Static Analysis

Deliver More Reliable and Secure Applications

Static code analysis and security analysis are effective tools for finding latent errors that are missed by conventional testing. There is a high return on investment, as errors can be found early in the development cycle when they are less expensive to fix.

Static Code Analysis uses the same productive user interface as Intel Inspector XE. It takes you to the source locations of the error and provides a traceback to help you determine how you got there.

Easily Conduct Static Code Analysis and Security Analysis
Use these effective static code analysis tools to quickly find over 250 different kinds of coding errors and security risks such as:

Coding Errors:

  • Memory and resource leaks
  • Incorrect use of OpenMP* directives
  • Incorrect use of Intel® Cilk™ Plus language features
  • Pointer and array errors
  • Error-prone C++ and Fortran language usage

Security Errors:

  • Buffer overflows and boundary violations
  • Use of uninitialized variables and objects
  • Incorrect usage of pointers and dynamically allocated memory
  • Dangerous use of unchecked input
  • Arithmetic overflow and divide by zero
  • Misuse of string, memory, and formatting library routines
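
To make several of these categories concrete (unchecked input, arithmetic overflow, buffer overflow, and misuse of dynamically allocated memory), here is an added example that is not from Intel's page or product documentation. The record layout and both function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 4 /* constructed layout: count (LE16), item size (LE16), payload */

/* BEFORE: defects of the kinds listed above. Shown for contrast, never called. */
uint8_t *copy_items_unsafe(const uint8_t *msg, size_t msg_len)
{
    (void)msg_len;                               /* unchecked input: length ignored */
    uint16_t count = (uint16_t)(msg[0] | (msg[1] << 8));
    uint16_t size  = (uint16_t)(msg[2] | (msg[3] << 8));
    uint16_t total = (uint16_t)(count * size);   /* arithmetic overflow: wraps */
    uint8_t *buf = malloc(total);                /* may be NULL or too small */
    memcpy(buf, msg + HDR_LEN, (size_t)count * size); /* overflow / NULL write */
    return buf;
}

/* AFTER: returns 0 and fills *out, *out_len; -1 on malformed input or OOM. */
int copy_items_checked(const uint8_t *msg, size_t msg_len,
                       uint8_t **out, size_t *out_len)
{
    if (!msg || !out || !out_len || msg_len < HDR_LEN) return -1;
    size_t count = (size_t)msg[0] | ((size_t)msg[1] << 8);
    size_t size  = (size_t)msg[2] | ((size_t)msg[3] << 8);
    if (count == 0 || size == 0) return -1;
    if (count > SIZE_MAX / size) return -1;      /* product would wrap */
    size_t total = count * size;
    if (total > msg_len - HDR_LEN) return -1;    /* header claims more than sent */
    uint8_t *buf = malloc(total);
    if (!buf) return -1;                         /* allocation failure path */
    memcpy(buf, msg + HDR_LEN, total);
    *out = buf;
    *out_len = total;
    return 0;
}

int main(void)
{
    /* Constructed input: header claims 65535 x 65535 bytes, payload is 1 byte. */
    const uint8_t lie[] = {0xff, 0xff, 0xff, 0xff, 'x'};
    uint8_t *out = NULL;
    size_t n = 0;
    printf("rejected=%d\n", copy_items_checked(lie, sizeof lie, &out, &n) == -1);
    return 0;
}
```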

Quotes

“Intel’s static analysis allows us to close issues before the product ships. It locates “hard to find” errors (e.g., potential null pointers on conditional paths) that are unfortunately quite typical.”
Mikael Le Guerroué,
Senior Codec Architecture Engineer,
Envivio

“I inherited 20 - 30,000 lines of mostly uncommented Fortran 77 code that contained a bug that showed up ‘down-the-road’. After more than a week of pure frustration, I gave up on finding it. Later, I tried Intel’s Static Analysis and found the bug, along with at least 10 other error prone portions of code. Time saved? No idea, maybe I’d still be fighting it.”
Dr. Artur Guzik,
Senior Engineer,
R&D, Neubrex Co., Ltd.

Finds over 250 common security violations

When conducting static code analysis, errors are listed with a short explanation and initially sorted by weight. State is set to "new" the first time an error is detected. You can change this to "confirmed," "fixed," or "not a problem" as you investigate the errors.

Quickly locate the error in your source code

Double click the error to see it highlighted in the source with its traceback. Errors with multiple source locations show both the focus code location and the related code location.

Easy Setup in Visual Studio

Setup is automated with a simple menu- and dialog-driven approach that automatically configures your solution for static analysis. From the menus, choose: “Build > Build Solution for Intel Static Analysis”.

Setup for Linux* or Windows* command line builds
Please see the eval guide or the documentation.

Focus on the most important errors first

Extensive filtering lets you see all the errors, or show only the errors in one source file. Just click to add filters for conditions like state, severity, type, category, suppressed and more. Focus on just your code, or just the new errors in the latest build, or just the confirmed errors you plan to fix. You have full control.

Explains the problem and suggests a fix

Choose "Explain Problem" from the pop-up menu to get a detailed explanation of a problem and how to fix it.

Microsoft Source Annotation Language* and Dynamic Libraries

Static analysis provides the best results when it has all the source code. On Linux*, dynamic libraries are supported. On Windows*, Microsoft Source Annotation Language* (SAL) gives static analysis the data it needs even if the source is unavailable.

Fewer False Positives

Choose from three levels of filtering. “Precise” reports very few false positives at the expense of reduced error checking. “Full” reports all suspected errors, with more false positives. “Concise” is in between. It reduces false positives more than it reduces false negatives.

Better Scaling with Large Code Bases

Static analysis now runs faster on large code bases.

Technical Specifications

For additional details, please see the release notes.

Review the resources below to learn how to use Intel® Parallel tools. Be sure to go to the Intel® Learning Lab Portal for a complete offering of videos, whitepapers, and other resources to learn how to take advantage of this product. Visit the Evaluation Guide Portal for concise, step by step guides to see the power of Intel Development Products.

  • Do I have to use the Intel Compiler to build my project to be able to use static analysis?
  • No. You may continue to use the compiler of your choice to build your executable code. Static analysis uses the front end of the Intel Compiler operating in a special mode. Your project should compile without error with the Intel Compiler in order to do a full analysis.

  • What products include static analysis?
  • Static analysis is available with any Intel® Studio XE product:

    • Intel® Parallel Studio XE
    • Intel® C++ Studio XE
    • Intel® Fortran Studio XE
    • Intel® Cluster Studio XE.
  • If I have just the Intel Compiler can I use static analysis?
  • No. You must have an Intel® Studio XE product to view the analysis results.

  • On Windows, what should I do to set up static analysis for my MS VS project?
  • When using Microsoft Visual Studio*, setup is automated with a simple menu- and dialog-driven approach that automatically configures your solution for static analysis. From the menus, choose: “Build > Build Solution for Intel Static Analysis”.

    There is an eval guide to walk you through the process.

  • On Linux, what should I do to set up static analysis?
  • There is an eval guide to walk you through the process.
    For Linux* OS we recommend you modify your build procedure (whatever it is) to create a new build configuration for static analysis. The term build configuration refers to a mode of building your application, using specific compiler options and directing the intermediate files to specific directories. Most applications have at least two build configurations: debug and release. You will want to create one more for SA. The SA configuration must build with the Intel compiler with additional options set to enable SA.

    If your application build is very complex and you don’t feel confident that it can be modified safely, there is an alternative setup method. You can execute your normal build under a “watcher” utility called inspxe-inject. This utility intercepts process creations and recognizes all the compilation and link steps performed during your build. It records this information in a build specification file. This file can be supplied as input to another utility, inspxe-runsc, which invokes the Intel compiler to repeat the same build steps as your original build. These utilities are explained in the documentation.

  • On Windows, can I use static analysis if I do not have MS VS?
  • When building with a make file or command line script in Windows we recommend you modify your build procedure (whatever it is) to create a new build configuration for SA as you would for Linux (see previous question).

  • I build my project from command line. How can I start using static analysis?
  • There is an eval guide to walk you through the process and more information in the documentation.

    Add the compiler option /Qdiag-enable:sc[n] for Windows or -diag-enable sc[n] for Linux. This enables static analysis and determines which diagnostics to emit based on severity. n can be any of the following: 1, 2, 3.

      • ‘1’ reports only diagnostics with a severity level of "critical". Diagnostics with a severity level of "error" or "warning" are not displayed.
      • ‘2’ reports all diagnostics with a severity level of "critical" and "error". Diagnostics with a severity level of "warning" are not reported. This is the default.
      • ‘3’ reports all diagnostics regardless of the severity level.

    You can also specify the analysis mode by adding /Qdiag-enable:sc-mode for Windows or -diag-enable sc-mode for Linux. The mode can be any of the following: full, concise, or precise.

      • ‘full’ attempts to find all program weaknesses, even at the expense of more false positives. Full mode is recommended when using the tool for security assurance.
      • ‘concise’ attempts to reduce false positives somewhat more than reducing false negatives. Concise mode is recommended when using the tool for general error detection.
      • ‘precise’ attempts to avoid all false positives, even at the expense of substantially reduced error checking. Precise mode is recommended when using the tool for acceptance screening.

  • I cannot set up static analysis for my project. How can I get assistance?
  • Please check the support knowledge base, search support articles, visit the forums or post your questions to Intel® Premier Support (Registration is required).

Getting Started?

Click the Learn tab for guides and links that will quickly get you started.

Get Help or Advice

Search Support Articles
Forums - The best place for timely answers from our technical experts and your peers. Use it even for bug reports.
Support - For secure, web-based, engineer-to-engineer support, visit our Intel® Premier Support web site. Intel Premier Support registration is required.
Download, Registration and Licensing Help - Specific help for download, registration, and licensing questions.

Resources

Product Documentation
