About Svace

Main Workflow

Step 1. Build

Just use your regular build command with svace build tool. Svace will launch and monitor the build process and collect all the necessary data for the analysis.

Step 2. Analyze

When the build phase is completed run svace analyze tool to start the analysis phase. Svace will perform lightweight AST checks and then will proceed to the main path– and context–sensitive interprocedural analysis of your code and produce some useful warnings.

Step 3. Review

Now you can import analysis results to Svace history storage. We provide a graphical web-based interface for reviewing warnings, comparing different runs, and hiding false warnings in subsequent runs on the same code.

Build

Build Interception

At the build phase, Svace monitors regular build process and detects particular events (e.g. invocations of a compiler, linker, archiver, etc.) for supported languages. Svace can analyze programs that are built on Intel x86/x86-64 Linux/Windows, ARM/ARM64 architectures. Popular C/C++ compilers for Linux and Windows are supported as well as a range of compilers for embedded systems.

IR Generation

Using a detailed original build process description Svace employs its own compiler to produce an IR suitable for the analysis purposes from your source code.

Analysis

Lightweight AST Checkers

IR that was obtained on the previous stage is first processed by the lightweight language–specific analyzers that look for simple coding errors.

Intraprocedural Analysis

During the main analysis phase, Svace utilizes DFA–like approach to perform an intraprocedural flow–sensitive analysis. Svace also uses static symbolic execution for path–sensitive analysis. The latter allows Svace to detect certain kinds of errors, that occur only on a specific program path.

Summary-based Interprocedural Analysis

For the interprocedural analysis, Svace uses function summaries, generated by the intraprocedural analysis. First, Svace engine constructs a program call graph. The main analysis phase is a single call graph traversal: callers are analyzed after callees. The engine utilizes the summary when it processes function calls (instead of revisiting callee's body), so it never analyzes the same function twice.

Warning Review & History

Svace Web Interface

Svace stores the results of the analysis in a database. We provide a graphical web-based interface for reviewing them. The interface allows marking the warnings as true or false positives. Your decision will be applied to the same warning for the subsequent analysis runs on the same code automatically.