Accurate Interprocedural Null-Dereference Analysis for Java

Nanda, Mangala Gowri; Sinha, Saurabh

doi:10.1109/icse.2009.5070515

“…contradict) the hypotheses. In contrast, previous approaches such as Xylem [15] and Salsa [13] are not able to take advantage of path-sensitive aliasing relationships as deeply as we do.…”

Section: Strong Updates In the Presence Of Aliasingcontrasting

confidence: 44%

“…Ours is a verification approach to efficiently find a superset of all potential null-dereference sites; this is in contrast with bug-finding approaches [11,15], that may miss bugs (and also report false positives). Our approach complements precise, expensive, and incomplete approaches such as Snugglebug [3] that attempt to find a concrete input to a program that disproves a desired safety property, in that these approaches could be used to try to validate our bug reports.…”

Section: Contributionsmentioning

confidence: 99%

“…Compared to previous related work on this topic, e.g., Xylem [15] and Salsa [13], our technical innovations are in terms of how we (a) perform strong updates (for precision) in the presence of aliasing, (b) handle recursion soundly in the backwards, demand-driven setting, and (c) enable more paths, and longer paths with deep call chains to be explored, by continually simplifying the formulas being propagated. Our formula simplification is based on dropping conjuncts that are less likely to eventually play a role in the validation or invalidation of the formula, and is with the intent of keeping formula sizes in check, which could otherwise explode with increasing path lengths.…”

Section: Contributionsmentioning

confidence: 99%

See 1 more Smart Citation

Null dereference verification via over-approximated weakest pre-conditions analysis

Madhavan

¹

,

KomondoorRaghavan

²

2011

View full text Add to dashboard Cite

Null dereferences are a bane of programming in languages such as Java. In this paper we propose a sound, demanddriven, inter-procedurally context-sensitive dataflow analysis technique to verify a given dereference as safe or potentially unsafe. Our analysis uses an abstract lattice of formulas to find a pre-condition at the entry of the program such that a null-dereference can occur only if the initial state of the program satisfies this pre-condition. We use a simplified domain of formulas, abstracting out integer arithmetic, as well as unbounded access paths due to recursive data structures. For the sake of precision we model aliasing relationships explicitly in our abstract lattice, enable strong updates, and use a limited notion of path sensitivity. For the sake of scalability we prune formulas continually as they get propagated, reducing to true conjuncts that are less likely to be useful in validating or invalidating the formula. We have implemented our approach, and present an evaluation of it on a set of ten real Java programs. Our results show that the set of design features we have incorporated enable the analysis to (a) explore long, inter-procedural paths to verify each dereference, with (b) reasonable accuracy, and (c) very quick response time per dereference, making it suitable for use in desktop development environments. Categories and Subject Descriptors D [2]: 4-Assertion checkers; F [3]: 1-Assertions, Mechanical verificationGeneral Terms Algorithms,Experimentation,Verification * Part of this work was done while the author was affiliated with Indian Institute of Science, Bangalore.Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

show abstract

“…The approaches of Xylem [15], Salsa [13] and Spoto [19] are the most closely related approaches to ours, in the sense that they target null-dereference analysis of real Java programs. We discuss these approaches in detail first, and later give an overview of other related techniques.…”

Section: Comparison With Related Workmentioning

confidence: 99%

Null dereference verification via over-approximated weakest pre-conditions analysis

Madhavan

¹

,

Komondoor

²

2011

Proceedings of the 2011 ACM International Conference on Object Oriented Programming Systems Languages and Applications

View full text Add to dashboard Cite

Null dereferences are a bane of programming in languages such as Java. In this paper we propose a sound, demanddriven, inter-procedurally context-sensitive dataflow analysis technique to verify a given dereference as safe or potentially unsafe. Our analysis uses an abstract lattice of formulas to find a pre-condition at the entry of the program such that a null-dereference can occur only if the initial state of the program satisfies this pre-condition. We use a simplified domain of formulas, abstracting out integer arithmetic, as well as unbounded access paths due to recursive data structures. For the sake of precision we model aliasing relationships explicitly in our abstract lattice, enable strong updates, and use a limited notion of path sensitivity. For the sake of scalability we prune formulas continually as they get propagated, reducing to true conjuncts that are less likely to be useful in validating or invalidating the formula. We have implemented our approach, and present an evaluation of it on a set of ten real Java programs. Our results show that the set of design features we have incorporated enable the analysis to (a) explore long, inter-procedural paths to verify each dereference, with (b) reasonable accuracy, and (c) very quick response time per dereference, making it suitable for use in desktop development environments. Categories and Subject Descriptors D [2]: 4-Assertion checkers; F [3]: 1-Assertions, Mechanical verificationGeneral Terms Algorithms,Experimentation,Verification * Part of this work was done while the author was affiliated with Indian Institute of Science, Bangalore.Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

show abstract

“…The burden of annotating code with qualifiers is a major obstacle to the adoption of qualifier systems. Realizing the burden of adding qualifiers, researchers have developed myriad qualifier inference tools [5], [9], [11]- [13], [18], [20], [21], [21]- [23], [26], [30], [34], [37], [38], [40]. These tools employ static analysis, dynamic analysis, or a combination of the two.…”

Section: Introductionmentioning

confidence: 99%

Cascade: A Universal Programmer-Assisted Type Qualifier Inference Tool

Vakilian¹,

Phaosawasdi²,

Ernst³

et al. 2015

2015 IEEE/ACM 37th IEEE International Conference on Software Engineering

View full text Add to dashboard Cite

Abstract-Type qualifier inference tools usually operate in batch mode and assume that the program must not be changed except to add the type qualifiers. In practice, programs must be changed to make them type-correct, and programmers must understand them. CASCADE is an interactive type qualifier inference tool that is easy to implement and universal (i.e., it can work for any type qualifier system for which a checker is implemented). It shows that qualifier inference can achieve better results by involving programmers rather than relying solely on automation.

show abstract

Accurate Interprocedural Null-Dereference Analysis for Java

Cited by 69 publications

References 14 publications

Null dereference verification via over-approximated weakest pre-conditions analysis

Null dereference verification via over-approximated weakest pre-conditions analysis

Null dereference verification via over-approximated weakest pre-conditions analysis

Cascade: A Universal Programmer-Assisted Type Qualifier Inference Tool

Contact Info

Product

Resources

About