I think one of the unstated problems with static analysis is just keeping track of the results. I know that when I started working with these tools, it was a huge PITA just dealing with the various output files.

That's why I created tools to convert the output from different tools into a common CSV format that can be databased and used to compare output from different tools, or from different versions of the code (e.g., after fixing errors reported by the tools).

These tools currently work with cppcheck, clang and PVS-Studio and can be found here: http://btorpey.github.io/blog/categories/static-analysis/
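As an added illustration of the normalize-to-CSV approach the comment describes (not the commenter's own tools), the script below parses constructed cppcheck `--xml` (version 2) output and clang static analyzer text diagnostics into one row schema, emits CSV, and diffs two runs so a re-run after a fix reports which findings disappeared and which are new. The sample inputs and file names are constructed for the example.

```python
import csv
import io
import re
import xml.etree.ElementTree as ET

# Constructed sample outputs (not captured from real runs): cppcheck --xml version 2
# and clang static analyzer text diagnostics over the same hypothetical tree.
CPPCHECK_XML = """<results version="2">
  <errors>
    <error id="nullPointer" severity="error" msg="Null pointer dereference: p" cwe="476">
      <location file="src/tls.c" line="42" column="9"/>
    </error>
    <error id="uninitvar" severity="error" msg="Uninitialized variable: len" cwe="457">
      <location file="src/io.c" line="17" column="5"/>
    </error>
  </errors>
</results>"""
CLANG_TEXT = """src/tls.c:42:9: warning: Dereference of null pointer [core.NullDereference]
src/parse.c:88:3: warning: Value stored to 'n' is never read [deadcode.DeadStores]
"""
COLUMNS = ["tool", "file", "line", "severity", "check", "message"]
CLANG_RE = re.compile(r"^(?P<file>[^:]+):(?P<line>\d+):\d+: (?P<sev>\w+): "
                      r"(?P<msg>.*?) \[(?P<check>[^\]]+)\]$")

def parse_cppcheck(xml_text):
    rows = []
    for err in ET.fromstring(xml_text).iter("error"):
        loc = err.find("location")  # first <location> is the reported site
        rows.append({"tool": "cppcheck", "file": loc.get("file"), "line": int(loc.get("line")),
                     "severity": err.get("severity"), "check": err.get("id"), "message": err.get("msg")})
    return rows

def parse_clang(text):
    rows = []
    for m in filter(None, map(CLANG_RE.match, text.splitlines())):
        rows.append({"tool": "clang", "file": m["file"], "line": int(m["line"]),
                     "severity": m["sev"], "check": m["check"], "message": m["msg"]})
    return rows

def to_csv(rows):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=COLUMNS)
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()

def diff_runs(before, after):
    # Key omits the line number so findings that merely moved are not reported as new/fixed.
    key = lambda r: (r["tool"], r["file"], r["check"], r["message"])
    b, a = {key(r) for r in before}, {key(r) for r in after}
    return sorted(a - b), sorted(b - a)  # (new findings, fixed findings)
```

Loading the CSV into a table keyed on the same four columns gives the per-version comparison the comment describes; line numbers stay in the row for navigation but not in the identity of a finding.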
One of the things I like about this article is that it gives another example showing how formal methods catches deep errors unlikely to be caught with human review or testing:

"Overall, the error trace found by Infer has 61 steps, and the source of null, the call to X509_gmtime_adj(), goes five procedures deep and it eventually encounters a return of null at call-depth 4."

I think the example Amazon gave for TLA+ was thirty-something steps. Most people's minds simply can't track 61 steps into software. Tests always have a coverage issue.
> Zoncolan catches more SEVs than either manual security reviews or bug bounty reports. We measured that 43.3% of the severe security bugs are detected via Zoncolan. At press time, Zoncolan's "action rate" is above 80% and we observed about 11 "missed bugs."

> For the server-side, we have over 100-million lines of Hack code, which Zoncolan can process in less than 30 minutes. Additionally, we have 10s of millions of both mobile (Android and Objective C) code and backend C++ code

> All codebases see thousands of code modifications each day and our tools run on each code change. For Zoncolan, this can amount to analyzing one trillion lines of code (LOC) per day.

11 "missed bugs" on the 100 mm server-side lines of code per run, or ever?
Is there something wrong with acm's load balancer or whatever? First I managed to read to the end of the article, but trying to download the PDF showed "Oops! This website is under heavy load." Now the article page is under heavy load too.

Edit: It worked again right after I posted this comment.