Static Analysis Software Engineering 4 12.2HX3 Julian Richardson [email protected]

Software Engineering 4, Julian Richardson, 30 April 2002

1

Static Analysis

Software Engineering 4

12.2HX3

Julian Richardson

[email protected]


2

Learning Outcomes

• In this lecture you will learn:– static analysis concerns the detection of bugs in a

program without executing it,– bugs can be divided into a number of classes,

including: data faults, control faults, input/output faults, interface faults, storage management faults, exception management faults.

– faults from each of these classes can be detected by program inspection.

• You should be able to identify bugs from each of these classes in Java programs .


3

What is Static Analysis

• Static analysis concerns the detection of errors in a program without executing it.

• Some advantages:– no overhead is introduced into program execution,– some static analysis can be performed

automatically - this saves time testing,– 60% of program errors can be detected using

informal program inspections (Fagan, 1986),– 90% of program errors can be detected using formal

program verification (Mills, 1987)!


4

Classes of Program Faults

• A number of classes of program faults (i.e. bugs) can be identified. The following six classes of faults are reproduced from (Sommerville, 1996):

• Data faults:– Are all program variables initialised before their values are

used?– Have all constants been named?– Should the lower bound of arrays be 0, 1 or something else?– Should the upper bound of arrays be equal to the size of the

array, or one less than the size of the array?


5

public class DataFaults

{

public static void main(String[] Args) {

int x;

double sintable[] = new double[90];

System.out.println(x);

for (int angle=1; angle <= 90; angle++)

{

sintable[angle] = Math.sin(3.14150*(double)angle/180.0);

}

} }

Example: Find The Data Faults


6


7

public class DataFaults

{

public static void main(String[] Args) {

int x;

double sintable[] = new double[90];

System.out.println(x);

for (int angle=1; angle <= 90; angle++)

{

sintable[angle] = Math.sin(3.14150*

(double)angle/180.0);

} } }

Variable not initialised before use!

Array indices start at at 0, not 1!

Array indices go up to (size of array) - 1!

Unnamed constant!


8

Classes of Program Faults (2)

• Interface faults:– Do all function and procedure calls have the correct number

of parameters?– Do formal and actual parameter types match?– Are the parameters in the right order?– If two components access shared memory, do they have the

same model of shared memory structure?

• For example, find the interface faults in the following program:


9

public class InterfaceFaults

{

private static final int SIZE = 1000;

private int[] graphicsdata;

private int n;

public InterfaceFaults()

{

graphicsdata = new int[SIZE];

n = 0;

}

public void draw(double angle, int distance)

{

graphicsdata[n++] = 1;

graphicsdata[n++] = (int)(distance * Math.cos(angle));

graphicsdata[n++] = (int)(distance * Math.sin(angle));

}

Find

The

Interface

Faults


10

public void printpoint(int pointnumber) { System.out.println("Point is " + graphicsdata[pointnumber*2] + "," + graphicsdata[1+pointnumber*2] + "\n"); }

public static void main(String[] args) { InterfaceFaults a = new InterfaceFaults();

a.draw(100);

a.draw(10, "SS Uganda");

a.draw(100, 1.0);

a.draw(1.0, 100);

a.printpoint(0); }}


11

public void printpoint(int pointnumber) { System.out.println("Point is " + graphicsdata[pointnumber*2] + "," + graphicsdata[1+pointnumber*2] + "\n"); }

public static void main(String[] args) { InterfaceFaults a = new InterfaceFaults();

a.draw(100);

a.draw(10, "SS Uganda");

a.draw(100, 1.0);

a.draw(1.0, 100);

a.printpoint(0); }}

printpoint(…) and draw(…) have a different model of how points are stored!Wrong number of

parameters!

Parameter has wrong type!

Parameters are in the wrong order!


12


• Control faults:– For each conditional statement is the condition correct?– Is each loop certain to terminate?– Are bracketed compound statements correctly bracketed?– Is case statements, are all possible cases accounted for?

• For example, find the control faults in the following program:


13

public class ControlFaults

{

public int x;

public int sign;

public ControlFaults(int _x)

{

x = _x;

if (x == 0) sign = 0;

else sign = x/Math.abs(x);

}

Find The Control Faults


14

public static void main(String[] args)

{

int i;

ControlFaults a = new ControlFaults(Integer.parseInt(args[0]));

if (a.x < 1) System.out.println("Negative");

for (i=0; i>a.x; i++)

System.out.println(i);

System.out.println(i+1);

switch (a.sign)

{

case -1: System.out.println("Negative."); break;

case 1: System.out.println("Positive."); break;

}

}}


15

public static void main(String[] args)

{

int i;

ControlFaults a = new ControlFaults(Integer.parseInt(args[0]));

if (a.x < 1) System.out.println("Negative");

for (i=0; i>a.x; i++)

System.out.println(i);

System.out.println(i+1);

switch (a.sign)

{

case -1: System.out.println("Negative."); break;

case 1: System.out.println("Positive."); break;

}

}}

Condition is incorrect!Loop will not

terminate if a.x < 0!

These two lines are wrongly bracketed!

Case when sign=0 not accounted for!


16


• Input/output faults:– are all input variables used?– Are all output variables assigned a value before they are

output?

• Storage management faults:– If a linked structure is modified, are the links correctly

reassigned?– If dynamic storage is used, has space been allocated

properly?– Is space properly deallocated when it is no longer

required?


17


• Exception management faults:– have all possible error conditions been taken into

account?


18

Reducing Faults

• Some classes of faults can be eliminated or reduced by good programming language design.

• For example Java deallocates space automatically (cf. C++ which does not).

• Others can be emilinated by code inspection. This is:– effective, but– can be time-consuming.


19

Using Static Checking (2)

• Static checking can be implemented as part of the language compiler.

• The standard javac compiler performs some static checking.

• Compilers normally only perform limited static checking.

• There are tools which do static checking:– lint (for C)– ESC Java (for Java)


20

ESC Java

• ESC (“Extended Static Checking”) Java.• ESC Java is particularly good at spotting possible

null pointer errors.• In order to help the analysis, programs can be

annotated with special comments to state logical properties.

• In next lecture we will start looking at ESC Java.• We will consider how it can help you, and what its

strengths and shortcomings are.


21

Conclusions

• Static analysis concerns the detection of bugs in a program without executing it,

• Bugs can be divided into a number of classes, including: data faults, control faults, input/output faults, interface faults, storage management faults, exception management faults.

• Faults from each of these classes can be detected by program inspection.

• Compilers can perform some static analysis. • Tools such as ESC Java perform more.


22

References

(Sommerville, 1996): Software Engineering, 5th Edition, Ian Sommerville, Addison-Wesley, 1996. – An authoritative and readable book on everything about

software engineering. Static analysis is covered in chapter 24.

(ESC, 2000): ESC Java manual, http://gatekeeper.dec.com/pub/DEC/SRC/technical-notes/SRC-2000-002.html

(Fagan, 1986): Advances in Software Inspections, IEEE Trans. on Software Engineering, SE-12 (7), 744-51.

(Mills, 1987): Cleanroom Software Engineering, Mills, H. D., Dyer, M., Linger, R.,IEEE Software, 4 (5), 19-25.


23

» 2.0.0 ESC/Java pragmas must occur within pragma-containing comments.

• ESC/Java looks for pragmas within certain specially formatted comments. Specifically:

When the character @ is the first character after the initial // or /* of a Java comment, ESC/Java expects the rest of the comment's body to consist entirely of a sequence of (zero or more) ESC/Java pragmas.

Inside a documentation comment [JLS, 18], a sequence ESC/Java pragmas can be bracketed by <esc> and </esc>.

Static Analysis Software Engineering 4 12.2HX3 Julian Richardson [email protected]

Documents

classes of faults

program errors

julian richardson

following program

inputoutput faults

control faults

angle software engineering

program execution