Detecting memory errors via static pointer analysis

We study the applicability of pointer analysis algorithms (originally aimed at optimizing compilers) to identify potential errors such as dereferencing NULL pointers in C programs, by statically analyzing the behavior of programs on all their input data. The algorithms are conservative, i.e., they never miss an error but may also create "false alarms". Our goal is to identify the "core program analysis techniques" that are needed to develop a realistic tool that does not generate too many false alarms. Our experience indicates that the following techniques are necessary: (i) finding aliases between pointers, (ii) flow-sensitive techniques that account for the program's control-flow constructs, (iii) partial interpretation of conditional statements, (iv) analysis of relationships between pointers, and sometimes (v) analysis of the underlying data structures manipulated by the C program. Our experimental work shows that the combination of these techniques yields better results than those achieved by state-of-the-art tools.

ACKNOWLEDGMENTS

I would like to thank all those who contributed to the completion of my thesis. Special thanks are dedicated to Dr. Mooly Sagiv, for his profound guidance and tutoring and for his constant support and encouragement. To Prof. Michael Rodeh, who has dedicated considerable time to supervising and reviewing the course of the research, and to the whole PAG development team from Saarlandes University for providing me with their tool, and to Prof. Susan Horowitz for the support with PAG's C-frontend, all of which have enabled the easy and fast implementation of the analysis. I would also like to thank Prof. Tom Reps for all the valuable advice throughout the thesis.
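To make techniques (ii) and (iii) from the abstract concrete, the following toy NULL-dereference checker is an added example; it is not the thesis's tool (which is generated with PAG) and its three-statement IR, the sample programs and the warning labels D1 to D5 are constructed for illustration. It contrasts a flow-insensitive analysis, which merges every assignment to a pointer regardless of order, with a flow-sensitive one that optionally interprets `p != NULL` conditions by narrowing the abstract value of `p` on each branch. Pointer copies (`q = p`) stand in for the simplest form of aliasing (i); relationships between pointers (iv) and shape analysis (v) are not modelled.

```python
"""Toy NULL-dereference checker: flow-insensitive vs. flow-sensitive analysis
with partial interpretation of `p != NULL` conditions (constructed example)."""
from typing import Dict, FrozenSet, List

NULL, NONNULL = "null", "nonnull"
MAYBE: FrozenSet[str] = frozenset({NULL, NONNULL})   # top: may or may not be NULL
State = Dict[str, FrozenSet[str]]                    # pointer variable -> abstract value

# Assumed IR:  ("set", var, rhs)  with rhs in {"null", "alloc", "unknown"} or another
# variable name (pointer copy);  ("branch", cond, then_block, else_block)  with
# cond = ("nonnull", var) or ("opaque",);  ("deref", var, label).


def value_of(rhs: str, state: State) -> FrozenSet[str]:
    """Abstract value of a right-hand side; a variable name means a pointer copy."""
    literal = {"null": frozenset({NULL}), "alloc": frozenset({NONNULL}), "unknown": MAYBE}
    return literal.get(rhs) or state.get(rhs, MAYBE)


def join(states: List[State]) -> State:
    """Merge states at a control-flow join; a variable unset on one path is MAYBE."""
    if not states:
        return {}
    names = set().union(*states)
    return {v: frozenset().union(*(s.get(v, MAYBE) for s in states)) for v in names}


def flow_sensitive(prog: list, interpret_conditions: bool = True) -> List[str]:
    """Walk the program in order; optionally narrow a pointer on `p != NULL` branches."""
    warnings: List[str] = []

    def run(stmts: list, state: State) -> State:
        for s in stmts:
            if s[0] == "set":
                state = {**state, s[1]: value_of(s[2], state)}
            elif s[0] == "deref":
                if NULL in state.get(s[1], MAYBE):
                    warnings.append(s[2])
            elif s[0] == "branch":
                _, cond, then_b, else_b = s
                outs: List[State] = []
                for block, keep in ((then_b, NONNULL), (else_b, NULL)):
                    entry = dict(state)
                    if interpret_conditions and cond[0] == "nonnull":
                        entry[cond[1]] = state.get(cond[1], MAYBE) & {keep}
                        if not entry[cond[1]]:
                            continue          # branch infeasible under this state
                    outs.append(run(block, entry))
                state = join(outs)
        return state

    run(prog, {})
    return warnings


def flow_insensitive(prog: list) -> List[str]:
    """Order-blind: every assignment anywhere contributes to a variable's value."""
    state: State = {}
    warnings: List[str] = []

    def collect(stmts: list) -> bool:
        changed = False
        for s in stmts:
            if s[0] == "set":
                new = state.get(s[1], frozenset()) | value_of(s[2], state)
                if new != state.get(s[1]):
                    state[s[1]] = new
                    changed = True
            elif s[0] == "branch":
                changed |= collect(s[2])
                changed |= collect(s[3])
        return changed

    def check(stmts: list) -> None:
        for s in stmts:
            if s[0] == "deref" and NULL in state.get(s[1], MAYBE):
                warnings.append(s[2])
            elif s[0] == "branch":
                check(s[2])
                check(s[3])

    while collect(prog):      # iterate to a fixpoint so copies see later assignments
        pass
    check(prog)
    return warnings


# Constructed sample programs (labels D1..D5 mark dereference sites).
PROG_REINIT = [("set", "p", "null"), ("set", "p", "alloc"), ("deref", "p", "D1")]
PROG_CHECKED = [                       # defensive check; else-branch repairs p
    ("set", "p", "unknown"),
    ("branch", ("nonnull", "p"),
        [("deref", "p", "D2")],
        [("set", "p", "alloc"), ("deref", "p", "D3")]),
    ("set", "q", "p"), ("deref", "q", "D4"),
]
PROG_BUG = [                           # genuine bug: p stays NULL if the condition is false
    ("set", "p", "null"),
    ("branch", ("opaque",), [("set", "p", "alloc")], []),
    ("deref", "p", "D5"),
]


def compare(prog: list) -> Dict[str, List[str]]:
    """Warnings reported by each analysis for one program."""
    return {"flow_insensitive": flow_insensitive(prog),
            "flow_sensitive_no_conditions": flow_sensitive(prog, False),
            "flow_sensitive_with_conditions": flow_sensitive(prog, True)}


if __name__ == "__main__":
    for name, prog in (("reinit", PROG_REINIT), ("checked", PROG_CHECKED), ("bug", PROG_BUG)):
        print(name, compare(prog))
```

Running the three programs shows the effect the abstract describes: the flow-insensitive analysis flags D1 (a false alarm, since `p` is re-initialised before use) and all of D2, D3 and D4; flow sensitivity alone clears D1 and D3 but still reports D2 and D4; adding interpretation of the `p != NULL` condition clears the remaining false alarms. The genuine defect D5 is reported by all three, as a conservative analysis must.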
