
Static Analysis APIs?

I am interested in static analysis tools that are out there. Or rather the APIs that are supported to allow me to write my own tools using these APIs. I've written dozens over the years at my present employment that scrutinize our source code (C++) for various things. But one thing I want to know is if there are other static analysis APIs that are available.

So my questions are:

  1. What static analysis APIs do you use?
  2. Why do you use it?
  3. Name one thing you have written with it?

As for me, my answers are:

What: I use an API for Understand 4 C++.

Why: I use it because:

  1. The C API for it is one header file (very small)
  2. The C API requires almost no memory management
  3. I wrote a managed wrapper around it so I can use C# with it!
  4. The API is very small but powerful in finding various things.

One Tool: Well, last week I wrote a tool to take a virtual function on a base class and then to change the accessibility on it and all virtual overrides on derived classes. This would have taken me a week to do by hand. Using the tool, which took me a very short time to write, I was able to change almost a thousand files with one push of a button. Cool.

Note: I've also played around with the C++ code model that is available with Visual Studio and have been successful in writing macros to target that.

Thanks, and I look forward to any answers you may have.

C Johnson asked Dec 09 '22 14:12


2 Answers

Clang attempts to provide a useful set of libraries for static analysis of the languages it supports. Unfortunately, although its C support is pretty good, its C++ support is currently pretty incomplete. (Clang C++ support is now mature and even many C++11 features are working.)

Why use it? It's a full-blown compiler, so you can get full visibility into the code you're working with. The APIs are (at least mostly) pretty nicely designed C++.

I haven't written anything particularly serious with it yet. I'm currently working on a tool that uses the Index library to find headers that are included but never referenced, but it's not finished yet (and may never be -- I only really intended it as an excuse to do some exploring, not really a useful tool).

Jerry Coffin answered Dec 12 '22 03:12


Our tool, named CodeSonar, is a commercial advanced static analysis tool for C/C++ programs. It offers several APIs that can be used to extend its functionality. Note that it is designed for doing analysis, not for doing program transformations.

There are APIs (in both C and Scheme) that allow access to the program's ASTs (which comprise symbol tables), the CFGs for each subprogram, the whole-program call graph, compilation units, include files, etc. All these representations are cross-associated with position information, so it is possible to get back to the line of code responsible.

The analysis engine visits all of these data structures, and a user can write a checker by specifying a callback to be invoked during the visit.

CodeSonar is a path-sensitive analysis tool. Path exploration is hard because some paths are infeasible and excluding those from consideration takes some effort. It is important to exclude infeasible paths to keep false positives low. CodeSonar allows users to piggyback on its path exploration, again using a visitor pattern, which allows them to write path-sensitive checkers without having to implement feasible-path exploration themselves.

This mechanism has been used to implement a checker that finds deviations from a fairly complex error reporting idiom.

Another way to write checks is to use a different special-purpose API whose purpose is not to be executed, but to educate the analysis engine about properties of the program. Roughly speaking you can use this API to write code that is similar to what you would write for a dynamic check for the property, but which is instead "interpreted" by the symbolic execution engine. You can decorate your own code with calls to this API, or keep it all off to the side.

Many of CodeSonar's built-in checkers for API usage are specified exactly this way.

Writing checks is only half the battle. Once you have a checker in production you need a way to manage what it finds. All of the mechanisms described above generate reports that populate a database, and there is a web-client based UI for looking at the results, attaching notes, integrating with other tools, etc.

I hope this helps!

Paul Anderson answered Dec 12 '22 05:12
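
The point in the answer above about infeasible paths and visitor-style checkers, as an added toy example that is not part of the original answer and does not use CodeSonar's API. The CFG types and the names `explore`, `nullDerefLines` and `program` are hypothetical, and feasibility is reduced to "a boolean flag cannot take two values on one path".

```cpp
#include <functional>
#include <map>
#include <string>
#include <vector>

// Toy CFG, constructed for illustration (not CodeSonar's data model or API).
enum class Op { Nop, SetNull, SetValid, Deref };
struct Edge { int to; std::string var; bool val; };  // empty var = unconditional
struct Node { Op op; int line; std::vector<Edge> out; };
using Cfg = std::vector<Node>;
using Assumed = std::map<std::string, bool>;  // branch outcomes taken so far
// Checker callback: receives each node on a path and the pointer fact there.
using Visitor = std::function<void(const Node&, bool ptrIsNull)>;
// Depth-first path exploration. With prune=true, an edge whose condition
// contradicts a branch already taken on this path is infeasible and skipped.
void explore(const Cfg& g, int n, Assumed assumed, bool isNull, bool prune,
             const Visitor& visit) {
    const Node& node = g[n];
    visit(node, isNull);
    if (node.op == Op::SetNull) isNull = true;
    if (node.op == Op::SetValid) isNull = false;
    for (const Edge& e : node.out) {
        Assumed next = assumed;
        if (!e.var.empty()) {
            auto it = next.find(e.var);
            if (prune && it != next.end() && it->second != e.val) continue;
            next[e.var] = e.val;
        }
        explore(g, e.to, next, isNull, prune, visit);
    }
}

// Null-dereference checker written purely as a visitor; returns flagged lines.
std::vector<int> nullDerefLines(const Cfg& g, bool prune) {
    std::vector<int> hits;
    explore(g, 0, {}, false, prune, [&](const Node& nd, bool isNull) {
        if (nd.op == Op::Deref && isNull) hits.push_back(nd.line);
    });
    return hits;
}

// Models: 1: p = NULL;  2: if (ok) p = &x;  3-4: if (<guard>) *p;  5: return
Cfg program(const std::string& guard) {
    return {{Op::SetNull, 1, {{1, "ok", true}, {2, "ok", false}}},
            {Op::SetValid, 2, {{2, "", false}}},
            {Op::Nop, 3, {{3, guard, true}, {4, guard, false}}},
            {Op::Deref, 4, {{4, "", false}}},
            {Op::Nop, 5, {}}};
}
```

With `program("ok")` the unpruned walk reports line 4 even though no execution can reach it with a null pointer, and pruning removes that report; with `program("other")` the guard is unrelated to the assignment, so the finding is real and survives pruning.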