Abstract
Inconsistency checking is a method for detecting software errors that relies only on examining multiple uses of a value. We propose that inconsistency inference is best understood as a variant of the older and better-understood problem of type inference. Using this insight, we describe a precise and formal framework for discovering inconsistency errors. Unlike previous approaches to the problem, our technique for finding inconsistency errors is purely semantic and can deal with complex aliasing and path-sensitive conditions. We have built a null dereference analysis of C programs based on semantic inconsistency inference and have used it to find hundreds of previously unknown null dereference errors in widely used C programs.
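The abstract's central idea, that a value's nullness can be judged from how the program itself uses the value, is easiest to see on a small checker. The following is an added example written for this page, not the paper's analysis or its implementation: it walks a constructed, C-like statement IR path-sensitively and reports a dereference either when the pointer is definitely NULL on the current path, or when it is unguarded on the current path while the same function compares it against NULL somewhere else (the check is evidence of a belief that the value can be NULL, so the unguarded use contradicts it). Pointers that are never checked are never reported, which is what makes the verdict depend only on multiple uses rather than on knowing what the callee returns. The IR, the sample functions and the line numbers are all constructed; aliasing is not modelled.

```python
"""Toy path-sensitive inconsistency checker for NULL dereferences (added example).

IR statements (constructed for this example):
  ("assign", var)                      var = some call; nullness unknown
  ("call",)                            a call that touches no tracked pointer
  ("deref", var, line)                 *var or var->field at a source line
  ("if_null", var, then_blk, else_blk) if (var == NULL) {..} else {..}
  ("return",)                          leaves the function
"""

NULL, NONNULL, UNKNOWN = "null", "nonnull", "unknown"


def collect_checks(stmts):
    """Every variable compared against NULL anywhere in the function body."""
    checked = set()
    for stmt in stmts:
        if stmt[0] == "if_null":
            _, var, then_blk, else_blk = stmt
            checked.add(var)
            checked |= collect_checks(then_blk) | collect_checks(else_blk)
    return checked


def join(env_a, env_b):
    """Merge two paths: a pointer whose state differs between them becomes UNKNOWN."""
    merged = {}
    for var in env_a.keys() | env_b.keys():
        a, b = env_a.get(var, UNKNOWN), env_b.get(var, UNKNOWN)
        merged[var] = a if a == b else UNKNOWN
    return merged


def walk(stmts, env, checked, reports):
    """Walk one block path-sensitively.

    Returns the environment at fall-through, or None when every path through
    the block returned, so nothing flows to the statements after it.
    """
    env = dict(env)
    for stmt in stmts:
        kind = stmt[0]
        if kind == "assign":
            env[stmt[1]] = UNKNOWN
        elif kind == "deref":
            _, var, line = stmt
            state = env.get(var, UNKNOWN)
            if state == NULL:
                reports.append((line, var, "dereference of a NULL pointer"))
            elif state == UNKNOWN and var in checked:
                # Belief from another use (a NULL check) contradicts this unguarded use.
                reports.append((line, var, "unguarded dereference, but pointer is NULL-checked elsewhere"))
        elif kind == "if_null":
            _, var, then_blk, else_blk = stmt
            then_env = walk(then_blk, {**env, var: NULL}, checked, reports)
            else_env = walk(else_blk, {**env, var: NONNULL}, checked, reports)
            if then_env is None and else_env is None:
                return None
            if then_env is None:
                env = else_env
            elif else_env is None:
                env = then_env
            else:
                env = join(then_env, else_env)
        elif kind == "return":
            return None
        # "call" touches no tracked pointer, so the state is unchanged.
    return env


def check_function(stmts):
    """Return [(line, var, message)] for one function body, sorted by line."""
    reports = []
    walk(stmts, {}, collect_checks(stmts), reports)
    return sorted(reports)


# Constructed sample functions; the comment gives the C sketch each one encodes.
SAMPLES = {
    # p = lookup(); if (p == NULL) return; use(p->f);           consistent
    "guarded": [("assign", "p"), ("if_null", "p", [("return",)], []), ("deref", "p", 3)],
    # x = p->f; if (p == NULL) return;                            check after use
    "check_after_use": [("assign", "p"), ("deref", "p", 2), ("if_null", "p", [("return",)], [])],
    # if (p == NULL) { log(p->f); return; } use(p->f);           deref on the NULL path
    "deref_in_null_branch": [("assign", "p"),
                             ("if_null", "p", [("deref", "p", 3), ("return",)], []),
                             ("deref", "p", 5)],
    # if (p == NULL) log(); else use(p->f); use(p->f);            paths merge, p may be NULL
    "merge_may_be_null": [("assign", "p"),
                          ("if_null", "p", [("call",)], [("deref", "p", 3)]),
                          ("deref", "p", 5)],
    # q = lookup(); use(q->f);                                    never checked: no belief, no report
    "never_checked": [("assign", "q"), ("deref", "q", 2)],
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, check_function(body) or "no reports")
```

The two kinds of report differ in confidence: a dereference on the NULL branch of the pointer's own check is an error on its face, while an unguarded dereference of a pointer that is checked elsewhere is an inconsistency between two uses, which is exactly the signal the abstract describes. The `never_checked` sample shows the flip side: with only one use there is no second belief to contradict, so a purely inconsistency-based checker stays silent even though the dereference could still be wrong.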
Static error detection using semantic inconsistency inference
PLDI '07: Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation