Detecting memory access errors with flow-sensitive conditional range analysis

Authors:
Yimin Xia;Jun Luo;Minxuan Zhang
Affiliations:
School of Computer Science, National University of Defense Technology, Changsha, P.R. China;School of Computer Science, National University of Defense Technology, Changsha, P.R. China;School of Computer Science, National University of Defense Technology, Changsha, P.R. China
Venue:
ICESS'05 Proceedings of the Second international conference on Embedded Software and Systems
Year:
2005

Citing 11
Cited 0

Points-to analysis in almost linear time

POPL '96 Proceedings of the 23rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Unification-based pointer analysis with directional assignments

PLDI '00 Proceedings of the ACM SIGPLAN 2000 conference on Programming language design and implementation
Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints

POPL '77 Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Improving Security Using Extensible Lightweight Static Analysis

IEEE Software
Symbolic range propagation

IPPS '95 Proceedings of the 9th International Symposium on Parallel Processing
CSSV: towards a realistic tool for statically detecting all buffer overflows in C

PLDI '03 Proceedings of the ACM SIGPLAN 2003 conference on Programming language design and implementation
Tracking pointers with path and context sensitivity for bug detection in C programs

Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
ARCHER: using symbolic, path-sensitive analysis to detect memory access errors

Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
Buffer overrun detection using linear programming and static analysis

Proceedings of the 10th ACM conference on Computer and communications security
LLVM: A Compilation Framework for Lifelong Program Analysis & Transformation

Proceedings of the international symposium on Code generation and optimization: feedback-directed and runtime optimization
Precise and efficient static array bound checking for large embedded C programs

Proceedings of the ACM SIGPLAN 2004 conference on Programming language design and implementation

Quantified Score

Hi-index	0.01

Visualization

Abstract

Accessing an out-of-bounds memory address can lead to nondeterministic behaviors or elusive crashes. Static analysis can detect memory access errors from program source codes without runtime overhead, but existing techniques are either very imprecise or exponential cost. This paper proposes a precise and effective method to detect memory access errors. Firstly, it generates a state for each statement with a flow-sensitive, inter-procedural algorithm. A state includes not only range constraints like the traditional range analysis, but also occurrence conditions of the range constraints. Secondly, it solves states of memory access statement to evaluate the sizes of accessed memory bounds. The costs of state generation and state resolution are polynomial. We have implemented a prototype of the analysis method. Applied to 7 popular programs, the prototype found 40 memory access errors with a high precision of 80%.