Static code analysis (also known as static analysis) is a software verification activity in which source code is analyzed for quality and reliability. This analysis enables software developers and testers to identify and diagnose run-time errors such as overflows, divide by zero, and illegally dereferenced pointers. Metrics produced by static code analysis provide a means by which software quality can be measured and improved. In contrast to other verification techniques, static code analysis is automated, and can therefore be done without executing the program or developing test cases.
Basic static code analysis techniques include:
Sophisticated techniques couple static code analysis with formal methods. Formal methods apply theoretical computer science fundamentals to solve difficult problems in software, such as proving that the software will not fail with a run-time error.
The combination of static code analysis and formal methods enables developers to:
This approach is comprehensive and complete, because every failure point in the code is identified as proven to fail, proven not to fail, may never execute (dead code), or unproven.
Polyspace products are an example of the class of static code analysis tools that utilize formal methods. They perform static code analysis to detect run-time errors and prove the absence of certain run-time errors in C/C++ and Ada source code. The products also produce code quality metrics and check source code for compliance to coding standards such as MISRA-C/C++ and JSF++.