views:

973

answers:

5

There are many options for static analysis, and it's a hot topic, so:

What is static analysis?

When should you use it, and when shouldn't it be used?

What are potential gotchas regarding proper and improper usage/application of static analysis?

Any languages that don't have a good static analysis tool, and what do you do when you don't have an option for automated analysis?

+11  A: 

What is static analysis?

Analyzing code without executing it. Generally used to find bugs or ensure conformance to coding guidelines. The classic example is a compiler which finds lexical, syntactic and even some semantic mistakes.

When should you use it, and when shouldn't it be used?

Static analysis tools should be used when they help maintain code quality. If they're used, they should be integrated into the build process, otherwise they will be ignored.

What are potential gotchas regarding proper and improper usage/application of static analysis?

Two common pathologies occur when using static analysis tools:

  1. The tool produces spurious warnings/errors that the developers cannot silence. Eventually, most of the warnings are spurious and the developers stop paying attention to the output. This is why many teams require that code compile cleanly. If developers feel comfortable ignoring compiler warnings, the compile phase will eventually be filled with warnings nobody ever pays attention to, even though they may be bugs.

  2. The tools take too long to run and developers never bother to run them.

Any languages that don't have a good static analysis tool, and what do you do when you don't have an option for automated analysis?

For a number of reasons, many of the dynamic languages (ruby, python, perl) don't have static analysis tools that are as strong as those available in static languages. The standard method of finding bugs and making sure the code is working in dynamic languages is unit tests, which help build confidence that the code actually works (hat-tip: Chris Conway).

Aaron Maenpaa
"unit tests which (theoretically) prove that the code actually works." Not to be a pedant (oh, OK, to be a pedant), unit tests don't "prove" anything, not even "theoretically." Tests build confidence in correctness, but they can't possibly cover every behavior of the
Chris Conway
"they should be integrated into the build process" agreed. However, debug and release builds, or one or the other?
scottmarlowe
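As an added example (not code from any of the answers or from the tools they name), here is a toy AST-based checker in Python that illustrates the points made in the answer above: it inspects source text without executing it, reports findings against a few constructed security rules, lets a developer silence a reviewed finding per line so the warnings stay meaningful, and exits non-zero so it can gate a build. The rule ids, messages and sample input are all made up for this example.

```python
import ast
import re

# Hypothetical rule table (constructed for this example): call name -> (rule id, message).
RULES = {
    "eval": ("S001", "eval() executes arbitrary code"),
    "pickle.loads": ("S002", "unpickling untrusted data can execute code"),
}
SHELL_RULE = ("S003", "subprocess call with shell=True")

def _call_name(node):
    """Dotted name of a call target, e.g. 'pickle.loads'; None if it is not a plain name."""
    func, parts = node.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None

def analyse(source):
    """Return sorted (line, rule_id, message) findings; '# noqa: <id>' on a line silences that rule."""
    tree, lines, findings = ast.parse(source), source.splitlines(), []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        hits = [RULES[name]] if name in RULES else []
        if name and name.startswith("subprocess.") and any(
                kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
                for kw in node.keywords):
            hits.append(SHELL_RULE)
        for rule_id, msg in hits:
            # A reviewed false positive is silenced per line, so the report stays actionable (pathology 1 above).
            if not re.search(r"#\s*noqa:\s*" + rule_id + r"\b", lines[node.lineno - 1]):
                findings.append((node.lineno, rule_id, msg))
    return sorted(findings)

# Constructed sample input: analysed as text, never executed.
SAMPLE = '''import subprocess, pickle
cfg = eval(open("cfg.txt").read())
data = pickle.loads(blob)  # noqa: S002 blob is produced locally, reviewed
subprocess.run(cmd, shell=True)
subprocess.run(["ls", "-l"])
'''
if __name__ == "__main__":
    for line, rule_id, msg in analyse(SAMPLE):
        print(f"sample.py:{line}: {rule_id} {msg}")
    raise SystemExit(1 if analyse(SAMPLE) else 0)  # non-zero exit fails the build
```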
+1  A: 

Static analysis is looking at source code for potential problems. It's called static because the code isn't executed to find the problems; the source is analysed analytically.

At the moment, static analysis is very immature. Most tools find only the most stupid of bugs. For example, no tools that I know of can find all null pointer dereferences, yet this is an obvious bug you'd want to target with static analysis. You can forget trying to find harder bugs such as race conditions with static analysis, for the moment at least.

Static Analysis is particularly useful for enforcing coding standards. FXCop, which analyses .NET code, contains rules for all sorts of coding standards defects.

As you say, there are many tools that do static analysis. Here is a list of free products that I have personally used:

  • FindBugs (Java)
  • FXCop (.NET)
  • PyLint (Python)

I can recommend all of them.

Simon Johnson
Static analysis needn't actually look at the source code. It may well look at object or intermediate code. For instance, you mention FindBugs which looks at class (bytecode) files.
Tom Hawtin - tackline
Static analysis, immature? I see you never used IntelliJ IDEA... ;^)
Rogerio
Yes, Tom Reps gave a talk last week at Stanford on static analysis of machine code, http://www.cs.wisc.edu/wpis/abstracts/wysinwyx.submission.abs.html. For an example of a vulnerability not visible in source, see <http://isc.sans.org/diary.html?storyid=6820>, <http://www.linux-magazine.com/Online/News/Root-Exploit-Vulnerability-in-Kernel-2.6.30>, <http://blogs.computerworld.com/a_linux_security_story>, and <http://lwn.net/Articles/341773/>.
Flash Sheridan
A: 

In addition to finding bugs in your code (such as guaranteed null pointer dereferencing, infinite loops, etc.), static analysis can be used for security analysis of the code. I'd highly recommend watching the "Secure Programming with Static Analysis" presentation from Brian Chess of Fortify software.

David Schlosnagle
+1  A: 

Other questions on static analysis (each with tool recommendations):

Chris Conway
+1  A: 

Check out http://www.ouncelabs.com if you are looking for an enterprise class tool.

jm04469