Why we need static analysis

  • reliability
  • security
  • compiler optimization(编译优化)
  • program understanding

Static Analysis

Static analysis analyzes a program P to reason about its behaviors and determines whether it satisfies some properties before runnning P.


Useful static analysis

mostly compromising completensee:Sound(overapproximate) but not fully-precise static analysis.


  • Soundness(全面) is critical to a collection of important(static-analysis) applications such as compiler optimization and program verification.


  • Soundness is also preferable to other(static-analysis) applications for which soundness is not demanded,e.g.,bug detection,as better soundness implies more bugs could be found.

Static analysis:ensure(or get close to)soundness,while making good trade-offs between analysis precision and analysis speed.在确保全面的情况下,在精度和速度之间平衡

Conclude static analysis

  • abstraction 抽象

    • 将程序从原始的、高维的源代码空间,映射到一个抽象的、低维的符号空间。符号化后,后续的优化、分析、处理都会更加方便。
  • over-approximation 过近似 -> be sound

    • transfer funtions 转换函数

      • in static analysis,transfer functions define how to evaluate different program statements on abstract values.
      • transfer functions are defined according to “analysis problem” and the “semantics” of different statements.
    • control flows 控制流


      As it’s impossible to enumerate all paths in practice,flow merging (as a way of over-approximation) is taken for granted in most static analyses. 分支流合并,提升soundness,降低completeness,导致误报

Self test

  • what the differences between static analysis and dynamic testing?


  • understand soundness ,completeness,false negatives,false positives

    soundness 完全性 completeness 正确性

    false negatives(保证正确性,损失完整性,造成漏报)


    false positives(保证完整性,损失正确性,造成误报)


  • why soundness is usually required by static analysis


  • how to understand abstraction and over-approximation

    abstraction 抽象

    over-approximation 转化函数+控制流