10,000 Bugs Found - A Milestone for Static Analysis
Written by Alex Armstrong   
Tuesday, 23 August 2016

Eliminating bugs from software requires attention to detail - or a good set of tools. In order to promote static analysis methodology in general and its own static analyzer in particular, PVS-Studio does free code analysis of open source code. Having inspected 262 projects it has now logged 10,000 bugs.

 

 

pvschar

 

According Andrey Karpov co-founder and CTO of Program Verification Systems:

The bugs we found demonstrate that nobody is immune from misprints, inattention or other mistakes. Absolutely nobody, and we find confirmations to this point in such projects as Microsoft Code Contracts, Qt, Linux kernel, CryEngine, VirtualBox, LibreOffice, Firefox, Boost, Tor and so on.

The database of open source project bugs organized by over 250 PVS-Studio error codes, with examples for each is available for your inspection and edification.

OK so 10000 issues in 262 projects is not that many - it works out at 38 issues per project on average - but there could be many more. Karpov points out:

to promote static analysis and PVS-Studio we do not need to find as many bugs as possible. We need to find enough interesting issues to write an article. That is why we always suggest project contributors examine their code more carefully.

In fact, non-recurrent inspections are good for demonstration of analyzer capabilities, but in real development process they are of very little use. The whole point of the static analysis is to run it on a regular basis. In this case most of errors can be detected during code writing, and not after hours of debugging or after user's complaints.

One thing that PVS-Studio has discovered is that code base and quality may vary from project to project. Some projects contain hundreds of issues but last week PVS-Studio analyst Ilya Ivanov wrote a report about a project that yielded just a single issue!

 

nunitpvsbus

 

The project was NUnit, itself testing framework for .NET projects ported from Java to C# and it would have been embarrassing had it been riddled with bugs - so even one is enough and PVS-Studio was jubilant writing:

NUnit crashed with NullReferenceException. PVS-Studio managed to find a real bug even in such a well-tested product as NUnit is. Note that it was no harder than writing a unit-test: you just run project analysis from the menu and check the grid with the results.

You can read the full report here. Other interesting analyses include Finding Bugs In The First C++ Compiler, with a response from Bjarne Stroustrup and Locating Bugs In ChakraCore.

Andrey Karpov has compiled a large collection of tips for programmers as a result of checking open source projects and presented a small selection on I Programmer, see Four Tips For C++ Programmers

pvsbug

Banner


Google Opensources Privacy Library
08/11/2024

Google is making a new differential privacy library available as open source. PipelineDP4J is a Java-based library that can be used to analyse data sets while preserving privacy.



CSS Ecosystem In the Spotlight
06/11/2024

The 2024 edition of the State of CSS has been posted, revealing that the latest features of the language not only do away with extra tooling, but even start taking on tasks that previously requir [ ... ]


More News

 

espbook

 

Comments




or email your comment to: comments@i-programmer.info

 

Last Updated ( Tuesday, 23 August 2016 )