Accelerating Dynamic Detection of Uses of Undefined Values with Static Value-Flow Analysis

Ye, Ding; Sui, Yulei; Xue, Jingling

doi:10.1145/2544137.2544154

Cited by 13 publications

(6 citation statements)

References 40 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…By explicitly modelling the definition-use relations among program variables, valueflow analysis enables or enhances a series of crucial tasks, including compiler optimization [7,67], pointer analysis [40,51,62,69,70,73,74], bug detection [14,71], software debugging [80,82], and validation and verification [19,21]. In recent years, for example, the potential for value-flow analysis has been widely explored in detecting a variety of critical bugs, including memory leaks [14,71], uses of uninitialized variables [46,91], use-after-free errors [61,90], and information leaks [5,26]. While many existing approaches track the flow of values iteratively at each program point along the control-flow [6,57,63,64], VFIX uses a fully-sparse value-flow analysis for both variables and fields.…”

Section: B Value-flow Analysismentioning

confidence: 99%

VFix: Value-Flow-Guided Precise Program Repair for Null Pointer Dereferences

Sui

Yan

et al. 2019

2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)

Self Cite

View full text Add to dashboard Cite

Automated Program Repair (APR) faces a key challenge in efficiently generating correct patches from a potentially infinite solution space. Existing approaches, which attempt to reason about the entire solution space, can be ineffective (by often producing no plausible patches at all) and imprecise (by often producing plausible but incorrect patches).We present VFIX, a new value-flow-guided APR approach, to fix null pointer exception (NPE) bugs by considering a substantially reduced solution space in order to greatly increase the number of correct patches generated. By reasoning about the data and control dependences in the program, VFIX can identify bug-relevant repair statements more accurately and generate more correct repairs than before. VFIX outperforms a set of 8 state-of-the-art APR tools in fixing the NPE bugs in Defects4j in terms of both precision (by correctly fixing 3 times as many bugs as the most precise one and 50% more than all the bugs correctly fixed by these 8 tools altogether) and efficiency (by producing a correct patch in minutes instead of hours).

show abstract

Section: B Value-flow Analysismentioning

confidence: 99%

VFix: Value-Flow-Guided Precise Program Repair for Null Pointer Dereferences

Sui

Yan

et al. 2019

2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Dependence analyses are the cornerstones of many optimizations/analyses in compilers. For instance, dependences are used for Taint Analysis [10,11,12] to determine how program inputs may affect the program execution and exploit security vulnerabilities, Information Flow Tracking [13,14,15,16] to prevent confidential information from leaking, static Bug Detection [17,18] or code optimization and parallelization (e.g. the polyhedral model [19]).…”

Section: Dependence Analyses Techniquesmentioning

confidence: 99%

Multi-valued Expression Analysis for Collective Checking

Huchant

Saillard²,

Barthou

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Determining if a parallel program behaves as expected on any execution is challenging due to non-deterministic executions. Static analyses help to detect all execution paths that can be executed concurrently by identifying multi-valued expressions, i.e. expressions evaluated differently among processes. This can be used to find collective errors in parallel programs. In this paper, we propose a new method that combines a control-flow analysis with a multi-valued expressions detection to find such errors. We implemented our method in the PARCOACH framework and successfully analyzed parallel applications using MPI, OpenMP, UPC and CUDA.

show abstract

“…Pointer Analysis Substantial progress has been made for whole-program [35,26,49] and demand-driven [23,48,52] pointer analyses, with flow-sensitivity [22,34], call-sitesensitivity [42,60], object-sensitivity [39,55] and type-sensitivity [47,28]). These recent advances in both precision and scalability have resulted in their widespread adoption in detecting memory bugs [3,21], such as memory leaks [13,53], null dereferences [38,36], uninitialized variables [59,37] and buffer overflows [33,14], and typestate verification [20,16]. Recent pointer-analysis-based tools [46,56] can detect TH-safety violations with low false-positive rates, but at the expense of missing true bugs.…”

Section: Related Workmentioning

confidence: 99%

“…Memory errors can also be found by other techniques, such as data-flow analysis [43,18] and model checking [27,29,40]. Notably, pointer analysis [28,47,61,48,50] has recently made significant strides, providing a solid foundation for developing many pointer-analysis-based static analyses for detecting memory errors [13,33,46,56,59]. In this paper, we present a fully-automated pointer-analysis-based approach, called D 3 (a Disprover of Dangling pointer Dereferences), to verifying absence of (i.e., disproving presence of) dangling pointers on a per dereference basis.…”

Section: Introductionmentioning

confidence: 99%

Per-Dereference Verification of Temporal Heap Safety via Adaptive Context-Sensitive Analysis

et al. 2019

Self Cite

View full text Add to dashboard Cite

We address the problem of verifying the temporal safety of heap memory at each pointer dereference. Unlike separation-logic-based approaches, our whole-program analysis approach is undertaken from the perspective of pointer analysis, allowing us to leverage the advantages of and advances in pointer analysis to improve precision and scalability. A dereference ω, say, via pointer q is unsafe iff there exists a deallocation ψ, say, via pointer p such that on a control-flow path ρ, p aliases with q (with both pointing to an object o representing an allocation), denoted A ψ ω (ρ), and ψ reaches ω on ρ via control flow, denoted R ψ ω (ρ). Applying directly any existing pointer analysis, which is typically solved separately with an associated control-flow reachability analysis, will render such verification highly imprecise, since ∃ρ.Ae., ∃ does not distribute over ∧). For precision, we solve ∃ρ.A ψ ω (ρ) ∧ R ψ ω (ρ), with a control-flow path ρ containing an allocation o, a deallocation ψ and a dereference ω abstracted by a tuple of three contexts (c o , c ψ , c ω ). For scalability, a demand-driven full context-sensitive (modulo recursion) pointer analysis, which operates on pre-computed def-use chains with adaptive context-sensitivity, is used to infer (c o , c ψ , c ω ), without losing soundness or precision. Our evaluation shows that our approach can successfully verify the safety of 81.3% (or 93,141 114,508 ) of all the dereferences in a set of 10 C programs totalling 1,166 KLOC.

show abstract

Accelerating Dynamic Detection of Uses of Undefined Values with Static Value-Flow Analysis

Cited by 13 publications

References 40 publications

VFix: Value-Flow-Guided Precise Program Repair for Null Pointer Dereferences

VFix: Value-Flow-Guided Precise Program Repair for Null Pointer Dereferences

Multi-valued Expression Analysis for Collective Checking

Per-Dereference Verification of Temporal Heap Safety via Adaptive Context-Sensitive Analysis

Contact Info

Product

Resources

About