Monday, July 15, 2013

Re: [android-developers] Re: can _ever_ the intent received by a BroadcastReceiver onReceive() method be null?

I agree with pretty much everything you said, but:

- Since this is Android Developers, we can probably agree that current static analysis tools for Android are not that helpful for the vast majority of applications... I did not try to imply it is worthless for everyone :)

- I also didn't imply that static analysis is supposed to test UI; these are a whole different set of tools, as both of us agree. But static analysis can be used to figure out if the UI model works with the code-behind it has. I'm not looking for correctness of intended use, but the correctness of the implemented code, with relation to its attached UI. This is exactly what Google are doing little by little with LINT.

- My last paragraph meant exactly what you said... Since the code does not have the proper summaries (as the OP mentioned), static analysis tools would still need to parse the source just to tell whether a returned value will actually return. If anything, if an SA tool would rely on Google APIs, there would probably be quite a few mistakes due to the fact some of the documentation is just wrong.

In short - SA is very cool, but not very useful currently for the average Android developer :)



On Monday, July 15, 2013 3:04:31 PM UTC+3, Kristopher Micinski wrote:
On Mon, Jul 15, 2013 at 3:20 AM, Piren <gpi...@gmail.com> wrote:
> I've played around with some tools that do static analysis, one of the
> bigger developers that deal with those tools also ran some "beta" testing
> with us for a toolset for Android.
> Seems like this isn't even close to being a big help... a short while after
> I just stopped using it.
>

As an FYI, my research is (in part) driven by static analysis (for
Android apps); since there's a lot of FUD surrounding it I'd like to
try to dispel as much as I can.

This is most people's impression about static analysis, but usually
because they're using bad tools.  Integrating static analysis into
your production cycle is complicated (because the tools are
complicated) and usually something that doesn't pay off since the need
for correctness on Android is almost never life threatening.

By contrast, the use of static analysis is generally involved in some
very core code, and the rest is tested using a much more traditional
development methodology.  (E.g., you may want to verify security
related parts of your app dealing with information leakage, but the
UI, etc., can be tested.)

> Other than pointing out some very glaring design decisions, it wasn't really
> helpful at all. This is especially true since it can only check the M and C
> parts of the MVC design model and has big issues making sure they work well
> with the V.

This is by no means all of static analysis, but it does highlight the
current scope of Android: people take production tools verbatim and
apply them to the Android API.  A major part of what I said applies
here: static analysis isn't *meant* to test UI.  There are
technologies that do this, but they aren't the norm, and most suites
don't focus production on those since they are hard to get right.
(I.e., testing UI vs. model integration is already somewhat hard on
Android to begin with, adding in the vast numbers of configuration
options makes it much harder in the static case.)

> I also doubt they'd be able to check the Android API without actually
> attaching its entire source (in java and c++, and in all possible
> configurations and ROM variants) and compiling the whole thing. So either
> way, even with these tools, the OP won't get any real answer.

This isn't true either, most real static analyses rely on API
summaries: doing so would include millions of lines of code.  At the
current state of the art, there are ways to derive API summaries in a
pretty efficient and systematic manner.  While it's very hard to do so
(lots of manual labor involved in writing a correct API spec) it's
definitely the most important part of a static analysis for real world
applications.

It's true that with some static analysis engines you won't get an
immediate answer, but it's patently false that no tools can offer such
an answer.  (However, it may be true that no currently existing static
analysis tool has sufficient coverage of the Android API.)

Kris
