
Static error detection using semantic inconsistency inference

Published: 10 June 2007

Abstract

Inconsistency checking is a method for detecting software errors that relies only on examining multiple uses of a value. We propose that inconsistency inference is best understood as a variant of the older and better understood problem of type inference. Using this insight, we describe a precise and formal framework for discovering inconsistency errors. Unlike previous approaches to the problem, our technique for finding inconsistency errors is purely semantic and can deal with complex aliasing and path-sensitive conditions. We have built a null dereference analysis of C programs based on semantic inconsistency inference and have used it to find hundreds of previously unknown null dereference errors in widely used C programs.
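To make the idea in the abstract concrete, here is an added toy checker (not code from the paper or its tool) that treats every use of a pointer as a belief and reports contradictory beliefs on a single path; the three-operation IR, the `check` function and the sample programs are all constructed for this illustration.

```python
# Toy path-sensitive null-inconsistency checker over a constructed IR.
# Every use of a pointer is read as a belief: a dereference asserts "p != NULL",
# a null test asserts "p may be NULL". Two beliefs that contradict on one path
# are reported as an inconsistency, without deciding which of the two is the bug.
#
# Constructed IR (not the paper's): ("deref", p)      -> *p
#                                   ("branch", p, then_stmts, else_stmts)
#                                       -> if (p == NULL) {then} else {else}
#                                   ("return",)
NULL, NONNULL, UNKNOWN = "null", "nonnull", "unknown"

def check(stmts, state=None, derefs=None, findings=None, path="entry"):
    """Enumerate paths through stmts; return [(kind, var, where), ...]."""
    state = dict(state or {})      # var -> NULL / NONNULL / UNKNOWN on this path
    derefs = dict(derefs or {})    # var -> location of the deref that assumed NONNULL
    findings = findings if findings is not None else []
    for i, s in enumerate(stmts):
        if s[0] == "return":
            return findings
        op, p = s[0], s[1]
        if op == "deref":
            fact = state.get(p, UNKNOWN)
            if fact == NULL:                          # definite error on this path
                findings.append(("null-deref", p, f"{path}:{i}"))
            elif fact == UNKNOWN:                     # the deref is itself a belief
                state[p], derefs[p] = NONNULL, f"{path}:{i}"
        elif op == "branch":
            if p in derefs:                           # null test after an unchecked deref
                findings.append(("inconsistent", p, f"{derefs.pop(p)} vs {path}:{i}"))
            # Path-sensitive: continue separately along each arm with the rest of
            # the block appended (locations below index into that joined list).
            rest = stmts[i + 1:]
            check(s[2] + rest, {**state, p: NULL}, derefs, findings, f"{path}:{i}T")
            check(s[3] + rest, {**state, p: NONNULL}, derefs, findings, f"{path}:{i}F")
            return findings
    return findings

# Constructed sample programs.
PROG_A = [("deref", "p"), ("branch", "p", [("return",)], []), ("deref", "p")]         # deref, then test: inconsistent
PROG_B = [("branch", "q", [("return",)], []), ("deref", "q")]                          # test, then deref: fine
PROG_C = [("branch", "r", [("deref", "r")], [("deref", "r")])]                          # deref inside the null arm
PROG_D = [("branch", "q", [("deref", "p")], []), ("branch", "p", [("return",)], [])]   # inconsistent on one path only

if __name__ == "__main__":
    for name, prog in [("A", PROG_A), ("B", PROG_B), ("C", PROG_C), ("D", PROG_D)]:
        print(name, check(prog))
```

PROG_D is the path-sensitive case: the report is qualified by the path through the first branch, and the other path is clean.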


Published In

ACM SIGPLAN Notices, Volume 42, Issue 6
Proceedings of the 2007 PLDI conference
June 2007
491 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/1273442
  • PLDI '07: Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation
    June 2007
    508 pages
    ISBN: 9781595936332
    DOI: 10.1145/1250734
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. error detection
  2. inconsistency
  3. satisfiability
  4. static analysis

Qualifiers

  • Article
