To get a trial key
fill out the form below
Team License (standard version)
Enterprise License (extended version)
* By clicking this button you agree to our Privacy Policy statement

** This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Request our prices
New License
License Renewal
--Select currency--
USD
EUR
GBP
RUB
* By clicking this button you agree to our Privacy Policy statement

** This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Message submitted.

Your message has been sent. We will email you at


If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

>
>
Myths about static analysis. The first …

Myths about static analysis. The first myth - a static analyzer is a single-use product

Nov. 1, 2011
Author:

While communicating with people on forums, I noticed there are a few lasting misconceptions concerning the static analysis methodology. I decided to write a series of brief articles where I want to show you the real state of things.

The first myth is: "A static analyzer is a single-use product".

This is how this statement looks in discussions on forums (this is a collective image):

When you have a trial/cracked version, you can run it for free on all your projects to find several old errors and feel satisfied for some time.

Everyone's happy. People have used the tool, and the developers don't know they were cheated and robbed.

In this case, a programmer cheats himself/herself, not the tool's developers. The programmer just got a seeming profit from the work done, but not the real profit. I cannot manage to bring this idea home to programmers but I will continue trying. There is no use of launching a static analyzer occasionally.

Here is an analogy:

We set the /W0 warning level in compiler and start to develop a project. We curse, fix silly mistakes and misprints and test our code more and longer. Then we occasionally turn on the /W3 switch and fight the warnings and then again set /W0. All those errors the compiler could tell us about at the /W3 level, we were bravely and long searching for in the debugger, having spent 10-100 times more time on that. Besides, note that now the programmer does not like the results given at the /W3 level, for he/she has fixed almost all the errors through testing and debugging. The compiler generates mostly false reports at the /W3 level.

Now let's go back to static analysis. The situation is absolutely the same: an analyzer produces a lot of false reports, being launched on rare occasions. There are few real errors because they have been already found through other methods.

Like the /W3 switch, static analysis brings maximum profit when being used regularly. By the way, static analysis is kind of an extension of compiler-generated warnings. Many diagnostic rules that were once implemented in old analyzers gradually pass to compilers. Of course, analyzers will always be ahead of compilers regarding the diagnostic capabilities; they are developed for this very purpose. The compiler has a lot of other tasks; moreover, it is imposed stricter performance requirements.

Some people give the following answer in the heat of discussion:

The idea is true for novice students. But it's not so much important for expert programmers. If I set the /W0 switch, I won't write worse code. You should improve your programming style instead of getting more crutches.

I absolutely agree with the idea above. But let's play a bit and alter this text in the following way:

The idea is true for novice drivers. But it's not so much important for expert drivers. If I don't buckle up at the wheel, I won't drive worse. You should improve your driving style instead of getting more safety components.

Again, you can't argue against that. However, any adequately thinking driver understands that one still should buckle up when driving a car. The same is with static code analysis. Even a skilled programmer is not secure from mistakes and misprints. Examples given in this article confirm my idea very well. Certainly, all the professional programmers are sure that they never make such silly mistakes, but we'll speak on this point in the next post about myths.

Popular related articles
The way static analyzers fight against false positives, and why they do it

Date: 03.20.2017

Author: Andrey Karpov

In my previous article I wrote that I don't like the approach of evaluating the efficiency of static analyzers with the help of synthetic tests. In that article, I give the example of a code fragment…
How PVS-Studio Proved to Be More Attentive Than Three and a Half Programmers

Date: 10.22.2018

Author: Andrey Karpov

Just like other static analyzers, PVS-Studio often produces false positives. What you are about to read is a short story where I'll tell you how PVS-Studio proved, just one more time, to be more atte…
The Evil within the Comparison Functions

Date: 05.19.2017

Author: Andrey Karpov

Perhaps, readers remember my article titled "Last line effect". It describes a pattern I've once noticed: in most cases programmers make an error in the last line of similar text blocks. Now I want t…
Appreciate Static Code Analysis!

Date: 10.16.2017

Author: Andrey Karpov

I am really astonished by the capabilities of static code analysis even though I am one of the developers of PVS-Studio analyzer myself. The tool surprised me the other day as it turned out to be sma…
The Ultimate Question of Programming, Refactoring, and Everything

Date: 04.14.2016

Author: Andrey Karpov

Yes, you've guessed correctly - the answer is "42". In this article you will find 42 recommendations about coding in C++ that can help a programmer avoid a lot of errors, save time and effort. The au…
The Last Line Effect

Date: 05.31.2014

Author: Andrey Karpov

I have studied many errors caused by the use of the Copy-Paste method, and can assure you that programmers most often tend to make mistakes in the last fragment of a homogeneous code block. I have ne…
Characteristics of PVS-Studio Analyzer by the Example of EFL Core Libraries, 10-15% of False Positives

Date: 07.31.2017

Author: Andrey Karpov

After I wrote quite a big article about the analysis of the Tizen OS code, I received a large number of questions concerning the percentage of false positives and the density of errors (how many erro…
Free PVS-Studio for those who develops open source projects

Date: 12.22.2018

Author: Andrey Karpov

On the New 2019 year's eve, a PVS-Studio team decided to make a nice gift for all contributors of open-source projects hosted on GitHub, GitLab or Bitbucket. They are given free usage of PVS-Studio s…
PVS-Studio ROI

Date: 01.30.2019

Author: Andrey Karpov

Occasionally, we're asked a question, what monetary value the company will receive from using PVS-Studio. We decided to draw up a response in the form of an article and provide tables, which will sho…
PVS-Studio for Java

Date: 01.17.2019

Author: Andrey Karpov

In the seventh version of the PVS-Studio static analyzer, we added support of the Java language. It's time for a brief story of how we've started making support of the Java language, how far we've co…

Comments (0)

Next comments

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
This website uses cookies and other technology to provide you a more personalized experience. By continuing the view of our web-pages you accept the terms of using these files. If you don't want your personal data to be processed, please, leave this site.
Learn More →
Accept