Software & Systems Modeling, Volume 10, Issue 2, pp. 219–252

Precise null-pointer analysis

  • Fausto Spoto
Special Section Paper

Abstract

In Java, C or C++, attempts to dereference the null value result in an exception or a segmentation fault. Hence, it is important to identify those program points where this undesired behaviour might occur, or to prove the other program points (and possibly the entire program) safe. To that purpose, null-pointer analysis of computer programs checks or infers non-null annotations for variables and object fields. With few notable exceptions, current null-pointer analyses use run-time checks, are incorrect, or only verify manually provided annotations. In this paper, we use abstract interpretation to build, and prove correct, a first flow- and context-sensitive static null-pointer analysis for Java bytecode (and hence Java) which infers non-null annotations. It is based on Boolean formulas, implemented with binary decision diagrams. For better precision, it identifies instance or static fields that always remain non-null after being initialised. Our experiments show this analysis to be faster and more precise than the correct null-pointer analysis by Hubert, Jensen and Pichardie. Moreover, our analysis deals with exceptions, which is not the case for most others; its formulation is theoretically clean and its implementation strong and scalable. We subsequently improve that analysis by using local reasoning about fields that are not always non-null, but happen to hold a non-null value when they are accessed. This is a frequent situation, since programmers typically check a field for non-nullness before accessing it. We conclude with an example of the use of our analyses to infer null-pointer annotations which are more precise than those that other inference tools can achieve.
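The abstract describes a flow-sensitive null-pointer analysis by abstract interpretation that joins abstract states at control-flow merges, reports dereferences of possibly-null variables, exploits fields proven non-null after initialisation, and refines a variable locally after a `!= null` check. The following is an added example, not code from the paper or from its implementation: the paper works on Java bytecode with Boolean formulas over binary decision diagrams, whereas this toy analysis uses an explicit two-point domain ({null, nonnull} subsets) over a constructed three-address IR. The instruction names, the sample control-flow graph `SAMPLE_CFG` and the set `NONNULL_FIELDS` (which the paper infers, and which is simply an input here) are all assumptions of the example.

```python
"""Toy flow-sensitive nullness analysis by abstract interpretation (added example).

A variable is abstracted to the set of shapes it may hold, a subset of
{"null", "nonnull"}. A worklist propagates states through a control-flow graph
of basic blocks, joining at merge points; every dereference of a variable that
may be null is reported as a warning.
"""
from collections import deque

NULL, NONNULL = "null", "nonnull"
TOP = frozenset({NULL, NONNULL})   # unknown: may be null or non-null
NN = frozenset({NONNULL})
IS_NULL = frozenset({NULL})


def analyse(cfg, entry, params, nonnull_fields=frozenset()):
    """cfg: {block: [instruction, ...]}, each block ending in goto/ifnonnull/return.
    params: variables holding an unknown reference on entry.
    nonnull_fields: fields assumed proven non-null once initialised (an input
    here; the paper infers them). Returns (entry state per block, set of
    (block, index, variable) triples at which a null dereference is possible)."""
    state_in = {entry: {p: TOP for p in params}}
    warnings = set()
    work = deque([entry])

    def flow_to(target, st):
        """Join st into the entry state of target; re-queue target if it changed."""
        old = state_in.get(target)
        if old is None:
            new = dict(st)
        else:  # a variable missing on one side is treated as unknown (TOP)
            new = {v: old.get(v, TOP) | st.get(v, TOP) for v in old.keys() | st.keys()}
        if old != new:
            state_in[target] = new
            work.append(target)

    def deref(block, i, st, v):
        """Report v if it may be null; on the normal (non-exceptional)
        continuation v is then known non-null, so refine it."""
        if NULL in st.get(v, TOP):
            warnings.add((block, i, v))
        st[v] = NN

    while work:
        block = work.popleft()
        st = dict(state_in[block])
        for i, ins in enumerate(cfg[block]):
            op = ins[0]
            if op == "new":               # x = new C()
                st[ins[1]] = NN
            elif op == "null":            # x = null
                st[ins[1]] = IS_NULL
            elif op == "copy":            # x = y
                st[ins[1]] = st.get(ins[2], TOP)
            elif op == "getfield":        # x = y.f   (dereferences y)
                _, x, y, f = ins
                deref(block, i, st, y)
                st[x] = NN if f in nonnull_fields else TOP
            elif op == "putfield":        # y.f = x   (dereferences y)
                deref(block, i, st, ins[1])
            elif op == "call":            # x = y.m() (dereferences y), result unknown
                _, x, y = ins
                deref(block, i, st, y)
                st[x] = TOP
            elif op == "ifnonnull":       # if (x != null) goto t else goto e
                _, x, t, e = ins
                cur = st.get(x, TOP)
                if NONNULL in cur:        # the guard refines x on each branch;
                    flow_to(t, {**st, x: NN})
                if NULL in cur:           # an infeasible branch is not explored
                    flow_to(e, {**st, x: IS_NULL})
            elif op == "goto":
                flow_to(ins[1], st)
            elif op == "return":
                pass
            else:
                raise ValueError(f"unknown instruction {ins}")
    return state_in, warnings


# Constructed sample: method m(p) where q = p.next is guarded by a null check
# before q.name is read, r is freshly allocated, u = r.next is read unchecked,
# and t is a definite null.
NONNULL_FIELDS = frozenset({"name"})      # assumed proven non-null after initialisation
SAMPLE_CFG = {
    "entry": [
        ("getfield", "q", "p", "next"),        # p is an unchecked parameter -> warning
        ("ifnonnull", "q", "guarded", "join"),
    ],
    "guarded": [
        ("getfield", "s", "q", "name"),        # safe: q is non-null on this branch
        ("goto", "join"),
    ],
    "join": [
        ("new", "r"),
        ("putfield", "r", "next", "q"),        # safe: r was just allocated
        ("getfield", "u", "r", "next"),        # u unknown: 'next' is not a proven field
        ("getfield", "w", "u", "name"),        # warning: u may be null
        ("getfield", "v", "r", "name"),        # v non-null: 'name' is a proven field
        ("call", "z", "v"),                    # safe
        ("null", "t"),
        ("putfield", "t", "next", "r"),        # warning: t is definitely null
        ("return",),
    ],
}


def sample_warnings():
    """Run the analysis on the constructed sample and return its warnings."""
    return analyse(SAMPLE_CFG, "entry", ["p"], NONNULL_FIELDS)[1]


if __name__ == "__main__":
    for block, i, var in sorted(sample_warnings()):
        print(f"possible null dereference of {var!r} at {block}[{i}]: {SAMPLE_CFG[block][i]}")
```

Running the block reports exactly three program points: the unchecked parameter `p`, the unchecked field read `u`, and the definite null `t`; the guarded read of `q.name` and the reads through the freshly allocated `r` are proved safe, and `v` is non-null only because `name` is in the assumed set of proven fields. Refining a variable after a dereference (and not exploring the infeasible side of a guard) is the local reasoning the abstract refers to, in its simplest form.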

Keywords

Null-pointer analysis; Java bytecode; Static analysis; Abstract interpretation; Automatic software verification


References

  1. Aho, A.V., Sethi, R., Ullman, J.D.: Compilers: Principles, Techniques, and Tools. Addison-Wesley, Reading (1986)
  2. Albert, E., Arenas, P., Genaim, S., Puebla, G.: Dealing with numeric fields in termination analysis of Java-like languages. In: Huisman, M. (ed.) Proceedings of the 10th Workshop on Formal Techniques for Java-like Programs (FTfJP’08), July 2008. http://clip.dia.fi.upm.es/~samir/home/viewpost.php?post=Publications
  3. Armstrong, T., Marriott, J., Schachte, P., Søndergaard, H.: Two classes of Boolean functions for dependency analysis. Sci. Comput. Program. 31(1), 3–45 (1998)
  4. Bloch, J.: JSR 175: A Metadata Facility for the Java Programming Language (2004). http://jcp.org/en/jsr/detail?id=175
  5. Bryant, R.E.: Graph-based algorithms for Boolean function manipulation. IEEE Trans. Comput. 35(8), 677–691 (1986)
  6. Chalin, P., James, P.R.: Non-null references by default in Java: alleviating the nullity annotation burden. In: Ernst, E. (ed.) Proceedings of the 21st European Conference on Object-Oriented Programming (ECOOP’07). Lecture Notes in Computer Science, Berlin, Germany, July–August 2007, vol. 4609, pp. 227–247. Springer, Berlin (2007)
  7. Cielecki, M., Fulara, J., Jakubczyk, K., Jancewicz, Ł.: Propagation of JML non-null annotations in Java programs. In: Gitzel, R., Aleksy, M., Schader, M. (eds.) Proceedings of the 4th International Symposium on Principles and Practice of Programming in Java (PPPJ’06), Mannheim, Germany, August–September 2006, pp. 135–140. ACM, New York (2006)
  8. Cousot, P., Cousot, R.: Static determination of dynamic properties of programs. In: Proceedings of the 2nd International Symposium on Programming, Paris, France, April 1976, pp. 106–130. Dunod, Paris (1976)
  9. Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of the 4th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’77), pp. 238–252 (1977)
  10. Ekman, T., Hedin, G.: The JastAdd extensible Java compiler. In: Ernst, E. (ed.) Proceedings of the 21st European Conference on Object-Oriented Programming (ECOOP’07). Lecture Notes in Computer Science, Berlin, Germany, July–August 2007, vol. 4609, pp. 1–18. Springer, Berlin (2007)
  11. Engelen, A.F.M.: Nullness Analysis of Java Source Code. PhD thesis, University of Nijmegen, Department of Computer Science (2006)
  12. Ernst, M.D., Perkins, J.H., Guo, P.J., McCamant, S., Pacheco, C., Tschantz, M.S., Xiao, C.: The Daikon system for dynamic detection of likely invariants. Sci. Comput. Program. 69(1–3), 35–45 (2007)
  13. Fähndrich, M., Leino, K.R.M.: Declaring and checking non-null types in an object-oriented language. In: Crocker, R., Steele, G.L. Jr. (eds.) Proceedings of the 2003 ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages and Applications (OOPSLA’03), Anaheim, CA, USA, October 2003, pp. 302–312. ACM, New York (2003)
  14. Fähndrich, M., Xia, S.: Establishing object invariants with delayed types. In: Gabriel, R.P., Bacon, D.F., Videira Lopes, C., Steele, G.L. Jr. (eds.) Proceedings of the 2007 ACM SIGPLAN Conference on Object-Oriented Programming Systems, Languages and Applications (OOPSLA’07), Montreal, Quebec, Canada, October 2007, pp. 337–350. ACM, New York (2007)
  15. Flanagan, C., Leino, K.R.M.: Houdini, an annotation assistant for ESC/Java. In: Oliveira, J.N., Zave, P. (eds.) Proceedings of the 2001 International Symposium of Formal Methods Europe (FME’01). Lecture Notes in Computer Science, Berlin, Germany, March 2001, vol. 2021, pp. 500–517. Springer, Berlin (2001)
  16. Hill, P.M., Spoto, F.: Deriving escape analysis by abstract interpretation. High. Order Symb. Comput. 19(4), 415–463 (2006)
  17. Hovemeyer, D., Pugh, W.: Finding more null pointer bugs, but not too many. In: Das, M., Grossman, D. (eds.) Proceedings of the 7th ACM SIGPLAN-SIGSOFT Workshop on Program Analysis for Software Tools and Engineering (PASTE’07), San Diego, CA, USA, June 2007, pp. 9–14. ACM, New York (2007)
  18. Hovemeyer, D., Spacco, J., Pugh, W.: Evaluating and tuning a static analysis to find null pointer bugs. In: Ernst, M., Jensen, T.P. (eds.) Proceedings of the 2005 ACM SIGPLAN-SIGSOFT Workshop on Program Analysis For Software Tools and Engineering (PASTE’05), Lisbon, Portugal, September 2005, pp. 13–19. ACM, New York (2005)
  19. Hubert, L., Jensen, T., Pichardie, D.: Semantic foundations and inference of non-null annotations. In: Barthe, G., de Boer, F.S. (eds.) Proceedings of the 10th International Conference on Formal Methods for Open Object-based Distributed Systems (FMOODS’08). Lecture Notes in Computer Science, vol. 5051, pp. 132–149. Springer, Berlin (2008)
  20. Leino, K.R.M., Saxe, J.B., Stata, R.: ESC/Java User’s Manual. Compaq Systems Research Center, Technical Note 2000-002, October 2000
  21. Lindholm, T., Yellin, F.: The Java Virtual Machine Specification, 2nd edn. Addison-Wesley, Reading (1999)
  22. Male, C., Pearce, D.J., Potanin, A., Dymnikov, C.: Java bytecode verification for @NonNull types. In: Hendren, L. (ed.) Proceedings of the 17th International Conference on Compiler Construction (CC’2008). Lecture Notes in Computer Science, Budapest, Hungary, March–April 2008, vol. 4959, pp. 229–244. Springer, Budapest (2008)
  23. Palsberg, J., Schwartzbach, M.I.: Object-oriented type inference. In: Proceedings of OOPSLA’91. ACM SIGPLAN Notices, vol. 26(11), pp. 146–161. ACM, New York (1991)
  24. Papi, M.M., Ali, M., Correa, T.L., Perkins, J.H., Ernst, M.D.: Practical pluggable types for Java. In: Ryder, B.G., Zeller, A. (eds.) Proceedings of the ACM/SIGSOFT 2008 International Symposium on Software Testing and Analysis (ISSTA’08), Seattle, WA, USA, July 2008, pp. 201–212. ACM, New York (2008)
  25. Payet, É., Spoto, F.: Magic-sets transformation for the analysis of Java bytecode. In: Nielson, H.R., Filé, G. (eds.) Proceedings of the 14th International Static Analysis Symposium (SAS’07). Lecture Notes in Computer Science, Kongens Lyngby, Denmark, August 2007, vol. 4634, pp. 452–467. Springer, Berlin (2007)
  26. Secci, S., Spoto, F.: Pair-sharing analysis of object-oriented programs. In: Hankin, C. (ed.) Proceedings of the Static Analysis Symposium (SAS’05). Lecture Notes in Computer Science, London, UK, September 2005, vol. 3672, pp. 320–335. Springer, Berlin (2005)
  27. Spoto, F.: Nullness analysis in Boolean form. In: Proceedings of the 6th IEEE International Conference on Software Engineering and Formal Methods (SEFM’08), Cape Town, South Africa, November 2008, pp. 21–30. IEEE Press, New York (2008)

Copyright information

© Springer-Verlag 2009

Authors and Affiliations

  1. Università di Verona, Verona, Italy