Ivannikov Institute for System Programming of the RAS

SharpChecker. Static analysis toolkit for defect detection in C# source code

SharpChecker is a platform for static analysis of C# programs, aimed at finding bugs. The tool contains both a code analyzer engine and components ready for integration into industrial development processes. SharpChecker can be used not only by programmers to fix errors in the project, but also by managers as another dynamic metric to evaluate the quality of the product.

Scope of application

SharpChecker does not completely replace testing and other error detection approaches, but complements them. Like any other static analyzer, it allows errors to be fixed as early as possible, thereby significantly reducing the overall cost of the product. In addition, all branches of the program are analyzed, which is difficult to achieve by other testing methods. Another advantage of the static analyzer is the ability to quickly detect errors in a variety of different product configurations without the need to deploy the software and hardware environment for program execution.

First of all, SharpChecker will be useful for developers. There are several typical scenarios for using a static analyzer.

Regular analysis is the most effective approach. Integrated into the project CI, SharpChecker makes it possible to achieve a complete absence of new warnings for each commit in the project repository. This can be implemented using specially developed technologies for comparing and sorting the analysis results. Integration with Microsoft Visual Studio allows standalone analysis to be performed on the developer's workstation. CI integration checks each commit before it is added to the version control system.

Stabilization before release. By using an "intelligent" comparison of the latest release analysis results with the current project state, SharpChecker can quickly identify only new warnings, and the sorting of warnings allows the most important defects to be corrected first.

SharpChecker can also be used to find a specific error. This is necessary in the case of a defect that is hard to reproduce, for example, if the problem is reported by a user with an unknown configuration of the environment or is related to multithreaded program execution. Even in the category of errors traditionally detected by dynamic analysis, for example, memory leaks, SharpChecker has the upper hand because it immediately shows the location in the source code and the conditions under which the problem occurs.

SharpChecker is also useful for project managers. It allows them to continuously monitor project status, to measure stability and to estimate the time needed for stabilization. An additional utility helps calculate various metrics and relations in the source code, which can be used, for example, during refactoring. Thus, the combination of various subsystems of the SharpChecker platform makes it convenient to use the analyzer in all scenarios and meets all requirements for industrial quality tools.

Main features of SharpChecker

Studies on static analysis technologies have been conducted at ISP RAS since 2002, so the SharpChecker tool uses the most advanced scientific approaches in the field of program analysis. This makes it possible to achieve high productivity and high quality results in comparison with its commercial analogs used in industry.

In 2015, SharpChecker as part of the Svace tool was deployed at Samsung as the main tool for static analysis, having replaced the world's well-known leader in the industry.

The main features of the tool are:

  • good quality of the results (60-100% of true positives);
  • high performance (Roslyn 1.7 MLoS ~ 35min on the Core i7 6700 4 core);
  • more than 100 different types of defects, the search for which is based on three levels of analysis: syntax, data-flow, symbolic execution, incl. interprocedural;
  • clear and detailed error messages contain traces that show not only the explicit error location, but also the reasons and conditions (path in the program);
  • a centralized history server with web interface and public API and a Microsoft Visual Studio extension have been developed for warning management and presentation;
  • support for Windows 7, 8, 10 32- and 64-bit (recommended), Linux;
  • build interception provides transparent support of various build-configurations of the analyzed project;
  • functions without source code can be modeled (more than 40 thousand models of library functions are implemented).

Error categories

SharpChecker is able to detect more than 100 different types of errors, ranging from common syntax errors to resource leaks and null dereferences. One of the fundamental principles of the analyzer is the focus on error detection, rather than testing for compliance with programming standards or "best practices". This makes it possible to produce fewer warnings that are more likely to point to real errors. The most interesting are the following error groups.

  1. Resource leaks.

    The most common case for C# is a skipped 'Dispose()' method call on an 'IDisposable' object, which can lead to a run-time error due to early violation of memory limits or exhaustion of other system resources, such as file descriptors. The search for leaks is performed along all possible execution paths, taking into account possible exceptions.

  2. Null dereference.

    This frequent issue results in NullReferenceException, which is usually followed by a runtime error or an abnormal program termination. This group includes various subcategories:

    • dereferencing a variable that was assigned the value null (possibly implicitly);
    • dereferencing a variable that was assigned the result of a function capable of returning null (including statistical analysis);
    • dereferencing a variable after comparison with null without a check;
    • comparison of a variable with null after it was dereferenced;
    • dereferencing after the 'as' operator without a check.

  3. Incorrect usage of locks, revealing missing synchronizations, deadlocks, incorrect use of the ThreadStatic attribute.

    It is usually very difficult to reproduce and localize errors of these types. Static analyzer messages significantly reduce the risk of the mentioned issues.

  4. Identification of branching conditions and non-trivial expressions with constant value result and unreachable code.

    After the warnings are filtered using experimentally deduced heuristics, a substantial part of the remaining ones point to an algorithmic error.

  5. Type casting errors.

    There are several groups of these warnings: some are aimed at detecting InvalidCastException at runtime, others allow us to simplify or improve the code.

  6. Errors that occurred as a result of copying a piece of code in which not all necessary changes were made.
  7. Errors that lead to performance problems, for example, not using the result of a resource-intensive function calculation or string concatenation inside a loop.
  8. Contract violations of user-written or standard library methods.

    For example, skipping the call of a base class method in the inherited one; using obsolete methods, weak cryptography. For methods with accessible source code, such rules are deduced based on statistical analysis, and for library methods, they are obtained from the documentation.

  9. Detection of frequent errors.

    For example, virtual calls in constructors; common typos, such as the operator ";" between the condition and the body of a loop; infinite loops; invalid code indentation, leading to erroneous interpretation of the algorithm by the programmer.
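
The resource leak and null dereference groups above, illustrated in C#. This is an added example, not code from SharpChecker or its documentation; the class and method names are hypothetical, and each defective method is followed by a corrected form.

```csharp
using System;
using System.IO;

// Added illustration; all names here are hypothetical.
static class DefectExamples
{
    // Resource leak on an exception path: if ReadLine() throws,
    // Dispose() is never reached and the file handle stays open.
    public static string FirstLineLeaky(string path)
    {
        var reader = new StreamReader(path);
        string line = reader.ReadLine();
        reader.Dispose();
        return line;
    }

    // Corrected: 'using' disposes the reader on every path, exceptions included.
    public static string FirstLineSafe(string path)
    {
        using (var reader = new StreamReader(path))
        {
            return reader.ReadLine();
        }
    }

    // Dereference after 'as' without a check: 'as' yields null when 'input'
    // is not a Stream, so '.Length' throws NullReferenceException.
    public static long LengthUnchecked(object input)
    {
        var stream = input as Stream;
        return stream.Length;
    }

    // Corrected: the type test and the null check happen in one step.
    public static long LengthChecked(object input) =>
        input is Stream s ? s.Length : -1;

    // Comparison with null after dereference: the check comes too late,
    // because 'items.Length' on the previous line already dereferenced it.
    public static int CountLate(string[] items)
    {
        int n = items.Length;
        if (items == null) return 0;
        return n;
    }

    // Corrected: test before use.
    public static int CountChecked(string[] items) =>
        items == null ? 0 : items.Length;
}
```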

Warning traces

Complex methods of program analysis detect errors that are very difficult to verify, which is why it is very important to maximize the amount of related detail for each issue found: conditions for its occurrence, important source locations, possible execution path. Therefore, in SharpChecker, warnings contain detailed descriptions of the error reasons, the program execution paths that inevitably lead to an error, and detailed messages for each trace point.

Modeling functions

To achieve good analysis results, information about methods without source code is needed. The analyzer has an interface for creating models of such functions. For the most common library functions (more than 40000), models have already been developed.

Warnings interface

Various use cases for a static analyzer result in the need for different systems for presenting analysis results: centralized or standalone. The capabilities of these systems practically coincide and include: navigation, highlighting errors in the code browser, various sorting, searching and filtering by various criteria, marking up false positives, comparing two analysis results. The centralized code browser involves an analysis history server, which has a web interface and API to interact with subsystems of continuous user integration. In addition, the Microsoft Visual Studio extension has been developed to perform analysis and evaluate results on the developer's machine. Thus, the SharpChecker tool created at ISP RAS is based on advanced scientific approaches in the field of static analysis, fully meets the requirements for an industrial quality analyzer, and is used in industry.


