Tools exist for analyzing software, whether in source code format or in binary code format, to identify errors or possible problems in the software or program. Such program analysis tools may output warnings or errors, thus allowing a developer of the program to make changes to the program to fix the program, if necessary.
One type of program analysis tool for source code or binary code is a lock analysis tool, sometimes known as a concurrency analysis tool, which exists to detect possible errors that may arise due to incorrect use of locks in multi-threaded applications. An exclusive lock may be used to “guard” a shared variable from concurrent access from different threads that would allow one thread to change the variable in a way that would interfere with the other thread.
When a thread acquires a lock, the thread becomes the lock owner, which blocks other threads from accessing the shared variable until the owner thread releases the lock. Thus, in order to ensure that accesses to a shared variable are protected, all accesses to the shared variable in the program may need to be preceded by a lock acquisition and succeeded by a lock release. In some programming languages, the burden may fall on the developer to ensure that accesses to a shared variable are always protected by a lock.
The situation in which a shared variable is accessed by at least two threads concurrently without being protected by a lock, and in which at least one of the accesses is a write, is often known as a “race condition.” Lock analysis tools may detect potentially problematic locking behavior, such as possible race conditions, by detecting when a variable is accessed without being protected by a lock.
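The check described above can be illustrated with a simplified lockset check, in the style of the Eraser algorithm, run over a recorded trace of lock and variable events. This is an added example, not part of the original text; the event format, the function name find_unguarded and the sample trace are assumptions constructed for illustration.

```c
#include <stdio.h>

/* Constructed trace format (an assumption of this example):
   id is a lock id for ACQUIRE/RELEASE and a variable id for READ/WRITE. */
enum op { ACQUIRE, RELEASE, READ, WRITE };
struct event { int thread; enum op op; int id; };

#define MAX_THREADS 8   /* thread ids and variable ids must be below 8 */
#define MAX_VARS 8

/* Returns a bitmask of variables that are accessed by at least two threads,
   with at least one write, and with no single lock held on every access. */
unsigned find_unguarded(const struct event *trace, int n)
{
    unsigned held[MAX_THREADS] = {0};  /* locks each thread holds right now */
    unsigned lockset[MAX_VARS];        /* locks held on every access so far */
    unsigned threads[MAX_VARS] = {0};  /* threads that touched the variable */
    unsigned written = 0, flagged = 0;
    for (int v = 0; v < MAX_VARS; v++)
        lockset[v] = ~0u;              /* candidate set starts as "all locks" */
    for (int i = 0; i < n; i++) {
        const struct event *e = &trace[i];
        switch (e->op) {
        case ACQUIRE: held[e->thread] |= 1u << e->id; break;
        case RELEASE: held[e->thread] &= ~(1u << e->id); break;
        case WRITE:   written |= 1u << e->id; /* fall through */
        case READ:
            lockset[e->id] &= held[e->thread];   /* intersect with held locks */
            threads[e->id] |= 1u << e->thread;
            break;
        }
    }
    for (int v = 0; v < MAX_VARS; v++) {
        int shared = (threads[v] & (threads[v] - 1)) != 0; /* more than one bit */
        if (shared && (written & (1u << v)) && lockset[v] == 0)
            flagged |= 1u << v;
    }
    return flagged;
}

/* Constructed sample: variable 0 is always accessed under lock 0; variable 1 is
   written by thread 0 under lock 0 but read by thread 1 with no lock held. */
static const struct event sample[] = {
    {0, ACQUIRE, 0}, {0, WRITE, 0}, {0, WRITE, 1}, {0, RELEASE, 0},
    {1, ACQUIRE, 0}, {1, READ, 0}, {1, RELEASE, 0}, {1, READ, 1},
};

int main(void)
{
    printf("unguarded variable mask: 0x%x\n",
           find_unguarded(sample, (int)(sizeof sample / sizeof sample[0])));
    return 0;
}
```

The check flags a variable from its locking discipline alone, so it reports a possible race even when the traced run happened to interleave safely.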
Another type of program analysis tool is a typestate analysis tool, which may perform typestate analysis on variables in the program. Typestate analysis may uncover errors in a sequential program flow that may indicate potential problems when particular operations intended to be invoked only on variables with appropriate states are invoked with variables having an inappropriate state for the operation. That is, typestate analysis may identify patterns in programs to indicate possible errors that arise when a state-dependent operation accesses a variable that is in a state in which the state-dependent operation may fail or cause an error condition to occur. Thus, accessing a variable in a state-dependent operation may lead to an error condition when that variable is associated with a particular set of type states. Yet, when the variable is associated with another set of type states, accessing that variable in a state-dependent operation may not cause an error.
One example of typestate analysis is NULL pointer analysis, which may detect if a pointer variable is being dereferenced when the type state of the pointer variable is NULL. As is known in the art, a pointer variable is intended to have a value indicating a memory location, so that dereferencing a pointer variable attempts to access the memory contents at that memory location. Dereferencing a pointer variable with a value of 0 (or NULL) in a program, however, may often lead to an error condition, including a possible program crash. A pointer with a value of 0 (or NULL) usually points to memory in a protected location (e.g., a protected memory page), and as such, an access to a memory location of 0 by a user-mode program will often cause an access violation exception, which may lead to a crash. Higher-level programming languages, such as C#, may have a more abstract interpretation of NULL in which an exception is generated in the runtime software.
Besides program analysis tools, developers may also make use of annotations. Annotations, such as those in the format of the program annotation language (SAL), designed by Microsoft Corporation, may describe the intended usage of certain aspects of the program. For example, annotations may describe how a function uses its parameters or return values—the assumptions the function makes about the parameters, and the guarantees the function makes upon its return.