Software analysis is an essential part of software development processes and to become an expert in it, you need to learn all about its theory and practices. This type of analysis will involve diagnosing bugs, testing, debugging, and more modification of software.
Ensuring that programs are working the way it is supposed to be is the main reason why this [course_title] is created. Taking this course will give you techniques on how to conduct dataflow analysis, constraint-based analysis, and other implementing tools.
Assessment
This course does not involve any written exams. Students need to answer 5 assignment questions to complete the course, the answers will be in the form of written work in pdf or word. Students can write the answers in their own time. Each answer needs to be 200 words (1 Page). Once the answers are submitted, the tutor will check and assess the work.
Certification
Edukite courses are free to study. To successfully complete a course you must submit all the assignment of the course as part of the assessment. Upon successful completion of a course, you can choose to make your achievement formal by obtaining your Certificate at a cost of £49.
Having an Official Edukite Certification is a great way to celebrate and share your success. You can:
- Add the certificate to your CV or resume and brighten up your career
- Show it to prove your success
Course Credit: Georgia Institute of Technology
Course Curriculum
| Introduction to Software Analysis | |||
| Intro to Software Analysis and Testing | 00:01:00 | ||
| Why Take This Course? | 00:01:00 | ||
| Ariane Rocket Disaster | 00:01:00 | ||
| Ariane Disaster Post-Mortem | 00:01:00 | ||
| Security Vulnerabilities | 00:01:00 | ||
| What Is Program Analysis? | 00:01:00 | ||
| Dynamic Program Analysis | 00:01:00 | ||
| Static Program Analysis | 00:01:00 | ||
| Program Invariants | 00:01:00 | ||
| Discovering Invariants 1 | 00:02:00 | ||
| Discovering Invariants 2 | 00:01:00 | ||
| Terminology | 00:02:00 | ||
| Example Static Analysis Problem | 00:01:00 | ||
| Iterative Approximation 1 | 00:02:00 | ||
| Iterative Approximation | 00:01:00 | ||
| Dynamic vs. Static Analysis | 00:01:00 | ||
| Undecidability of Program Properties | 00:01:00 | ||
| Who Needs Program Analysis? | 00:01:00 | ||
| 00:00 | |||
| Software Quality Tools | 00:01:00 | ||
| Integrated Development Environments | 00:01:00 | ||
| What Have We Learned? | 00:02:00 | ||
| Introduction to Software Testing | |||
| Introduction to Software Testing | 00:01:00 | ||
| Software Development Today | 00:01:00 | ||
| Key Observations | 00:01:00 | ||
| The Need for Specifications | 00:01:00 | ||
| Developer != Tester | 00:01:00 | ||
| Other Observations | 00:01:00 | ||
| Outline of This Lesson | 00:01:00 | ||
| Classification of Testing Approaches | 00:01:00 | ||
| Automated vs. Manual Testing | 00:01:00 | ||
| Black Box vs. White Box Testing | 00:02:00 | ||
| An Example: Mobile App Security | 00:01:00 | ||
| The Automated Testing Problem | 00:01:00 | ||
| Using Pre- and Post-Conditions | 00:01:00 | ||
| Conditions Example | 00:01:00 | ||
| More on Pre- and Post-Conditions | 00:01:00 | ||
| Using Pre- and Post-Conditions | 00:01:00 | ||
| Pre-Conditions | 00:01:00 | ||
| Post-Conditions | 00:01:00 | ||
| Executable Post-Condition | 00:01:00 | ||
| How Good Is Your Test Suite? | 00:02:00 | ||
| Code Coverage Metrics | 00:02:00 | ||
| Types of Code Coverage | 00:01:00 | ||
| Mutation Analysis | 00:02:00 | ||
| Mutation Analysis 1 | 00:01:00 | ||
| Mutation Analysis 2 | 00:01:00 | ||
| A Problem | 00:01:00 | ||
| What Have We Learned? | 00:01:00 | ||
| Reality | 00:01:00 | ||
| Random Testing | |||
| Introduction to Random Testing | 00:01:00 | ||
| Random Testing (Fuzzing) | 00:01:00 | ||
| The Infinite Monkey Theorem | 00:01:00 | ||
| Random Testing: Case Studies | 00:01:00 | ||
| A Popular Fuzzing Study | 00:01:00 | ||
| Fuzzing UNIX Utilities: Aftermath | 00:01:00 | ||
| A Silver Lining: Security Bugs | 00:02:00 | ||
| Fuzz Testing for Mobile Apps | 00:03:00 | ||
| Generating Multiple Input Events | 00:01:00 | ||
| Generating Gestures | 00:01:00 | ||
| Grammar of Monkey Events | 00:01:00 | ||
| Monkey Events | 00:01:00 | ||
| Testing Concurrent Programs | 00:03:00 | ||
| Cuzz: Fuzzing Thread Schedules | 00:01:00 | ||
| Depth of a Concurrency Bug 1 | 00:01:00 | ||
| Depth of a Concurrency Bug 2 | 00:01:00 | ||
| Concurrency Bug Depth | 00:01:00 | ||
| Cuzz Algorithm | 00:02:00 | ||
| Probabilistic Guarantee | 00:01:00 | ||
| Proof of Guarantee (Sketch) | 00:03:00 | ||
| Measured vs. Worst-Case Probability | 00:02:00 | ||
| Cuzz: Case Study | 00:01:00 | ||
| Cuzz: Key Takeaways | 00:01:00 | ||
| Random Testing: Pros and Cons | 00:02:00 | ||
| Coverage of Random Testing | 00:01:00 | ||
| What Have We Learned? | 00:01:00 | ||
| Automated Test Generation | |||
| Intro to Automated Test Generation | 00:01:00 | ||
| Outline AN | 00:01:00 | ||
| The Problem | 00:01:00 | ||
| An Insight | 00:01:00 | ||
| How Do We Generate Test Inputs? | 00:01:00 | ||
| Scheme for Representing Shapes | 00:01:00 | ||
| Representing Shapes | 00:01:00 | ||
| A Simple Algorithm | 00:01:00 | ||
| Enumerating Shapes | 00:01:00 | ||
| The General Case for Binary Trees | 00:01:00 | ||
| A Lot of Trees! | 00:01:00 | ||
| An Overestimate | 00:01:00 | ||
| How Many Trees? | 00:01:00 | ||
| Another Insight | 00:01:00 | ||
| The Technique | 00:01:00 | ||
| The Pre-Condition for Binary Trees 1 | 00:01:00 | ||
| The Pre-Condition for Binary Trees 2 | 00:04:00 | ||
| Example Using the Pre-Condition | 00:01:00 | ||
| Enumerating Tests | 00:02:00 | ||
| Example: Enumerating Binary Trees | 00:03:00 | ||
| Enumerating Binary Trees 1 | 00:01:00 | ||
| Enumerating Binary Trees 2 | 00:01:00 | ||
| Experimental Results | 00:01:00 | ||
| Strengths and Weaknesses | 00:02:00 | ||
| Weaknesses | 00:02:00 | ||
| Feedback-Directed Random Testing | 00:02:00 | ||
| Overview | 00:01:00 | ||
| Randoop | 00:02:00 | ||
| Randoop Algorithm | 00:03:00 | ||
| Classifying a Sequence | 00:01:00 | ||
| Illegal Sequences | 00:01:00 | ||
| Redundant Sequences | 00:02:00 | ||
| Some Errors Found by Randoop | 00:02:00 | ||
| Randoop Test Generation 1 | 00:01:00 | ||
| Randoop Test Generation 2 | 00:01:00 | ||
| Randoop Test Generation 3 | 00:01:00 | ||
| Korat and Randoop | 00:01:00 | ||
| Test Generation: The Bigger Picture | 00:01:00 | ||
| What Have We Learned? | 00:01:00 | ||
| Dataflow Analysis | |||
| Introduction to Dataflow Analysis | 00:01:00 | ||
| What Is Dataflow Analysis? | 00:01:00 | ||
| The While Language | 00:03:00 | ||
| Control-Flow Graphs | 00:01:00 | ||
| Control-Flow Graphs 2 | 00:01:00 | ||
| Soundness, Completeness & Termination | 00:01:00 | ||
| Abstracting Control-Flow Conditions | 00:01:00 | ||
| Applications of Dataflow Analysis | 00:01:00 | ||
| Reaching Definitions Analysis | 00:05:00 | ||
| Reaching Definitions Analysis 2 | 00:03:00 | ||
| Result of Dataflow Analysis (Informally) | 00:01:00 | ||
| Result of Dataflow Analysis (Formally) | 00:01:00 | ||
| RDA Operation 1 | 00:01:00 | ||
| RDA Operation 2 | 00:02:00 | ||
| RDA Chaotic Iteration Algorithm | 00:01:00 | ||
| Reaching Definitions Analysis Example | 00:02:00 | ||
| Reaching Definitions Analysis 3 | 00:01:00 | ||
| Does It Always Terminate? | 00:01:00 | ||
| Very Busy Expressions Analysis | 00:01:00 | ||
| VBEA Operation 1 | 00:01:00 | ||
| VBEA Operation 2 | 00:02:00 | ||
| VBEA Chaotic Iteration Algorithm | 00:01:00 | ||
| Very Busy Expressions Analysis Example | 00:02:00 | ||
| Very Busy Expressions Analysis 2 | 00:01:00 | ||
| Available Expressions Analysis | 00:01:00 | ||
| Available Expressions Analysis 2 | 00:03:00 | ||
| Live Variables Analysis | 00:01:00 | ||
| Live Variables Analysis 2 | 00:02:00 | ||
| Overall Pattern of Dataflow Analysis | 00:02:00 | ||
| Reaching Definitions Analysis 4 | 00:01:00 | ||
| Very Busy Expression Analysis | 00:01:00 | ||
| Available Expressions Analysis 3 | 00:01:00 | ||
| Live Variables Analysis 3 | 00:01:00 | ||
| Classifying Dataflow Analyses | 00:01:00 | ||
| What Have We Learned? | 00:01:00 | ||
| Pointer Analysis | |||
| Introduction to Pointer Analysis | 00:01:00 | ||
| Introducing Pointers | 00:03:00 | ||
| Pointer Aliasing | 00:01:00 | ||
| May-Alias Analysis | 00:02:00 | ||
| Why Is Pointer Analysis Hard? | 00:02:00 | ||
| Approximation to the Rescue | 00:03:00 | ||
| Approximation to the Rescue 2 | 00:01:00 | ||
| Example Java Program | 00:03:00 | ||
| Abstracting the Heap | 00:02:00 | ||
| Abstracting Control Flow | 00:02:00 | ||
| Chaotic Iteration Algorithm | 00:01:00 | ||
| Kinds of Statements | 00:01:00 | ||
| Is This Grammar Enough? | 00:02:00 | ||
| Example Program in Normal Form | 00:01:00 | ||
| Normal Form of Programs | 00:01:00 | ||
| Rule for Object Allocation Sites | 00:02:00 | ||
| Rule for Object Copy | 00:01:00 | ||
| Rule for Field Writes | 00:02:00 | ||
| Rule for Field Reads | 00:02:00 | ||
| Pointer Analysis Example 2 | 00:01:00 | ||
| Pointer Analysis Example 2 | 00:01:00 | ||
| Classifying Pointer Analysis Algorithms | 00:01:00 | ||
| Flow Sensitivity AN | 00:02:00 | ||
| Context Sensitivity | 00:02:00 | ||
| Heap Abstraction | 00:01:00 | ||
| Scheme #1: Allocation Site-Based | 00:01:00 | ||
| Scheme #2: Type-Based | 00:02:00 | ||
| Scheme #3: Heap-Insensitive | 00:01:00 | ||
| Tradeoffs in Heap Abstraction Schemes | 00:01:00 | ||
| May-Alias Analysis | 00:01:00 | ||
| Modeling Aggregate Data Types: Arrays | 00:01:00 | ||
| Modeling Aggregate Data Types: Records | 00:02:00 | ||
| Pointer Analysis Classification | 00:01:00 | ||
| What Have We Learned? | 00:02:00 | ||
| Constraint-based Analysis | |||
| Intro to Constraint-based Analysis | 00:01:00 | ||
| Motivation | 00:02:00 | ||
| What Is Constraint-based Analysis? | 00:01:00 | ||
| Benefits of Constraint-based Analysis | 00:01:00 | ||
| Specification & Implementation Quiz | 00:01:00 | ||
| Outline of the Lesson | 00:01:00 | ||
| A Constraint Language: Datalog | 00:01:00 | ||
| Syntax of Datalog: Example | 00:03:00 | ||
| Semantics of Datalog: Example | 00:04:00 | ||
| Computation Using Datalog | 00:01:00 | ||
| Outline Revisited | 00:01:00 | ||
| Reaching Definitions Analysis | 00:05:00 | ||
| Reaching Definitions Analysis 2 | 00:03:00 | ||
| Live Variables Analysis AN | 00:01:00 | ||
| Outline Revisited Again | 00:01:00 | ||
| Pointer Analysis in Datalog | 00:01:00 | ||
| Intra-procedural Pointer Analysis | 00:03:00 | ||
| Inter-procedural Pointer Analysis | 00:04:00 | ||
| Querying Pointer Analysis | 00:02:00 | ||
| Context Sensitivity | 00:02:00 | ||
| Cloning-based Inter-procedural Analysis | 00:02:00 | ||
| What About Recursion? | 00:01:00 | ||
| Summary-based Inter-procedural Analysis | 00:01:00 | ||
| Other Constraint Languages | 00:02:00 | ||
| What Have We Learned? | 00:02:00 | ||
| Type Systems | |||
| Introduction to Type Systems | 00:01:00 | ||
| Type Systems | 00:01:00 | ||
| Motivation AN | 00:01:00 | ||
| Type Systems 2 | 00:01:00 | ||
| What Is a Type? | 00:01:00 | ||
| More Examples | 00:01:00 | ||
| Abstraction | 00:01:00 | ||
| What Is a Type? 2 | 00:01:00 | ||
| A Simple Typed Language | 00:03:00 | ||
| Programs and Types | 00:01:00 | ||
| Next Steps | 00:01:00 | ||
| Notation for Inference Rules | 00:01:00 | ||
| From English to Inference Rule | 00:02:00 | ||
| Notation for Inference Rules 2 | 00:01:00 | ||
| Rules for Integers | 00:02:00 | ||
| Example: 1+2 | 00:01:00 | ||
| A Problem | 00:01:00 | ||
| A Solution | 00:01:00 | ||
| Type Environments | 00:01:00 | ||
| Modified Rules | 00:01:00 | ||
| A New Rule | 00:01:00 | ||
| Rules for Functions | 00:02:00 | ||
| All Rules Together | 00:01:00 | ||
| Type Derivations Example | 00:04:00 | ||
| Type Derivations | 00:02:00 | ||
| Back to the Original Example | 00:01:00 | ||
| A More Complex Rule | 00:01:00 | ||
| Soundness | 00:01:00 | ||
| Comments on Soundness | 00:01:00 | ||
| Constraints | 00:01:00 | ||
| Another Example | 00:01:00 | ||
| Type-Checking Algorithm | 00:01:00 | ||
| Global Analysis | 00:02:00 | ||
| Local Analysis | 00:03:00 | ||
| Global vs. Local Analysis AN | 00:01:00 | ||
| Properties of Type Systems AN | 00:02:00 | ||
| Static Analysis Using Type Rules AN | 00:01:00 | ||
| An Example: The Rule of Signs | 00:01:00 | ||
| Example Rules AN | 00:01:00 | ||
| Another Problem | 00:01:00 | ||
| More Example Rules AN | 00:01:00 | ||
| Flow Insensitivity AN | 00:01:00 | ||
| Comments on Flow Insensitivity | 00:01:00 | ||
| Flow Sensitivity AN | 00:02:00 | ||
| Comments on Flow Sensitivity | 00:01:00 | ||
| Path Sensitivity AN | 00:02:00 | ||
| Comments on Path Sensitivity | 00:01:00 | ||
| Flow & Path Sensitivity AN | 00:03:00 | ||
| Summary AN | 00:01:00 | ||
| What Have We Learned? AN l8 | 00:01:00 | ||
| Statistical Debugging | |||
| Intro to Statistical Debugging AN | 00:01:00 | ||
| Motivation AN l9 | 00:01:00 | ||
| An Idea: Statistical Debugging | 00:01:00 | ||
| Benefits of Statistical Debugging | 00:01:00 | ||
| Two Key Questions AN | 00:01:00 | ||
| Practical Challenges AN | 00:02:00 | ||
| The Approach AN | 00:02:00 | ||
| Overall Architecture AN | 00:02:00 | ||
| Model Behavior AN | 00:01:00 | ||
| Branches Are Interesting | 00:01:00 | ||
| Return Values Are Interesting AN | 00:02:00 | ||
| What Other Behaviors Are Interesting? AN | 00:01:00 | ||
| Identify the Predicates AN | 00:01:00 | ||
| Summarization and Reporting 1 AN | 00:01:00 | ||
| Summarization and Reporting 2 AN | 00:02:00 | ||
| Abstracting Predicate Counts | 00:01:00 | ||
| Populate the Predicates AN | 00:01:00 | ||
| The Need for Sampling AN | 00:01:00 | ||
| A Naive Sampling Approach | 00:01:00 | ||
| Some Other Problematic Approaches AN | 00:01:00 | ||
| Amortized Coin Tossing | 00:01:00 | ||
| An Efficient Approach | 00:01:00 | ||
| Feedback Reports with Sampling AN | 00:01:00 | ||
| Uncertainty Due to Sampling AN | 00:02:00 | ||
| Overall Architecture Revisited AN | 00:01:00 | ||
| Finding Causes of Bugs 2 AN | 00:03:00 | ||
| Tracking Context AN | 00:01:00 | ||
| A Useful Measure: Increase() | 00:01:00 | ||
| Increase() Works AN | 00:02:00 | ||
| Computing Increase() | 00:01:00 | ||
| Isolating the Bug 1 AN | 00:01:00 | ||
| A First Algorithm | 00:02:00 | ||
| Isolating the Bug 2 AN | 00:01:00 | ||
| Isolating a Single Bug in bc AN | 00:01:00 | ||
| It Works AN | 00:01:00 | ||
| Using the Information AN | 00:01:00 | ||
| Sample Report AN | 00:01:00 | ||
| Multiple Bugs: The Goal AN | 00:01:00 | ||
| Another Idea | 00:01:00 | ||
| Revised Algorithm AN | 00:01:00 | ||
| Ranking by Increase(P) AN | 00:01:00 | ||
| Ranking by F(P) AN | 00:01:00 | ||
| A Helpful Analogy | 00:01:00 | ||
| Combining Precision and Recall | 00:01:00 | ||
| Sorting by the Harmonic Mean AN | 00:01:00 | ||
| What Have We Learned? AN l9 | 00:02:00 | ||
| Key Takeaway AN | 00:01:00 | ||
| Delta Debugging | |||
| Introduction to Delta Debugging AN | 00:01:00 | ||
| Simplification AN | 00:01:00 | ||
| Why Simplify? AN | 00:01:00 | ||
| Real World Scenario AN | 00:01:00 | ||
| How Do We Go from This… to This? AN | 00:01:00 | ||
| Your Solution AN | 00:01:00 | ||
| Binary Search | 00:01:00 | ||
| Complex Input | 00:01:00 | ||
| Simplified Input AN | 00:01:00 | ||
| Binary Search 2 | 00:01:00 | ||
| Two Conflicting Solutions AN | 00:01:00 | ||
| Impact of Input Granularity AN | 00:01:00 | ||
| General Delta Debugging Algorithm AN | 00:01:00 | ||
| Inputs and Failures AN | 00:01:00 | ||
| Example of Delta Debugging AN | 00:01:00 | ||
| Changes | 00:01:00 | ||
| Decomposing Changes AN | 00:01:00 | ||
| Summary AN | 00:01:00 | ||
| Testing Test Cases AN | 00:01:00 | ||
| Minimizing Test Cases AN | 00:01:00 | ||
| Search for 1-Minimal Input AN | 00:02:00 | ||
| Minimizing Test Cases 2 AN | 00:02:00 | ||
| Naive Algorithm AN | 00:02:00 | ||
| Work Smarter Not Harder AN | 00:01:00 | ||
| Minimization Algorithm AN | 00:01:00 | ||
| Steps of the Minimization Algorithm AN | 00:02:00 | ||
| Asymptotic Analysis | 00:01:00 | ||
| Minimization Algorithm 2 AN | 00:01:00 | ||
| Case Study: GNU C Compiler | 00:03:00 | ||
| Case Study: GNU C Compiler 2 | 00:02:00 | ||
| Case Study: Minimizing Fuzz Input | 00:01:00 | ||
| Another Application | 00:01:00 | ||
| Delta Debugging Wrap-Up AN | 00:01:00 | ||
| What Have We Learned? AN l10 | 00:01:00 | ||
| Dynamic Symbolic Execution | |||
| Intro to Dynamic Symbolic Execution | 00:01:00 | ||
| Motivation | 00:05:00 | ||
| The Approach AN | 00:02:00 | ||
| Execution Path of a Program | 00:02:00 | ||
| Cognitive Development | 00:30:00 | ||
| Existing Approach I | 00:01:00 | ||
| Existing Approach II | 00:04:00 | ||
| Combined Approach | 00:02:00 | ||
| An Illustrative Example | 00:06:00 | ||
| Computation Tree | 00:01:00 | ||
| A More Complex Example | 00:04:00 | ||
| Example Application | 00:01:00 | ||
| A Third Example | 00:04:00 | ||
| Properties of DSE | 00:01:00 | ||
| Testing Data Structures | 00:02:00 | ||
| Data Structure Example | 00:04:00 | ||
| Approach in a Nutshell | 00:01:00 | ||
| Characteristics of DSE | 00:01:00 | ||
| Case Study: SGLIB C Library | 00:02:00 | ||
| Case Study: Needham-Schroeder Protocol | 00:01:00 | ||
| Realistic Implementations | 00:01:00 | ||
| Case Study: SAGE Tool at Microsoft | 00:01:00 | ||
| SAGE Crashing a Media Parser | 00:01:00 | ||
| What Have We Learned? | 00:02:00 | ||
| Assessment | |||
| Submit Your Assignment | 00:00:00 | ||
| Certification | 00:00:00 | ||
Course Reviews
No Reviews found for this course.
Related Courses
18 STUDENTS ENROLLED
