Static and dynamic code analysis

I found several questions on this topic, all of them with a large number of links, but I still do not have a clear idea about this, because most links refer to specific tools and not to the concept of analysis in general. So I have a few questions:

About static analysis: 1. I would like a link, or a summary, of which methods are successful and highly relevant these days. 2. What can they really do to detect errors? Can we make a summary, or does it depend on the tool?

About symbolic execution: 1. Where does symbolic execution belong? I think it depends on the approach, so I would like to know whether it is dynamic analysis or a combination of static and dynamic analysis, if possible.

I find it hard to differentiate the two methods in the tools, even though I think I know the theoretical differences.

I actually work with C. Thank you in advance.

+4
2 answers

I will try to give a short answer:

Static analysis examines the syntactic structure of the code and draws conclusions about the behavior of the program. These conclusions are not always correct.

A typical example of static analysis is data-flow analysis, where you compute sets such as used, read and written for each statement. This helps find, for example, uninitialized values.

You can also check the code against code patterns. Thus, these tools can be used to verify that you follow a particular coding standard. A typical example of a coding standard is MISRA. This coding standard is used for safety-critical systems and avoids problematic constructs in C. Thus you can already say a lot about the robustness of your applications against memory leaks, dangling pointers, etc.

Dynamic analysis considers not only syntax but also state information. In symbolic execution, you add assumptions about the possible values of all variables at each statement.

The most expensive and powerful method of dynamic analysis is model checking, where you really look at all possible states of the system. You can think of a model-checked system as one that has been tested with 100% coverage - but, of course, there are many practical problems that prevent real systems from being verified this way.

These methods are very effective, and you can learn a lot from static code analysis tools, especially when combined with a good coding standard.

One feature that really impressed my development team, for example, is that it tells you in C++ when a class with virtual methods does not have a virtual destructor. Easy to check, actually, but very useful.

Commercial tools are very expensive, but they are worth the money once you learn how to use them. A typical problem at the beginning is that you get a lot of false alarms and do not know where to look for the real problem.

Note that g++ currently has some of this built in, and that you can use something like the free pclint.

Sorry - this is quite long ... I hope it is interesting.

+7

The term "static analysis" means that the analysis does not actually run the code. "Dynamic analysis", on the other hand, runs the code and therefore requires some kind of real test input. That is the definition. Nothing more.

Static analysis uses various formal methods, such as abstract interpretation, model checking and symbolic execution. In general, abstract interpretation or model checking is suitable for software verification. Symbolic execution is more suitable for bug detection.

Symbolic execution is classified as static analysis. However, there is a hybrid method called concolic execution, which uses both symbolic execution and dynamic testing.

Added in response to Zane's comment:

Perhaps my explanation was a bit confusing.

The difference between software verification and bug detection is whether the analysis is sound or not. For example, when we say that a buffer-overflow analyzer is sound, this means that the analyzer must report all possible buffer overflows. If the analyzer reports nothing, this proves that there is no buffer overflow in the target program. Since model checking is a method that guarantees soundness, it is mainly used for software verification.

On the other hand, symbolic execution, which is actively used today by most commercial static analyzers, does not guarantee soundness, because a sound analysis initially produces lots and lots of false positives. For bug detection, it is more important to reduce false positives, even if some true positives are lost as a result.

In short:

  • soundness: no false negatives

  • completeness: no false positives

  • software verification: soundness is more important than completeness

  • bug detection: completeness is more important than soundness

+2
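A toy version of the data-flow analysis the first answer mentions (tracking what each statement reads and writes to find uninitialized values), added here as an example and not part of either answer. It also illustrates the second answer's soundness/completeness point: the may-analysis reports every read that is uninitialized on some path of the control-flow graph (no false negatives), but the correlated-branch sample shows a false positive. The CFG format, block names and both sample programs are constructed for this example.

```python
from collections import deque

# Constructed sample, modelled on this C fragment (c is a parameter):
#   int x, y, r;  if (c) x = 1; else y = 2;  r = x + y;
# A block is a list of (defined_var, [read_vars]) statements plus successors.
DIAMOND_CFG = {
    "entry": {"stmts": [(None, ["c"])],      "succ": ["then", "else"]},
    "then":  {"stmts": [("x", [])],           "succ": ["join"]},
    "else":  {"stmts": [("y", [])],           "succ": ["join"]},
    "join":  {"stmts": [("r", ["x", "y"])],   "succ": []},
}
# Constructed sample with correlated branches:
#   int x, r;  if (c) x = 1;  if (c) r = x;
# Every feasible path that reads x also assigns it, yet a path-insensitive
# may-analysis still flags the read: a false positive (sound, not complete).
CORRELATED_CFG = {
    "entry": {"stmts": [(None, ["c"])], "succ": ["set_x", "test2"]},
    "set_x": {"stmts": [("x", [])],      "succ": ["test2"]},
    "test2": {"stmts": [(None, ["c"])], "succ": ["use_x", "exit"]},
    "use_x": {"stmts": [("r", ["x"])],   "succ": ["exit"]},
    "exit":  {"stmts": [],               "succ": []},
}

def possibly_uninit_reads(cfg, entry="entry", params=()):
    """Return sorted (block, var) pairs where var may be read before assignment.

    Forward may-analysis: the state is the set of variables that are still
    uninitialized on at least one path reaching this point; merging with set
    union keeps the result sound (no false negatives) but admits false positives.
    """
    all_vars = {v for blk in cfg.values() for d, uses in blk["stmts"]
                for v in (d, *uses) if v}
    in_state = {name: set() for name in cfg}
    in_state[entry] = all_vars - set(params)   # parameters arrive initialized
    worklist, findings = deque([entry]), set()
    while worklist:
        name = worklist.popleft()
        state = set(in_state[name])
        for defined, uses in cfg[name]["stmts"]:
            findings.update((name, v) for v in uses if v in state)
            state.discard(defined)             # an assignment initializes it
        for succ in cfg[name]["succ"]:
            if not state <= in_state[succ]:    # new facts: re-analyze successor
                in_state[succ] |= state
                worklist.append(succ)
    return sorted(findings)

if __name__ == "__main__":
    print(possibly_uninit_reads(DIAMOND_CFG, params=("c",)))     # [('join', 'x'), ('join', 'y')]
    print(possibly_uninit_reads(CORRELATED_CFG, params=("c",)))  # [('use_x', 'x')]
```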

Source: https://habr.com/ru/post/1439662/

