Verifying dereference safety via expanding-scope analysis

This paper addresses the challenging problem of verifying the safety of pointer dereferences in real Java programs. We provide an automatic approach to this problem based on a sound interprocedural analysis. We present a staged expanding-scope algorithm for interprocedural abstract interpretation, which invokes sound analysis with partial programs of increasing scope. This algorithm achieves many benefits typical of whole-program interprocedural analysis, but scales to large programs by limiting analysis to small program fragments. To address cases where the static analysis of program fragments fails to prove safety, the analysis also suggests possible annotations which, if a user accepts, ensure the desired properties. Experimental evaluation on a number of Java programs shows that we are able to verify 90% of all dereferences soundly and automatically, and further reduce the number of remaining dereferences using non-nullness annotations.

[1]  R. Wilhelm,et al.  Parametric Shape Analysis via 3 - valued Logic TOPLAS , 2002 .

[2]  Thomas W. Reps,et al.  Precise interprocedural dataflow analysis via graph reachability , 1995, POPL '95.

[3]  Willem Visser,et al.  Variably interprocedural program analysis for runtime error detection , 2007, ISSTA '07.

[4]  K. Rustan M. Leino,et al.  The Spec# Programming System: An Overview , 2004, CASSIS.

[5]  Monica S. Lam,et al.  Automatic inference of stationary fields: a generalization of java's final fields , 2008, POPL '08.

[6]  Barbara G. Ryder,et al.  Data-flow analysis of program fragments , 1999, ESEC/FSE-7.

[7]  K. Rustan M. Leino,et al.  Houdini, an Annotation Assistant for ESC/Java , 2001, FME.

[8]  William G. Griswold,et al.  Dynamically discovering likely program invariants to support program evolution , 1999, Proceedings of the 1999 International Conference on Software Engineering (IEEE Cat. No.99CB37002).

[9]  Amer Diwan,et al.  Type-based alias analysis , 1998, PLDI.

[10]  Greg Nelson,et al.  Extended static checking for Java , 2002, PLDI '02.

[11]  Robert E. Strom,et al.  Typestate: A programming language concept for enhancing software reliability , 1986, IEEE Transactions on Software Engineering.

[12]  Michael Rodeh,et al.  Detecting memory errors via static pointer analysis (preliminary experience) , 1998, PASTE '98.

[13]  Patrick Cousot,et al.  Systematic design of program analysis frameworks , 1979, POPL.

[14]  David Hovemeyer,et al.  Finding bugs is easy , 2004, SIGP.

[15]  James R. Larus,et al.  Righting software , 2004, IEEE Software.

[16]  K. Rustan M. Leino,et al.  Declaring and checking non-null types in an object-oriented language , 2003, OOPSLA 2003.

[17]  David R. Cok,et al.  ESC/Java2: Uniting ESC/Java and JML , 2004, CASSIS.

[18]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.

[19]  Eran Yahav,et al.  Effective typestate verification in the presence of aliasing , 2006, TSEM.

[20]  William R. Bush,et al.  A static analyzer for finding dynamic programming errors , 2000, Softw. Pract. Exp..

[21]  Michael Rodeh,et al.  Checking Cleanness in Linked Lists , 2000, SAS.

[22]  Alexander Aiken,et al.  Saturn: A scalable framework for error detection using Boolean satisfiability , 2007, TOPL.

[23]  K. Rustan M. Leino,et al.  Declaring and checking non-null types in an object-oriented language , 2003, OOPSLA.

[24]  David Grove,et al.  Optimization of Object-Oriented Programs Using Static Class Hierarchy Analysis , 1995, ECOOP.