Building a Graph-Based Code Analysis Engine: Architecture Deep Dive
Most code analysis tools treat your codebase like a collection of isolated files. They parse each file into an Abstract Syntax Tree (AST), analyze it in isolation, and call it a day. But real software doesn't work in isolation—it's a web of interconnected relationships, dependencies, and data flows that span multiple files, modules, and even languages.
CodePrism takes a radically different approach: graph-based code analysis with a Universal AST. Instead of analyzing files in isolation, we build a unified graph representation of your entire codebase, enabling analysis that understands relationships, patterns, and behaviors that emerge at the system level.
Here's how we built an engine that can index 1000+ files per second and answer complex queries in sub-millisecond time.
The Problem with Traditional AST Approaches
Limitation 1: Language Silos
Traditional tools use language-specific ASTs:
JavaScript Parser → JavaScript AST
Python Parser → Python AST
TypeScript Parser → TypeScript AST
Each language has its own AST structure, making cross-language analysis nearly impossible:
// client.js
import { UserService } from './services/UserService';
class UserManager {
async getUser(id) {
return await UserService.fetchUser(id);
}
}
# services/user_service.py
class UserService:
def fetch_user(self, user_id):
return User.objects.get(id=user_id)
Traditional tools see these as completely separate entities. They can't understand that UserService.fetchUser() in JavaScript calls UserService.fetch_user() in Python (via an API), missing critical architectural relationships.
Limitation 2: Isolated File Analysis
Even within a single language, traditional ASTs analyze files independently:
# models/user.py
class User(Model):
def get_permissions(self):
return self.role.permissions
# services/auth.py
def check_permission(user, action):
return action in user.get_permissions() # This relationship is invisible to file-level AST
Traditional AST tools can tell you about the check_permission function and the User.get_permissions method separately, but they can't trace the data flow between them.
Limitation 3: Static Snapshots
Traditional ASTs represent code at a single point in time. When you modify a file, the entire AST needs to be rebuilt, making real-time analysis prohibitively expensive for large codebases.
The Universal AST Revolution
CodePrism's Universal AST solves these problems by creating a language-agnostic graph representation of code structures:
Universal Node Types
Instead of language-specific AST nodes, we use universal concepts:
#[derive(Debug, Clone)]
pub enum UniversalNode {
// Structural elements
Module { name: String, path: PathBuf, exports: Vec<Symbol> },
Class { name: String, methods: Vec<NodeId>, fields: Vec<NodeId> },
Function { name: String, parameters: Vec<Parameter>, return_type: Option<Type> },
// Relationship elements
Import { source: String, symbols: Vec<String>, kind: ImportKind },
Call { target: NodeId, arguments: Vec<NodeId> },
Reference { target: NodeId, context: ReferenceContext },
// Data flow elements
Assignment { target: NodeId, value: NodeId },
DataFlow { from: NodeId, to: NodeId, flow_type: FlowType },
}
This allows us to represent concepts from any language in a unified way:
// Python class representation
{
"type": "Class",
"name": "UserManager",
"language": "python",
"methods": ["authenticate", "get_profile"],
"base_classes": ["BaseManager"]
}
// JavaScript class representation
{
"type": "Class",
"name": "UserManager",
"language": "javascript",
"methods": ["authenticate", "getProfile"],
"extends": ["BaseManager"]
}
Both map to the same Universal AST structure, enabling cross-language analysis.
Relationship-First Design
Traditional ASTs focus on structure. Universal ASTs focus on relationships:
pub struct CodeGraph {
// Nodes store the "what"
nodes: HashMap<NodeId, UniversalNode>,
// Edges store the "how they connect"
edges: HashMap<NodeId, Vec<Edge>>,
// Indexes for fast queries
symbol_index: HashMap<String, Vec<NodeId>>,
type_index: HashMap<String, Vec<NodeId>>,
dependency_index: HashMap<NodeId, Vec<NodeId>>,
}
#[derive(Debug, Clone)]
pub struct Edge {
pub target: NodeId,
pub relationship: RelationshipType,
pub metadata: EdgeMetadata,
}
#[derive(Debug, Clone)]
pub enum RelationshipType {
Calls, // Function A calls Function B
Imports, // Module A imports from Module B
Inherits, // Class A inherits from Class B
References, // Symbol A references Symbol B
DataFlow, // Data flows from A to B
Controls, // A controls execution of B (if/loop/try)
}
This enables queries like:
- "Find all functions that call
authenticatedirectly or indirectly" - "Trace data flow from user input to database query"
- "Show all classes that inherit from
BaseModelacross all languages"
Cross-Language Intelligence
Language Adapters
Each language has an adapter that translates language-specific ASTs to Universal AST:
pub trait LanguageAdapter {
fn parse_file(&self, content: &str, path: &Path) -> Result<Vec<UniversalNode>>;
fn extract_relationships(&self, nodes: &[UniversalNode]) -> Vec<Edge>;
fn get_semantic_info(&self, node: &UniversalNode) -> SemanticInfo;
}
// Python Adapter
impl LanguageAdapter for PythonAdapter {
fn parse_file(&self, content: &str, path: &Path) -> Result<Vec<UniversalNode>> {
let python_ast = python_parser::parse(content)?;
let mut universal_nodes = Vec::new();
for py_node in python_ast.body {
match py_node {
// Convert Python class to Universal class
ast::Stmt::ClassDef(class) => {
universal_nodes.push(UniversalNode::Class {
name: class.name,
methods: self.extract_methods(&class.body),
fields: self.extract_fields(&class.body),
});
}
// Convert Python function to Universal function
ast::Stmt::FunctionDef(func) => {
universal_nodes.push(UniversalNode::Function {
name: func.name,
parameters: self.convert_parameters(&func.args),
return_type: self.infer_return_type(&func),
});
}
// ... handle other Python constructs
}
}
Ok(universal_nodes)
}
}
Cross-Language Pattern Recognition
With Universal AST, we can recognize patterns that span languages:
# Python: Repository pattern
class UserRepository:
def find_by_id(self, user_id):
return User.objects.get(id=user_id)
// JavaScript: Same pattern, different syntax
class UserRepository {
async findById(userId) {
return await User.findOne({ _id: userId });
}
}
Universal AST representation:
{
"pattern": "repository_pattern",
"instances": [
{
"language": "python",
"class": "UserRepository",
"method": "find_by_id"
},
{
"language": "javascript",
"class": "UserRepository",
"method": "findById"
}
],
"semantic_equivalence": 0.95
}
Real-Time Incremental Indexing
The Challenge
Large codebases change constantly. Rebuilding the entire Universal AST on every change is prohibitively expensive:
Traditional approach:
File changes → Rebuild entire AST → Re-analyze everything
Time: O(n) where n = total files
Our requirement:
File changes → Update only affected nodes → Sub-second response
Time: O(k) where k = affected nodes (typically k << n)
Incremental Update Algorithm
CodePrism uses a sophisticated incremental update system:
pub struct IncrementalIndexer {
graph: Arc<RwLock<CodeGraph>>,
file_hashes: HashMap<PathBuf, u64>,
dependency_graph: HashMap<PathBuf, Vec<PathBuf>>, // File A depends on File B
update_queue: Arc<Mutex<VecDeque<UpdateRequest>>>,
}
impl IncrementalIndexer {
pub async fn handle_file_change(&self, path: PathBuf) -> Result<()> {
// 1. Calculate what needs updating
let affected_files = self.calculate_affected_files(&path).await?;
// 2. Parse only changed files
let new_nodes = self.parse_affected_files(&affected_files).await?;
// 3. Update graph atomically
let mut graph = self.graph.write().await;
for (file_path, nodes) in new_nodes {
self.replace_file_nodes(&mut graph, &file_path, nodes).await?;
}
// 4. Update relationship indexes
self.rebuild_affected_indexes(&mut graph, &affected_files).await?;
Ok(())
}
async fn calculate_affected_files(&self, changed_file: &Path) -> Result<Vec<PathBuf>> {
let mut affected = HashSet::new();
let mut queue = VecDeque::new();
queue.push_back(changed_file.to_path_buf());
// BFS to find all files that might be affected
while let Some(file) = queue.pop_front() {
if affected.contains(&file) { continue; }
affected.insert(file.clone());
// Add files that depend on this file
if let Some(dependents) = self.dependency_graph.get(&file) {
for dependent in dependents {
queue.push_back(dependent.clone());
}
}
}
Ok(affected.into_iter().collect())
}
}
Dependency Tracking
We maintain a bidirectional dependency graph to know what needs updating:
# user.py changes
class User(Model): # <- This change affects everything that imports User
# Added new method
def get_full_name(self):
return f"{self.first_name} {self.last_name}"
Dependency analysis:
{
"changed_file": "models/user.py",
"direct_dependents": [
"services/user_service.py", // imports User
"views/user_views.py", // imports User
"tests/test_user.py" // imports User
],
"indirect_dependents": [
"api/user_api.py", // imports user_service
"templates/user_profile.html" // rendered by user_views
],
"update_strategy": "incremental",
"estimated_time": "45ms"
}
Performance Optimizations
Memory-Efficient Graph Storage
For large repositories (10M+ nodes), memory usage is critical:
// Instead of storing full nodes everywhere, use IDs with memory pools
pub struct CompactGraph {
// Memory pools for different node types
classes: Pool<ClassNode>,
functions: Pool<FunctionNode>,
variables: Pool<VariableNode>,
// Sparse adjacency lists for relationships
edges: HashMap<NodeId, SmallVec<[EdgeId; 4]>>, // Most nodes have few edges
// Compressed indexes using bloom filters for fast negative lookups
symbol_bloom: BloomFilter,
symbol_index: HashMap<u64, Vec<NodeId>>, // Hash-based symbol lookup
}
// Memory pool prevents fragmentation and enables cache-friendly access
pub struct Pool<T> {
items: Vec<T>,
free_slots: Vec<usize>,
generation: Vec<u32>, // Handle reuse detection
}
Query Optimization
Complex queries need sophisticated optimization:
pub struct QueryOptimizer {
statistics: GraphStatistics,
index_hints: HashMap<QueryPattern, IndexStrategy>,
}
impl QueryOptimizer {
pub fn optimize_query(&self, query: &Query) -> ExecutionPlan {
match query {
// "Find all functions that call X"
Query::FindCallers { target } => {
if self.statistics.call_fanout(target) < 100 {
ExecutionPlan::DirectIndex { index: "call_targets" }
} else {
ExecutionPlan::BidirectionalSearch {
from_target: true,
max_depth: 3
}
}
}
// "Trace data flow from A to B"
Query::TraceDataFlow { from, to } => {
let path_estimate = self.estimate_path_length(from, to);
if path_estimate < 50 {
ExecutionPlan::BreadthFirstSearch { max_depth: path_estimate + 2 }
} else {
ExecutionPlan::BidirectionalSearch {
from_source: true,
meet_in_middle: true
}
}
}
}
}
}
Parallel Processing
Heavy analysis operations use work-stealing parallelism:
pub async fn analyze_complexity_parallel(
&self,
paths: Vec<PathBuf>
) -> Result<HashMap<PathBuf, ComplexityReport>> {
use rayon::prelude::*;
let results: Result<Vec<_>, _> = paths
.par_iter() // Parallel iterator
.map(|path| {
let nodes = self.get_file_nodes(path)?;
let complexity = self.calculate_complexity_metrics(&nodes)?;
Ok((path.clone(), complexity))
})
.collect();
Ok(results?.into_iter().collect())
}
Sub-Millisecond Query Performance
Benchmark Results
Real performance numbers from CodePrism's engine:
Repository: 3,247 files, 1.2M nodes, 4.8M edges
Query Performance:
┌─────────────────────────────────────┬──────────┬─────────────┐
│ Query Type │ Time │ Cache Hit % │
├─────────────────────────────────────┼──────────┼─────────────┤
│ Simple symbol lookup │ 0.12ms │ 94% │
│ Function call tracing (depth 3) │ 0.48ms │ 67% │
│ Cross-file dependency analysis │ 2.1ms │ 23% │
│ Complex inheritance tracing │ 4.7ms │ 12% │
│ Full repository statistics │ 8.2ms │ 89% │
└─────────────────────────────────────┴──────────┴─────────────┘
Indexing Performance:
- Initial indexing: 1,247 files/second
- Incremental updates: 0.3ms average per file change
- Memory usage: 340MB for 1.2M nodes (284 bytes/node average)
Caching Strategy
Multi-level caching ensures fast repeated queries:
pub struct QueryCache {
// L1: Hot queries (LRU, 1000 entries)
hot_cache: Arc<Mutex<LruCache<QueryHash, QueryResult>>>,
// L2: Warm queries (compressed, 10k entries)
warm_cache: Arc<RwLock<HashMap<QueryHash, CompressedResult>>>,
// L3: Statistical cache (query patterns and hints)
stats_cache: Arc<RwLock<HashMap<QueryPattern, QueryStatistics>>>,
}
impl QueryCache {
pub async fn get_or_compute<F, R>(&self, query: Query, compute: F) -> Result<R>
where
F: FnOnce() -> Result<R>,
R: Clone + Serialize + for<'de> Deserialize<'de>,
{
let query_hash = self.hash_query(&query);
// L1 check
if let Some(result) = self.hot_cache.lock().await.get(&query_hash) {
return Ok(result.clone());
}
// L2 check
if let Some(compressed) = self.warm_cache.read().await.get(&query_hash) {
let result = self.decompress_result(compressed)?;
// Promote to L1
self.hot_cache.lock().await.put(query_hash, result.clone());
return Ok(result);
}
// Compute and cache
let result = compute()?;
// Store in both L1 and L2
self.hot_cache.lock().await.put(query_hash, result.clone());
let compressed = self.compress_result(&result)?;
self.warm_cache.write().await.insert(query_hash, compressed);
Ok(result)
}
}
Index Design
Multiple specialized indexes for different query patterns:
pub struct GraphIndexes {
// Symbol resolution
pub symbol_to_nodes: HashMap<String, Vec<NodeId>>,
pub fuzzy_symbol_index: FuzzyIndex,
// Relationship traversal
pub call_graph: AdjacencyList, // Who calls whom
pub dependency_graph: AdjacencyList, // Who depends on whom
pub inheritance_tree: Tree<NodeId>, // Class hierarchies
// Content search
pub content_index: InvertedIndex, // Full-text search
pub pattern_index: RegexIndex, // Pattern matching
// Performance-critical paths
pub hot_path_cache: HashMap<(NodeId, NodeId), Vec<NodeId>>, // Common traversals
}
Real-World Performance Case Study
Before: Traditional AST Analysis
Client repository: 2,847 Python files, Django web application
Analysis performance:
Full repository scan: 34.2 seconds
Symbol lookup: 230ms average
Dependency analysis: 4.1 seconds
Inheritance tracing: 1.8 seconds
Memory usage: 1.2GB
Total analysis workflow: 42.3 seconds
After: Universal AST + Graph Analysis
Same repository with CodePrism's engine:
Analysis performance:
Initial indexing: 2.8 seconds
Symbol lookup: 0.15ms average
Dependency analysis: 12ms
Inheritance tracing: 8ms
Memory usage: 187MB
Total analysis workflow: 0.9 seconds (47x faster!)
The Difference
# Traditional approach: Re-parse everything for each query
def find_all_subclasses(class_name):
subclasses = []
for file_path in all_python_files(): # 2,847 iterations
ast = parse_file(file_path) # Parse every file
for node in ast_walker(ast): # Walk every node
if isinstance(node, ClassDef) and inherits_from(node, class_name):
subclasses.append(node)
return subclasses
# Time: O(files × nodes_per_file) = O(n²)
# CodePrism approach: Use pre-built graph indexes
def find_all_subclasses(class_name):
base_class_id = self.symbol_index.get(class_name)
return self.inheritance_tree.get_descendants(base_class_id)
# Time: O(log n) for lookup + O(k) for results where k = number of subclasses
Language-Specific Optimizations
Python: Handling Dynamic Features
Python's dynamic nature requires special handling:
impl PythonAdapter {
fn handle_dynamic_imports(&self, node: &ast::Import) -> Vec<UniversalNode> {
match &node.module {
// Static import: easy case
Some(module) if module.chars().all(|c| c.isalnum() || c == '_' || c == '.') => {
vec![UniversalNode::Import {
source: module.clone(),
kind: ImportKind::Static
}]
}
// Dynamic import: harder case
_ => {
// Use heuristics and runtime analysis
let possible_modules = self.resolve_dynamic_import(node);
possible_modules.into_iter().map(|module| {
UniversalNode::Import {
source: module,
kind: ImportKind::Dynamic { confidence: 0.7 }
}
}).collect()
}
}
}
fn analyze_metaclasses(&self, class_def: &ast::ClassDef) -> Option<MetaclassInfo> {
// Handle complex metaclass hierarchies
for keyword in &class_def.keywords {
if keyword.arg.as_ref().map(|s| s.as_str()) == Some("metaclass") {
return Some(self.resolve_metaclass(&keyword.value));
}
}
// Check for implicit metaclasses from base classes
for base in &class_def.bases {
if let Some(metaclass) = self.infer_metaclass_from_base(base) {
return Some(metaclass);
}
}
None
}
}
JavaScript: Handling Prototypal Inheritance
JavaScript's prototype chain requires special graph representation:
impl JavaScriptAdapter {
fn build_prototype_chain(&self, class_node: &UniversalNode) -> Vec<Edge> {
let mut edges = Vec::new();
// Handle ES6 class inheritance
if let Some(extends_clause) = self.extract_extends_clause(class_node) {
edges.push(Edge {
target: self.resolve_symbol(&extends_clause),
relationship: RelationshipType::Inherits,
metadata: EdgeMetadata::new("es6_class_inheritance"),
});
}
// Handle prototype-based inheritance
if let Some(prototype_assignment) = self.find_prototype_assignment(class_node) {
edges.push(Edge {
target: self.resolve_prototype_target(&prototype_assignment),
relationship: RelationshipType::Inherits,
metadata: EdgeMetadata::new("prototype_inheritance"),
});
}
edges
}
}
Future Optimizations
Machine Learning-Based Query Optimization
pub struct MLQueryOptimizer {
model: LoadedModel,
feature_extractor: QueryFeatureExtractor,
performance_history: HashMap<QuerySignature, PerformanceMetrics>,
}
impl MLQueryOptimizer {
pub fn predict_optimal_strategy(&self, query: &Query) -> ExecutionStrategy {
let features = self.feature_extractor.extract(query);
let prediction = self.model.predict(&features);
match prediction.strategy_class {
0 => ExecutionStrategy::DirectIndex,
1 => ExecutionStrategy::BreadthFirstSearch,
2 => ExecutionStrategy::BidirectionalSearch,
_ => ExecutionStrategy::Adaptive,
}
}
}
GPU-Accelerated Graph Traversal
For extremely large codebases (100M+ nodes), GPU acceleration becomes valuable:
pub struct GpuGraphTraversal {
cuda_context: CudaContext,
adjacency_matrix: GpuMatrix,
node_features: GpuTensor,
}
impl GpuGraphTraversal {
pub async fn parallel_bfs(&self, start_nodes: &[NodeId], max_depth: u32) -> Result<Vec<Path>> {
// Upload graph data to GPU
let gpu_graph = self.upload_graph_to_gpu().await?;
// Run parallel BFS kernel
let kernel = self.cuda_context.load_kernel("parallel_bfs.cu")?;
let results = kernel.launch(gpu_graph, start_nodes, max_depth).await?;
// Download results
self.download_paths_from_gpu(results).await
}
}
Conclusion: The Graph Advantage
CodePrism's graph-based Universal AST approach fundamentally changes what's possible in code analysis:
Traditional AST: "What does this file contain?"
Universal AST: "How does this code connect to everything else?"
Traditional Analysis: File-by-file, language-specific, batch processing
Graph Analysis: System-wide, language-agnostic, real-time updates
Traditional Performance: O(n) scaling, expensive queries, cold starts
Graph Performance: Sub-linear scaling, cached results, incremental updates
The result is a code intelligence platform that doesn't just analyze code—it understands code as part of a living, breathing system of relationships and dependencies.
When your AI assistant can see these connections, it can provide insights that go far beyond what any traditional tool can offer. It can trace data flows across languages, identify architectural patterns that span modules, and understand the true impact of proposed changes.
That's the power of thinking in graphs instead of trees. That's the CodePrism difference.
Want to see graph-based analysis in action? Try CodePrism's tools and experience the difference that true code intelligence makes.
Next in our series: "18 Tools, Zero Failures: How We Built Production-Ready MCP Integration"