| In recent years,with the rapid development of computer technology,the demand of people for software system is increasing day by day,and the scale of software is constantly expanding.Using the software with defects will not only increase the cost of software maintenance,but also may cause disastrous consequences.Software testing is an important means to ensure the quality of software,which is the process of functional verification in the program development.How to detect and eliminate software defects as early as possible has become the focus of attention of developers,testers and researchers.As an emerging software testing technology,code static analysis technology can perform analysis based on program fragments without executing programs.It is an effective means to build trusted software.However,according to Rice theorem,the result of code static analysis can not be both complete and reliable,which may lead to a large number of false positives in the analysis results.The confirmation of false positives not only requires a lot of time,manpower and material resources,but also causes testers to refuse to use static analysis tools for software testing.How to improve the efficiency of confirmation about the code static analysis results(suspected faults)has become one of the hotspots in the field of software testing.The research work in this paper is supported by the national natural science foundation of China "research on source code vulnerability analysis,detection and verification technology(U1736110)",and based on the static defect detection tool DTS(Defect Testing System).In terms of automatic confirmation of code suspected fault,this paper mainly does the following three aspects:1.Research on the false positive elimination technique.Based on the path sensitive and demand-driven analysis,this paper proposes an approach to eliminate some false positives in static defect detection results.In this approach,the correlation functions of the defect feature are calculated in the local program(within the suspected fault function)according to the defect feature of suspected fault,and only these correlation functions are analyzed in detail in the backward analysis.In this way,not only the accuracy of program analysis can be guaranteed,but also the false positives caused by using function summary of callee instead of the callee in static analysis can be identified.And it can improve the analysis speed over detailed analysis of all callees.Then,the "whole-section-whole" strategy is used to generate the path from the fault function entry to the suspected fault statement.This strategy uses the path within the correlation function as a fragment of the overall path,which can prevent the infeasible path transfer to the overall path by detecting the infeasible path within the correlation function,and reduces the number of overall path generation.Finally,the constraint conditions of each path are extracted and combined with the trigger condition of suspected fault to calculate whether the path can trigger this suspected fault,and then determine whether the suspected fault is a false positive.In order to verify the effectiveness of the proposed approach,this paper conducts experimental verification on five open source C programs.The experimental results show that the proposed approach can accurately eliminate some of the false positives in the static analysis results,and is superior to the function inline method in terms of time overhead and number of false positives.2.Research on the interprocedural infeasible paths detection.The infeasible paths in the program not only affect the generation of test cases and code coverage testing during the software testing,but also affect the efficiency and accuracy of automatic confirmation of suspected faults.In this paper,an infeasible path detection approach based on unsatisfiable constraint patterns is proposed.Firstly,by mining the common constraint features of 12695 infeasible paths,nine unsatisfiable path constraint patterns are obtained.Then,in the process of program analysis,the path constraint of the detected path is extracted,clustered and simplified sequentially,and the simplified constraint conditions is obtained.Finally,the interprocedural infeaible path is detected by matching the simplified constraint condition with the unsatisfiable constraint pattern.In this paper,the effectiveness of the proposed method is verified by a randomly selected path in an open source program.The experimental results show that,the 89.6%interprocedural infeasible paths in a given set of paths can be accurately detected by the proposed approach.Compared with the code pattern approach,the number of interprocedural infeasible paths detected by the proposed approach is large and the time overhead is small.3.Research on the trigger path generation of suspected fault.In the process of automatic confirmation of code suspected faults,generating an interprocedural path that can trigger suspected fault can not only confirm this suspected fault,but also assist the developers to fix the fault.Based on the demand-driven analysis and interprocedural data flow analysis for a suspected fault,this paper proposes an approach to generate the trigger path of suspected fault.The approach firstly calculates the influence predicates of suspected fault according to its defect feature and simplifies the control flow graph of the function where the influence predicates are located,it can greatly reduce the number of paths generated when backward traversing the CFG,and reduce the risk of path explosion and the time overhead accordingly.T hen,the "section-whole" strategy is adopted to generate the trigger path by traversing the simplified CFG of the correlation function.The simplification of CFG and the use of "section-whole" strategy can effectively prevent the transmission of infeasible path and reduce the number of judgment on path infeasibility,thereby improving the efficiency of trigger path generation.In this paper,the real and non-real faults in open source programs are taken as the benchmark faults to verify the approach.The experimental results show that,for the 64%real faults,the proposed approach can generate their trigger paths,and it is superior to the traditional method in terms of the number and efficiency of trigger path generation. |
PDF Full Text Request