Abstract
The term static code analysis is used these days to refer to tools that find bugs and/or security vulnerabilities in source or executable code by performing static analysis of the code. In the past years, several static code analysis tools have transitioned from a research environment onto production mode; examples include Coverity [1], SLAM [2]and Goanna [3].
Parfait was developed as a research project at Sun Microsystems Laboratories with the aim to look into precision and scalability of static bug-detection analyses over millions of lines of source code (MLOC). The Oracle acquisition of Sun brought Parfait into a new playground where, in the course of one year, a small team of researchers and students showed “value for money” against codebases from “legacy” Oracle. Key to this value proposition was not only showing that the tool reported real bugs of interest to developers, but also that there was a high hit rate of reports and that it scaled well, allowing for not only nightly integration but also incremental, commit-time integration.
In this talk we summarise our experiences in the transitioning of Parfait from a research prototype at Oracle Labs, onto production mode at Oracle, as well as its deployment throughout the company, where it is used on a day-to-day basis by thousands of developers. We also elaborate on our recent experiences on extending Parfait to support the JavaTMlanguage, for the purposes of detecting vulnerabilities in the Java Platform.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Bessey, A., Block, K., Chelf, B., Chou, A., Fulton, B., Hallem, S., Henri-Gros, C., Kamsky, A., McPeak, S., Engler, D.: A few billion lines of code later – using static analysis to find bugs in the real world. Communications of the ACM 53, 66–75 (2010)
Ball, T., Levin, V., Rajamani, S.K.: A decade of software model checking with slam. Communications of the ACM 54, 68–76 (2011)
Huuck, R.: Formal verification, engineering and business value. In: Proceedings of the First International Workshop on Formal Techniques for Safety-Critical Systems, Electronic Proceedings in Theoretical Computer Science, pp. 1–4 (2012)
Cifuentes, C., Scholz, B.: Parfait – designing a scalable bug checker. In: Proceedings of the ACM SIGPLAN Static Analysis Workshop, June 12, pp. 4–11 (2008)
Scholz, B., Zhang, C., Cifuentes, C.: User-input dependence analysis via graph reachability. In: Proceedings of the Eighth IEEE Working Conference on Source Code Analysis and Manipulation, September 28-29, pp. 25–34 (2008)
Li, L., Cifuentes, C., Keynes, N.: Practical and effective symbolic analysis for buffer overflow detection. In: roceedings of the ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 317–326. ACM, New York (2010)
Li, L., Cifuentes, C., Keynes, N.: Boosting the performance of flow-sensitive points-to analysis using value flow. In: Proceedings of the 19th ACM SIGSOFT Symposium and the 13th European Conference on Foundations of Software Engineering, pp. 343–353. ACM (2011)
Li, L., Cifuentes, C., Keynes, N.: Precise and scalable context-sensitive pointer analysis via value flow graph. In: Proceedings of the 2013 International Symposium on Memory Management (ISMM), pp. 85–96. ACM (2013)
Valdiviezo, M., Cifuentes, C., Krishnan, P.: A method for scalable and precise bug finding using program analysis and model checking techniques (2012) (unpublished manuscript)
Cifuentes, C., Hoermann, C., Keynes, N., Li, L., Long, S., Mealy, E., Mounteney, M., Scholz, B.: BegBunch: Benchmarking for C bug detection tools. In: Proceedings of the 2009 International Workshop on Defects in Large Software Systems (July 2009)
Lattner, C., Adve, V.: LLVM: A compilation framework for lifelong program analysis & transformation. In: Proceedings of the International Symposium on Code Generation and Optimization. IEEE Computer Society, Washington, DC (2004)
Clang: a C language family frontend for LLVM, http://clang.llvm.org
Cifuentes, C., Keynes, N., Li, L., Hawes, N., Valdiviezo, M.: Transitioning Parfait into a development tool. IEEE Security and Practice (May/June 2012)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer International Publishing Switzerland
About this paper
Cite this paper
Cifuentes, C., Keynes, N. (2013). Internal Deployment of the Parfait Static Code Analysis Tool at Oracle. In: Shan, Cc. (eds) Programming Languages and Systems. APLAS 2013. Lecture Notes in Computer Science, vol 8301. Springer, Cham. https://doi.org/10.1007/978-3-319-03542-0_12
Download citation
DOI: https://doi.org/10.1007/978-3-319-03542-0_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-03541-3
Online ISBN: 978-3-319-03542-0
eBook Packages: Computer ScienceComputer Science (R0)