-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathprogram-analysis.bib
139 lines (113 loc) · 6.89 KB
/
program-analysis.bib
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Resource leaks
%%%
@inproceedings{TorlakC10,
title={Effective interprocedural resource leak detection},
author={Torlak, Emina and Chandra, Satish},
crossref="ICSE2010",
pages={535--544},
doi = {10.1145/1806799.1806876},
}
@inproceedings{zuo2019grapple,
title={Grapple: A graph system for static finite-state property checking of large-scale systems code},
author={Zuo, Zhiqiang and Thorpe, John and Wang, Yifei and Pan, Qiuhong and Lu, Shenming and Wang, Kai and Xu, Guoqing Harry and Wang, Linzhang and Li, Xuandong},
crossref="EuroSys2019",
pages={1--17},
year={2019},
doi = {10.1145/3302424.3303972},
}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%% Other
%%%
@InProceedings{GangeNSSS2013,
author = "Graeme Gange and Jorge A. Navas and Peter Schachte and Harald S{\o}ndergaard and Peter J. Stuckey",
authorNONASCII = "Graeme Gange and Jorge A. Navas and Peter Schachte and Harald Søndergaard and Peter J. Stuckey",
authorASCII = "Graeme Gange and Jorge A. Navas and Peter Schachte and Harald Sondergaard and Peter J. Stuckey",
title = "Abstract interpretation over non-lattice abstract domains",
crossref = "SAS2013",
pages = "6-24",
}
@InProceedings{VerbaereHdM2007,
author = "Verbaere, Mathieu and Hajiyev, Elnar and de Moor, Oege",
title = "Improve Software Quality with {SemmleCode}: An {Eclipse} Plugin for Semantic Code Search",
crossref = "OOPSLACompanion2007",
pages = "880–881",
abstract =
"Navigate code, find bugs, compute metrics, check style rules, and
enforce coding conventions in Eclipse with SemmleCode. SemmleCode
is a new free Eclipse plugin that allows you to phrase these tasks
as queries over the codebase - it thus takes the search facilities
in Eclipse to a whole new level. A large library of queries for
common operations is provided, including metrics and Java EE style
rules. Query results can be displayed as a tree view, a table view,
in the problem view, as charts or graphs, all with links to the
source code.",
}
@InProceedings{deMoorSAV2008,
author = "de Moor, Oege and Sereni, Damien and Avgustinov, Pavel and Verbaere, Mathieu",
title = "Type Inference for {Datalog} and Its Application to Query Optimisation",
crossref = "PODS2008",
pages = "291–300",
}
@inproceedings{10.1145/3533767.3534374,
author = {Nachtigall, Marcus and Schlichtig, Michael and Bodden, Eric},
title = {A Large-Scale Study of Usability Criteria Addressed by Static Analysis Tools},
year = {2022},
isbn = {9781450393799},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3533767.3534374},
doi = {10.1145/3533767.3534374},
abstract = {Static analysis tools support developers in detecting potential coding issues, such as bugs or vulnerabilities. Research on static analysis emphasizes its technical challenges but also mentions severe usability shortcomings. These shortcomings hinder the adoption of static analysis tools, and in some cases, user dissatisfaction even leads to tool abandonment. To comprehensively assess the current state of the art, this paper presents the first systematic usability evaluation in a wide range of static analysis tools. We derived a set of 36 relevant criteria from the scientific literature and gathered a collection of 46 static analysis tools complying with our inclusion and exclusion criteria - a representative set of mainly non-proprietary tools. Then, we evaluated how well these tools fulfill the aforementioned criteria. The evaluation shows that more than half of the considered tools offer poor warning messages, while about three-quarters of the tools provide hardly any fix support. Furthermore, the integration of user knowledge is strongly neglected, which could be used for improved handling of false positives and tuning the results for the corresponding developer. Finally, issues regarding workflow integration and specialized user interfaces are proved further. These findings should prove useful in guiding and focusing further research and development in the area of user experience for static code analyses.},
booktitle = {Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis},
pages = {532–543},
numpages = {12},
keywords = {program analysis, user experience, static analysis, explainability, tool support},
location = {Virtual, South Korea},
series = {ISSTA 2022}
}
@InProceedings{MangalNY2014,
author = "Mangal, Ravi and Naik, Mayur and Yang, Hongseok",
title = "A correspondence between two approaches to interprocedural analysis in the presence of join",
crossref = "ESOP2014",
pages = "513--533",
}
@TechReport{SharirP1978,
author = "Sharir, Micha and Pnueli, Amir",
title = "Two approaches to interprocedural data flow analysis",
institution = "Courant Institute of Mathematical Sciences, New York University",
year = 1978,
number = 002,
}
@InProceedings{CalcagnoDDGHLOPPR2015,
author = "Cristiano Calcagno and Dino Distefano and J{\'{e}}r{\'{e}}my Dubreil and Dominik Gabi and Pieter Hooimeijer and Martino Luca and Peter W. O'Hearn and Irene Papakonstantinou and Jim Purbrick and Dulma Rodriguez",
title = "Moving fast with software verification",
crossref = "NFM2015",
pages = "3--11",
doi = {10.4204/eptcs.188.2},
}
@InProceedings{SunSWZ2015,
author = "Hao Sun and Chao Su and Yue Wang and Qingkai Zeng",
title = "Improving the accuracy of integer signedness error detection using data flow analysis",
crossref = "SEKE2015",
pages = "601-606",
doi = "10.18293/SEKE2015-123",
abstract =
"Integer signedness errors can be exploited by adversaries to cause severe
damages to computer systems. Despite the significant advances in automating
the detection of integer signedness errors, accurately differentiating
exploitable and harmful signedness errors from unharmful ones is an
important challenge. In this paper, we present the design and
implementation of SignFlow, an instrumentation-based integer signedness
error detector to reduce the reports for unharmful signedness
errors. SignFlow first utilizes static data flow analysis to identify
unharmful integer sign conversions from the view of where the source
operands originate and whether the conversion results can propagate to
security-related program points, and then inserts security checks for the
remaining conversions so as to accomplish runtime protection. We evaluated
SignFlow on 8 real-world harmful integer signedness bugs, SPECint 2006
benchmarks together with 5 real-world applications. The experimental
results show that SignFlow correctly detected all harmful integer
signedness bugs (i.e. no false negatives) and achieved a reduction of 41\%
in false positives over IntFlow, the state of the art."
}