static-analysis

Measuring the complexity of SQL statements

The complexity of methods in most programming languages can be measured in cyclomatic complexity with static source code analyzers. Is there a similar metric for measuring the complexity of a SQL query? It is simple enough to measure the time it takes a query to return, but what if I just want to be able to quantify how complicated a qu...

Code Contracts: Why are some invariants not considered outside the class?

Consider this immutable type: public class Settings { public string Path { get; private set; } [ContractInvariantMethod] private void ObjectInvariants() { Contract.Invariant(Path != null); } public Settings(string path) { Contract.Requires(path != null); Path = path; } } Two th...

Suggested thresholds for some software metrics

Hi everybody, I was searching the internet for some suggestions for thresholds for the following well-known software product metrics: Lack of Cohesion in Methods (for the Henderson-Sellers variant of the metric), Number of Inherited Methods in a Class, Number of Overridden Methods in a Class, Number of Newly Added Methods in a Class, H...

Static Analysis APIs?

I am interested in static analysis tools that are out there. Or rather the APIs that are supported to allow me to write my own tools using these APIs. I've written dozens over the years at my present employment that scrutinize our source code (C++) for various things. But one thing I want to know is if there are other static analysis A...

Any static analysis tools that help detect CPU endian issues?

Hello, Our team has managed a code base on an embedded big endian CPU for many years (10+). We have generally not bothered to consider endian issues during this development and maintenance of this embedded code. Soon, we will be moving this code base from a big endian CPU to a little endian CPU. We are curious if anyone has experien...

Tools for generating Haskell function dependency (control flow) graph?

Note not "functional dependency". Are there tools available that allow me to build a static function dependency graph from source code? Something which indicates to me which functions depend on which other ones in a graphical manner. ...

Static code analysis methodology

What methodology would you use with a static code analysis tool? When and where would you run the analysis? How frequently? How would you integrate it into a continuous build environment: on daily builds? Only nightly? ...

Static code memory leak detection for Visual Studio VC++

Hello, is there a way to detect simple memory leaks like this one with a static analysis tool? I cannot change the code to include the typical includes used in runtime memory leak detection (struc1 is a simple structure with some fields). void noRelease(void) { struc1 *memoryLeak; memoryLeak = (struc1 *) malloc(sizeof(struc1));...

How to create custom static analysis rule that checks a specific property value

Hi, I would like to use the FXCop introspection API to create a custom rule that verifies the following: in MethodA, the code sets a property B on a static class C to value D: void MethodA() { C.B=D; } How can I write this? Also, how can I debug through a rule? ...

Why do I get warning C6309 in this call to AfxWinInit?

Hello, while doing some static code analysis I've found a weird one. On a call like this one: if(!AfxWinInit(moduleHandle,NULL,::GetCommandLine(),0)) I get the warning C6309 at the second parameter (C6309: argument 2 is null: it does not adhere to function specification of AfxWinInit). Docs say that for Win32 applications the second p...

How to create custom FXCop static analysis rule that checks a specific property value

Hi, I would like to use the FXCop introspection API to create a custom rule that verifies the following: in MethodA, the code sets a property B on a static class C to value D: void MethodA() { C.B=D; } What I would like is that inside override ProblemCollection Check(member m) I want to check: if m == MethodA { Assert: m assign...

Finding deprecated code in dojo

I am currently migrating a large project from dojo 1.3.2 to 1.4.2. I need to port all deprecated code, so a way to find it all would be nice. I managed to get some warnings in the console earlier, but that only seems to work for some dijits. For example, the code is cluttered with 'widget.attr(...,...)' code, which is deprecated. Anyone hav...

Is it possible to tell whether or not some JavaScript code calls a particular function?

I am trying to build some sort of a JavaScript "antivirus" that would try to catch particular function calls. So let's say I've got some random JavaScript file; can I check that it doesn't use the function jQuery.trim() (just for example's sake) anywhere? It seems like a pretty complicated task, plus there are eval and base encodings which could...

Static code analysis for assembly language

Are there any open-source tools or libraries for static code analysis of simple custom assembly-like languages (for automatically generated programs) and what are they capable of (detecting unused code/registers, giving high-level expressions for code segments, call graphs etc.)? Which algorithms do exist in this field? ...

How to check that bytecode operation PUTFIELD is reassigning a field belonging to 'this' object using ObjectWeb ASM?

I am using the ASM bytecode manipulation framework to perform static analysis on Java code. I wish to detect when fields of an object are reassigned, i.e. when this kind of code occurs: class MyObject { private int value; void setValue(int newValue) { this.value = newValue; } } Using the following code (in a class implementing...

Determining missing dependencies statically when using dependency injection container

When using a dependency injection container, missing dependencies are detected when you execute resolve. This is at runtime. This article describes a partial solution. It would help simplify test, debug, and maintenance, but it still requires tests to be executed to validate your behavior (especially if you use the abstract factory su...

Gimpel's PC-lint can't trace dangling pointer?

Hi, I've been using PC-lint9 to find out different errors recently and it really blew my mind, but it seems PC-lint9 can't trace dangling pointers. Here is a snapshot of the code I examined it with: int* pkInt = new int; int* pkDangInt = pkInt; delete pkInt; ( *pkDangInt ) = 1; There is no error detected by PC-Lint. I think there may be somet...

GrammaTech CodeSonar - output to CSV

I need to export GrammaTech CodeSonar's analysis from my browser's hub to a CSV. However, I want to include my Notes, but don't know how to include them in the export. Please tell me how to export my Notes, along with the other rows. Thanks ...

Proper choice of rules in VS2010's static analyzer

There are many groups in VS2010's static analyzer: All Rules, Basic Correctness Rules, Basic Design Guideline Rules, Extended Correctness Rules, Extended Design Guideline Rules, Globalization Rules, Minimum Recommended Rules, Security Rules. But it is too hard to decide on a proper option. What option do you use? What option do most of...

Adobe Flex static analysis tool

Can anyone recommend a static analysis/code complexity/code metrics tool for Adobe Flex (MXML and Actionscript)? Something like Sonar or Clover? ...