you follow, the greater effect you get Let's once again enumerate the tips on how to enhance efficiency of static code analysis: 1. Mark false positives to get fewer messages to study the next time. 2. Use incremental analysis (automated check of freshly recompiled files). 3. Check files modified in the last several days. 4. Set the static analyzer to run every night on the build server. If you follow all the four recommendations, you'll get the highest payback from investing into static analysis tools. Of course, it sometimes cannot be achieved due to various reasons, but you should certainly strive for it.

Recomendados

Static analysis is most efficient when being used regularly. We'll tell you w...
Static analysis is most efficient when being used regularly. We'll tell you w...Static analysis is most efficient when being used regularly. We'll tell you w...
Static analysis is most efficient when being used regularly. We'll tell you w...Andrey Karpov
 
Regular use of static code analysis in team development
Regular use of static code analysis in team developmentRegular use of static code analysis in team development
Regular use of static code analysis in team developmentPVS-Studio
 
Regular use of static code analysis in team development
Regular use of static code analysis in team developmentRegular use of static code analysis in team development
Regular use of static code analysis in team developmentAndrey Karpov
 
Regular use of static code analysis in team development
Regular use of static code analysis in team developmentRegular use of static code analysis in team development
Regular use of static code analysis in team developmentPVS-Studio
 
Static Analysis: From Getting Started to Integration
Static Analysis: From Getting Started to IntegrationStatic Analysis: From Getting Started to Integration
Static Analysis: From Getting Started to IntegrationAndrey Karpov
 
Static analysis as part of the development process in Unreal Engine
Static analysis as part of the development process in Unreal EngineStatic analysis as part of the development process in Unreal Engine
Static analysis as part of the development process in Unreal EnginePVS-Studio
 
How we test the code analyzer
How we test the code analyzerHow we test the code analyzer
How we test the code analyzerPVS-Studio
 
Seven testing principles
Seven testing principlesSeven testing principles
Seven testing principlesVaibhav Dash
 

Recomendados

Static analysis is most efficient when being used regularly. We'll tell you w...
Static analysis is most efficient when being used regularly. We'll tell you w...Static analysis is most efficient when being used regularly. We'll tell you w...
Static analysis is most efficient when being used regularly. We'll tell you w...Andrey Karpov
 
Regular use of static code analysis in team development
Regular use of static code analysis in team developmentRegular use of static code analysis in team development
Regular use of static code analysis in team developmentPVS-Studio
 
Regular use of static code analysis in team development
Regular use of static code analysis in team developmentRegular use of static code analysis in team development
Regular use of static code analysis in team developmentAndrey Karpov
 
Regular use of static code analysis in team development
Regular use of static code analysis in team developmentRegular use of static code analysis in team development
Regular use of static code analysis in team developmentPVS-Studio
 
Static Analysis: From Getting Started to Integration
Static Analysis: From Getting Started to IntegrationStatic Analysis: From Getting Started to Integration
Static Analysis: From Getting Started to IntegrationAndrey Karpov
 
Static analysis as part of the development process in Unreal Engine
Static analysis as part of the development process in Unreal EngineStatic analysis as part of the development process in Unreal Engine
Static analysis as part of the development process in Unreal EnginePVS-Studio
 
How we test the code analyzer
How we test the code analyzerHow we test the code analyzer
How we test the code analyzerPVS-Studio
 
Seven testing principles
Seven testing principlesSeven testing principles
Seven testing principlesVaibhav Dash
 
Some Commonly Asked Question For Software Testing
Some Commonly Asked Question For Software TestingSome Commonly Asked Question For Software Testing
Some Commonly Asked Question For Software TestingKumari Warsha Goel
 
Principles of software testing
Principles of software testingPrinciples of software testing
Principles of software testingSoftware Testing Books
 
7 testing principles
7 testing principles7 testing principles
7 testing principlesTesting Expert
 
Formal method
Formal methodFormal method
Formal methodSara Malik
 
Muwanika rogers (software testing) muni university
Muwanika rogers (software testing) muni universityMuwanika rogers (software testing) muni university
Muwanika rogers (software testing) muni universityrogers muwanika
 
TestDrivenDeveloment
TestDrivenDevelomentTestDrivenDeveloment
TestDrivenDevelomentAntonio Tapper
 
Testing a GPS application | Testbytes
Testing a GPS application | TestbytesTesting a GPS application | Testbytes
Testing a GPS application | TestbytesTestbytes
 
How we test the code analyzer
How we test the code analyzerHow we test the code analyzer
How we test the code analyzerPVS-Studio
 
SOFTWARE TESTING UNIT-4
SOFTWARE TESTING UNIT-4 SOFTWARE TESTING UNIT-4
SOFTWARE TESTING UNIT-4 Mohammad Faizan
 
Tech talks annual 2015 izzet mustafayev_performance testing - the way to make...
Tech talks annual 2015 izzet mustafayev_performance testing - the way to make...Tech talks annual 2015 izzet mustafayev_performance testing - the way to make...
Tech talks annual 2015 izzet mustafayev_performance testing - the way to make...TechTalks
 
FADHILLA ELITA Ppt Chapter 1
FADHILLA ELITA Ppt Chapter 1FADHILLA ELITA Ppt Chapter 1
FADHILLA ELITA Ppt Chapter 1fadhilla elita
 
Software testing methods
Software testing methodsSoftware testing methods
Software testing methodsDonato Di Pierro
 
Effective Testing fo Startups
Effective Testing fo StartupsEffective Testing fo Startups
Effective Testing fo StartupsTestnetic
 
Lesson 4...Bug Life Cycle
Lesson 4...Bug Life CycleLesson 4...Bug Life Cycle
Lesson 4...Bug Life Cyclebhushan Nehete
 
Unit Testing
Unit TestingUnit Testing
Unit TestingFrançois Camus
 
Eclipse Day India 2015 - Eclipse RCP testing using Jubula based automation
Eclipse Day India 2015 - Eclipse RCP testing using Jubula based automationEclipse Day India 2015 - Eclipse RCP testing using Jubula based automation
Eclipse Day India 2015 - Eclipse RCP testing using Jubula based automationEclipse Day India
 
Test driven development
Test driven developmentTest driven development
Test driven developmentnamkha87
 
Myth vs Reality: Understanding AI/ML for QA Automation - w/ Jonathan Lipps
Myth vs Reality: Understanding AI/ML for QA Automation - w/ Jonathan LippsMyth vs Reality: Understanding AI/ML for QA Automation - w/ Jonathan Lipps
Myth vs Reality: Understanding AI/ML for QA Automation - w/ Jonathan LippsApplitools
 
Manual testing interview questions and answers
Manual testing interview questions and answersManual testing interview questions and answers
Manual testing interview questions and answersTestbytes
 
Automated testing web application
Automated testing web applicationAutomated testing web application
Automated testing web applicationKiattikhun Prathumma
 
Designing Teams for Emerging Challenges
Designing Teams for Emerging ChallengesDesigning Teams for Emerging Challenges
Designing Teams for Emerging ChallengesAaron Irizarry
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesUX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesNed Potter
 

Mais conteúdo relacionado

Mais procurados

Some Commonly Asked Question For Software Testing
Some Commonly Asked Question For Software TestingSome Commonly Asked Question For Software Testing
Some Commonly Asked Question For Software TestingKumari Warsha Goel
 
Muwanika rogers (software testing) muni university
Muwanika rogers (software testing) muni universityMuwanika rogers (software testing) muni university
Muwanika rogers (software testing) muni universityrogers muwanika
 
Testing a GPS application | Testbytes
Testing a GPS application | TestbytesTesting a GPS application | Testbytes
Testing a GPS application | TestbytesTestbytes
 
How we test the code analyzer
How we test the code analyzerHow we test the code analyzer
How we test the code analyzerPVS-Studio
 
SOFTWARE TESTING UNIT-4
SOFTWARE TESTING UNIT-4 SOFTWARE TESTING UNIT-4
SOFTWARE TESTING UNIT-4 Mohammad Faizan
 
Tech talks annual 2015 izzet mustafayev_performance testing - the way to make...
Tech talks annual 2015 izzet mustafayev_performance testing - the way to make...Tech talks annual 2015 izzet mustafayev_performance testing - the way to make...
Tech talks annual 2015 izzet mustafayev_performance testing - the way to make...TechTalks
 
FADHILLA ELITA Ppt Chapter 1
FADHILLA ELITA Ppt Chapter 1FADHILLA ELITA Ppt Chapter 1
FADHILLA ELITA Ppt Chapter 1fadhilla elita
 
Effective Testing fo Startups
Effective Testing fo StartupsEffective Testing fo Startups
Effective Testing fo StartupsTestnetic
 
Lesson 4...Bug Life Cycle
Lesson 4...Bug Life CycleLesson 4...Bug Life Cycle
Lesson 4...Bug Life Cyclebhushan Nehete
 
Eclipse Day India 2015 - Eclipse RCP testing using Jubula based automation
Eclipse Day India 2015 - Eclipse RCP testing using Jubula based automationEclipse Day India 2015 - Eclipse RCP testing using Jubula based automation
Eclipse Day India 2015 - Eclipse RCP testing using Jubula based automationEclipse Day India
 
Test driven development
Test driven developmentTest driven development
Test driven developmentnamkha87
 
Myth vs Reality: Understanding AI/ML for QA Automation - w/ Jonathan Lipps
Myth vs Reality: Understanding AI/ML for QA Automation - w/ Jonathan LippsMyth vs Reality: Understanding AI/ML for QA Automation - w/ Jonathan Lipps
Myth vs Reality: Understanding AI/ML for QA Automation - w/ Jonathan LippsApplitools
 
Manual testing interview questions and answers
Manual testing interview questions and answersManual testing interview questions and answers
Manual testing interview questions and answersTestbytes
 

Mais procurados (20)

Some Commonly Asked Question For Software Testing
Some Commonly Asked Question For Software TestingSome Commonly Asked Question For Software Testing
Some Commonly Asked Question For Software Testing
 
Principles of software testing
Principles of software testingPrinciples of software testing
Principles of software testing
 
7 testing principles
7 testing principles7 testing principles
7 testing principles
 
Formal method
Formal methodFormal method
Formal method
 
Muwanika rogers (software testing) muni university
Muwanika rogers (software testing) muni universityMuwanika rogers (software testing) muni university
Muwanika rogers (software testing) muni university
 
TestDrivenDeveloment
TestDrivenDevelomentTestDrivenDeveloment
TestDrivenDeveloment
 
Testing a GPS application | Testbytes
Testing a GPS application | TestbytesTesting a GPS application | Testbytes
Testing a GPS application | Testbytes
 
How we test the code analyzer
How we test the code analyzerHow we test the code analyzer
How we test the code analyzer
 
SOFTWARE TESTING UNIT-4
SOFTWARE TESTING UNIT-4 SOFTWARE TESTING UNIT-4
SOFTWARE TESTING UNIT-4
 
Tech talks annual 2015 izzet mustafayev_performance testing - the way to make...
Tech talks annual 2015 izzet mustafayev_performance testing - the way to make...Tech talks annual 2015 izzet mustafayev_performance testing - the way to make...
Tech talks annual 2015 izzet mustafayev_performance testing - the way to make...
 
FADHILLA ELITA Ppt Chapter 1
FADHILLA ELITA Ppt Chapter 1FADHILLA ELITA Ppt Chapter 1
FADHILLA ELITA Ppt Chapter 1
 
Software testing methods
Software testing methodsSoftware testing methods
Software testing methods
 
Effective Testing fo Startups
Effective Testing fo StartupsEffective Testing fo Startups
Effective Testing fo Startups
 
Lesson 4...Bug Life Cycle
Lesson 4...Bug Life CycleLesson 4...Bug Life Cycle
Lesson 4...Bug Life Cycle
 
Unit Testing
Unit TestingUnit Testing
Unit Testing
 
Eclipse Day India 2015 - Eclipse RCP testing using Jubula based automation
Eclipse Day India 2015 - Eclipse RCP testing using Jubula based automationEclipse Day India 2015 - Eclipse RCP testing using Jubula based automation
Eclipse Day India 2015 - Eclipse RCP testing using Jubula based automation
 
Test driven development
Test driven developmentTest driven development
Test driven development
 
Myth vs Reality: Understanding AI/ML for QA Automation - w/ Jonathan Lipps
Myth vs Reality: Understanding AI/ML for QA Automation - w/ Jonathan LippsMyth vs Reality: Understanding AI/ML for QA Automation - w/ Jonathan Lipps
Myth vs Reality: Understanding AI/ML for QA Automation - w/ Jonathan Lipps
 
Manual testing interview questions and answers
Manual testing interview questions and answersManual testing interview questions and answers
Manual testing interview questions and answers
 
Automated testing web application
Automated testing web applicationAutomated testing web application
Automated testing web application
 

Destaque

Designing Teams for Emerging Challenges
Designing Teams for Emerging ChallengesDesigning Teams for Emerging Challenges
Designing Teams for Emerging ChallengesAaron Irizarry
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesUX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesNed Potter
 
Study: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving CarsStudy: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving CarsLinkedIn
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with DataSeth Familian
 
Hype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerHype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerLuminary Labs
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017Drift
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheLeslie Samuel
 

Destaque (7)

Designing Teams for Emerging Challenges
Designing Teams for Emerging ChallengesDesigning Teams for Emerging Challenges
Designing Teams for Emerging Challenges
 
UX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and ArchivesUX, ethnography and possibilities: for Libraries, Museums and Archives
UX, ethnography and possibilities: for Libraries, Museums and Archives
 
Study: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving CarsStudy: The Future of VR, AR and Self-Driving Cars
Study: The Future of VR, AR and Self-Driving Cars
 
Visual Design with Data
Visual Design with DataVisual Design with Data
Visual Design with Data
 
Hype vs. Reality: The AI Explainer
Hype vs. Reality: The AI ExplainerHype vs. Reality: The AI Explainer
Hype vs. Reality: The AI Explainer
 
3 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 20173 Things Every Sales Team Needs to Be Thinking About in 2017
3 Things Every Sales Team Needs to Be Thinking About in 2017
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
 

Semelhante a Static analysis is most efficient when being used regularly. We'll tell you why...

An ideal static analyzer, or why ideals are unachievable
An ideal static analyzer, or why ideals are unachievableAn ideal static analyzer, or why ideals are unachievable
An ideal static analyzer, or why ideals are unachievablePVS-Studio
 
0136 ideal static_analyzer
0136 ideal static_analyzer0136 ideal static_analyzer
0136 ideal static_analyzerPVS-Studio
 
Three Interviews About Static Code Analyzers
Three Interviews About Static Code AnalyzersThree Interviews About Static Code Analyzers
Three Interviews About Static Code AnalyzersAndrey Karpov
 
Difficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityDifficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityAndrey Karpov
 
Difficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityDifficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityPVS-Studio
 
Difficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityDifficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityPVS-Studio
 
What do static analysis and search engines have in common? A good "top"!
What do static analysis and search engines have in common? A good "top"!What do static analysis and search engines have in common? A good "top"!
What do static analysis and search engines have in common? A good "top"!PVS-Studio
 
Static analysis and ROI
Static analysis and ROIStatic analysis and ROI
Static analysis and ROIPVS-Studio
 
Static analysis and ROI
Static analysis and ROIStatic analysis and ROI
Static analysis and ROIAndrey Karpov
 
PVS-Studio advertisement - static analysis of C/C++ code
PVS-Studio advertisement - static analysis of C/C++ codePVS-Studio advertisement - static analysis of C/C++ code
PVS-Studio advertisement - static analysis of C/C++ codePVS-Studio
 
Testing Hourglass at Jira Frontend - by Alexey Shpakov, Sr. Developer @ Atlas...
Testing Hourglass at Jira Frontend - by Alexey Shpakov, Sr. Developer @ Atlas...Testing Hourglass at Jira Frontend - by Alexey Shpakov, Sr. Developer @ Atlas...
Testing Hourglass at Jira Frontend - by Alexey Shpakov, Sr. Developer @ Atlas...Applitools
 
Problems of testing 64-bit applications
Problems of testing 64-bit applicationsProblems of testing 64-bit applications
Problems of testing 64-bit applicationsPVS-Studio
 
PVS-Studio confesses its love for Linux
PVS-Studio confesses its love for LinuxPVS-Studio confesses its love for Linux
PVS-Studio confesses its love for LinuxPVS-Studio
 
War of the Machines: PVS-Studio vs. TensorFlow
War of the Machines: PVS-Studio vs. TensorFlowWar of the Machines: PVS-Studio vs. TensorFlow
War of the Machines: PVS-Studio vs. TensorFlowPVS-Studio
 
PVS-Studio for Visual C++
PVS-Studio for Visual C++PVS-Studio for Visual C++
PVS-Studio for Visual C++PVS-Studio
 
PVS-Studio for Visual C++
PVS-Studio for Visual C++PVS-Studio for Visual C++
PVS-Studio for Visual C++Andrey Karpov
 
PVS-Studio Has Finally Got to Boost
PVS-Studio Has Finally Got to BoostPVS-Studio Has Finally Got to Boost
PVS-Studio Has Finally Got to BoostAndrey Karpov
 
Testing parallel programs
Testing parallel programsTesting parallel programs
Testing parallel programsPVS-Studio
 
New Year PVS-Studio 6.00 Release: Scanning Roslyn
New Year PVS-Studio 6.00 Release: Scanning RoslynNew Year PVS-Studio 6.00 Release: Scanning Roslyn
New Year PVS-Studio 6.00 Release: Scanning RoslynPVS-Studio
 
PVS-Studio's New Message Suppression Mechanism
PVS-Studio's New Message Suppression MechanismPVS-Studio's New Message Suppression Mechanism
PVS-Studio's New Message Suppression MechanismAndrey Karpov
 

Semelhante a Static analysis is most efficient when being used regularly. We'll tell you why... (20)

An ideal static analyzer, or why ideals are unachievable
An ideal static analyzer, or why ideals are unachievableAn ideal static analyzer, or why ideals are unachievable
An ideal static analyzer, or why ideals are unachievable
 
0136 ideal static_analyzer
0136 ideal static_analyzer0136 ideal static_analyzer
0136 ideal static_analyzer
 
Three Interviews About Static Code Analyzers
Three Interviews About Static Code AnalyzersThree Interviews About Static Code Analyzers
Three Interviews About Static Code Analyzers
 
Difficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityDifficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usability
 
Difficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityDifficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usability
 
Difficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usabilityDifficulties of comparing code analyzers, or don't forget about usability
Difficulties of comparing code analyzers, or don't forget about usability
 
What do static analysis and search engines have in common? A good "top"!
What do static analysis and search engines have in common? A good "top"!What do static analysis and search engines have in common? A good "top"!
What do static analysis and search engines have in common? A good "top"!
 
Static analysis and ROI
Static analysis and ROIStatic analysis and ROI
Static analysis and ROI
 
Static analysis and ROI
Static analysis and ROIStatic analysis and ROI
Static analysis and ROI
 
PVS-Studio advertisement - static analysis of C/C++ code
PVS-Studio advertisement - static analysis of C/C++ codePVS-Studio advertisement - static analysis of C/C++ code
PVS-Studio advertisement - static analysis of C/C++ code
 
Testing Hourglass at Jira Frontend - by Alexey Shpakov, Sr. Developer @ Atlas...
Testing Hourglass at Jira Frontend - by Alexey Shpakov, Sr. Developer @ Atlas...Testing Hourglass at Jira Frontend - by Alexey Shpakov, Sr. Developer @ Atlas...
Testing Hourglass at Jira Frontend - by Alexey Shpakov, Sr. Developer @ Atlas...
 
Problems of testing 64-bit applications
Problems of testing 64-bit applicationsProblems of testing 64-bit applications
Problems of testing 64-bit applications
 
PVS-Studio confesses its love for Linux
PVS-Studio confesses its love for LinuxPVS-Studio confesses its love for Linux
PVS-Studio confesses its love for Linux
 
War of the Machines: PVS-Studio vs. TensorFlow
War of the Machines: PVS-Studio vs. TensorFlowWar of the Machines: PVS-Studio vs. TensorFlow
War of the Machines: PVS-Studio vs. TensorFlow
 
PVS-Studio for Visual C++
PVS-Studio for Visual C++PVS-Studio for Visual C++
PVS-Studio for Visual C++
 
PVS-Studio for Visual C++
PVS-Studio for Visual C++PVS-Studio for Visual C++
PVS-Studio for Visual C++
 
PVS-Studio Has Finally Got to Boost
PVS-Studio Has Finally Got to BoostPVS-Studio Has Finally Got to Boost
PVS-Studio Has Finally Got to Boost
 
Testing parallel programs
Testing parallel programsTesting parallel programs
Testing parallel programs
 
New Year PVS-Studio 6.00 Release: Scanning Roslyn
New Year PVS-Studio 6.00 Release: Scanning RoslynNew Year PVS-Studio 6.00 Release: Scanning Roslyn
New Year PVS-Studio 6.00 Release: Scanning Roslyn
 
PVS-Studio's New Message Suppression Mechanism
PVS-Studio's New Message Suppression MechanismPVS-Studio's New Message Suppression Mechanism
PVS-Studio's New Message Suppression Mechanism
 

Último

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 

Último (20)

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 

Static analysis is most efficient when being used regularly. We'll tell you why...

  • 1. Static analysis is most efficient when being used regularly. We'll tell you why... Author: Evgeniy Ryzhkov Date: 22.04.2013 Some of our users run static analysis only occasionally. They find new errors in their code and, feeling glad about this, willingly renew PVS-Studio licenses. I should feel glad too, shouldn't I? But I feel sad - because you get only 10-20% of the tool's efficiency when using it in such a way, while you could obtain at least 80-90% if you used it otherwise. In this post I will tell you about the most common mistake among users of static code analysis tools. Discovering static analysis Let's at first discuss the simplest scenario which is the most common with those who try the static code analysis technology for the first time. Some member of a developer team once came across an article, or a conference lecture, or even an advertisement of some static analyzer and decided to try it on his/her project. I'm not telling about PVS-Studio in particular - it might be any static analysis tool. Now the programmer, more or less easily, deploys a static analysis system and launches code analysis. The following consequences are possible: • The tool fails to work. It doesn't pick up the project settings, or gathers the environment parameters incorrectly, or fails in any other way. The user naturally grows less inclined to trust it. • The tool performs the check successfully and generates some diagnostic messages. The user studies them and finds them irrelevant. It doesn't mean that the tool is absolutely poor; it just has failed to demonstrate its strong points on this particular project. Perhaps it should be given a chance with another one. • The tool generates a few relevant messages (among others) which obviously indicate that genuine bugs are present in the code. Strictly speaking, it's in the third case, when something real is found, that the team starts using a tool in practice. The biggest mistake you can make when adopting static analysis But one may make a great mistake at this point when integrating static analysis into the development process: namely, you may accept a practice to run static analysis before every release, for instance. Or run it once a month. Let's see why such an approach is bad: First, since you don't use the false positive suppression mechanism, you will see the same old false positives again and again. And therefore you will have to waste time to investigate them. The more messages the analyzer generates, the less focused the programmer is. Second, diagnostic messages are generated even for the code which you didn't touch between the checks. This means you'll get even more messages to examine.
  • 2. Third, and most important, with such an approach you won't get the static analyzer to find all those errors you were catching through other methods for so long and with so much sadness between two checks. This thing is very important, and I want to discuss it in detail. It should be done also because it is the thing people forget about when estimating the usefulness of static analysis. See the next section. A fallacy: "Efficiency of static analysis can be estimated by comparing analysis results for the last year's code base release and the current one" Some programmers suggest using this method to estimate efficiency of static code analysis. Imagine a team working on some project for several years. It keeps all the project release versions (1.0, 1.1., 1.2, etc.). It is suggested that they get the latest version of some code analyzer and run it on the last year's project source codes - say, version 1.3. Then the same version of the static analyzer should be run on the latest code base release - let it be version 1.7. After that we get two reports by the analyzer. We study the first report to find out that the older project contains 50 genuine errors. Then we study the second report and see that the latest project contains 20 bugs out of those 50 ones (and some new ones, of course). It means that 50-20 = 30 bugs have been fixed through alternative methods without using the analyzer. These errors could have been found, for instance, through manual testing, or by users when working with the release version, or otherwise. We draw a conclusion that the static analyzer could have helped to quickly detect and fix 30 errors. If this number is pretty large for the project and developers' time is expensive, we may estimate economic efficiency of purchasing and using the static code analyzer. This approach to economic efficiency estimation is absolutely incorrect! You cannot use it to evaluate a static analyzer! The reason is that you make several errors at once when trying to do that. First, you don't take into account those bugs which have been added into version 1.4 of the code base and eliminated in version 1.6. You may argue: "Then we should compare two releases in succession, for example 1.4 and 1.5!". But it is wrong too, since you don't take account of errors which appeared after release 1.4 and were fixed before release 1.5. Second, code base release versions are in themselves already debugged and contain few bugs - unlike the current version the developers are working on. I believe the release wasn't as buggy and crash- prone, was it? You surely fix bugs between releases, but you detect them through other methods which are naturally more expensive. Here we should remind you of the table demonstrating the dependency of the cost of bug fixes on the time they were added into the code and detected. You should understand that running static analysis only "before a release" automatically increases the cost of bug fixes. Thus, you cannot truly evaluate efficiency of static analysis by simply running it on the last year's code base release and the current one and comparing the results. Tips on how to obtain the maximum benefit when adopting static analysis During the time we have been working in the field of static code analysis, we have worked out several practices to obtain the maximum benefit from using static analysis tools. Although I will specify how these mechanisms are supported in PVS-Studio, the tips can be used with any other static analysis tool.
  • 3. Mark false positives to get fewer messages to study the next time Any static code analyzer generates false positives. This is the nature of the tool and it can't be helped. Of course, everybody tries to reduce the number of false positives, but you can't make it zero. In order not to get the same false positives again and again, a good tool provides you with a mechanism to suppress them. You can simply mark a message with "false positive" and thus tell the analyzer not to generate it at the next check. In PVS-Studio, it is the "Mark As False Alarm" function responsible for this. See the documentation section Suppression of false alarms for details. Despite being very simple, this recommendation may help you to save much time. Moreover, you will stay more focused when you have fewer messages to examine. Use incremental analysis (automated check of freshly recompiled files) The effective way of handling incremental analysis is to integrate it into IDE for the tool to be able to be launched automatically when compiling freshly modified files. Ideally, incremental analysis should be run by all the developers currently working on the code base on their computers. In this case, many bugs will be detected and fixed before the code gets into the version control system. This practice greatly reduces the "cost of bug fixes". PVS-Studio supports the incremental analysis mode. Check files modified in the last several days If you for some reason cannot install the analyzer on all the developers' computers, you may check the code once in several days. In order not to get a pile of messages referring to old files, static analysis tools provide the option "check files modified in the last N days". You can set it to 3 days, for example. Although from the technical viewpoint nothing prevents you from setting this parameter to any number (say, 7 or 10 days), we don't recommend you to do that. When you check the code just once in 10 days, you repeat the "occasional use of the tool" mistake. You see, if a bug is added today, found by testers tomorrow, described in the bug-tracker the day after tomorrow, and fixed in 5 days, running analysis once in 10 days will be useless. But the capability of checking the code once in two or three days may appear very useful. PVS-Studio supports this option - see the settings command "Check only Files Modified In". Set the static analyzer to run every night on the build server Regardless of whether or not you use incremental analysis on every developer's computer, a very useful practice is to perform a complete run of the analyzer on the whole code base every night. A highly important capability of the tool is therefore the capability of command line launch, which is of course supported in PVS-Studio. The more practices you follow, the greater effect you get Let's once again enumerate the tips on how to enhance efficiency of static code analysis: 1. Mark false positives to get fewer messages to study the next time. 2. Use incremental analysis (automated check of freshly recompiled files). 3. Check files modified in the last several days. 4. Set the static analyzer to run every night on the build server. If you follow all the four recommendations, you'll get the highest payback from investing into static analysis tools. Of course, it sometimes cannot be achieved due to various reasons, but you should certainly strive for it.