|
This article is cited in 3 scientific papers (total in 3 papers)
Symbolic execution based intra-procedural analysis for search for defects
A. E. Borodina, I. A. Dudinaba a Ivannikov Institute for System Programming of the RAS
b Lomonosov Moscow State University
Abstract:
Svace is a static analysis tool for bug detection in C/C++/Java source code. To analyze a program, Svace performs an intra-procedure analysis of individual functions, starting from the leaves of a call-graph and moving towards the roots, and uses summaries of previously analyzed procedures at call-cites. In this paper, we overview the approaches and techniques employed by Svace for the intra-procedural analysis. This phase is performed by an analyzer engine and an extensible set of detectors. The core engine employs a symbolic execution approach with state merging. It uses value numbering to reduce the set of symbolic expressions, maintains points-to relationship graph for memory modeling, and performs strong and weak updates of program values. Detectors are responsible for discovering and reporting bugs. They calculate different properties of program values using a variety of abstract domains. All detectors work simultaneously orchestrated by the engine. Svace analysis is unsound and employs a variety of heuristics to speed-up. We designed Svace to analyze big projects (several MLOCs) in just a few hours and report as many warnings as possible, while keeping a good quality of reports ($\ge$ 65% of true positives). For example, Tizen 5.5 (20MLOC) analysis takes 8.6 hours and produces 18,920 warnings, more than 70% of which are true-positive.
Keywords:
static analysis, symbolic execution, svace, search for defects.
Citation:
A. E. Borodin, I. A. Dudina, “Symbolic execution based intra-procedural analysis for search for defects”, Proceedings of ISP RAS, 32:6 (2020), 87–100
Linking options:
https://www.mathnet.ru/eng/tisp560 https://www.mathnet.ru/eng/tisp/v32/i6/p87
|
Statistics & downloads: |
Abstract page: | 72 | Full-text PDF : | 47 | References: | 9 |
|