Think static analysis cures all ills? Think again.
Mark Pitchford, LDRA
EETimes (3/1/2011 11:15 AM EST)
Static code analysis has been around as long as software itself, but you'd swear from current tradeshows that it was just invented. Here's how to choose the right code-analysis tools for your project.
Static analysis (or static code analysis) is a field full of contradictions and misconceptions. It's been around as long as software itself, but you'd swear from current trade shows that it was just invented. Static analysis checks the syntactic quality of high-level source code, and yet, as you can tell from listening to the recent buzz, its findings can be used to predict dynamic behavior. It is a precision tool in some contexts, and yet in others it harbors approximations.
Given this degree of contradiction, it's hard to believe that all of these statements are accurate. Static analysis, a generic term, only indicates that the analysis of the software is performed without executing the code. So simple peer review of source code fits the definition just as surely as the latest tools with their white papers full of various incantations of technobabble.
There isn't much point in any such analysis existing in isolation, since even if code is perfectly written, it's only correct if it meets project requirements. It's therefore also important to understand how well any such analysis fits within the development lifecycle.
No analysis is good or bad simply by virtue of being static or dynamic in nature. It follows that an analysis tool is neither good nor bad (or, perhaps more pertinently, neither appropriate nor inappropriate) just because it is statically or dynamically based. It's therefore important to look past the subtle advertising and self-congratulatory white paper proclamations to consider the relevant merits and demerits of static analysis and its ability to predict dynamic behavior. Can a solid static-analysis engine bypass the need for dynamic analysis? In this article, I explore current technologies and explain how static analysis predicts dynamic behavior. This article will help developers understand which method to use under which circumstances.