This article is cited in 17 scientific papers.
A static analysis tool Svace as a collection of analyzers with various complexity levels
A. Borodin (a), A. Belevancev (b)
(a) Institute for System Programming of the RAS
(b) Lomonosov Moscow State University
Abstract:
The paper describes a practical approach for finding bugs in the source code of programs using static analysis. The approach is implemented in the Svace tool developed by ISP RAS. Svace detects defects of many types, including null pointer dereferences, buffer overruns and underruns, uses of uninitialized variables, memory leaks, double locks and missing locks, unreachable code, division by zero, use after free and others.
The goal of the analysis is to find as many defects as possible while keeping false positives low and the analysis time acceptable. As a consequence, on large programs the approach inevitably misses some defects.
Even critical program defects arise for various reasons, and the right analysis approach should be chosen based on the defect type. A good analyzer therefore includes both simple detectors that use only semantic analysis on an abstract syntax tree (AST) and complex detectors that use interprocedural, context- and path-sensitive analysis. Svace is designed for that purpose as a collection of analyzers operating at various levels: an AST analyzer, a conservative data flow analyzer, and a flow-, context- and path-sensitive interprocedural analysis that makes a few simplifying assumptions at the cost of conservativeness (soundness). The interprocedural analysis is annotation based: each function is analyzed only once, and the annotation created to summarize its analysis results is used whenever a call of that function is simulated. All described algorithms are presented and illustrated using examples of various detectors and their real warnings found on a number of open source projects.
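A toy version of the annotation-based interprocedural scheme the abstract describes, added here as an illustration; this is not code from Svace or ISP RAS. The statement mini-language, the `Annotation` fields (`deref_params`, `may_return_null`), the nullness lattice and the warning texts are all constructed for this example. Each function body is walked exactly once; call sites are simulated from the callee's annotation, and an obligation that a function cannot discharge itself (it dereferences a parameter of unknown nullness) is pushed into its own annotation for callers to satisfy.

```python
from dataclasses import dataclass, field

# Constructed nullness lattice for this example (not Svace's).
NULL, MAYNULL, NONNULL, UNKNOWN = "null", "maybe-null", "non-null", "unknown"


@dataclass
class Annotation:
    """Summary of one analyzed function: a stand-in for Svace's function annotations."""
    deref_params: set = field(default_factory=set)  # indices of params dereferenced without a null check
    may_return_null: bool = False


@dataclass
class Frame:
    """Per-function analysis state while its body is walked once."""
    fname: str
    params: list
    ann: Annotation
    state: dict                       # variable -> nullness (flow-sensitive)
    origin: dict = field(default_factory=dict)  # variable -> callee whose result it holds


class Analyzer:
    def __init__(self, program):
        self.program = program        # name -> (parameter names, statement list)
        self.annotations = {}         # filled exactly once per function
        self.warnings = []            # (function name, message)
        self.analysis_runs = 0        # how many bodies were actually walked
        self._in_progress = set()

    def run(self):
        for fname in self.program:
            self.annotation(fname)
        return self.warnings

    def annotation(self, fname):
        """Return fname's cached annotation; walk its body only on the first request."""
        if fname in self.annotations:
            return self.annotations[fname]
        if fname in self._in_progress:      # recursion: fall back to an empty (optimistic) summary
            return Annotation()
        self._in_progress.add(fname)
        self.annotations[fname] = self._analyze(fname)
        self._in_progress.discard(fname)
        return self.annotations[fname]

    @staticmethod
    def _nullness(state, name):
        return NULL if name == "NULL" else state.get(name, UNKNOWN)

    def _analyze(self, fname):
        self.analysis_runs += 1
        params, body = self.program[fname]
        frame = Frame(fname, params, Annotation(), {p: UNKNOWN for p in params})
        for stmt in body:
            kind = stmt[0]
            if kind == "assign":                # ("assign", var, "NULL" | "ALLOC" | ("call", f, args))
                _, var, value = stmt
                if value == "NULL":
                    frame.state[var] = NULL
                elif value == "ALLOC":
                    frame.state[var] = NONNULL
                else:
                    _, callee, args = value
                    callee_ann = self._simulate_call(frame, callee, args)
                    frame.state[var] = MAYNULL if callee_ann.may_return_null else UNKNOWN
                    frame.origin[var] = callee
            elif kind == "check":               # ("check", var): `if (var == NULL) return;`
                frame.state[stmt[1]] = NONNULL
            elif kind == "deref":               # ("deref", var): `*var`
                self._deref(frame, stmt[1], "dereference of '%s'" % stmt[1])
            elif kind == "call":                # ("call", f, args) with result ignored
                self._simulate_call(frame, stmt[1], stmt[2])
            elif kind == "return":              # ("return", var)
                if self._nullness(frame.state, stmt[1]) in (NULL, MAYNULL):
                    frame.ann.may_return_null = True
        return frame.ann

    def _simulate_call(self, frame, callee, args):
        """Model a call from the callee's annotation alone; the callee body is never re-walked."""
        callee_ann = self.annotation(callee)
        for index, arg in enumerate(args):
            if index in callee_ann.deref_params:   # callee will dereference it: treat as a deref here
                self._deref(frame, arg, "argument '%s' passed to %s(), which dereferences it" % (arg, callee))
        return callee_ann

    def _deref(self, frame, name, what):
        value = self._nullness(frame.state, name)
        if value == NULL:
            self.warnings.append((frame.fname, "definite null " + what))
        elif value == MAYNULL:
            self.warnings.append((frame.fname, "possible null %s (%s() may return NULL)"
                                  % (what, frame.origin.get(name))))
        elif value == UNKNOWN and name in frame.params:
            frame.ann.deref_params.add(frame.params.index(name))   # obligation moves to the callers


# Constructed sample program (only the miss path of lookup is modelled).
PROGRAM = {
    "lookup": (["table", "key"], [("deref", "table"), ("assign", "hit", "NULL"), ("return", "hit")]),
    "use_len": (["s"], [("deref", "s")]),
    "wrapper": (["p"], [("call", "use_len", ["p"])]),       # inherits use_len's obligation on p
    "main": ([], [
        ("assign", "t", "ALLOC"),
        ("assign", "e", ("call", "lookup", ["t", "t"])),
        ("deref", "e"),                     # possible null dereference: lookup may return NULL
        ("check", "e"),
        ("deref", "e"),                     # fine after the check
        ("assign", "q", "NULL"),
        ("call", "wrapper", ["q"]),         # NULL reaches use_len's dereference through wrapper
        ("call", "lookup", ["NULL", "q"]),  # NULL passed where lookup dereferences unconditionally
    ]),
}


def check(program=PROGRAM):
    analyzer = Analyzer(program)
    return analyzer.run(), analyzer


if __name__ == "__main__":
    for fname, message in check()[0]:
        print("%s: %s" % (fname, message))
```

Each of the four functions is walked once (`analysis_runs == 4`) even though `lookup`, `use_len` and `wrapper` are called from elsewhere, and three warnings are reported in `main`: a possible dereference of `lookup`'s result, and two definite NULL arguments reaching parameters that the callees (directly or via `wrapper`) dereference.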
Keywords:
static analysis, C language, defects in source code, abstract syntax tree, flow-sensitivity, path-sensitivity, interprocedural analysis, unsound analysis, null pointer dereference.
Citation:
A. Borodin, A. Belevancev, “A static analysis tool Svace as a collection of analyzers with various complexity levels”, Proceedings of ISP RAS, 27:6 (2015), 111–134
Linking options:
https://www.mathnet.ru/eng/tisp188
https://www.mathnet.ru/eng/tisp/v27/i6/p111