NStatic: Advanced Code Analysis for .NET

by Jonathan Allen on Feb 26, 2007. Estimated reading time: 2 minutes

Code analysis tools like FXCop are often cited as ways to improve code quality. While they do check for a large number of potential faults, in theory there is a lot more that can be done. Wesner Moise intends to try out these theories with an advanced code analysis tool called NStatic.

Unlike FXCop, whose output is essentially compiler warnings, NStatic looks like a full IDE. The code is overlaid with a graphical representation of the analysis. This allows you to actually see the execution flow that resulted in the warning.

As with many projects these days, patents are both limiting Wesner Moise's options and forcing him to find better routes.

I mentioned that there were two major changes that I made last November and December. One was IL Interpretation and the other was a change to my interprocedural analysis due to a Microsoft/Intrinsa patent on interprocedural analysis. The Microsoft patents show how one could avoid doing a full interprocedural analysis by storing function summaries in order to make analysis proceed quickly. I heard that Prefix can still take a day to run on large codebases; that's why they built a scaled down intraprocedural version called Prefast. Instead of taking shortcuts by summarizing each method, I just tried to figure out how to do full interprocedural analysis quickly; my new approach might even be faster than the earlier one.

FXCop checks for unnecessary parameters by seeing if the parameter is ever read. NStatic goes further and determines if the parameter is unnecessary because it is a function of other parameters or the global state. For example, if you assert that a = b + c, then logically the parameter c has to equal a-b. NStatic detects that and flags c as being redundant.

The NStatic analyzer converts traditional imperative code into a functional notation that avoids side-effects and loops. It relies heavily on higher order functions and lambdas, as well as a set of transformations to create canonical forms for the code. This conversion gives NStatic the ability to perform symbolic manipulation of the code.

Using these techniques, NStatic can detect errors such as:

  • Complex expressions (including function calls) that evaluate to constants
  • Assignment to a variable that is the same as its current value
  • Redundant parameter - parameter is a function of other parameters/globals
  • Infinite loops, no side effects
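
The redundant-parameter check above (a = b + c implies c = a - b), as an added example; this is not NStatic's code or algorithm. It assumes Python source instead of C#, considers only linear equalities asserted at function entry, and treats non-parameter names such as `LIMIT` as globals; all function and variable names are constructed for illustration.

```python
import ast
from fractions import Fraction

# Constructed sample input (not from the article): two functions assert an equality.
SAMPLE = '''
def transfer(a, b, c):
    assert a == b + c
    return a * 2
def scale(x, factor):
    assert x > 0
    return x * factor
def rebase(offset, length):
    assert offset + length == LIMIT - 4
    return offset
'''

def linear(node):
    """Expression as {name or 1 (constant term): coefficient}; None if not linear."""
    if isinstance(node, ast.Name):
        return {node.id: Fraction(1)}
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return {1: Fraction(node.value)}
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Sub)):
        left, right = linear(node.left), linear(node.right)
        if left is None or right is None:
            return None
        sign = 1 if isinstance(node.op, ast.Add) else -1
        return {k: left.get(k, 0) + sign * right.get(k, 0) for k in set(left) | set(right)}
    return None

def redundant_params(source):
    """Map 'function.param' to its solution in terms of the other names."""
    findings = {}
    for fn in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        params = [a.arg for a in fn.args.args]
        for stmt in fn.body:
            if not isinstance(stmt, ast.Assert):
                break  # only entry assertions: parameters are still unmodified here
            test = stmt.test
            if not (isinstance(test, ast.Compare) and len(test.ops) == 1 and isinstance(test.ops[0], ast.Eq)):
                continue
            form = linear(ast.BinOp(test.left, ast.Sub(), test.comparators[0]))  # lhs - rhs == 0
            involved = [p for p in params if form and form.get(p)]
            if involved:
                target = involved[-1]  # report the last-declared parameter in the constraint
                findings[f"{fn.name}.{target}"] = {
                    k: -v / form[target] for k, v in form.items() if k != target and v}
    return findings
```

In each finding the key `1` holds the constant term, so `rebase.length` reads as length = LIMIT - offset - 4.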

Unlike FXCop, which works solely on IL, NStatic analyzes the source code as well. This means that support for other languages is not automatically free. Currently NStatic only supports C#, but support for VB and other .NET languages is being considered.

One feature that is in high demand right now is a tool that detects multi-threading issues such as potential deadlocks and race conditions. Unfortunately, there are currently no plans to support this in NStatic. Wesner Moise writes:

I haven't seriously thought about threads; I need to see how other products like FindBugs, TeamSuite deal with threading first. I suspect any bugs found in those products would be possible to implement inside my product.
If any error manifests itself as a recognizable pattern within the code, this would be something easy for me to catch.
However, I don't think I would be able to capture any errors that require "lane" analysis, which I think is used in RaceTrack and Spec#.

You can learn more about NStatic from Wesner Moise's recap of his presentation.

NStatic is not currently available and will most likely be released as a commercial product by SoftPerson, LLC.

InfoQ asks: Is code analysis currently part of your development cycle?

Normally I like these kind of articles but by TR Hockamier

Even if the name NStatic is semantically similar to those like NCover, NUnit and NAnt this tool has no bearing on open source.

What is so irritating is that you read the article then at the bottom you find: "NStatic is not currently available and will most likely be released as a commercial product by SoftPerson, LLC."

Why not just say it is shameless advertising and be done with it...?

Re: Normally I like these kind of articles but by Jonathan Allen

I am sorry that you feel that way. At InfoQ, we don't distinguish between open source and commercial products when determining whether or not something should be covered.

I personally made the decision to run this particular article based solely on what the technology claims to do. I do not believe the fact that Wesner Moise wants to profit from his research in any way reduces the importance of what he is doing. (Though I have to admit I was disappointed that a trial version is not yet available.)