Moved Permanently

The document has moved here.

Static code analysis

Static code analysis. A methodology of detecting errors in program code based on the programmer's reviewing the code marked by the analyzer in those places where potential errors may occur. In other words the static analysis tool detects in the program text the places containing or likely to contain errors, subject to errors or possessing bad formatting. Such code sections are to be considered by the programmer and he can decide whether to modify this program section or not. Static analyzers can be both of general purpose (for example, Microsoft PREFast, Gimpel PC-Lint, Parasoft C++Test) and specialized for searching certain error classes (for example, Chord for verifying parallel Java programs). Static analysis tools are usually rather expensive, they demand knowledge in using them and have rather complicated subsystems of setting and suppressing false messages. That's why static analyzers are usually used by companies with high development culture and mature software development processes. In return of complicated usage, static code analyzers allow developers to detect a lot of errors on the early steps of developing program code. Using static analysis methodology also disciplines programmers and helps control young employees' work.

The main advantage of static code analyzers use lies in the possibility of considerable cost saving of defects elimination in a program. The earlier an error is determined, the lower is the cost of its correction. Thus, according to the facts given in the book "Code Complete" by McConnell, correction of an error at the testing stage is ten times more expensive than its correction at the construction (coding) stage:

Figure 1. Average cost of defects correction depending on their time of writing and detection (data for the table taken from the book "Code Complete" by C. McConnell).

Static analysis tools allow to detect a large number of errors at the construction stage, and this considerably reduces the cost of the whole project development.

Our company, "Program Verification Systems", is engaged in the creation of solutions in the sphere of verification and static code analysis. The main program product of our company, PVS-Studio, is a static code analyzer for testing up-to-date and resource-intensive applications. The analyzer allows to diagnose the errors typical of 64-bit and parallel solutions, to help with applications optimization, and improve their security.

Besides, our company provides the following services on the basis of the available experience and projects in the sphere of code analysis:

• specialized code analyzers creation;
• application porting to 64-bit systems;
• code optimization and paralleling;
• program code quality assurance.

You can find more details about the possible variants of cooperation in the section "Services".

References

• Wikipedia "Static code analysis"
• Wikipedia "List of tools for static code analysis"
• Steve McConnell, "Code Complete, 2nd Edition" Microsoft Press, Paperback, 2nd edition, Published June 2004, 914 pages, ISBN: 0-7356-1967-0.
• By Walter W. Schilling, Jr. and Mansoor Alam. "Integrate static analysis into a software development process".