Orion: High-Precision Methods for Static Error Analysis of C and C++ Programs

  • Dennis R. Dams
  • Kedar S. Namjoshi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4111)


We describe the algorithmic and implementation ideas behind a tool, Orion, for finding common programming errors in C and C++ programs using static code analysis. We aim to explore the fundamental trade-off between the cost and the precision of such analyses. Analysis methods that use simple dataflow domains run the risk of producing a high number of false error reports. On the other hand, the use of complex domains reduces the number of false errors, but limits the size of code that can be analyzed.

Orion employs a two-level approach: potential errors are identified by an efficient search based on a simple domain; each discovered error path is then scrutinized by a high-precision feasibility analysis aimed at filtering out as many false errors as possible.

We describe the algorithms used and their implementation in a GCC-based tool. Experimental results on a number of software programs bear out the expectation that this approach results in a high signal-to-noise ratio of reported errors, at an acceptable cost.
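The two-level scheme described above, as an added example that is not Orion's code: a cheap first pass tracks only whether each pointer may be NULL (branch conditions are ignored, so it is fast but explores infeasible paths) and records every path to a dereference that the abstract state admits; a second pass checks whether the branch conditions along each candidate path are jointly satisfiable and drops the ones that are not. The toy CFG encoding, the instruction names, the null-dereference property and the bounds-based satisfiability check are all assumptions of this example; the abstract does not say which error classes Orion checks or which decision procedure it uses.

```python
"""Two-level error search: a cheap abstract-domain search for candidate
null-dereference paths, then a per-path feasibility check.  Constructed
illustration of the scheme in the abstract; not Orion's implementation."""
from collections import defaultdict
from math import inf

NULL, NONNULL = "NULL", "NONNULL"

# Assumed toy CFG encoding (not GCC's GIMPLE): node -> [(successor, instruction)].
#   ("set", ptr, NULL|NONNULL)  pointer assignment, tracked by the cheap domain
#   ("guard", var, op, const)   branch condition on an integer input variable;
#                               ignored by level 1, interpreted by level 2
#   ("deref", ptr)              pointer use, the error site


def cheap_search(cfg, entry, init):
    """Level 1: DFS over the CFG tracking only the set {NULL, NONNULL} each
    pointer may hold.  Guards are not interpreted, so the search is cheap but
    follows infeasible paths.  Returns one path per (deref site, abstract
    state) whose state admits NULL.  An untracked pointer is assumed unknown."""
    candidates, seen = [], set()
    stack = [(entry, {k: frozenset(v) for k, v in init.items()}, [])]
    while stack:
        node, state, path = stack.pop()
        key = (node, tuple(sorted(state.items())))
        if key in seen:            # same node, same abstract state: already explored
            continue
        seen.add(key)
        for succ, instr in cfg.get(node, []):
            new = dict(state)
            if instr[0] == "set":
                new[instr[1]] = frozenset([instr[2]])
            elif instr[0] == "deref":
                if NULL in state.get(instr[1], frozenset([NULL, NONNULL])):
                    candidates.append(path + [(node, succ, instr)])
            stack.append((succ, new, path + [(node, succ, instr)]))
    return candidates


def path_guards(path):
    """Branch conditions taken along a level-1 path, as (var, op, const)."""
    return [instr[1:] for _, _, instr in path if instr[0] == "guard"]


def feasible(guards):
    """Level 2: is the conjunction of a path's branch conditions satisfiable
    over the integers?  Each guard compares one variable with a constant, so
    per-variable bounds plus an exclusion set decide this fragment exactly.
    Stand-in for a real decision procedure (assumption of the example)."""
    lo, hi = defaultdict(lambda: -inf), defaultdict(lambda: inf)
    excl = defaultdict(set)
    for var, op, c in guards:
        if op == ">":
            lo[var] = max(lo[var], c + 1)
        elif op == ">=":
            lo[var] = max(lo[var], c)
        elif op == "<":
            hi[var] = min(hi[var], c - 1)
        elif op == "<=":
            hi[var] = min(hi[var], c)
        elif op == "==":
            lo[var], hi[var] = max(lo[var], c), min(hi[var], c)
        elif op == "!=":
            excl[var].add(c)
        else:
            raise ValueError(f"unsupported guard operator {op!r}")
    for var in set(lo) | set(hi) | set(excl):
        if lo[var] > hi[var]:
            return False
        # exclusions can only empty a bounded interval
        if lo[var] != -inf and hi[var] != inf and \
                all(v in excl[var] for v in range(lo[var], hi[var] + 1)):
            return False
    return True


def analyze(cfg, entry, init=None):
    """Run both levels: every candidate from level 1, and those level 2 keeps."""
    candidates = cheap_search(cfg, entry, init or {})
    confirmed = [p for p in candidates if feasible(path_guards(p))]
    return candidates, confirmed


def example_cfg(second_var):
    """Constructed C-like program:
         p = NULL;
         if (n > 0) p = &buf;
         if (<second_var> > 10) *p = 0;      /* deref site */
    second_var == "n": the null path needs n <= 0 && n > 10, a false alarm.
    second_var == "m": the null path is feasible, a real bug."""
    return {
        0: [(1, ("set", "p", NULL))],
        1: [(2, ("guard", "n", ">", 0)), (3, ("guard", "n", "<=", 0))],
        2: [(3, ("set", "p", NONNULL))],
        3: [(4, ("guard", second_var, ">", 10)), (5, ("guard", second_var, "<=", 10))],
        4: [(5, ("deref", "p"))],
        5: [],
    }


FALSE_ALARM = example_cfg("n")
REAL_BUG = example_cfg("m")

if __name__ == "__main__":
    for name, cfg in (("correlated guards", FALSE_ALARM), ("independent guards", REAL_BUG)):
        cands, confirmed = analyze(cfg, 0)
        print(f"{name}: level 1 reported {len(cands)}, level 2 kept {len(confirmed)}")
        for p in confirmed:
            print("  feasible error path, conditions:", path_guards(p))
```

The example also shows the cost of the cheap level: because level 1 keeps only one path per (node, abstract state), a site whose first recorded path is infeasible is not retried along another path, so a feasible path to the same dereference through a different guard sequence can be missed. That trade-off is a property of this toy search, not a statement about how Orion enumerates paths.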


Keywords: model checking, reachable states, abstract domain, error path, feasibility check





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

Dennis R. Dams and Kedar S. Namjoshi, Bell Labs, Lucent Technologies, Murray Hill, USA
