SMT-Based Refutation of Spurious Bug Reports in the Clang Static Analyzer

  • Mikhail Y. R. Gadelha, Enrico Steffinlongo, Lucas C. Cordeiro, Bernd Fischer, Denis A. Nicole
  • Published 29 October 2018
  • Computer Science, Mathematics
  • 2019 IEEE/ACM 41st International Conference on Software Engineering: Companion Proceedings (ICSE-Companion)
We describe and evaluate a bug refutation extension for the Clang Static Analyzer (CSA) that addresses the limitations of the existing built-in constraint solver. In particular, we complement CSA's current heuristics for removing spurious bug reports. We encode the path constraints produced by CSA as Satisfiability Modulo Theories (SMT) problems, use SMT solvers to precisely check them for satisfiability, and remove bug reports whose associated path constraints are unsatisfiable. Our refutation…
Reorganizing and Optimizing Post-Inspection on Suspicious Bug Reports in Path-Sensitive Analysis
  • Xutong Ma, Jiwei Yan, Jun Yan, Jian Zhang
  • Computer Science
  • 2019 IEEE 19th International Conference on Software Quality, Reliability and Security (QRS)
  • 2019
This paper categorizes the uninspected reports into disjoint sets and sorts the reports in each category, which helps to decrease the number of inspection attempts and parallelizes the inspection for further speedup.
Sys: A Static/Symbolic Tool for Finding Good Bugs in Good (Browser) Code
An extensible bug-finding tool designed to automatically find security bugs in huge codebases, even when easy-to-find bugs have been already picked clean by years of aggressive automatic checking, is described and evaluated.
Scalable and precise verification based on k-induction, symbolic execution and floating-point theory
The bkind algorithm is the main scientific contribution of this thesis: a novel extension to the k-induction algorithm that improves its bug-finding capabilities by performing backward searches in the state space, together with an SMT-based algorithm for refuting false bugs.
Exploring Software Naturalness through Neural Language Models
This work is the first to investigate whether transformer-based language models can discover AST features automatically, and introduces a sequence labeling task that directly probes the language models' understanding of the AST.
Survey of Approaches for Postprocessing of Static Analysis Alarms
Static analysis tools have showcased their importance and usefulness in automated detection of defects. However, the tools are known to generate a large number of alarms which are warning messages to…
Postprocessing of static analysis alarms
The final author version and the galley proof are versions of the publication after peer review that features the final layout of the paper including the volume, issue and page numbers.
SMT-Based False Positive Elimination in Static Program Analysis
This work presents a novel abstraction refinement approach to automatically investigate and eliminate false positives in static analysis, and presents an implementation of the approach into the static analyzer Goanna and discusses a number of real-life experiments on larger C code projects, demonstrating that most false positives were removed.
An user configurable clang static analyzer taint checker
The clang static analyzer architecture, the taint checker design considerations, some implementation details and some test cases are described to show the capability for detecting security vulnerabilities such as Heartbleed in a real and big open source project such as OpenSSL.
ESBMC 5.0: An Industrial-Strength C Model Checker
Improvements over previous versions of ESBMC are discussed, including the description of new front- and back-ends, IEEE floating-point support, and an improved k-induction algorithm.
Poster: Implementation and Evaluation of Cross Translation Unit Symbolic Execution for C Family Languages
This short paper describes a model and an implementation for cross translation unit (CTU) symbolic execution for C and was able to extend the scope of the analysis without modifying any of the existing checks.
The YICES SMT Solver
SMT stands for Satisfiability Modulo Theories. An SMT solver decides the satisfiability of propositionally complex formulas in theories such as arithmetic and uninterpreted functions with equality.
Precise interprocedural dataflow analysis via graph reachability
The paper shows how a large class of interprocedural dataflow-analysis problems can be solved precisely in polynomial time by transforming them into a special kind of graph-reachability problem. The…
A Software Analysis Perspective
This foundational article presents a consolidated view of the platform, its main and composite analyses, and some of its industrial achievements.
LLVM: a compilation framework for lifelong program analysis & transformation
  • Chris Lattner, V. Adve
  • Computer Science
  • International Symposium on Code Generation and Optimization, 2004. CGO 2004.
  • 2004
The design of the LLVM representation and compiler framework is evaluated in three ways: the size and effectiveness of the representation, including the type information it provides; compiler performance for several interprocedural problems; and illustrative examples of the benefits LLVM provides for several challenging compiler problems.
The MathSAT5 SMT Solver
The latest version of MathSAT5 supports most of the SMT-LIB theories and their combinations, and provides many functionalities, including sound SAT-style Boolean formula preprocessing for SMT formulae and a framework that allows users to plug in their own custom-tuned SAT solvers.
The system architecture and notable subsystems of CVC4 are described, and some of its applications and continuing work are discussed; CVC4 is a lighter-weight and higher-performing tool than CVC3.