{"id":461,"date":"2011-10-05T13:27:17","date_gmt":"2011-10-05T20:27:17","guid":{"rendered":"http:\/\/codecurmudgeon.com\/wp\/?p=461"},"modified":"2015-08-04T10:24:49","modified_gmt":"2015-08-04T17:24:49","slug":"what-is-static-analysis-and-what-is-it-good-for","status":"publish","type":"post","link":"https:\/\/codecurmudgeon.com\/wp\/2011\/10\/what-is-static-analysis-and-what-is-it-good-for\/","title":{"rendered":"What is Static Analysis&#8230; and What is it Good For?"},"content":{"rendered":"<p><a href=\"http:\/\/codecurmudgeon.com\/wp\/wp-content\/uploads\/2011\/10\/tesla_coil.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-501\" title=\"Tesla Coil \" src=\"http:\/\/codecurmudgeon.com\/wp\/wp-content\/uploads\/2011\/10\/tesla_coil-190x300.jpg\" alt=\"\" width=\"190\" height=\"300\" srcset=\"https:\/\/codecurmudgeon.com\/wp\/wp-content\/uploads\/2011\/10\/tesla_coil-190x300.jpg 190w, https:\/\/codecurmudgeon.com\/wp\/wp-content\/uploads\/2011\/10\/tesla_coil.jpg 634w\" sizes=\"auto, (max-width: 190px) 100vw, 190px\" \/><\/a> As I talk to people about <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-65\">static analysis<\/span>, I get a lot of questions and it seems that <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-65\">static analysis<\/span> means different things to different people. The definitions people use for <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-65\">static analysis<\/span> <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> be any or all of the things in this list:<\/p>\n<ul>\n<li><span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10031\">Peer Review<\/span> \/ Manual <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-30\">Code Review<\/span> \/ Code Inspection<\/li>\n<li>Pattern-based code scanners<\/li>\n<li>Flow-based code scanners<\/li>\n<li>Metrics-based code scanners<\/li>\n<li>Compiler \/ build output<\/li>\n<\/ul>\n<p>A working definition of <em><span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10062\"><span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10063\"><span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10064\"><span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10065\">static code analysis<\/span><\/span><\/span><\/span><\/em> is the analysis of computer software that is performed without actually executing the software being tested. I&#8217;d like to talk briefly about each of these techniques, when\/where to use it, and why it\u2019s helpful.<\/p>\n<p>Perhaps the oldest version of <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-65\">static analysis<\/span> is Metrics-based code scanners where we look at things like complexity or even simply number of lines or methods in a file. Pattern based code scanners are what some think of as the traditional <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-65\">static analysis<\/span> technique. A more modern offshoot of this is Flow-based code scanners where they look at paths through the code and say \u201cOh this could happen to you or that could happen to you\u201d. The last is, which most people don\u2019t think about, it output from your compiler or your build process which is a very valuable thing.<\/p>\n<h3>Peer Code Review<\/h3>\n<p>Let&#8217;s start with what we would call <em>peer <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-30\">code review<\/span><\/em> or <em><span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-30\">code review<\/span><\/em> or <em>manual <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-30\">code review<\/span><\/em> or <em>code inspection<\/em>. The idea is that humans are looking over each other\u2019s shoulders, the idea being to check to see if the code is doing what you are trying to do. And there\u2019s some really cool stuff out there to help you do this more efficiently. What you don&#8217;t want <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-30\">code review<\/span> to be is checking syntax, or in fact anything that could be checked by an automated tool.<\/p>\n<p>What we want to do is in some point, get some other eyeballs into some other\u2019s code beyond the people who write for themselves, so we don\u2019t get some kind of self-sustained mechanism that someone decides to do something in certain way.<\/p>\n<p>Peer <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-30\">Code Review<\/span> will help you finding problems early and functional problems. Most important part of Peer <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-30\">Code Review<\/span> is have an access to mentoring process where other people look over your shoulder and <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> give you feedback like \u201cyou know\u2026 I would do that differently for this case. Here is better way to do it\u201d.<\/p>\n<p>You learn from <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-30\">code review<\/span> because you benefit from the experience of others. In addition it helps you learn the code base because you are looking at other pieces of an application rather than just your own.<\/p>\n<h3>Pattern based analysis<\/h3>\n<p>Pattern based <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-65\">static analysis<\/span> is finding a specific pattern from your code. This could be a good pattern meaning something you <em>want<\/em> in you code, or a bad pattern meaning something you don&#8217;t want to be in your code (bugs).<\/p>\n<p>For example, I may have a branding issue. I want to make sure when my code prints out copyright statement. In this case the pattern is that certain code exists where I expect it to be, such as the footer of a web page.<\/p>\n<p>Or the pattern might be a bad one, such as code that doesn&#8217;t free up resources when it&#8217;s done, causing memory leaks.<\/p>\n<p>It may also be formatting issues that curly is here and under bar used there and case sensitive names used here and there. But we have to remember that it&#8217;s not just syntax problems but really things could cause a bug, for example when we try to internationalize our product or it may cause performance issue things like that.<\/p>\n<p>Additionally the really cool thing about pattern based <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-65\">static analysis<\/span> is that it improves the developers themselves. For example, a developer writes code for accessing a database. The code includes a <code>try\/catch block<\/code> but he forgot to free up resources with a <code>finally block<\/code>.<\/p>\n<p>The pattern based <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-65\">static analysis<\/span> tool catches it and lets the developer know. After a few times with this warning, the developer will learn from it and start right code with a <code>finally block<\/code> to avoid the violation (and the nagging from the tool).<\/p>\n<p>In other words, the tool is actually teaching the developer by suggesting a best practice\u00a0 over and over again. Ideally, you encapsulate intelligence of your best developers into pattern based rules.<\/p>\n<p>Pattern based <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-65\">static analysis<\/span> is not just to check syntax and code formatting. It\u2019s designed to save you time, not to \u201ctake time\u201d. Some people say they don\u2019t have enough time to perform <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-65\">static analysis<\/span>, but generally, you don\u2019t have enough time to skip it.<\/p>\n<h3>Flow Analysis<\/h3>\n<p><span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-29\">Flow analysis<\/span> is the idea that instead of looking for a specific pattern in a particular file or class, we are going to look for a pattern based on trying to follow particular path through the application. But rather than run the application, it simulates the application execution.<\/p>\n<p><span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-29\">Flow analysis<\/span> looks possible paths of the logic and then manipulates the data to see if the bad pattern appears. For instance, it might try to inject bad data to see if it causes a problem, such as a SQL injection.<\/p>\n<p>The paths are hypothetical in that they may or may not actually occur when you use the application, but they are at least possible. The cool thing is that it find real bugs in your application.<\/p>\n<p>One of the things that <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-29\">flow analysis<\/span> <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> find is uncaught exceptions. This may always be a problem because sometimes you handle the exception another way. For example, web application servers commonly have a wrapper to catch all exceptions. This is important because system uncaught exception acts basically same way as <code>system exit<\/code>.<\/p>\n<p>Sometimes you have application stability issues, and very frequently it is related to unhandled exceptions. In such a case, <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-29\">flow analysis<\/span> is a big help in improving your application.<\/p>\n<p>API misuse is another common source of problems that are handled with <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-29\">flow analysis<\/span>. Where the API not well understood or poorly documented it <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> lead to memory leaks or corruption.<\/p>\n<p>With security, it finds the some potential types of problems for you that you <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> start to work on. It\u2019s a great first pass, but it\u2019s not as powerful as pattern based analysis for preventing issues and for giving thorough coverage, being limited to the hypothetical paths that the testing tool <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> figure out.<\/p>\n<h3>Metrics<\/h3>\n<p>Metrics falls into two goals: you want to understand what\u2019s going on in the code and the other is find possible problems. They do this by measuring something in the code. Sometimes when they people talk about metrics, they mean KLOC, cyclomatic complexity, number of methods or classes, things like that.<\/p>\n<p>Metrics <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> point you to potentially dangerous design issue which is very helpful. They are generally more useful more at the design level than the debugging level.<\/p>\n<p>When tools started doing <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-65\">static analysis<\/span> about 20 years ago, there were a lot of metrics in place. When people had a bug in field and couldn\u2019t reproduce it they tried to use metrics to suggest where the problem might be, then use a debugger to check the area suggested by the metrics.<\/p>\n<p>The problem is that sometimes it gives you a good idea and sometimes it doesn\u2019t. It really depends on what metrics you are looking for. If you&#8217;re using metrics to try and find bugs, it <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> be difficult and time-consuming. But if you&#8217;re trying to use them to understand your application, they actually end up telling you things.<\/p>\n<p>So let&#8217;s assume you have a metric that measures the number of lines in files in your application and you start notice giant files. It probably means that design is not as good as it should be, because components should be very discrete and they should have known inputs and they should produce known outputs. When files get large they probably have a lot of complicated logic in the middle of them. Typically it is a good time to look at and refactor and build them down.<\/p>\n<h3>Compiler \/ build output<\/h3>\n<p>You should think of compiler warnings as a useful form of <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-65\">static analysis<\/span>. Internally we set a policy many years ago that our products must compile without compiler warnings. It turns out that many of the compiler warnings are traceable to real problems in the field. At best, they mask real problems buried within your code. If you think that you <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> ignore compiler warnings, you\u2019re assuming you know as much about the language as a compiler programmer. They put compiler warnings in place because they think about the code in terms of how the language is supposed to be used. If they give you a warning, it means they\u2019re concerned that the code won\u2019t operate properly. It\u2019s best to pay attention to such warnings.<\/p>\n<p>All of these types of <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-65\">static analysis<\/span> <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-10013\">can<\/span> be valuable in improving your code and your development process, and even your developers as I discussed. I&#8217;ll go more in depth on these techniques in future posts.<\/p>\n<p>[Disclaimer]<br \/>\nAs a reminder, I work for <a href=\"http:\/\/www.parasoft.com\/jsp\/capabilities\/static_analysis.jsp?itemId=547\" target=\"company\">Parasoft<\/a>, a company that among other things make <span class=\"explanatory-dictionary-highlight\" data-definition=\"explanatory-dictionary-definition-65\">static analysis<\/span> tools. This is however my personal blog, and everything said here is my personal opinion and in no way the view or opinion of Parasoft or possibly anyone else at all.<br \/>\n[\/Disclaimer]<\/p>\n<p><i>Resources<\/i><\/p>\n<ul>\n<li><a href=\"http:\/\/www.amazon.com\/gp\/product\/0321601912\/ref=as_li_tl?ie=UTF8&#038;camp=1789&#038;creative=9325&#038;creativeASIN=0321601912&#038;linkCode=as2&#038;tag=codecurmu-20&#038;linkId=IJ46FEKEPLUP4XV2\">Continuous Delivery: Reliable Software Releases through Build, Test, and Deployment Automation (Addison-Wesley Signature Series (Fowler))<\/a><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/ir-na.amazon-adsystem.com\/e\/ir?t=codecurmu-20&#038;l=as2&#038;o=1&#038;a=0321601912\" width=\"1\" height=\"1\" border=\"0\" alt=\"\" style=\"border:none !important; margin:0px !important;\" \/><\/li>\n<li><a href=\"http:\/\/www.amazon.com\/gp\/product\/0132582201\/ref=as_li_tl?ie=UTF8&#038;camp=1789&#038;creative=390957&#038;creativeASIN=0132582201&#038;linkCode=as2&#038;tag=codecurmu-20&#038;linkId=GXRFEHWQ3ZK5FGKZ\">The Economics of Software Quality<\/a><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/ir-na.amazon-adsystem.com\/e\/ir?t=codecurmu-20&#038;l=as2&#038;o=1&#038;a=0132582201\" width=\"1\" height=\"1\" border=\"0\" alt=\"\" style=\"border:none !important; margin:0px !important;\" \/>\n<\/li>\n<li><a href=\"http:\/\/www.amazon.com\/gp\/product\/0201835959\/ref=as_li_tl?ie=UTF8&#038;camp=1789&#038;creative=390957&#038;creativeASIN=0201835959&#038;linkCode=as2&#038;tag=codecurmu-20&#038;linkId=QPTZ5VCYUOPL6YYT\">The Mythical Man-Month: Essays on Software Engineering, Anniversary Edition (2nd Edition)<\/a><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/ir-na.amazon-adsystem.com\/e\/ir?t=codecurmu-20&#038;l=as2&#038;o=1&#038;a=0201835959\" width=\"1\" height=\"1\" border=\"0\" alt=\"\" style=\"border:none !important; margin:0px !important;\" \/>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>As I talk to people about static analysis, I get a lot of questions and it seems that static analysis means different things to different people. The definitions people use for static analysis can be any or all of the things in this list: Peer Review \/ Manual Code Review \/ Code Inspection Pattern-based code [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"nf_dc_page":"","_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[7],"tags":[19,20],"class_list":["post-461","post","type-post","status-publish","format-standard","hentry","category-software-development","tag-softwaredevelopment","tag-staticanalysis"],"_links":{"self":[{"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/posts\/461","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/comments?post=461"}],"version-history":[{"count":43,"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/posts\/461\/revisions"}],"predecessor-version":[{"id":3204,"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/posts\/461\/revisions\/3204"}],"wp:attachment":[{"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/media?parent=461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/categories?post=461"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/codecurmudgeon.com\/wp\/wp-json\/wp\/v2\/tags?post=461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}