Introduction to Program Analysis

figure from: https://blog.codacy.com/everything-you-need-to-know-about-static-code-analysis/

If you are a software engineer, you know how software bugs are making your job harder and harder every day, but they do not make it hard on you only.

Software bugs can be extremely costly, and there have been numerous incidents where they have resulted in significant financial losses. One egregious instance is the Knight Capital Group trading glitch in 2012, which cost the company $460 million in just 45 minutes. Due to the issue, Knight Capital’s trading algorithm purchased and sold equities at incorrect prices, which led to significant losses. Hundreds of homeowners lost their homes in 2018 as a result of a Wells Fargo software error that led the bank to mistakenly reject or approve about 870 mortgage modification requests. The bank was required to make remediation and penalty payments totaling $8 million. These examples underscore the value of extensive testing and quality assurance procedures in software development and show the considerable financial impact that software flaws may have. Therefore, software programs have to have a kind of accurate procedure along with software testing to prevent such incidents from happening, and that is when program analysis comes to the scene.

What is Program Analysis?

Program analysis is a technique used in computer science to automatically analyze and understand computer programs. It involves looking at a program’s code and producing data about its performance, behavior, and potential issues using a range of techniques and tools. Program analysis can be used to find bugs, security vulnerabilities, performance bottlenecks, and other potential issues that might affect a software system’s dependability or security. With the aid of program analysis, developers can enhance the quality of their code, lower the likelihood of mistakes and security problems, and enhance the functionality of their product.

Static Analysis vs Dynamic Analysis

As you may have guessed, we can analyze a program’s behavior in two ways, one of them is to just run the program and analyze its behavior, and the other way is to analyze the source code itself. Seems hard, right? not really!

Static Analysis

It is the type of analysis that looks at the code without actually running it. The code is analyzed using static analysis tools using a variety of methodologies, including data flow analysis, control flow analysis, and abstract interpretation. Before the program runs, it is intended to find potential bugs and vulnerabilities in the code.

Dynamic Analysis

Dynamic analysis, as opposed to static analysis, looks at how a program behaves while it is really running. The values of variables at various points in the program or the frequency of function calls are only two examples of the many behaviors that dynamic analysis tools can track and examine. The objective is to locate potential issues that static analysis could miss.

How does static analysis actually work?

If you are into automata theory having a good idea about Rice’s theorem, you may be wondering, how is the static analysis problem decidable? Rice's theorem states that any non-trivial property of a Turing machine's behavior is undecidable. This means that it is impossible to develop an algorithm that can determine all possible behaviors of a Turing machine. In the context of static analysis, this means that it is impossible to develop a single tool or algorithm that can detect all possible errors or issues in a program.

The answer is “tolerate false positives”.

Let me explain, static analysis tools may produce warnings or errors for code that is not actually incorrect or potentially problematic which are false positives. It is actually possible to have an algorithm that detects bugs (true positives) and there is no problem with having some false warnings (false positives). You can not be 100% accurate, but you can be accurate enough to detect actual bugs at the end of the day.

figure from: https://www.bugseng.com/blog/what-are-costs-false-positives-and-false-negatives

What are the types of static analysis?

Now that we have a good high-level understanding of how static analysis works, let’s dive into its types. There are several types of static analyses that are commonly used in software development:

1. Control Flow Analysis: Control flow analysis examines how the program executes under different conditions. This type of analysis can detect issues such as infinite loops, dead code, and unreachable code.
2. Data Flow Analysis: Data flow analysis is used to identify how data is passed between different parts of the program. This type of analysis can detect issues such as uninitialized variables, null pointer dereferences, and buffer overflows.
3. Semantic Analysis: Semantic analysis involves examining the meaning and intent of the program’s code. This type of analysis can detect issues such as incorrect variable assignments, type mismatches, and missing or incorrect function arguments.
4. Type Checking: Type checking is a form of semantic analysis that verifies that the types of variables and expressions are used correctly in the program. This type of analysis can detect issues such as type mismatches, undefined variables, and invalid casts.
5. Security Analysis: Security analysis is used to identify potential security vulnerabilities in the program’s code. This type of analysis can detect issues such as SQL injection, cross-site scripting, and buffer overflow vulnerabilities.
6. Code Style Analysis: Code style analysis is used to enforce coding standards and best practices. This type of analysis can detect issues such as inconsistent formatting, use of deprecated functions, and use of unsafe constructs.

Each of these types of static analyses has its own strengths and limitations, and they are often used in combination to provide a comprehensive analysis of the program’s code. By using these techniques, developers can identify and resolve issues before the program is executed, improving its reliability, security, and maintainability.

Summary

Program analysis is a set of techniques used to analyze software programs to identify issues such as bugs, performance problems, security vulnerabilities, and non-compliance with coding standards. There are several types of program analysis, including static analysis and dynamic analysis. Static analysis is performed without executing the program and can detect issues such as coding errors, security vulnerabilities, and performance bottlenecks. Dynamic analysis, on the other hand, involves running the program to detect issues such as memory leaks, resource usage, and performance bottlenecks. By using program analysis techniques, developers can improve the quality, reliability, and security of their software programs, leading to better performance and user experience.