Value-Flow-Based Demand-Driven Pointer Analysis for C and C++

Sui, Yulei; Xue, Jingling

doi:10.1109/tse.2018.2869336

Cited by 29 publications

(15 citation statements)

References 70 publications

(129 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…After performing the RBC search algorithm provided in Section III on the constructed directed bipartite network, we obtained the numbers and the proportions for RBCs shown in Table IV. The number of hybrid nodes (i.e., a commit is both and memory-related bugs (e.g., null pointer dereference: bug ID-14030, memory leak: bug ID-13518), it is useful to apply some static code analysis tools for detecting these types of bugs [27]- [29].…”

Section: Discussionmentioning

confidence: 99%

An Empirical Study of Regression Bug Chains in Linux

et al. 2020

Self Cite

View full text Add to dashboard Cite

show abstract

Section: Discussionmentioning

confidence: 99%

An Empirical Study of Regression Bug Chains in Linux

et al. 2020

Self Cite

View full text Add to dashboard Cite

show abstract

“…A recent analysis [96] has leveraged the idea of sparsity to refine the flow-insensitive results into a path-sensitive one on demand. It first constructs the flow-insensitive def-use chains with a pre-analysis, which then enable the primary path-sensitive analysis to be performed sparsely [84,86,96]. For instance, as shown in Fig.…”

Section: Overviewmentioning

confidence: 99%

“…-In building value-flow graphs, Falcon outperforms Svf [85], Sfs [36], and Dsa [47], achieving on average 17×, 25×, and 4.4× speedups, respectively. -Compared with Supa [84,86], the state-of-the-art demand-driven flow-and context-sensitive pointer analysis for C/C++, Falcon is 54× in answering thin slicing queries, and it improves the precision by 1.6×. -In comparison with Cred [96], a state-of-the-art path-sensitive value flow analysis for bug hunting, Falcon is on average 6× faster, and finds more real bugs (21 vs. 12) with a lower false-positive rate (25% vs. 47.8%).…”

Section: Introductionmentioning

confidence: 99%

Efficient Path-Sensitive Data-Dependence Analysis

Yao¹,

Zhou²,

Xiao³

et al. 2021

Preprint

View full text Add to dashboard Cite

This paper presents a scalable path-and context-sensitive data-dependence analysis. The key is to address the aliasingpath-explosion problem via a sparse, demand-driven, and fused approach that piggybacks the computation of pointer information with the resolution of data dependence. Specifically, our approach decomposes the computational efforts of disjunctive reasoning into 1) a context-and semi-pathsensitive analysis that concisely summarizes data dependence as the symbolic and storeless value-flow graphs, and 2) a demand-driven phase that resolves transitive data dependence over the graphs. We have applied the approach to two clients, namely thin slicing and value flow analysis. Using a suite of 16 programs ranging from 13 KLoC to 8 MLoC, we compare our techniques against a diverse group of state-of-the-art analyses, illustrating significant precision and scalability advantages of our approach.CCS Concepts: • Theory of computation → Program analysis.

show abstract

“…Flow-sensitive analysis [7]- [10] considers the order in which statements are executed. Traditional data flow analysis is flow-sensitive, whereas flow-insensitive analysis appears mainly in points-to analysis [11], [12].…”

Section: B Data Flow Analysismentioning

confidence: 99%

Memory Leak Detection in IoT Program Based on an Abstract Memory Model SeqMM

et al. 2019

View full text Add to dashboard Cite

With the rapid growth of the Internet-of-Things (IoT), security issues for the IoT are becoming increasingly serious. Memory leaks are a common and harmful software defect for IoT programs running on resource-limited devices. Static analysis is an effective method for memory leak detection, however, because the existing methods cannot fully describe the memory state of IoT programs at run time, false positives and false negatives frequently occur. To improve the precision of memory leak detection, we propose an abstract memory model SeqMM to describe sequential storage structures. SeqMM differs from other abstract memory models in its ability to handle both points-to analysis and numerical analysis of pointers, which contributes to eliminating false positives in defect detection. In addition, based on the analysis of the sequential storage structure, we introduce the analysis of its operations in C programs, including transfer operations and predicate operations. Moreover, we present a memory leak detection algorithm by determining the state of the program points related to allocated memory blocks. The experimental results of five real projects indicate that the false positive rates of DTSC_SeqMM, Klocwork12 and DTSC_RSTVL are 29.0%, 15.0% and 40.6% respectively, and the corresponding false negative rates are 0%, 22.7% and 13.6%. INDEX TERMS Memory leak, sequential storage structure, abstract memory model, data flow analysis.

show abstract

Value-Flow-Based Demand-Driven Pointer Analysis for C and C++

Cited by 29 publications

References 70 publications

An Empirical Study of Regression Bug Chains in Linux

An Empirical Study of Regression Bug Chains in Linux

Efficient Path-Sensitive Data-Dependence Analysis

Memory Leak Detection in IoT Program Based on an Abstract Memory Model SeqMM

Contact Info

Product

Resources

About