the polyspace® family of products now offers a feature designed explicitly for software developers: polyspace as you code. this feature brings the code checking capabilities of polyspace bug finder into integrated development environments (ides) and saves you from finding bugs late in the software development cycle.
cost of finding bugs late in development cycle
software bugs can be detected at various stages of development. while some bugs show up only in the integration stage, a significant number of bugs can be found much earlier. fixing bugs as soon as they are found saves debugging tasks later in the development cycle.
the chart below shows that the cost of fixing a defect increases exponentially as you move through the development cycle. it is more cost-effective to find and fix defects at the coding stage of the development cycle.
polyspace as you code
polyspace as you code lets you check for code quality even before submitting code changes to a source code repository. you can get the benefits of running polyspace within the familiar environment of your ide or editor by installing polyspace as you code as a plugin or extension. plugins are available for ides such as visual studio®, visual studio code, or eclipse™. you can also integrate polyspace as you code with other ides or editors using a simple api.
polyspace as you code analyzes the files being modifed, either on demand or on save, extracting analysis settings from your build environment. new vulnerabilities and coding rule violations are then reported directly in the ide. you can review findings that already existed in the file when you want to focus on increasing the quality of your code. for instance, in visual studio code, you may see a defect reported like the one shown below after your c or c file is analyzed:
for each finding reported by payc, you get extensive context information to help understand the root cause of the vulnerability, such as:
- brief description of the defect: an implicit conversion leads to an overflow.
- data types involved: an unsigned integer variable (size: 32 bits) is converted to another unsigned integer type (size: 16 bits).
- expected values: the expected range of the unsigned integer type (size: 16 bits) is [0 ... 65535].
- actual values: the actual values that the variable has acquired are higher than expected.
- related events: the issue appears on line 138. another line relevant to the issue is an assignment on line 134. remember, you may need to fix a bug on a previous line and not at the immediate location of the problem.
with these details, along with context-sensitive help showing possible fixes, you can now resolve the error. if your fix works, then the highlight on the token will go away the next time you save your code.
you can use polyspace as you code to perform other related actions within your ide. for instance, if you decide not to fix an issue, you can add polyspace-specific code comments with one click to justify the result. this is a helpful tool if your quality management process requires you to fix or justify all vulnerabilities or coding rule violations of specific types. processes that are tedious later in the development cycle can now be completed with less effort while you are developing in your ide. also, code reviewers can verify your justifications, making the code review process more efficient.
if you hook up your polyspace as you code installations to a polyspace access server, you can use the latest run on the server as a baseline for the results in your ide. that way, your ide only shows results directly caused by your code changes since the last server run and hides issues that were already present in legacy code. you can also temporarily disable the baseline and see all issues in the current file.
like other polyspace products, the key features of polyspace as you code are fully customizable.
- don’t like the default set of checkers? you can set the checkers that you want. you can also maintain standards across your team or organization by sharing a common checkers file.
- don’t want to run analysis on every save? you can disable automatic analysis when saving and explicitly run an analysis at will from your ide.
- want to use your scripts in running the analysis? you can set up polyspace as you code to bypass the ide plugin options and run your scripts on each save.
how polyspace as you code prevents late bugs
polyspace as you code prevents late bugs by enabling you to find and fix vulnerabilities and enforce coding standards as soon as possible. this is achieved by providing you with easy-to-use code checking capabilities:
- no context switch required: polyspace as you code detects software vulnerabilities, coding standard violations, overly complex code, and other issues in the current file that is open in your ide and highlights the relevant source code tokens. the highlights are similar to what you may see in your ide for syntax errors. hovering on the highlighted tokens shows additional details of the issue, so you can investigate and quickly fix it.
- faster runs: polyspace as you code runs on the current file being edited. the runs are faster than a full project analysis and produce immediate and meaningful results.
- minimal setup required: polyspace as you code extracts all required information from your ide (assuming your ide is already setup to build your source code). the setup effort required to perform code analysis is minimal.
- tool runs automatically: each time you save your code, polyspace as you code runs in the background and shows you any bug or coding standard violation caused by your latest changes. there is no overhead of remembering to run the tool.
in summary, polyspace as you code enables you to develop faster, higher-quality c and c code. code analysis capabilities are available directly in your coding environment and can run as soon as the code is modified. as a result, the feedback-loop on code vulnerabilities and code quality is as short as possible, and it reduces the time spent on code-reviews.
you can use polyspace as you code together with polyspace server products for component-level or system-level code analysis. while polyspace as you code enables you to remove single-unit defects or coding rule violations before submitting to a code repository, polyspace server products can run in a continuous integration pipeline after submission and detect more complex integration issues. this is the most efficient way to keep your code quality level high across all developers and teams during the complete lifecycle of your development project.
for more information, see the release notes for polyspace bug finder. polyspace as you code was released in r2021a.