Static Analysis Flashcards
Static Analysis
Testing code without executing it.
Advantages of Dynamic testing over static
- Doesn’t require special tools.
- Doesn’t need special skills.
- Doesn’t require source code (black box).
- Testers do not have to be programmers.
Disadvantages of dynamic testing
- Achieving complete code coverage can be hard or impossible.
- Some failures are hard to trigger, thus hard to find/reproduce.
- When you find a failure on a larger scale, it can be hard to pinpoint.
What are some static tools?
- Typechecking
- Code Quality analysis
- Contract Verification
What can we do to typecheck this function?
function onlyWorksOnNumbers(x) { return x*10; }
Add a type annotation to the parameter: (x: number).
What are some Java typecheck problems?
- array index must be int.
- Java double to float or int fails.
- Cannot downcast objects.
Static Type Checking
Checking source code prior to running to determine whether type rules have been respected.
Name some languages with/without static type checking?
With: Java, C++, Go
Without: JS, Python
Why don’t all languages use strong static typing?
- Programmers prefer the feel of languages without it.
- Risk of false positives for faults (creates error messages where there shouldn’t be any).
- Difficult to understand complex type errors.
- Evidence is inconclusive that it’s useful.
When does strong static typing help?
When teams don’t understand the language/system used.
Systems used a lot but not changed much (library core components).
Systems needing high integrity (low defects).
Code Quality Analysis
Automated checking of source code for patterns indicative of errors.
e.g. compiler warnings.
Give an example of a compiler warning.
if (a = b)
- Assignment in place of comparison warning.
if (launchApproved);
- Empty control flow statement
- Deprecated methods
Why don’t compilers do the brunt of the CQA work?
They need to be fast and predictable.
So there are third-party applications for it.
Limitations of CQA
Output can be huge for large codebases (lots of noise). The tools can be slightly tuned for use. Need to build from a clean start.
Likely will not help you find serious misbehaviours of code, so perhaps an expensive waste of time.
Contract Verification
Checks preconditions, postconditions and invariants of a class, and also signals (exceptions).
Supports a design-by-contract style.
Limitations of some contract verification applications
They sometimes don’t allow:
- Dynamic memory allocation
- Pointers
- Recursion
- Expressions with side effects (print statements?)
Where would you use Contract Verification?
When you need HIGH confidence of correctness, as in safety-critical systems.
- Nuclear plant
- Air Traffic control
What are the commonalities between Design by Contract, Static Typing and CQA?
They provide a language to express powerful assertions that can be convincingly checked automatically, or mostly so, given the tools and expertise.