Collaborative Research: SHF: Small: An Automated Full-Lifecycle Approach for Improving the Development and Use of Static Analysis

合作研究：SHF：小型：改进静态分析开发和使用的自动化全生命周期方法

• 批准号: 2008905
• 负责人: Shiyi Wei
• 金额: $ 24.99万
• 依托单位: University of Texas at Dallas
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2008905&HistoricalAwards=false
• 关键词: Collaborative; Research; SHF; Small; Automated

Because software failures can and do cause severe, even life-threatening losses, effective quality assurance remains a constant concern for software developers. In fact, over the past decades, numerous software analysis techniques have been developed to address this concern. These techniques represent a powerful means of detecting bugs or proving their absence. Despite their theoretical superiority, static program analysis tools have had relatively limited industry adoption. Static analysis tools aiming for practical solutions are forced to approximate, trading off precision (i.e., better modeling to ensure correctness) against performance (i.e., faster analysis). Finding the right balance of the complex tradeoffs between performance and precision when developing and using static analysis tools is extremely challenging. This project seeks to reduce practical barriers to conquering this tradeoff. Successful outcomes of this project are likely to improve static analysis tool adoption rates, and thereby improve the safety, security and functionality of critical software that society depends upon. This project aims to achieve more effective static analysis design and usage through cohesive development and usage lifecycle that is powerfully augmented with automated support. This automated support includes systematic evaluation and generation of benchmarks for static analysis tools, localizing sources of imprecision and performance bottlenecks, configuring tool settings that are likely to produce correct and timely results, using machine learning approaches to identify and filter false positives, and integrating these improvements into a demonstration system that leverages information and experiences coming from both tool developers and tool users. This augmented and automated lifecycle will identify frequently occurring code patterns that significantly affect performance/precision tradeoffs in specific tools, allowing tool developers to quickly improve their tools. It will also enable tools designed to customize their behavior and analysis approaches to specific target programs. At the same time, this will provide static analysis tool users with automated support for tuning tool configurations to quickly get more effective results. This is supported by automated classification of tool error reports, reducing effort wasted investigating false positives. These improvements used in concert with each other will result in greatly improved static analysis tools, and much-increased use of these tools in analyzing real-world software.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

由于软件故障可能并且确实会造成严重甚至危及生命的损失，因此有效的质量保证仍然是软件开发人员始终关注的问题。事实上，在过去的几十年里，已经开发了许多软件分析技术来解决这个问题。这些技术代表了检测错误或证明错误不存在的强大方法。尽管静态程序分析工具具有理论优势，但其行业采用率相对有限。针对实际解决方案的静态分析工具被迫进行近似，在精度（即更好的建模以确保正确性）与性能（即更快的分析）之间进行权衡。在开发和使用静态分析工具时，在性能和精度之间的复杂权衡中找到适当的平衡是极具挑战性的。该项目旨在减少克服这种权衡的实际障碍。该项目的成功成果可能会提高静态分析工具的采用率，从而提高社会所依赖的关键软件的安全性和功能性。该项目旨在通过紧密结合的开发和使用生命周期（通过自动化支持得到有力增强）来实现更有效的静态分析设计和使用。这种自动化支持包括系统评估和生成静态分析工具的基准、定位不精确的来源和性能瓶颈、配置可能产生正确和及时结果的工具设置、使用机器学习方法来识别和过滤误报以及集成这些改进演示系统，利用来自工具开发人员和工具用户的信息和经验。这种增强和自动化的生命周期将识别经常出现的代码模式，这些代码模式会显着影响特定工具的性能/精度权衡，从而使工具开发人员能够快速改进他们的工具。它还将使旨在针对特定目标程序定制其行为和分析方法的工具成为可能。同时，这将为静态分析工具用户提供调整工具配置的自动化支持，以快速获得更有效的结果。这得到了工具错误报告自动分类的支持，减少了调查误报所浪费的精力。这些改进相互配合使用将大大改进静态分析工具，并在分析实际软件时更多地使用这些工具。该奖项反映了 NSF 的法定使命，并通过使用基金会的评估进行评估，被认为值得支持。智力价值和更广泛的影响审查标准。

项目成果

ECSTATIC: Automatic Configuration-Aware Testing and Debugging of Static Analysis Tools

ECSTATIC：静态分析工具的自动配置感知测试和调试

• DOI: 10.1145/3597926.3604918
• 发表时间: 2023-07-12
• 期刊: Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis
• 作者: Austin Mordahl;Dakota Soles;Miao Miao;Zenong Zhang;Shiyi Wei
• 通讯作者: Shiyi Wei

The impact of tool configuration spaces on the evaluation of configurable taint analysis for Android

工具配置空间对 Android 可配置污点分析评估的影响

• DOI: 10.1145/3460319.3464823
• 发表时间: 2021-07-11
• 期刊: Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis
• 作者: Austin Mordahl;Shiyi Wei
• 通讯作者: Shiyi Wei

ECSTATIC: An Extensible Framework for Testing and Debugging Configurable Static Analysis

ECSTATIC：用于测试和调试可配置静态分析的可扩展框架

• DOI: 10.1109/icse48619.2023.00056
• 发表时间: 2023-05-01
• 期刊: 2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE)
• 作者: Austin Mordahl;Zenong Zhang;Dakota Soles;Shiyi Wei
• 通讯作者: Shiyi Wei

SATune: A Study-Driven Auto-Tuning Approach for Configurable Software Verification Tools

SATune：一种研究驱动的可配置软件验证工具自动调优方法

• DOI: 10.1109/ase51524.2021.9678761
• 发表时间: 2021-11-01
• 期刊: 2021 36th IEEE/ACM International Conference on Automated Software Engineering (ASE)
• 作者: Ugur Koc;Austin Mordahl;Shiyi Wei;J. Foster;A. Porter
• 通讯作者: A. Porter

An empirical assessment of machine learning approaches for triaging reports of static analysis tools

对静态分析工具分类报告的机器学习方法的实证评估

• DOI: 10.1007/s10664-022-10253-z
• 发表时间: 2023-01-10
• 期刊: Empirical Software Engineering
• 影响因子: 4.1
• 作者: Sai Yerramreddy;Austin Mordahl;Ugur Koc;Shiyi Wei;J. Foster;Marine Carpuat;A. Porter
• 通讯作者: A. Porter