Tech Days 2015: Static Analysis with CodePeer
Arnaud Charlet, October 1st 2015

Upload: adacore

Posted on 21-Jan-2017

Category: Software

TRANSCRIPT

Page 1: Tech Days 2015: Static Analysis CodePeer

Static Analysis with CodePeer

Arnaud Charlet, October 1st 2015

Page 2

What is Static Analysis?

• Basic Static Analysis: coding standard checking, metrics, compiler warnings and style checks

• Advanced Static Analysis: symbolic execution/interpretation of source code, whole program analysis to perform software verification

• Formal Verification: verify high level or abstract properties on your application, give strong guarantees

Page 3

Why Use Static Analysis?

• Make software more reliable at reasonable cost

– Full coverage of your code (detect corner cases)

– No missing check when needed (no “false negatives”)

• Anticipate problems (get results before testing)

• Automate part of code review

• Express and verify your requirements and architecture

Page 4

CodePeer Overview

• Advanced static analysis tool for Ada

– Also includes basic static analysis (gnatcheck, gnatmetric)

• Detects runtime and logic errors

– Buffer overflow, division by zero, dead code, …

• Analyzes complete or partial programs (e.g. libraries)

– Supports all versions of Ada

– Supports most Ada compilers and targets

– Can tune level of analysis and accuracy

Page 5

CodePeer Overview

• Generates human readable annotations

• Support for IEEE 754 floating point semantics

• Integrated in GPS, GNATbench and third party tools

• Uses project files (.gpr)

• Comes with an HTML server

Page 6

A Qualifiable Tool

DO178C (Avionics)

• Automate part of DO178C 6.3.4.f - determine the correctness and consistency of the Source Code

• Qualified as a verification tool (TQL 5 in DO178C)

• Generation of a detailed report file (date of run, switches, messages, limitations, …)

EN50128 (Railway)

• Qualified as a tool class T2

• Used for boundary value analysis, control flow and data flow analysis

Page 7

CodePeer Use Cases

1. Early testing: detect errors earlier on code modifications/new code

2. Find bugs (on existing code)

3. Impact analysis (before making a change)

4. Code review: help focusing on potential problems/complex code

5. Check consistent use of (third party) libraries: detect inconsistencies between assumptions in callee and caller

6. Identify race conditions

7. Provide evidence for program verification
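Use case 5 above is the callee/caller assumption mismatch. The following Ada 2012 program is an added illustration, not code from the slides or from AdaCore: the callee states its assumption as a Pre aspect, one caller respects it and a second one does not, which is exactly the inconsistency a contract-aware analyzer can report before any test runs. The procedure, type and function names are invented for the example.

```ada
--  Added example (not part of the slides): a callee states its assumption
--  as an Ada 2012 precondition, so a caller that violates it is an
--  inconsistency a static analyzer can flag. All names here are invented.
with Ada.Text_IO; use Ada.Text_IO;

procedure Contract_Mismatch is

   type Buffer is array (Positive range <>) of Character;

   --  Callee assumption made explicit: From .. To must be a non-empty
   --  slice inside B. Without the Pre aspect the same assumption would be
   --  implicit and only discoverable by reading the body.
   function Slice (B : Buffer; From, To : Positive) return String
     with Pre => From in B'Range and then To in B'Range and then From <= To;

   function Slice (B : Buffer; From, To : Positive) return String is
      Result : String (1 .. To - From + 1);
   begin
      for I in From .. To loop
         Result (I - From + 1) := B (I);
      end loop;
      return Result;
   end Slice;

   Data : constant Buffer (1 .. 8) := "abcdefgh";

begin
   --  Caller consistent with the callee's assumption: 2 .. 4 lies in Data'Range.
   Put_Line (Slice (Data, 2, 4));

   --  Caller inconsistent with it: To = 10 lies outside Data'Range, so the
   --  body would read past the end of Data. The precondition turns that
   --  into a reportable contract violation (a static message from a
   --  contract-aware analyzer, and Assertion_Error at run time when
   --  assertions are enabled) instead of an out-of-bounds read.
   Put_Line (Slice (Data, 6, 10));
end Contract_Mismatch;
```

The point for code review is that the mismatch is now a property of the interface: the analyzer compares the actual arguments at each call site against the stated Pre, so a third-party library that ships with such contracts can be checked for consistent use without reading its bodies.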

Page 8

CodePeer 3.1

• Integration with Jenkins - Continuous Builder

• Integration with Sonar, Squore - Dashboards

• CWE compatibility – Security Analysis

• Detection of dangling references

• Static Debugger

• Incremental (re)analysis

Page 9

Integration with Jenkins

Page 10

Integration with Jenkins

Page 11

Integration with Dashboards

Page 12

Integration with Dashboards

Page 13

CWE - Security Analysis

• cwe.mitre.org

• Filters on 36 detected CWE ids

Page 14

Detection of Dangling References

• Detect use after free

    with Unchecked_Deallocation;

    procedure Dangling is
       type Ref is access Integer;
       procedure Free_Int is new Unchecked_Deallocation (Integer, Ref);
       Ptr1 : constant Ref := new Integer;
       Ptr2 : Ref := Ptr1;
    begin
       Free_Int (Ptr2);
       Ptr1.all := 123;  -- high: validity check fails here: requires not Ptr1'Freed
    end;
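In the Dangling procedure the freed storage stays reachable through Ptr1, the constant alias of the value actually passed to Free_Int (Unchecked_Deallocation only sets its own argument, Ptr2, to null). The program below is an added example, not from the slides or from AdaCore, showing the shape that avoids the report: a single owning access value, freed through that same name, with a null check guarding any later dereference. The procedure and variable names are invented.

```ada
--  Added example (not part of the slides): the same allocation as in the
--  Dangling procedure, but with one owning access value and a null check,
--  so no freed address remains reachable. Names are invented here.
with Ada.Unchecked_Deallocation;

procedure No_Dangling is
   type Ref is access Integer;
   procedure Free_Int is new Ada.Unchecked_Deallocation (Integer, Ref);

   --  Single owner: no second access value is copied from it, so freeing
   --  through Owner cannot leave an alias pointing at freed storage.
   Owner : Ref := new Integer'(0);
begin
   Owner.all := 123;        --  object still allocated: valid dereference

   Free_Int (Owner);        --  Unchecked_Deallocation also sets Owner to null

   --  Any later use goes through the null check. A dereference here
   --  without it would raise Constraint_Error on the null value rather
   --  than silently writing to freed memory, and the analyzer has no
   --  second access value whose validity it must doubt.
   if Owner /= null then
      Owner.all := 456;
   end if;
end No_Dangling;
```

The difference the analyzer sees is the aliasing: in Dangling two access values designate one object and only one of them is nulled by the free; in No_Dangling there is exactly one, and it is null at every point after Free_Int.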

Page 15

Static Debugger

Display possible values of variables

Page 16

Static Debugger

Backtrace capability on messages related to preconditions

Page 17

Incremental Analysis

• Ability to re-analyze only impacted files

On a 10K SLOC project, 75 files:

– Time to analyze from scratch: 75 files in 18 minutes

– Time to re-analyze and update the database: 9 seconds

– Modifying a few files and re-analyzing: 44 files in 2 minutes

• Ability to refine analysis (more precise on new runs)