What is Static Analysis
• Static analysis is the process of examining source code prior to compilation (and execution)
• Static analysis can diagnose:
  • Quality aspects such as maintainability, reliability, understandability and complexity
  • Testing issues
  • Coding standard compliance issues
  • Best programming practices, unsafe programming constructs and coding defects
Static Analysis
• Automated Static Analysis
  • Syntactic Analysis
  • Data Use Analysis
  • Interface Analysis
  • Control Flow Analysis
  • Information Flow Analysis
  • Program Slicing
  • Path Analysis
• Reviews
  • Requirements Review
  • Use Case Review
  • Architecture Review
  • High Level Design Review
  • Code Review and Inspections
  • Test Review
• Software Metrics
  • Cyclomatic Complexity
  • Halstead Suite
  • LOC
  • Etc.
Automated Static Analysis
Analyzes your program without executing it
• Doesn’t depend on having good test cases, or even any test cases
• Generally, doesn’t know what your software is supposed to do
• Looks for violations of reasonable programming practice
  • Shouldn’t throw an NPE
  • Shouldn’t allow SQL injection
• Not a replacement for testing
  • Very good at finding problems on untested paths
  • But many defects can’t be found with static analysis
Can you Find the Bug?
    if (listeners == null)
        listeners.remove(listener);
Source: JDK1.6.0, b105, sun.awt.x11.XMSelection lines 243-244
Can you Find the Bug?
    import java.io.InputStreamReader;
    import java.io.BufferedReader;
    import java.io.IOException;

    public class CodingHorror {

        public static void main(String args[]) {

            InputStreamReader isr = new InputStreamReader(System.in);
            BufferedReader br = new BufferedReader(isr);
            String input = null;
            try {
                input = br.readLine(); // e.g., peel
            } catch (IOException ioex) {
                System.err.println(ioex.getMessage());
            }
            input.replace('e', 'o');
            if (input == "pool") {
                System.out.println("User entered peel.");
            } else {
                System.out.println("User entered something else.");
            }
        }
    }
What is the Bug here?
    /** Construct a WebSpider */
    public WebSpider() {
        WebSpider w = new WebSpider();
    }
What is the Bug here?
    public String foundType() {
        return this.foundType();
    }
Why do Bugs Occur?
Nobody is perfect
• Common types of errors:
  • Misunderstood language features, API methods
  • Typos (using the wrong boolean operator, forgetting parentheses or brackets, etc.)
  • Misunderstood class or method invariants
• Everyone makes syntax errors, but the compiler catches them
• What about bugs one step removed from a syntax error?
What is Static Testing
• Static testing is using static analysis as part of the test trajectory
• Static and dynamic testing are complementary: static analysis does not replace dynamic testing, but can significantly reduce dynamic testing effort
• Static testing achieves 100% statement coverage
• Including explicit static analysis in test coverage:
  • Improves overall test quality and test planning
  • Results in shorter dynamic testing time
  • Allows a stronger testing focus on complex and crucial modules
[Figure: Defect Removal Cost by phase (Static Analysis, Unit Testing, Integration Testing, Acceptance Testing), grouped into Static Testing and Dynamic Testing]
Cost of defect removal rises exponentially for defects found later in the development cycle
[Figure: time spent on coding, automated static analysis (ASA), compiling and dynamic testing]
Time (cost) required for ASA is low
[Figure: Defects (0 to 140,000) against Lines of code (1M to 10M), with and without static analysis. Source: Capers Jones, Software Productivity Group, Inc.]
Impact (benefit) of ASA is high
Static Analysis may reduce defects by a factor of 6!
Software Manager Findings on Static Analysis
• We proved the tight relationship between static analysis and the reduction of support efforts on released software products.
Dr. Thomas Liedtke and Dr. Christian Ebert, Alcatel AG in Stuttgart, Germany
On the Benefits of Reinforcing Code Inspection Activities, EuroStar 1995
Analyst Findings on Static Analysis
• 60% of the software faults that were found in released software products could have been detected by means of static analysis
Bloor Research Ltd., UK, CAST Tools report of 1996
Researcher Findings on Static Analysis
• On average, 40% of the faults that could be found through static analysis will eventually become a defect in the field.
Professor Dr. Les Hatton, University of Kent
Stages of Automated Static Analysis
• Syntactic Analysis
• Data Use Analysis
• Control Flow Analysis
• Interface Analysis
• Program Slicing
• Information Flow Analysis
• Path Analysis
Stages of Static Analysis
• Syntactic analysis
  • Coding standards
  • Missing statements, e.g. in switch statements:
        switch (expr) {
            case c1: statements // do these if expr == c1
                break;
            case c2: statements // do these if expr == c2
                break;
            case c2:
        }
What is the Error in this Code?
    class TestResourceLeak {
        public CoreResponse process(Entity entity) throws ResourceException {
            CoreResponse coreresponse = new CoreResponse();
            DatabaseConnection dbcon = new DatabaseConnection();
            Connection con1 = null;
            Connection con2 = null;
            // getting the database connection
            try {
                con1 = dbcon.getConnection();
                con2 = dbcon.getConnection();
                ...
            } catch (Exception e) {
                con1.close();
                throw new ResourceException(e.getMessage(), e);
            }
            con1.close();
            return coreresponse;
        }
    }
Data Use Analysis
• Aim is to identify data flows that do not conform to sound programming practices, e.g. variables that are not read before they are written; inactive code.
• A purely symbolic form of analysis, i.e. no specific data values are considered.
• Based upon a number of relationships between variables and expressions.
• Process involves annotating a program flow graph with each data object definition (D), usage (U) and elimination (E).
• Analysis involves flow graph traversal, e.g. DD paths suggest redundancy, DE paths are most likely to be bugs.
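The D/U/E traversal described above, worked on a straight-line block, as an added example that is not part of the slides: each statement is annotated with the variables it defines and uses, leaving the block eliminates every variable, and the walk reports UR (read before written), DD (redundant store) and DE (dead store) paths. The `Stmt` record, the `SAMPLE` block and its parameter set are constructed for this example.

```python
from typing import NamedTuple

class Stmt(NamedTuple):
    text: str
    defs: frozenset   # variables this statement defines (D)
    uses: frozenset   # variables this statement reads (U)

def data_use_anomalies(block, entry):
    """Walk a straight-line block in order, recording per variable the last
    event seen: 'P' (defined on entry, e.g. a parameter), 'D' (defined), 'U' (used).
    Leaving the block eliminates (E) every variable. Reported paths:
      UR  use with no prior definition (read before written)
      DD  definition overwritten before any use (redundant store)
      DE  definition never used before elimination at block end (dead store)
    Each finding is (kind, variable, index of the offending statement)."""
    last = {v: ("P", -1) for v in entry}
    findings = []
    for i, s in enumerate(block):
        for v in sorted(s.uses):        # reads happen before the statement's own writes
            if v not in last:
                findings.append(("UR", v, i))
            last[v] = ("U", i)
        for v in sorted(s.defs):
            if v in last and last[v][0] == "D":
                findings.append(("DD", v, last[v][1]))   # the earlier def is the dead one
            last[v] = ("D", i)
    for v, (event, i) in sorted(last.items()):   # block end: elimination of every variable
        if event == "D":
            findings.append(("DE", v, i))
    return findings

# Constructed Java-like method body; 'prices' and 'name' are its parameters.
SAMPLE = [
    Stmt("int total = 0;",          frozenset({"total"}), frozenset()),
    Stmt("total = prices.length;",  frozenset({"total"}), frozenset({"prices"})),
    Stmt("int i = idx;",            frozenset({"i"}),     frozenset({"idx"})),
    Stmt("String label = name;",    frozenset({"label"}), frozenset({"name"})),
    Stmt("return total + i;",       frozenset(),          frozenset({"total", "i"})),
]
SAMPLE_ENTRY = {"prices", "name"}

if __name__ == "__main__":
    for kind, var, i in data_use_anomalies(SAMPLE, SAMPLE_ENTRY):
        print(f"{kind} on {var!r} at statement {i}: {SAMPLE[i].text}")
```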
Control Flow Analysis
• Aim is to detect poorly structured code, e.g. multiple exits from a loop, dead code, etc.
• Process again typically involves translating the program into a flow graph.
• By a process of repeated reduction, inaccessible code and certain classes of non-termination can be identified.
Program Slicing
• Program slicing involves focusing on a particular subset of variables within a given program.
• The parts of the program that are relevant to the subset of variables denote a program slice.
• Some applications:
  • Program testing & re-testing: provides focus with respect to test case design and the selection of regression tests.
  • Program comprehension: slicing provides a useful aid to understanding code where no documentation exists.
Types of Program Slicing
• Backward:
  • For a given statement S, a backward slice through a program contains all statements that affect whether control reaches S and also all statements that affect the value of variables that occur in S.
• Forward:
  • For a given statement S, a forward slice through a program contains all statements that are affected by S.
• Static:
  • A static program slice is calculated symbolically, i.e. it takes no account of concrete data values.
• Dynamic:
  • A dynamic program slice is calculated based upon particular data values.
Note that forward and backward slices can be calculated either statically or dynamically.
Program Slicing Example
Program
    read(X);
    read(Y);
    Q := 0;
    R := X;
    while R >= Y do
    begin
        R := R - Y;
        Q := Q + 1
    end;
    print(Q);
    print(R);
A Program Slice
    read(X);
    read(Y);
    R := X;
    while R >= Y do
    begin
        R := R - Y;
    end;
    print(R);
Program Slice for the variable ‘R’
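A static backward slicer for the structured programs of the slides above, added here as an example that is not from the deck: walking backwards, a statement is kept when it writes a variable that is still relevant (data dependence), and a loop is kept, with its condition variables made relevant, when its body contributes (control dependence), iterating to a fixpoint for loop-carried values. The `Stmt` record and `render` helper are assumptions of this example; `PROGRAM` transcribes the slide's program, and slicing on `print(R)` reproduces the slide's slice.

```python
from dataclasses import dataclass, field

@dataclass
class Stmt:
    text: str
    defs: frozenset = frozenset()             # variables written
    uses: frozenset = frozenset()             # variables read (for a loop: its condition)
    body: list = field(default_factory=list)  # loop body; empty for plain statements

def slice_block(block, relevant):
    """Backward pass over one block: `relevant` holds the variables that matter at its
    end; returns (kept statements in source order, variables relevant at its entry)."""
    kept = []
    for s in reversed(block):
        if s.body:  # loop: keep it only if its body contributes; then its condition
            rel = set(relevant)  # variables become relevant too (control dependence)
            while True:
                inner, rel_in = slice_block(s.body, rel)
                grown = rel | rel_in | s.uses   # loop-carried and condition variables
                if not inner or grown == rel:   # nothing relevant inside, or fixpoint
                    break
                rel = grown
            if inner:
                kept.append(Stmt(s.text, s.defs, s.uses, inner))
                relevant = rel
        elif s.defs & relevant:   # data dependence: this write feeds a relevant variable
            kept.append(s)
            relevant = (relevant - s.defs) | s.uses
    return kept[::-1], relevant

def backward_slice(program, criterion):
    # Static backward slice for the variables read by `criterion`, a top-level statement.
    kept, _ = slice_block(program[:program.index(criterion)], set(criterion.uses))
    return kept + [criterion]

def render(stmts, depth=0):
    # Flatten a (sliced) statement list back into indented source lines.
    lines = []
    for s in stmts:
        lines.append("  " * depth + s.text)
        if s.body:
            lines += render(s.body, depth + 1) + ["  " * depth + "end;"]
    return lines

PRINT_R = Stmt("print(R);", uses=frozenset("R"))
PROGRAM = [  # the slide's quotient/remainder program
    Stmt("read(X);", defs=frozenset("X")),
    Stmt("read(Y);", defs=frozenset("Y")),
    Stmt("Q := 0;", defs=frozenset("Q")),
    Stmt("R := X;", defs=frozenset("R"), uses=frozenset("X")),
    Stmt("while R >= Y do begin", uses=frozenset("RY"), body=[
        Stmt("R := R - Y;", defs=frozenset("R"), uses=frozenset("RY")),
        Stmt("Q := Q + 1", defs=frozenset("Q"), uses=frozenset("Q"))]),
    Stmt("print(Q);", uses=frozenset("Q")),
    PRINT_R,
]
```

Running `print("\n".join(render(backward_slice(PROGRAM, PRINT_R))))` prints the slide's slice for R; slicing on `print(Q)` instead keeps the whole loop body, since Q's loop exit depends on R and Y.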
Information Flow
• Exploits software annotations, i.e. meta-data that asserts properties that should hold at particular points during program execution.
SPARK based example:
    procedure Exchange(X, Y: in out Float)
    --# derives X from Y &
    --#         Y from X;
    is
        T: Float;
    begin
        T := X;
        X := Y;
        Y := T;
    end Exchange;
• Note: derives defines a dependency relation between variables that is checked against the code automatically by the SPARK Examiner static analyzer.
Use of Static Analysis in Secure Coding
• Security Vulnerabilities:
  • Cross-site Scripting (XSS)
  • SQL Injection
  • Command Injection
  • Buffer Overflows
  • Memory Leaks
  • Integer Overflows
FindBugs
JDK1.6.0-b105
• 379 correctness warnings
• we judge that at least 213 of these are serious issues that should be fixed
Google's Java codebase
• over a 6 month period, using various versions of FindBugs
• 1,127 warnings
• 807 filed as bugs
• 518 fixed in code