What Is Differential Analysis?
Differential analysis is an emerging technique in static analysis. Here, we break down what differential analysis is and how it works in static analysis.
What Is Differential Analysis?
Differential analysis is a form of “fast feedback” static code analysis. It uses system context data from previous analysis builds to analyze only the new and changed files. At the same time, it provides results as if the entire system had been analyzed.
This approach provides the shortest possible analysis times for the new and changed code — while maintaining the accuracy and detail of the analysis data.
Differential vs. Incremental Analysis
Differential analysis extends and improves on traditional incremental analysis, and it requires no prior analysis build of the software on your workstation. That also makes it well suited to DevOps CI/CD pipelines, where each job runs on a fresh machine instance or container that has no analysis history of its own.
A Closer Look at Fast Feedback Static Code Analysis
Static analysis helps keep your code free of costly security vulnerabilities and coding errors. However, on a large codebase it is hard to run an accurate pre-commit analysis efficiently, simply because of the size of the computational task.
Why Is Differential Analysis Important
Differential analysis is important because it shortens analysis times and gives developers faster feedback on the code they just changed.
Without Differential Analysis...
When you write code, you likely need to comply with quality, security, or coding standards. In general, this involves running a local or pre-commit analysis of your code.
But what if the code is already committed when the analysis is performed? You may already have moved on to another task. Fixing those issues could be pushed back further. It could even be pushed back as far as the final release cycle, when the backlog of open issues is presented to the development team.
A local or pre-commit analysis generally involves running an analysis of the entire codebase — complete with changes. It reports back the new issues.
This works perfectly well for smaller projects, but issues arise when dealing with larger codebases and longer analysis times.
Static analysis tools offer incremental analysis to address this.
With incremental analysis, a code change does not require a new analysis build of the entire system. Instead, the tool analyzes the changed files and any files that depend on them.
However, that can still be inefficient. In the worst case, analyzing the dependencies amounts to analyzing the entire codebase. Depending on the project, this can take anywhere from a few minutes to several hours.
That is why differential analysis matters: instead of re-analyzing the unchanged code and its dependencies, it reuses the interface behavior recorded for that code by a previous analysis build, so only the new and changed files are analyzed.
How Differential Analysis Works With Klocwork
Here's how differential analysis works with Klocwork.
1. Connect to a Server Project
Klocwork’s analysis works automatically when a local desktop project workspace is connected to a server project.
2. Run an Integration Analysis
Each time you run a Klocwork integration analysis and push the results to the Klocwork server, they are saved, and details of the interface behaviors of the existing codebase are made available to the client tools.
Each time you then run an analysis from your Klocwork desktop or CI tools, this interface behavior information serves as the baseline for the rest of the system context.
3. Run an Analysis of Changed Code
When analyzing changed code, Klocwork may encounter a call to a function or method that has not changed and therefore has not been analyzed locally. In that case, the interface behaviors stored in the central server data are used to inform the analysis of your code instead.
Examples of Differential Analysis With Klocwork
Here are some examples of differential analysis with Klocwork.
The null pointer initialized on line 11 is passed through the calls on lines 14 and 21 into sendMessage(..). There it is promptly dereferenced, and the program crashes. If you were to use one of Klocwork’s desktop tools (the command-line kwcheck tool or the Klocwork Desktop GUI) to analyze just main.c, you would not see any defects:
But, let’s say that you’ve got an integration build analysis checked into a project on your Klocwork server. If you were to connect your local project to that project and then re-analyze main.c, you would be able to see the defect:
However, the traceback does not show detail from sendMessage(..), because that function has not been analyzed locally. The knowledge base on the server does show that sendMessage(..) dereferences the third argument passed to it, and that is enough to report the defect.
With this, you should have enough information now to fix the defect before you commit your code — all without having to analyze your entire codebase.
Entire Project Analysis
But, what if you were to analyze the whole project at once? You would see the detail in the traceback about the sendMessage(..):
The knowledge base on the server is based on the most recent analysis checked in there. This is likely the last analysis of your project’s main codebase.
As a result, the knowledge base records for certain functions may differ from the records that analyzing the code in your own workspace would produce.
This is beneficial, because the code you are committing will soon be merged into your mainline, and the server records reflect that mainline. The defects you see now are the ones that will likely appear after the merge.
With this type of analysis, you get:
- A preview of the defects you’ll get after merging.
- A chance to fix them ahead of time.
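To make steps 2 and 3 above and the main.c walk-through concrete, here is a small simulation written for this page. It is not Klocwork's code and not the article's C listing; functions are written in a tiny instruction form instead of C, and the names main, prepare, sendMessage, main.c and message.c are constructed to mirror the scenario. A summary of which parameter positions a function dereferences stands in for the server's interface-behavior records. Running it reproduces the three outcomes described: nothing when main.c is analyzed alone, a defect whose traceback ends at the server record when the workspace is connected, and the full traceback when the whole project is analyzed.

```python
"""Summary-based differential analysis, simulated (added example, not Klocwork's code)."""

# Constructed program mirroring the article's scenario: main() creates a null
# pointer and passes it through prepare() into sendMessage(), which
# dereferences its third parameter. main.c is the changed file; message.c is
# untouched and, on the desktop, is known only through the server summary.
PARAMS = {"main": [], "prepare": ["p"], "sendMessage": ["sock", "flags", "msg"]}
PROGRAM = {
    "main.c": {
        "main": [("null", "buf"), ("call", "prepare", ["buf"]), ("return",)],
        "prepare": [("nonnull", "sock"), ("call", "sendMessage", ["sock", "flags", "p"]), ("return",)],
    },
    "message.c": {
        "sendMessage": [("deref", "sock"), ("deref", "msg"), ("return",)],
    },
}


def summarize(name, funcs, known):
    """Parameter indices that `name` dereferences, using `known` summaries for callees."""
    params, derefed = PARAMS[name], set()
    for stmt in funcs[name]:
        if stmt[0] == "deref" and stmt[1] in params:
            derefed.add(params.index(stmt[1]))
        elif stmt[0] == "call":
            _, callee, args = stmt
            for i in known.get(callee, set()):           # callee derefs its i-th parameter
                if i < len(args) and args[i] in params:  # and we passed one of ours there
                    derefed.add(params.index(args[i]))
    return derefed


def build_knowledge_base(program):
    """Integration build: a summary for every function, iterated to a fixpoint."""
    funcs = {n: body for file in program.values() for n, body in file.items()}
    kb = {}
    for _ in range(len(funcs) + 1):
        kb = {n: summarize(n, funcs, kb) for n in funcs}
    return kb


def analyze(name, funcs, kb, nulls, trace):
    """Walk `name` knowing which variables are null; return a list of defect tracebacks.
    The toy program has no recursion, so no cycle guard is needed here."""
    defects, nulls, trace = [], set(nulls), list(trace)
    for stmt in funcs[name]:
        if stmt[0] == "null":
            nulls.add(stmt[1])
            trace.append(f"{name}: '{stmt[1]}' initialized to null")
        elif stmt[0] == "nonnull":
            nulls.discard(stmt[1])
        elif stmt[0] == "deref" and stmt[1] in nulls:
            defects.append(trace + [f"{name}: dereference of null '{stmt[1]}'"])
        elif stmt[0] == "call":
            _, callee, args = stmt
            null_args = {i for i, a in enumerate(args) if a in nulls}
            if not null_args:
                continue
            step = trace + [f"{name}: call {callee}({', '.join(args)})"]
            if callee in funcs:  # analyzed locally: descend for a full traceback
                defects += analyze(callee, funcs, kb, {PARAMS[callee][i] for i in null_args}, step)
            else:                # unchanged code: rely on the server summary; traceback ends here
                for i in sorted(null_args & kb.get(callee, set())):
                    defects.append(step + [f"{callee}: dereferences argument {i + 1} (server knowledge base)"])
    return defects


def run_analysis(program, files, kb=None):
    """Analyze only `files`; everything else is visible only through `kb`."""
    funcs = {n: body for f in files for n, body in program[f].items()}
    defects = []
    for name in funcs:
        if not PARAMS[name]:  # entry points: functions that take no arguments
            defects += analyze(name, funcs, kb or {}, set(), [])
    return defects


if __name__ == "__main__":
    kb = build_knowledge_base(PROGRAM)
    print("main.c alone, not connected:", run_analysis(PROGRAM, ["main.c"]))
    print("main.c with server knowledge base:", run_analysis(PROGRAM, ["main.c"], kb))
    print("whole project:", run_analysis(PROGRAM, list(PROGRAM)))
```

The second run is the differential case: prepare() is analyzed locally because it lives in the changed file, but sendMessage() is not, so the null argument is matched against the server's summary and the traceback stops at "dereferences argument 3". The third run descends into sendMessage() and names the exact dereference, which is the extra detail the whole-project analysis provides.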
Why Use Klocwork For Differential Analysis?
In addition to differential analysis, Klocwork has other analysis and DevOps features that can enable you to:
- Ensure that complex software is secure, safe, and reliable.
- Reduce the cost of finding and fixing defects earlier in development.
- Prove compliance by enforcing software coding standards.
- Improve developer productivity, testing efforts, and velocity of software delivery.
- Report on quality over time and across product versions.
See for yourself why Klocwork is the best solution for fast feedback static code analysis and beyond. Sign up for our next live demo to learn more.