Search code examples
code-analysisfxcop

Static code analysis WITH dynamic code analysis tools?

Why have I never seen an analysis tool that has both static code analysis AND dynamic code analysis, therefore checking them both?

A side note, FxCop uses CIL parsing and call graph analysis to run its checks. Does anyone know if it uses dynamic or static call graph analysis?

I admit, I have limited knowledge of these tools, but have been doing some research and can't seem to find the two together... if you do know of some tools that do both, please list them.

Thanks!

Solution

  • It does make sense to combine both: you clearly want static analysis to detect real problems (not just plausible problems) and report them. For those places where the static analyzer is sure there is NOT a problem, nothing needs to be done or said. For those places where the static analyzer can't figure it out... you want dynamic analysis to watch for bad events at runtime.

    The basic answer is that tools that do static analysis are generally not well provisioned to instrument application codes, and those that instrument don't have lot of support for static analysis.

    Our DMS Software Reengineering Toolkit is a set of infrastructure that has both capabilites and can be used to build such tools. At its core, DMS is a program analysis and transformation system. The analysis side parses code and builds models (ASTs, symbol tables, control/data flow graphs, etc.) on which to base analyzers. The transformation side can modify the ASTs (using the analyzers to determine what to change) and spit out modified source code with arbitrary changes; for the purpose of this discussion, instrumented code.

    A clear overview of how DMS can be used to instrument code (dynamic analysis) is provided in this paper: Branch Coverage for Arbitrary Languages Made Easy.

    A more sophisticated example that combines both static and dynamic analyis is our CheckPointer tool, which detects pointer errors where made (as opposed to downstream damage). CheckPointer combines (at this early time of its life) primarly dynamic analysis to achieve this effect coupled with some (and planned further) static analysis to eliminate as many of the dynamic checks as possible.