CMPUT 620 - Static Program Analysis


One can ask many interesting questions about a given program such as:

  • Does this program terminate?
  • Can the pointer `p` be null?
  • Will the value of the variable `v` be read in the future?
  • Do the variables `x` and `y` point to the same location in the heap?
  • Could the secret data pointed to by `s` leak to some unauthorized party?

The answer to all those interesting questions about a program is undecidable as stated by Rice’s Theorem. However, people usually use static program analysis to get approximate answers to those questions, which works well in many cases. For example, many bug finding tools (e.g., FindBugs) use various static analysis techniques to detect, and possibly fix, bugs in a given program. Additionally, security analysis tools (e.g., AppScan, FlowDroid) also use static analysis to detect security vulnerabilities and data leakages.

This course will introduce the main concepts behind static program analysis as well as discuss research papers that introduce the state-of-the-art in the field. The course will also discuss the static program analyses that work and those that do not work in practice. The course will be a mix of hands-on lectures and tool demos, paper discussions/presentations that are lead by the students, assignments, and a course project at the end of the semester.


  • Understand the basic concepts of static program analysis.
  • Explore the wide range of research that either directly or indirectly contribute to advancing the state-of-the-art of static program analysis.
  • Gain hands-on experience developing static program analyses.
  • Conduct research to solve a real-world problem using static program analysis.

Course Work

  • Presentations
  • Peer reviews
  • Paper reviews
  • Assignments
  • Project