By
G. Gowrilatha, MSc (Info Tech)
Department of CS & IT
Nadar Saraswathi College of Arts and Science,
Theni
Static Analysis & Symbolic Execution
1. Static analysis is a technique for assessing the structural
characteristics of source code, or any notational representation that
conforms to well-defined syntactic rules.
2. The present discussion is restricted to static analysis of source
code.
3. Static analysis can be performed manually using walkthrough or
inspection techniques; however, the term "static analysis" is most
often used to refer to analysis of program structure by an automated
tool (RAM75, MIL75, FOS76, SOF80, GRC83).
4. A static analyzer will typically construct a symbol table and a
graph of control flow for each subprogram, as well as a call graph
for the entire program.
Static analysis
5. The symbol table contains information about each variable: its type
attributes, the statement where it is declared, the statements where it
is set to a new value, and the statements where it is used to provide
values.
6. The nodes in a control-flow graph correspond to basic blocks of
source code, and the arcs represent possible transfers of control
between blocks.
7. A basic block of source code has the property that if the first
statement in the block is executed, every statement in the block will
be executed.
8. Given a control-flow graph and a symbol table that contains, for each
variable in a subprogram, the statement numbers where the variable
is declared, set, and used, a static analyzer can determine data flow
information.
Static analyzers typically produce lists of errors and questionable
coding practices, such as uninitialized variables (on some control
paths or on all paths), variables that are declared but never used,
and variables that are set but not subsequently used (on some paths
or on all paths).

[Figure: flowchart of the code fragment below: Start, READ Y, test
Y < 0, X <- X + Y or X <- Y, STOP]

    ...
    READ Y;
    IF Y < 0 then
        X <- X + Y;
    else
        X <- Y;
    end if;
    ...

A variable that is set but not used on any subsequent control
path, or a variable that is declared but never used, is not an error,
but it is an anomaly that may be symptomatic of an error.
Departures from coding standards, such as using non-ANSI
FORTRAN constructs, backward GOTO transfers of control, or
jumps into loop bodies, can also be detected by static analysis.
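
The data-flow check described above, applied to the fragment that reads Y and then assigns X in both branches. This is an added example, not part of the original slides; the block names, BLOCKS, EDGES and uninitialized_uses are this example's own, and the control-flow graph is constructed by hand rather than parsed from source.

```python
# Added example: find variables that may be used before being set,
# from a control-flow graph plus per-statement set/use information.

# One entry per basic block; each statement is (variable set or None, variables used).
BLOCKS = {
    "entry": [("Y", [])],            # READ Y
    "test":  [(None, ["Y"])],        # IF Y < 0
    "then":  [("X", ["X", "Y"])],    # X <- X + Y
    "else":  [("X", ["Y"])],         # X <- Y
    "exit":  [],                     # STOP
}
EDGES = {"entry": ["test"], "test": ["then", "else"],
         "then": ["exit"], "else": ["exit"], "exit": []}

def uninitialized_uses(blocks, edges, start="entry"):
    """Return sorted (block, variable) pairs where a use is reached by a path with no prior set."""
    preds = {b: [p for p in edges if b in edges[p]] for b in blocks}
    every = {s for stmts in blocks.values() for s, _ in stmts if s}
    out = {b: set(every) for b in blocks}    # optimistic start for a "set on all paths" analysis

    def inflow(b):
        # Variables set on every path that reaches the top of block b.
        if b == start or not preds[b]:
            return set()
        return set.intersection(*(out[p] for p in preds[b]))

    changed = True
    while changed:                           # iterate to a fixed point
        changed = False
        for b, stmts in blocks.items():
            new = inflow(b) | {s for s, _ in stmts if s}
            if new != out[b]:
                out[b], changed = new, True

    findings = []
    for b, stmts in blocks.items():
        defined = inflow(b)
        for target, used in stmts:
            findings += [(b, v) for v in used if v not in defined]
            if target:
                defined.add(target)
    return sorted(findings)

if __name__ == "__main__":
    print(uninitialized_uses(BLOCKS, EDGES))
```

The only finding is X in the Y < 0 branch, where X + Y reads X before any statement has set it.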
Symbolic execution is a validation technique in which the input
variables of a program unit are assigned symbolic values rather
than literal values.
A program is analyzed by propagating the symbolic values of
the inputs into the operands in expressions. The resulting symbolic
expressions are simplified at each step in the computation so that
all intermediate computations and decisions are always expressed
in terms of the symbolic inputs.
When a variable that holds a symbolic value is used in subsequent
expressions, its current symbolic value is used. In this manner, all
computations and decisions are expressed as symbolic values of the inputs.
Symbolic Execution
PROGRAM                                  SYMBOLIC EXECUTION
READ(B,C);                               B <- b; C <- c;
A := B + C;                              A <- b + c;
X := A * C;                              X <- (b + c) * c;
IF (A <= X) THEN                         (b + c) <= (b + c) * c
    - - - - - - - - - - I
    - - - - - - - - - -
ELSE IF (B >= 1) OR (B <= -1) THEN       (b >= 1) OR (b <= -1)
    - - - - - - - - - - II
    - - - - - - - - - -
ELSE
    - - - - - - - - - - III
    - - - - - - - - - -
The predicates of IF statements can be conjoined to form path
conditions that describe the constraints under which various segments
of code will be executed.
The path conditions give the boundaries between regions I, II, and III
as functions of the symbolic input values b and c. Any literal values
of b and c chosen from region I, II, or III will result in execution of
code segment I, II, or III, respectively.
Symbolic execution can thus be used to derive path conditions
that can be solved to find input data values that will drive a
program along a particular execution path, provided all predicates
in the corresponding path condition are linear.
I:   [(b + c) <= (b + c) * c]
II:  [(b + c) > (b + c) * c] AND [(b >= 1) OR (b <= -1)]
III: [(b + c) > (b + c) * c] AND [(-1 < b < +1)]
Figure: Functions of the symbolic input values.
When the predicates are nonlinear in the input values, the path
condition may or may not be solvable because systems of nonlinear
inequalities are in general unsolvable.
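
Deriving the three path conditions by symbolic execution and then finding inputs that drive each path, as an added example that is not part of the original slides. It reads the program's comparison operators as <= and >=; the Sym class, GRID and the grid search that stands in for a constraint solver are assumptions of this example.

```python
import itertools, operator

class Sym:
    """Symbolic value: display text plus a function that evaluates it on concrete inputs."""
    def __init__(self, text, fn):
        self.text, self.fn = text, fn
    def _bin(self, other, name, op):
        if not isinstance(other, Sym):                      # lift a literal constant
            other = Sym(str(other), lambda env, k=other: k)
        return Sym(f"({self.text} {name} {other.text})",
                   lambda env: op(self.fn(env), other.fn(env)))
    def __add__(self, o): return self._bin(o, "+", operator.add)
    def __mul__(self, o): return self._bin(o, "*", operator.mul)
    def __le__(self, o): return self._bin(o, "<=", operator.le)
    def __ge__(self, o): return self._bin(o, ">=", operator.ge)
    def __or__(self, o): return self._bin(o, "OR", operator.or_)
    def __and__(self, o): return self._bin(o, "AND", operator.and_)
    def __invert__(self): return Sym(f"NOT {self.text}", lambda env: not self.fn(env))

def path_conditions():
    """Symbolically execute the program and return one path condition per region."""
    b = Sym("b", lambda env: env["b"])       # READ(B, C): B <- b
    c = Sym("c", lambda env: env["c"])       #             C <- c
    a = b + c                                # A := B + C
    x = a * c                                # X := A * C
    first = a <= x                           # IF (A <= X)
    second = (b >= 1) | (b <= -1)            # ELSE IF (B >= 1) OR (B <= -1)
    return {"I": first, "II": ~first & second, "III": ~first & ~second}

GRID = [k / 2 for k in range(-6, 7)]         # constructed search space: -3.0 .. 3.0

def solve(cond):
    """Stand-in for a constraint solver: first grid point satisfying the condition."""
    for b, c in itertools.product(GRID, repeat=2):
        if cond.fn({"b": b, "c": c}):
            return b, c
    return None

def run(b, c):
    """Concrete execution of the same program; returns the region reached."""
    a = b + c
    x = a * c
    if a <= x:
        return "I"
    if b >= 1 or b <= -1:
        return "II"
    return "III"

if __name__ == "__main__":
    for region, cond in path_conditions().items():
        print(region, cond.text, "->", solve(cond))
```

Region III has no integer solution (b would have to be 0, and c <= c*c holds for every integer c), which is why the search grid uses half steps.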
The execution requires a selection of paths that are exercised by a
set of data values. A program that is executed using actual data
results in the output of a series of values.
In symbolic execution, the data is replaced by symbolic values, and
the result is a set of expressions, one expression per output variable.
Thank You
