Java: static analysis

Tools that analyze source code without running it

Let’s start with the definition of static analysis, and then a pragmatic definition.

Definition: static analyzers are programs that tell us something about a program’s source code without running it.

The errors and warnings from a compiler are a kind of static analysis, but we typically only talk about static analysis of syntactically correct programs. So, really, let’s throw out the “error messages” that prevent you from even running your program, and we’ll start with this:

It turns out that static analysis can do many more things than just what you see in the warning messages of the compiler. It may not do all of the following things “perfectly”, but it can be quite helpful.

Static analysis can:

How can I run static analysis on my Java code?

One tool that you can use for open source projects in Java is called Codacy. Click the link to learn more.

For languages other than Java, see: pconrad-webapps static analysis

Some theory: the halting problem.

Static analysis tools examine your source code without actually running it.

We know from the proof of the halting problem (a topic of CMPSC 138) that there is no algorithm that can predict with 100% accuracy whether a given program will terminate or not (i.e., whether or not it has an infinite loop).

This is a barrier to many types of analysis we might do that involve running the code—there is no guarantee that the process will ever terminate with an “answer”.

Static analysis typically involves running some algorithm over the code that has a predictable running time and will definitely terminate with an answer, ideally something like O(n) where n is the length of the file—certainly something bounded by a polynomial running time.
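As an added example (not code from the original page, and not how Codacy or any other tool mentioned here works), the following tiny Java checker illustrates the point above: it reads source text without running it, each check is a single linear pass, and, because termination is undecidable, the loop check only flags a suspicious pattern (a `while (true)` whose body contains no `break`, `return` or `throw`) rather than claiming to prove an infinite loop. The class name, the sample source and the two warning patterns are all constructed for this illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Tiny static checker: inspects Java source text, never executes it. */
public class TinyLint {
    private static final Pattern EMPTY_CATCH =
        Pattern.compile("catch\\s*\\([^)]*\\)\\s*\\{\\s*\\}");
    private static final Pattern WHILE_TRUE =
        Pattern.compile("while\\s*\\(\\s*true\\s*\\)\\s*\\{");

    /** One warning per finding; each check is O(n) in the length of the source. */
    public static List<String> analyze(String src) {
        List<String> warnings = new ArrayList<>();
        Matcher m = EMPTY_CATCH.matcher(src);
        while (m.find()) {
            warnings.add("line " + lineOf(src, m.start()) + ": empty catch block swallows the exception");
        }
        m = WHILE_TRUE.matcher(src);
        while (m.find()) {
            String body = blockBody(src, m.end() - 1); // m.end()-1 is the loop's '{'
            // Heuristic only: the halting problem rules out deciding termination in general.
            if (!body.matches("(?s).*\\b(break|return|throw)\\b.*")) {
                warnings.add("line " + lineOf(src, m.start()) + ": while(true) with no break/return/throw may never terminate");
            }
        }
        return warnings;
    }

    /** 1-based line number of a character offset. */
    static int lineOf(String src, int offset) {
        int line = 1;
        for (int i = 0; i < offset; i++) if (src.charAt(i) == '\n') line++;
        return line;
    }

    /** Text between the '{' at openIdx and its matching '}' (ignores braces in strings/comments). */
    static String blockBody(String src, int openIdx) {
        int depth = 0;
        for (int i = openIdx; i < src.length(); i++) {
            char c = src.charAt(i);
            if (c == '{') depth++;
            else if (c == '}' && --depth == 0) return src.substring(openIdx + 1, i);
        }
        return src.substring(openIdx + 1); // unbalanced braces: use the rest of the file
    }

    public static void main(String[] args) {
        String sample = String.join("\n", "class Demo {", "  void run() {",
            "    try { io(); } catch (Exception e) {}", "    while (true) { poll(); }", "  }", "}");
        for (String w : analyze(sample)) System.out.println(w); // warnings for lines 3 and 4
    }
}
```

A real tool such as Codacy does the same kind of work over a proper parse tree instead of regular expressions, which is why it can recognise a `break` inside a nested loop or a brace inside a string literal that this sketch would misjudge.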