On the Applicability of Static Analysis for System Software using CodeChecker


Research area: Verification



Conference: 2024 7th International Conference on Software and System Engineering (ICoSSE)


Abstract

In the last decade, static analysis has been gaining more and more ground as it is a powerful method to detect errors in software code early during development. However, most tools primarily focus on the application layer and therefore try to enforce the use of higher-level abstractions. These design decisions often result in low-level code being marked as dangerous. In this paper, we examine the effect of static analysers’ design on their applicability for system software, where direct access to hardware resources requires the use of very low-level methods. These codes, while idiomatic for the field, are considered “hacks” or dangerous constructs by static analysers, resulting in an increased number of false positives. We present the list of Clang Static Analyzer, Clang-Tidy, and Cppcheck checkers which we observed to produce a low false positive rate for system software. Based on these observations, we suggest that developers use these checks, as they can be efficiently used to detect real bugs. We implemented our suggestions as an analysis profile in the CodeChecker static analysis driver framework.


Author Profile
Ádám Balogh

Nokia Solutions and Networks Ltd. Budapest Hungary

Andorra
Author Profile
Richárd Szalay

Ericsson Hungary Communication Systems Ltd. Budapest Hungary

Hungary

📄 Paper information

Publication year: 2024
Citations: 3
Publication country: Hungary, Andorra
Site: IEEE