To get a trial key
fill out the form below
Team License (a basic version)
Enterprise License (an extended version)
* By clicking this button you agree to our Privacy Policy statement

Request our prices
New License
License Renewal
--Select currency--
USD
EUR
RUB
* By clicking this button you agree to our Privacy Policy statement

Free PVS-Studio license for Microsoft MVP specialists
* By clicking this button you agree to our Privacy Policy statement

To get the licence for your open-source project, please fill out this form
* By clicking this button you agree to our Privacy Policy statement

I am interested to try it on the platforms:
* By clicking this button you agree to our Privacy Policy statement

Message submitted.

Your message has been sent. We will email you at


If you haven't received our response, please do the following:
check your Spam/Junk folder and click the "Not Spam" button for our message.
This way, you won't miss messages from our team in the future.

>
>
Myths about static analysis. The first …

Myths about static analysis. The first myth - a static analyzer is a single-use product

Nov 01 2011
Author:

While communicating with people on forums, I noticed there are a few lasting misconceptions concerning the static analysis methodology. I decided to write a series of brief articles where I want to show you the real state of things.

The first myth is: "A static analyzer is a single-use product".

This is how this statement looks in discussions on forums (this is a collective image):

When you have a trial/cracked version, you can run it for free on all your projects to find several old errors and feel satisfied for some time.

Everyone's happy. People have used the tool, and the developers don't know they were cheated and robbed.

In this case, a programmer cheats himself/herself, not the tool's developers. The programmer just got a seeming profit from the work done, but not the real profit. I cannot manage to bring this idea home to programmers but I will continue trying. There is no use of launching a static analyzer occasionally.

Here is an analogy:

We set the /W0 warning level in compiler and start to develop a project. We curse, fix silly mistakes and misprints and test our code more and longer. Then we occasionally turn on the /W3 switch and fight the warnings and then again set /W0. All those errors the compiler could tell us about at the /W3 level, we were bravely and long searching for in the debugger, having spent 10-100 times more time on that. Besides, note that now the programmer does not like the results given at the /W3 level, for he/she has fixed almost all the errors through testing and debugging. The compiler generates mostly false reports at the /W3 level.

Now let's go back to static analysis. The situation is absolutely the same: an analyzer produces a lot of false reports, being launched on rare occasions. There are few real errors because they have been already found through other methods.

Like the /W3 switch, static analysis brings maximum profit when being used regularly. By the way, static analysis is kind of an extension of compiler-generated warnings. Many diagnostic rules that were once implemented in old analyzers gradually pass to compilers. Of course, analyzers will always be ahead of compilers regarding the diagnostic capabilities; they are developed for this very purpose. The compiler has a lot of other tasks; moreover, it is imposed stricter performance requirements.

Some people give the following answer in the heat of discussion:

The idea is true for novice students. But it's not so much important for expert programmers. If I set the /W0 switch, I won't write worse code. You should improve your programming style instead of getting more crutches.

I absolutely agree with the idea above. But let's play a bit and alter this text in the following way:

The idea is true for novice drivers. But it's not so much important for expert drivers. If I don't buckle up at the wheel, I won't drive worse. You should improve your driving style instead of getting more safety components.

Again, you can't argue against that. However, any adequately thinking driver understands that one still should buckle up when driving a car. The same is with static code analysis. Even a skilled programmer is not secure from mistakes and misprints. Examples given in this article confirm my idea very well. Certainly, all the professional programmers are sure that they never make such silly mistakes, but we'll speak on this point in the next post about myths.

Popular related articles
PVS-Studio evolution: data flow analysis for related variables

Date: Apr 28 2022

Author: Nikita Lipilin

Related variables are one of the main problems of static analysis. This article covers this topic and describes how PVS-Studio developers are fighting false positives caused by different relationship…
SAST in Secure SDLC: 3 reasons to integrate it in a DevSecOps pipeline

Date: Apr 19 2022

Author: Sergey Vasiliev

Vulnerabilities produce enormous reputational and financial risks. That's why many companies are fascinated by security and desire to build a secure development life cycle (SSDLC). So, today we're go…
PVS-Studio: static code analysis technology

Date: Jan 11 2022

Author: Andrey Karpov, Paul Eremeev

PVS-Studio provides static analyzers for C, C++, C# and Java languages on Windows, Linux and macOS platforms. PVS-Studio analyzers can vary slightly due to certain features that the languages have. H…
How to speed up building and analyzing of your project with Incredibuild?

Date: May 17 2021

Author: Maxim Zvyagintsev

"How much longer are you going to build it?" - a phrase that every developer has uttered at least once in the middle of the night. Yes, a build can be long and there is no escaping it. One does not s…
GTK: the first analyzer run in figures

Date: Jan 04 2021

Author: Svyatoslav Razmyslov

For some people, the introduction of a static analyzer into a project seems like an insurmountable obstacle. It is widely believed that the amount of analysis results issued after the first run is so…

Comments (0)

Next comments
This website uses cookies and other technology to provide you a more personalized experience. By continuing the view of our web-pages you accept the terms of using these files. If you don't want your personal data to be processed, please, leave this site.
Learn More →
Accept