Clang SA is a great tool for discovering defects. From a program testing
perspective, it would be nice to leverage it for test case
generation. A first step could be to make Clang
SA spit out path constraints alongside bug reports, and use a solver to
generate (synthesize) test input.

Has anyone else toyed with this idea or fancies having a go? Pointers to
previous work in this direction much appreciated.

I am aware that KLEE does exactly this using full-program SE but sadly,
it hasn't been demonstrated on anything bigger than coreutils. Since
Clang SA performs under-constrained SE, it scales up against large
codebases, so it is a good candidate to tease out test cases for more
complex programs. Naturally, at some point under-constraining may prove
an obstacle for program input generation but the point is to at least
get to a point where we can focus on the problem of "extrapolating"
under-constrained input to program input.