Software has too many stupid bugs. Some for technical reasons, and some for human reasons. However, many of them are easily avoidable, if we only use the right technology. With this blog, I want to talk about that technology, and how to apply it in “more human” ways that make our life easier, not harder. This blog is about Static Analysis, and how to make it work for you, not against you.
Who am I?
But first, let me briefly introduce myself: My name is Martin, and I am a software engineer since age 13. I started coding on my i386 machine, by copy & past’ing someone’s code that I found on the early internet, and worked my way up to building safety-critical systems like aircraft and medical devices in languages like Pascal, C++, Ada, Python, Esterel, Lustre, Java, and Rust. Today, more than 25 years later, I am a still a software engineer, and my day job is helping others to make their software more safe and secure, in particular the critical stuff that needs to work properly and protect lives. But this blog is not about my day job (find me on LinkedIn if you need to know more). This blog is rather personal.
My journey to writing good software was not easy. I have accidentally deleted my disk while creating my own Trojan horse, I have barbecued a hand-built robot by setting the wrong register bit, and I have developed and verified professional flight control software with printf-debugging. Yikes. I certainly created my fair share of bugs. Now I know, that this could have been avoided.
Over the years, I have learned how to do it much better. I have studied and discovered powerful verification approaches that were not mentioned during my engineering degree, namely static analysis. I have conducted my own academic research around it, I have used tools from different vendors, and I have taught hundreds if not thousands of students and engineers how to leverage them. The result is always the same: Once humans understand how limited they are in writing software and how to use the right methods, the same humans start to become better developers, regardless of their background.
My mission: Static Analysis that works…
I want to share with you the power of static analysis, so that you can write better software, too. If you don’t know yet what it is, no worries, I will explain later. But in a nutshell: Static analysis reads your code or design, and points at some of your bugs. Typos, logical errors, security vulnerabilities…static analysis finds what humans are often missing. It is an eye-opening technology, and it can feel like magic. Yet, tragically, it is not used often enough. Therefore, I want to spread the word.
Any sufficiently advanced technology is indistinguishable from magic – A.C. Clarke
… Practical Advice
But static analysis can also feel like a nuisance or even a burden. Sometimes it creates false alarms, sometimes it misses bugs, and sometimes it provides no results at all. At other times, it is used at the wrong time, and creates days of boring after-work, with diminishing returns. In such situations, many people get frustrated and stop using it. Back to zero. I will show you how to make static analysis work for you, with practical advice. Towards that, we will discuss important concepts like analysis assumptions, blocking semantics and aliases, and learn how to leverage them for better results.
… The Human Aspect
I will also talk about some psychological aspects in daily use, because eventually it’s humans who use it, and we are not always rational. Towards that, we must consider some cognitive and behavioral effects that may appear. Don’t worry, this is not a blog about psychology. I am an engineer. But to really use the methods efficiently, we will have to discuss situations like paralysis when too many bugs are found, how to overcome cognitive bias when the results contradict our expectations, and how to overcome our inertia and build clean coding habits.
… Brief & Useful
Last but not least, I want to make it brief. Nobody has the time to read much. Every post will only discuss a specific topic, and that helps during your own projects. Be it a hobby, or your job. My goal is to stay below five minutes reading time. With that being said, let’s stop here for today.
What you won’t get here
Another goal for myself, and maybe some relief for you: There will be no marketing for specific tool vendors here, and neither will I provide recommendations or affiliate links to any products. This is also not a research blog. I want to keep things practical and informative, so that more people have a chance to find bugs in their software, and maybe also to capture some my of own thoughts that occur during my daily work.
What’s next?
In my next post, I will explain what static analysis is and how it works. There are a lot of misconceptions to clean up.