Abstract
We present a precise, path-sensitive static analysis for reasoning about heap reachability, that is, whether an object can be reached from another variable or object via pointer dereferences. Precise reachability information is useful for a number of clients, including static detection of a class of Android memory leaks. For this client, we found the heap reachability information computed by a state-of-the-art points-to analysis was too imprecise, leading to numerous false-positive leak reports. Our analysis combines a symbolic execution capable of path-sensitivity and strong updates with abstract heap information computed by an initial flow-insensitive points-to analysis. This novel mixed representation allows us to achieve both precision and scalability by leveraging the pre-computed points-to facts to guide execution and prune infeasible paths. We have evaluated our techniques in the Thresher tool, which we used to find several developer-confirmed leaks in Android applications.
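The abstract describes a two-stage design: a flow-insensitive points-to analysis that over-approximates what a static field may reach (and therefore reports leaks that cannot happen), followed by a path-sensitive symbolic execution with strong updates that uses the points-to facts to prune paths and refute the report. The following Python sketch is an added illustration of that idea and is not Thresher's code (Thresher is built on WALA for Java/Android bytecode). It assumes a toy three-address IR (`new`, `copy`, `assume` statements over named blocks), a constructed Android-style program in which a static field `cache` is claimed to reach an `Activity`, path conditions represented as a dict of boolean guards in place of an SMT solver, method parameters modeled as allocations in the entry block, and every other variable starting out null. All names and the two example programs are constructed for this example.

```python
"""Added illustration (not Thresher's code): a flow-insensitive points-to analysis
reports that a static field may reach an Activity, and a backward, path-sensitive
symbolic execution guided by those points-to facts refutes the report.

Toy program model (constructed for this example):
  ("new", x, site)       x = new <site>()   -- parameters are modeled as allocations
                                              in the entry block
  ("copy", x, y)         x = y              -- a static field is just a variable
  ("assume", v, bool)    the branch condition that leads into this block
Path conditions are a dict var -> bool; a conflict means the path is infeasible
(a stand-in for the SMT solver a real implementation would use).
"""
from collections import defaultdict

# static Object cache;
# void onCreate(Activity a, boolean persist) {
#   Helper h = new Helper();
#   Object o;
#   if (persist) o = new Helper();   // B1
#   else         o = a;              // B2   (o aliases the Activity)
#   if (persist) cache = o;          // B3   (only ever stores the Helper)
#   else         cache = h;          // B3f
# }
PROGRAM = {
    "entry": [("new", "a", "Activity"), ("new", "h", "Helper")],
    "B1": [("assume", "persist", True), ("new", "o", "Helper")],
    "B2": [("assume", "persist", False), ("copy", "o", "a")],
    "B3": [("assume", "persist", True), ("copy", "cache", "o")],
    "B3f": [("assume", "persist", False), ("copy", "cache", "h")],
    "exit": [],
}
PREDS = {"entry": [], "B1": ["entry"], "B2": ["entry"],
         "B3": ["B1", "B2"], "B3f": ["B1", "B2"], "exit": ["B3", "B3f"]}

# Same program with the second branch inverted: now `cache = o` runs exactly when
# o aliases the Activity, so the leak is real and must not be refuted.
LEAKY = dict(PROGRAM,
             B3=[("assume", "persist", False), ("copy", "cache", "o")],
             B3f=[("assume", "persist", True), ("copy", "cache", "h")])


def andersen(program):
    """Andersen-style points-to: flow-insensitive, ignores guards, no strong updates."""
    pts = defaultdict(set)
    stmts = [s for block in program.values() for s in block]
    changed = True
    while changed:
        changed = False
        for s in stmts:
            if s[0] == "new" and s[2] not in pts[s[1]]:
                pts[s[1]].add(s[2]); changed = True
            elif s[0] == "copy" and not pts[s[2]] <= pts[s[1]]:
                pts[s[1]] |= pts[s[2]]; changed = True
    return pts


def refute(program, preds, exit_node, var, site, max_paths=10_000):
    """Backward symbolic execution of the query '<var> points to an object
    allocated at <site>' at the end of exit_node.  Returns (refuted, log) where
    log records how each explored path ended.  Refuted iff no path yields a
    witness and exploration finished."""
    pts = andersen(program)
    work = [(exit_node, len(program[exit_node]), var, {})]  # (block, idx, query var, path cond)
    log, witnessed = [], False
    while work and len(log) < max_paths:
        node, idx, qvar, pc = work.pop()
        outcome = None
        while idx > 0 and outcome is None:
            idx -= 1
            kind, x, y = program[node][idx]
            if kind == "assume":
                if pc.get(x, y) != y:            # same guard taken both ways
                    outcome = "infeasible path: %s is both %s and %s" % (x, pc[x], y)
                else:
                    pc = {**pc, x: y}
            elif kind == "new" and x == qvar:     # strong update: qvar now holds exactly y
                outcome = "witness" if y == site else "strong update: %s = new %s" % (x, y)
            elif kind == "copy" and x == qvar:
                if site not in pts[y]:            # points-to fact prunes the path early
                    outcome = "points-to prune: %s can never hold %s" % (y, site)
                else:
                    qvar = y                      # follow the flow backwards
        if outcome is None:
            if preds[node]:
                work.extend((p, len(program[p]), qvar, pc) for p in preds[node])
                continue
            outcome = "null at entry: %s is never assigned on this path" % qvar
        log.append((outcome, pc))
        witnessed |= outcome == "witness"
    return (not witnessed and not work), log


if __name__ == "__main__":
    print("points-to says cache may hold:", sorted(andersen(PROGRAM)["cache"]))
    for name, prog in (("PROGRAM", PROGRAM), ("LEAKY", LEAKY)):
        refuted, log = refute(prog, PREDS, "exit", "cache", "Activity")
        print(name, "refuted" if refuted else "NOT refuted")
        for outcome, pc in log:
            print("   ", outcome, pc)
```

Running it shows the three ways a path dies in `PROGRAM`: the `cache = h` branch is killed immediately because the points-to set of `h` excludes the Activity (no further exploration needed), the `o = a` branch is killed because it requires `persist` to be both false and true, and the `o = new Helper()` branch is killed by a strong update that the flow-insensitive analysis cannot express. With every path refuted the points-to report is a false positive. In `LEAKY` the same search reaches the allocation of `a` along a feasible path and returns a witness instead, so a real leak is still reported.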
Thresher: precise refutations for heap reachability
Published in PLDI '13: Proceedings of the 34th ACM SIGPLAN Conference on Programming Language Design and Implementation.