Introduction to software static analysis and the Klocwork tool
1. Software static analysis
Software static analysis finds code quality and security problems without executing the program, which moves defect discovery and resolution forward into the coding phase. This greatly reduces the cost of fixing defects and improves software quality.
In general, the entry condition for static analysis is that the code compiles, and the exit condition is that the potential defects it reports have been reasonably evaluated.
2. How static analysis relates to compilation, code review and dynamic testing
Compilation mainly performs syntax and semantic analysis of the source code.
A static analysis tool analyzes the code after it compiles. It can often be embedded in the IDE or, by adapting the makefile (for C/C++), run as part of the project's integration build. Static analysis tools check code more rigorously than compilers: null pointer dereferences, memory management errors, out-of-bounds array access, uninitialized data references and coding-style violations can all be checked by static analysis tools. These are beyond the scope of a compiler.
As noted above, static analysis uses specialized tools to detect the more common programming problems, while code review relies on developers; besides covering the common problems that static analysis finds, review naturally includes analysis and understanding of the specific scenario. Static analysis can therefore simplify code review and reduce its workload.
Static analysis does not require executing the code, while dynamic testing exercises the running program and relies on specific inputs to determine whether the output meets expectations.
3. The Klocwork static analysis tool
There are many static analysis tools. Among commercial tools the best known are Klocwork, Coverity and PC-lint; open-source options include Splint and FindBugs. Here is a brief introduction to Klocwork.
Klocwork helps developers build more secure and reliable software by detecting quality defects in code early. It determines whether the code has problems by traversing all execution paths, which is especially valuable for large projects.
Klocwork provides the following components, shown in the blue section of the figure; the main installation package is divided into a Server package and a User package.
The Server package mainly includes the license server, database server, Klocwork server, build tools and projects root. The specific features of each module are described at http://www.klocwork.com/products/documentation/current/About_the_Klocwork_packages_and_components
To perform an integration build, which relies primarily on the build tools component, the Server package must be installed.
The main steps of a Klocwork integration build, taking C++ as the example, are shown in the following figure:
· Create a project (creates the project database)
kwadmin --url http://server2:8080 create-project my_project
· Get the compilation settings (build spec)
kwinject <my_build_command>
The input is usually the makefile-based build command; the captured build spec is written to kwinject.out
· Run the analysis (results go to tables)
kwbuildproject --url http://server2:8080/my_project --tables-directory /my_tables kwinject.out
The analysis results and reports are produced and stored in the tables folder
· Upload to the database (updates the project database)
kwadmin --url http://server2:8080 load my_project /my_tables
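The four steps above chained into one script, as an added example (not from the original article or from Klocwork). It assumes kwadmin, kwinject and kwbuildproject are on PATH, that the build is driven by make (placeholder), and that kwinject writes its default kwinject.out; the server URL, project name and tables directory are the page's own values and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example: run a Klocwork integration build end to end.
# Assumed: kwadmin/kwinject/kwbuildproject on PATH; "make" is a placeholder build command.
set -eu

KW_URL="${KW_URL:-http://server2:8080}"   # Klocwork server (value from the article)
KW_PROJECT="${KW_PROJECT:-my_project}"    # project name (value from the article)
KW_TABLES="${KW_TABLES:-/my_tables}"      # tables directory (value from the article)
KW_BUILD="${KW_BUILD:-make}"              # assumed build command wrapped by kwinject
DRY_RUN="${DRY_RUN:-0}"                   # 1 = print each command instead of running it

# run_step NAME CMD...: run one step, or print it when DRY_RUN=1.
# With set -e, a failing step aborts the pipeline so a broken build never gets uploaded.
run_step() {
    step="$1"; shift
    if [ "$DRY_RUN" = 1 ]; then
        printf '[%s] %s\n' "$step" "$*"
    else
        printf '==> %s\n' "$step" >&2
        "$@"
    fi
}

kw_integration_build() {
    # Step 1: create the project database (only needed once; kwadmin fails if it already exists)
    run_step create kwadmin --url "$KW_URL" create-project "$KW_PROJECT"
    # Step 2: capture the build spec by wrapping the real build (default output: kwinject.out)
    run_step inject kwinject $KW_BUILD
    # Check that the build was actually captured before spending time on analysis
    if [ "$DRY_RUN" != 1 ] && [ ! -s kwinject.out ]; then
        echo "kwinject.out is missing or empty: build not captured" >&2
        return 1
    fi
    # Step 3: analyse the captured build; results land in the tables directory
    run_step build kwbuildproject --url "$KW_URL/$KW_PROJECT" --tables-directory "$KW_TABLES" kwinject.out
    # Step 4: upload the tables so the results show up in the project database
    run_step load kwadmin --url "$KW_URL" load "$KW_PROJECT" "$KW_TABLES"
}
```

Run with DRY_RUN=1 first to confirm the composed commands match the server and project you intend to load into.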
See the Klocwork developer documentation: http://www.klocwork.com/products/documentation/current/Klocwork_Insight_Documentation