In contrast to dynamic testing, which requires the software to be executed, static testing techniques rely on manual examination (review) and automated analysis (static analysis) of the code or other project documentation, without executing the code.
Defects detected during audits carried out at the beginning of the life cycle are often much cheaper to remove than those detected during test execution.
Reviews, static analysis and dynamic testing share the same objective: the identification of defects. Compared to dynamic testing, static techniques find the causes of potential ‘failures’ (that is, defects) rather than the ‘failures’ themselves.
MANUAL STATIC ANALYSIS, OR REVIEW
The main manual activity is to examine a work product and comment on it properly. Every product of software development work may be subject to review.
Typical defects that are easier to find in reviews than in dynamic testing are: deviations from standards, requirements defects, design flaws, incorrect specification of the interfaces.
A formal review typically follows these main steps:
- Schedule;
- Kick-off;
- Individual preparation: identification of potential defects and preparation of possible questions and comments;
- Examination/assessment/reporting of results (review meeting);
- Rework: correction of the defects found (typically carried out by the author);
- Follow-up.
STATIC ANALYSIS WITH TOOLS
Static analysis tools analyze the program code (e.g., control flow and data flow), as well as generated output such as HTML and XML.
Typical defects discovered by static analysis tools include:
- references to variables with an undefined value;
- inconsistency of the interfaces between modules and components;
- variables that are never used;
- unreachable code (often called dead code);
- overly complicated constructs;
- violations of programming standards;
- security vulnerabilities;
- syntax violations in code and software models.
Static analysis tools are typically used by developers before and during component and integration testing, or when checking code in to configuration management tools, and by designers during software modeling. Static analysis tools can produce a large number of warning messages, which need to be handled in a timely manner to allow the most effective use of the tool.
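A minimal checker for three of the defect classes listed above (variables that are never used, unreachable code, security vulnerabilities), as an added example that is not part of the original text. It parses Python source with the standard `ast` module and never executes it; the sample function, the rule names and the choice of `eval`/`exec` as risky calls are assumptions made for this illustration.

```python
import ast

# Constructed sample input: parsed as text, never executed.
SAMPLE = '''
def price(total, rate, formula):
    discount = total * rate
    audit_tag = "Q3"
    if total < 0:
        raise ValueError("negative total")
        total = 0
    return eval(formula) - discount
'''

TERMINATORS = (ast.Return, ast.Raise, ast.Break, ast.Continue)
RISKY_CALLS = {"eval", "exec"}  # assumed rule set for this example


def analyze(source):
    """Return sorted (line, rule, detail) findings for Python source text."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        # Unreachable code: a statement that follows a terminator in its block.
        for field in ("body", "orelse", "finalbody"):
            block = getattr(node, field, None)
            if not isinstance(block, list):
                continue
            for prev, stmt in zip(block, block[1:]):
                if isinstance(prev, TERMINATORS):
                    findings.add((stmt.lineno, "unreachable-code", type(prev).__name__))
                    break
        # Security vulnerability candidate: call to a risky builtin by name.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in RISKY_CALLS):
            findings.add((node.lineno, "risky-call", node.func.id))
        # Never-used variable: stored inside a function but never loaded there.
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            names = [n for n in ast.walk(node) if isinstance(n, ast.Name)]
            loaded = {n.id for n in names if isinstance(n.ctx, ast.Load)}
            for n in names:
                if isinstance(n.ctx, ast.Store) and n.id not in loaded:
                    findings.add((n.lineno, "unused-variable", n.id))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule, detail in analyze(SAMPLE):
        print(f"line {line}: {rule} ({detail})")
```

The unused-variable rule is a heuristic (a name read only through `locals()` would still be flagged), which is the kind of warning message that has to be triaged.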