Journal "Software Engineering"
a journal on theoretical and applied science and technology
ISSN 2220-3397

Issue No. 10, 2025

DOI: 10.17587/prin.16.517-531
A Holistic Static Analysis for Finding Errors in Source Code
V. N. Ignatyev, Senior Researcher1, Associate Professor2, valery.ignatyev@ispras.ru,
1 Ivannikov Institute for System Programming RAS, Moscow, 109004, Russian Federation
2 CMC faculty of Lomonosov Moscow State University, Moscow, 119192, Russian Federation
Corresponding author: Valery N. Ignatyev, Senior Researcher1, Associate Professor2,
E-mail: valery.ignatyev@ispras.ru
Received on July 07, 2025
Accepted on July 23, 2025

We propose a holistic, comprehensive static analysis system that addresses the modern challenges of growing code complexity and support for many popular languages, while being able to use source code metainformation (e.g., commit history, merge request discussions) during analysis. The system combines classical methods, such as abstract syntax tree search, dataflow analysis, and symbolic execution, with new methods based on machine learning and large language models for error detection and cross-verification. We discuss the system's design and its implementation in SharpChecker, an industrial static analyzer, including an ensemble of relevant analysis methods. The design considers the main use cases for the analyzer and proposes a scheme for interaction and data exchange between its components. The paper presents brief results on the performance, precision, and recall of the system on a set of open source projects with more than 5 million LOC, illustrating high performance.

Keywords: static source code analysis, machine learning in code analysis, error detection, Svace, SharpChecker
pp. 517—531
For citation:
Ignatyev V. N. A Holistic Static Analysis for Finding Errors in Source Code, Programmnaya Ingeneria, 2025, vol. 16, no. 10, pp. 517—531. DOI: 10.17587/prin.16.517-531. (in Russian).