Scaling Symbolic Execution to Large Software Systems

TL;DR

This paper discusses techniques to scale symbolic execution for large software systems, focusing on the Clang Static Analyzer and CodeChecker to improve efficiency, usability, and integration in continuous development workflows.

Contribution

It introduces scalable methods for symbolic execution, enhancing performance and usability of static analysis tools like Clang Static Analyzer and CodeChecker.

Findings

Achieved end-to-end scalability in static analysis workflows

Reduced runtime and memory consumption of analysis tools

Enhanced bug detection and false positive suppression

Abstract

Static analysis is the analysis of a program without executing it, usually carried out by an automated tool. Symbolic execution is a popular static analysis technique used both in program verification and in bug detection software. It works by interpreting the code, introducing a symbol for each value unknown at compile time (e.g. user-given inputs), and carrying out calculations symbolically. The analysis engine strives to explore multiple execution paths simultaneously, although checking all paths is an intractable problem, due to the vast number of possibilities. We focus on an error finding framework called the Clang Static Analyzer, and the infrastructure built around it named CodeChecker. The emphasis is on achieving end-to-end scalability. This includes the run time and memory consumption of the analysis, bug presentation to the users, automatic false positive suppression, incremental analysis, pattern discovery in the results, and usage in continuous integration loops. We also outline future directions and open problems concerning these tools. While a rich literature exists on program verification software, error finding tools normally need to settle for survey papers on individual techniques. In this paper, we not only discuss individual methods, but also how these decisions interact and reinforce each other, creating a system that is greater than the sum of its parts. Although the Clang Static Analyzer can only handle C-family languages, the techniques introduced in this paper are mostly language-independent and applicable to other similar static analysis tools.