SlideShare a Scribd company logo

The Use of Static Code Analysis When Teaching or Developing Open-Source Software

Download as PPTX, PDF
Andrey Karpov, profile picture
Andrey Karpov

The document discusses using static code analysis when teaching or developing open-source software. It outlines how static analysis can help instructors check student homework and projects more efficiently, and help students learn about error patterns. When using static analysis for open-source projects, it recommends integrating it into developers' workflows locally and via continuous integration systems. Regular use is key to maximizing its benefits for finding and fixing bugs.

Education
Related topics:
Insights on Software Development
1 of 51
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
The Use of Static Code Analysis When Teaching or Developing Open-Source Software Presenter: George Gribkov
1. Static analysis: short overview 2. Use of static analysis at colleges and universities 3. Use of static analysis in student and open projects Contents 2
Static Analysis: Short Overview 3
 Write correct code  Unit tests  Regression testing  Code review  …is there some other way?  Yes! For example – tools for automated analysis. How to Improve Code Quality 4
 Static analysis tools: check code when it’s not executed  Dynamic analysis tools: check code when it’s being executed Automated Code Analysis Tools 5  Both approaches compliment each other very well.
Cost to Fix a Bug 6
 Issues false positives  Difficulties with multithreading  Does not eliminate the need for code review Static Analysis Disadvantages 7
 Covers the entire code  Significantly faster than dynamic code analysis  More convenient for large projects Static Analysis Advantages 8
 Can check code style or whether the code complies with a coding standard (MISRA, AUTOSAR C++)  Easy to use  Helps developers learn and teach Static Analysis Advantages 9
Use of Static Analysis at Colleges and Universitites 10
 Helps check homework  Helps check final projects  Saves instructors’ time For Instructors 11
 Provides a chance to learn a new approach  Helps with self-study and problem solving  Facilitates development  Shows and helps study error patterns For Students 12
Pattern Examples (Vangers) 13 void aciPackFile(....) { int sz,sz1; char *p,*p1; .... p = new char[sz]; p1 = new char[sz1]; .... delete p; delete p1; }
Pattern Examples (Vangers) 14 void aciPackFile(....) { int sz,sz1; char *p,*p1; .... p = new char[sz]; p1 = new char[sz1]; .... delete p; // <= delete p1; // <= }
Pattern Examples (Vangers) 15 void aciPackFile(....) { int sz,sz1; char *p,*p1; .... p = new char[sz]; p1 = new char[sz1]; .... delete [] p; delete [] p1; }
Pattern Examples (Apache HTTP Server) 16 static void MD4Transform( apr_uint32_t state[4], const unsigned char block[64]) { apr_uint32_t a = state[0], b = state[1], c = state[2], d = state[3], x[APR_MD4_DIGESTSIZE]; .... /* Zeroize sensitive information. */ memset(x, 0, sizeof(x)); }
Pattern Examples (Apache HTTP Server) 17 static void MD4Transform( apr_uint32_t state[4], const unsigned char block[64]) { apr_uint32_t a = state[0], b = state[1], c = state[2], d = state[3], x[APR_MD4_DIGESTSIZE]; .... /* Zeroize sensitive information. */ memset(x, 0, sizeof(x)); // <= }
Pattern Examples (Apache HTTP Server) 18 static void MD4Transform( apr_uint32_t state[4], const unsigned char block[64]) { apr_uint32_t a = state[0], b = state[1], c = state[2], d = state[3], x[APR_MD4_DIGESTSIZE]; .... /* Zeroize sensitive information. */ memset_s(x, 0, sizeof(x)); } *Or use the following flag: -fno-builtin-memset!
 Provides a chance to learn a new approach  Helps with self-study and problem solving  Facilitates development  Shows and helps study error patterns For Students 19
Use of Static Analysis in Student and Open Projects 20
 Static analysis provides its maximum benefit only when used regularly! Regular Use is the Main Thing 21
Regular Use is the Main Thing 22
Efficient Static Analyzers 23 β€’ PVS-Studio β€’ Clang Static Analyzer β€’ Cppcheck β€’ Infer β€’ IntelliJ IDEA β€’ FindBugs β€’ ... β€’ A detailed list of static analyzers:
1. A classic development scenario (in office) 2. Developing student and open-source projects Introducing Analysis 24
 Locally on developers’ computer (plugins for IDE, compilation monitoring system) A Typical Scenario 25
 Continuous integration systems (command-line utilities, plugins for CI systems, monitoring systems) A Typical Scenario 26
A Typical Scenario 27
What’s the difference? Student and Open-Source Projects 28
A Typical Scenario 29
Student and Open-Source Projects 30
Student and Open-Source Projects 31
Student and Open-Source Projects 32
Student and Open-Source Projects 33
Using an Analyzer on Open-Source Projects 34
Using an Analyzer on Open-Source Projects 35
How to Analyze Community Contribution? 36
What to Do After the First Check? 37
Using an Analyzer on Open-Source Projects 38
Using an Analyzer on Open-Source Projects 39
Pull Request Analysis 40
How to Analyze Community Contribution? 41
 Suppress bases are a mass suppression tool for the analyzer’s warnings. After the First Check 42
 Suppress bases are a mass suppression tool for the analyzer’s warnings. After the First Check 43
 Hide old errors – keep up the normal pace  See only the latest warnings starting from this moment  Get immediate benefits from the analyzer  Do not forget about the old errors! Come back and fix them one-by-one. The Purpose of Suppress Bases 44
 A very convenient approach: the β€œratcheting” method  The number of errors in the base is committed to the repository.  Changes are allowed only when they do not increase the total number of errors. How to Work with Suppress Base 45
How to Work with Suppress Base 46
 https://habr.com/en/post/440610/ An Article on the Topic 47
Conclusion 48
 Static analysis helps study programming  It’s important to use static analysis regularly  It’s okay to use static analysis in open-source projects! Recap 49
A Free PVS-Studio License for Open-Source Project Developers 50
END Q&A51

More Related Content

PDF
TMPA-2015: The Application of Parameterized Hierarchy Templates for Automated...
Iosif Itkin
Β 
PDF
TMPA-2017: Vellvm - Verifying the LLVM
Iosif Itkin
Β 
PDF
TMPA-2017: Regression Testing with Semiautomatic Test Selection for Auditing ...
Iosif Itkin
Β 
PDF
TMPA-2015: A Need To Specify and Verify Standard Functions
Iosif Itkin
Β 
PDF
Cppcheck
PVS-Studio
Β 
PPTX
Reverse Engineering automation
Positive Hack Days
Β 
PDF
TMPA-2017: Evolutionary Algorithms in Test Generation for digital systems
Iosif Itkin
Β 
PPT
Testing
Steve Loughran
Β 
TMPA-2015: The Application of Parameterized Hierarchy Templates for Automated...
Iosif Itkin
Β 
TMPA-2017: Vellvm - Verifying the LLVM
Iosif Itkin
Β 
TMPA-2017: Regression Testing with Semiautomatic Test Selection for Auditing ...
Iosif Itkin
Β 
TMPA-2015: A Need To Specify and Verify Standard Functions
Iosif Itkin
Β 
Cppcheck
PVS-Studio
Β 
Reverse Engineering automation
Positive Hack Days
Β 
TMPA-2017: Evolutionary Algorithms in Test Generation for digital systems
Iosif Itkin
Β 
Testing
Steve Loughran
Β 

What's hot (20)

PDF
Symbolic Execution (introduction and hands-on)
Emilio Coppa
Β 
PPTX
Loops in c
shubhampandav3
Β 
PDF
Program errors occurring while porting C++ code from 32-bit platforms on 64-b...
Andrey Karpov
Β 
PPT
Code Analysis-run time error prediction
NIKHIL NAWATHE
Β 
PPTX
Static analysis
GowriLatha1
Β 
PDF
Search-driven String Constraint Solving for Vulnerability Detection
Lionel Briand
Β 
PDF
SherLog: Error Diagnosis by Connecting Clues from Run-time Logs
Dacong (Tony) Yan
Β 
PPTX
IEEE SCAM 2017 Revisiting Exception Handling Practices with Exception Flow An...
Gui Padua
Β 
PPT
Templates exception handling
sanya6900
Β 
PPT
9781285852744 ppt ch14
Terry Yoast
Β 
PPTX
Extending C# with Roslyn and Code Aware Libraries
Carlo Pescio
Β 
PPT
Unit iii
snehaarao19
Β 
PDF
Mock object
Hiroyuki Ohnaka
Β 
PDF
Java 8 - Lambdas and much more
Alin Pandichi
Β 
PPTX
STAMP
Saswat Anand
Β 
PPTX
C programming language tutorial
Dr. SURBHI SAROHA
Β 
PPT
Storage classes
Shanmughaneethi Velu
Β 
DOCX
Qtp certification questions2
Ramu Palanki
Β 
PPTX
C language (Part 2)
Dr. SURBHI SAROHA
Β 
PDF
Headache from using mathematical software
PVS-Studio
Β 
Symbolic Execution (introduction and hands-on)
Emilio Coppa
Β 
Loops in c
shubhampandav3
Β 
Program errors occurring while porting C++ code from 32-bit platforms on 64-b...
Andrey Karpov
Β 
Code Analysis-run time error prediction
NIKHIL NAWATHE
Β 
Static analysis
GowriLatha1
Β 
Search-driven String Constraint Solving for Vulnerability Detection
Lionel Briand
Β 
SherLog: Error Diagnosis by Connecting Clues from Run-time Logs
Dacong (Tony) Yan
Β 
IEEE SCAM 2017 Revisiting Exception Handling Practices with Exception Flow An...
Gui Padua
Β 
Templates exception handling
sanya6900
Β 
9781285852744 ppt ch14
Terry Yoast
Β 
Extending C# with Roslyn and Code Aware Libraries
Carlo Pescio
Β 
Unit iii
snehaarao19
Β 
Mock object
Hiroyuki Ohnaka
Β 
Java 8 - Lambdas and much more
Alin Pandichi
Β 
STAMP
Saswat Anand
Β 
C programming language tutorial
Dr. SURBHI SAROHA
Β 
Storage classes
Shanmughaneethi Velu
Β 
Qtp certification questions2
Ramu Palanki
Β 
C language (Part 2)
Dr. SURBHI SAROHA
Β 
Headache from using mathematical software
PVS-Studio
Β 
Ad

Similar to The Use of Static Code Analysis When Teaching or Developing Open-Source Software (20)

PDF
Stale pointers are the new black - white paper
Vincenzo Iozzo
Β 
PPTX
Static code analysis: what? how? why?
Andrey Karpov
Β 
PDF
Videos about static code analysis
PVS-Studio
Β 
PPTX
Does static analysis need machine learning?
Andrey Karpov
Β 
PDF
Secure Programming With Static Analysis
ConSanFrancisco123
Β 
PDF
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Denim Group
Β 
PDF
PVS-Studio advertisement - static analysis of C/C++ code
PVS-Studio
Β 
PDF
Static Analysis: From Getting Started to Integration
Andrey Karpov
Β 
PDF
What's the Difference Between Static Analysis and Compiler Warnings?
Andrey Karpov
Β 
PDF
0136 ideal static_analyzer
PVS-Studio
Β 
PDF
An ideal static analyzer, or why ideals are unachievable
PVS-Studio
Β 
PPTX
Static Analysis Primer
Coverity
Β 
PDF
Static Code Analysis and Cppcheck
Zachary Blair
Β 
PPTX
Static-Analysis-in-Industry.pptx
ShivashankarHR1
Β 
PDF
Achieving quality with tools case study
EosSoftware
Β 
PDF
PVS-Studio advertisement - static analysis of C/C++ code
Andrey Karpov
Β 
PDF
Peddle the Pedal to the Metal
C4Media
Β 
PDF
Static and Dynamic Code Analysis
Andrey Karpov
Β 
PPTX
200 Open Source Projects Later: Source Code Static Analysis Experience
Andrey Karpov
Β 
PPTX
PVS-Studio and static code analysis technique
Andrey Karpov
Β 
Stale pointers are the new black - white paper
Vincenzo Iozzo
Β 
Static code analysis: what? how? why?
Andrey Karpov
Β 
Videos about static code analysis
PVS-Studio
Β 
Does static analysis need machine learning?
Andrey Karpov
Β 
Secure Programming With Static Analysis
ConSanFrancisco123
Β 
Static Analysis Techniques For Testing Application Security - Houston Tech Fest
Denim Group
Β 
PVS-Studio advertisement - static analysis of C/C++ code
PVS-Studio
Β 
Static Analysis: From Getting Started to Integration
Andrey Karpov
Β 
What's the Difference Between Static Analysis and Compiler Warnings?
Andrey Karpov
Β 
0136 ideal static_analyzer
PVS-Studio
Β 
An ideal static analyzer, or why ideals are unachievable
PVS-Studio
Β 
Static Analysis Primer
Coverity
Β 
Static Code Analysis and Cppcheck
Zachary Blair
Β 
Static-Analysis-in-Industry.pptx
ShivashankarHR1
Β 
Achieving quality with tools case study
EosSoftware
Β 
PVS-Studio advertisement - static analysis of C/C++ code
Andrey Karpov
Β 
Peddle the Pedal to the Metal
C4Media
Β 
Static and Dynamic Code Analysis
Andrey Karpov
Β 
200 Open Source Projects Later: Source Code Static Analysis Experience
Andrey Karpov
Β 
PVS-Studio and static code analysis technique
Andrey Karpov
Β 
Ad

More from Andrey Karpov (20)

PDF
60 Π°Π½Ρ‚ΠΈΠΏΠ°Ρ‚Ρ‚Π΅Ρ€Π½ΠΎΠ² для Π‘++ программиста
Andrey Karpov
Β 
PDF
60 terrible tips for a C++ developer
Andrey Karpov
Β 
PPTX
Ошибки, ΠΊΠΎΡ‚ΠΎΡ€Ρ‹Π΅ слоТно Π·Π°ΠΌΠ΅Ρ‚ΠΈΡ‚ΡŒ Π½Π° code review, Π½ΠΎ ΠΊΠΎΡ‚ΠΎΡ€Ρ‹Π΅ находятся статичСс...
Andrey Karpov
Β 
PDF
PVS-Studio in 2021 - Error Examples
Andrey Karpov
Β 
PDF
PVS-Studio in 2021 - Feature Overview
Andrey Karpov
Β 
PDF
PVS-Studio Π² 2021 - ΠŸΡ€ΠΈΠΌΠ΅Ρ€Ρ‹ ошибок
Andrey Karpov
Β 
PDF
PVS-Studio Π² 2021
Andrey Karpov
Β 
PPTX
Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...
Andrey Karpov
Β 
PPTX
Best Bugs from Games: Fellow Programmers' Mistakes
Andrey Karpov
Β 
PPTX
Typical errors in code on the example of C++, C#, and Java
Andrey Karpov
Β 
PPTX
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
Andrey Karpov
Β 
PPTX
Game Engine Code Quality: Is Everything Really That Bad?
Andrey Karpov
Β 
PPTX
C++ Code as Seen by a Hypercritical Reviewer
Andrey Karpov
Β 
PPTX
Static Code Analysis for Projects, Built on Unreal Engine
Andrey Karpov
Β 
PPTX
Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
Andrey Karpov
Β 
PPTX
The Great and Mighty C++
Andrey Karpov
Β 
PDF
Zero, one, two, Freddy's coming for you
Andrey Karpov
Β 
PDF
PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOps
Andrey Karpov
Β 
PDF
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
Andrey Karpov
Β 
PDF
Analysis of commits and pull requests in Travis CI, Buddy and AppVeyor using ...
Andrey Karpov
Β 
60 Π°Π½Ρ‚ΠΈΠΏΠ°Ρ‚Ρ‚Π΅Ρ€Π½ΠΎΠ² для Π‘++ программиста
Andrey Karpov
Β 
60 terrible tips for a C++ developer
Andrey Karpov
Β 
Ошибки, ΠΊΠΎΡ‚ΠΎΡ€Ρ‹Π΅ слоТно Π·Π°ΠΌΠ΅Ρ‚ΠΈΡ‚ΡŒ Π½Π° code review, Π½ΠΎ ΠΊΠΎΡ‚ΠΎΡ€Ρ‹Π΅ находятся статичСс...
Andrey Karpov
Β 
PVS-Studio in 2021 - Error Examples
Andrey Karpov
Β 
PVS-Studio in 2021 - Feature Overview
Andrey Karpov
Β 
PVS-Studio Π² 2021 - ΠŸΡ€ΠΈΠΌΠ΅Ρ€Ρ‹ ошибок
Andrey Karpov
Β 
PVS-Studio Π² 2021
Andrey Karpov
Β 
Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...
Andrey Karpov
Β 
Best Bugs from Games: Fellow Programmers' Mistakes
Andrey Karpov
Β 
Typical errors in code on the example of C++, C#, and Java
Andrey Karpov
Β 
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
Andrey Karpov
Β 
Game Engine Code Quality: Is Everything Really That Bad?
Andrey Karpov
Β 
C++ Code as Seen by a Hypercritical Reviewer
Andrey Karpov
Β 
Static Code Analysis for Projects, Built on Unreal Engine
Andrey Karpov
Β 
Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
Andrey Karpov
Β 
The Great and Mighty C++
Andrey Karpov
Β 
Zero, one, two, Freddy's coming for you
Andrey Karpov
Β 
PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOps
Andrey Karpov
Β 
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
Andrey Karpov
Β 
Analysis of commits and pull requests in Travis CI, Buddy and AppVeyor using ...
Andrey Karpov
Β 

Recently uploaded (20)

PDF
O7-L3 Supply Chain Operations - ICLT Program
labyankof
Β 
PDF
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
pascalgumisiriza1
Β 
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
Β 
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
Β 
PDF
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
Mithil Fal Desai
Β 
PPTX
Pharma ospi slides which help in ospi learning
rameetkumar304
Β 
PDF
Basic Mud Logging Guide for educational purpose
wdandworks
Β 
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
Β 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
Β 
PDF
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
Β 
PDF
01-Introduction-to-Information-Management.pdf
PrinceIbarra
Β 
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
Β 
PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
Β 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
Β 
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
Β 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
Β 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
Β 
PPTX
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
Β 
PDF
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
Β 
PDF
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
Β 
O7-L3 Supply Chain Operations - ICLT Program
labyankof
Β 
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
pascalgumisiriza1
Β 
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
KMDee
Β 
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
Β 
Origin of periodic table-Mendeleev’s Periodic-Modern Periodic table
Mithil Fal Desai
Β 
Pharma ospi slides which help in ospi learning
rameetkumar304
Β 
Basic Mud Logging Guide for educational purpose
wdandworks
Β 
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
Β 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
Β 
The Lost Whites of Pakistan by Jahanzaib Mughal.pdf
jahanzaibmughal6
Β 
01-Introduction-to-Information-Management.pdf
PrinceIbarra
Β 
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
DrMONISHAphysio
Β 
Complications of Minimal Access Surgery at WLH
mohitsuren827
Β 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
Β 
2.FourierTransform-ShortQuestionswithAnswers.pdf
Raji Murugan
Β 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
Β 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
Β 
Cell Structure & Organelles in detailed.
DHANASHREESIVAKUMAR
Β 
Supply Chain Operations Speaking Notes -ICLT Program
labyankof
Β 
Insiders guide to clinical Medicine.pdf
AbhishekPatil315128
Β 

The Use of Static Code Analysis When Teaching or Developing Open-Source Software

  • 1. The Use of Static Code Analysis When Teaching or Developing Open-Source Software Presenter: George Gribkov
  • 2. 1. Static analysis: short overview 2. Use of static analysis at colleges and universities 3. Use of static analysis in student and open projects Contents 2
  • 4.  Write correct code  Unit tests  Regression testing  Code review  …is there some other way?  Yes! For example – tools for automated analysis. How to Improve Code Quality 4
  • 5.  Static analysis tools: check code when it’s not executed  Dynamic analysis tools: check code when it’s being executed Automated Code Analysis Tools 5  Both approaches compliment each other very well.
  • 6. Cost to Fix a Bug 6
  • 7.  Issues false positives  Difficulties with multithreading  Does not eliminate the need for code review Static Analysis Disadvantages 7
  • 8.  Covers the entire code  Significantly faster than dynamic code analysis  More convenient for large projects Static Analysis Advantages 8
  • 9.  Can check code style or whether the code complies with a coding standard (MISRA, AUTOSAR C++)  Easy to use  Helps developers learn and teach Static Analysis Advantages 9
  • 10. Use of Static Analysis at Colleges and Universitites 10
  • 11.  Helps check homework  Helps check final projects  Saves instructors’ time For Instructors 11
  • 12.  Provides a chance to learn a new approach  Helps with self-study and problem solving  Facilitates development  Shows and helps study error patterns For Students 12
  • 13. Pattern Examples (Vangers) 13 void aciPackFile(....) { int sz,sz1; char *p,*p1; .... p = new char[sz]; p1 = new char[sz1]; .... delete p; delete p1; }
  • 14. Pattern Examples (Vangers) 14 void aciPackFile(....) { int sz,sz1; char *p,*p1; .... p = new char[sz]; p1 = new char[sz1]; .... delete p; // <= delete p1; // <= }
  • 15. Pattern Examples (Vangers) 15 void aciPackFile(....) { int sz,sz1; char *p,*p1; .... p = new char[sz]; p1 = new char[sz1]; .... delete [] p; delete [] p1; }
  • 16. Pattern Examples (Apache HTTP Server) 16 static void MD4Transform( apr_uint32_t state[4], const unsigned char block[64]) { apr_uint32_t a = state[0], b = state[1], c = state[2], d = state[3], x[APR_MD4_DIGESTSIZE]; .... /* Zeroize sensitive information. */ memset(x, 0, sizeof(x)); }
  • 17. Pattern Examples (Apache HTTP Server) 17 static void MD4Transform( apr_uint32_t state[4], const unsigned char block[64]) { apr_uint32_t a = state[0], b = state[1], c = state[2], d = state[3], x[APR_MD4_DIGESTSIZE]; .... /* Zeroize sensitive information. */ memset(x, 0, sizeof(x)); // <= }
  • 18. Pattern Examples (Apache HTTP Server) 18 static void MD4Transform( apr_uint32_t state[4], const unsigned char block[64]) { apr_uint32_t a = state[0], b = state[1], c = state[2], d = state[3], x[APR_MD4_DIGESTSIZE]; .... /* Zeroize sensitive information. */ memset_s(x, 0, sizeof(x)); } *Or use the following flag: -fno-builtin-memset!
  • 19.  Provides a chance to learn a new approach  Helps with self-study and problem solving  Facilitates development  Shows and helps study error patterns For Students 19
  • 20. Use of Static Analysis in Student and Open Projects 20
  • 21.  Static analysis provides its maximum benefit only when used regularly! Regular Use is the Main Thing 21
  • 22. Regular Use is the Main Thing 22
  • 23. Efficient Static Analyzers 23 β€’ PVS-Studio β€’ Clang Static Analyzer β€’ Cppcheck β€’ Infer β€’ IntelliJ IDEA β€’ FindBugs β€’ ... β€’ A detailed list of static analyzers:
  • 24. 1. A classic development scenario (in office) 2. Developing student and open-source projects Introducing Analysis 24
  • 25.  Locally on developers’ computer (plugins for IDE, compilation monitoring system) A Typical Scenario 25
  • 26.  Continuous integration systems (command-line utilities, plugins for CI systems, monitoring systems) A Typical Scenario 26
  • 28. What’s the difference? Student and Open-Source Projects 28
  • 30. Student and Open-Source Projects 30
  • 31. Student and Open-Source Projects 31
  • 32. Student and Open-Source Projects 32
  • 33. Student and Open-Source Projects 33
  • 34. Using an Analyzer on Open-Source Projects 34
  • 35. Using an Analyzer on Open-Source Projects 35
  • 36. How to Analyze Community Contribution? 36
  • 37. What to Do After the First Check? 37
  • 38. Using an Analyzer on Open-Source Projects 38
  • 39. Using an Analyzer on Open-Source Projects 39
  • 41. How to Analyze Community Contribution? 41
  • 42.  Suppress bases are a mass suppression tool for the analyzer’s warnings. After the First Check 42
  • 43.  Suppress bases are a mass suppression tool for the analyzer’s warnings. After the First Check 43
  • 44.  Hide old errors – keep up the normal pace  See only the latest warnings starting from this moment  Get immediate benefits from the analyzer  Do not forget about the old errors! Come back and fix them one-by-one. The Purpose of Suppress Bases 44
  • 45.  A very convenient approach: the β€œratcheting” method  The number of errors in the base is committed to the repository.  Changes are allowed only when they do not increase the total number of errors. How to Work with Suppress Base 45
  • 46. How to Work with Suppress Base 46
  • 49.  Static analysis helps study programming  It’s important to use static analysis regularly  It’s okay to use static analysis in open-source projects! Recap 49
  • 50. A Free PVS-Studio License for Open-Source Project Developers 50