Collaborative Research: SHF: Small: An Automated Full-Lifecycle Approach for Improving the Development and Use of Static Analysis

合作研究：SHF：小型：改进静态分析开发和使用的自动化全生命周期方法

• 批准号: 2008905
• 负责人: Shiyi Wei
• 金额: $ 24.99万
• 依托单位: University of Texas at Dallas
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2008905&HistoricalAwards=false
• 关键词: Collaborative; Research; SHF; Small; Automated

Because software failures can and do cause severe, even life-threatening losses, effective quality assurance remains a constant concern for software developers. In fact, over the past decades, numerous software analysis techniques have been developed to address this concern. These techniques represent a powerful means of detecting bugs or proving their absence. Despite their theoretical superiority, static program analysis tools have had relatively limited industry adoption. Static analysis tools aiming for practical solutions are forced to approximate, trading off precision (i.e., better modeling to ensure correctness) against performance (i.e., faster analysis). Finding the right balance of the complex tradeoffs between performance and precision when developing and using static analysis tools is extremely challenging. This project seeks to reduce practical barriers to conquering this tradeoff. Successful outcomes of this project are likely to improve static analysis tool adoption rates, and thereby improve the safety, security and functionality of critical software that society depends upon. This project aims to achieve more effective static analysis design and usage through cohesive development and usage lifecycle that is powerfully augmented with automated support. This automated support includes systematic evaluation and generation of benchmarks for static analysis tools, localizing sources of imprecision and performance bottlenecks, configuring tool settings that are likely to produce correct and timely results, using machine learning approaches to identify and filter false positives, and integrating these improvements into a demonstration system that leverages information and experiences coming from both tool developers and tool users. This augmented and automated lifecycle will identify frequently occurring code patterns that significantly affect performance/precision tradeoffs in specific tools, allowing tool developers to quickly improve their tools. It will also enable tools designed to customize their behavior and analysis approaches to specific target programs. At the same time, this will provide static analysis tool users with automated support for tuning tool configurations to quickly get more effective results. This is supported by automated classification of tool error reports, reducing effort wasted investigating false positives. These improvements used in concert with each other will result in greatly improved static analysis tools, and much-increased use of these tools in analyzing real-world software.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

由于软件故障可能并且确实会导致严重的、甚至危及生命的损失，有效的质量保证仍然是软件开发人员始终关注的问题。事实上，在过去的几十年里，已经开发了许多软件分析技术来解决这一问题。这些技术代表了一种检测错误或证明它们不存在的强大手段。尽管静态程序分析工具在理论上具有优势，但其在行业中的应用相对有限。着眼于实际解决方案的静态分析工具被迫近似，在精度(即，更好的建模以确保正确性)与性能(即，更快的分析)之间进行权衡。在开发和使用静态分析工具时，在性能和精度之间找到复杂的权衡是非常具有挑战性的。这个项目寻求减少克服这种权衡的实际障碍。该项目的成功结果可能会提高静态分析工具的采用率，从而提高社会所依赖的关键软件的安全性、安全性和功能。该项目旨在通过强大的自动化支持增强的内聚性开发和使用生命周期来实现更有效的静态分析、设计和使用。这种自动化支持包括系统地评估和生成静态分析工具的基准，定位不精确度和性能瓶颈的来源，配置可能产生正确和及时结果的工具设置，使用机器学习方法来识别和过滤误报，以及将这些改进集成到利用来自工具开发人员和工具用户的信息和经验的演示系统中。这种扩展和自动化的生命周期将识别频繁出现的代码模式，这些模式显著影响特定工具的性能/精度权衡，使工具开发人员能够快速改进他们的工具。它还将启用旨在针对特定目标程序定制其行为和分析方法的工具。同时，这将为静态分析工具用户提供对调优工具配置的自动化支持，以快速获得更有效的结果。工具错误报告的自动分类支持这一点，从而减少了调查误报所浪费的精力。这些改进相互配合使用，将大大改进静态分析工具，并更多地使用这些工具来分析真实世界的软件。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

ECSTATIC: Automatic Configuration-Aware Testing and Debugging of Static Analysis Tools

• DOI: 10.1145/3597926.3604918
• 发表时间: 2023-07
• 期刊: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis
• 作者: Austin Mordahl;Dakota Soles;Miao Miao-Miao;Zenong Zhang;Shiyi Wei

An empirical assessment of machine learning approaches for triaging reports of static analysis tools

• DOI: 10.1007/s10664-022-10253-z
• 发表时间: 2023-03-01
• 期刊: EMPIRICAL SOFTWARE ENGINEERING
• 影响因子: 4.1
• 作者: Yerramreddy，Sai;Mordahl，Austin;Porter，Adam A.
• 通讯作者: Porter，Adam A.

SATune: A Study-Driven Auto-Tuning Approach for Configurable Software Verification Tools

• DOI: 10.1109/ase51524.2021.9678761
• 发表时间: 2021-11
• 期刊: 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE)
• 作者: Ugur Koc;Austin Mordahl;Shiyi Wei;J. Foster;A. Porter

The impact of tool configuration spaces on the evaluation of configurable taint analysis for Android

• DOI: 10.1145/3460319.3464823
• 发表时间: 2021-07
• 期刊: Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis
• 作者: Austin Mordahl;Shiyi Wei

ECSTATIC: An Extensible Framework for Testing and Debugging Configurable Static Analysis

• DOI: 10.1109/icse48619.2023.00056
• 发表时间: 2023-05
• 期刊: 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE)
• 作者: Austin Mordahl;Zenong Zhang;Dakota Soles;Shiyi Wei