The use of static analysis in validation and verification of safety-critical software applications becomes more important. However, static analysis of the software applications may result in many falsely reported warnings, commonly referred to as false positives. All the warnings generated by the static analysis may thus require a manual review in order to check if the warnings are safe or unsafe. Manually reviewing a large number of warnings is time consuming and associated with high cost. The large number of warnings is a result of using abstractions and/or conscious design decisions such as excluding array handling or performing analysis intra-procedurally. Additionally, the inability of the static analysis for determining actual values that a variable can take at run-time may lead to a high number of warnings generated.
Currently, a user analyzing or reviewing the warnings generated by static analysis has to review each of the warnings individually. Some existing techniques, such as abstract interpretation, difference bound matrix, and model-checking, may attempt to make the static analysis more precise. However, the existing techniques may still generate a large number of warnings, and may thus fail to reduce the manual review efforts required to analyze the warnings.
Moreover, other existing techniques may provide groupings of warnings based on severity or priority of the warnings. But these techniques fail to reduce the review efforts of the warnings.