Statfier: Automated Testing of Static Analyzers via Semantic-Preserving Program Transformations

Zhang, Huaien1,2; Pei, Yu2; Chen, Junjie3; Tan, Shin Hwei4

10.1145/3611643.3616272

2023

31st ACM Joint Meeting of the European Software Engineering Conference / Symposium on the Foundations-of-Software-Engineering (ESEC/FSE)

PROCEEDINGS OF THE 31ST ACM JOINT MEETING EUROPEAN SOFTWARE ENGINEERING CONFERENCE AND SYMPOSIUM ON THE FOUNDATIONS OF SOFTWARE ENGINEERING, ESEC/FSE 2023

DEC 03-09, 2023

null,San Francisco,CA

1601 Broadway, 10th Floor, NEW YORK, NY, UNITED STATES

ASSOC COMPUTING MACHINERY

Static analyzers reason about the behaviors of programs without executing them and report issues when they violate pre-defined desirable properties. One of the key limitations of static analyzers is their tendency to produce inaccurate and incomplete analysis results, i.e., they often generate too many spurious warnings and miss important issues. To help enhance the reliability of a static analyzer, developers usually manually write tests involving input programs and the corresponding expected analysis results for the analyzers. Meanwhile, a static analyzer often includes example programs in its documentation to demonstrate the desirable properties and/or their violations. Our key insight is that we can reuse programs extracted either from the official test suite or documentation and apply semantic-preserving transformations to them to generate variants. We studied the quality of input programs from these two sources and found that most rules in static analyzers are covered by at least one input program, implying the potential of using these programs as the basis for test generation. We present Statfier, a heuristic-based automated testing approach for static analyzers that generates program variants via semantic-preserving transformations and detects inconsistencies between the original program and variants (indicate inaccurate analysis results in the static analyzer). To select variants that are more likely to reveal new bugs, Statfier uses two key heuristics: (1) analysis report guided location selection that uses program locations in the reports produced by static analyzers to perform transformations and (2) structure diversity driven variant selection that chooses variants with different program contexts and diverse types of transformations. Our experiments with five popular static analyzers show that Statfier can find 79 bugs in these analyzers, of which 46 have been confirmed.

software testing rule-based static analysis program transformation

第一

英语

EI ; CPCI-S

National Natural Science Foundation of China["62002256","62232001"]

Computer Science

Computer Science, Software Engineering ; Computer Science, Theory & Methods

WOS:001148157800021

Web of Science

1.Southern University of Science and Technology, Shenzhen, China
2.The Hong Kong Polytechnic University, Hong Kong
3.College of Intelligence and Computing, Tianjin University, Tianjin, China
4.Concordia University, Montreal, Canada

Zhang, Huaien,Pei, Yu,Chen, Junjie,et al. Statfier: Automated Testing of Static Analyzers via Semantic-Preserving Program Transformations[C]. 1601 Broadway, 10th Floor, NEW YORK, NY, UNITED STATES:ASSOC COMPUTING MACHINERY,2023.