Techniques for Efficient Automated Elimination of False Positives

Static analysis tools are useful to detect common programming errors. However, they generate a large number of false positives. Postprocessing of these alarms using a model checker has been proposed to automatically eliminate false positives from them. To scale up the automated false positives elimination (AFPE), several techniques, e.g., program slicing, are used. However, these techniques increase the time taken by AFPE, and the increased time is a major concern during application of AFPE to alarms generated on large systems.To reduce the time taken by AFPE, we propose two techniques. The techniques achieve the reduction by identifying and skipping redundant calls to the slicer and model checker. The first technique is based on our observation that, (a) combination of application-level slicing, verification with incremental context, and the context-level slicing helps to eliminate more false positives; (b) however, doing so can result in redundant calls to the slicer. In this technique, we use data dependencies to compute these redundant calls. The second technique is based on our observation that (a) code partitioning is commonly used by static analysis tools to analyze very large systems, and (b) applying AFPE to alarms generated on partitioned-code can result in repeated calls to both the slicer and model checker. We use memoization to identify the repeated calls and skip them.The first technique is currently under evaluation. Our initial evaluation of the second technique indicates that it reduces AFPE time by up to 56%, with median reduction of 12.15%.

[1]  Guy E. Blelloch,et al.  Selective memoization , 2003, POPL '03.

[2]  Isil Dillig,et al.  Automated error diagnosis using abductive inference , 2012, PLDI.

[3]  Tukaram Muske Improving Review of Clustered-Code Analysis Warnings , 2014, 2014 IEEE International Conference on Software Maintenance and Evolution.

[4]  Kumar Madhukar,et al.  Efficient Elimination of False Positives Using Bounded Model Checking , 2013 .

[5]  Robert W. Bowdidge,et al.  Why don't software developers use static analysis tools to find bugs? , 2013, 2013 35th International Conference on Software Engineering (ICSE).

[6]  Theresa Swift Tabling for non‐monotonic programming , 2004, Annals of Mathematics and Artificial Intelligence.

[7]  James R. Wright,et al.  Why Do Software Developers Use Static Analysis Tools? A User-Centered Study of Developer Needs and Motivations , 2020, IEEE Transactions on Software Engineering.

[8]  Priyanka Darke,et al.  Statically relating program properties for efficient verification (short WIP paper) , 2018, LCTES.

[9]  Joe D. Warren,et al.  The program dependence graph and its use in optimization , 1987, TOPL.

[10]  Andy Zaidman,et al.  Analyzing the State of Static Analysis: A Large-Scale Evaluation in Open Source Software , 2016, 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER).

[11]  Ravindra Metta,et al.  Over-approximating loops to prove properties using bounded model checking , 2015, 2015 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[12]  Priyanka Darke,et al.  Efficient Safety Proofs for Industry-Scale Code Using Abstractions and Bounded Model Checking , 2017, 2017 IEEE International Conference on Software Testing, Verification and Validation (ICST).

[13]  Alexander Serebrenik,et al.  Reducing Static Analysis Alarms Based on Non-impacting Control Dependencies , 2019, APLAS.

[14]  David W. Binkley,et al.  Program slicing , 2008, 2008 Frontiers of Software Maintenance.

[15]  EmanuelssonPär,et al.  A Comparative Study of Industrial Static Analysis Tools , 2008 .

[16]  Qiang Zhang,et al.  Automated Detection of Code Vulnerabilities Based on Program Analysis and Model Checking , 2008, 2008 Eighth IEEE International Working Conference on Source Code Analysis and Manipulation.

[17]  Shrawan Kumar,et al.  Static program analysis of large embedded code base: an experience , 2011, ISEC.

[18]  Ulf Nilsson,et al.  A Comparative Study of Industrial Static Analysis Tools , 2008, SSV.

[19]  Tukaram Muske,et al.  Efficient elimination of false positives using static analysis , 2015, 2015 IEEE 26th International Symposium on Software Reliability Engineering (ISSRE).

[20]  Carsten Sinz,et al.  Reducing False Positives by Combining Abstract Interpretation and Bounded Model Checking , 2008, 2008 23rd IEEE/ACM International Conference on Automated Software Engineering.

[21]  Christian Bird,et al.  What developers want and need from program analysis: An empirical study , 2016, 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).

[22]  Ciera Jaspan,et al.  Tricorder: Building a Program Analysis Ecosystem , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[23]  Sarah Smith Heckman,et al.  A systematic literature review of actionable alert identification techniques for automated static code analysis , 2011, Inf. Softw. Technol..