Static Code Analysis


Modern object-oriented software is complex, which leaves room for language features to be misused; even experienced developers can inadvertently write error-prone code. Software is an integral part of the service and application industry, so deploying defective code can easily cause huge monetary losses.

Projects can have millions of lines of code, so a manual review or test of the complete source code can take a long time [5]. Automated bug detection explores all possible program behaviors and hence is not limited by the number of lines of code or the quality of the test cases.

So what is static analysis?

Static code analysis is the analysis of software code without actually executing it. These tools look for a specific set of patterns or rules in the source code or bytecode, very similar to how antivirus programs search for viruses. They try to detect bug patterns, which are nothing but error-prone coding practices [4].

Some common issues that this analysis can uncover are –

  • Concurrency issues
  • Unchecked method return values
  • Unused fields and constants
  • Mutable static data
  • Null pointer dereferences

In contrast, dynamic analysis actually executes the program and checks the execution for inconsistencies [1]. It is worth noting that most warnings do not indicate actual bugs, so these tools also categorize and prioritize their results to help the developer make the final decision [6, 11].
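As an added illustration, not code from the article or from any of the tools it names, here is a toy bug-pattern detector in the FindBugs/PMD style, written over Python's ast module instead of Java bytecode. It applies three purely syntactic rules mirroring items from the list above (unchecked return values, mutable static data, null dereference); PURE_CALLS and the SAMPLE input are constructed for the example.

```python
import ast

# Functions/methods whose only effect is their return value (constructed list).
PURE_CALLS = {"strip", "lower", "upper", "replace", "sorted", "reversed"}

def _derefs(stmt, name):
    """True if stmt contains an attribute access on the variable `name`."""
    return any(isinstance(n, ast.Attribute) and isinstance(n.value, ast.Name)
               and n.value.id == name for n in ast.walk(stmt))

def find_bug_patterns(source):
    """Return sorted (line, pattern, symbol) findings. The rules are purely
    syntactic, so like FindBugs or PMD they can also flag code that is fine."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        # Unchecked return value: a bare statement calling a pure function.
        if isinstance(node, ast.Expr) and isinstance(node.value, ast.Call):
            func = node.value.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name in PURE_CALLS:
                findings.append((node.lineno, "RETURN_VALUE_IGNORED", name))
        # Mutable static data: class attribute bound to a list/dict/set literal.
        if isinstance(node, ast.ClassDef):
            for stmt in node.body:
                if isinstance(stmt, ast.Assign) and isinstance(stmt.value, (ast.List, ast.Dict, ast.Set)):
                    for target in stmt.targets:
                        if isinstance(target, ast.Name):
                            findings.append((stmt.lineno, "MUTABLE_STATIC_DATA", target.id))
        # Null dereference: `x = None` directly followed by a statement using `x.<attr>`.
        body = getattr(node, "body", None)
        if isinstance(body, list):
            for prev, cur in zip(body, body[1:]):
                if isinstance(prev, ast.Assign) and isinstance(prev.value, ast.Constant) and prev.value.value is None:
                    for target in prev.targets:
                        if isinstance(target, ast.Name) and _derefs(cur, target.id):
                            findings.append((cur.lineno, "NULL_DEREFERENCE", target.id))
    return sorted(findings)

# Constructed input: each pattern once, plus one correct call that must not be flagged.
SAMPLE = """\
class Config:
    DEFAULTS = []            # mutable class-level (static) data
def normalise(name):
    name.strip()             # result discarded: str.strip() returns a new string
    cleaned = name.strip()   # fine, the result is used
    conn = None
    conn.close()             # attribute access on a value just bound to None
    return cleaned
"""
```

Calling find_bug_patterns(SAMPLE) reports lines 2, 4 and 7 of the sample and says nothing about line 5, where the return value is used.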

How can we use automation to conduct static analysis?

Commonly used tools for analysing software code in the industry are –

FindBugs uses byte code analysis to implement bug detectors. Simple analysis is used to recognize over 300 types of programming mistakes and dubious coding idioms [2].

PMD performs syntactic checks on program source code and is more suited to checking stylistic rules than for checking low-level code features such as access to fields [3].

Jlint checks the given Java bytecode and finds bugs, inconsistencies and synchronization problems by performing data-flow analysis and building a lock graph [1].

How can static analysis be used in the industry?

Static analysis is becoming an industry standard, and Google has even incorporated FindBugs into its standard testing and code-review process, fixing more than 1,000 issues in its internal code base [4].

Static analysis can be used in conjunction with data mining to provide interesting applications. For example, analyzing code and bug fixes across different revisions can reveal which warning categories are most important [6]. Such an analysis can also be used to distinguish between good and bad source code [3]. This knowledge can be leveraged to improve the quality of source code over time, and it can also give developers guidance during the initial phases of software development.

According to the evaluation done by the creators of FindBugs, the code written in undergraduate courses is often buggy, which illustrates the role of such tools in steering novices towards correct use of difficult language features [2].

On a concluding note, although these tools are very effective, they may still miss some violations: the tools are only as effective as the rules they use to scan the code [7].

Reference List:

[1] I. Gomes, P. Morgado, T. Gomes and R. Moreira, "An overview on the static code analysis approach in software development," Tech. rep., Faculdade de Engenharia da Universidade do Porto, 2009.

[2] D. Hovemeyer and W. Pugh, "Finding bugs is easy," Companion to the 19th Annual ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages, and Applications, Vancouver, BC, Canada, 24-28 October 2004.

[3] S. Kim, K. Pan and E. J. Whitehead Jr., "Memories of bug fixes," Proc. 14th ACM Symposium on Foundations of Software Engineering, 2006.

[4] N. Ayewah, D. Hovemeyer, J. D. Morgenthaler, J. Penix and W. Pugh, "Using static analysis to find bugs," IEEE Software, vol. 25, no. 5, pp. 22-29, Sept.-Oct. 2008.

[5] J. Novak, A. Krajnc and R. Žontar, "Taxonomy of static code analysis tools," MIPRO 2010, Proceedings of the 33rd International Convention, pp. 418-422, 24-28 May 2010.

[6] S. Kim and M. D. Ernst, "Which warnings should I fix first?," Proceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, Dubrovnik, Croatia, 3-7 September 2007.

[7] M. S. Ware and C. J. Fox, "Securing Java code: heuristics and an evaluation of static analysis tools," Proceedings of the 2008 Workshop on Static Analysis, Tucson, Arizona, 12 June 2008, pp. 12-21.
