[UncleMeat]

It's good to see discussions of static analysis, but I often feel that these blog posts do a disservice to the techniques. The post leads by mentioning applications like bugfinding and security vuln detection but the examples here are barely above local syntactic checks. This is the common scenario in the majority of blog posts I see about static analysis, probably because it is just much easier to put together a quick write up on AST-linting. Heck, this article has a diagram that directly states that an AST is the input to a static analysis module, but that is true only for some kinds of things!

AST level analysis is certainly useful. Everybody should be using some sort of style checker. But AST pattern matching is a completely different technique from the stuff used to do bugfinding that I worry that these blog posts will give the wrong impression about what static analysis can do and what it can't do.

I'd love to see blog posts about interprocedural pointer analysis, for example.

[rj722]

Article author here. Agree that the post merely touches the surface for static analysis -- because it was aimed towards an audience looking for an introduction to static analysis. The scope for the examples in this post had to be limited for this reason.

Inter-procedural pointer analysis -- Yes, a lot more trickier than these, but definitely more juicier. Will try to write a post on it in the coming weeks.

[UncleMeat]

I think limiting the scope is fine in general. But one small suggestion would be to make it more clear that this is just one very simple technique. This does not come across at all in the blog post. The diagram you show, for example, seems to state that this is just how static analyses work - they are given ASTs to work with. Or at the very least include some examples of semantic properties. It seems incongruent when you describe static analysis as understanding the behavior of the program without running it and then use examples that are about syntactic style violations.

[onemoresoop]

The article is great and it is clear it is intended for beginners. Everything is explained as for beginners which is good. A second part is very welcome.

[kungato]

Hey I'll be doing a college project on static analysis and while I'm familiar with semantic analysis wrt compiling I was wondering if you might drop a few more of these terms like interprocedural pointer analysis so that I have more techniques to research

[itsspring]

I want to read more on this topic. Have you written about this anywhere, or do you have a pointer/suggestion?

[chas]

This article gets more into actual analysis of program state and execution: http://matt.might.net/articles/intro-static-analysis/

If you want to go deeper, Principles of Program Analysis is a popular reference: Principles of Program Analysis https://www.amazon.com/dp/3540654100/

[dtornabene]

I would not recommend POPA to people wanting to go down this road, its an extremely difficult text. Personally, just my 2 cents here, a far more useful text would be Practical Binary Analysis, https://practicalbinaryanalysis.com/ The Cousant's text is fascinating but requires a level of mathematical maturity at virtually post-doc researcher levels

[chas]

Principles of Program Analysis isn't the Cousot's text, but it does make significant use of abstract math. In particular, it uses tools from order theory[0] to describe many program analysis algorithms as finding fixpoints of functions between lattices[1].

This is useful because it reduces many program analysis design questions to questions of which lattice to use. It also allows you to compare algorithms by comparing their lattices, which makes it easier to see how algorithms are related.

The cost is that this approach will be pretty alien if you don't have experience with abstract algebra or related fields. If you do have that experience, I don't think it requires mathematical maturity beyond an undergraduate level.

[0] http://matt.might.net/articles/partial-orders/

[1] https://en.wikipedia.org/wiki/Lattice_(order)

[dtornabene]

You're correct on the Cousot text, thank you. I stand by the assertion that if people want to go beyond the simple PA described in the article a far better and more approachable text is the binary analysis one I listed. Practical hands on experience that doesn't require a math major in uni is a good thing!