what is program analysis?
body of work to discover useful facts about programs (e.g. errors)
3 types of program analysis
- dynamic (execution time)
- static (compile time)
- hybrid (combines dynamic and static)
dynamic program analysis
infers facts about the program by monitoring its runs
- purify: array bound checking
- memory leak detection: valgrind
- data race detection: eraser
- finding likely invariants: daikon
static analysis
infers facts about the program by inspecting its source or binary code
- suspicious error patterns: lint, findbugs, coverity
- checking api usage rules: microsoft slam
- memory leak detection: facebook infer
- verifying invariants: ESC/Java
program invariant
a fact that is true in every run of the program
static analysis: can determine that something is definitely an invariant
dynamic analysis: can determine that something is likely an invariant
components of static analysis
- program representation: e.g. control-flow graph, AST, or bytecode
- abstract domain: e.g. how to approximate program values
- transfer function: e.g. assignments, conditionals, merge points
- fixed point computation algorithm: e.g. iterative approximation
components of static analysis
- program representation: e.g. control-flow graph, AST, or bytecode
- abstract domain: e.g. how to approximate program values
- transfer function: e.g. assignments, conditionals, merge points
- fixed point computation algorithm: e.g. iterative approximation
how can static analysis be sound even though it sacrifices completeness?
even though the abstraction causes us to lose some information, when the analysis concludes something about the program, it is true in all runs of the program
when is a program sound?
if it never accepts bad programs
when is a program complete?
if it never rejects a good program
decide if the analysis (depicted by the blue oval) is sound or complete:
sound
not complete
false positive
a good program that is rejected by an analysis
is this analysis sound or complete?
not sound
complete
false negative
bad program that is accepted by an analysis
precision and recall (a method of measuring the usefulness of an analysis)
f-measure
f-measure of best possible program analysis
1
f-measure of worst possible program analysis
0
3 consumers of program ananlysis
compilers
IDE’s
software quality tools (testing, debugging, verification) - main focus of course
