Heap Abstractions for Static Analysis

Heap data is potentially unbounded and seemingly arbitrary. As a consequence, unlike stack and static memory, heap memory cannot be abstracted directly in terms of a fixed set of source variable names appearing in the program being analysed. This makes it an interesting topic of study and there is an abundance of literature employing heap abstractions. Although most studies have addressed similar concerns, their formulations and formalisms often seem dissimilar and some times even unrelated. Thus, the insights gained in one description of heap abstraction may not directly carry over to some other description. This survey is a result of our quest for a unifying theme in the existing descriptions of heap abstractions. In particular, our interest lies in the abstractions and not in the algorithms that construct them. In our search of a unified theme, we view a heap abstraction as consisting of two features: a heap model to represent the heap memory and a summarization technique for bounding the heap representation. We classify the models as storeless, store based, and hybrid. We describe various summarization techniques based on k-limiting, allocation sites, patterns, variables, other generic instrumentation predicates, and higher-order logics. This approach allows us to compare the insights of a large number of seemingly dissimilar heap abstractions and also paves way for creating new abstractions by mix-and-match of models and summarization techniques.Comment: 49 pages, 20 figure

Infrared: A Meta Bug Detector

The recent breakthroughs in deep learning methods have sparked a wave of interest in learning-based bug detectors. Compared to the traditional static analysis tools, these bug detectors are directly learned from data, thus, easier to create. On the other hand, they are difficult to train, requiring a large amount of data which is not readily available. In this paper, we propose a new approach, called meta bug detection, which offers three crucial advantages over existing learning-based bug detectors: bug-type generic (i.e., capable of catching the types of bugs that are totally unobserved during training), self-explainable (i.e., capable of explaining its own prediction without any external interpretability methods) and sample efficient (i.e., requiring substantially less training data than standard bug detectors). Our extensive evaluation shows our meta bug detector (MBD) is effective in catching a variety of bugs including null pointer dereference, array index out-of-bound, file handle leak, and even data races in concurrent programs; in the process MBD also significantly outperforms several noteworthy baselines including Facebook Infer, a prominent static analysis tool, and FICS, the latest anomaly detection method

Automatically Finding Bugs in Open Source Programs

We consider properties desirable for static analysis tools targeted at finding bugs in the real open source code, and review tools based on various approaches to defect detection. A static analysis tool is described, that includes a framework for flow-sensitive interprocedural dataflow analysis and scales to analysis of large programs. The framework enables implementation of multiple checkers searching for specific bugs, such as null pointer dereference and buffer overflow, abstracting from the checkers details such as alias analysis

Dynamic Analysis Techniques for Effective and Efficient Debugging

Debugging is a tedious and time-consuming process for software developers. Therefore, providing effective and efficient debugging tools is essential for improving programmer productivity. Existing tools for debugging suffer from various drawbacks -- general-purpose debuggers provide little guidance for the programmers in locating the bug source while specialized debuggers require knowledge of the type of bug encountered. This dissertation makes several advances in debugging leading to effective, efficient, and extensible framework for interactive debugging of singlethreaded programs and deterministic debugging of multithreaded programs.This dissertation presents the Qzdb debugger for singlethreaded programs that raises the abstraction level of debugging by introducing high-level and powerful state alteration and state inspection capabilities. Case studies on 5 real reported bugs in 5 popular real programs demonstrate its effectiveness. To support integration of specialized debugging algorithms into Qzdb, anew approach for constructing debuggers is developed that employs declarative specification of bug conditions and their root causes, and automatic generation of debugger code. Experiments show that about 3,300 lines of C code are generated automatically from only 8 lines of specification for 6 memory bugs. Thanks to the effective generated bug locators, for the 8 real-worlds bugs we have applied our approach to, users have to examine just 1 to 16 instructions. To reduce the runtime overhead of dynamic analysis used during debugging, relevant input analysis is developed and employed to carry out input simplification and execution simplification which reduce the length of analyzed execution by reducing the input size and limiting the analysis to subset of the execution. Experiments show that relevant input analysis based input simplification algorithm is both efficient and effective -- it only requires 11% to 21% test runs of that needed by standard delta debugging algorithm and generates even smaller inputs.Finally, to demonstrate that the above approach can also be used for debugging multithreaded programs, this dissertation presents DrDebug, a deterministic and cyclic debugging framework. DrDebug allows efficient debugging by tailoring the scope of replay to a buggy execution region and an execution slice of a buggy region. Case studies of real reported concurrency bugs show that the buggy execution region size is less than 1 million instructions and the lengths of buggy execution region and execution slice are less than 15% and 7% of the total execution respectively

Finding Software Vulnerabilities in Open-Source C Projects via Bounded Model Checking

Computer-based systems have solved several domain problems, including industrial, military, education, and wearable. Nevertheless, such arrangements need high-quality software to guarantee security and safety as both are mandatory for modern software products. We advocate that bounded model-checking techniques can efficiently detect vulnerabilities in general software systems. However, such an approach struggles to scale up and verify extensive code bases. Consequently, we have developed and evaluated a methodology to verify large software systems using a state-of-the-art bounded model checker. In particular, we pre-process input source-code files and guide the respective model checker to explore them systematically. Moreover, the proposed scheme includes a function-wise prioritization strategy, which readily provides results for code entities according to a scale of importance. Experimental results using a real implementation of the proposed methodology show that it can efficiently verify large software systems. Besides, it presented low peak memory allocation when executed. We have evaluated our approach by verifying twelve popular open-source C projects, where we have found real software vulnerabilities that their developers confirmed.Comment: 27 pages, submitted to STTT journa

08161 Abstracts Collection -- Scalable Program Analysis

From April 13 to April 18, 2008, the Dagstuhl Seminar 08161 ``Scalable Program Analysis\u27\u27 was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the seminar as well as abstracts of seminar results and ideas are put together in this paper. The first section describes the seminar topics and goals in general. Links to extended abstracts or full papers are provided, if available