When to Use Static Analysis Tools
Since static analysis tools are leveraged before build time, they can save time, money and re-testing aggravation The cost to find and fix a bug rises drastically throughout the product cycle: if a bug is found by the customer after the application has been released, it can cost literally millions of dollars. Since static analysis tools are run early in the development cycle and can point out the specific line number where a programming error has been made, the bug can be found and fixed very quickly and inexpensively. Advanced static analysis tools not only show the line number of the bug but also display the code paths that lead to execution of the bug.
Static analysis tools can and should be used throughout the product cycle. Developers can use a light weight version of the tool to check for simple bugs that may have been missed at development time. Build managers or lab technicians should use the tool to isolate the more sophisticated bugs at code integration time. After a build is created, testers can use static analysis tools to ensure code coverage and to discover complex sections of the product that should be tested more thoroughly.
Developers can run a stripped down version of the static analyzer on their local build machine before check-in to enforce coding standards, readability and check for security bugs. Enforcing coding standards and readability will ensure that code is easy to update and maintain in future releases. Many security bugs like buffer overruns, input encoding issues and use of dangerous functions can be found before the source is built into the complete shared source tree.
Once the developers check their code changes into the source tree, the build manager can run the static analyzer to check for integration bugs. In this step, the build manager can enable options that may not have been available to the developer, such as simulations, function integration options, and dependency diagrams. Simulations may require some external states to be set before running the newly added code which will only be available with the complete source tree. At this point, the build manager can send bug reports back to the developers so they can fix code integration errors before they even make it to the build. The two sided analysis, of developer and build manager, will help remove many bugs before the source is built, keeping development and bug fix costs significantly down.
After the build is complete, testers can use static analyzers to discover areas of higher cyclomatic complexity which will provide insight to where deeply hidden bugs may lie. Using the metrics and complexity features of a static analysis tool, testers can discover code paths to execute the complex function at runtime. Once the code path has been found, the tester can use that information to execute the complex function from within the built application and discover complex runtime errors.