State of the Field
The field of static analysis tools is becoming heavily populated and very competitive. Companies like Klocwork, Fortify and Compuware have created some very interesting and diverse offerings for static analysis. The techniques used by static analysis tools are often guarded as the key intellectual property of the company; simple pattern matching is not enough.
Some of the techniques employed by static analysis tools are:
- Semantic checking
- Strong type checking
- Memory allocation checking
- Logical statement checking
- Interface and include problem checking
- Security checking
- Metrics
- Simulation
Should we call out each tool before the respective paragraphs to allow the reader to fulfill the expectation of covering each of the tools listed above? You could include examples of each kind of tool at the end of each description.
Semantic analysis allows the analyzer to discover the basic structure and relation of each method within the application. The static analysis engine can then build a syntax tree that the simulator will use later to calculate how the application will execute at runtime. This allows the static analyzer to find bugs deeper in the application by traversing the syntax tree for method context that approximates what would occur at runtime.
Strong type checking helps prevent dangerous type casting assumptions such as trying to cast a decimal to an integer and losing precision at runtime. This can cause many security vulnerabilities in memory allocation and rounding. Remember the adage one plus one may equal 3 for very large values of 1.
Within the strong type checks the static analysis engine also ensures that each variable is properly initialized before use. Since it can quickly discover how and when the variable is to be used, it can easily warn the developer of cases when uninitialized variables could cause problems. These problems often manifest themselves as "divide by zero" errors or other improper function calls.
Many modern static analysis tools attempt to match memory allocations with deallocations. This helps uncover many memory leak problems where a developer forgets to deallocate small bits of memory which, over time, may build up and cause the system to become unstable or develop a security flaw. Memory leaks are notoriously difficult to find at runtime, and can require many hours of repetitive, pedantic testing.
Logical statement checking can help the developer or whitebox tester to discover cases in which an 'if' or 'while' statement may always evaluate to the same result. Often logical statements can be built up, version after version, until simply getting one correct output is enough. Developers sometimes get it working then step slowly away, trying not to touch their 'if' statement with seven "ands" and five "ors." These under-tested "if" statements may have fallen into the case when no matter what inputs are given it will always result in the same outcome. Static analysis tools can quickly evaluate these statements by simulating all possible values of each variable and discover which logical statements should be redesigned.
