
Model checking driven static analysis for the real world: designing and tuning large scale bug detection

  • SI:Theories & Tool Support for Software
Innovations in Systems and Software Engineering

Abstract

Model checking and static analysis are traditionally seen as two separate approaches to software analysis and verification. In this work we define a model checking approach for the static analysis of large C/C++ source code bases to detect potential run-time issues such as program crashes, security vulnerabilities and memory leaks. Working at the intersection of software model checking and automated static bug detection for real-life systems, we address a number of issues: how to scale to real-life systems of 1,000,000 LoC or more, how to quickly write new checks, and most importantly how to distinguish between relevant and irrelevant bugs and fine-tune the analysis accordingly. We define our model checking-based static analysis approach, implemented in our tool Goanna, illustrate a number of design and implementation decisions taken to obtain practical outcomes and relevant results, and present findings based on empirical data obtained from regularly analyzing large industrial and open source code bases such as the Firefox Web browser.
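The abstract describes checking C/C++ code for issues such as memory leaks by treating static analysis as a model checking problem but gives no detail of how such a check is phrased. The following is an added illustration of the general idea (a control-flow graph labelled with atomic propositions, checked against a temporal property by fixpoint iteration); it is not Goanna's code and does not reproduce the paper's implementation. The six-node CFG, its labels, and the helper names `exists_until`, `check_pattern` and `witness_path` are all constructed here for the example.

```python
from collections import deque
from typing import Dict, List, Optional, Set

# Constructed example CFG (not taken from the paper) for this C-like function:
#   1: p = malloc(n);
#   2: if (p == NULL) goto 6;
#   3: if (parse_failed()) goto 6;   /* early return: p is never freed */
#   4: use(p);
#   5: free(p);
#   6: return;
# Each node maps to its successor set; each node carries zero or more
# atomic propositions describing what happens there.
CFG: Dict[int, Set[int]] = {1: {2}, 2: {3, 6}, 3: {4, 6}, 4: {5}, 5: {6}, 6: set()}
LABELS: Dict[int, Set[str]] = {
    1: {"alloc"}, 2: set(), 3: set(), 4: {"use"}, 5: {"free"}, 6: {"exit"},
}


def states_with(labels: Dict[int, Set[str]], prop: str) -> Set[int]:
    """All CFG nodes carrying the atomic proposition `prop`."""
    return {s for s, props in labels.items() if prop in props}


def pre(cfg: Dict[int, Set[int]], targets: Set[int]) -> Set[int]:
    """Nodes with at least one successor in `targets` (the CTL EX operator)."""
    return {s for s, succ in cfg.items() if succ & targets}


def exists_until(cfg: Dict[int, Set[int]], phi: Set[int], psi: Set[int]) -> Set[int]:
    """CTL E[phi U psi] computed as a least fixpoint: the nodes from which some
    path stays inside `phi` until it reaches a node in `psi`."""
    z = set(psi)
    while True:
        step = z | (phi & pre(cfg, z))
        if step == z:
            return z
        z = step


def check_pattern(cfg: Dict[int, Set[int]], labels: Dict[int, Set[str]],
                  source: str, avoid: str, target: str) -> Set[int]:
    """Nodes labelled `source` from which some path reaches a `target` node
    without passing through an `avoid` node: source AND EX E[not avoid U target].
    A leak check is ("alloc", "free", "exit"); use-after-free is ("free", "alloc", "use")."""
    phi = set(cfg) - states_with(labels, avoid)
    psi = states_with(labels, target)
    reach = exists_until(cfg, phi, psi)
    return {s for s in states_with(labels, source) if cfg[s] & reach}


def witness_path(cfg: Dict[int, Set[int]], labels: Dict[int, Set[str]],
                 start: int, avoid: str, target: str) -> Optional[List[int]]:
    """Shortest path from `start` to a `target` node that avoids `avoid` nodes,
    used as the counterexample shown in a report."""
    blocked = states_with(labels, avoid)
    goal = states_with(labels, target)
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if len(path) > 1 and path[-1] in goal:
            return path
        for nxt in sorted(cfg[path[-1]]):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    for name, (src, avoid, tgt) in {
        "possible memory leak": ("alloc", "free", "exit"),
        "possible use after free": ("free", "alloc", "use"),
    }.items():
        for node in sorted(check_pattern(CFG, LABELS, src, avoid, tgt)):
            print(f"{name} at node {node}, witness path "
                  f"{witness_path(CFG, LABELS, node, avoid, tgt)}")
```

Running the block reports one leak candidate at node 1 and no use-after-free. The shortest witness it prints, 1 → 2 → 6, is the path on which `malloc` returned NULL, so nothing was actually leaked; the genuine leak is the early return 1 → 2 → 3 → 6. A pure CFG reachability check cannot tell the two apart, which is the kind of irrelevant warning the abstract says the analysis must be tuned to suppress (for instance by refining the model with the branch condition on node 2).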



Corresponding author

Correspondence to Ralf Huuck.

Additional information

NICTA is funded by the Australian Government as represented by the Department of Broadband, Communications and the Digital Economy and the Australian Research Council through the ICT Centre of Excellence program.


Cite this article

Fehnker, A., Huuck, R. Model checking driven static analysis for the real world: designing and tuning large scale bug detection. Innovations Syst Softw Eng 9, 45–56 (2013). https://doi.org/10.1007/s11334-012-0192-5


  • DOI: https://doi.org/10.1007/s11334-012-0192-5
