The Community for Technology Leaders
RSS Icon
Issue No.03 - May-June (2012 vol.10)
pp: 16-23
Cristina Cifuentes , Oracle Labs
Nathan Keynes , Oracle Labs
Lian Li , Oracle Labs
Nathan Hawes , Oracle Labs
Manuel Valdiviezo , Oracle Labs
The Parfait static-code-analysis tool started as a research project at Sun Labs (now Oracle Labs) to address runtime and precision shortcomings of C and C++ static-code-analysis tools. After developers started to see and verify the research outcomes, they made further requests to ensure the tool would be easy to use and integrate. This helped transition Parfait from a research artifact to a developer tool. Developers use Parfait daily to prevent the introduction of defects into code bases and to report defects in existing code. Several organizations at Oracle have integrated it into build processes.
static code analysis, bug checking, program analysis, experience report, Project Parfait, Parfait Server, computer security
Cristina Cifuentes, Nathan Keynes, Lian Li, Nathan Hawes, Manuel Valdiviezo, "Transitioning Parfait into a Development Tool", IEEE Security & Privacy, vol.10, no. 3, pp. 16-23, May-June 2012, doi:10.1109/MSP.2012.30
1. C. Cifuentes, and B. Scholz, "Parfait—Designing a Scalable Bug Checker," Proc. ACM SIGPLAN Static Analysis Workshop, ACM, 2008, pp. 4–11.
2. C. Cifuentes et al., "Program Analysis for Bug Checking in Parfait," Proc. 2009 ACM SIGPLAN Symp. Partial Evaluation and Program Manipulation (PEPM 09), ACM, 2009, pp. 7–8.
3. L. Li, C. Cifuentes, and N. Keynes, "Practical and Effective Symbolic Analysis for Buffer Overflow Detection," Proc. 18th ACM SIGSOFT Int'l Symp. Foundations of Software Eng. (FSE 10), ACM, 2010, pp. 317–326.
4. L. Li, C. Cifuentes, and N. Keynes, "Boosting the Performance of Flow-Sensitive Points-to Analysis Using Value Flow," Proc. 19th ACM SIGSOFT Symp. and 13th European Conf. Foundations of Software Eng. (ESEC/FSE 11), ACM, 2011, pp. 343–353.
5. C. Lattner and V. Adve, "LLVM: A Compilation Framework for Lifelong Program Analysis and Transformation," Proc. 2004 Int'l Symp. Code Generation and Optimization, IEEE CS, 2004, pp. 75–86;
6. M. Pistoia et al., "A Survey of Static Analysis Methods for Identifying Security Vulnerabilities in Software Systems," IBM Systems J., vol. 46, no. 2, 2007, pp. 265–288.
7. C. Cifuentes et al., "BegBunch: Benchmarking for C Bug Detection Tools," Proc. 2009 Int'l Workshop Defects in Large Software Systems, ACM, 2009, pp. 16–20.
8. K. Kratkiewicz and R. Lippmann, "Using a Diagnostic Corpus of C Programs to Evaluate Buffer Overflow Detection by Static Analysis Tools," Proc. Workshop Evaluation of Software Defect Detection Tools, 2005; publications050610_Kratkiewicz.pdf.
9. M. Zitser, R. Lippmann, and T. Leek, "Testing Static Analysis Tools Using Exploitable Buffer Overflows from Open Source Code," Proc. Int'l Symp. Foundations of Software Eng., ACM, 2004, pp. 97–106; corpora04_TestingStatic_Zitser.pdf.
10. A. Bessey et al., "A Few Billion Lines of Code Later—Using Static Analysis to Find Bugs in the Real World," Comm. ACM, vol. 53, no. 2, 2010, pp. 66–75.
11. S. McConnell, Code Complete, 2nd ed., Microsoft Press, 2004.
4 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool