Abstract
This paper presents the formalism for multiple level static analysis for defect detection in source code. The first level has the program and memory model that are suitable for AST-level checks. The following levels address detection of critical errors: on the second level interprocedural partially context-sensitive analysis is performed via dataflow analysis and symbolic execution with state merging, whereas the third level adds path-sensitivity via predicate tracking for the dataflow information computed on the second. The analysis designer can freely choose the appropriate analysis level or their combination to check the desired program property. The presented methods are implemented in the Svace static analysis toolset. The first analysis levels for C/C++ and Java are implemented as extensions of corresponding production compilers (Clang and javac) and FindBugs tool plugins, while the second and third levels make the core of Svace analyzer together with 100+ implemented checkers for critical defects. The evaluation on extra large codebases of millions lines of code such as full-blown Android and Tizen OSes has shown the approach scalability and the acceptable false positives ratio (less than 40%).
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Checkers that are more concerned with memory properties (like memory leaks) get benefit from attaching attributes directly to memory locations instead of value classes [8], but we do not discuss it in more details in this paper.
- 2.
In case we have nontrivial VC for glob variable, we can further improve the precision if e.g. the conditional operator will never be executed and we don’t have to consider the instruction at line 5.
- 3.
We do not use the CSA path-sensitive infrastructure, as its scope is limited by the compilation unit, but move the heavy checkers to our own analyzer engine.
- 4.
One example is the Android app fast analysis that takes into account the calculated analysis data for the full Android OS.
- 5.
The predicate representation has to be regularly reviewed as the path-sensitive analysis portion in the analyzer grows over time.
References
Cousot, P., Cousot, R., Feret, J., et al.: Why does Astrée scale up? Form Methods Syst. Des. 35, 229 (2009). https://doi.org/10.1007/s10703-009-0089-6
Xie, Y., Aiken, A.: Saturn: a scalable framework for error detection using Boolean satisfiability. ACM Trans. Program. Lang. Syst. 29(3), 1–43 (2007). Article 16
Sankaranarayanan, S., Ivančić, F., Gupta, A.: Program analysis using symbolic ranges. In: Nielson, H.R., Filé, G. (eds.) SAS 2007. LNCS, vol. 4634, pp. 366–383. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74061-2_23
Xu, Z., Kremenek, T., Zhang, J.: A memory model for static analysis of C programs. In: Margaria, T., Steffen, B. (eds.) ISoLA 2010, Part I. LNCS, vol. 6415, pp. 535–548. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-16558-0_44
Ignatiev, V.: Using static analysis for customizable checks of C/C++ semantic constraints. Ph.D. thesis, Moscow (2015)
Strein, D., Kratz, H., Lowe, W.: Cross-language program analysis and refactoring. In: Proceedings of the Sixth IEEE International Workshop on Source Code Analysis and Manipulation (SCAM 2006), Washington, DC, USA, pp. 207–216. IEEE Computer Society (2006)
Zubov, M.V., Pustygin, A.N., Startsev, E.V.: Use of the intermediate software representations for static analysis of source code. Doklady TUSUR 27, 64–68 (2013). (in Russian)
Borodin, A.: Interprocedural context-sensitive static analysis for finding defects in C/C++ program source code. Ph.D. thesis, Moscow (2016)
LLVM Language Reference Manual. http://llvm.org/docs/LangRef.html
Tucker Taft. The use of value numbers in static analysis. http://www.adacore.com/knowledge/technical-papers/the-use-of-value-numbers-in-static-analysis/
MISRA C 2012 Guidelines. https://www.misra.org.uk/MISRAHome/MISRAC2012/tabid/196/Default.aspx
CERT C Coding Standard. https://www.securecoding.cert.org/confluence/display/c/SEI+CERT+C+Coding+Standard
CWE, Common Weakness Enumeration Database. https://cwe.mitre.org/
Briggs, P., Cooper, K.D., Taylor Simpson, L.: Value numbering. Softw. Pract. Exper. 27(6), 701–724 (1997). https://doi.org/10.1002/zaac.201500219
Borodin, A., Belevantsev, A.: A static analysis tool Svace as a collection of analyzers with various complexity levels. Trudy ISP RAN/Proc. ISP RAS 27(6), 111–134 (2015). (in Russian)
Ivannikov, V.P., Belevantsev, A.A., Borodin, A.E., Ignat’ev, V.N., Zhurikhin, D.M., Avetisjan, A.I., Leonov, M.I.: Staticheskij analizator Svace dlja poiska defektov v iskhodnom kode programm [Svace: static analyzer for detecting of defects in program source code]. Trudy ISP RAN [The Proceedings of ISP RAS] 26(1), 231–250 (2011). https://doi.org/10.15514/ispras-2014-26(1)-7. (in Russian)
Avetisjan, A.I., Belevantsev, A.A., Borodin, A.E., Nesov, V.S.: Ispol’zovanie staticheskogo analiza dlja poiska ujazvimostej i kriticheskikh oshibok v iskhodnom kode program [Using static analysis for searching vulnerabilities and critical errors in the source code of programs]. Trudy ISP RAN [The Proceedings of ISP RAS] 21, 23–38 (2011). (in Russian)
Koshelev, V.K., Ignatyev, V.N., Borzilov, A.I.: C# static analysis framework. Trudy ISP RAN/Proc. ISP RAS 28(1), 21–40 (2016). (in Russian)
FindBugs tool. http://findbugs.sourceforge.net/
Clang Static Analyzer. http://clang-analyzer.llvm.org/
Z3 Theorem Prover. https://github.com/Z3Prover/z3
Svace tool deployed in Samsung. Vedomosti news. http://www.vedomosti.ru/technology/articles/2016/11/17/665253-russkie-programmisti-samsung
Dudina, I.: Inter-procedural buffer overflows detection in C/C++ source code via static analysis. Trudy ISP RAN/Proc. ISP RAS 28(5), 119–134 (2016). https://doi.org/10.15514/ispras-2016-28(5)-7. (in Russian)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG
About this paper
Cite this paper
Belevantsev, A., Avetisyan, A. (2018). Multi-level Static Analysis for Finding Error Patterns and Defects in Source Code. In: Petrenko, A., Voronkov, A. (eds) Perspectives of System Informatics. PSI 2017. Lecture Notes in Computer Science(), vol 10742. Springer, Cham. https://doi.org/10.1007/978-3-319-74313-4_3
Download citation
DOI: https://doi.org/10.1007/978-3-319-74313-4_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-74312-7
Online ISBN: 978-3-319-74313-4
eBook Packages: Computer ScienceComputer Science (R0)