Dynamic program analysis
This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these template messages)
|Types of code|
|Notable compilers & toolchains|
Dynamic program analysis is the analysis of computer software that is performed by executing programs on a real or virtual processor. For dynamic program analysis to be effective, the target program must be executed with sufficient test inputs to cover almost all possible outputs. Use of software testing measures such as code coverage helps ensure that an adequate slice of the program's set of possible behaviors has been observed.[why?] Also, care must be taken to minimize the effect that instrumentation has on the execution (including temporal properties) of the target program.[why?][needs context] Dynamic analysis is in contrast to static program analysis. Unit tests, integration tests, system tests and acceptance tests use dynamic testing.
Types of dynamic analysis
Computing the code coverage according to a test suite or a workload is a standard dynamic analysis technique.
- Gcov is the GNU source code coverage program.
- VB Watch injects dynamic analysis code into Visual Basic programs to monitor code coverage, call stack, execution trace, instantiated objects and variables.
Memory error detection
- Intel Inspector: Dynamic memory error debugger for C, C++, and Fortran applications that run on Windows* and Linux*..
- AddressSanitizer: Memory error detection for Linux, macOS, Windows, and more. Part of LLVM.
- BoundsChecker: Memory error detection for Windows based applications. Part of Micro Focus DevPartner.
- Dmalloc, library for checking memory allocation and leaks. Software must be recompiled, and all files must include the special C header file dmalloc.h.
- Purify: mainly memory corruption detection and memory leak detection.
- Valgrind runs programs on a virtual processor and can detect memory errors (e.g., misuse of malloc and free) and race conditions in multithread programs.
Fault localization refers to locating the buggy code (for example the buggy statement) according to failing and passing test cases. For example, Tarantula is a well-known fault localization approach based on the covered code. Fault localization illustrates an important property of dynamic analysis: the results on the analysis depend on the considered workload, inputs or test cases. For fault localization, it has been shown that one can refactor the test cases in order to get better results.
Daikon is an implementation of dynamic invariant detection. Daikon runs a program, observes the values that the program computes, and then reports properties that were true over the observed executions, and thus likely true over all executions.
Dynamic analysis can be used to detect security problems.
- IBM Rational AppScan is a suite of application security solutions targeted for different stages of the development lifecycle. The suite includes two main dynamic analysis products - IBM Rational AppScan Standard Edition, and IBM Rational AppScan Enterprise Edition. In addition, the suite includes IBM Rational AppScan Source Edition - a static analysis tool.
- Parasoft Jtest uses runtime error detection to expose defects such as race conditions, exceptions, resource & memory leaks, and security attack vulnerabilities.
- Intel Inspector performs run time threading and memory error analysis in Windows.
- Parasoft Insure++ is runtime memory analysis and error detection tool. Its Inuse component provides a graphical view of memory allocations over time, with specific visibility into overall heap usage, block allocations, possible outstanding leaks, etc.
- Google's Thread Sanitizer is a data race detection tool. It instruments LLVM IR to capture racy memory accesses.
For a given subset of a program’s behavior, program slicing consists of reducing the program to the minimum form that still produces the selected behavior. The reduced program is called a “slice” and is a faithful representation of the original program within the domain of the specified behavior subset. Generally, finding a slice is an unsolvable problem, but by specifying the target behavior subset by the values of a set of variables, it is possible to obtain approximate slices using a data-flow algorithm. These slices are usually used by developers during debugging to locate the source of errors.
- Prism from CriticalBlue is a tool that dynamically traces software applications at runtime and captures data that can be used to analyze and identify the causes of poor performance.
Most dynamic analysis techniques are based on some kind of code instrumentation or transformation.
- DynInst is a runtime code-patching library that is useful in developing dynamic program analysis probes and applying them to compiled executables. Dyninst does not require source code or recompilation in general, however, non-stripped executables and executables with debugging symbols are easier to instrument.
- Abstract interpretation
- Dynamic load testing
- Profiling (computer programming)
- Runtime verification
- Program analysis (computer science)
- Static code analysis
- Time Partition Testing
- Khatiwada, Saket; Tushev, Miroslav; Mahmoud, Anas (2018-01-01). "Just enough semantics: An information theoretic approach for IR-based software bug localization". Information and Software Technology. 93: 45–57. doi:10.1016/j.infsof.2017.08.012.
- Myers, G. J. (1979). The Art of Software Testing. John Wiley and Sons.
- Jones, James A.; Harrold, Mary Jean (2005). "Empirical evaluation of the tarantula automatic fault-localization technique". Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering - ASE '05. ACM. pp. 273–282. doi:10.1145/1101908.1101949. ISBN 1581139934.
- Xuan, Jifeng; Monperrus, Martin (2014). "Test case purification for improving fault localization". Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering - FSE 2014. pp. 52–63. CiteSeerX 10.1.1.477.2525. doi:10.1145/2635868.2635906. ISBN 9781450330565.