Friday, August 20, 2004

Static Analysis tools for the uninitiated.

We have all used tools like Purify for automated detection of memory leaks, out-of-bounds memory accesses, reads of freed memory, etc. (essentially, certain code patterns that are considered bugs). These tools are great productivity enhancers and cost savers, since we can find and fix more bugs before the product reaches the customer.

However, there are a lot of other bugs, such as deadlocks, race conditions, and resource leaks (unfreed sockets, database connections, etc.), which are hard to find and generally get hit at customer deployments, which is costly for both the customer and the software vendor. Such bugs can also be detected automatically, to some extent, using static analysis and dynamic analysis. There are two hard problems though:
1) The algorithms do not scale well for large code bases, and
2) The number of "false positives" tends to be very high in static analysis.

However, several people have now worked on these problems and have come up with usable tools, e.g. Coverity. The idea is that you run a tool like this from your IDE whenever you want your code checked and, voilà, you get quality bugs reported in a short time.
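To make the "unfreed socket" case concrete, here is an added example (not from the original post or from any tool mentioned in it) of a descriptor leaked on a rarely taken error path, next to a corrected version. The function names and the bad address string are constructed for illustration.

```c
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Leaky (illustrative): the early return on a bad address skips close(fd). */
int connect_leaky(const char *ip, unsigned short port) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1)
        return -1;                      /* fd is still open: resource leak */
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fixed: every failure after socket() goes through the same close(fd). */
int connect_fixed(const char *ip, unsigned short port) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Count open descriptors by probing fds 0..255 with fcntl(F_GETFD). */
int open_fd_count(void) {
    int n = 0;
    for (int fd = 0; fd < 256; fd++)
        if (fcntl(fd, F_GETFD) != -1) n++;
    return n;
}

/* Descriptors left open after one call on a constructed bad address. */
int fds_leaked_by(int (*fn)(const char *, unsigned short)) {
    int before = open_fd_count();
    (void)fn("not-an-ip", 80);          /* forces the inet_pton failure path */
    return open_fd_count() - before;
}
```

The leak only shows up when the address fails to parse, so a test suite that always passes valid addresses never sees it; an analysis that follows each path from `socket()` to every `return` does.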

2 comments:

Automotivix said...

First of all...why did I have to sign in before posting a message here?????? I guess for posting comments Blogger needs a login/passwd on Blogger...jeez...pain...figure it out and let me know...
Anyway, what does this tool Coverity exactly do?? By static analysis do you mean it works like PC Lint? How does it know that I am using a socket and have not freed it just by 'looking' at the code? Does it need to be customized for a particular platform?..if yes then that itself can be a painful process...

Digital Signage Solutions said...

The blog is well versed with the basics and concept because security static analysis tools have become more sophisticated and their role in the security and software development process has become a subject of debate.