Follow this blog:: RSS; Email Alert

Software Engineer

Overview of Coverity Prevent Static Analysis

September 17, 2009, 3:56 AM PDT

Takeaway: In this quick look at Coverity Prevent Static Analysis, Justin James discusses what static analysis is and shares details about the tool.

A few weeks ago, I spoke with Mark Donsky, Director of Product Management, and Dave Peterson, Chief Marketing Officer, of Coverity to learn a little more about static analysis, particularly how it can help developers and how Coverity’s product, Coverity Prevent Static Analysis, fits into the marketplace. Coverity also performs a regular scanning of various open source projects, which has yielded some interesting results.

Static analysis is when you examine code to look for patterns without compiling the code. Early static analysis applications only checked the style of code for things such as variable naming, but modern static analysis tools do much more. For example, static analysis tools are able to look for patterns that will lead to performance issues or security holes. Using a static analysis program can significantly improve the quality of your code, although it will never be a replacement for a code review by an experienced developer.

Coverity’s tools look for the things that a QA team either will not find or would work very hard to find. Compared to other tools on the market, Coverity uses a significantly more sophisticated analysis that covers many more types of defects and has a lower rate of false positives. Lowering the rate of false positives is important because it wastes time for developers to check them out, and eventually the software gets ignored as a “boy who cried wolf.” To reduce the false positive rate, Coverity’s tools also perform path simulation, inter-procedural analysis, and check Boolean Satisfiability (SAT), which verifies if a found defect can be triggered in usage.

Visit the Coverity site for more information and to learn about the free trial of Coverity Prevent Static Analysis.

J.Ja

Disclosure of Justin’s industry affiliations: Justin James has a contract with Spiceworks to write product buying guides.

—————————————————————————————

Get weekly development tips in your inbox
Keep your developer skills sharp by signing up for TechRepublic’s free Web Developer newsletter, delivered each Tuesday. Automatically subscribe today!

Get IT Tips, news, and reviews delivered directly to your inbox by subscribing to TechRepublic’s free newsletters.

About Justin James

Justin James is an employee of Levit & James, Inc. in a multidisciplinary role that combines programming, network management, and system administration. He has been blogging at TechRepublic since 2005.

Full Bio
Disclosure
Contact

Hands-on programming: Using Bing from .NET

Programming news: Bug Battle results, PHP 5.2.11, MonoTouch

People who read this...

Comments

Add Your Opinion

Join the conversation!

Follow via:: RSS; Email Alert

See All Comments

Staff Picks
Top Rated
Most Recent
My Contacts

No messages found

0 Votes

+ -

Great Tool To Add To Your Process

cettech 22nd Sep 2009

We are just now implementing this product in our development process and it is a great tool to help weed out hard-to-find coding errors. The kinds of errors that it can find are amazing and they are ones that would be nearly impossible to adequately cover with a suite of test cases at runtime (since you couldn't possibly test every path in your code in an economical time).

As mentioned already, you should not rely solely on this product, but it should be part of a larger quality control process. It can be instrumental in improving your software during coding rather than later in testing or as rework via bug fixes which cost more.

There is one correction to the article -- the product DOES require compilation of your code. The C/C++ version requires a concurrent compilation with your compiler and Coverity's native compiler. The Java and C# versions use the respective native compiler.

View in thread

0 Votes

+ -

We use them as a standard part of the process

jslarochelle Updated - 20th Sep 2009

Both as part of the actual coding cycle and as part of the code review process (mandatory).
In Java we are lucky because there is an abundance of good open source tools. Findbugs is my favourite one. It detects violations to a number of Joshua Bloch's Effective Java Programming recommendations (items). It can detect resource leaks and a good number of other problems. At work it is mandatory as part of the code review process.
I also like to run a Metrics tool. This is now automated in the Ant build of a number of modules. I like to watch Cyclomatic complexity and more basic things like method length.
Recently I have added JDeodorant to the list of tools included in our Eclipse image. I like its Feature envy detector.
In code reviews I also use PMD's copy paste detector.
Of course as you pointed out those tools have limitations and in no way replace review by other programmer and other human intervention. But they are a great help.
Looking at C# world I see that it is catching up. This is a good thing for all users. I hope it eventually gets as many good open source projects.
JS

View in thread

0 Votes

+ -

Pro

Agreed..

QAonCall 17th Sep 2009

The last line hits the nail on the head! 'It is a good supplement'.

Your examples could have been found with other analysis, and better process first, before it was ever in code.

The problem is companies look for silver bullets they can buy, rather than developing stable processes, specifically in SDLC.

A PSP for the developers in Redmond would incorporate a checklist of their and their departments top 10 'opportunities' and before the developer checked in his code, if 'strcpy' was on the list, the developer would have reviewed the list, and made the correction, if he didn't, then he is 'sub par' in his performance, with a measurable way of fixing the underlying problem.

People fix things, tools point them out.

I guess the question is really about cost...and whether you believe that tools will ever keep up with human learning...

View in thread

Once logged in, adding contacts is simple. Just mouse over any member's photo or click any member's name then click the "Follow" button. You can easily manage your contacts within your account contacts page.

See all comments