What is the difference between implementation of static analysis and symbolic execution?
Static analysis vs. symbolic execution in implementation
4.6k Views Asked by any At
2
There are 2 best solutions below
3
Ben Holland
On
I really like this slide by Julian Cohen's Contemporary Automatic Program Analysis talk. In a nutshell, people like to divide program analysis into two broad categories of static and dynamic analysis. But there is really a broad spectrum of program analysis techniques that range from static to dynamic and manual to fully automatic. Symbolic execution is an interesting technique that falls somewhere in between static and dynamic analysis and is generally applied as a fully automatic approach.
Related Questions in VALIDATION
- Terraform valdiate that one of N variables is set to "true"
- How to validate if Confirm Password is same or not with the Password in React Native using ValidateJS?
- How to create yup schema for dynamic array of different objects
- Quintic Number Number Counting Hash Function
- DropdownButtonFormField doesn't apply custom InputDecoration style
- Is there a way to set a cells value based on the value this cell held at a certain time, even when the cell value changes over time?
- Multiple regex expressions to check mobile number in javascript
- Java Pojos - Setter-Call (Field Touched) Detection
- Input Field Required
- Angular restore ngModel input field to it's previous value
- Bean Validaton : org.springframework.web.bind.MethodArgumentNotValidException
- javax validation not working on spring boot
- How to show warning message for unmatched confirm password
- Flutter TextFormField validation with Firestore
- eval_set in CatBoostRegressor
Related Questions in TESTING
- Using ES Modules with TS, and Jest testing(cannot use import statement outside module)
- Mocking AmazonS3 listObjects function in scala
- How to refer to the filepath of test data in test sourcecode?
- No tests found for given includes: [com.bright.TwitterAnalog.AuthenticationControllerSpec.Register user with valid request](--tests filter)
- Error WebMock::NetConnectNotAllowedError in testing with stub using minitest in rails (using Faraday)
- How to use Mockito for WebClient get call?
- Jest + JavaScript ES Modules
- How to configure api http request with load testing
- How can I make asserts on outbound HTTP requests?
- higher coefficient of determination values in the testing phase compared to the training phase
- Writing test methods with shared expensive set-up
- Slow performance when testing non-local IP services with Playwright
- uiState not updating in Tests
- Incorrect implementation of calloc() introduces division by zero and how to detect it via testing?
- How to test Creating and Cancelling Subscription in ThriveCart in Test Mode
Related Questions in STATIC-ANALYSIS
- Ansible role analysis with Checkov - facts evaluation?
- Flutter SonarQube: "The main branch has no lines of code."
- the expressionType and includePath of CDT parser
- Adding entry to program header table
- Static checker that number of arguments to python logging matches number of placeholders
- Why am I getting this error when using dataflow in Codeql
- How to disallow exception to curly_braces_in_flow_control_structures linter rule in dart?
- Security scan flagged local variable for heap inspection in C Function
- Is it possible to use Eclipse JDT static analysis for null annotations when compiling from the command line?
- Remove directory from sonar analyzer
- Sonar qube issue in using aes-256-cbc algoritm, stating Make sure that encrypting data is safe here
- Programming language/library that uses dataflow analysis to fetch only required data from the database
- Export comments from Fortify Software Security Center
- Changing lint configuration based on Cargo profile
- Can I reproduce eslint's "prefer-object-spread" rule using ast-grep?
Related Questions in VERIFICATION
- Error 553 5.7.2 [TSS09] When Sending Emails to Yahoo and Outlook
- Firebase/Google Cloud projects verification has no answer
- LinkedIn Posting API verification
- keep has_each for a list in Specman
- UVM agents - single/multiple?
- Meta for developers - Verification code too short
- UVM RAL: NULL pointer is dereference
- Check if a path exist in React Native
- Verification failed for Tuya IOS sdk in Flutter after Integration
- Add account verification and password recovery using tokens with react and postgres
- there is this problem in my next-oauthcongiguration it give me this error
- how to use python to split a logical statement and verify it one by one?
- How to generate a .dat file for verilator_coverage?
- delay-google-cloud-console-app-verification for 2 weeks without feedback
- Dafny linked queue implementation
Related Questions in SYMBOLIC-EXECUTION
- Is Symbolic Execution a formal Verification technique?
- How Can I execute a function in angr using concrete value?
- How can I translate z3::expr(bv_val) into a bit representation of a number?
- Why IR is needed for symbolic execution?
- How do I create a testcase that targets a specified branch?
- I am unable to get back the file I saved after exiting from the Klee
- Is this how to test a stateful API with klee symbolic execution?
- How to annotate a program to detect dead-code with z3-solver?
- how to apply constraints to heap side effects in angr
- How is Symbolic Execution different from Whitebox Fuzzing?
- Why is this Symbolic Execution with Z3 resulting in an error?
- In which circumstances we cannot use symbolic execution?
- instrument a java lambda using ASM
- how to use 'stdin' in angr
- Analyzing firmware file with angr
Trending Questions
- UIImageView Frame Doesn't Reflect Constraints
- Is it possible to use adb commands to click on a view by finding its ID?
- How to create a new web character symbol recognizable by html/javascript?
- Why isn't my CSS3 animation smooth in Google Chrome (but very smooth on other browsers)?
- Heap Gives Page Fault
- Connect ffmpeg to Visual Studio 2008
- Both Object- and ValueAnimator jumps when Duration is set above API LvL 24
- How to avoid default initialization of objects in std::vector?
- second argument of the command line arguments in a format other than char** argv or char* argv[]
- How to improve efficiency of algorithm which generates next lexicographic permutation?
- Navigating to the another actvity app getting crash in android
- How to read the particular message format in android and store in sqlite database?
- Resetting inventory status after order is cancelled
- Efficiently compute powers of X in SSE/AVX
- Insert into an external database using ajax and php : POST 500 (Internal Server Error)
Popular # Hahtags
Popular Questions
- How do I undo the most recent local commits in Git?
- How can I remove a specific item from an array in JavaScript?
- How do I delete a Git branch locally and remotely?
- Find all files containing a specific text (string) on Linux?
- How do I revert a Git repository to a previous commit?
- How do I create an HTML button that acts like a link?
- How do I check out a remote Git branch?
- How do I force "git pull" to overwrite local files?
- How do I list all files of a directory?
- How to check whether a string contains a substring in JavaScript?
- How do I redirect to another webpage?
- How can I iterate over rows in a Pandas DataFrame?
- How do I convert a String to an int in Java?
- Does Python have a string 'contains' substring method?
- How do I check if a string contains a specific word?
Static analysis is any off-line computation that inspects code and produces opinions about the code quality. You can apply this to source code, to virtual machine code for Java/C#/... virtual machine instruction sets, and even to binary object code. There is no "one" static analysis (although classic compiler control and dataflow often figure prominently as foundation machinery for SA); the term collectively applies to all types of mechanisms that might be used offline.
Symbolic execution is a specific kind of off-line computation that computes some approximation of what the program actually does by constructing formulas representing the program state at various points. It is called "symbolic" because the approximation is usually some kind of formula involving program variables and constraints on their values.
Static analysis may use symbolic execution and inspect the resulting formula. Or it may use some other technique (regular expressions, classic compiler flow analyses, ...) or some combination. But static analysis does not have to use symbolic execution.
Symbolic execution may be used just to show an expected symbolic result of a computation. That isn't static analysis by the above definition because there isn't any opinion formed about how good that result is. Or, the formula may be subjected to analysis, at which point it becomes part of a static analysis. As a practical matter, one may use other program analysis techniques to support symbolic execution ("this formula for variable is propagated to which reads of variable x?" is a question usually answered well by flow analysis).
You may insist that static analysis is any offline computation over your source code, at which point symbolic execution is just a special case. I don't find this definition helpful, because it doesn't discriminate between use cases well enough.