2.1 Overview of static program analysis
· Definition: without running the program, analyze it only through syntax analysis or by inspecting its procedures, structures, processes, interfaces, and so on.
· Objective: To detect software defects.
2.1.1 Code Review
Common code review items
· Are all design requirements achieved? | · Does each function have a comment stating its purpose?
· Does the code comply with coding standards? | · Are comments written in the format required for their comment type?
· Is all code consistent in style? | · Has the amount of code comments reached the predetermined value?
· Are all comments clear and correct? | · Are all variables named in accordance with the rules?
· Does all exception-handling code have comments? | · Is loop nesting optimized to a minimum?
· Desk check:
· The developer checks the code for defects by reading the program, checking it against an error list, deriving test data, and similar methods;
· Disadvantages: inefficient, arbitrary;
· Code review:
· Several developers and testers form a review team that statically analyzes the program through reading, discussion, evaluation and deliberation;
· Walkthrough:
· People play the role of the computer: they feed simulated data into the program and "run" the code by hand, observing along the way whether the program operates normally;
· Test cases are prepared in advance.
2.1.2 Structural Analysis
Helps testers understand the overall architecture of the software.
Figure: source code (system configuration files, data structures, data interfaces, internal control logic, ...) -> analysis generates -> call graph, module control flow graph, inter-class dependency graph, function call graph, ...
2.2 Program Flow Analysis
2.2.1 Control Flow Analysis
· Objective: construct a control flow graph that expresses the structure of the program;
· Control flow analysis detects defects efficiently, which helps ensure that the program works and reduces resource consumption.
2.2.2 Data Flow Analysis
· A software verification technique that analyzes how variables are defined, used and passed in the program, in order to detect variable definition/use errors and anomalies;
· Includes three kinds of errors:
① a variable is defined but never used;
② a variable is used but has not yet been defined;
③ a variable is defined multiple times before it is used.
· The analysis requires the program's control flow graph and examines, for each statement in the flow graph, the variables it defines and the variables it uses.
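The three errors above can be found mechanically by tracking, per variable, whether its latest definition has been read yet. The following Python code is an added example, not part of the original notes; it assumes straight-line code (plain assignments and expressions, no branches or loops), so the flow graph is a single chain of statements, and the names dataflow_anomalies and SAMPLE are hypothetical.

```python
import ast
import builtins

# Constructed sample input: straight-line code containing all three errors.
SAMPLE = """\
total = 0
total = price * 2
count = 5
unused = total + count
"""

def dataflow_anomalies(source):
    """Return sorted (line, variable, error) tuples for straight-line code.

    Assumption of this example: only plain assignments and expressions, no
    branches or loops, so statements form a single chain in the flow graph.
    """
    state = {}       # variable -> "defined" (not read since) or "used"
    def_line = {}    # variable -> line of its most recent definition
    findings = []
    for stmt in ast.parse(source).body:
        names = [n for n in ast.walk(stmt) if isinstance(n, ast.Name)]
        # The right-hand side is read before the target is written.
        for n in (n for n in names if isinstance(n.ctx, ast.Load)):
            if n.id not in state and not hasattr(builtins, n.id):
                findings.append((n.lineno, n.id, "used before definition"))
            state[n.id] = "used"
        for n in (n for n in names if isinstance(n.ctx, ast.Store)):
            if state.get(n.id) == "defined":
                findings.append((n.lineno, n.id, "defined again before use"))
            state[n.id] = "defined"
            def_line[n.id] = n.lineno
    findings += [(def_line[v], v, "defined but never used")
                 for v, s in state.items() if s == "defined"]
    return sorted(findings)
```

Error ② is the one with the most direct security impact in languages such as C, where it corresponds to reading an uninitialized variable.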
2.3 Symbolic Execution
· An approach that lies between running the program and proving its correctness.
· Role:
· Check whether the program's execution results match expectations;
· Generate program execution paths symbolically, providing constraints for the automatic generation of test data;
· Depending on whether concrete values are used for the symbols during execution, symbolic execution techniques are divided into static symbolic execution and dynamic symbolic execution.
2.3.1 Static Symbolic Analysis
· Definition: without executing the program, symbolic values are used as input and the running of the code is simulated through symbolic execution, ultimately identifying which input variables can drive the program along a given path to reach the target statement or result (white-box static analysis);
· Put simply: liken a program to a LOL hero. The hero's final attribute values (attack, defense, health bar, mana bar) are the program's output, and the weapon the hero equips (the ice staff or the sword) is the program's input. The task of symbolic execution is then: given a hero's final attribute values, work out which equipment choices produce those values.
· Path condition: a Boolean formula built over the symbolic inputs that accumulates the constraints the input must satisfy for execution to follow a given path;
· At each branch point (such as an if statement) during symbolic execution, the path condition is updated:
① If the path condition becomes unsatisfiable, the corresponding program path is infeasible;
② If the path condition is satisfiable, any solution to it is an input that drives execution along that path;
· The concrete values that a program normally takes as input at run time are not used;
· Vulnerability analysis: take the condition under which a vulnerability arises as the program's target result; in theory, the input variables that trigger the vulnerability can then be derived easily.
Further reading on symbolic analysis: https://www.anquanke.com/post/id/157928
2.3.2 Dynamic Symbolic Analysis
· Definition: analyzes the program by combining symbolic input with concrete input;
· Practice: starting from symbolic input, when a complex path or a large-scale path is encountered, concrete input values are used in place of the symbolic input so that symbolic execution can keep progressing and the path constraints can still be solved;
· During dynamic symbolic execution, the tool keeps track of the symbolic state and the path condition of the current path;
· After one path finishes running, the tool negates the last path-condition constraint of an uncovered branch on that path, then passes the new path condition to the constraint solver;
· If the constraint solver can produce a solution that satisfies the new path condition, the tool runs that path and repeats the steps above until all paths are covered, a specific target is covered, or the time requirement is met.
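The run, negate, solve, repeat loop described above can be shown on a three-branch program. This Python code is an added example, not part of the original notes or of any tool; the program under test, the PREDICATES list and the function names are constructed for illustration, and solve() is a brute-force stand-in for a real constraint solver over a small integer domain.

```python
from itertools import product
PREDICATES = [                 # constructed branch conditions over ints x, y
    lambda x, y: x > 10,
    lambda x, y: x + y == 15,
    lambda x, y: x < 5,        # contradicts predicate 0 on the same path
]

def program(x, y):
    """Constructed program under test; returns (result, recorded path)."""
    path = []                  # (branch index, outcome) per decision
    def branch(i):
        path.append((i, PREDICATES[i](x, y)))
        return path[-1][1]
    if branch(0):
        if branch(1):
            return "target", path
        if branch(2):
            return "dead", path
        return "deep", path
    return "shallow", path

def solve(condition, domain=range(-20, 21)):
    """Stand-in for a constraint solver: enumerate a small integer domain."""
    for x, y in product(domain, repeat=2):
        if all(PREDICATES[i](x, y) == want for i, want in condition):
            return (x, y)
    return None                # unsatisfiable here: the path is infeasible

def explore(seed=(0, 0)):
    """Run a path, negate one branch (last first), solve, run the solution."""
    worklist, seen, tried, reached, infeasible = [seed], set(), set(), {}, []
    while worklist:
        inputs = worklist.pop()
        result, path = program(*inputs)
        if tuple(path) in seen:
            continue           # this path was already covered
        seen.add(tuple(path))
        reached[result] = inputs
        for k in reversed(range(len(path))):
            cond = tuple(path[:k]) + ((path[k][0], not path[k][1]),)
            if cond in tried:
                continue
            tried.add(cond)
            model = solve(cond)
            if model is None:
                infeasible.append(cond)
            else:
                worklist.append(model)
    return reached, infeasible
```

Starting from the seed (0, 0), explore() reaches the "target" statement with a generated input and reports the path into "dead" as infeasible, which is the unsatisfiable-path-condition case from 2.3.1.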
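2.4 Programming Standards and Rules
Some programming standards for competitions.
2.5 Static Program Analysis Tools
An introduction to the tools.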