STatic Analysis
WHAT IS STATIC ANALYSIS?
Static analysis is the examination of code to
identify potential issues with it without having to run the
software.
Why Do we want to use IT?
- Identify potential bugs
- Enforcing Standards
- Highlight syntax issues
- Mentoring new developers
Examples
C++ ExampleS
Static Analysis found following issues in our C++ code Project->R_KiaProbDxInclude File->MaintainRelatedProblemsDlg.h
CBitmap
m_bmpButtons[5]
m_bmpButtons[0].LoadBitmap(MAKEINTRESOURCE(IDB_CHECKED_BITMAP)); m_bmpButtons[1].LoadBitmap(MAKEINTRESOURCE(IDB_UNCHECKED_BITMAP)); m_bmpButtons[2].LoadBitmap(MAKEINTRESOURCE(IDB_DOWN)); m_bmpButtons[3].LoadBitmap(MAKEINTRESOURCE(IDB_UP)); m_bmpButtons[4].LoadBitmap(MAKEINTRESOURCE(IDB_DISABLED_CHECKED_BITMAP)); m_bmpButtons[5].LoadBitmap(MAKEINTRESOURCE(IDB_DISABLED_UNCHECKED_BITMAP)); <- ISSUE
Location 5 is out of Array Bounds.
m_bmpButtons[0].LoadBitmap(MAKEINTRESOURCE(IDB_CHECKED_BITMAP)); m_bmpButtons[1].LoadBitmap(MAKEINTRESOURCE(IDB_UNCHECKED_BITMAP)); m_bmpButtons[2].LoadBitmap(MAKEINTRESOURCE(IDB_DOWN)); m_bmpButtons[3].LoadBitmap(MAKEINTRESOURCE(IDB_UP)); m_bmpButtons[4].LoadBitmap(MAKEINTRESOURCE(IDB_DISABLED_CHECKED_BITMAP)); m_bmpButtons[5].LoadBitmap(MAKEINTRESOURCE(IDB_DISABLED_UNCHECKED_BITMAP)); <- ISSUE
Location 5 is out of Array Bounds.
- Memory leak
Put_Value(str.AllocSysString()); //this will cause memory leak
- Null Reference
obj = getObj();
obj->setValue(); // obj may be null, obj is used without validation
- Resource handle leak
//stuff
return; // pDC will be lost and lead to resource handle/GDI leak
C# Examples
- NullReferenceException
string value = null;int len = value.Length;
- Hard coding locale specific strings
string path = "C:\Application Data";
- Cost of defect repair
- Styling rules keep code clean
- Frustration avoided
Cerner -> Klocwork 
- Can be integrated with your I.D.E.
- Can be customized to check only certain rules
- We have a Jenkins server that has Klocwork
- If you find patterns/mistakes not detected by klocworks you can log a JIRA to Development Insight team to help you make a rule.
- It can show false issues so verification is required.
FxCop
FxCop
- Reports following information
- Design improvements
- Globalization improvements
- Performance improvements
- Security improvements
DEMO
QuestionS
STatic Analysis
STatic Analysis
By staticanalysis
STatic Analysis
- 254
