Software // Enterprise Applications
01:40 PM

Q&A: 'Aha!' Moments And The Holy Grail

Gwyn Fisher is chief technical officer at Klocwork, a provider of static code analysis tools.

Gwyn Fisher is chief technical officer at Klocwork, a provider of static code analysis tools. He recently spoke with Dr. Dobb's editor-in-chief Jonathan Erickson.

Dr. Dobb's: What's the hard part of static analysis?

Fisher: There's a tipping point in using a static analysis tool, and it depends on finding that "aha!" moment as quickly as possible. This might be a bug you'd never have found yourself, or it might be an architectural recommendation that slipped past you. Whatever it is, it has to happen pretty quickly.

Dr. Dobb's: As a tool builder, how do you cope with new technologies?

Fisher: It might be a technology paradigm shift, such as multicore, it might be a new standard or a new de facto adoption of a framework such as Boost--all of these form the core of what we invest in over time. Developers buy a static analysis tool because it finds bugs in their code. Anything else we do differentiates our approach from our competitors, but if we don't support their language, platform, or libraries, then the product isn't worth implementing.

Dr. Dobb's: Does parallelization make static analysis faster, better, more accurate?

Fisher: Yes indeed. Any competent analysis product can process nodes in the control flow graph that occur at the same level in the hierarchy in parallel. We provide both multicore parallelism as well as a multimachine parallelism, both of which can be used to scale the analysis task almost linearly across hardware resources.

Dr. Dobb's: When it comes to static analysis, what's the Holy Grail?

Fisher: What we're all working hard at is trying to actually completely solve the problem of static analysis. Today's commercial tools all work in an unsound model of analysis, whereby we claim to find some bugs in your code, and we don't--and can't--claim to find all the bugs in your code, and only the bugs in your code. Any tools--mostly academic--that perform sound analysis, and therefore claim to find all bugs in your code, do so at the cost of vast false-positive numbers, upward of 80% to 90%. Obviously that's not tractable for real usage, so the Holy Grail here is a technology that not only can find all bugs, but has a 0% false-positive rate at the same time. ... But don't hold your breath.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of July 17, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.