Design Article
Using static code analysis for Agile software development
Andrew Yang
3/23/2010 2:10 AM EDT
One of the most prominent commercial uses of static analysis is for defect detection. Vendors like Coverity, Klocwork, Fortify Software and others have sophisticated products that analyze the structure of the code and detect anomalies that can lead to real bugs.
For instance, many of these products can analyze paths in the code to find situations where memory may be allocated but not freed, signaling a potential memory leak. There are many other types of checks that can be performed to detect program crashes, security vulnerabilities, concurrency problems and more just by examining the source code.
Source code analysis appears to be a silver bullet for software quality and security. It doesn't operate at runtime so it requires no test cases. Therefore, you can find interesting problems even before the code is remotely operational.
It also finds problems right in the source code, pointing to the specific line in the code to where the problem exists. It doesn't get much easier to identify and fix problems. By contrast, fixing a bug reported in the field often requires a good testcase and a debugging process to locate the specific problem. It can take days to find and fix a bug.
Of course, source code analysis is not without its challenges, namely that it finds problems by making educated guesses. While the algorithms may be sophisticated, it has no knowledge of artifacts outside of the actual source code, such as assumptions in the environment or code that might be linked in afterwards.
The analysis may simply not have strong enough algorithms to handle strange and complex code. This can lead to false positives " bugs reported by the tool which are not in fact, bugs.
Older static analysis tools were notoriously "noisy", producing thousands of false positives that rendered the tools unusable. Modern source code analysis tools are significantly better but can still generate a lot of noise if not configured properly for the specific code they are analyzing.
In addition, process, organizational, tool chain integration, performance, tool configuration and other such considerations greatly affect the effective use and adoption of source code analysis.
Keep in mind also that source code analysis is designed to find defects in coding. It is a highly useful verification tool in the quality and security arsenal but not a good validation tool. It does not determine that code has met business requirements. Source code analysis helps existing quality practices, such as code review, but does not replace them.
|
|
|
|
|
Ray Keefe
3/26/2010 6:53 PM EDT
There are basic practices that are constantly shown to improve software development efficiency and to shorten software development cycles yet it seems so hard to get them adopted in daily practice.
We develop custom electronics and the embedded software that ruins on it and find that design reviews, code reviews, unit testing and static analysis saves us a lot of time. We also do system simulation using mocks which allows development testing prior to hardware availability.
Yet I recently had to let someone go because they would just not do it. They were intelligent, worked really hard and poured them selves into everything they did but after 2 months still would not do any of it. Their productivity was half of anybody else on the team, and nearly all the defects we are now fixing are in the code they wrote.
So we are completely convinced of the advantages of using these methods and the mindset that goes with them. It both reduces development time and defects at the same time.
Ray Keefe
Successful Endeavours Pty Ltd
http://www.successful.com.au
Sign in to Reply