Usage of static analysis tools in software development is the new black.
The tools have been around for years, but recent advances in both algorithms and raw processing horsepower have made them practical.
There are a lot of tools on the market, of varying quality and price. There is quite a number of so-called open-source 'source code scanners' that go over your source looking for suspicious places. Their hit rate is usually too low to justify applying them to large code bases.
However, there is one thing you can do to boost your bug discovery rate, sometimes even for free.
Upgrade your compiler.
New versions of compilers are usually pickier and more sophisticated, and do more analysis.
Recently I was compiling an open source project that builds OK with gcc 3.2 but fails miserably with gcc 4.0.2. The newer gcc issued legitimate errors, many of which are apparent logical defects.
If you are a manager, or just a developer who wants to make code cleaner, remember this. Before you spend money on an expensive static analysis tool, make sure you first clean up the warnings issued by your compiler. Upgrade your compiler. Rinse and repeat. Once your code is squeaky clean for your compiler, go and buy a static analysis tool.
Why still buy one? Because there are only so many things a compiler can find. Commercial tools have frameworks built specifically for defect detection, whereas any non-trivial compiler warnings are mostly byproducts of the optimization passes. And by their nature compilers must be very, very conservative in their optimization, so they will never be as aggressive.
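To make the "clean up your warnings first" advice concrete, here is an added example (my own code, not from the project mentioned above) of two classic defects that a modern gcc reports with `-Wall`, each beside its corrected form. The first is an assignment where a comparison was meant (`-Wparentheses`); the second is `sizeof` applied to a pointer rather than the buffer it points to (`-Wsizeof-pointer-memaccess`, present in gcc 4.8 and later), which leaves most of a buffer uncleared. The buggy functions deliberately keep their warnings so you can watch `gcc -Wall -Wextra -Werror` reject them; the helper that counts stale bytes is mine and exists only to show the effect at run time.

```c
/* Added example: defects a stricter compiler flags, beside their fixes.
 * Build with: gcc -Wall -Wextra -Werror example.c   (the buggy forms fail)
 *             gcc example.c                          (builds, bugs stay)
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Defect 1: '=' where '==' was meant. gcc -Wall reports
 * "suggest parentheses around assignment used as truth value"
 * (-Wparentheses). The condition is always false, so success is
 * never reported and whatever relies on it silently misbehaves. */
int is_success_buggy(int status)
{
    if (status = 0)
        return 1;
    return 0;
}

/* Corrected form: a real comparison. */
int is_success_fixed(int status)
{
    if (status == 0)
        return 1;
    return 0;
}

/* Defect 2: sizeof of a pointer, not of the buffer it points to.
 * gcc -Wall (4.8+) reports this via -Wsizeof-pointer-memaccess.
 * Only sizeof(char *) bytes are zeroed; the rest of the buffer keeps
 * stale data, which is how secrets leak into later reuse of memory. */
void clear_buffer_buggy(char *buf, size_t len)
{
    (void)len;                      /* the real length is ignored */
    memset(buf, 0, sizeof(buf));    /* clears 4 or 8 bytes, not len */
}

/* Corrected form: clear the whole buffer using the length passed in. */
void clear_buffer_fixed(char *buf, size_t len)
{
    memset(buf, 0, len);
}

/* Helper (mine, for demonstration): fill a 64-byte buffer with 'A',
 * run the chosen clear routine over it, and return how many bytes are
 * still non-zero afterwards. */
size_t stale_bytes_after_clear(void (*clear)(char *, size_t))
{
    char buf[64];
    memset(buf, 'A', sizeof(buf));
    clear(buf, sizeof(buf));

    size_t stale = 0;
    for (size_t i = 0; i < sizeof(buf); i++)
        if (buf[i] != 0)
            stale++;
    return stale;
}

int main(void)
{
    printf("is_success_buggy(0) = %d (expected 1)\n", is_success_buggy(0));
    printf("is_success_fixed(0) = %d\n", is_success_fixed(0));
    printf("stale bytes after buggy clear: %zu\n",
           stale_bytes_after_clear(clear_buffer_buggy));
    printf("stale bytes after fixed clear: %zu\n",
           stale_bytes_after_clear(clear_buffer_fixed));
    return 0;
}
```

Neither defect is found by any clever analysis; both fall out of ordinary front-end checks that every recent gcc already performs. That is exactly why clearing the warning list costs nothing compared with a commercial tool, and why a code base that still builds with warnings has not yet earned one.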
Posted in frolov's blog
Submitted by frolov on Tue, 2006-03-21 12:00.