Lawrence Livermore National Laboratory

Quantifying the Value of Static Analysis
Date 5/19/2011

William B. Oliver
Lawrence Livermore National Laboratory, P. O. Box 808, Livermore, CA 94551
This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract DE-AC52-07NA27344

LLNL-PRES-490136
What is Static Analysis
• The use of tools during pre-testing to remove structural defects

(Figure: Software Developer)

Lawrence Livermore National Laboratory
Option:UCRL#

Option:Additional Information

2
What is Static Analysis
• Static analysis tools provide an in-depth analysis of source code to find defects.

What is Static Analysis
• Finds defects that compilers and traditional testing miss

What is Static Analysis
• Defect types include but are not limited to:
  • Use of uninitialized variables
  • Memory leaks
  • Null pointer dereferences
  • Array bounds overflows (and many others)

Why Incorporate Static Analysis
• Static analysis finds additional defects
• Better code coverage
• Reduced developer debug time
• Advanced tools find defects inter-procedurally
• Uncovers structural defects that can cause functional defects
• Finds defects missed during code reviews/walk-throughs

Inter-Procedural Analysis
(Diagram: foo(x) in File A, bar(y) in File B, and foobar(z) in File C, analyzed across the file boundaries)

Why Incorporate Static Analysis
Enhances Dynamic Testing

• Dynamic testing does not generally uncover memory leaks and other structural defects
• Static analysis provides 100% code coverage
• Structural defects such as array bounds overflows can cause functional defects

“They are best used in combination with traditional dynamic testing techniques, and can even reduce the cost to create and manage test cases for stringent run-time coverage.”
Dr. Paul Anderson PhD

Structural Defects vs Functional Defects

Structural Defects (SD): relate to conformance to the programming language rules and syntax
• Uninitialized Data
• Memory/Resource Leaks
• Array Bounds Overflows
• Null Pointer Dereferences

Structural Defects vs Functional Defects

Functional Defects (FD): associated with features, performance, availability, etc.; found during dynamic testing
Some causes include:
• Solving the wrong problem
• Code logic errors
• System integration issues

Uninitialized Data
(Diagram: the values x, y, z of uninitialized variables come from a random set of values rather than from the correct set of values, the set of right answers)

Memory/Resource Leaks

Array Bounds Overflow

NULL Pointer Dereference
(Diagram: the pointer is a memory location that contains the address of another memory location; the value is the contents of the address pointed to by the pointer)

NULL Pointer Dereference

Pointer = NULL
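The four structural-defect classes listed on slides 5–8 and 12 and illustrated on slides 14–18, as an added C example that is not part of the original deck. Each defect appears in the form a static analyzer would flag next to its corrected form; every function, struct and table name (sum_fixed, word_len_fixed, find_record, copy_tag_fixed and so on) is illustrative, the record table is a constructed sample, and the flagged variants are kept only to show the pattern and are never called.

```c
/* Added example, not code from the LLNL deck: one small C function per
 * structural-defect class on the slides, each in the form a static analyzer
 * flags next to its corrected form. The *_flagged functions only show the
 * pattern and are never called; every name here is illustrative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_LEN 8
/* 1. Uninitialized data: `total` starts as whatever the stack slot held, so the
 *    result comes from slide 14's "random set of values". */
int sum_flagged(const int *v, int count)
{
    int total;                        /* analyzer: may be used uninitialized */
    for (int i = 0; i < count; i++)
        total += v[i];
    return total;
}

int sum_fixed(const int *v, int count)
{
    int total = 0;                    /* initialized at its declaration */
    for (int i = 0; i < count; i++)
        total += v[i];
    return total;
}

/* 2. Memory leak: the early return after malloc() drops the only reference. */
int word_len_flagged(const char *text)
{
    char *copy = malloc(strlen(text) + 1);
    if (copy == NULL) return -1;
    strcpy(copy, text);
    if (copy[0] == '#') return 0;     /* analyzer: `copy` is leaked on this path */
    int n = (int)strlen(copy);
    free(copy);
    return n;
}

int word_len_fixed(const char *text)
{
    char *copy = malloc(strlen(text) + 1);
    if (copy == NULL) return -1;
    strcpy(copy, text);
    int n = (copy[0] == '#') ? 0 : (int)strlen(copy);
    free(copy);                       /* one exit path, always freed */
    return n;
}

/* 3. NULL pointer dereference (slides 17-18): the pointer holds the address of
 *    a record; when the lookup fails it holds NULL and there is nothing to read. */
struct record { int id; const char *name; };
static const struct record TABLE[] = { {1, "alice"}, {2, "bob"} };  /* constructed sample */

const struct record *find_record(int id)
{
    for (size_t i = 0; i < sizeof TABLE / sizeof TABLE[0]; i++)
        if (TABLE[i].id == id) return &TABLE[i];
    return NULL;                      /* "Pointer = NULL" */
}

const char *name_flagged(int id)
{
    return find_record(id)->name;     /* analyzer: find_record() may return NULL */
}

const char *name_fixed(int id)
{
    const struct record *r = find_record(id);
    return r ? r->name : "(unknown)"; /* checked before the dereference */
}

/* 4. Array bounds overflow: `n` bytes written into an 8-byte buffer unchecked. */
size_t copy_tag_flagged(const char *src, size_t n)
{
    char buf[BUF_LEN];
    for (size_t i = 0; i < n; i++)
        buf[i] = src[i];              /* analyzer: index may reach BUF_LEN or beyond */
    return n;
}

size_t copy_tag_fixed(const char *src, size_t n)
{
    char buf[BUF_LEN];
    size_t limit = n < BUF_LEN - 1 ? n : BUF_LEN - 1;   /* leave room for '\0' */
    memcpy(buf, src, limit);
    buf[limit] = '\0';
    return strlen(buf);               /* bytes actually stored */
}

int main(void)
{
    printf("sum=%d len=%d name=%s stored=%zu\n",
           sum_fixed((const int[]){3, 4, 5}, 3), word_len_fixed("hello"),
           name_fixed(9), copy_tag_fixed("abcdefghijkl", 12));
    return 0;
}
```

Only the *_fixed functions are exercised. The point of the pairing is that each flagged form is code the compiler accepts and a test may never reach (the leak happens only on a `#` input, the NULL only for an unknown id, the overflow only for a long tag), which is exactly the class of defect the slides say compilers and traditional testing miss.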

Typical Static Analysis Work Flow
(Cycle: Perform Static Analysis → Analyze Defects → Fix Defects → Test Fixes → Add Features → back to Perform Static Analysis)

Advantages for Testers
• Less wasted time
• Allows more time for test case development
• Better test cases

Assumptions About Time to Find Defects
One million lines of code

Static Analysis:
• 1000 defects
• 20 percent false positives
• 800 valid defects
• Time to run code through tool negligible
• Ten minutes per defect to triage

Dynamic Testing:
• Automated testing: 1 hour per defect (includes test case development, test evaluation, test report generation)
• Manual testing: 2 hours per defect
• 1000 defects

Automated Testing
TD = Total Defects = SD + FD
Time = Time to find SD + Time to find FD
TD = 800 + 1000 = 1800
SD Time = (1000 defects × 10 min/defect) / 60 min/hour = 166.67 hours (all 1000 findings are triaged, the 200 false positives included)
Time = 166.67 + 1000 = 1166.67 hours
Time/TD = 1166.67/1800 = 0.65 hours/defect = 39 minutes per defect

Test Case: Automated Testing
Code Type: Scientific Simulation
Programming Language: C++
Number of Developers: 4
Source Lines of Code Analyzed: 161,880
Total Number SD Found: 528
Total Number SD Analyzed: 190
Number of False Positives: 55
Average Analysis Time/Defect: 8.9 minutes

Test Case: Automated Testing
TD = Total Defects = SD + FD
FD = 297 for dynamic testing at 1 hour per defect
SD = 190 analyzed − 55 false positives = 135 valid defects
TD = 135 + 297 = 432
SD Time = (190 defects × 8.9 min/defect) / 60 min/hour = 28 hours
Time = 28 + 297 = 325 hours
Time/TD = 325/432 = 0.75 hours/defect = 45 minutes per defect

Just For Fun: What If All 528 Defects Were Triaged?
Assuming 28% false positive rate
Total Number SD Found: 528
Total Number SD Analyzed: 528
Number of False Positives: 148
Average Analysis Time/Defect: 8.9 minutes

Estimated number of real defects = 380
Estimated Time = (528 × 8.9) / 60 = 78 hours
TD = 380 + 297 = 677
Time = 78 + 297 = 375 hours
Time/TD = 375/677 = 0.55 hours/defect = 33 minutes per defect
Manual Testing
Code Type: Security Access
Programming Language: C#
Number of Developers:
Total Number SD Found: 76
Total Number SD Analyzed: 35
Number of False Positives: 0
Average Analysis Time/Defect: 3.4 minutes

Manual Testing
FD = 339 for dynamic testing at 5 hours per defect (339 × 5 = 1695 hours)
TD = 35 + 339 = 374
SD Time = (35 defects × 3.4 min/defect) / 60 min/hour = 2 hours
Time = 2 + 1695 = 1697 hours
Time/TD = 1697/374 = 4.5 hours/defect
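The time-per-defect model of slides 21–27, as one function in an added C example that is not from the deck; the struct and function names (scenario, hours_per_defect, expected_valid, minutes_per_defect, DECK) are illustrative. It reproduces the four figures the slides report (39, 45 and 33 minutes, and 4.5 hours per defect) from the slides' own inputs and prints the dynamic-only figure beside each for comparison.

```c
/* Added example (not from the LLNL deck): the deck's time-per-defect model as
 * one function, applied to the four scenarios on slides 22, 24, 25 and 27.
 * Inputs: the number of static-analysis (SD) findings triaged, how many of
 * them were false positives, the triage minutes per finding, the number of
 * functional defects (FD) found by dynamic testing and the hours each one
 * costs. Tool run time is treated as negligible, as slide 21 assumes.
 * All type and function names are illustrative. */
#include <stdio.h>

struct scenario {
    const char *label;
    int sd_triaged;            /* SD findings looked at, false positives included */
    int sd_false_positives;    /* findings that turned out not to be defects */
    double triage_min;         /* minutes spent per finding */
    int fd;                    /* functional defects found by dynamic testing */
    double fd_hours;           /* hours per functional defect */
};

/* Every triaged finding costs time, but only the valid ones count as defects:
 * triage time for all findings is divided by (valid SD + FD). */
double hours_per_defect(const struct scenario *s)
{
    int valid_sd = s->sd_triaged - s->sd_false_positives;
    double sd_hours = s->sd_triaged * s->triage_min / 60.0;
    double fd_hours = s->fd * s->fd_hours;
    int total_defects = valid_sd + s->fd;
    if (total_defects <= 0) return 0.0;
    return (sd_hours + fd_hours) / total_defects;
}

/* Round to whole minutes, as the slides report. */
int minutes_per_defect(const struct scenario *s)
{
    return (int)(hours_per_defect(s) * 60.0 + 0.5);
}

/* Slide 25's "what if all findings were triaged": valid defects expected when
 * a false-positive rate is applied to the full set of findings (528 at 28 % -> 380). */
int expected_valid(int sd_found, double fp_rate)
{
    return (int)(sd_found * (1.0 - fp_rate) + 0.5);
}

/* The deck's four scenarios, with the numbers as stated on the slides. */
static const struct scenario DECK[] = {
    {"Slide 22: 1 MLOC model, automated",       1000, 200, 10.0, 1000, 1.0},
    {"Slide 24: C++ simulation, 190 triaged",    190,  55,  8.9,  297, 1.0},
    {"Slide 25: C++ simulation, all 528",        528, 148,  8.9,  297, 1.0},
    {"Slide 27: C# access code, manual",          35,   0,  3.4,  339, 5.0},
};
#define DECK_LEN (sizeof DECK / sizeof DECK[0])

int main(void)
{
    for (size_t i = 0; i < DECK_LEN; i++) {
        const struct scenario *s = &DECK[i];
        printf("%-40s %5.2f h/defect (%3d min); dynamic testing alone: %.2f h/defect\n",
               s->label, hours_per_defect(s), minutes_per_defect(s), s->fd_hours);
    }
    printf("expected valid defects in 528 findings at 28%% FP: %d\n",
           expected_valid(528, 0.28));
    return 0;
}
```

The one modelling choice worth seeing in code is that triage time is charged for every finding, false positives included, while only the valid findings count in the denominator. That is why the slide 25 scenario comes out cheaper per defect than slide 24 even though the triage time per finding stays at 8.9 minutes: more valid defects are found for a proportionally similar amount of triage.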

Bottom Line

Combined with dynamic testing, static analysis results in finding more defects, and the organization spends less time per defect in the process.
Summary

For static analysis the time to find a defect is less than or equal to 10 minutes.

Dynamic Testing:
Automated: 1 hour per defect
Manual: 4–5 hours per defect
New Breed of Tester

(Diagram: the tester performs static analysis and analyzes defects)

Questions???


Editor's Notes

  1. Perform Static Analysis: Check out code and build with the static analysis tool (usually automated via a nightly run after all code has been checked into the repository); supports continuous integration. Analyze Defects: Developers review results, mark each finding as either a False Positive or a Defect Needing to be Fixed, and set priorities. Fix Defects: Developers fix defects from the analysis phase. Test Fixes: Developers perform the necessary unit tests to verify that the code provides the required functionality. Add Functionality: Developers continue the development process. Code check-in occurs here.
  2. Less Wasted Time: By applying static analysis, the code is more testable the first time it is delivered to the test team, allowing the test team to test more functionality early in the test cycle. Also, by fixing structural defects during software development, some functional defects get fixed. Allows more time for test case development: Testers can now focus on what they do best, developing test cases. Better Test Cases: Testers have more time to add test cases that improve code coverage.
  3. Time per defect varied considerably among developers, from a little over 52 minutes per defect to as low as 3.58 minutes per defect, attributable to the learning curve. The above numbers reflect the top three severity levels (Critical, Severe, Error) only.