Pinpoint: fast and precise sparse value flow analysis for million lines of code

ShiQingkai,; Xiaoxiao,; WuRongxin,; ZhouJinguo,; FanGang,; ZhangCharles,

doi:10.1145/3296979.3192418

Cited by 25 publications

(40 citation statements)

References 51 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Figure 3 shows a running example using the value-flow graph where we check the null-deference and the free-global-pointer bugs following the workflow illustrated in Figure 2. Given a program, we first follow the previous work [12,38,42] to build the value-flow graph in order to check the two properties with the precision of path-sensitivity. Here, path-sensitivity means that when searching paths on the value-flow graph, we invoke an SMT solver to solve path conditions and other property-specific constraints to prune infeasible paths.…”

Section: Mutual Synergymentioning

confidence: 99%

“…Second, despite many studies on value-flow analysis [12,30,38,41,42], we still have a lack of general and extensible specification models that can maximize the opportunities of sharing analysis results across the processes of checking different properties. Some of the existing studies only focus on checking a specific property (e.g., memory leak [42]), while others adopt different specifications to check the same value-flow property (e.g., double free [12,38]). Preliminaries.…”

Section: Value-flow Propertiesmentioning

confidence: 99%

“…Value-flow analysis [12,30,38,41], which tracks how values are stored and loaded in a program, underpins the inspection of a very broad category of software properties, such as memory safety (e.g., null dereference, double free, etc. ), resource usage (e.g., memory leak, file usage, etc.…”

Section: Introductionmentioning

confidence: 99%

“…For example, our evaluation shows that CSA cannot path-sensitively check twenty properties for many programs in ten hours. Pinpoint [38], another recent analyzer, exhausted 256GB of memory for only eight properties.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Conquering the extensional scalability problem for value-flow analysis frameworks

Shi

Fan

et al. 2020

Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering

Self Cite

View full text Add to dashboard Cite

Modern static analyzers often need to simultaneously check a few dozen or even hundreds of value-flow properties, causing serious scalability issues when high precision is required. A major factor to this deficiency, as we observe, is that the core static analysis engine is oblivious of the mutual synergy among the properties being checked, thus inevitably losing many optimization opportunities. Our work is to leverage the inter-property awareness and to capture redundancies and inconsistencies when many properties are considered at the same time. We have evaluated our approach by checking twenty value-flow properties in standard benchmark programs and ten real-world software systems. The results demonstrate that our approach is more than 8× faster than existing ones but consumes only 1/7 of the memory. Such substantial improvement in analysis efficiency is not achieved by sacrificing the effectiveness: at the time of writing, thirty-nine bugs found by our approach have been fixed by developers and four of them have been assigned CVE IDs due to their security impact. CCS CONCEPTS • Software and its engineering → Software verification and validation.

show abstract

Section: Mutual Synergymentioning

confidence: 99%

Section: Value-flow Propertiesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Conquering the extensional scalability problem for value-flow analysis frameworks

Shi

Fan

et al. 2020

Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering

Self Cite

View full text Add to dashboard Cite

show abstract

“…In verification and bug-finding, PTA is often used as a pre-analysis to limit the implicit dependencies between values stored in memory. This is typically followed by a deeper, more expensive, path-sensitive analysis (e.g., [1], [2], [3]). In both applications, the efficiency of PTA is crucial since it directly impacts compilation and verification times, while precision of the analysis determines its usability.…”

Section: Introductionmentioning

confidence: 99%

Unification-based Pointer Analysis without Oversharing

Kuderski

Navas

Gurfinkel

2019

2019 Formal Methods in Computer Aided Design (FMCAD)

View full text Add to dashboard Cite

Pointer analysis is indispensable for effectively verifying heap-manipulating programs. Even though it has been studied extensively, there are no publicly available pointer analyses that are moderately precise while scalable to large real-world programs. In this paper, we show that existing context-sensitive unification-based pointer analyses suffer from the problem of oversharing -propagating too many abstract objects across the analysis of different procedures, which prevents them from scaling to large programs. We present a new pointer analysis for LLVM, called TEADSA, without such an oversharing. We show how to further improve precision and speed of TEADSA with extra contextual information, such as flow-sensitivity at calland return-sites, and type information about memory accesses. We evaluate TEADSA on the verification problem of detecting unsafe memory accesses and compare it against two state-ofthe-art pointer analyses: SVF and SEADSA. We show that TEADSA is one order of magnitude faster than either SVF or SEADSA, strictly more precise than SEADSA, and, surprisingly, sometimes more precise than SVF.

show abstract

Per-Dereference Verification of Temporal Heap Safety via Adaptive Context-Sensitive Analysis

et al. 2019

View full text Add to dashboard Cite

We address the problem of verifying the temporal safety of heap memory at each pointer dereference. Unlike separation-logic-based approaches, our whole-program analysis approach is undertaken from the perspective of pointer analysis, allowing us to leverage the advantages of and advances in pointer analysis to improve precision and scalability. A dereference ω, say, via pointer q is unsafe iff there exists a deallocation ψ, say, via pointer p such that on a control-flow path ρ, p aliases with q (with both pointing to an object o representing an allocation), denoted A ψ ω (ρ), and ψ reaches ω on ρ via control flow, denoted R ψ ω (ρ). Applying directly any existing pointer analysis, which is typically solved separately with an associated control-flow reachability analysis, will render such verification highly imprecise, since ∃ρ.Ae., ∃ does not distribute over ∧). For precision, we solve ∃ρ.A ψ ω (ρ) ∧ R ψ ω (ρ), with a control-flow path ρ containing an allocation o, a deallocation ψ and a dereference ω abstracted by a tuple of three contexts (c o , c ψ , c ω ). For scalability, a demand-driven full context-sensitive (modulo recursion) pointer analysis, which operates on pre-computed def-use chains with adaptive context-sensitivity, is used to infer (c o , c ψ , c ω ), without losing soundness or precision. Our evaluation shows that our approach can successfully verify the safety of 81.3% (or 93,141 114,508 ) of all the dereferences in a set of 10 C programs totalling 1,166 KLOC.

show abstract

Pinpoint: fast and precise sparse value flow analysis for million lines of code

Cited by 25 publications

References 51 publications

Conquering the extensional scalability problem for value-flow analysis frameworks

Conquering the extensional scalability problem for value-flow analysis frameworks

Unification-based Pointer Analysis without Oversharing

Per-Dereference Verification of Temporal Heap Safety via Adaptive Context-Sensitive Analysis

Contact Info

Product

Resources

About