
Page 1: What is Static Analysis Static analysis is the process of examining source code prior to compilation (and execution) Static analysis can diagnose for:

What is Static Analysis

• Static analysis is the process of examining source code prior to compilation (and execution)

• Static analysis can diagnose for:
– Quality aspects such as maintainability, reliability, understandability and complexity
– Testing issues
– Coding standard compliance issues
– Best programming practices and unsafe programming constructs and coding defects

Page 2

Static Analysis

• Automated Static Analysis
– Syntactic Analysis
– Data Use Analysis
– Interface Analysis
– Control Flow Analysis
– Information Flow Analysis
– Program Slicing
– Path Analysis

• Reviews
– Requirements Review
– Use Case Review
– Architecture Review
– High Level Design Review
– Code Review and Inspections
– Test Review

• Software Metrics
– Cyclomatic Complexity
– Halstead Suite
– LOC
– Etc.

Page 3

Automated Static Analysis

Analyzes your program without executing it
• Doesn't depend on having good test cases or even any test cases
• Generally, doesn't know what your software is supposed to do
• Looks for violations of reasonable programming
– Shouldn't throw NPE
– Shouldn't allow SQL injection
• Not a replacement for testing
• Very good at finding problems on untested paths
• But many defects can't be found with static analysis

Page 4

Can you Find the Bug?

if (listeners == null)
    listeners.remove(listener);

JDK1.6.0, b105, sun.awt.x11.XMSelection lines 243-244

Page 5

Can you Find the Bug?

import java.io.InputStreamReader;
import java.io.BufferedReader;
import java.io.IOException;

public class CodingHorror {

    public static void main(String args[]) {

        InputStreamReader isr = new InputStreamReader(System.in);
        BufferedReader br = new BufferedReader(isr);
        String input = null;
        try {
            input = br.readLine(); // e.g., peel
        } catch (IOException ioex) {
            System.err.println(ioex.getMessage());
        }
        input.replace('e', 'o');
        if (input == "pool") {
            System.out.println("User entered peel.");
        } else {
            System.out.println("User entered something else.");
        }
    }
}
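The two "Can you find the bug?" slides above show the kind of pattern an automated checker such as FindBugs reports: a dereference sitting directly under a null check, and a string method whose return value goes unused. As an added example that is not from the slides, the JDK or FindBugs, the following Python script uses the standard ast module to flag the Python analogues of those two patterns: a method called on a name inside an `if name is None:` body, and an expression statement that discards the result of an immutable str method. The sample source it scans is constructed here, and the set of method names it treats as pure str methods is an assumption; without type information the second check is a heuristic, which is exactly why such tools emit warnings rather than errors.

```python
import ast

# Constructed sample: Python renderings of the two patterns shown on the slides
# (not code from the slides or the JDK).
SAMPLE = '''
def notify(listeners, listener):
    if listeners is None:
        listeners.remove(listener)

def main(line):
    line.replace("e", "o")
    if line == "pool":
        return "User entered peel."
    return "User entered something else."
'''

# Assumption: these str methods return a new value, so calling one as a bare
# statement throws that value away (str is immutable, like java.lang.String).
STR_METHODS = {"replace", "strip", "lstrip", "rstrip", "lower", "upper", "title", "format"}


def _is_none_test(test):
    """True for a test of the shape `<name> is None`."""
    return (isinstance(test, ast.Compare) and isinstance(test.left, ast.Name)
            and len(test.ops) == 1 and isinstance(test.ops[0], ast.Is)
            and isinstance(test.comparators[0], ast.Constant)
            and test.comparators[0].value is None)


class Checker(ast.NodeVisitor):
    def __init__(self):
        self.findings = []   # (line number, message)

    def visit_If(self, node):
        # On the branch where `name is None` holds, any `name.<attr>` access
        # raises AttributeError (the Python counterpart of the Java NPE).
        if _is_none_test(node.test):
            name = node.test.left.id
            for stmt in node.body:
                for sub in ast.walk(stmt):
                    if (isinstance(sub, ast.Attribute) and isinstance(sub.value, ast.Name)
                            and sub.value.id == name):
                        self.findings.append(
                            (sub.lineno, f"'{name}' is dereferenced where it is known to be None"))
        self.generic_visit(node)

    def visit_Expr(self, node):
        # A bare call to an immutable-str method: the only effect is the lost result.
        call = node.value
        if (isinstance(call, ast.Call) and isinstance(call.func, ast.Attribute)
                and call.func.attr in STR_METHODS):
            self.findings.append(
                (node.lineno, f"return value of .{call.func.attr}() is ignored"))
        self.generic_visit(node)


def check(source):
    """Return sorted (line, message) findings for the given source text."""
    checker = Checker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings)


if __name__ == "__main__":
    for line, msg in check(SAMPLE):
        print(f"line {line}: {msg}")
```

Both checks are purely syntactic, which is the point of the slide: the program is never run, no test input is needed, and the checker has no idea what the program is supposed to do; it only knows that these shapes are almost never what the author intended.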

Page 6

What is the Bug here?

/** Construct a WebSpider */
public WebSpider() {
    WebSpider w = new WebSpider();
}

Page 7

What is the Bug here?

public String foundType() {
    return this.foundType();
}

Page 8

Why do Bugs Occur?

Nobody is perfect
• Common types of errors:
– Misunderstood language features, API methods
– Typos (using wrong boolean operator, forgetting parentheses or brackets, etc.)
– Misunderstood class or method invariants
• Everyone makes syntax errors, but the compiler catches them
• What about bugs one step removed from a syntax error?

Page 9

What is Static Testing

• Static testing is using static analysis as part of the test trajectory

• Static and dynamic testing are complementary – static analysis does not replace dynamic testing but can significantly reduce dynamic testing effort

• Static testing achieves 100% statement coverage

• Including explicit static analysis in test coverage:
– Improves overall test quality and test planning
– Results in shorter dynamic testing time
– Allows testing to focus more strongly on complex and crucial modules

Page 10

Defect Removal Cost

Cost of defect removal rises exponentially for defects found later in the development cycle

[Figure: defect removal cost per phase – Static Analysis (static testing), then Unit Testing, Integration Testing and Acceptance Testing (dynamic testing)]

Page 11

[Figure: timeline of coding time, automated static analysis (ASA) time, compiling time and dynamic testing time]

Time (cost) required for ASA is low

Page 12

Impact (benefit) of ASA is high

[Figure: defects (0 to 140,000) versus lines of code (1M to 10M), without static analysis and with static analysis]

Source: Capers Jones, Software Productivity Group, Inc.

Static Analysis may reduce defects by a factor of 6!

Page 13

Software Manager Findings on Static Analysis

• We proved the tight relationship between static analysis and the reduction of support efforts on released software products.

Dr. Thomas Liedtke and Dr. Christian Ebert, Alcatel AG in Stuttgart, Germany

On the Benefits of Reinforcing Code Inspection Activities, EuroStar 1995

Page 14

Analyst Findings on Static Analysis

• 60% of the software faults that were found in released software products could have been detected by means of static analysis

Bloor Research Ltd., UK CAST Tools report of 1996

Page 15

Researcher Findings on Static Analysis

• On average, 40% of the faults that could be found through static analysis will eventually become a defect in the field.

Professor Dr. Les Hatton, University of Kent

Page 16

Stages of Automated Static Analysis

• Syntactic Analysis
• Data Use Analysis
• Control Flow Analysis
• Interface Analysis
• Program Slicing
• Information Flow Analysis
• Path Analysis

Page 17

Stages of Static Analysis

• Syntactic analysis
– Coding standards
– Missing statements, e.g. in switch statements:

switch (expr) {
    case c1:
        statements   // do these if expr == c1
        break;
    case c2:
        statements   // do these if expr == c2
        break;
    case c2:
}

Page 18

What is the Error in this Code?

class TestResourceLeak {
    public CoreResponse process(Entit entity) throws ResourceException {
        CoreResponse coreresponse = new CoreResponse();
        DatabaseConnection dbcon = new DatabaseConnection();
        Connection con1 = null;
        Connection con2 = null;
        // getting the Data Base Connection
        try {
            con1 = dbcon.getConnection();
            con2 = dbcon.getConnection();
            ...
        } catch (Exception e) {
            con1.close();
            throw new ResourceException(e.getMessage(), e);
        }
        con1.close();
        return coreresponse;
    }
}

Page 19

Data Use Analysis

• Aim is to identify data flows that do not conform to sound programming practices, e.g. variables are not read before they are written; inactive code.

• A purely symbolic form of analysis, i.e. no specific data values are considered.

• Based upon a number of relationships between variables and expressions.

• Process involves annotating a program flow graph with each data object definition (D), usage (U) and elimination (E).

• Analysis involves flow graph traversal, e.g. DD paths suggest redundancy, DE paths are most likely to be bugs.

Page 20

Control Flow Analysis

• Aim is to detect poorly structured code, e.g. multiple exits from a loop, dead code, etc.

• Process again typically involves translating the program into a flow graph.

• By a process of repeated reduction, inaccessible code and certain classes of non-termination can be identified
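The data use analysis and control flow analysis slides above both work on a program flow graph: one annotates it with definitions (D), uses (U) and eliminations (E) and looks for D-D and D-E paths, the other looks for nodes that no path from the entry can reach. As an added example that is not from the slides, the following Python script runs both analyses over a small constructed flow graph in which each node records the variables it defines, the variables it uses and its successors. The graph, the variable names and the node numbering are all constructed for the illustration.

```python
from collections import namedtuple

Node = namedtuple("Node", "defs uses succs")

# Constructed flow graph (not from the slides): node id -> (defined vars, used vars, successors).
# The comment on each node is the statement it stands for.
CFG = {
    0: Node({"x"}, set(), [1]),        # x = read()
    1: Node({"y"}, set(), [2]),        # y = read()
    2: Node({"x"}, {"y"}, [3]),        # x = y + 1    (the x from node 0 is never read: D-D)
    3: Node(set(), {"y"}, [4, 5]),     # if y > 0
    4: Node({"z"}, {"x"}, [5]),        # z = x        (z is never read afterwards: D-E)
    5: Node(set(), {"x"}, [6]),        # print(x)
    6: Node(set(), set(), []),         # return       (exit node)
    7: Node({"t"}, set(), [6]),        # t = 0        (no predecessor: unreachable)
}
ENTRY = 0


def reachable(cfg, entry):
    """Nodes reachable from `entry` by following successor edges."""
    seen, work = set(), [entry]
    while work:
        n = work.pop()
        if n in seen:
            continue
        seen.add(n)
        work.extend(cfg[n].succs)
    return seen


def unreachable_nodes(cfg, entry=ENTRY):
    """Control flow analysis: statements that no execution can reach."""
    return set(cfg) - reachable(cfg, entry)


def definition_fate(cfg, start, var):
    """Follow every path leaving the definition of `var` at `start` and record what happens
    to `var` next on that path: 'U' (a use), 'D' (a redefinition before any use) or
    'E' (the exit is reached without any use)."""
    fates = set()
    if not cfg[start].succs:
        fates.add("E")
    seen, work = set(), list(cfg[start].succs)
    while work:
        n = work.pop()
        if n in seen:
            continue
        seen.add(n)
        node = cfg[n]
        if var in node.uses:          # a use is evaluated before the node's own definition
            fates.add("U")
        elif var in node.defs:
            fates.add("D")
        elif not node.succs:
            fates.add("E")
        else:
            work.extend(node.succs)
    return fates


def data_use_anomalies(cfg):
    """Data use analysis: D-D paths (redundant definition) and D-E paths (definition never used)."""
    anomalies = []
    for n, node in cfg.items():
        for var in sorted(node.defs):
            fates = definition_fate(cfg, n, var)
            if "D" in fates:
                anomalies.append(("DD", n, var))
            if "E" in fates:
                anomalies.append(("DE", n, var))
    return sorted(anomalies)


if __name__ == "__main__":
    print("unreachable:", sorted(unreachable_nodes(CFG)))
    for kind, n, var in data_use_anomalies(CFG):
        print(f"{kind} anomaly: variable {var!r} defined at node {n}")
```

Note that the analysis is purely symbolic, as the slide says: no value of `x`, `y` or `z` is ever computed, only the order in which definitions and uses can occur along graph paths. A D-D report on node 0 is a redundancy (the value is overwritten before it is read), while the D-E report on node 4 is the likelier bug, since a value was computed and then silently dropped.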

Page 21

Program Slicing

• Program slicing involves focusing on a particular subset of variables within a given program.

• The parts of the program that are relevant to the subset of variables denote a program slice.

• Some applications:
– Program testing & re-testing: provides focus with respect to test case design and the selection of regression tests.
– Program comprehension: slicing provides a useful aid to understanding code where no documentation exists.

Page 22

Types of Program Slicing

• Backward:
– For a given statement S, a backward slice through a program contains all statements that affect whether control reaches S and also all statements that affect the value of variables that occur in S.

• Forward:
– For a given statement S, a forward slice through a program contains all statements that are affected by S.

• Static:
– A static program slice is calculated symbolically, i.e. takes no account of concrete data values.

• Dynamic:
– A dynamic program slice is calculated based upon particular data values.

Note that forward and backward slices can be calculated either statically or dynamically.

Page 23

Program Slicing Example

Program

read(X);
read(Y);
Q := 0;
R := X;
while R >= Y do
begin
    R := R - Y;
    Q := Q + 1
end;
print(Q);
print(R);

A Program Slice

read(X);
read(Y);
R := X;
while R >= Y do
begin
    R := R - Y;
end;
print(R);

Program Slice for the variable 'R'
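The slide above shows the result of a static backward slice on the final `print(R)`; the definition two slides earlier says such a slice contains every statement that affects whether control reaches the criterion and every statement that affects the value of the variables it uses. As an added example that is not from the slides, the following Python script computes that slice with a worklist over data dependences (reaching definitions of each used variable, walked backwards through the flow graph, including around the loop's back edge) and control dependences (the `while` that governs a statement). The encoding of the slide's program as a table of definitions, uses, successors and controlling statement is constructed here; the statement numbers are my own. The same routine also yields the slice for `print(Q)`, which goes beyond what the slide shows.

```python
from collections import defaultdict

# Constructed encoding of the slide's program, one entry per statement:
# number -> (text, variable defined, variables used, successors, controlling statement)
PROGRAM = {
    1: ("read(X)",          "X",  set(),      [2],    None),
    2: ("read(Y)",          "Y",  set(),      [3],    None),
    3: ("Q := 0",           "Q",  set(),      [4],    None),
    4: ("R := X",           "R",  {"X"},      [5],    None),
    5: ("while R >= Y do",  None, {"R", "Y"}, [6, 8], None),   # 8 is the loop exit
    6: ("R := R - Y",       "R",  {"R", "Y"}, [7],    5),      # inside the loop body
    7: ("Q := Q + 1",       "Q",  {"Q"},      [5],    5),      # back edge to the loop test
    8: ("print(Q)",         None, {"Q"},      [9],    None),
    9: ("print(R)",         None, {"R"},      [],     None),
}


def predecessors(program):
    preds = defaultdict(set)
    for n, (_, _, _, succs, _) in program.items():
        for s in succs:
            preds[s].add(n)
    return preds


def reaching_definitions(program, preds, stmt, var):
    """Statements defining `var` whose value may reach the start of `stmt`.
    Walks predecessor edges backwards and stops at each definition found."""
    found, seen, work = set(), set(), list(preds[stmt])
    while work:
        n = work.pop()
        if n in seen:
            continue
        seen.add(n)
        if program[n][1] == var:
            found.add(n)
        else:
            work.extend(preds[n])
    return found


def backward_slice(program, criterion):
    """Static backward slice: the statement numbers that can influence `criterion`."""
    preds = predecessors(program)
    in_slice, work = set(), [criterion]
    while work:
        s = work.pop()
        if s in in_slice:
            continue
        in_slice.add(s)
        _, _, uses, _, controller = program[s]
        for var in uses:                        # data dependence
            work.extend(reaching_definitions(program, preds, s, var))
        if controller is not None:              # control dependence
            work.append(controller)
    return sorted(in_slice)


def slice_text(program, criterion):
    """The slice rendered as the slide renders it: the surviving statements in order."""
    return [program[n][0] for n in backward_slice(program, criterion)]


if __name__ == "__main__":
    for line in slice_text(PROGRAM, 9):     # slice on print(R)
        print(line)
```

Because the loop test reads `R` and `Y` and the loop body redefines `R`, the slice on `print(R)` keeps the `while` and `R := R - Y` but drops everything touching `Q`. The slice on `print(Q)` is larger: `Q` counts loop iterations, so it transitively depends on every statement that decides how long the loop runs, which is the whole program except the final `print(R)`.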

Page 24

Information Flow

• Exploits software annotations, i.e. meta-data that asserts properties that should hold at particular points during program execution.

SPARK based example:

procedure Exchange(X, Y : in out Float)
--# derives X from Y &
--#         Y from X;
is
   T : Float;
begin
   T := X;
   X := Y;
   Y := T;
end Exchange;

• Note: derives defines a dependency relation between variables that is checked against the code automatically by the SPARK Examiner static analyzer.
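To make concrete what "checked against the code automatically" means for the `derives` annotation above, here is an added Python example, not from the slides and not the SPARK Examiner's own algorithm: it propagates, symbolically and without any Float values, the set of imported (initial) values each variable's final value depends on, then compares that computed relation with the annotation. The encoding of the procedure body as a list of (target, variables read) pairs is constructed here, and the model covers only straight-line assignments, which is all the slide's example needs.

```python
# Constructed encoding of the slide's Exchange body: (assigned variable, variables read),
# in execution order. T is a local and therefore not an exported variable.
EXCHANGE_BODY = [("T", {"X"}), ("X", {"Y"}), ("Y", {"T"})]

# The slide's annotation:  --# derives X from Y & Y from X;
EXCHANGE_ANNOTATION = {"X": {"Y"}, "Y": {"X"}}


def derives(body, exports):
    """Information flow for straight-line code: for each exported variable, the set of
    imported (on-entry) values its final value is derived from. Purely symbolic."""
    deps = {}   # variable -> imported values its current value depends on

    def current(var):
        # A variable not yet assigned still holds its own on-entry value.
        return deps.get(var, {var})

    for target, reads in body:
        deps[target] = set().union(*[current(r) for r in reads])
    return {v: current(v) for v in exports}


def check_derives(body, annotation):
    """Compare the computed relation with the annotation, per exported variable."""
    computed = derives(body, annotation.keys())
    verdict = {v: computed[v] == annotation[v] for v in annotation}
    return verdict, computed


if __name__ == "__main__":
    verdict, computed = check_derives(EXCHANGE_BODY, EXCHANGE_ANNOTATION)
    print("annotated body:", verdict, computed)
    # A body that forgets the temporary: X := Y; Y := X;  -> Y is derived from Y, not X.
    verdict, computed = check_derives([("X", {"Y"}), ("Y", {"X"})], EXCHANGE_ANNOTATION)
    print("broken body:  ", verdict, computed)
```

The second run in the usage shows the value of the annotation as a specification: a swap that drops the temporary still compiles, but its information flow (`Y` derived from `Y`) no longer matches `derives Y from X`, and the mismatch is found without executing anything.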

Page 25

Use of Static Analysis in Secure Coding

• Security Vulnerabilities:
– Cross-site Scripting (XSS)
– SQL Injection
– Command Injection
– Buffer Overflows
– Memory Leaks
– Integer Overflows

Page 26

FindBugs

JDK1.6.0-b105
• 379 correctness warnings
• we judge that at least 213 of these are serious issues that should be fixed

Google's Java codebase
• over a 6 month period, using various versions of FindBugs
• 1,127 warnings
• 807 filed as bugs
• 518 fixed in code