{"id":257,"date":"2017-11-21T22:52:19","date_gmt":"2017-11-21T22:52:19","guid":{"rendered":"http:\/\/cppdepend.com\/blog\/?p=257"},"modified":"2018-02-02T18:25:30","modified_gmt":"2018-02-02T18:25:30","slug":"c-static-analysis-bug-vs-bug-prone-situations","status":"publish","type":"post","link":"https:\/\/cppdepend.com\/blog\/c-static-analysis-bug-vs-bug-prone-situations\/","title":{"rendered":"C++ Static analysis: Bug vs Bug-prone situations"},"content":{"rendered":"<p>Static analysis is not only about directly finding bugs, but also about finding bug-prone situations that can decrease code understanding and maintainability. Static analysis can handle many other properties of the code:<!--more--><\/p>\n<ul>\n<li><strong>Code metrics<\/strong>: for example, methods with too many loops, if, else, switch, case\u2026 end up being non-understandable, hence non-maintainable. Counting these through the code metric Cyclomatic Complexity is a great way to assess when a method becomes too complex.<\/li>\n<li><strong>Dependencies<\/strong>: if the classes of your program are entangled, the effects of any change in the code become unpredictable. Static analysis can help to assess when classes and components are entangled.<\/li>\n<li><strong>Immutability<\/strong>: types that are used concurrently by several threads should be immutable, else you\u2019ll have to protect state read\/write access with complex lock strategies that will end up being un-maintainable. Static analysis can make sure that some classes remain immutable.<\/li>\n<li><strong>Dead code<\/strong>: dead code is code that can be removed safely, because it is not invoked anymore at runtime. Not only <em>can<\/em> it be removed, but it <em>must<\/em> be removed, because this extra code adds unnecessary complexity to the program. 
Static analysis can find most of the dead code in your program (yet not all).<\/li>\n<li><strong>API breaking change<\/strong>: if you present an API to your clients, it is very easy to remove a public member without noticing and thus break your clients\u2019 code. Static analysis can compare two states of a program and warn about this pitfall.<\/li>\n<li><strong>API usage<\/strong>: some APIs are intended to be used carefully. For example, a class that holds disposable fields must in general itself be disposable, except when the disposable field\u2019s lifetime is not aligned with the lifetime of the class instance, which then sounds like a design problem.<\/li>\n<\/ul>\n<p>Many interesting tools exist to detect bugs in your C++ code base, like cppcheck, Clang and the Visual Studio analyzer. But what about the detection of bug-prone situations?<\/p>\n<p>While the creators of static analysis tools can decide which situations count as bugs, that is not the case for bug-prone situations, which depend on the development team\u2019s choices. For example, one team could consider a method with more than 20 lines complex, while another could set the maximum to 30. 
If a tool detects some bug-prone situations, it must also make that detection customizable.<\/p>\n<p><strong>Code as Data is the better way to detect bug-prone situations<\/strong><\/p>\n<p>Static analysis is the idea of analyzing source code for various properties and reporting on those properties, but it\u2019s also, philosophically, the idea of treating code as data. This is deeply weird to us as application developers, since we\u2019re very much used to thinking of source code as instructions, procedures, and algorithms. But it\u2019s also deeply powerful.<\/p>\n<p>After analyzing a source file, we can extract its AST and generate a model containing much useful information about the code. This way we can query it using a code query language similar to SQL.<\/p>\n<p><a href=\"http:\/\/www.cppdepend.com\">CppDepend<\/a> provides a powerful code query language named CQLinq to query the code base like a database. 
Developers, designers and architects can define custom queries to easily find bug-prone situations.<\/p>\n<p>With CQLinq we can combine data from code metrics, dependencies, API usage and other model information to define very advanced queries that match bug-prone situations.<\/p>\n<p>Here\u2019s an example of a CQLinq query that matches the most complex methods:<\/p>\n<p><a href=\"http:\/\/www.codergears.com\/Blog\/wp-content\/uploads\/bugs.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-1978\" src=\"http:\/\/www.codergears.com\/Blog\/wp-content\/uploads\/bugs.png\" alt=\"bugs\" width=\"461\" height=\"537\" \/><\/a><\/p>\n<p><strong>Summary<\/strong><\/p>\n<p>It\u2019s better to combine several C++ tools to detect problems in your C++ code base: some tools detect bugs, others also detect bug-prone situations. With CppDepend we try to combine many tools: we provide an easy way to define your own queries, and we recently added a feature to import the results from other static analysis tools so that they can be queried with CQLinq.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Static analysis is not only about directly finding bugs, but also about finding bug-prone situations that can decrease code understanding and maintainability. Static analysis can handle many other properties of the 
code:<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[7,34],"class_list":["post-257","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-c","tag-static-analysis"],"_links":{"self":[{"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/posts\/257","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/comments?post=257"}],"version-history":[{"count":3,"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/posts\/257\/revisions"}],"predecessor-version":[{"id":260,"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/posts\/257\/revisions\/260"}],"wp:attachment":[{"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/media?parent=257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/categories?post=257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cppdepend.com\/blog\/wp-json\/wp\/v2\/tags?post=257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}