Practical memory leak detector based on parameterized procedural summaries

We present a static analyzer that detects memory leaks in C pro-grams. It achieves relatively high accuracy at a relatively low cost on SPEC2000 benchmarks and several open-source software pack-ages, demonstrating its practicality and competitive edge against other reported analyzers: for a set of benchmarks totaling 1,777 KLOCs, it found 332 bugs with 47 additional false positives (a 12.4 % false-positive ratio), and the average analysis speed was 720 LOC/sec. We separately analyze each procedure’s memory behavior into a summary that is used in analyzing its call sites. Each procedural summary is parameterized by the procedure’s call context so that it can be instantiated at different call sites. What information to cap-ture in each procedural summary has been carefully tuned so that the summary should not lose any common memory-leak-related be-haviors in real-world C programs. Because each procedure is summarized by conventional fixpoint iteration over the abstract semantics (à la abstract interpretation), the analyzer naturally handles arbitrary call cycles from direct or indirect recursive calls

Efficient and linear static approach for finding the memory leak in C

Code analysis has discovered that memory leaks are common in the C programming language. In the literature, there exist various approaches for statically analyzing and detecting memory leaks. The complexity and diversity of memory leaks make it difficult to find an approach that is both effective and simple. In embedded systems, costly resources like memory become limited as the system’s size diminishes. As a result, memory must be handled effectively and efficiently too. To obtain precise analysis, we propose a novel approach that works in a phase-wise manner. Instead of examining all possible paths for finding memory leaks, we use a program slicing to check for a potential memory leak. We introduce a source-sink flow graph (SSFG) based on source-sink properties of memory allocation-deallocation within the C code. To achieve simplicity in analysis, we also reduce the complexity of analysis in linear time. In addition, we utilize a constraint solver to improve the effectiveness of our approach. To evaluate the approach, we perform manual scanning on various test cases: link list applications, Juliet test cases, and common vulnerabilities and exposures found in 2021. The results show the efficiency of the proposed approach by preparing the SSFG with linear complexity

Empirical study of inter-procedural data flow (IDF) patterns for memory leak analysis in Linux

Analysis of inter-procedural data flow (IDF) is a commonly encountered challenge for verifying safety and security properties of large software. In order to address this challenge, a pragmatic approach is to identify IDF patterns that are known to occur in practice, and develop algorithms to detect and handle those patterns correctly. We perform an empirical study to gather the IDF patterns in Linux, which is essential to support such a pragmatic approach. In our study, we first analyzed the Linux code to study how reference to dynamically allocated memory in a function flows out of the function. We analyzed instances of memory allocation and identified 6 IDF patterns. Second, we mined and analyzed memory leak bug fixes from the Linux git repository. Third, we surveyed the literature for static analysis tools that can detect memory leaks. Based on these studies, we found that the set of IDF patterns associated with the memory leak bug fixes in Linux and those that can be detected by the current static analysis tools is a subset of the 6 IDF patterns we identified

Evidence-enabled verification for the Linux kernel

Formal verification of large software has been an elusive target, riddled with problems of low accuracy and high computational complexity. With growing dependence on software in embedded and cyber-physical systems where vulnerabilities and malware can lead to disasters, an efficient and accurate verification has become a crucial need. The verification should be rigorous, computationally efficient, and automated enough to keep the human effort within reasonable limits, but it does not have to be completely automated. The automation should actually enable and simplify human cross-checking which is especially important when the stakes are high. Unfortunately, formal verification methods work mostly as automated black boxes with very little support for cross-checking. This thesis is about a different way to approach the software verification problem. It is about creating a powerful fusion of automation and human intelligence by incorporating algorithmic innovations to address the major challenges to advance the state of the art for accurate and scalable software verification where complete automation has remained intractable. The key is a mathematically rigorous notion of verification-critical evidence that the machine abstracts from software to empower human to reason with. The algorithmic innovation is to discover the patterns the developers have applied to manage complexity and leverage them. A pattern-based verification is crucial because the problem is intractable otherwise. We call the overall approach Evidence-Enabled Verification (EEV). This thesis presents the EEV with two challenging applications: (1) EEV for Lock/Unlock Pairing to verify the correct pairing of mutex lock and spin lock with their corresponding unlocks on all feasible execution paths, and (2) EEV for Allocation/Deallocation Pairing to verify the correct pairing of memory allocation with its corresponding deallocations on all feasible execution paths. We applied the EEV approach to verify recent versions of the Linux kernel. The results include a comparison with the state-of-the-art Linux Driver Verification (LDV) tool, effectiveness of the proposed visual models as verification-critical evidence, representative examples of verification, the discovered bugs, and limitations of the proposed approach

Selectively Sensitive Static Analysis by Impact Pre-analysis and Machine Learning

학위논문 (박사)-- 서울대학교 대학원 공과대학 전기·컴퓨터공학부, 2017. 8. 이광근.이 학위 논문에서는 정적 분석 성능을 결정짓는 세 가지 축인 안전성 (soundness), 정확도 (precision), 확장성 (scalability) 을 최대한 달성할 수 있는 방법을 제시한다. 정적 분석에는 여러가지 정확도 상승 기법들이 있지만, 무턱대고 적용할 시에는 분 석이 심각하게 느려지거나 실제 실행 의미를 지나치게 많이 놓치는 문제가 있다. 이 논문의 핵심은, 이렇게 정확하지만 비용이 큰 분석 기법이 꼭 필요한 곳만을 선별해 내는 기술이다. 먼저, 정확도 상승 기법이 꼭 필요한 부분을 예측하는 또 다른 정적 분석인 예비 분석을 제시한다. 본 분석은 이 예비 분석의 결과를 바탕으로 정확도 상 승 기법을 선별적으로 적용함으로서 효율적으로 분석을 할 수 있다. 또한, 기계학습 을 이용하여 과거 분석 결과를 학습함으로써 더욱 효율적으로 선별할수 있는 기법을 제시한다. 학습에 쓰이는 데이터는 앞서 제시한 예비 분석과 본 분석을 여러 학습 프 로그램에 미리 적용한 결과로부터 자동으로 얻어 낸다. 여기서 제시한 방법들은 실제 C 소스 코드 분석기에 적용하여 그 효과를 실험적으로 입증했다.1. Introduction 1 1.1 Goal 1 1.2 Solution 2 1.3 Outline 4 2. Preliminaries 5 2.1 Program 5 2.2 Collecting Semantics 6 2.3 Abstract Semantics 6 3 Selectively X-sensitive Analysis by Impact Pre-Analysis 9 3.1 Introduction 9 3.2 Informal Description 11 3.3 ProgramRepresentation 17 3.4 Selective Context-Sensitive Analysis with Context-Sensitivity Parameter K 18 3.5 Impact Pre-Analysis for Finding K 22 3.5.1 Designing an Impact Pre-Analysis 22 3.5.2 Use of the Pre-Analysis Results 28 3.6 Application to Selective Relational Analysis 35 3.7 Experiments 40 3.8 Summary 42 4 Selectively X-sensitive analysis by learning data generated by impact pre-analysis 47 4.1 Introduction 47 4.2 Informal Explanation 50 4.2.1 Octagon Analysis with Variable Clustering 50 4.2.2 Automatic Learning of a Variable-Clustering Strategy 52 4.3 Octagon Analysis with Variable Clustering 56 4.3.1 Programs 56 4.3.2 Octagon Analysis 56 4.3.3 Variable Clustering and Partial Octagon Analysis 58 4.4 Learning a Strategy for Clustering Variables 59 4.4.1 Automatic Generation of Labeled Data 60 4.4.2 Features and Classier 63 4.4.3 Strategy for Clustering Variables 64 4.5 Experiments 66 4.5.1 Effectiveness 67 4.5.2 Generalization 68 4.5.3 Feature Design 69 4.5.4 Choice of an Off-the-shelf Classification Algorithm 70 4.6 Summary 70 5 Selectively Unsound Analysis by Machine Learning 75 5.1 Introduction 75 5.2 Overview 78 5.2.1 Uniformly Unsound Analysis 78 5.2.2 Uniformly Sound Analysis 79 5.2.3 Selectively Unsound Analysis 80 5.2.4 Our Learning Approach 80 5.3 Our Technique 81 5.3.1 Parameterized Static Analysis 82 5.3.2 Learning a Classifier 83 5.4 Instance Analyses 87 5.4.1 A Generic, Selectively Unsound Static Analysis 87 5.4.2 Instantiation 1: Interval Analysis 91 5.4.3 Instantiation 2: TaintAnalysis 91 5.5 Experiments 92 5.5.1 Setting 92 5.5.2 Effectiveness of Our Approach 93 5.5.3 Efficacy of OC-SVM 96 5.5.4 Feature Design 97 5.5.5 Time Cost 98 5.5.6 Discussion 98 5.6 Summary 100 6 Related Work 106 6.1 Parametric Static Analysis 106 6.2 Goal-directed Static Analysis 107 6.3 Data-driven Static Analysis 108 6.4 Context-sensitivity and Relational Analysis 108 6.5 Unsoundness in Static Analysis 110 7 Conclusion 112Docto