To InformationWeek re: static code analysis

| 1 Comment

Sent to editor of DrDobbs/InformationWeek

I enjoy Sid Sidner's article on static code analysis tools, but was surprised to see two big omissions, especially as they may provide a low-cost point of entry to the organization just starting to look at static analysis.

First, PC-Lint is a relatively low-cost tool that does a fine job of C/C++ analysis. It's been around for years, and has found many C bugs in my code back in the early 90s. I've also been using the open source Splint, for years on the Perl 5 and Parrot open source projects. Although Splint's not nearly as complete a package as Coverity's Scan product (Coverity runs Scan on dozens of open source projects for free as a service to the community), it's a great introduction to the power of static code analysis tools. I also suggest readers check the "List of tools for static code analysis" page on Wikipedia.

Second, one crucial point missed is how any tool is going to require tuning. Splint will generate hundreds of errors in each source file on its first run on your code, since nobody in the real world is as pedantic as the tool is. Each organization will have to decide which policies are worth following, and which are just noise.

Finally, static code analysis isn't strictly for C++ and Java. Many dynamic languages have similar tools. For example, Perl::Critic is a fantastic tool for analysis of Perl code, as well as an extensible framework that lets each organization create custom policies to fit its own development practices.

1 Comment

You are right about lower cost ways to do static source code analysis and about other languages besides the big three. When we did the trade study, we didn't have a body of Perl that we needed to scan. Plus we wanted the reporting features of a centralized server for all our global development communities to feed into.

As Larry Wall always said "There's more that one way to do something."

And thanks for noting that I didn't mention tuning. You are so right. That is part of the educational process for the organization. All these tools have voodoo in their heuristics, and they aren't always right for your situation.

At any rate, I'm glad you liked the article.

Sid Sidner (aka TooTallSid)

Leave a comment

Job hunting for programmers


Land the Tech Job You Love, Andy Lester's guide to job hunting for programmers and other technical professionals, is available in PDF, ePub and .mobi formats, all DRM-free, as well as good old-fashioned paper.