Andrey Karpov, profile picture
Uploaded byAndrey Karpov
PPTX, PDF250 views

Expanding the idea of static analysis from code check to other development processes

The document discusses the 25th International Conference on Software Quality Assurance, focusing on the expansion of static analysis from code checking to various development processes. Key topics include the importance of code analysis, metrics calculation, and source code obfuscation, highlighting static analysis's role in identifying bugs and ensuring compliance with coding standards. It concludes that the application of static analysis is rapidly increasing and will continue to grow in the future.

Embed presentation

Download to read offline
Software quality assurance days 25th International Conference on software quality issues sqadays.com St. Petersburg, May 31 – June 1, 2019 Expanding the idea of static analysis from code check to other development processes
About the speaker • Maxim Stefanov (stefanov@viva64.com) • C++/Java developer in PVS-Studio • Activity: • Participation in the development of the C++ analyzer core • Participation in the development of the Java analyzer
Content • General concepts of static analysis • Classic look • Alternative look • Conclusion
Static analysis is...
Static analysis inputs • Program code • Data in JSON, YAML, XML format • Documentation / article • Scematic, 3D model (in design) • …
Classic look: code base analysis
Code analysis is necessary for… • Searching for bugs, vulnerabilities, bottlenecks • Code formatting • Various metrics calculation • Code compliance verification • …
Abstract syntax tree while(b != 0) { if (a > b) { a = a - b; } else { b = b - a; } } return a;
Control flow graph (1) while (x < 50) { (2) if (a / b > 5) { (3) a = a - b; } else { (4) b = b - a; (5) } (6) x++; } (7) doSomething();
And… • Parsing tree • Abstract semantic graph (semantic model) • …
Search for bugs, vulnerabilities and bottlenecks
Search for bugs, vulnerabilities and bottlenecks • AST-based defect pattern search • Defects searching based on semantic model • Searching based on data flow analysis • … In details:
Code formatting Why watch code formatting? • Compliance with the coding rules in company • Easy to read • Easy to maintain and debug • Increased probability of defect detection • …
Before formatting Action doIfSkilledSpeaker(double rating, int experience) { int index = 0; while(index < speakers.length) { Speaker sp = speakers[index]; if (sp.getRating()>=rating || sp.getExperience() > experience) { if(sp.isGirl()) { return LISTEN; } else if (doThink()) { return LISTEN; } } } return GO_HOME; }
Before formatting Action doIfSkilledSpeaker(double rating, int experience) { int index = 0; while(index < speakers.length) { Speaker sp = speakers[index]; if (sp.getRating()>=rating || sp.getExperience() > experience) { if(sp.isGirl()) { return LISTEN; } else if (doThink()) { return LISTEN; } } } return GO_HOME; }
Action getNextInterestingSpeaker(double rating, int experience) { int index = 0; while(index < speakers.length) { Speaker sp = speakers[index++]; if (sp.getRating() >= rating || sp.getExperience() > experience) { if (sp.isGirl()) { return LISTEN; } else if (doThink()) { return LISTEN; } } } return GO_HOME; } After formatting
Before formatting if (A) if (B) doSomething(); else doSomething(someObject);
if (A) { if (B) { doSomething(); } else { doSomething(someObj); } } After formatting if (A) if (B) doSomething(); else doSomething(someObj);
Metrics calculation. Why measure software? • Determining the quality of an existing product or process • Predicting productprocess quality • Improving productprocess quality
Metrics calculation • Quantitive metrics • Program complexity metrics • Program size metrics • Program control flow complexity metrics • Data flow complexity metrics • Object oriented metrics ...
Quantitive metrics • SLOC – code lines (physical, logical) • Amount and percentage of comments • Average number of lines for functions (classes, files) • Code Duplication Percentage • ...
Quantitive metrics: defects in code metrics • Defect density: «Number of defects in a separate module» -------------------------------------------------------------- «Total number of defects in software» • Regression coefficient: «Number of defects in old functional» ------------------------------------------------------------------------------------- «Total number of defects, including new functional»
McCabe Metrics: Cyclomatic Complexity M = E − N + 2P where: M – cyclomatic complexity, E – number of edges in the graph, N – number of nodes in the graph, P – number of connected components.
Cyclomatic complexity Some language constructions in a graph representation
Cyclomatic complexity: example int someMethod(...){ int bot = 0; int top = n - 1; int mid, cmp; while (bot <= top) { mid = (bot + top)/2; if (table[mid] == item) { return mid; } else if (compare) { bot = mid + 1; } else { top = mid -1; } } return -1; }
Cyclomatic complexity: example E = 14 N = 12 P = 1 M = 14–12 + (2*1) M = 4
Cyclomatic complexity: what for An overly high cyclomatic complexity factor leads to complexity of: • Understanding, supporting and debugging code, • testing.
Summing up the metrics. Note • Using of metrics as punishment is dangerous • Using of metrics for information and support is useful • Metrics are better in dynamics
Source code obfuscation/deobfustation The need of protection against analysis performed by both man and machine, as well as software with increased requirements for crack resistance, for example: • DRM key protection • Game protection against extraneous code (cheats and bots) • Source protection during transfer/sale
Source code obfuscation/deobfustation int COUNT = 100; float TAX_RATE = 0.2; for (int i=0; i < COUNT; i++) { tax[i] = orig_price[i] * TAX_RATE; price[i] = orig_price[i] + tax[i]; } Before: After: for(int a=0;a<100;a++){b[a]=c[a]*0.2;d[a]=c[a]+b[a];}
Source code obfuscation/deobfustation
Validation check Known formats used for transferring data: JSON, XML, YAML Matching tools: JSONLint, XMLLint, YAMLLint Perform the analysis and reveal: • Syntax errors • Extra commas, brackets, spaces, … • Key duplication • Key definition order • …
Validation check { "warnings": [{ "title": "Some Title", "code": "V6050", "cwe": 0, "level": 1, "title": "Some message.", // Duplicate key 'title' "falseAlarm": false }] }
Publisher: internal development Task: checking articles and documentation for correctness Input data: articles and documentation . Output data: List of errors: • Matching links • Image verification • Code fragments correctness • Checking the date and authors of the documentation, articles • ...
Example: checking pictures for alpha channels Expectation Reality
Example: link validation The error is that in the documentation in Russian, a link to the English language source is used
KOMPAS - Expert: static analysis inspiration • Input data: figure and 3D-model • Output data: List of errors: • Design standards compliance • Enterprise restriction lists compliance • KOMPAS – 3D work rules compliance
KOMPAS - Expert: static analysis inspiration
Conclusion: • Static analysis is gaining momentum in recent years • In the near future its application will only grow

More Related Content

PDF
Mining Source Code Improvement Patterns from Similar Code Review Works
byYuki Ueda
 
PPTX
Java introduction
bySamsung Electronics Egypt
 
PDF
Machine learning with scikit-learn
byQingkai Kong
 
PDF
Web futures
byBrendan Eich
 
PDF
Value objects in JS - an ES7 work in progress
byBrendan Eich
 
PDF
Value Objects, Full Throttle (to be updated for spring TC39 meetings)
byBrendan Eich
 
PPTX
07. Java Array, Set and Maps
byIntro C# Book
 
PPTX
11. Java Objects and classes
byIntro C# Book
 
Mining Source Code Improvement Patterns from Similar Code Review Works
byYuki Ueda
 
Java introduction
bySamsung Electronics Egypt
 
Machine learning with scikit-learn
byQingkai Kong
 
Web futures
byBrendan Eich
 
Value objects in JS - an ES7 work in progress
byBrendan Eich
 
Value Objects, Full Throttle (to be updated for spring TC39 meetings)
byBrendan Eich
 
07. Java Array, Set and Maps
byIntro C# Book
 
11. Java Objects and classes
byIntro C# Book
 

What's hot

PPTX
19. Java data structures algorithms and complexity
byIntro C# Book
 
PDF
Extensible Operators and Literals for JavaScript
byBrendan Eich
 
PPTX
19. Data Structures and Algorithm Complexity
byIntro C# Book
 
PDF
JS Responsibilities
byBrendan Eich
 
PPTX
16. Java stacks and queues
byIntro C# Book
 
PDF
Machine learning in production with scikit-learn
byJeff Klukas
 
PDF
Numerical tour in the Python eco-system: Python, NumPy, scikit-learn
byArnaud Joly
 
PPTX
Java Foundations: Basic Syntax, Conditions, Loops
bySvetlin Nakov
 
PPTX
Variables and Data Types
byInfoviaan Technologies
 
PPTX
10. Recursion
byIntro C# Book
 
PPT
C++ Returning Objects
byJay Patel
 
PDF
Java Day-4
byPeople Strategists
 
PPTX
07. Arrays
byIntro C# Book
 
PPTX
20.1 Java working with abstraction
byIntro C# Book
 
PPTX
15. Streams Files and Directories
byIntro C# Book
 
PPTX
20.4 Java interfaces and abstraction
byIntro C# Book
 
PDF
Java Day-5
byPeople Strategists
 
PPTX
14. Java defining classes
byIntro C# Book
 
PDF
Java Day-6
byPeople Strategists
 
PDF
Java Day-7
byPeople Strategists
 
19. Java data structures algorithms and complexity
byIntro C# Book
 
Extensible Operators and Literals for JavaScript
byBrendan Eich
 
19. Data Structures and Algorithm Complexity
byIntro C# Book
 
JS Responsibilities
byBrendan Eich
 
16. Java stacks and queues
byIntro C# Book
 
Machine learning in production with scikit-learn
byJeff Klukas
 
Numerical tour in the Python eco-system: Python, NumPy, scikit-learn
byArnaud Joly
 
Java Foundations: Basic Syntax, Conditions, Loops
bySvetlin Nakov
 
Variables and Data Types
byInfoviaan Technologies
 
10. Recursion
byIntro C# Book
 
C++ Returning Objects
byJay Patel
 
Java Day-4
byPeople Strategists
 
07. Arrays
byIntro C# Book
 
20.1 Java working with abstraction
byIntro C# Book
 
15. Streams Files and Directories
byIntro C# Book
 
20.4 Java interfaces and abstraction
byIntro C# Book
 
Java Day-5
byPeople Strategists
 
14. Java defining classes
byIntro C# Book
 
Java Day-6
byPeople Strategists
 
Java Day-7
byPeople Strategists
 

Similar to Expanding the idea of static analysis from code check to other development processes

DOCX
Se unit 4
byabdulsubhan44
 
PPTX
Static analysis by tools
bywiny setya ningrum
 
PPTX
Does static analysis need machine learning?
byAndrey Karpov
 
PDF
Improving your CFML code quality
byKai Koenig
 
PPTX
Testing Technique
byAjeng Savitri
 
PPTX
White box testing
byNeethu Tressa
 
PPT
Software testing & its technology
byHasam Panezai
 
PDF
20100309 01 - Maintenance and re-engineering (McCabe)
byLeClubQualiteLogicielle
 
PDF
Sw metrics for regression testing
byJyotsna Sharma
 
PDF
Software code metrics
byPVS-Studio
 
PDF
Achieving quality with tools case study
byEosSoftware
 
PPT
Sv&amp;V Rim
bywachakhan
 
PPT
Verification and Validation in Software Engineering SE19
bykoolkampus
 
PPT
Verifcation &amp;validation
byssusere50573
 
PPTX
Software engineering
byGuruAbirami2
 
PPTX
Measuring the Code Quality Using Software Metrics
byGeetha Anjali
 
PPTX
SE2023 0401 Software Coding and Testing.pptx
byBharat Chawda
 
PPTX
Capability Building for Cyber Defense: Software Walk through and Screening
byMaven Logix
 
PDF
Software Development Metrics You Can Count On
byParasoft
 
PPTX
INGI2252 Software Measures & Maintenance
bykim.mens
 
Se unit 4
byabdulsubhan44
 
Static analysis by tools
bywiny setya ningrum
 
Does static analysis need machine learning?
byAndrey Karpov
 
Improving your CFML code quality
byKai Koenig
 
Testing Technique
byAjeng Savitri
 
White box testing
byNeethu Tressa
 
Software testing & its technology
byHasam Panezai
 
20100309 01 - Maintenance and re-engineering (McCabe)
byLeClubQualiteLogicielle
 
Sw metrics for regression testing
byJyotsna Sharma
 
Software code metrics
byPVS-Studio
 
Achieving quality with tools case study
byEosSoftware
 
Sv&amp;V Rim
bywachakhan
 
Verification and Validation in Software Engineering SE19
bykoolkampus
 
Verifcation &amp;validation
byssusere50573
 
Software engineering
byGuruAbirami2
 
Measuring the Code Quality Using Software Metrics
byGeetha Anjali
 
SE2023 0401 Software Coding and Testing.pptx
byBharat Chawda
 
Capability Building for Cyber Defense: Software Walk through and Screening
byMaven Logix
 
Software Development Metrics You Can Count On
byParasoft
 
INGI2252 Software Measures & Maintenance
bykim.mens
 

More from Andrey Karpov

PDF
60 антипаттернов для С++ программиста
byAndrey Karpov
 
PDF
60 terrible tips for a C++ developer
byAndrey Karpov
 
PPTX
Ошибки, которые сложно заметить на code review, но которые находятся статичес...
byAndrey Karpov
 
PDF
PVS-Studio in 2021 - Error Examples
byAndrey Karpov
 
PDF
PVS-Studio in 2021 - Feature Overview
byAndrey Karpov
 
PDF
PVS-Studio в 2021 - Примеры ошибок
byAndrey Karpov
 
PDF
PVS-Studio в 2021
byAndrey Karpov
 
PPTX
Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...
byAndrey Karpov
 
PPTX
Best Bugs from Games: Fellow Programmers' Mistakes
byAndrey Karpov
 
PPTX
Typical errors in code on the example of C++, C#, and Java
byAndrey Karpov
 
PPTX
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
byAndrey Karpov
 
PPTX
Game Engine Code Quality: Is Everything Really That Bad?
byAndrey Karpov
 
PPTX
C++ Code as Seen by a Hypercritical Reviewer
byAndrey Karpov
 
PPTX
The Use of Static Code Analysis When Teaching or Developing Open-Source Software
byAndrey Karpov
 
PPTX
Static Code Analysis for Projects, Built on Unreal Engine
byAndrey Karpov
 
PPTX
Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
byAndrey Karpov
 
PPTX
The Great and Mighty C++
byAndrey Karpov
 
PPTX
Static code analysis: what? how? why?
byAndrey Karpov
 
PDF
Zero, one, two, Freddy's coming for you
byAndrey Karpov
 
PDF
PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOps
byAndrey Karpov
 
60 антипаттернов для С++ программиста
byAndrey Karpov
 
60 terrible tips for a C++ developer
byAndrey Karpov
 
Ошибки, которые сложно заметить на code review, но которые находятся статичес...
byAndrey Karpov
 
PVS-Studio in 2021 - Error Examples
byAndrey Karpov
 
PVS-Studio in 2021 - Feature Overview
byAndrey Karpov
 
PVS-Studio в 2021 - Примеры ошибок
byAndrey Karpov
 
PVS-Studio в 2021
byAndrey Karpov
 
Make Your and Other Programmer’s Life Easier with Static Analysis (Unreal Eng...
byAndrey Karpov
 
Best Bugs from Games: Fellow Programmers' Mistakes
byAndrey Karpov
 
Typical errors in code on the example of C++, C#, and Java
byAndrey Karpov
 
How to Fix Hundreds of Bugs in Legacy Code and Not Die (Unreal Engine 4)
byAndrey Karpov
 
Game Engine Code Quality: Is Everything Really That Bad?
byAndrey Karpov
 
C++ Code as Seen by a Hypercritical Reviewer
byAndrey Karpov
 
The Use of Static Code Analysis When Teaching or Developing Open-Source Software
byAndrey Karpov
 
Static Code Analysis for Projects, Built on Unreal Engine
byAndrey Karpov
 
Safety on the Max: How to Write Reliable C/C++ Code for Embedded Systems
byAndrey Karpov
 
The Great and Mighty C++
byAndrey Karpov
 
Static code analysis: what? how? why?
byAndrey Karpov
 
Zero, one, two, Freddy's coming for you
byAndrey Karpov
 
PVS-Studio Is Now in Chocolatey: Checking Chocolatey under Azure DevOps
byAndrey Karpov
 

Recently uploaded

PDF
BCA 1st Semester Fundamentals Solved Question Paper 44121
byKuvempu University
 
PDF
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
PDF
SiyanoAV 20GB Cloud Backup & Antivirus Protection
bysunilsiyanoav
 
PDF
DSD-INT 2025 Timor-Leste Flood exposure and Climate Change assessment - Ogunwumi
byDeltares
 
PDF
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
PDF
How Device, OS, and Network Variability Affects App Experience - And How to T...
bykalichargn70th171
 
PPTX
Future of Software Testing: AI-Powered Open Source Testing Tools
bySophie Lane
 
PDF
DSD-INT 2025 Quantifying Flood Mitigation Strategies Under Sea Level Rise - H...
byDeltares
 
PDF
Oracle NetSuite Integration_ Automation, Benefits and Guide 2026
byTechWize
 
PDF
Microservices Architecture Benefits For Mobile Development.pdf
bydavidjohansen1597
 
PPTX
operating sys about shells and terminals commands .pptx
byYazeedAbdullah6
 
PDF
DSD-INT 2025 Advancing Urban Flood Modeling with Delft3D FM 1D2D - A Pilot St...
byDeltares
 
PDF
DSD-INT 2025 Next-Generation Flood Inundation Mapping for Taiwan - Challenges...
byDeltares
 
PPTX
wAIred_LearnwithoutAI_KotlinDevDay_27112025.pptx
bySimonedeGijt
 
PPTX
CRM Development Company | Custom CRM Development Services
byyugababu033
 
PDF
DSD-INT 2025 Hydrodynamic and Morphodynamic Modeling with Delft3D FM for an I...
byDeltares
 
PDF
DSD-INT 2025 Modelling Non-Newtonian Slurry Beaching with Delft3D-Slurry - Bi
byDeltares
 
PDF
Internship Project Training Report-3.pdf
byPawank36
 
PDF
inSis suite - Laboratory Information Management System
byKondapi V Siva Rama Brahmam
 
PDF
DSD-INT 2025 Climate and impact attribution of compound flooding induced by t...
byDeltares
 
BCA 1st Semester Fundamentals Solved Question Paper 44121
byKuvempu University
 
DSD-INT 2025 Delft3D FM Suite 2026.01 2D3D - New features + Improvements - Sp...
byDeltares
 
SiyanoAV 20GB Cloud Backup & Antivirus Protection
bysunilsiyanoav
 
DSD-INT 2025 Timor-Leste Flood exposure and Climate Change assessment - Ogunwumi
byDeltares
 
DSD-INT 2025 Flood Early Warning System for the Trans-African Hydrometeorolog...
byDeltares
 
How Device, OS, and Network Variability Affects App Experience - And How to T...
bykalichargn70th171
 
Future of Software Testing: AI-Powered Open Source Testing Tools
bySophie Lane
 
DSD-INT 2025 Quantifying Flood Mitigation Strategies Under Sea Level Rise - H...
byDeltares
 
Oracle NetSuite Integration_ Automation, Benefits and Guide 2026
byTechWize
 
Microservices Architecture Benefits For Mobile Development.pdf
bydavidjohansen1597
 
operating sys about shells and terminals commands .pptx
byYazeedAbdullah6
 
DSD-INT 2025 Advancing Urban Flood Modeling with Delft3D FM 1D2D - A Pilot St...
byDeltares
 
DSD-INT 2025 Next-Generation Flood Inundation Mapping for Taiwan - Challenges...
byDeltares
 
wAIred_LearnwithoutAI_KotlinDevDay_27112025.pptx
bySimonedeGijt
 
CRM Development Company | Custom CRM Development Services
byyugababu033
 
DSD-INT 2025 Hydrodynamic and Morphodynamic Modeling with Delft3D FM for an I...
byDeltares
 
DSD-INT 2025 Modelling Non-Newtonian Slurry Beaching with Delft3D-Slurry - Bi
byDeltares
 
Internship Project Training Report-3.pdf
byPawank36
 
inSis suite - Laboratory Information Management System
byKondapi V Siva Rama Brahmam
 
DSD-INT 2025 Climate and impact attribution of compound flooding induced by t...
byDeltares
 

Expanding the idea of static analysis from code check to other development processes

  • 1.
    Software quality assurancedays 25th International Conference on software quality issues sqadays.com St. Petersburg, May 31 – June 1, 2019 Expanding the idea of static analysis from code check to other development processes
  • 2.
    About the speaker •Maxim Stefanov (stefanov@viva64.com) • C++/Java developer in PVS-Studio • Activity: • Participation in the development of the C++ analyzer core • Participation in the development of the Java analyzer
  • 3.
    Content • General conceptsof static analysis • Classic look • Alternative look • Conclusion
  • 4.
  • 5.
    Static analysis inputs •Program code • Data in JSON, YAML, XML format • Documentation / article • Scematic, 3D model (in design) • …
  • 6.
    Classic look: codebase analysis
  • 7.
    Code analysis isnecessary for… • Searching for bugs, vulnerabilities, bottlenecks • Code formatting • Various metrics calculation • Code compliance verification • …
  • 8.
    Abstract syntax tree while(b!= 0) { if (a > b) { a = a - b; } else { b = b - a; } } return a;
  • 9.
    Control flow graph (1)while (x < 50) { (2) if (a / b > 5) { (3) a = a - b; } else { (4) b = b - a; (5) } (6) x++; } (7) doSomething();
  • 10.
    And… • Parsing tree •Abstract semantic graph (semantic model) • …
  • 11.
    Search for bugs,vulnerabilities and bottlenecks
  • 12.
    Search for bugs,vulnerabilities and bottlenecks • AST-based defect pattern search • Defects searching based on semantic model • Searching based on data flow analysis • … In details:
  • 13.
    Code formatting Why watchcode formatting? • Compliance with the coding rules in company • Easy to read • Easy to maintain and debug • Increased probability of defect detection • …
  • 14.
    Before formatting Action doIfSkilledSpeaker(doublerating, int experience) { int index = 0; while(index < speakers.length) { Speaker sp = speakers[index]; if (sp.getRating()>=rating || sp.getExperience() > experience) { if(sp.isGirl()) { return LISTEN; } else if (doThink()) { return LISTEN; } } } return GO_HOME; }
  • 15.
    Before formatting Action doIfSkilledSpeaker(doublerating, int experience) { int index = 0; while(index < speakers.length) { Speaker sp = speakers[index]; if (sp.getRating()>=rating || sp.getExperience() > experience) { if(sp.isGirl()) { return LISTEN; } else if (doThink()) { return LISTEN; } } } return GO_HOME; }
  • 16.
    Action getNextInterestingSpeaker(double rating,int experience) { int index = 0; while(index < speakers.length) { Speaker sp = speakers[index++]; if (sp.getRating() >= rating || sp.getExperience() > experience) { if (sp.isGirl()) { return LISTEN; } else if (doThink()) { return LISTEN; } } } return GO_HOME; } After formatting
  • 17.
    Before formatting if (A) if(B) doSomething(); else doSomething(someObject);
  • 18.
    if (A) { if (B) { doSomething(); } else { doSomething(someObj); } } Afterformatting if (A) if (B) doSomething(); else doSomething(someObj);
  • 19.
    Metrics calculation. Why measuresoftware? • Determining the quality of an existing product or process • Predicting productprocess quality • Improving productprocess quality
  • 20.
    Metrics calculation • Quantitivemetrics • Program complexity metrics • Program size metrics • Program control flow complexity metrics • Data flow complexity metrics • Object oriented metrics ...
  • 21.
    Quantitive metrics • SLOC– code lines (physical, logical) • Amount and percentage of comments • Average number of lines for functions (classes, files) • Code Duplication Percentage • ...
  • 22.
    Quantitive metrics: defects incode metrics • Defect density: «Number of defects in a separate module» -------------------------------------------------------------- «Total number of defects in software» • Regression coefficient: «Number of defects in old functional» ------------------------------------------------------------------------------------- «Total number of defects, including new functional»
  • 23.
    McCabe Metrics: Cyclomatic Complexity M= E − N + 2P where: M – cyclomatic complexity, E – number of edges in the graph, N – number of nodes in the graph, P – number of connected components.
  • 24.
    Cyclomatic complexity Some languageconstructions in a graph representation
  • 25.
    Cyclomatic complexity: example intsomeMethod(...){ int bot = 0; int top = n - 1; int mid, cmp; while (bot <= top) { mid = (bot + top)/2; if (table[mid] == item) { return mid; } else if (compare) { bot = mid + 1; } else { top = mid -1; } } return -1; }
  • 26.
    Cyclomatic complexity: example E= 14 N = 12 P = 1 M = 14–12 + (2*1) M = 4
  • 27.
    Cyclomatic complexity: whatfor An overly high cyclomatic complexity factor leads to complexity of: • Understanding, supporting and debugging code, • testing.
  • 28.
    Summing up themetrics. Note • Using of metrics as punishment is dangerous • Using of metrics for information and support is useful • Metrics are better in dynamics
  • 29.
    Source code obfuscation/deobfustation Theneed of protection against analysis performed by both man and machine, as well as software with increased requirements for crack resistance, for example: • DRM key protection • Game protection against extraneous code (cheats and bots) • Source protection during transfer/sale
  • 30.
    Source code obfuscation/deobfustation intCOUNT = 100; float TAX_RATE = 0.2; for (int i=0; i < COUNT; i++) { tax[i] = orig_price[i] * TAX_RATE; price[i] = orig_price[i] + tax[i]; } Before: After: for(int a=0;a<100;a++){b[a]=c[a]*0.2;d[a]=c[a]+b[a];}
  • 31.
  • 32.
    Validation check Known formatsused for transferring data: JSON, XML, YAML Matching tools: JSONLint, XMLLint, YAMLLint Perform the analysis and reveal: • Syntax errors • Extra commas, brackets, spaces, … • Key duplication • Key definition order • …
  • 33.
    Validation check { "warnings": [{ "title":"Some Title", "code": "V6050", "cwe": 0, "level": 1, "title": "Some message.", // Duplicate key 'title' "falseAlarm": false }] }
  • 34.
    Publisher: internal development Task:checking articles and documentation for correctness Input data: articles and documentation . Output data: List of errors: • Matching links • Image verification • Code fragments correctness • Checking the date and authors of the documentation, articles • ...
  • 35.
    Example: checking pictures foralpha channels Expectation Reality
  • 36.
    Example: link validation The erroris that in the documentation in Russian, a link to the English language source is used
  • 37.
    KOMPAS - Expert: staticanalysis inspiration • Input data: figure and 3D-model • Output data: List of errors: • Design standards compliance • Enterprise restriction lists compliance • KOMPAS – 3D work rules compliance
  • 38.
    KOMPAS - Expert: staticanalysis inspiration
  • 39.
    Conclusion: • Static analysisis gaining momentum in recent years • In the near future its application will only grow