Comments on: Static Code Analysis: Inherently Labour-Intensive, Little Gain http://tech.chickenandporn.com/2009/07/10/static-code-analysis-inherently-labour-intensive-little-gain/ The Tech Part of my World Wed, 01 Feb 2012 09:21:12 +0000 hourly 1 http://wordpress.org/?v=3.3 By: allanc http://tech.chickenandporn.com/2009/07/10/static-code-analysis-inherently-labour-intensive-little-gain/comment-page-1/#comment-18 allanc Sat, 11 Jul 2009 16:17:21 +0000 http://tech.chickenandporn.com/?p=36#comment-18 Thanks, Andy. The re-birth of my blogging might only have one or two readers yet. I notice (in the VOIP testimonial) that your company includes Coverity tuning, Coverity being the tool preferred by the Original post that triggered my opinions. How do the tools you see get around the fact that edited code tends to require re-validation on false-positives that are already discussed, inspected? (the thing for which I suggest #pragmas above) Thanks, Andy. The re-birth of my blogging might only have one or two readers yet. I notice (in the VOIP testimonial) that your company includes Coverity tuning, Coverity being the tool preferred by the Original post that triggered my opinions.

How do the tools you see get around the fact that edited code tends to require re-validation on false-positives that are already discussed, inspected? (the thing for which I suggest #pragmas above)

]]> By: Andy http://tech.chickenandporn.com/2009/07/10/static-code-analysis-inherently-labour-intensive-little-gain/comment-page-1/#comment-17 Andy Sat, 11 Jul 2009 15:47:32 +0000 http://tech.chickenandporn.com/?p=36#comment-17 Thanks for pointing out the issues! One of the hidden costs of static analysis is the cost of inspection. It's a common mistake to think that static analysis tools are going to spit out only killer bugs. It shouldn't ever be expected from an analysis tool that doesn't even run the code. Just like bugs found by other methods, a static analysis tool is going to report medium, low, don't care (e.g. bugs in 3rd party or test code) and false positive results where the tool just got it plain wrong. Because these tools can report a lot of results, the challenge is in knowing WHICH are the problems you should fix and that's where inspection comes in to take a chunk of time. Configuring the tool to understand the codebase better, using filters and several other strategies can help make the tool more cost effective, but they don't come for free - some time/effort/resource/help may be needed. Thanks for pointing out the issues! One of the hidden costs of static analysis is the cost of inspection. It’s a common mistake to think that static analysis tools are going to spit out only killer bugs. It shouldn’t ever be expected from an analysis tool that doesn’t even run the code. Just like bugs found by other methods, a static analysis tool is going to report medium, low, don’t care (e.g. bugs in 3rd party or test code) and false positive results where the tool just got it plain wrong. Because these tools can report a lot of results, the challenge is in knowing WHICH are the problems you should fix and that’s where inspection comes in to take a chunk of time. Configuring the tool to understand the codebase better, using filters and several other strategies can help make the tool more cost effective, but they don’t come for free – some time/effort/resource/help may be needed.

]]>