A novel analysis space for pointer analysis and its application for bug finding

The size of today's programs continues to grow, as does the number of bugs they contain. Testing alone is rarely able to flush out all bugs, and many lurk in difficult-to-test corner cases. An important alternative is static analysis, in which correctness properties of a program are checked without running it. While it cannot catch all errors, static analysis can catch many subtle problems that testing would miss. We propose a new space of abstractions for pointer analysis-an important component of static analysis for C and similar languages. We identify two main components of any abstraction-how to model statement order and how to model conditionals, then present a new model of programs that enables us to explore different abstractions in this space. Our assign-fetch graph represents reads and writes to memory instead of traditional points-to relations and leads to concise function summaries that can be used in any context. Its flexibility supports many new analysis techniques with different trade-offs between precision and speed. We present the details of our abstraction space, explain where existing algorithms fit, describe a variety of new analysis algorithms based on our assign-fetch graphs, and finally present experimental results that show our flow-aware abstraction for statement ordering both runs faster and produces more precise results than traditional flow-insensitive analysis.

[1]  Monica S. Lam,et al.  Efficient context-sensitive pointer analysis for C programs , 1995, PLDI '95.

[2]  James Cheney,et al.  Cyclone: A Safe Dialect of C , 2002, USENIX Annual Technical Conference, General Track.

[3]  F. Krohm Arithmetic Reasoning for Static Analysis of Software , 2003 .

[4]  Flemming Nielson,et al.  Principles of Program Analysis , 1999, Springer Berlin Heidelberg.

[5]  Bjarne Steensgaard,et al.  Points-to analysis in almost linear time , 1996, POPL '96.

[6]  Bruno Blanchet,et al.  Escape analysis for object-oriented languages: application to Java , 1999, OOPSLA '99.

[7]  Jong-Deok Choi,et al.  Efficient flow-sensitive interprocedural computation of pointer-induced aliases and side effects , 1993, POPL '93.

[8]  Jong-Deok Choi,et al.  Flow-Insensitive Interprocedural Alias Analysis in the Presence of Pointers , 1994, LCPC.

[9]  Mark N. Wegman,et al.  Analysis of pointers and structures , 1990, SIGP.

[10]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[11]  Patrice Godefroid,et al.  Model checking for programming languages using VeriSoft , 1997, POPL '97.

[12]  Vikram S. Adve,et al.  Making context-sensitive points-to analysis with heap cloning practical for the real world , 2007, PLDI '07.

[13]  Lars Ole Andersen,et al.  Program Analysis and Specialization for the C Programming Language , 2005 .

[14]  Barbara G. Ryder,et al.  Program decomposition for pointer aliasing: a step toward practical analyses , 1996, SIGSOFT '96.

[15]  Patrick Cousot,et al.  A static analyzer for large safety-critical software , 2003, PLDI '03.

[16]  Seth D. Bergmann,et al.  Compilers , 1973, CSC '73.

[17]  Barbara G. Ryder,et al.  Comparing flow and context sensitivity on the modification-side-effects problem , 1998, ISSTA '98.

[18]  Barbara G. Ryder,et al.  Experiments with combined analysis for pointer aliasing , 1998, PASTE '98.

[19]  Barbara G. Ryder,et al.  A safe approximate algorithm for interprocedural aliasing , 1992, PLDI '92.

[20]  Reinhard Wilhelm,et al.  Solving shape-analysis problems in languages with destructive updating , 1998, TOPL.

[21]  Ben Hardekopf,et al.  The ant and the grasshopper: fast and accurate pointer analysis for millions of lines of code , 2007, PLDI '07.

[22]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[23]  Alfred V. Aho,et al.  Compilers: Principles, Techniques, and Tools , 1986, Addison-Wesley series in computer science / World student series edition.

[24]  Michael Hind,et al.  Assessing the Effects of Flow-Sensitivity on Pointer Alias Analyses , 1998, SAS.

[25]  Daniel Brand,et al.  Evidence-Based Analysis and Inferring Preconditions for Bug Detection , 2007, 2007 IEEE International Conference on Software Maintenance.

[26]  Stephan Merz,et al.  Model Checking , 2000 .

[27]  Manu Sridharan,et al.  Demand-driven points-to analysis for Java , 2005, OOPSLA '05.

[28]  Michael G. Burke An interval-based approach to exhaustive and incremental interprocedural data-flow analysis , 1990, TOPL.

[29]  G. G. Stokes "J." , 1890, The New Yale Book of Quotations.

[30]  Ken Kennedy,et al.  Interprocedural side-effect analysis in linear time , 1988, PLDI '88.

[31]  Manu Sridharan,et al.  Refinement-based context-sensitive points-to analysis for Java , 2006, PLDI '06.

[32]  Sigmund Cherem,et al.  A Practical Escape and Effect Analysis for Building Lightweight Method Summaries , 2007, CC.

[33]  Robert DeLine,et al.  Enforcing high-level protocols in low-level software , 2001, PLDI '01.

[34]  Hong-Seok Kim,et al.  Bottom-Up and Top-Down Context-Sensitive Summary-Based Pointer Analysis , 2004, SAS.

[35]  Barbara G. Ryder,et al.  Relevant context inference , 1999, POPL '99.

[36]  Daniel Brand,et al.  A software falsifier , 2000, Proceedings 11th International Symposium on Software Reliability Engineering. ISSRE 2000.

[37]  Stephen A. Edwards,et al.  Flexible pointer analysis using assign-fetch graphs , 2008, SAC '08.

[38]  KennedyKen,et al.  Interprocedural side-effect analysis in linear time , 2004 .

[39]  Reinhard Wilhelm,et al.  Shape Analysis , 2000, CC.

[40]  Jong-Deok Choi,et al.  Interprocedural pointer alias analysis , 1999, TOPL.

[41]  Glenford J. Myers,et al.  Art of Software Testing , 1979 .

[42]  Dawson R. Engler,et al.  Static Analysis Versus Model Checking for Bug Finding , 2005, CONCUR.

[43]  Satish Chandra,et al.  Searching for points-to analysis , 2002, SIGSOFT '02/FSE-10.

[44]  Stephen A. Edwards,et al.  Summary-based pointer analysis framework for modular bug finding , 2008 .

[45]  Dawson R. Engler,et al.  Static Analysis versus Software Model Checking for Bug Finding , 2004, VMCAI.

[46]  Susan Horwitz,et al.  Fast and accurate flow-insensitive points-to analysis , 1997, POPL '97.

[47]  Subhas C. Misra,et al.  Relationships Between Selected Software Measures and Latent Bug-Density: Guidelines for Improving Quality , 2003, ICCSA.

[48]  Jong-Deok Choi,et al.  Escape analysis for Java , 1999, OOPSLA '99.

[49]  Manuvir Das,et al.  Unification-based pointer analysis with directional assignments , 2000, PLDI '00.

[50]  Laurie J. Hendren,et al.  Context-sensitive interprocedural points-to analysis in the presence of function pointers , 1994, PLDI '94.

[51]  John Banning,et al.  : An Efficient , 2022 .

[52]  Greg Nelson,et al.  Extended static checking for Java , 2002, PLDI '02.