George Gribkov presented on how to introduce static analysis to make programmers' and QA engineers' lives easier. Static analysis automatically checks code for bugs without executing it. While initial attempts to analyze Unreal Engine 4 failed, monitoring compiler calls directly succeeded in finding over 1800 warnings. Epic Games now uses continuous static analysis to receive early warnings. The best practices are to start analysis early and regularly in development and CI/CD pipelines, and to gradually fix old warnings using suppression files to ratchet down reported issues over time. Static and dynamic analysis complement each other to thoroughly check for errors.
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Engine 4)
1. Make Your and Other Programmer’s Life Easier
with Static Analysis
(Unreal Engine 4)
Speaker:
George Gribkov
2. George Gribkov
C++ programmer, one of the static
analyzer developers in PVS-Studio
Developing analyzer’s core and new
rules. Providing user support.
Publishes articles on Habr and
speaks at conferences.
gribkov@viva64.com
About the Speaker
2
3. 1. What is static analysis and what is it for?
2. How does static analysis work? (Unreal Engine 4)
3. How to introduce static analysis in your project: best
practices
Content
3
29. Integer overflow caused the explosion
Rocket had four satellites
Losses amounted to $ 370 000 000
Example of Very Expensive Error
29
30. Unit testing
Integration testing
System testing
…
Ways to Find Error
30
31. Unit testing
Integration testing
System testing
…
Dynamic analysis
Static analysis
Ways to Find Error
31
32. Static analysis tools: check code when it’s not
executed
Dynamic analysis tools: check code when it’s
being executed
Automated Code Analysis Tools
32
Both approaches complement each other very
well
33. Static analysis tools: check code when it’s not
executed
Dynamic analysis tools: check code when it’s
being executed
Automated Code Analysis Tools
33
Both approaches complement each other very
well
36. Covers the entire code
Works fast
Is convenient for all sizes of projects
Saves programmer’s time
Saves QA Engineers’ time
Static Analysis Pros
36
37. Modern Static Analysis Tools
37
• PVS-Studio
• ReSharper
• Coverity
• SonarQube
• Klocwork
• Clang Static Analyzer
• IntelliJ IDEA
• ...
• A full list of static analysis
tools:
40. My boss found errors in UE 4
and wrote an article
The developers of Epic Games
liked the article a lot
They wanted to fix more errors
and entrusted it to us
How It Started
40
45. Generated project files are just wrappers
These wrappers call the Unreal Build Tool
Unreal Build Tool calls cl.exe (or clang for Linux
builds)
Unreal Engine Build System
45
46. Generated project files are just wrappers
These wrappers call the Unreal Build Tool
Unreal Build Tool calls cl.exe (or clang for Linux
builds)
The analyzer cannot collect the parameters
required for compilation because of all these
layers
Unreal Engine Build System
46
48. What if we try to find compiler calls directly?
The Second Check
48
49. What if we try to find compiler calls directly?
We’re lucky to have a special utility to monitor
compilation
The Second Check
49
50. 1.Start the compilation monitoring
utility before building the project
2.The utility builds all the necessary
data
3.Right after build run the analysis
4.???????
5.
The Second Analysis Attempt
50
51. The Second Analysis Attempt
51
1.Start the compilation monitoring
utility before building the project
2.The utility builds all the necessary
data
3.Right after build run the analysis
4.???????
5. EPIC WIN!!!
59. At night we built the final version of UE 4
We analyzed each build
In the morning, we got a new report with errors found
What’s more, we could check the build right away
How We Fixed Bugs
59
62. After we fixed errors, we
found four new warnings
The Icing on The Cake
62
63. The developers of Epic Games were pleased
They started using a continuous static code analysis, as we
did
Now they receive warnings about errors in time
As for us… we wrote another article :)
Results
63
64. Best Way to Introduce Static Analysis in
Your Project
64
65. Run the analysis in the early
stages
Run the analysis regularly
Two Main Approaches
65
83. Suppress files introduce the "mass suppression of
analyzer messages" mechanism.
Suppress files
83
84. Hide old errors – work as usual
Have only new warnings from now on
Gain analysis benefits RIGHT AWAY
Don’t forget about hidden errors! Get back to them and
gradually fix.
Suppress files allow you to
84
85. A very convenient method is a “ratchet mechanism”
Suppress file commits to the version control system
Changes are allowed only if they don’t increase warnings total
number
What to Do With Suppress files
85