
Orion: High-Precision Methods for Static Error Analysis of C and C++ Programs

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNCS, volume 4111)

Abstract

We describe the algorithmic and implementation ideas behind a tool, Orion, for finding common programming errors in C and C++ programs using static code analysis. We aim to explore the fundamental trade-off between the cost and the precision of such analyses. Analysis methods that use simple dataflow domains run the risk of producing a high number of false error reports. On the other hand, the use of complex domains reduces the number of false errors, but limits the size of code that can be analyzed.

Orion employs a two-level approach: potential errors are identified by an efficient search based on a simple domain; each discovered error path is then scrutinized by a high-precision feasibility analysis aimed at filtering out as many false errors as possible.

We describe the algorithms used and their implementation in a GCC-based tool. Experimental results on a number of software programs bear out the expectation that this approach results in a high signal-to-noise ratio of reported errors, at an acceptable cost.
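The two-level scheme in the abstract can be seen end to end on a toy program. The following is an added illustration written for this page, not code from Orion or its authors: it assumes a hand-built control-flow graph with a single pointer variable and integer branch tests of the form `var OP k`, runs a cheap path-insensitive "may be NULL" dataflow to collect candidate dereferences (level 1), and then re-walks every path to each candidate with exact pointer tracking and a satisfiability check on the accumulated branch conditions (level 2). The feasibility check is a per-variable interval intersection, which is exact for this constraint class and stands in for the decision procedure a real tool would call. The sample program is the classic correlated-branch false positive (`if (x > 0) p = &a; ... if (x > 0) *p;`), with a switch to turn it into a real NULL dereference.

```python
"""Two-level error search (added illustration, not Orion's implementation)."""
from dataclasses import dataclass, field
from math import inf

NEGATE = {">": "<=", ">=": "<", "<": ">=", "<=": ">"}   # else-edge condition


@dataclass
class Block:
    stmts: list                                # executed in order
    succ: list = field(default_factory=list)   # for a branch block: [then, else]


def build_program(second_test=(">", 0)):
    """Constructed CFG for:   p = NULL; if (x > 0) p = &a; if (x OP k) *p;
    second_test=(">", 0): the tests are correlated, the deref is safe.
    second_test=("<", 10): x <= 0 && x < 10 is satisfiable, a real NULL deref."""
    op, k = second_test
    return {
        0: Block([("assign_null", "p"), ("branch", "x", ">", 0)], [1, 2]),
        1: Block([("assign_addr", "p")], [2]),
        2: Block([("branch", "x", op, k)], [3, 4]),
        3: Block([("deref", "p")], [5]),
        4: Block([], [5]),
        5: Block([]),
    }


# ---- Level 1: cheap, path-insensitive may-null dataflow ---------------------
def transfer(state, stmt):
    state = {p: set(v) for p, v in state.items()}
    if stmt[0] == "assign_null":
        state[stmt[1]] = {"null"}
    elif stmt[0] == "assign_addr":
        state[stmt[1]] = {"nonnull"}
    return state


def join(a, b):
    return {p: a.get(p, set()) | b.get(p, set()) for p in set(a) | set(b)}


def level1_candidates(cfg, entry=0):
    """Worklist dataflow. At a merge the facts are unioned, so a pointer that
    is NULL on *some* incoming edge is may-null afterwards. Returns every
    (block, stmt_index) that dereferences a may-null pointer."""
    entry_state = {b: None for b in cfg}
    entry_state[entry] = {}
    work, found = [entry], set()
    while work:
        b = work.pop(0)
        state = entry_state[b]
        for i, stmt in enumerate(cfg[b].stmts):
            if stmt[0] == "deref" and "null" in state.get(stmt[1], set()):
                found.add((b, i))
            state = transfer(state, stmt)
        for s in cfg[b].succ:
            new = state if entry_state[s] is None else join(entry_state[s], state)
            if new != entry_state[s]:
                entry_state[s] = new
                work.append(s)
    return sorted(found)


# ---- Level 2: per-path precise re-check ------------------------------------
def paths_to(cfg, target, entry=0):
    """All simple paths from entry to target (the example CFG is loop-free)."""
    out = []

    def dfs(b, path):
        if b == target:
            out.append(path)
            return
        for s in cfg[b].succ:
            if s not in path:
                dfs(s, path + [s])

    dfs(entry, [entry])
    return out


def feasible(constraints):
    """Exact satisfiability of a conjunction of `var OP k` over the integers
    via interval intersection (stand-in for a real decision procedure)."""
    bounds = {}
    for var, op, k in constraints:
        lo, hi = bounds.get(var, (-inf, inf))
        if op == ">":    lo = max(lo, k + 1)
        elif op == ">=": lo = max(lo, k)
        elif op == "<":  hi = min(hi, k - 1)
        elif op == "<=": hi = min(hi, k)
        bounds[var] = (lo, hi)
    return all(lo <= hi for lo, hi in bounds.values())


def level2_confirm(cfg, candidate):
    """Keep the candidate only if some path reaches the deref with the pointer
    exactly NULL *and* the branch conditions taken along it are satisfiable."""
    block, idx = candidate
    witnesses = []
    for path in paths_to(cfg, block):
        state, conds = {}, []
        for pos, b in enumerate(path):
            for i, stmt in enumerate(cfg[b].stmts):
                if b == block and i == idx:
                    if state.get(stmt[1]) == "null" and feasible(conds):
                        witnesses.append((path, conds))
                    break
                if stmt[0] == "assign_null":
                    state[stmt[1]] = "null"
                elif stmt[0] == "assign_addr":
                    state[stmt[1]] = "nonnull"
                elif stmt[0] == "branch":
                    _, var, op, k = stmt
                    then_taken = path[pos + 1] == cfg[b].succ[0]
                    conds.append((var, op if then_taken else NEGATE[op], k))
    return witnesses


def analyze(cfg):
    """Level 1 proposes, level 2 disposes: confirmed (block, stmt_index) pairs."""
    return [c for c in level1_candidates(cfg) if level2_confirm(cfg, c)]


if __name__ == "__main__":
    safe, buggy = build_program((">", 0)), build_program(("<", 10))
    print("level 1 reports:", level1_candidates(safe))   # [(3, 0)]
    print("safe after level 2:", analyze(safe))          # []
    print("buggy after level 2:", analyze(buggy))        # [(3, 0)]
```

The cheap pass flags the dereference in both variants because it merges the `p = NULL` and `p = &a` facts at the join. The precise pass discards the safe variant because the only path that reaches the dereference with `p` NULL carries the contradictory conditions `x <= 0` and `x > 0`, while the buggy variant survives with a concrete witness path and path condition that a reporter can print alongside the error.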

Keywords

  • Model Check
  • Reachable State
  • Abstract Domain
  • Error Path
  • Feasibility Check




Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Dams, D.R., Namjoshi, K.S. (2006). Orion: High-Precision Methods for Static Error Analysis of C and C++ Programs. In: de Boer, F.S., Bonsangue, M.M., Graf, S., de Roever, W.P. (eds) Formal Methods for Components and Objects. FMCO 2005. Lecture Notes in Computer Science, vol 4111. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11804192_7


  • DOI: https://doi.org/10.1007/11804192_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-36749-9

  • Online ISBN: 978-3-540-36750-5

  • eBook Packages: Computer Science, Computer Science (R0)