Archive for the ‘Static Analysis’ Category

  • Leveraging static analysis

    on May 12, 10 • by Alen Zukich • with 1 Comment

    In a previous post I discussed the process where we practice dogfooding.  This is the process of using Klocwork on Klocwork (KonK).  We started this program several years back with the hopes that we would learn some valuable lessons about usability, performance and anything else that would give us an edge.  The truth is that KonK has consistently allowed us to test our design assumptions early by allowing our own developers to use Klocwork as part of their development. One of the unexpected results was inadvertently uncovering data that further validated for us the importance

  • Static analysis for Ruby/Python

    on Jun 29, 09 • by Denis Sidorov • with 13 Comments

    As a developer of static analysis tools for mainstream statically-typed languages, like C++ and Java, I was wondering for quite a while about how well static analysis applies to dynamically-typed languages, like Ruby and Python. And recently, I have come across this interesting project on GitHub: Reek – Code smell detector for Ruby. Well, I suppose that’s just a fancy way to name a static analysis tool. What can Reek detect? It does not do heavyweight data/control flow analysis, so the list is not very exciting: Code Duplication – AFAIU, it’s not very accurate, ’cause

  • Parallel Lint

    on Jun 22, 09 • by Alen Zukich • with 2 Comments

    Interesting article on static analysis tools to help find concurrency issues.  These so-called “Parallel Lint” tools are specific to finding these types of issues.  Overall there are some great discussions on certain tools, and it is always nice when Klocwork gets mentioned.  But my problem is with the categorization of these tools.  It always makes me feel sick every time someone puts Klocwork in the same category of “powerful static analysis” with JLint, C++Test, FXCop and my favorite PC-Lint. This article goes deeper into PC-Lint and what they are doing with deadlocks.  The author

  • False positives in modern static analyzers

    on May 22, 09 • by Alen Zukich • with 1 Comment

    In response to Jason’s post about false positives.  First of all there is a general misconception of false positives.  Modern static source code analysis tools have changed the game.  It is not the Lint tool of the past; a focus with deep inter-procedural technology has placed the requirement that static tools today produce more real issues than false reports. With that said, Jason is right, large code bases never running static analysis will produce a large number of issues no matter how accurate it is.  Even though static analysis tools do provide a number of

  • Findbugs not recognizing exceptions? Java static analysis

    on May 4, 09 • by Alen Zukich • with 1 Comment

    We’ve posted previously on some of the differences between Findbugs’ open source Java analysis and commercial Java static analysis tools, specifically on the JSR-305 specification and source code versus byte code analysis topics. Due to these differences, many Java shops will use a commercial Java static analysis tool in conjunction with Findbugs to make sure they’re getting as complete issue detection as possible. One area that’s been discussed previously is the ability to identify situations of possible null pointer dereference. This piqued my interest and led me to do some benchmarking against a few open
