Abstract
Assertions are helpful in program analysis, such as software testing and verification. The oracles encoded in the assertions help detect potential flaws and release engineers from the manually check of the reported weaknesses, which is error-prone, burdensome and time-consuming. While in practice, few engineers would write assertions during programming, and it is challenging to generate assert statements, and insert them into proper locations automatically. In this paper, we propose a statically directed assertion recommendation approach for C programs. It combines static analysis, dynamic testing, and program verification to automatically recommend and validate weakness-oriented assertions, which is defined as an assert statement used to detect program weaknesses. Firstly, we integrate a static analysis tool such as FlawFinder and some learned patterns about CWE (Common Weakness Enumeration) to report potential program flaws. Secondly, we insert the corresponding assertions into the suspicious locations of those flaws. Then, we validate the program inserted with the assertions through two methods, the first is to execute the code with some test cases generated by automatic test-case generators such as Klee and Dart, and the second is to verify the program with some automatic verifier such as CPAchecker and Smack. Finally, we report on whether those flaws could be a real weakness. Experimental results show that our approach helps to find 125 real weaknesses in open source software from Github. Furthermore, our performance in detecting static analysis' true positives can reach 81.42%.