A range-reduced static definition-use (def-use) fault detection framework is proposed to improve scalability while retaining accuracy when applied to large application programs. It casts common faults, such as null pointer dereferences, undefined references, buffer overflows, and memory leaks, into a common def-use fault pattern, and uses a two-level path-insensitive approach to classify variable uses that can trigger faults into must-trigger, must-not-trigger, and may-trigger categories, depending on whether the unsafe uses will always be, never be, or may be executed. For must-trigger unsafe uses, faults are reported immediately; must-not-trigger uses are dropped from further analysis. The already reduced program range relevant to the may-trigger unsafe uses is further reduced by a binary decision diagram (BDD) encoded path extraction scheme for the more accurate, but more expensive, path-sensitive analysis. A prototype has been built using this approach, and a set of large realistic applications (more than 4.8 MLOC in total) was tested for these common types of def-use faults. Compared with existing popular path-sensitive detection tools such as Clang Static Analyzer, our approach incurs less analysis time while achieving good accuracy, with a low false positive rate and no false negatives.
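The first, path-insensitive level of the classification described above, as an added example rather than the paper's prototype: a reaching-definitions pass over a constructed control-flow graph that sorts each pointer dereference into must-trigger, must-not-trigger or may-trigger, so that only the may-trigger uses would be handed on to the BDD-based path-sensitive stage. The statement encoding, the "null"/"valid" pointer states and the toy program are assumptions made for this example.

```python
# Constructed toy program (example only). ("def", var, state) assigns a pointer
# whose state is "null" or "valid"; ("use", var) dereferences it. SUCCS is the CFG.
STMTS = [
    ("def", "p", "null"),    # 0: p = NULL;  then branch to node 1 or node 2
    ("def", "p", "valid"),   # 1: if (c) p = alloc();
    ("use", "p"),            # 2: *p  -> may-trigger (null on one path only)
    ("def", "q", "null"),    # 3: q = NULL;
    ("use", "q"),            # 4: *q  -> must-trigger (null on every path)
    ("def", "r", "valid"),   # 5: r = alloc();
    ("use", "r"),            # 6: *r  -> must-not-trigger
    ("use", "s"),            # 7: *s  -> must-trigger (no definition reaches)
]
SUCCS = {0: [1, 2], 1: [2], 2: [3], 3: [4], 4: [5], 5: [6], 6: [7], 7: []}

def reaching_defs(stmts, succs):
    """Path-insensitive reaching definitions; per node, the (var, state, def_node) set at entry."""
    preds = {n: [p for p in succs if n in succs[p]] for n in succs}
    in_sets, out_sets = [set() for _ in stmts], [set() for _ in stmts]
    changed = True
    while changed:  # iterate to a fixed point over the CFG
        changed = False
        for n, (kind, var, *rest) in enumerate(stmts):
            new_in = set().union(*(out_sets[p] for p in preds[n]))
            if kind == "def":  # kill earlier defs of var, generate this one
                new_out = {d for d in new_in if d[0] != var} | {(var, rest[0], n)}
            else:
                new_out = new_in
            if new_in != in_sets[n] or new_out != out_sets[n]:
                in_sets[n], out_sets[n] = new_in, new_out
                changed = True
    return in_sets

def classify_uses(stmts, succs):
    """Map each dereference to must-trigger / must-not-trigger / may-trigger."""
    in_sets = reaching_defs(stmts, succs)
    verdicts = {}
    for n, st in enumerate(stmts):
        if st[0] != "use":
            continue
        states = {d[1] for d in in_sets[n] if d[0] == st[1]}
        if not states or states == {"null"}:  # undefined reference or always null
            verdicts[n] = "must-trigger"        # report at once
        elif "null" not in states:
            verdicts[n] = "must-not-trigger"    # drop from further analysis
        else:
            verdicts[n] = "may-trigger"         # only these need path-sensitive work
    return verdicts
```

Running `classify_uses(STMTS, SUCCS)` leaves a single may-trigger use (node 2) for the expensive stage; the other three dereferences are decided without any path enumeration.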
Bibliographical note

Funding Information:
This work was supported in part by the National Natural Science Foundation of China under Grant 61402303 and in part by the Project of Beijing Municipal Commission of Education under Grant KM201510028016.
- fault detection
- software reliability