DOI: 10.1145/2001420.2001459
research-article

Generating analyses for detecting faults in path segments

Published: 17 July 2011

ABSTRACT

Although static bug detectors are extensively applied, there is a cost in using them. One challenge is that static analysis often reports a large number of false positives but little diagnostic information. Also, individual bug detectors need to be built in response to new types of faults, and tuning a static tool for precision and scalability is time-consuming. This paper presents a novel framework that automatically generates scalable, interprocedural, path-sensitive analyses to detect user-specified faults. The framework consists of a specification technique that expresses faults and the information needed for their detection, a scalable, path-sensitive algorithm, and a generator that unifies the two. The analysis produced identifies not only faults but also the path segments where the root causes of a fault are located. The framework is general enough to cover both data- and control-centric faults. We implemented our framework and generated fault detectors for identifying buffer overflows, integer violations, null-pointer dereferences and memory leaks. We experimentally demonstrate that the generated analyses scale to large deployed software, and that their detection capability is comparable to tools that target a specific type of fault. In our experiments, we identify a total of 146 faults of the four types. While the length of path segments for the majority of faults is 1-4 procedures, we are able to detect faults deeply embedded in the code across 35 procedures.

Published in: ISSTA '11: Proceedings of the 2011 International Symposium on Software Testing and Analysis, July 2011, 394 pages

ISBN: 9781450305624
DOI: 10.1145/2001420

Copyright © 2011 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Overall Acceptance Rate: 58 of 213 submissions, 27%
