Not so long ago one of our colleagues left the team and joined one company developing software for embedded systems. There is nothing extraordinary about it: in every firm people come and go, all the time. Their choice is determined by bonuses offered, the convenience aspect, and personal preferences. What we find interesting is quite another thing. Our ex-colleague is sincerely worried about the quality of the code he deals with in his new job. And that has resulted in us writing a joint article. You see, once you have figured out what static analysis is all about, you just don't feel like settling for "simply programming".
TDD is one of the most popular software development techniques. I like this technology in general, and we employ it to some extent. The main thing is not to run to extremes when using it. One shouldn't fully rely on it alone forgetting other methods of software quality enhancement. In this article, I will show you how the static code analysis methodology can be used by programmers using TDD to additionally secure themselves against errors.
TDD is wonderfulTest-driven development (TDD) is a technique of software development based on iteration of very short development cycles. You write a test first which covers the change you want to introduce, then you write a code to pass the test, and finally you carry out refactoring of the new code to meet the corresponding standards. I won't dwell on what TDD is: there exist many articles on this subject which you can easily find on the Internet.
I'm joking about Linux, of course. Nevertheless, this question really interests me. I understand that systems they work on in Microsoft are large and complex. I know very well that bugs may be detected by users only some time later after release. But I don't understand how can one simply not notice obvious bugs in the tools the developers themselves are meant to use regularly?
A few words about classic mistakes to start with. Everything's clear about them: developers may well miss them because they are not the end users. A good example of this is an error in one of the Microsoft Visio versions. It was the 2010 version, I suppose. When you started typing text in Russian into a Basic Flowchart block, it was being typed back to front. I can understand it. Someone has mixed up things and decided that words are written from right to left in the Russian language. Russian and Arabic are absolutely the same, or very similar at least. There were no Russians among testers, and the error got into the release version. I can understand this case.
There is no fragment in program code where you cannot make mistakes. You may actually make them in very simple fragments. While programmers have worked out the habit of testing algorithms, data exchange mechanisms and interfaces, it's much worse concerning security testing. It is often implemented on the leftover principle. A programmer is thinking: "I just write a couple of lines now, and everything will be ok. And I don't even need to test it. The code is too simple to make a mistake there!". That's not right. Since you're working on security and writing some code for this purpose, test it as carefully!
Static code analysis is the process of detecting errors and defects in software's source code.
Static analysis can be viewed as an automated code review process. Let's speak on the code review now.
Code review is one of the oldest and safest methods of defect detection. It deals with joint attentive reading of the source code and giving recommendations on how to improve it. This process reveals errors or code fragments that can become errors in future. It is also considered that the code's author should not give explanations on how a certain program part works. The program's execution algorithm should be clear directly from the program text and comments. If it is not so, the code needs improving.
I have recently gotten a web application from a nasty contractor who claimed to be a good expert in programming. Unfortunately, we believed him. Functional of the web application seemed to work okay at first glance. However, once the client started using application in the real conditions the things went bad. The contractor has gone after a payment, and I have gotten his errors to fix for a client.
I decided to document a few errors that I found along the way. These are errors that every good programmer should already know to avoid… but obviously some people need to be reminded about them.