Static Analysis Background
The term static analysis means different things to different people in the software industry. In this paper, static analysis is defined as analysis of source code without execution. There are two principal approaches to static analysis: (1) pattern-based analysis and (2) program execution or flow-based analysis.
Pattern-Based Static Analysis
Pattern-based static analysis supports implementation of a set of coding practices, or a coding policy. For C++, many such "best practices" are defined in reference books and de facto industry standards such as Ellemtel, MISRA, and common guidelines for 32- and 64-bit portability. In addition to supporting the common C++ guidelines, static analysis tools should also allow you to customize rules to suit your specific application and implementation context, as well as help you identify code patterns indicative of application-specific defects.
Flow-Based Static Analysis
Flow-based static analysis is the technique of logically executing the program to track the propagation of data values, their effects on control flow, and the legality and cleanliness of data at multiple points in the code. Flow analysis attempts to simulate the runtime condition of data objects across functions, modules, and files. The goal is to uncover code problems such as memory corruption, leaks, invalid pointer dereferences, unsafe or tainted data propagation, and security vulnerabilities. Whereas pattern-based analysis focuses on looking for local syntactical anomalies, flow analysis explores the potential execution paths of the larger code context. This bug-prevention technique is powerful because it does not depend on user input to identify bugs that, in reality, are data dependent.
By identifying code problems without creating test cases, flow-based analysis provides developers with the "instant feedback" they need to quickly address defects and security vulnerabilities on the desktop while they are still working on the code and it is fresh in their minds. Additionally, it prevents defects and vulnerabilities from making their way further downstream in the software development process, which is where they are much more expensive to identify and remediate.
Parasoft Data Flow Static Analysis for C and C++
Parasoft's static analysis technologies support both flow-based static analysis and pattern-based static analysis. Parasoft's flow-based static analysis technology, called BugDetective, provides effortless early detection of runtime problems and application. Parasoft BugDetective technology is available in C++test (for C and C++ code), as well as in Jtest (for Java code) and .TEST (for .NET code).
By automatically tracing and simulating execution paths through even the most complex applications (those with paths that span multiple methods, classes, and/or modules and contain dozens of sequence calls), BugDetective exposes defects that would be very difficult and time-consuming to find through manual testing or inspections, and would be exponentially more costly to fix if they were not detected until runtime. Using BugDetective, developers can find, diagnose, and fix classes of software errors that can evade pattern-based static analysis and/or unit testing. Exposing these defects early in the software development lifecycle saves hours of diagnosis and potential rework.
Data Flow Static Analysis Rule Set for C and C++
BugDetective utilizes a rule-based test configuration to apply specific tests to the source code. Rule categories built in to BugDetective include:
- Resource Leaks: Rules that detect potential allocation misuse of memory, pipes, file descriptors, and other system resources.
- Memory: Rules that detect usage of uninitialized or invalid memory.
- Bugs: Rules that find potential runtime errors such as division by zero, array bounding and indexing flaws, NULL pointer dereferencing, and data initialization errors.
- Security Vulnerabilities: Rules that detect read, write or indexing of potentially tainted data as well as potential buffer overflows.
- Threads and Synchronization: Rules that detect potential thread management errors.
These rules can be easily customized to map the rule logic to the organization's specific policy requirements...
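As an added illustration of the difference between the two approaches described above and of the "tainted data indexing" rule category (this is example code, not Parasoft's and not how BugDetective is implemented), the following Python script runs a line-local pattern scan and a toy flow-based taint analysis over a constructed C-like snippet; the source calls it treats as untrusted, the `buf[index] = ...` sink, and the `if (... >= N) return` bounds check it accepts as a sanitizer are all assumptions.

```python
import re

# Assumed sources, sink shape and sanitizer shape for this toy analysis.
SOURCE_CALLS = ("atoi(argv", "getenv(", "read(", "recv(")
SINK_RE = re.compile(r"\b(\w+)\[(.+)\]\s*=")                        # buf[<index>] = ...
ASSIGN_RE = re.compile(r"^(?:\w+\s+)?(\w+)\s*=\s*(.+?);$")           # [type] dst = rhs;
CHECK_RE = re.compile(r"if\s*\(.*\b(\w+)\s*>=\s*\w+.*\)\s*return")  # upper-bound check that bails out

def _taint_origin(expr, tainted, line_no):
    """Line where the taint reaching `expr` originated, or None if clean."""
    if any(call in expr for call in SOURCE_CALLS):
        return line_no                       # untrusted input read on this very line
    for var, origin in tainted.items():
        if re.search(rf"\b{var}\b", expr):
            return origin                    # propagated from an earlier assignment
    return None

def flow_scan(lines):
    """Flow-based: follow tainted values through assignments to the sink."""
    tainted, findings = {}, []               # var -> line where its taint began
    for no, raw in enumerate(lines, 1):
        stmt = raw.strip()
        if (m := CHECK_RE.search(stmt)):
            tainted.pop(m.group(1), None)    # bounds check cleans the fall-through path
            continue
        if (m := SINK_RE.search(stmt)):
            origin = _taint_origin(m.group(2), tainted, no)
            if origin is not None:
                findings.append((no, m.group(2), origin))
            continue
        if (m := ASSIGN_RE.match(stmt)):
            dst, rhs = m.groups()
            origin = _taint_origin(rhs, tainted, no)
            if origin is None:
                tainted.pop(dst, None)       # overwritten with clean data
            else:
                tainted[dst] = origin
    return findings

def pattern_scan(lines):
    """Pattern-based: flags only a source call used directly as an index on one line."""
    return [no for no, raw in enumerate(lines, 1)
            if (m := SINK_RE.search(raw)) and any(c in m.group(2) for c in SOURCE_CALLS)]

SAMPLE = """\
int n = atoi(argv[1]);
int idx = n * 4;
char buf[64];
buf[atoi(argv[2])] = 'A';
if (idx < 0 || idx >= 64) return -1;
buf[idx] = 'B';
int k = n + 1;
buf[k] = 'C';
""".splitlines()                             # constructed input, not real project code

if __name__ == "__main__":
    print("pattern-based:", pattern_scan(SAMPLE))   # [4]
    print("flow-based:   ", flow_scan(SAMPLE))      # [(4, 'atoi(argv[2])', 4), (8, 'k', 1)]
```

The pattern scan sees only line 4, where source and sink share a line; the flow scan also reports line 8, whose index `k` descends from the `atoi` on line 1, while staying silent on line 6 because `idx` was bounds-checked on line 5.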
To read more, download the complete Data Flow Static Analysis paper as a PDF.