skip to main content
research-article

Thresher: precise refutations for heap reachability

Published:16 June 2013Publication History
Skip Abstract Section

Abstract

We present a precise, path-sensitive static analysis for reasoning about heap reachability, that is, whether an object can be reached from another variable or object via pointer dereferences. Precise reachability information is useful for a number of clients, including static detection of a class of Android memory leaks. For this client, we found the heap reachability information computed by a state-of-the-art points-to analysis was too imprecise, leading to numerous false-positive leak reports. Our analysis combines a symbolic execution capable of path-sensitivity and strong updates with abstract heap information computed by an initial flow-insensitive points-to analysis. This novel mixed representation allows us to achieve both precision and scalability by leveraging the pre-computed points-to facts to guide execution and prune infeasible paths. We have evaluated our techniques in the Thresher tool, which we used to find several developer-confirmed leaks in Android applications.

References

  1. L. O. Andersen. phProgram Analysis and Specialization for the C Programming Language. PhD thesis, University of Copenhagen, DIKU, 1994.Google ScholarGoogle Scholar
  2. T. Ball and S. K. Rajamani. Automatically validating temporal safety properties of interfaces. In SPIN, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. T. Ball, O. Kupferman, and G. Yorsh. Abstraction for falsification. In CAV, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. N. Beckman, A. V. Nori, S. K. Rajamani, and R. J. Simmons. Proofs from tests. In ISSTA, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  5. J. Berdine, C. Calcagno, and P. W. O'Hearn. Symbolic execution with separation logic. In APLAS, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. J. Berdine, C. Calcagno, B. Cook, D. Distefano, P. W. O'Hearn, T. Wies, and H. Yang. Shape analysis for composite data structures. In CAV, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. D. Beyer, T. A. Henzinger, R. Majumdar, and A. Rybalchenko. Path invariants. In PLDI, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. S. Blackshear, B.-Y. E. Chang, S. Sankaranarayanan, and M. Sridharan. The flow-insensitive precision of andersen's analysis in practice. In SAS, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. F. Bourdoncle. Abstract debugging of higher-order imperative languages. In PLDI, 1993. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. C. Calcagno, D. Distefano, P. W. O'Hearn, and H. Yang. Compositional shape analysis by means of bi-abduction. In POPL, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. S. Chandra, S. J. Fink, and M. Sridharan. Snugglebug: a powerful approach to weakest preconditions. In PLDI, 2009. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. B.-Y. E. Chang and X. Rival. Relational inductive shape analysis. In POPL, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. E. M. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guided abstraction refinement for symbolic model checking. J. ACM, 50 (5), 2003. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. P. Cousot and R. Cousot. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In POPL, 1977. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. P. Cousot, R. Cousot, J. Feret, L. Mauborgne, A. Miné, D. Monniaux, and X. Rival. The ASTREÉ analyzer. In ESOP, 2005.Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. P. Cousot, P. Ganty, and J.-F. Raskin. Fixpoint-guided abstraction refinements. In SAS, 2007. Google ScholarGoogle ScholarDigital LibraryDigital Library
  17. P. Cousot, R. Cousot, and F. Logozzo. Precondition inference from intermittent assertions and application to contracts on collections. In VMCAI, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. M. Das, S. Lerner, and M. Seigle. ESP: Path-sensitive program verification in polynomial time. In PLDI, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. I. M. de Moura and N. Bjørner. Z3: An efficient SMT solver. In TACAS, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. I. Dillig, T. Dillig, and A. Aiken. Sound, complete and scalable path-sensitive analysis. In PLDI, 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. I. Dillig, T. Dillig, and A. Aiken. Fluid updates: Beyond strong vs. weak updates. In ESOP, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. I. Dillig, T. Dillig, and A. Aiken. Precise reasoning for programs using containers. In POPL, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. I. Dillig, T. Dillig, and A. Aiken. Automated error diagnosis using abductive inference. In PLDI, 2012. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. D. Distefano and I. Filipović. Memory leaks detection in Java by bi-abductive inference. In FASE, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. N. Dor, S. Adams, M. Das, and Z. Yang. Software validation via scalable path-sensitive value flow analysis. In ISSTA, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. S. J. Fink, E. Yahav, N. Dor, G. Ramalingam, and E. Geay. Effective typestate verification in the presence of aliasing. ACM Trans. Softw. Eng. Methodol., 17 (2), 2008. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. C. Flanagan, K. R. M. Leino, M. Lillibridge, G. Nelson, J. B. Saxe, and R. Stata. Extended static checking for Java. In PLDI, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. S. Z. Guyer and C. Lin. Error checking with client-driven pointer analysis. Sci. Comput. Program., 58 (1--2), 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. B. Hackett and A. Aiken. How is aliasing used in systems software? In FSE, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. W. R. Harris, S. Sankaranarayanan, F. Ivancic, and A. Gupta. Program analysis via satisfiability modulo path programs. In POPL, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. T. A. Henzinger, R. Jhala, R. Majumdar, and G. Sutre. Lazy abstraction. In POPL, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. S. S. Ishtiaq and P. W. O'Hearn. BI as an assertion language for mutable data structures. In POPL, 2001. Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. S. Khurshid, C. S. Pasareanu, and W. Visser. Generalized symbolic execution for model checking and testing. In TACAS, 2003. Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. A. S. Köksal, P. Suter, and V. Kuncak. Scala to the Power of Z3: Integrating SMT and Programming. In CADE, 2011.Google ScholarGoogle ScholarCross RefCross Ref
  35. K. R. M. Leino and F. Logozzo. Loop invariants on demand. In APLAS, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. P. Liang and M. Naik. Scaling abstraction refinement via pruning. In PLDI, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. P. Liang, O. Tripp, M. Naik, and M. Sagiv. A dynamic evaluation of the precision of static heap abstractions. In OOPSLA, 2010. Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. P. Liang, O. Tripp, and M. Naik. Learning minimal abstractions. In POPL, 2011. Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. R. Manevich, M. Sridharan, S. Adams, M. Das, and Z. Yang. PSE: explaining program failures via postmortem static analysis. In FSE, 2004. Google ScholarGoogle ScholarDigital LibraryDigital Library
  40. A. Milanova, A. Rountev, and B. G. Ryder. Parameterized object sensitivity for points-to analysis for Java. ACM Trans. Softw. Eng. Methodol., 14 (1), 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. J. C. Reynolds. Separation logic: A logic for shared mutable data structures. In LICS, 2002. Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. X. Rival. Understanding the origin of alarms in Astrée. In SAS, 2005. Google ScholarGoogle ScholarDigital LibraryDigital Library
  43. M. Sagiv, T. Reps, and R. Wilhelm. Solving shape-analysis problems in languages with destructive updating. ACM Trans. Program. Lang. Syst., 20 (1), 1998. Google ScholarGoogle ScholarDigital LibraryDigital Library
  44. M. Sridharan and R. Bodik. Refinement-based context-sensitive points-to analysis for Java. In PLDI, 2006. Google ScholarGoogle ScholarDigital LibraryDigital Library
  45. B. Woolf. Null object. In Pattern languages of program design 3. Addison-Wesley Longman Publishing Co., Inc., 1997. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Thresher: precise refutations for heap reachability

            Recommendations

            Comments

            Login options

            Check if you have access through your login credentials or your institution to get full access on this article.

            Sign in

            Full Access

            • Published in

              cover image ACM SIGPLAN Notices
              ACM SIGPLAN Notices  Volume 48, Issue 6
              PLDI '13
              June 2013
              515 pages
              ISSN:0362-1340
              EISSN:1558-1160
              DOI:10.1145/2499370
              Issue’s Table of Contents
              • cover image ACM Conferences
                PLDI '13: Proceedings of the 34th ACM SIGPLAN Conference on Programming Language Design and Implementation
                June 2013
                546 pages
                ISBN:9781450320146
                DOI:10.1145/2491956

              Copyright © 2013 ACM

              Publisher

              Association for Computing Machinery

              New York, NY, United States

              Publication History

              • Published: 16 June 2013

              Check for updates

              Qualifiers

              • research-article

            PDF Format

            View or Download as a PDF file.

            PDF

            eReader

            View online with eReader.

            eReader
            About Cookies On This Site

            We use cookies to ensure that we give you the best experience on our website.

            Learn more

            Got it!