Code Browser

CodeSurfer is a code-understanding tool for C and C++ source code and for Intel x86 machine code. CodeSurfer performs a deep semantic analysis of a program and provides sophisticated queries for understanding your code. It enables you to effortlessly identify and navigate the deep structure of your program: the semantic threads that reveal exactly how your program works. CodeSurfer can be used either interactively or programmatically.

Motivation for Development: 

CodeSurfer is both a tool for code-understanding as well as a platform on which to build other technologies. At its heart, CodeSurfer provides an intermediate representation (IR) that enables visibility into the structure and semantic behavior of software.

Features of the Technology: 
  • Code Surfing: Navigating the semantic threads of your code with CodeSurfer is as easy as surfing the World Wide Web. CodeSurfer automatically generates hyperlinks and provides Web-like controls so you can explore multiple paths without losing context.
  • Program Information: Each statement in a program may be influenced by previous statements, and may itself influence subsequent statements. CodeSurfer provides easy access to information about these dependences.
  • Pointer Analysis: Statements or instructions that involve pointers have even more complex dependences. CodeSurfer performs pointer analysis to determine these dependences.
  • System-Wide Dependence Graph: In a complex system, the web of relationships between the components can be extremely complicated. CodeSurfer provides automated queries that allow various perspectives on these relationships.
  • Customization: You can create your own extensions to CodeSurfer with the Application Programming Interface (API), which is provided in both C and Scheme.

CodeSurfer® is a code browser that understands pointers, indirect function calls, and whole-program effects.

Static Analysis from GrammaTech

CodeSurfer is the most sophisticated code browser available for C/C++ or x86 machine code; it is the static analysis tool of choice for organizations that manually review software for critical applications.

While CodeSonar®, GrammaTech's flagship static analysis tool, is an automated tool that finds bugs and generates a report of defects in the code, CodeSurfer® is a program-understanding tool that makes manually analyzing code more efficient.

Why CodeSurfer

Many program-understanding tools interpret code loosely. In contrast, CodeSurfer does a precise analysis. Program constructs — including preprocessor directives, macros, and C++ templates (in the case of source code) and machine instructions (in the case of Intel x86 binaries) — are analyzed correctly. CodeSurfer calculates a variety of representations that can be explored through the graphical user interface or accessed through the optional programming API.

Notable features include:

  • Whole-Program Analysis. See any interactions among source files or within a whole binary executable.
  • Pointer Analysis. See which pointers point to which variables and procedures.
  • Call Graphs. See a complete call graph, including functions called indirectly via pointers.
  • GMOD/GREF Analysis. See all the globals a function uses or modifies.
  • Impact Analysis. See what statements depend on a selected statement or instruction..
  • Powerful Searching. Find information easily with precise searches.
  • Dataflow Analysis. Pinpoint where a variable was assigned its value.
  • Control Dependence Analysis. See the code that influences a statement's execution.
  • Macro Processing. Navigate from the use of a macro to its definition (for source code).
  • Preprocessor Effects. See what code was compiled out of the build (for source code).

Click on the tabs above for screenshots of CodeSurfer's user interface and more information about the Programming API.


CodeSurfer call graphs include functions called indirectly via pointers. Layouts can be modified and saved.

GMOD analysis provides a list of all non-local variables that are modified or conditionally modified by a function (either immediately in the given function or transitively in one of its callees). The list includes heap-allocated variables. CodeSurfer also performs GREF analysis, which shows all the non-local variables a function uses (reads).

CodeSurfer shows where a variable gets its value. Right-clicking on an occurrence of a variable allows you to navigate to the statements that can assign its value. (Indirect assignments through pointers where the variable name does not occur textually also show up.) Only those assignments that can affect the value of the variable at this point in the program are displayed.

All CodeSurfer windows are cross-referenced. For example, right-clicking on a link in the call graph enables you to navigate to the call site in the code viewer. If there are several sites, a selection menu is provided. Even indirect call sites (via function pointers) show up.

The Finder provides advanced searching capabilities. For example, you can find all the uses of a specified variable's value—including indirect uses via pointers (where the variable name does not occur textually). Results are hyperlinked to the code.

CodeSurfer® Path Inspector

A CodeSurfer extension that helps you understand sequencing properties in programs.

The CodeSurfer Path Inspector™ is an optional extension for CodeSurfer that answers complex questions about the flow of execution, to help you understand a program's behavior.

Example Application:

Suppose that your application uses a DNS library, and the library contains an initialization function called initialize_dns. Before calling any other routines in the library, a program must call initialize_dns. You wonder if it is always true that initialize_dns is called before the other routines. Instead of manually wading through the code to answer this question, you can ask the CodeSurfer Path Inspector. The Path Inspector will either tell you that initialize_dns is always called first, or it will show you a counter example — an execution path of the program that calls one of the other functions in the DNS library without first calling initialize_dns.

Query Construction and Evaluation

Twenty-five query templates are provided. Each template is in the form of a state machine. The user specifies the transitions of the state machine by associating a set of program points with each transition. In the DNS example above, the query template used is called P occurs before R and is illustrated below.

P and R are sets of program points that the user specifies. For the DNS check, P and R are the following:

P = {entry of initialize_dns}

R = {entry of lookup_ip, entry of lookup_name, entry of check_reverse_dns}

Although all the program points in this example are the entries of functions, a program point can be almost anything, including any statement in the program. Once the query is specified, it can be run immediately or queued for batch processing at a later time. To evaluate the query, the Path Inspector takes the query automaton, crosses it with an automaton representing the program, and then does a reachability analysis.

CodeSurfer® API

An optional programmatic interface that provides access to all CodeSurfer internal representations.

CodeSurfer's API enables you to extend and customize CodeSurfer to meet your project-specific needs. For example, you can build specialized analyses or integrate CodeSurfer with other tools. The API is provided for both C and Scheme.

Leading companies worldwide have licensed the CodeSurfer Programmable Package for their program-analysis needs, and the CodeSurfer Programmable Package has been used by researchers at over 100 universities.

Included Features

The programming API is bundled with the CodeSurfer Programmable Package, which includes:

  • Full programmatic access to all program representations calculated by CodeSurfer. The Core API consists of 19 libraries that contain 322 fully-documented program-analysis functions. In addition, an Abstract Syntax Tree (AST) library with pattern matching is provided.
  • Development shell. An interactive script interpreter is provided so you can rapidly prototype your scripts.
  • Development tools. When you write a script, it is useful to view the details of CodeSurfer’s representation of a sample project. A collection of browsers is provided for this purpose.
  • Batch-mode processing. You can run scripts from the command line.

Program Representations

Deep-Structure Representations:

  • Normalized ASTs
  • Points-to information
  • Call graph
  • Indirect variable usage
  • Control and data dependence
  • Per-procedure non-local variable usage
  • Per-procedure I/O dependence

Surface-Structure Representations:

  • ASTs
  • Symbol table
  • Direct variable usage
  • CFGs
  • Basic blocks

Purchase CodeSurfer®

U.S. Pricing

CodeSurfer for C and C++ is available on terms detailed below. CodeSurfer/x86 is not currently available for sale to the public.

The CodeSurfer Programmable Package includes the GUI, the Path Inspector, and the scripting language / API.

U.S. pricing for a floating license is $6990, including the first year of maintenance. A minimum number of licenses is required.

International Pricing

Prices and terms may be different outside the United States. Please contact GrammaTech or one of our international distributors for more information.


A maintenance contract includes support via telephone or e-mail and access to new versions of CodeSurfer at no additional charge. Note that the standard maintenance contract does not include onsite support or training. Onsite support and/or training are available from GrammaTech or your distributor for an additional charge.


Currently CodeSurfer is available for Windows, Solaris on Sparc, and Linux.

System Requirements:

Languages: C and C++

Platforms: Windows XP SP2 or later, Linux, Solaris (8 or later)

Hardware: A 1.8GHz processor with 2GB RAM or better is recommended.

CodeSurfer® Academic Program

GrammaTech is pleased to offer qualified faculty members the CodeSurfer for C and C++ Programmable Package (one builder and three viewers) at no cost. CodeSurfer/x86 is not currently available to the public. Use of CodeSurfer is limited to non-profit use within academic units only. Maintenance is not included under this program; however, technical questions may be emailed to GrammaTech at

In exchange for the use of CodeSurfer, we ask that you please reference GrammaTech and our home page ( in papers and web pages in which you mention CodeSurfer.

If you are a non-faculty member who wishes to participate in this program, we ask that a faculty colleague complete the application on your behalf.

Interested? Check out some notable academic projects that are using CodeSurfer.

Apply to our Academic Program:

To apply for an academic license for CodeSurfer, please complete and submit the application form below.

Submitting the form will send your credentials to our sales representative, who will email you the following license agreement that must be signed by an authorized signer of your organization: Academic Program License.

Fields marked with * are required; we would greatly appreciate responses to the optional fields. We respect your privacy and will not provide this information to anyone else unless you allow us to do so.

Faculty Information
If you are a student who wishes to participate in this program, it is required that a faculty colleague complete the application on your behalf.
A valid academic email address is required.
Student Information
Will CodeSurfer be used for research or in a class?
Description of research in which CodeSurfer may be used
Description of Planned Educational Use for CodeSurfer
CodeSurfer Programmable Package

Part Number

The x in each part number is a placeholder for the selected platform. Currently CodeSurfer is available for Windows, Solaris on Sparc, and Linux.


CodeSurfer Programmable Package (Floating)
1 Front End, 1 Builder, 3 Viewer


Price Waived

This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Enter the characters shown in the image.