【Static Program Analysis - Chapter 1】 Introduction

 

Regarding correctness, programmers routinely use testing to gain confidence that their programs works as intended, but as famously stated by Dijkstra: “Program testing can be used to show the presence of bugs, but never to show their absence.” Ideally we want guarantees about what our programs may do for all possible inputs, and we want these guarantees to be provided automatically, that is, by programs. A program analyzer is such a program that takes other programs as input and decides whether or not they have a given property. 

 

 

Ideally, the approximations we use are conservative (or safe), meaning that all errors lean to the same side, which is determined by our intended application.

We say that a program analyzer is sound if it never gives incorrect results (but it may answer maybe). Thus, the notion of soundness depends on the intended application of the analysis output, which may cause some confusion.

For example, a verification tool is typically called sound if it never misses any errors of the kinds it has been designed to detect, but it is allowed to produce spurious warnings (also called false positives), whereas an automated testing tool is called sound if all reported errors are genuine, but it may miss errors.