Static Analysis

Question 1

Static Analysis

Answer 1

Testing code without executing it.

Question 2

Advantages of Dynamic testing over static

Answer 2

• Doesn’t require special tools.
• Don’t need special skills.
• Don’t require source code (blackbox)
• Testers do not have to be programmers.

Question 3

Disadvantage of dynamic testing

Answer 3

• Achieving complete code coverage can be hard or impossible.
• Some failures are hard to trigger, thus hard to find/reproduce.
• When you find a failure on a larger scale, can be hard to pinpoint.

Question 4

What are some static tools?

Answer 4

1. Typechecking
2. Code Quality analysis
3. Contract Verification

Question 5

What can we do to typecheck this function?

function onlyWorksOnNumbers(x) {
    return x*10;
}

Answer 5

can add (x: number) to parameter.

Question 6

What are some Java typecheck problems

Answer 6

• array index must be int.
• Java double to float or int fails.
• Cannot downcast objects.

Question 7

Static Type Checking

Answer 7

Checking source code prior to running to determine whether type rules have been respected.

Question 8

Name some languages with/without static type checking?

Answer 8

Java, C++, Go

JS, Python

Question 9

Why don’t all languages use strong static typing?

Answer 9

• Programmers prefer feel of languages without it.
• Risk of false positives for faults (creates error messages where there shouldn’t be.)
• Difficult to understand complex type errors.
• Evidence is inconclusive that it’s useful.

Question 10

When does strong static typing help?

Answer 10

When teams don’t understand language/ system used

Systems used a lot but not changed much (library core components).

Systems needing high integrity (low defects).

Question 11

Code Quality Analysis

Answer 11

Automated checking of source code for patterns indicative of errors.

ex. compiler warnings.

Question 12

Give an example of a compiler warning

Answer 12

if (a = b)

• Assignment in place of comparison warning.

if (launchApproved);

• Empty control flow statement
• Deprecated methods

Question 13

Why don’t compilers do most of the brunt CQA work?

Answer 13

They need to be fast and predictable.

So there are third party applications.

Question 14

Limitations of CQA

Answer 14

Can be huge output for large codebases (lots of noise). These can be slightly tuned for use. Need to build from a clean start.

Likely will not help you find serious misbehaviours of code, so perhaps an expensive waste of time.

Question 15

Contract Verification

Answer 15

Checks pre-conditions, post conditions and invariants of a class, also signals (exceptions).

Supports design by contracts style.

Question 16

Limitations of some Contract verification applications.

Answer 16

Sometimes doesn’t allow:

• Dynamic memory allocation
• Pointers
• Recursion
• Expression with side effects (print statements?)

Question 17

Where would you use Contract Verification?

Answer 17

When you need HIGH confidence of correctness. Like safety Critical systems.

• Nuclear plant
• Air Traffic control

Question 18

What are commonalities between Design By Contracts, Static Typing and CQA.

Answer 18

Provides a language to express powerful assertions that can be convincingly checked automatically or mostly so. Given the tools and expertises.