Tutorial :Static Analysis API's?


I am interested in static analysis tools that are out there. Or rather the API's that are supported to allow me to write my own tools using these API's. I've written dozens over the years at my present employment that scrutinize our source code (C++) for various things. But one thing I want to know is if there are other static analysis API's that are available. So

My question are

  1. What static analysis API's do you use?
  2. Why do you use it?
  3. Name one thing you have written with it?

As for me, my answers are:

What: I use an API for understand 4 c++.

Why: I use it because:

  1. The C API for it is one header file (Very small)
  2. The C API requires almost no memory management
  3. I wrote a managed wrapper around it so I can use c# with it!
  4. The API is very small but powerful in finding various things.

One Tool: Well, last week I wrote a tool to take a virtual function on a base class and then to change the accessibility on it and all virtual overrides on derived classes. This would have taken me a week to do by hand. Using the tool which took me a very short time to write I was able to change almost a thousand files with one push of a button. Cool

Note: I've also played around with the C++ code model that is available with Visual studio and have been successful in writing macros to target that.

Thanks, and I look forward to any answers you may have.


Our DMS Software Reengineering Toolkit is commercially available, general purpose machinery for parsing/analyzing/transforming source code for many languages, including C, C++, C#, Java, COBOL, ...

It uses explicit langauge definitions (e.g., BNF) to drive parsing machinery to build ASTs directly; DMS supports multiple dialects for some languages. There are built in analyzers to support symbol table construction, control and data flow anlaysis, points-to analysis, symbolic range analysis ...

For C, Java and COBOL, the built-in analysis machinery is tied to the language definitions so that you can use these analyzers as a foundation for a custom analysis you might want to build. C++ does have the symbol tables but isn't yet tied to the other internal analyzers, but the machinery is there.

DMS also provides procedural and source-to-source transformations, conditioned by analysis results, on top of all of this; the modified ASTs can be prettyprinted to regenerate compilable source complete with the original comments.

Your three questions:

1.What static analysis API's do you use?

  • DMS + the APIs I've described above.
  • You can use the transformational aspect to get dynamic analysis.

2.Why do you use it?

  • Mostly to support custom tool construction. Its amazing how many different questions people have about code, and how many ways they want to reshape a large application.

3.Name one thing you have written with it?

  • B-2 Stealth Bomber JOVIAL-to-C translator (seriously, see website).
  • IBM Mainframe application architecture extraction.
  • Automated C++ component restructuring.
  • Clone Detection.
  • Test Coverage and Profilers
  • Smart Differencer
  • (See website for longer more detailed list)


clang attempts to provide a useful set of libraries for static analysis of the languages it supports. Unfortunately, although its C support is pretty good, its C++ support is currently pretty incomplete. (Clang C++ support is now mature and even many C++11 features are working)

Why use it? It's a full-blown compiler, so you can get full visibility into the code you're working with. The APIs are (at least mostly) pretty nicely designed C++.

I haven't written anything particularly serious with it yet. I'm currently working on a tool that uses the Index library to find headers that are included but never referenced, but it's not finished yet (and may never be -- I only really intended it as an excuse to do some exploring, not really a useful tool).


Our tool, named CodeSonar, is a commercial advanced static analysis tool for C/C++ programs. It offers several APIs that can be used to extend its functionality. Note that it is designed for doing analysis, not for doing program transformations.

There are APIs (in both C and Scheme) that allow access to the program's ASTs (which comprise symbol tables), the CFGs for each subprogram, the whole-program call graph, compilation units, include files, etc. All these representations are cross-associated with position information, so it is possible to get back to the line of code responsible.

The analysis engine visits all of these data structures, and a user can write a checker by specifying a callback to be invoked during the visit.

CodeSonar is a path-sensitive analysis tool. Path exploration is hard because some paths are infeasible and excluding those from consideration takes some effort. It is important to exclude infeasible paths to keep false positives low. CodeSonar allows users to piggyback on its path exploration, again using a visitor pattern, which allows them to write path-sensitive checkers without having to implement feasible-path exploration themselves.

This mechanism has been used to implement a checker that finds deviations from a fairly complex error reporting idiom.

Another way to write checks is to use a different special-purpose API whose purpose is not to be executed, but to educate the analysis engine about properties of the program. Roughly speaking you can use this API to write code that is similar to what you would write for a dynamic check for the property, but which is instead "interpreted" by the symbolic execution engine. You can decorate your own code with calls to this API, or keep it all off to the side.

Many of CodeSonar's built-in checkers for API usage are specified exactly this way.

Writing checks is only half the battle. Once you have a checker in production you need a way to manage what it finds. All of the mechanisms described above generate reports that populate a database, and there is a web-client based UI for looking at the results, attaching notes, integrating with other tools, etc.

I hope this helps!


NDepend is a .NET static analyzer that comes with a complete NDepend.API to write your own static analyzer.

Disclaimer: I am one of the developer of the tool

NDepend.API is LINQ friendly. More than 200 code rules are proposed. They are based on LINQ queries over NDepend.API, what we call CQLinq . These code rules cover a wide range of needs (API, evolution/diff, naming, architecture/design, code metric/quality, dead code, code coverage, OOP...) You can adapt them to your own needs and create your own ones.

14 Power Tools open source base on NDepend.API are proposed. Power Tools are actually custom static analyzers. Here also you can adapt them or create your own ones. If you download the NDepend bits, the code source of these Power Tools is in the VisualStudio solution: $NDependInstallPath$\NDepend.PowerTools.SourceCode\NDepend.PowerTools.sln

NDepend Power Tools List

Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Next Post »