AN INITIAL PROTOTYPE OF TIERED CONSTRAINT SOLVING IN THE CLANG STATIC ANALYZER
DOI:
https://doi.org/10.24193/subbi.2018.2.06Keywords:
Static analysis, symbolic execution, Clang, SMT solver.Abstract
Static analysis is a widely used method for finding bugs in large code bases. One of the most popular static analysis tools used for software written in C/C++ languages is the Clang Static Analyzer [1]. During symbolic execution [2] of the source code, the analyzer models path sensitivity by keeping track of constraints on symbolic variables. The built-in constraint manager module, while granting excellent performance, only handles constraints on certain types of integer expressions, which has a detrimental effect on the quality of the analysis, as the infeasibility of certain execution paths cannot be proved. This often leads to false positive findings, i.e. error reports issued for code parts that are actually correct.
This paper records the first milestone in an effort to integrate the state-of-the-art Z3 theorem prover [3] into the Clang Static Analyzer in order to post-process bug reports. While full integration is hindered by the burden Z3 places on the duration of the analysis, the refutation of false positive reports using information collected by the default pass can improve analysis quality substantially while introducing only a moderate regression in performance. We present an initial prototype of the tiered constraint solving solution that is already capable of filtering out some bogus reports, evaluate it on real-world software projects, and explore possible improvements we plan to accomplish in our future work.
References
Clang Static Analyzer. https://clang-analyzer.llvm.org
HAMPAPURAM, Hari; YANG, Yue; DAS, Manuvir. Symbolic path simulation in pathsensitive dataflow analysis. In: ACM SIGSOFT Software Engineering Notes. ACM, 2005. p. 52-58.
DE MOURA, Leonardo; BJØRNER, Nikolaj. Z3: An efficient SMT solver. In: International conference on Tools and Algorithms for the Construction and Analysis of Systems. Springer, Berlin, Heidelberg, 2008. p. 337-340.
”clang” C language family frontend for LLVM. https://clang.llvm.org/
RICE, Henry Gordon. Classes of recursively enumerable sets and their decision problems. Transactions of the American Mathematical Society, 1953, 74.2: 358-366.
REPS, Thomas; HORWITZ, Susan; SAGIV, Mooly. Precise interprocedural dataflow analysis via graph reachability. In: Proceedings of the 22nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages. ACM, 1995. p. 49-61.
XU, Zhongxing; KREMENEK, Ted; ZHANG, Jian. A memory model for static analysis of C programs. In: International Symposium On Leveraging Applications of Formal Methods, Verification and Validation. Springer, Berlin, Heidelberg, 2010. p. 535-548.
Artem Dergachev: Clang Static Analyzer - A Checker Developer’s Guide. 2016. https://github.com/haoNoQ/clang-analyzer-guide
Dominic Chen: Add new Z3 constraint manager backend. Differential Review. 2017. https://reviews.llvm.org/D28952
Tmux, a terminal multiplexer. https://github.com/tmux/tmux/
Redis, an open source, in-memory data structure store. https://redis.io/ [12] Xerces-C++ XML Parser. https://xerces.apache.org/xerces-c/
WebM, an open web media project. https://www.webmproject.org/
Curl, a command line tool for transferring data with URLs. https://curl.haxx.se/ [15] Memcached, a distributed memory object caching system. https://memcached.org/
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2018 Studia Universitatis Babeș-Bolyai Informatica
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
