A code browser that understands pointers, indirect function calls, and whole-program effects.

Static Analysis from GrammaTech

CodeSurfer is the most sophisticated code browser available for C/C++ or x86 machine code; it is the static analysis tool of choice for organizations that manually review software for critical applications. While CodeSonar is an automated static analysis tool that finds bugs and generates a report of defects in the code, CodeSurfer is a program-understanding tool that makes manually analyzing code more efficient.

Why CodeSurfer?

Many program-understanding tools interpret code loosely. In contrast, CodeSurfer does a precise analysis. Program constructs — including preprocessor directives, macros, and C++ templates (in the case of source code) and machine instructions (in the case of Intel x86 binaries) — are analyzed correctly. CodeSurfer calculates a variety of representations that can be explored through the graphical user interface or accessed through the optional programming API.

Notable features include:

  • Whole-Program Analysis. See any interactions among source files or within a whole binary executable.
  • Pointer Analysis. See which pointers point to which variables and procedures.
  • Call Graphs. See a complete call graph, including functions called indirectly via pointers.
  • GMOD/GREF Analysis. See all the globals a function uses or modifies.
  • Impact Analysis. See what statements depend on a selected statement or instruction.
  • Powerful Searching. Find information easily with precise searches.
  • Dataflow Analysis. Pinpoint where a variable was assigned its value.
  • Control Dependence Analysis. See the code that influences a statement's execution.
  • Macro Processing. Navigate from the use of a macro to its definition (for source code).
  • Preprocessor Effects. See what code was compiled out of the build (for source code).

CodeSurfer Path Inspector

A CodeSurfer extension that helps you understand sequencing properties in programs.

The CodeSurfer Path Inspector™ is an optional extension for CodeSurfer that answers complex questions about the flow of execution, to help you understand a program's behavior.

Example Application:

Suppose that your application uses a DNS library, and the library contains an initialization function called initialize_dns. Before calling any other routines in the library, a program must call initialize_dns. You wonder if it is always true that initialize_dns is called before the other routines. Instead of manually wading through the code to answer this question, you can ask the CodeSurfer Path Inspector. The Path Inspector will either tell you that initialize_dns is always called first, or it will show you a counterexample — an execution path of the program that calls one of the other functions in the DNS library without first calling initialize_dns.

Query Construction and Evaluation

Twenty-five query templates are provided. Each template is in the form of a state machine. The user specifies the transitions of the state machine by associating a set of program points with each transition. In the DNS example above, the query template used is called P occurs before R and is illustrated below.

P and R are sets of program points that the user specifies. For the DNS check, P and R are the following:

P = {entry of initialize_dns}

R = {entry of lookup_ip, entry of lookup_name, entry of check_reverse_dns}

Although all the program points in this example are the entries of functions, a program point can be almost anything, including any statement in the program. Once the query is specified, it can be run immediately or queued for batch processing at a later time. To evaluate the query, the Path Inspector takes the query automaton, crosses it with an automaton representing the program, and then does a reachability analysis.
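The evaluation described above can be sketched in a few lines. The following is an added example, not GrammaTech code and not the Path Inspector's implementation: it steps a three-state "P occurs before R" automaton alongside a toy program graph and searches the product for a violating state. The graph, the `main:*` program points and the state names are constructed for illustration, and calls are modelled as plain edges in one flat graph, which is a simplification.

```python
from collections import deque

# Program points from the DNS example; the "entry:" naming is an assumption.
P = {"entry:initialize_dns"}
R = {"entry:lookup_ip", "entry:lookup_name", "entry:check_reverse_dns"}

def step(q, point, p_set, r_set):
    """Query automaton for 'P occurs before R' (state names are hypothetical)."""
    if q != "start":
        return q                      # "p_seen" and "violation" are absorbing
    if point in p_set:
        return "p_seen"
    if point in r_set:
        return "violation"
    return "start"

def find_counterexample(cfg, entry, p_set, r_set):
    """BFS over (program point, query state); shortest violating path or None."""
    start = (entry, step("start", entry, p_set, r_set))
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        point, q = node
        if q == "violation":          # an R point was reached with no P before it
            path = []
            while node is not None:
                path.append(node[0])
                node = parent[node]
            return path[::-1]
        if q == "p_seen":
            continue                  # nothing past this point can violate the query
        for nxt in cfg.get(point, ()):
            succ = (nxt, step(q, nxt, p_set, r_set))
            if succ not in parent:
                parent[succ] = node
                queue.append(succ)
    return None

# Constructed program graph: one branch skips initialization.
BUGGY = {
    "entry:main": ["main:parse_args"],
    "main:parse_args": ["entry:initialize_dns", "main:fast_path"],
    "entry:initialize_dns": ["entry:lookup_ip"],
    "main:fast_path": ["entry:lookup_name"],
    "entry:lookup_ip": ["main:exit"],
    "entry:lookup_name": ["main:exit"],
}
# Same graph with the fast path routed through initialize_dns first.
FIXED = {**BUGGY, "main:fast_path": ["entry:initialize_dns"]}
```

Calling `find_counterexample(BUGGY, "entry:main", P, R)` returns the path through `main:fast_path`; on `FIXED` it returns `None`, meaning every path reaches a P point before any R point.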

CodeSurfer API

An optional programmatic interface that provides access to all CodeSurfer internal representations.

CodeSurfer's API enables you to extend and customize CodeSurfer to meet your project-specific needs. For example, you can build specialized analyses or integrate CodeSurfer with other tools. The API is provided for both C and Scheme. Leading companies worldwide have licensed the CodeSurfer Programmable Package for their program-analysis needs, and the CodeSurfer Programmable Package has been used by researchers at over 100 universities.

Included Features

The programming API is bundled with the CodeSurfer Programmable Package, which includes:

  • Full programmatic access to all program representations calculated by CodeSurfer. The Core API consists of 19 libraries that contain 322 fully-documented program-analysis functions. In addition, an Abstract Syntax Tree (AST) library with pattern matching is provided.
  • Development shell. An interactive script interpreter is provided so you can rapidly prototype your scripts.
  • Development tools. When you write a script, it is useful to view the details of CodeSurfer’s representation of a sample project. A collection of browsers is provided for this purpose.
  • Batch-mode processing. You can run scripts from the command line.

Program Representations

Deep-Structure Representations:

  • Normalized ASTs
  • Points-to information
  • Call graph
  • Indirect variable usage
  • Control and data dependence
  • Per-procedure non-local variable usage
  • Per-procedure I/O dependence

Surface-Structure Representations:

  • ASTs
  • Symbol table
  • Direct variable usage
  • CFGs
  • Basic blocks
