Vivek Haldar’s recent post Bug finding and static analysis in the real world covers the application of two static analysis tools, FindBugs and Coverity, on large commercial software systems. The Coverity article is a cornucopia of terrifying anecdotes from the trenches of C/C++ development. Here are some gems:
“Isn’t that bad? What happens if you hit it?”
“Oh, it’ll crash. We’ll get a call.” [Shrug.]
“I’m just the security guy.”
“That’s not a bug; it’s in third-party code.”
“A leak? Don’t know. The author left years ago…”
for (i = 1; i < 0; i++) …dead code…
“No, that’s a false positive; a loop executes at least once.”
unsigned p[4]; …; p[4] = 1;
“No, ANSI lets you write 1 past the end of the array.”
“‘Static’ analysis? What’s the performance overhead?”
The article has plenty of other horror stories, from obscure language extensions and untouchable tool chains to social issues such as managers who don’t actually want to find new bugs because that makes them look bad.
(I should add that Vivek’s post does not focus on such trivia but takes a rather broader view of static analysis, so I encourage you to read it for yourself.)
2013-08-25: Eric Lippert’s The Psychology of C# Analysis is a shorter and (even) funnier slide show version of this report.