Static analysis framework

The static analysis framework includes a source code model builder and a set of analysis algorithms. The framework can be used both for defect detection and for solving other program engineering tasks.

Source code model

The source code model contains information about program objects and statements. Aegis uses a control flow graph whose nodes are in static single assignment (SSA) form.

Annotations describe the behavior of library functions (and of other functions whose source code is not available). Annotations define the behavior of functions, the types and states of resources (files, sockets, etc.), and the system environment of the program. Annotations are written in PAnLang (Program Annotation Language), a C-like language.

Annotations make it possible to detect additional defects, for example:

  • resource leaks
  • resource protocol violations
  • dangerous function calls
  • format string defects

Analysis algorithms

The analysis algorithms operate on the source code model extended by annotations. The algorithms determine possible program states, i.e. the set of possible object values at a given execution point. Each execution point corresponds to a program statement. To determine program states, Aegis combines separate analysis of execution traces with state merging at phi-functions.

The following algorithms are used:

  • points-to analysis determines the sets of possible targets of pointer variables
  • interval analysis determines the sets of possible values (intervals) of primitive-type variables
  • resource analysis determines the sets of possible resource states

Algorithms features

  • interprocedural, context-sensitive analysis
  • interpretation of branch conditions
  • analysis of complex objects
  • pointer arithmetic analysis
  • loops and recursion are supported
  • programs containing multiple defects are supported

Defect detection

Defects are detected for each program statement, based on the computed program states. Different kinds of statements have different kinds of possible defects. For each defect, Aegis reports its type, its location in the source code and its call-stack context.


The primary characteristics of defect detection are:

  • defect density: the mean number of defects per 1 KLOC
  • soundness: the fraction of true detected defects among all defects in the program
  • precision: the fraction of true detected defects among all detected defects
  • resource consumption
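As an added example (not part of Aegis), the first three characteristics can be computed from a detector's report and a ground-truth defect list when benchmarking a tool. Defects are matched by (file, line, type); the sample report and ground truth below are constructed, and computing density over the ground-truth defects is this example's assumption. Ratios with an empty denominator (no defects, or no reports) are returned as None rather than raising, since "precision of an empty report" is undefined.

```python
"""Defect-detection metrics: density, soundness (recall) and precision.
Added example for benchmarking a static analyzer; not Aegis code."""
from typing import Iterable, Optional, Set, Tuple

Defect = Tuple[str, int, str]   # (file, line, defect type)


def evaluate(reported: Iterable[Defect], truth: Iterable[Defect],
             kloc: float) -> Tuple[Optional[float], Optional[float], Optional[float]]:
    """Return (defect density, soundness, precision).

    density   = real defects per 1 KLOC          (assumption: over ground truth)
    soundness = true detected / all real defects (recall)
    precision = true detected / all reported
    None is returned where the denominator is zero."""
    rep: Set[Defect] = set(reported)    # duplicates in a report count once
    real: Set[Defect] = set(truth)
    true_hits = rep & real              # reports matching a real defect by location and type
    density = len(real) / kloc if kloc > 0 else None
    soundness = len(true_hits) / len(real) if real else None
    precision = len(true_hits) / len(rep) if rep else None
    return density, soundness, precision


# Constructed ground truth for a 2 KLOC program: four real defects.
GROUND_TRUTH = [
    ("net.c", 42, "resource leak"),
    ("net.c", 88, "resource protocol violation"),
    ("log.c", 17, "format string"),
    ("main.c", 120, "dangerous function call"),
]

# Constructed detector report: three true findings, two false positives, one real defect missed.
REPORT = [
    ("net.c", 42, "resource leak"),
    ("net.c", 88, "resource protocol violation"),
    ("log.c", 17, "format string"),
    ("log.c", 30, "format string"),          # false positive
    ("main.c", 7, "resource leak"),          # false positive
]

if __name__ == "__main__":
    density, soundness, precision = evaluate(REPORT, GROUND_TRUTH, kloc=2.0)
    print(f"density={density} defects/KLOC soundness={soundness} precision={precision}")
```

On the constructed data the report finds 3 of 4 real defects (soundness 0.75) with 5 reports (precision 0.6), and the program has 2.0 defects per KLOC.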