Static code analysis

Static code analysis is a software analysis that is performed (as opposed to dynamic analysis ) without actually executing the programs under investigation. In most cases, the analysis is performed on some version of the source code , although sometimes some kind of object code is analyzed, for example, P-code or MSIL code. The term is usually applied to the analysis produced by special software (software), while manual analysis is called “program understanding”, “program comprehension” ( understanding or comprehension of the program).

Depending on the tool used, the depth of analysis can vary from determining the behavior of individual operators to analysis, including all available source code. The methods for using the information obtained during the analysis are also different - from identifying places that may contain errors (utilities such as Lint ) to formal methods that mathematically prove any properties of the program (for example, compliance with specification behavior).

Some people consider software metrics and reverse engineering forms of static analysis. Obtaining metrics ( English software quality objectives ) and static analysis are often combined, especially when creating embedded systems. ^[one]

Static Analysis Principles

Most compilers (for example, the GNU C Compiler ) display “ warnings ” - messages that the code, being syntactically correct, most likely contains an error. For example:

  int x ;
 int y = x + 2 ;  // The variable x is not initialized!

This is the simplest static analysis. The compiler has many other important characteristics - first of all, the speed of work and the quality of machine code, so the compilers only check the code for obvious errors. Static analyzers are designed for a more detailed study of the code.

Types of Errors Detected by Static Analyzers

Undefined behavior - uninitialized variables, access to NULL-pointers. The simplest cases are also signaled by compilers.
Violation of the library use algorithm. For example, fclose needed for each fopen . And if the file variable is lost before the file is closed, the analyzer may report an error.
Typical scenarios leading to undocumented behavior . The standard C library is known for a large number of unsuccessful technical solutions. Some functions, for example, gets , are basically unsafe. sprintf and strcpy safe only under certain conditions.
Buffer overflow - when a computer program writes data outside the buffer allocated in memory.

  void doSomething ( const char * x )
 {
     char s [ 40 ];
     sprintf ( s , "[% s]" , x );  // sprintf to local buffer, overflow possible
     ....
 }

Typical scenarios that interfere with cross-platform .

  Object * p = getObject ();
 int pNum = reinterpret_cast < int > ( p );  // on x86-32 is true, on x64 part of the pointer will be lost;  need intptr_t

Errors in duplicate code. Many programs execute the same thing several times with different arguments. Usually repeating fragments do not write from scratch, but multiply and correct.

  dest .  x = src .  x + dx ;
 dest .  y = src .  y + dx ;  // Error, you need dy!

Format string errors - in functions like printf may be errors with the format string mismatching with the actual type of parameters.

  std :: wstring s ;
 printf ( "s is% s" , s );

The unchanged parameter passed to the function is a sign of changing requirements for the program. The parameter was once used, but now it is no longer needed. In this case, the programmer can completely get rid of this parameter - and the logic associated with it.

  void doSomething ( int n , bool flag ) // flag is always true
 {
    if ( flag )
    {
        // some kind of logic
    } else
    {
        // the code is there, but not involved
    }
 }

 doSomething ( n , true );
 ...
 doSomething ( 10 , true );
 ...
 doSomething ( x . size (), true );

Memory leaks and other resources. For the sake of justice, it should be noted that, in general, static analyzers lose out in the field of leak detection to dynamic code analyzers. ^[2]

  Traverser * t = new Traverser ( Name );
 if ( ! t -> Valid ())
 {
   return FALSE ;  // Randomly write return before delete.
   delete t ;
 }

Other errors - many functions from standard libraries do not have a side effect , and calling them as procedures does not make sense.

  std :: string s ;
 ...
 s .  empty ();  // the code does nothing;  probably you like s.clear ()?

Application

Recently, static analysis has been increasingly used in verifying the properties of software used in high-reliability computer systems that are especially critical for life ( safety-critical ). It is also used to search for code that potentially contains vulnerabilities (sometimes called Static Application Security Testing , SAST). ^[3]

Static analysis is constantly used for critical software in the following areas:

Software for medical devices. ^[four]
Software for nuclear power plants and reactor protection systems ( Reactor Protection Systems ) ^[5]
Software for aviation (in combination with dynamic analysis) ^[6]
Software in automobile or railway transport ^[7]

According to VDC for 2012, approximately 28% of developers of embedded software use static analysis tools, and 39% are going to start using them within 2 years. ^[eight]

Formal Methods

Static Analysis Tools

C / C ++:

BLAST
Clang Static Analyzer (built into Clang ) ^[9]
Coverity
PC-Lint
lint and lock_lint included with Sun Studio
Cppcheck ( cppcheck on sf )
Parasoft C / C ++ Test
SourceAnalyzer (also Fortran and x86 asm)
PVS-Studio
LDRA Testbed
Polyspace
QA-C
Cantata ++

Java:

PVS-Studio
FindBugs ( FindBugs on sf )
Parasoft JTest
RIPS
fbinfer

.NET:

The .NET Compiler Platform ( Roslyn ) is a compiler framework for C # and VB.NET that provides an interface for the analyzer.
Fxcop
Ndepend
PVS-Studio
ReSharper
Stylecop

PHP:

RIPS

Python: ^[10] ^[11]

Pychecker
Pylint
Mccabe
Pyflakes
Pycodestyle
Flake8

Others:

T-SQL Analyzer is a tool that can view program modules in databases running Microsoft SQL Server 2005 or 2008 and detect potential problems associated with poor code quality.
AK-VS 2 from Echelon NPO CJSC (Search for NDV, identification of dangerous patterns by CWE ^[12] )
SonarQube is a code analysis and quality management platform with support for various programming languages through a plug-in system.
AppChecker is a commercial static code analyzer from NPO ECHELON, designed to automatically search for defects in the source code of applications developed in C #, C / C ++, Java, PHP.
Svace is a static analysis tool developed at ISP RAS . Supports programming languages C / C ++, Java, C #. ^[13]

Notes

↑ Software Quality Objectives for Source Code. Proceedings Embedded Real Time Software and Systems 2010 Conference , ERTS2, Toulouse, France: Patrick Briand, Martin Brochet, Thierry Cambois, Emmanuel Coutenceau, Olivier Guetta, Daniel Mainberte, Frederic Mondot, Patrick Munier, Loic Noury, Philippe Spozio, Frederic Retailleau http: //www.erts2010.org/Site/0ANDGY78/Fichier/PAPIERS%20ERTS%202010/ERTS2010_0035_final.pdf Archived March 12, 2012 on the Wayback Machine
↑ Yes, PVS-Studio can detect memory leaks / PVS Studio Blog
↑ Improving Software Security with Precise Static and Runtime Analysis, Benjamin Livshits, section 7.3 "Static Techniques for Security," Stanford doctoral thesis, 2006. http://research.microsoft.com/en-us/um/people/livshits/papers /pdf/thesis.pdf
↑ FDA Infusion Pump Software Safety Research at FDA (Neopr.) . Food and Drug Administration (September 8, 2010). Date of treatment September 9, 2010.
↑ Computer based safety systems - technical guidance for assessing software aspects of digital computer based protection systems, http://www.hse.gov.uk/nuclear/operational/tech_asst_guides/tast046.pdf Archived October 9, 2012 on Wayback Machine
↑ Position Paper CAST-9. Considerations for Evaluating Safety Engineering Approaches to Software Assurance // FAA, Certification Authorities Software Team (CAST), January, 2002: “Verification. A combination of both static and dynamic analyses should be specified by the applicant / developer and applied to the software. ”
↑ Bill Graham. Static Analysis, Safety-Critical Railway Software, and EN 50128 (neopr.) . Date of treatment September 2, 2016.
↑ VDC Research Automated Defect Prevention for Embedded Software Quality (Neopr.) . VDC Research (February 1, 2012). Date of treatment April 10, 2012.
↑ Clang Static Analyzer (neopr.) . clang-analyzer.llvm.org. Date of appeal May 14, 2016.
↑ Anand Balachandran Pillai. Software Architecture with Python. - Packt Publishing Ltd, 2017 .-- S. 63-64.
↑ Adam Goucher, Tim Riley. Beautiful Testing: Leading Professionals Reveal How They Improve Software. - O'Reilly Media, Inc., 2009 .-- P. 126.
↑ Program code audit on security requirements - Information security, audit, program code, security, Alexey Markov, Valentin Tsirlov, CISSP, security code ... , NPO Echelon CJSC
↑ Svace Static Analyzer. Search for critical errors in a secure software development cycle

Links

About error-free programs // "Open Systems", No. 07, 2004
The first steps to solving the problem of program verification // "Open Systems", No. 08, 2006
Static analysis of code security // Software Engineering and Information Security. 2013 No. 1, p. 50 (npo-echelon.ru)
http://www.drdobbs.com/testing/deploying-static-analysis/240003801
Collection of errors detected in Open Source projects using static code analysis // PVS-Studio (viva64.com)

[1] Software Quality Objectives for Source Code. Proceedings Embedded Real Time Software and Systems 2010 Conference , ERTS2, Toulouse, France: Patrick Briand, Martin Brochet, Thierry Cambois, Emmanuel Coutenceau, Olivier Guetta, Daniel Mainberte, Frederic Mondot, Patrick Munier, Loic Noury, Philippe Spozio, Frederic Retailleau http: //www.erts2010.org/Site/0ANDGY78/Fichier/PAPIERS%20ERTS%202010/ERTS2010_0035_final.pdf Archived March 12, 2012 on the Wayback Machine

[2] Yes, PVS-Studio can detect memory leaks / PVS Studio Blog

[3] Improving Software Security with Precise Static and Runtime Analysis, Benjamin Livshits, section 7.3 "Static Techniques for Security," Stanford doctoral thesis, 2006. http://research.microsoft.com/en-us/um/people/livshits/papers /pdf/thesis.pdf

[4] FDA Infusion Pump Software Safety Research at FDA (Neopr.) . Food and Drug Administration (September 8, 2010). Date of treatment September 9, 2010.

[5] Computer based safety systems - technical guidance for assessing software aspects of digital computer based protection systems, http://www.hse.gov.uk/nuclear/operational/tech_asst_guides/tast046.pdf Archived October 9, 2012 on Wayback Machine

[6] Position Paper CAST-9. Considerations for Evaluating Safety Engineering Approaches to Software Assurance // FAA, Certification Authorities Software Team (CAST), January, 2002: “Verification. A combination of both static and dynamic analyses should be specified by the applicant / developer and applied to the software. ”

[7] Bill Graham. Static Analysis, Safety-Critical Railway Software, and EN 50128 (neopr.) . Date of treatment September 2, 2016.

[8] VDC Research Automated Defect Prevention for Embedded Software Quality (Neopr.) . VDC Research (February 1, 2012). Date of treatment April 10, 2012.

[9] Clang Static Analyzer (neopr.) . clang-analyzer.llvm.org. Date of appeal May 14, 2016.

[10] Anand Balachandran Pillai. Software Architecture with Python. - Packt Publishing Ltd, 2017 .-- S. 63-64.

[11] Adam Goucher, Tim Riley. Beautiful Testing: Leading Professionals Reveal How They Improve Software. - O'Reilly Media, Inc., 2009 .-- P. 126.

[12] Program code audit on security requirements - Information security, audit, program code, security, Alexey Markov, Valentin Tsirlov, CISSP, security code ... , NPO Echelon CJSC

[13] Svace Static Analyzer. Search for critical errors in a secure software development cycle