An empirical study on classification methods for alarms from a bug-finding static C analyzer
Authors
Abstract
A key application for static analysis is automatic bug-finding. Given the program source, a static analyzer computes an approximation of dynamic program states occurring at each program point, and reports possible bugs by examining the approximate states. From such static bug-finding analysis, false alarms are inevitable. Because static analysis is done at compile-time, exact computation of the program’s run-time states is impossible. Hence some approximation must be involved, so that the detected bugs can contain some false positives. Methodologies such as the abstract interpretation framework [6–8] counsel us to design a correct (conservative) static analyzer. The correctness criterion exacerbates the false alarm problem, because whenever in doubt the analysis must err on the pessimistic side.
Similar resources
Soundness by Static Analysis and False-alarm Removal by Statistical Analysis: Our Airac Experience
We present our experience of combining, in a realistic setting, a static analysis for soundness and a statistical analysis for false-alarm removal. The static analyzer is Airac that we have developed in the abstract interpretation framework for detecting buffer overruns in ANSI + GNU C programs. Airac is sound (finding all bugs) but with false alarms. Airac raised, for example, 970 buffer-overr...
Taming False Alarms from a Domain-Unaware C Analyzer by a Bayesian Statistical Post Analysis
We present our experience of combining, in a realistic setting, a static analyzer with a statistical analysis. This combination is in order to reduce the inevitable false alarms from a domain-unaware static analyzer. Our analyzer named Airac (Array Index Range Analyzer for C) collects all the true buffer-overrun points in ANSI C programs. The soundness is maintained, and the analysis’ cost-accur...
Combining Static Analysis and Test Generation for C Program Debugging
This paper presents our ongoing work on a tool prototype called SANTE (Static ANalysis and TEsting), implementing a combination of static analysis and structural program testing for detection of run-time errors in C programs. First, a static analysis tool (Frama-C) is called to generate alarms when it cannot ensure the absence of run-time errors. Second, these alarms guide a structural test gene...
Towards Scalable Translation Validation of Static Analyzers
Static analyzers, which have been successfully deployed in real world to statically find software errors, are complex pieces of software whose reliability is very hard to establish by testing. Testing is not so effective because analysis results are hard to validate manually for the following reasons: (i) even valid outputs can contain false alarms (or even false negatives if the analyzer is de...
An Extended Empirical Study of False Negatives in Static Bug-Finding Tools
Software defects can cause much loss. Static bug-finding tools are designed to detect and remove software defects and believed to be effective. However, do such tools in fact help prevent actual defects that occur in the field and reported by users? If these tools had been used, would they have detected these field defects, and generated warnings that would direct programmers to fix them? To an...
Journal title:
- Inf. Process. Lett.
Volume 102, Issue
Pages -
Publication date 2007