Abstract
Accessing an out-of-bounds memory address can lead to nondeterministic behavior or elusive crashes. Static analysis can detect memory access errors from program source code without runtime overhead, but existing techniques are either very imprecise or of exponential cost. This paper proposes a precise and effective method to detect memory access errors. First, it generates a state for each statement with a flow-sensitive, inter-procedural algorithm. A state includes not only range constraints, as in traditional range analysis, but also the occurrence conditions of those range constraints. Second, it solves the states of memory access statements to evaluate the sizes of the accessed memory bounds. The costs of state generation and state resolution are polynomial. We have implemented a prototype of the analysis method. Applied to 7 popular programs, the prototype found 40 memory access errors with a high precision of 80%.
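The following toy analysis is an added illustration of the idea sketched in the abstract; it is not the paper's code or algorithm. Every variable carries a list of cases, each pairing an interval with the branch conditions under which that interval holds, so intervals that are valid only on some paths are not merged away at joins. The mini-IR, the `check`/`analyze`/`assume` names, and the sample program are constructed for this example. A `path_sensitive=False` switch disables the use of the occurrence conditions, which makes the same engine behave like a condition-blind interval analysis for comparison.

```python
"""Toy flow-sensitive conditional range analysis (added illustration).

Each variable maps to a list of (conditions, lo, hi) cases: an interval plus
the occurrence conditions under which that interval holds.  Hypothetical
mini-IR and naming; this is not the paper's implementation.
"""

# Negation of a comparison operator, used for the else edge of a branch.
NEGATE = {"<": ">=", ">=": "<", "<=": ">", ">": "<="}


def cond_key(var, op, k):
    """Canonical string for the condition 'var op k'."""
    return f"{var}{op}{k}"


def narrow(lo, hi, op, k):
    """Tighten the interval [lo, hi] under the assumption 'x op k'."""
    if op == "<":
        hi = min(hi, k - 1)
    elif op == "<=":
        hi = min(hi, k)
    elif op == ">":
        lo = max(lo, k + 1)
    elif op == ">=":
        lo = max(lo, k)
    return lo, hi


def assume(state, var, op, k, path_sensitive=True):
    """Restrict a state to the paths on which 'var op k' holds.

    Cases whose recorded conditions contradict the branch are dropped (the
    path-sensitive part); cases of the tested variable itself are narrowed,
    and cases whose interval becomes empty vanish.
    """
    key, anti = cond_key(var, op, k), cond_key(var, NEGATE[op], k)
    new = {}
    for v, cases in state.items():
        kept = []
        for conds, lo, hi in cases:
            if path_sensitive and anti in conds:
                continue
            if v == var:
                lo, hi = narrow(lo, hi, op, k)
                if lo > hi:
                    continue
            kept.append((conds | {key}, lo, hi))
        new[v] = kept
    return new


def join(a, b):
    """Merge the states of two branches by keeping both branches' cases."""
    return {v: a.get(v, []) + b.get(v, []) for v in set(a) | set(b)}


def analyze(block, sizes, state, path, findings, path_sensitive):
    """Walk a block of mini-IR statements, returning the state after it."""
    for stmt in block:
        kind = stmt[0]
        if kind == "input":          # ("input", var, lo, hi): unknown value in [lo, hi]
            _, var, lo, hi = stmt
            state[var] = [(path, lo, hi)]
        elif kind == "set":          # ("set", var, k): var = k
            _, var, k = stmt
            state[var] = [(path, k, k)]
        elif kind == "copy":         # ("copy", dst, src): dst = src
            _, dst, src = stmt
            state[dst] = [(c | path, lo, hi) for c, lo, hi in state[src]]
        elif kind == "if":           # ("if", var, op, k, then_block, else_block)
            _, var, op, k, then_blk, else_blk = stmt
            t = analyze(then_blk, sizes, assume(state, var, op, k, path_sensitive),
                        path | {cond_key(var, op, k)}, findings, path_sensitive)
            nop = NEGATE[op]
            e = analyze(else_blk, sizes, assume(state, var, nop, k, path_sensitive),
                        path | {cond_key(var, nop, k)}, findings, path_sensitive)
            state = join(t, e)
        elif kind == "access":       # ("access", array, var): array[var]
            _, arr, var = stmt
            for conds, lo, hi in state[var]:
                if lo < 0 or hi >= sizes[arr]:
                    findings.append((arr, var, tuple(sorted(conds)), lo, hi))
    return state


def check(program, sizes, path_sensitive=True):
    """Return possibly out-of-bounds accesses as (array, var, conditions, lo, hi)."""
    findings = []
    analyze(program, sizes, {}, frozenset(), findings, path_sensitive)
    return findings


# Constructed sample: idx is large only on the n >= 16 path, and the second
# branch re-tests the same condition, so only the else-side access can overflow.
SIZES = {"buf": 16}
PROGRAM = [
    ("input", "n", 0, 100),
    ("if", "n", "<", 16, [("set", "idx", 0)], [("copy", "idx", "n")]),
    ("if", "n", "<", 16, [("access", "buf", "idx")], [("access", "buf", "idx")]),
]

if __name__ == "__main__":
    for name, ps in (("conditional", True), ("condition-blind", False)):
        print(name, check(PROGRAM, SIZES, path_sensitive=ps))
```

Run as a script, the conditional analysis reports a single finding, the else-side access with `idx` in [16, 100] under the condition `n>=16`, while the condition-blind run also flags the then-side access because it cannot tell that the `n>=16` case of `idx` is unreachable there. The reported condition is what makes the finding actionable for triage: it names the path on which the bound is exceeded.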
© 2005 Springer-Verlag Berlin Heidelberg
Cite this paper
Xia, Y., Luo, J., Zhang, M. (2005). Detecting Memory Access Errors with Flow-Sensitive Conditional Range Analysis. In: Yang, L.T., Zhou, X., Zhao, W., Wu, Z., Zhu, Y., Lin, M. (eds) Embedded Software and Systems. ICESS 2005. Lecture Notes in Computer Science, vol 3820. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11599555_32
DOI: https://doi.org/10.1007/11599555_32
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-30881-2
Online ISBN: 978-3-540-32297-9
eBook Packages: Computer Science (R0)