Myths about static analysis. The first myth - a static analyzer is a single-use product

Nov 01 2011
Author:

While communicating with people on forums, I noticed there are a few lasting misconceptions concerning the static analysis methodology. I decided to write a series of brief articles where I want to show you the real state of things.

The first myth is: "A static analyzer is a single-use product".

This is how this statement looks in forum discussions (a composite of several posts, not one exact quote):

When you have a trial/cracked version, you can run it for free on all your projects to find several old errors and feel satisfied for some time.

Everyone's happy. People have used the tool, and the developers don't know they were cheated and robbed.

In this case, it is the programmer who cheats himself/herself, not the tool's developers. The programmer got only the appearance of a benefit from the run, not a real one. I have not yet managed to bring this idea home to programmers, but I will keep trying. There is no point in launching a static analyzer only occasionally.

Here is an analogy:

We set the /W0 warning level in the compiler and start developing a project. We curse, fix silly mistakes and misprints, and spend more and more time testing our code. Then we occasionally turn on the /W3 switch, fight the warnings, and set /W0 again. All the errors the compiler could have told us about at the /W3 level we were bravely and long hunting for in the debugger, spending 10-100 times more time on that. Besides, note that the programmer now dislikes the results given at the /W3 level, because he/she has already fixed almost all the real errors through testing and debugging: at /W3 the compiler now produces mostly false reports.

Now let's go back to static analysis. The situation is exactly the same: when launched only on rare occasions, an analyzer produces a lot of false reports. There are few real errors left to find, because they have already been found through other, more expensive methods.

Like the /W3 switch, static analysis brings maximum profit when used regularly. By the way, static analysis is in a sense an extension of compiler warnings. Many diagnostic rules that were once implemented in analyzers gradually migrate into compilers. Of course, analyzers will always be ahead of compilers in diagnostic capabilities; they are developed for this very purpose. The compiler has many other tasks, and stricter performance requirements are imposed on it.
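The practical form of "use it regularly" is to run the analyzer on every build and fail the build only on findings that are new relative to a committed baseline, so an old backlog of warnings is never a reason to switch the tool off. The script below is an added example, not code from the article or from PVS-Studio; it assumes a constructed one-line-per-finding report format (`file:line:rule:message`) and placeholder rule IDs, and the sample reports are made up inline.

```shell
#!/bin/sh
# Added example (not from the article): a CI "ratchet" that keeps a static
# analyzer in every build by failing only on findings that are new relative
# to a committed baseline. The report format file:line:rule:message and the
# RULE-nnn identifiers are assumptions; adapt them to your analyzer's output.

# Constructed sample reports in a temporary directory, removed on exit.
SA_DIR=$(mktemp -d)
trap 'rm -rf "$SA_DIR"' EXIT

# Baseline committed at the time the analyzer was adopted (constructed).
cat > "$SA_DIR/baseline.txt" <<'EOF'
src/net.c:42:RULE-001:buffer length not checked before copy
src/parse.c:10:RULE-002:expression is always true
EOF

# Report from the current build (constructed): net.c finding was fixed,
# parse.c finding merely moved two lines down, auth.c finding is genuinely new.
cat > "$SA_DIR/current.txt" <<'EOF'
src/parse.c:12:RULE-002:expression is always true
src/auth.c:77:RULE-003:pointer dereferenced before null check
EOF

# normalize REPORT
# Drop the line-number field (second colon-separated field) and sort, so that
# the same finding reported on a shifted line is not counted as new.
normalize() {
    cut -d: -f1,3- "$1" | sort -u
}

# new_findings BASELINE CURRENT
# Print findings present in CURRENT but absent from BASELINE.
new_findings() {
    base_norm=$(mktemp)
    cur_norm=$(mktemp)
    normalize "$1" > "$base_norm"
    normalize "$2" > "$cur_norm"
    # comm -13 keeps only lines unique to the second (current) file.
    comm -13 "$base_norm" "$cur_norm"
    rm -f "$base_norm" "$cur_norm"
}

# count_new_findings BASELINE CURRENT
# Echo the number of new findings (0 when the build is clean).
count_new_findings() {
    new_findings "$1" "$2" | wc -l | tr -d ' '
}

# gate BASELINE CURRENT
# Return 0 when nothing new was introduced, 1 otherwise (listing the new
# findings on stderr so they show up in the CI log).
gate() {
    n=$(count_new_findings "$1" "$2")
    if [ "$n" -eq 0 ]; then
        return 0
    fi
    echo "$n new static-analysis finding(s) since baseline:" >&2
    new_findings "$1" "$2" >&2
    return 1
}

# Stand-alone demonstration; in a real pipeline the failure branch would exit 1.
if gate "$SA_DIR/baseline.txt" "$SA_DIR/current.txt"; then
    echo "no new findings; build may proceed"
else
    echo "new findings listed above; the build would be failed here" >&2
fi
```

Only the `src/auth.c` finding fails the gate: the fixed `net.c` finding simply disappears, and the `parse.c` finding that shifted from line 10 to line 12 is recognised as the same old one because line numbers are stripped before comparison. When a developer clears an old finding, the baseline is regenerated from the clean report, so the backlog only ever shrinks.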

Some people give the following answer in the heat of discussion:

The idea is true for novice students. But it's not so much important for expert programmers. If I set the /W0 switch, I won't write worse code. You should improve your programming style instead of getting more crutches.

I absolutely agree with the idea above. But let's play a bit and alter this text in the following way:

The idea is true for novice drivers. But it's not so much important for expert drivers. If I don't buckle up at the wheel, I won't drive worse. You should improve your driving style instead of getting more safety components.

Again, you can't argue against that. However, any sensible driver understands that one should still buckle up when driving a car. The same holds for static code analysis. Even a skilled programmer is not immune to mistakes and misprints. Examples given in this article confirm my idea very well. Certainly, all professional programmers are sure that they never make such silly mistakes, but we'll discuss this point in the next post about myths.
