NStatic: Advanced Code Analysis for .NET

Code analysis tools like FXCop are often cited as ways to improve code quality. While they do check for a large number of potential faults, in theory there is a lot more that can be done. Wesner Moise intends to try out these theories with an advanced code analysis tool called NStatic.

Unlike FXCop, whose output is essentially compiler warnings, NStatic looks like a full IDE. The code is overlaid with a graphical representation of the analysis. This allows you to actually see the execution flow that resulted in the warning.

As with many projects these days, patents are both limiting Wesner Moise's options and forcing him to find better routes.

I mentioned that there were two major changes that I made last November and December. One was IL Interpretation and the other was a change to my interprocedural analysis due to a Microsoft/Intrinsa patent on interprocedural analysis. The Microsoft patents show how one could avoid doing a full interprocedural analysis by storing function summaries in order to make analysis proceed quickly. I heard that Prefix can still take a day to run on large codebases; that's why they built a scaled down intraprocedural version called Prefast. Instead of taking shortcuts by summarizing each method, I just tried to figure out how to do full interprocedural analysis quickly; my new approach might even be faster than the earlier one.

FXCop checks for unnecessary parameters by seeing if the parameter is ever read. NStatic goes further and determines if the parameter is unnecessary because it is a function of other parameters or the global state. For example, if you assert that a = b + c, then logically the parameter c has to equal a-b. NStatic detects that and flags c as being redundant.

The NStatic analyzer converts traditional imperative code into a functional notation that avoids side-effects and loops. It relies heavily on higher order functions and lambdas, as well as a set of transformations to create canonical forms for the code. This conversion gives NStatic the ability to perform symbolic manipulation of the code.

Using these techniques, NStatic can detect errors such as:

  • Complex expressions (including function calls) that evaluate to constants 
  • Assignment to a variable that is the same as its current value 
  • Redundant parameter - parameter is a function of other parameters/globals 
  • Infinite loops, no side effects
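
The redundant-parameter, constant-expression and same-value-assignment checks listed above can be illustrated with a small canonical-form sketch. This is an added example, not NStatic's code or algorithm: it covers only linear integer expressions, and the tuple expression format and the function names (`canon`, `constant_value`, `is_self_assignment`, `solve_for`) are assumptions made for illustration.

```python
from fractions import Fraction

# Expression trees (constructed for this example): an int literal, a variable
# name (str), or a tuple (op, left, right) with op in "+", "-", "*".
CONST = 1  # dictionary key that holds the constant term of a canonical form

def canon(expr):
    """Reduce a linear expression to canonical form {variable: coefficient}."""
    if isinstance(expr, int):
        return {CONST: Fraction(expr)} if expr else {}
    if isinstance(expr, str):
        return {expr: Fraction(1)}
    op, left, right = expr
    l, r = canon(left), canon(right)
    if op in ("+", "-"):
        sign = 1 if op == "+" else -1
        out = dict(l)
        for key, coeff in r.items():
            out[key] = out.get(key, 0) + sign * coeff
    elif op == "*":
        if set(l) <= {CONST}:          # put the constant factor on the right
            l, r = r, l
        if not set(r) <= {CONST}:
            raise ValueError("non-linear product is outside this sketch")
        factor = r.get(CONST, Fraction(0))
        out = {key: coeff * factor for key, coeff in l.items()}
    else:
        raise ValueError(f"unsupported operator {op!r}")
    return {key: coeff for key, coeff in out.items() if coeff != 0}

def constant_value(expr):
    """Return the value if expr is constant for every input, else None."""
    form = canon(expr)
    return form.get(CONST, Fraction(0)) if set(form) <= {CONST} else None

def is_self_assignment(var, rhs):
    """True when 'var = rhs' stores the value var already holds."""
    return canon(rhs) == {var: Fraction(1)}

def solve_for(param, lhs, rhs):
    """Given the assertion lhs == rhs, express param via the other terms."""
    form = canon(("-", lhs, rhs))      # the assertion means form == 0
    k = form.pop(param, None)
    if k is None:
        return None                    # the assertion does not constrain param
    return {key: -coeff / k for key, coeff in form.items()}
```

With the article's assertion a = b + c, `solve_for("c", "a", ("+", "b", "c"))` yields the canonical form of a - b, which is the basis for reporting c as redundant.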

Unlike FXCop, which works solely on IL, NStatic analyzes the source code as well. This means that support for other languages is not automatically free. Currently NStatic only supports C#, but support for VB and other .NET languages is being considered.

One feature that is in high demand right now is a tool that detects multi-threading issues such as potential deadlocks and race conditions. Unfortunately, there are currently no plans to support this in NStatic. Wesner Moise writes:

I haven't seriously thought about threads; I need to see how other products like FindBugs, TeamSuite deal with threading first. I suspect any bugs found in those products would be possible to implement inside my product.
If any error manifests itself as a recognizable pattern within the code, this would be something easy for me to catch.
However, I don't think I would be able to capture any errors that require "lane" analysis, which I think is used in RaceTrack and Spec#.

You can learn more about NStatic from Wesner Moise's recap of his presentation.

NStatic is not currently available and will most likely be released as a commercial product by SoftPerson, LLC.

InfoQ asks: Is code analysis currently part of your development cycle?

Community comments

  • Normally I like these kind of articles but

    by TR Hockamier /

    Even if the name NStatic is semantically similar to those like NCover, NUnit and NAnt this tool has no bearing on open source.

    What is so irritating is that you read the article then at the bottom you find: "NStatic is not currently available and will most like be released as a commercial product by SoftPerson, LLC."

    Why not just say it is shameless advertising and be done with it...?

  • Re: Normally I like these kind of articles but

    by Jonathan Allen /

    I am sorry that you feel that way. At InfoQ, we don't distinguish between open source and commercial products when determining whether or not something should be covered.

    I personally made the decision to run this particular article based solely on what the technology claims to do. I do not believe the fact that Wesner Moise wants to profit from his research in any way reduces the importance of what he is doing. (Though I have to admit I was disappointed that a trial version is not yet available.)
