NStatic: Advanced Code Analysis for .NET

Code analysis tools like FXCop are often cited as ways to improve code quality. While they do check for a large number of potential faults, in theory there is a lot more that can be done. Wesner Moise intends to try out these theories with an advanced code analysis tool called NStatic.

Unlike FXCop, whose output is essentially compiler warnings, NStatic looks like a full IDE. The code is overlaid with a graphical representation of the analysis. This allows you to actually see the execution flow that resulted in the warning.

As with many projects these days, patents are both limiting Wesner Moise's options and forcing him to find better routes.

I mentioned that there were two major changes that I made last November and December. One was IL Interpretation and the other was a change to my interprocedural analysis due to a Microsoft/Intrinsa patent on interprocedural analysis. The Microsoft patents show how one could avoid doing a full interprocedural analysis by storing function summaries in order to make analysis proceed quickly. I heard that Prefix can still take a day to run on large codebases; that's why they built a scaled-down intraprocedural version called Prefast. Instead of taking shortcuts by summarizing each method, I just tried to figure out how to do full interprocedural analysis quickly; my new approach might even be faster than the earlier one.

FXCop checks for unnecessary parameters by seeing if the parameter is ever read. NStatic goes further and determines whether the parameter is unnecessary because it is a function of other parameters or the global state. For example, if you assert that a = b + c, then logically the parameter c has to equal a - b. NStatic detects that and flags c as being redundant.
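The redundant-parameter check described above can be sketched as follows. This is an added example, not NStatic's code or algorithm: it reads the `Debug.Assert` equalities in a constructed C# method, handles only sums and differences of names and integer constants, and by its own convention reports the last-declared parameter involved. The names `linear`, `redundant_parameters` and the sample method are hypothetical.

```python
import ast
import re
from fractions import Fraction

# Constructed C# input for this example (not taken from NStatic or the article).
CSHARP_SAMPLE = """
static int Width(int a, int b, int c, int pad)
{
    Debug.Assert(a == b + c);
    Debug.Assert(pad * pad > 0);   // not an equality: ignored
    return a + pad;
}
"""

def linear(node):
    """Reduce an arithmetic AST to {name: coefficient}; key 1 is the constant term."""
    if isinstance(node, ast.Name):
        return {node.id: Fraction(1)}
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return {1: Fraction(node.value)}
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Sub)):
        sign = 1 if isinstance(node.op, ast.Add) else -1
        out = dict(linear(node.left))
        for key, coef in linear(node.right).items():
            out[key] = out.get(key, 0) + sign * coef
        return out
    raise ValueError("not a sum or difference of names and integers")

def redundant_parameters(source):
    """Map each parameter that an asserted equality determines to its formula."""
    params = re.findall(r"\w+\s+(\w+)\s*[,)]", source[: source.index(")") + 1])
    found = {}
    for text in re.findall(r"Debug\.Assert\((.*?)\);", source):
        try:
            # The ==, + and - syntax is shared with Python, so its parser is reused.
            test = ast.parse(text.strip(), mode="eval").body
            if not (isinstance(test, ast.Compare) and isinstance(test.ops[0], ast.Eq)):
                continue
            eq = linear(test.left)             # becomes lhs - rhs, which must equal 0
            for key, coef in linear(test.comparators[0]).items():
                eq[key] = eq.get(key, 0) - coef
        except (SyntaxError, ValueError):
            continue
        names = [p for p in params if eq.get(p)]   # parameters with non-zero coefficient
        if names:
            target = names[-1]                 # convention here: the last one declared
            found[target] = {k: -c / eq[target] for k, c in eq.items() if c and k != target}
    return found
```

For the sample method, the result maps `c` to the coefficients of `a - b`, matching the a = b + c case in the text.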

The NStatic analyzer converts traditional imperative code into a functional notation that avoids side-effects and loops. It relies heavily on higher order functions and lambdas, as well as a set of transformations to create canonical forms for the code. This conversion gives NStatic the ability to perform symbolic manipulation of the code.

Using these techniques, NStatic can detect errors such as:

  • Complex expressions (including function calls) that evaluate to constants 
  • Assignment to a variable of the value it already holds 
  • Redundant parameter - parameter is a function of other parameters/globals 
  • Infinite loops, no side effects

Unlike FXCop, which works solely on IL, NStatic analyzes the source code as well. This means that support for other languages is not automatically free. Currently NStatic only supports C#, but support for VB and other .NET languages is being considered.

One feature that is in high demand right now is a tool that detects multi-threading issues such as potential deadlocks and race conditions. Unfortunately, there are currently no plans to support this in NStatic. Wesner Moise writes:

I haven't seriously thought about threads; I need to see how other products like FindBugs, TeamSuite deal with threading first. I suspect any bugs found in those products would be possible to implement inside my product.
If any error manifests itself as a recognizable pattern within the code, this would be something easy for me to catch.
However, I don't think I would be able to capture any errors that require "lane" analysis, which I think is used in RaceTrack and Spec#.

You can learn more about NStatic from Wesner Moise's recap of his presentation.

NStatic is not currently available and will most likely be released as a commercial product by SoftPerson, LLC.

InfoQ asks: Is code analysis currently part of your development cycle?