Content deleted Content added
m Aready in Category:Software review, WP:SUBCAT |
Citation bot (talk | contribs) Alter: title. Add: date, s2cid, authors 1-1. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | Suggested by Whoop whoop pull up | #UCB_toolbar |
||
Line 1:
{{Short description|Establishing properties of computer programs without executing them}}
{{Software development process}}
'''Static program analysis''' is the [[program analysis (computer science)|analysis of computer software]] performed without executing any programs, in contrast with [[dynamic program analysis|dynamic analysis]], which is performed on programs during their execution.<ref>{{cite journal |archive-url=https://web.archive.org/web/20110927010304/http://www.ida.liu.se/~TDDC90/papers/industrial95.pdf |archive-date=2011-09-27 | title=Industrial Perspective on Static Analysis. |journal=Software Engineering Journal |date=Mar 1995 |pages=69–75 |last1=Wichmann |first1=B. A. |first2=A. A. |last2=Canning |first3=D. L. |last3=Clutterbuck |first4=L. A. |last4=Winsbarrow |first5=N. J. |last5=Ward |first6=D. W. R. |last6=Marsh |volume=10 |issue=2 |doi=10.1049/sej.1995.0010 |url=http://www.ida.liu.se/~TDDC90/papers/industrial95.pdf}}</ref><ref>{{Cite journal|
The term is usually applied to analysis performed by an [[List of tools for static code analysis|automated tool]], with human analysis typically being called "program understanding", [[program comprehension]], or [[code review]]. In the last of these, [[software inspection]] and [[software walkthrough]]s are also used. In most cases the analysis is performed on some version of a program's [[source code]], and, in other cases, on some form of its [[object code]].
== Rationale ==
The sophistication of the analysis performed by tools varies from those that only consider the behaviour of individual statements and declarations,<ref>{{Cite journal|
[[Software metric]]s and [[reverse engineering]] can be described as forms of static analysis. Deriving software metrics and static analysis are increasingly deployed together, especially in creation of embedded systems, by defining so-called ''software quality objectives''.<ref>[http://web1.see.asso.fr/erts2010/Site/0ANDGY78/Fichier/PAPIERS%20ERTS%202010/ERTS2010_0035_final.pdf "Software Quality Objectives for Source Code"] {{webarchive|url=https://web.archive.org/web/20150604203133/http://web1.see.asso.fr/erts2010/Site/0ANDGY78/Fichier/PAPIERS%20ERTS%202010/ERTS2010_0035_final.pdf |date=2015-06-04 }} (PDF). ''Proceedings: Embedded Real Time Software and Systems 2010 Conference'', ERTS2010.org, Toulouse, France: Patrick Briand, Martin Brochet, Thierry Cambois, Emmanuel Coutenceau, Olivier Guetta, Daniel Mainberte, Frederic Mondot, Patrick Munier, Loic Noury, Philippe Spozio, Frederic Retailleau.</ref>
Line 26:
== Tool types==
The OMG ([[Object Management Group]]) published a study regarding the types of software analysis required for [[software quality]] measurement and assessment. This document on "How to Deliver Resilient, Secure, Efficient, and Easily Changed IT Systems in Line with CISQ Recommendations" describes three levels of software analysis.<ref>{{cite web |url=http://www.omg.org/CISQ_compliant_IT_Systemsv.4-3.pdf |title=
; Unit Level: Analysis that takes place within a specific program or subroutine, without connecting to the context of that program.
Line 52:
== Data-driven static analysis ==
Data-driven static analysis uses large amounts of code to infer coding rules.<ref name="dewes">{{cite web |title=Learning from other's mistakes: Data-driven code analysis. |url=https://www.slideshare.net/japh44/talk-handout-46938511 |website=www.slideshare.net |date=13 April 2015 |language=en}}</ref>{{Better source needed|date=September 2020}} For instance, one can use all Java open-source packages on GitHub to learn a good analysis strategy. The rule inference can use machine learning techniques.<ref name="OhYang2015">{{cite book|last1=Oh|first1=Hakjoo|title=Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications - OOPSLA 2015|last2=Yang|first2=Hongseok|last3=Yi|first3=Kwangkeun|chapter=Learning a strategy for adapting a program analysis via bayesian optimisation|year=2015|pages=572–588|doi=10.1145/2814270.2814309|isbn=9781450336895|s2cid=13940725|url=https://ora.ox.ac.uk/objects/uuid:f656bcfd-ec1b-477c-9185-ff2c7490a207}}</ref> For instance, it has been shown that when one deviates too much in the way one uses an object-oriented API, it is likely to be a bug.<ref name="MonperrusMezini2013">{{cite journal|last1=Monperrus|first1=Martin|last2=Mezini|first2=Mira|title=Detecting missing method calls as violations of the majority rule|journal=ACM Transactions on Software Engineering and Methodology|volume=22|issue=1|year=2013|pages=1–25|url=https://hal.archives-ouvertes.fr/hal-00702196/document|doi=10.1145/2430536.2430541|arxiv=1306.0762|s2cid=1212778}}</ref> It is also possible to learn from a large amount of past fixes and warnings.<ref name="dewes"/>{{Better source needed|date=September 2020}}
== See also ==
| |||