Static error detection using semantic inconsistency inference

Inconsistency checking is a method for detecting software errors that relies only on examining multiple uses of a value. We propose that inconsistency inference is best understood as a variant of the older and better understood problem of type inference. Using this insight, we describe a precise and formal framework for discovering inconsistency errors. Unlike previous approaches to the problem, our technique for finding inconsistency errors is purely semantic and can deal with complex aliasing and path-sensitive conditions. We have built a null dereference analysis of C programs based on semantic inconsistency inference and have used it to find hundreds of previously unknown null dereference errors in widely used C programs.
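The kind of error the abstract describes is easiest to see on a concrete pattern: a pointer that is dereferenced on one path and compared against NULL on another. Neither use is wrong in isolation; the bug is that the two uses disagree about whether the pointer may be NULL. The following toy checker is an added illustration, not the paper's analysis (the paper formulates the problem as type inference; this script simply enumerates acyclic paths of a tiny hand-built CFG). All block names, statement shapes and the four sample functions are constructed for the example.

```python
"""Toy path-sensitive null-inconsistency checker.

Added illustration, not the paper's implementation. A function is modelled as a
small CFG: block name -> (statements, successors). Statements are tuples
    ("deref", p)      p is dereferenced
    ("copy", q, p)    q = p, so q must-aliases p
and each successor edge carries an optional guard ("nonnull", p) or ("null", p)
describing the branch condition taken. Every name below is a constructed example.
"""
from typing import Dict, List, Optional, Set, Tuple

Stmt = Tuple[str, ...]
Guard = Optional[Tuple[str, str]]
Block = Tuple[List[Stmt], List[Tuple[str, Guard]]]
CFG = Dict[str, Block]


def analyze(cfg: CFG, entry: str = "entry") -> Dict[str, List[str]]:
    """Enumerate acyclic paths and compare the uses of each pointer.

    A pointer is *inconsistent* when one use assumes it may be NULL (it is
    compared against NULL somewhere) while another use, on some path, dereferences
    it with no NULL check guarding that dereference. A dereference on a path
    where the pointer is known to be NULL is reported as a definite error.
    """
    checked: Set[str] = set()     # pointers compared against NULL somewhere
    unguarded: Set[str] = set()   # dereferenced on a path with no nonnull fact
    definite: Set[str] = set()    # dereferenced where known to be NULL

    def root(alias: Dict[str, str], v: str) -> str:
        # follow must-alias copies back to the original pointer
        while v in alias:
            v = alias[v]
        return v

    def walk(block: str, alias: Dict[str, str], nonnull: Set[str],
             null: Set[str], visited: Set[str]) -> None:
        stmts, succs = cfg[block]
        alias = dict(alias)  # per-path copy; facts never leak between paths
        for s in stmts:
            if s[0] == "copy":
                alias[s[1]] = root(alias, s[2])
            elif s[0] == "deref":
                r = root(alias, s[1])
                if r in null:
                    definite.add(r)
                elif r not in nonnull:
                    unguarded.add(r)
        for nxt, guard in succs:
            if nxt in visited:       # ignore back edges (no loop fixpoint here)
                continue
            nn, nl = set(nonnull), set(null)
            if guard is not None:
                kind, v = guard
                r = root(alias, v)
                checked.add(r)       # a NULL check is evidence r may be NULL
                (nn if kind == "nonnull" else nl).add(r)
            walk(nxt, alias, nn, nl, visited | {nxt})

    walk(entry, {}, set(), set(), {entry})
    return {
        "inconsistent": sorted(checked & unguarded),
        "definite_null_deref": sorted(definite),
    }


# Constructed CFGs standing in for small C functions.

# int f(struct node *p) { int x = p->val; if (p == NULL) return -1; return p->next->val; }
DEREF_BEFORE_CHECK: CFG = {
    "entry": ([("deref", "p")], [("check", None)]),
    "check": ([], [("exit", ("null", "p")), ("body", ("nonnull", "p"))]),
    "body":  ([("deref", "p")], [("exit", None)]),
    "exit":  ([], []),
}

# void g(struct node *p) { struct node *q = p; if (p == NULL) return; use(q->val); }
CHECK_THROUGH_ALIAS: CFG = {
    "entry": ([("copy", "q", "p")],
              [("exit", ("null", "p")), ("body", ("nonnull", "p"))]),
    "body":  ([("deref", "q")], [("exit", None)]),
    "exit":  ([], []),
}

# void h(struct node *p) { if (p == NULL) { log(p->name); return; } use(p->val); }
DEREF_IN_NULL_BRANCH: CFG = {
    "entry": ([], [("err", ("null", "p")), ("body", ("nonnull", "p"))]),
    "err":   ([("deref", "p")], [("exit", None)]),
    "body":  ([("deref", "p")], [("exit", None)]),
    "exit":  ([], []),
}

# void k(struct node *p) { use(p->val); }  -- never checked, so no evidence p may be NULL
NEVER_CHECKED: CFG = {
    "entry": ([("deref", "p")], [("exit", None)]),
    "exit":  ([], []),
}

if __name__ == "__main__":
    for name, cfg in [("deref_before_check", DEREF_BEFORE_CHECK),
                      ("check_through_alias", CHECK_THROUGH_ALIAS),
                      ("deref_in_null_branch", DEREF_IN_NULL_BRANCH),
                      ("never_checked", NEVER_CHECKED)]:
        print(name, analyze(cfg))
```

Two points the sample functions make: `k` is not reported even though `p` is dereferenced without a check, because a single use carries no evidence that `p` can be NULL, which is what distinguishes inconsistency checking from a non-null type discipline; and `g` is not reported because the check on `p` guards the dereference of its alias `q`, so an analysis that ignores aliasing would raise a false positive here. Real C requires may-alias reasoning, loops and interprocedural facts, none of which this toy handles.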
