STatic Analysis

WHAT IS STATIC ANALYSIS?


            Static analysis is the examination of code to 
            identify potential issues with it without having to run the 
            software.
            
 

Why Do we want to use IT?

  • Identify potential bugs
  • Enforcing Standards
  • Highlight syntax issues
  • Mentoring new developers
        

Examples



C++ ExampleS

Static Analysis found following issues in our C++ code         Project->R_KiaProbDxInclude                                                                         File->MaintainRelatedProblemsDlg.h                                                                   CBitmap m_bmpButtons[5]
m_bmpButtons[0].LoadBitmap(MAKEINTRESOURCE(IDB_CHECKED_BITMAP)); m_bmpButtons[1].LoadBitmap(MAKEINTRESOURCE(IDB_UNCHECKED_BITMAP)); m_bmpButtons[2].LoadBitmap(MAKEINTRESOURCE(IDB_DOWN)); m_bmpButtons[3].LoadBitmap(MAKEINTRESOURCE(IDB_UP)); m_bmpButtons[4].LoadBitmap(MAKEINTRESOURCE(IDB_DISABLED_CHECKED_BITMAP)); m_bmpButtons[5].LoadBitmap(MAKEINTRESOURCE(IDB_DISABLED_UNCHECKED_BITMAP)); <- ISSUE
Location 5 is out of Array Bounds.
  • Memory leak
    • CString str(“MyValue”);
    Put_Value(str.AllocSysString()); //this will cause memory leak     
 
 
  • Null Reference
    • ClassA *obj = new ClassA();
    obj = getObj();
    obj->setValue(); // obj may be null, obj is used without validation
 
  • Resource handle leak
    • CDC * pDC = pWnd->GetDC();
    //stuff
    return; // pDC will be lost and lead to resource handle/GDI leak

C# Examples

  • NullReferenceException
string value = null;
 int len = value.Length;

  • Hard coding locale specific strings

string path = "C:\Application Data";



    • Cost of defect repair
    • Styling rules keep code clean
    • Frustration avoided
Tools

   Cerner -> Klocwork 
Klocwork

  • Can be integrated with your I.D.E.
  • Can be customized to check only certain rules
  • We have a Jenkins server that has Klocwork
  • If you find patterns/mistakes not detected by klocworks you can log a JIRA to Development Insight team to help you make a rule.
  • It can show false issues so verification is required.

FxCop



FxCop

  • Reports following information
    • Design improvements
    • Globalization improvements
    • Performance improvements
    • Security improvements

DEMO

 

QuestionS

STatic Analysis

By staticanalysis

Made with Slides.com

STatic Analysis

  • 241

More from staticanalysis