20
Path-sensitive Memory Leak Detector Yungbum Jung Programming Research Laboratory Seoul National University ROSAEC 2nd Workshop 1
Path-sensitive Memory Leak Detector
Yungbum JungProgramming Research Laboratory
Seoul National University
ROSAEC 2nd Workshop
1
fopen
fclose
escape
False Alarm from Tar
2
Alarm Explanation
successfalse
failtrue
allocated
escape
void foo(){int *p1 = malloc(...);if(!p1) return;int *p2 = malloc(...);if(!p2) return;
}
3
4
Practical Memory Leak Detector Based on ParameterizedProcedural Summaries !
Yungbum Jung Kwangkeun Yi
Seoul National University
{dreameye,kwang}@ropas.snu.ac.kr
Abstract
We present a static analyzer that detects memory leaks in C pro-grams. It achieves relatively high accuracy at a relatively low coston SPEC2000 benchmarks and several open-source software pack-ages, demonstrating its practicality and competitive edge againstother reported analyzers: for a set of benchmarks totaling 1,777KLOCs, it found 332 bugs with 47 additional false positives (a12.4% false-positive ratio), and the average analysis speed was 720LOC/sec.We separately analyze each procedure’s memory behavior into
a summary that is used in analyzing its call sites. Each proceduralsummary is parameterized by the procedure’s call context so that itcan be instantiated at different call sites. What information to cap-ture in each procedural summary has been carefully tuned so thatthe summary should not lose any common memory-leak-relatedbe-haviors in real-world C programs.Because each procedure is summarized by conventional fixpoint
iteration over the abstract semantics (à la abstract interpretation),the analyzer naturally handles arbitrary call cycles from direct orindirect recursive calls.
Categories and Subject Descriptors D.2.4 [Software Engineer-ing]: Software/Program Verification; D.2.5 [Software Engineer-ing]: Testing and Debugging—Symbolic Execution; D.3.4 [Pro-gramming Languages]: Processors—MemoryManagement(garbagecollection)
General Terms Experimentation, Languages, Verification.
Keywords program analysis, memory management, error detec-tion, abstract interpretation, memory leaks, shape analysis.
1. Introduction
A memory leak in a C program is sometimes fatal; it may silentlyail the program until memory is exhausted and the program isaborted. A procedure leaks heap memory whenever (1) memoryis allocated while the procedure is active and (2) this memory isneither recycled nor visible to its caller after its return.
!This work was partially supported by Brain Korea 21 Project of KoreaMinistry of Education and Human Resources, and by Fasoo.com.
Permission to make digital or hard copies of all or part of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage and that copies bear this notice and the full citationon the first page. To copy otherwise, to republish, to post on servers or to redistributeto lists, requires prior specific permission and/or a fee.
ISMM’08, June 7-8, 2008, Tuscon, Arizona, USA.Copyright c! 2008 ACM 978-1-60558-134-7/08/06. . . $5.00
In this article, we present a practical, fully automatic static an-alyzer (called SPARROW ) that locates memory leaks in C pro-grams. In comparison with other published memory leak detec-tors [14, 8, 2, 11], our analyzer consistently detects more bugsfor the same published benchmark software. Our analysis speedis 720LOC/sec, next to that of the fastest analyzer, FastCheck [2].Our false-positive ratio (the percentage of alarms that are not truebugs) is 12.4%, which is beaten only by Saturn [14].
C program Tool Bug False AlarmCount Count
SPEC2000 SPARROW 81 15benchmark FastCheck [2] 59 8
binutils-2.13.1 SPARROW 246 29& Saturn [14] 165 5
openssh-3.5.p1 Clouseau [8] 84 269
Table 1. Performance comparison for the same C programs. Othertools’ data are from the cited papers. SPARROW found more bugsthan others with a reasonable false-alarm ratio.
Tool C Size Speed Bug False AlarmKLOC LOC/s Count Ratio(%)
Saturn [14] 6,822 50 455 10%Clouseau [8] 1,086 500 409 64%FastCheck [2] 671 37,900 63 14%Contradiction [11] 321 300 26 56%SPARROW 1,777 720 332 12%
Table 2. Overall comparison with other memory leak detectors.Other tools’ data are from [2]. Note that these tools are applied todifferent programs.
SPARROW separately analyzes each procedure’s memory be-havior into a summary. Each procedure’s analysis summary is usedat its call sites. The summary is parameterized so that it can be in-stantiated differently depending on the memory state at each callsite.Because extracting each procedure’s summary is done by the
conventional fixpoint iterations over abstract semantics (à la ab-stract interpretation), the analyzer naturally handles loops, arbitrarycall cycles, and aliases within the abstract semantics.The choice of summary categories has been empirically tuned.
The summary categories are chosen after other choices have beentested against realistic C programs. The abstraction decision fo-cuses on not neglecting common memory-leak-related behaviorsin realistic C programs.SPARROW cannot soundly determine that a program is free from
memory leaks; it detects some memory leaks but not all.
ISMM’08
Summary Based Memory Leak Detector
List * next(List *head) {List * cur = head->next;free(head);return cur;
}
Introduction Estimating Memory-E!ects Procedural Summary Experiment Results Unsound Decisions Conclusion
Example of Explorations
Exploring Unknown Memory
List * next(List *head) {List * cur = head->next;free(head);return cur;
}
head !" !!.next !" "
cur !" "
Symbolic addresses ! and " represent some addresses that alreadyexisted before the procedure is called
! = arg *" = arg *.next
Programming Research Lab. Seoul National University, Korea 8
Introduction Estimating Memory-E!ects Procedural Summary Experiment Results Unsound Decisions Conclusion
Example of Explorations
Exploring Unknown Memory
List * next(List *head) {List * cur = head->next;free(head);return cur;
}
head !" !!.next !" "
cur !" "ret !" "
Return address ret contains return value
Programming Research Lab. Seoul National University, Korea 10
Introduction Estimating Memory-E!ects Procedural Summary Experiment Results Unsound Decisions Conclusion
Summarization from Memory
From
List *next(List *head) {List *cur = head->next;free(head);return cur;
}
head !" !!.next !" "
cur !" "ret !" "
To
Arg2Free
Arg2Ret
arg*
ret
next
*
! = arg *" = arg *.next" = ret *
Programming Research Lab. Seoul National University, Korea 18
next
5
Summary CategoriesIntroduction Estimating Memory-E!ects Procedural Summary Experiment Results Unsound Decisions Conclusion
8 Summary Categories
• To detect more leaks
• To avoid false positives
• To capture interprocedural aliasing
free global argument returnallocation - - Alloc2Arg Alloc2Ret
global - - Glob2Arg Glob2Retargument Arg2Free Arg2Glob Arg2Arg Arg2Ret
Programming Research Lab. Seoul National University, Korea 14
allocation safe aliasing
6
Instantiation
void foo(){List * p = malloc(...);p->next = malloc(...);free(next(p));
}
Introduction Estimating Memory-E!ects Procedural Summary Experiment Results Unsound Decisions Conclusion
Summarization from Memory
From
List *next(List *head) {List *cur = head->next;free(head);return cur;
}
head !" !!.next !" "
cur !" "ret !" "
To
Arg2Free
Arg2Ret
arg*
ret
next
*
! = arg *" = arg *.next" = ret *
Programming Research Lab. Seoul National University, Korea 18
next
Path-sensitive Mairac
Yungbum Jung
July 6, 2009
1 Target Defects
1. Memory Leak
2. Null Dereference
3. Double Free
4. Use After Free
5. Return Pointer to Local Variable
6. Return Pointer to Freed Address
7. Free Non-Heap Variables
8. Uninitialized Variable Access
p !" !1!1.next !" !2
2 G Constructs
cmd # Cmd ::= assert grd | le := e | call(le, e, e)| return e | Alloc le | Free e
le # LExp ::= x | *e | e.fe # Exp ::= c | le | e$ e | ¬e | &le
grd # Guard ::= e % e | ¬grd& # LOpeartor ::= ' |(% # Relation ::= = | )= | > | < | * | + | &$ # BOperator ::= + | , | - | ÷ | % | %
1
Path-sensitive Mairac
Yungbum Jung
July 6, 2009
1 Target Defects
1. Memory Leak
2. Null Dereference
3. Double Free
4. Use After Free
5. Return Pointer to Local Variable
6. Return Pointer to Freed Address
7. Free Non-Heap Variables
8. Uninitialized Variable Access
p !" !1!1.next !" !2
2 G Constructs
cmd # Cmd ::= assert grd | le := e | call(le, e, e)| return e | Alloc le | Free e
le # LExp ::= x | *e | e.fe # Exp ::= c | le | e$ e | ¬e | &le
grd # Guard ::= e % e | ¬grd& # LOpeartor ::= ' |(% # Relation ::= = | )= | > | < | * | + | &$ # BOperator ::= + | , | - | ÷ | % | %
1
Path-sensitive Mairac
Yungbum Jung
July 6, 2009
1 Target Defects
1. Memory Leak
2. Null Dereference
3. Double Free
4. Use After Free
5. Return Pointer to Local Variable
6. Return Pointer to Freed Address
7. Free Non-Heap Variables
8. Uninitialized Variable Access
p !" !1!1.next !" !2
2 G Constructs
cmd # Cmd ::= assert grd | le := e | call(le, e, e)| return e | Alloc le | Free e
le # LExp ::= x | *e | e.fe # Exp ::= c | le | e$ e | ¬e | &le
grd # Guard ::= e % e | ¬grd& # LOpeartor ::= ' |(% # Relation ::= = | )= | > | < | * | + | &$ # BOperator ::= + | , | - | ÷ | % | %
1
7
Path-sensitive Analysis
Mairac
PSMairac
if(need_malloc)
x = malloc(...) x = &global
if(need_malloc)
free(x)
...
return
Path-sensitive Mairac
Yungbum Jung
July 6, 2009
1 Target Defects
1. Memory Leak
2. Null Dereference
3. Double Free
4. Use After Free
5. Return Pointer to Local Variable
6. Return Pointer to Freed Address
7. Free Non-Heap Variables
8. Uninitialized Variable Access
x !" {!, global}x !" {! !" need malloc, global !" ¬need malloc}
2 G Constructs
cmd # Cmd ::= assert grd | le := e | call(le, e, e)| return e | Alloc le | Free e
le # LExp ::= x | *e | e.fe # Exp ::= c | le | e$ e | ¬e | &le
grd # Guard ::= e % e | ¬grd& # LOpeartor ::= ' |(% # Relation ::= = | )= | > | < | * | + | &$ # BOperator ::= + | , | - | ÷ | % | %
1
8
Path-sensitive Mairac
Yungbum Jung
July 8, 2009
1 Target Defects
1. Memory Leak
2. Null Dereference
3. Double Free
4. Use After Free
5. Return Pointer to Local Variable
6. Return Pointer to Freed Address
7. Free Non-Heap Variables
8. Uninitialized Variable Access
x !" {!/need malloc, global/¬need malloc}
¬(a > 10) # ¬(a < 0 $ (a % 10 # a > 0))
head !" &", true'".next !" &#, true'
cur !" &#, true'a !" &$, true'
ret !" {&0, $ > 0', &#,¬($ > 0)'}¬(a > 0)
x !" {!, global}x !" {! !" need malloc, global !" ¬need malloc}
2 G Constructs
cmd ( Cmd ::= assert grd | le := e | call(le, e, e)| return e | Alloc le | Free e
le ( LExp ::= x | *e | e.fe ( Exp ::= c | le | e) e | ¬e | &le
grd ( Guard ::= e * e | ¬grd+ ( LOpeartor ::= # |$* ( Relation ::= = | ,= | > | < | - | % | +) ( BOperator ::= + | . | / | ÷ | % | *
1
Symbolic Guard
• Remembering the history
• Preserving expression as value
Path-sensitive Mairac
Yungbum Jung
May 28, 2009
1 Target Defects
1. Memory Leak
2. Null Dereference
3. Double Free
4. Use After Free
5. Return Pointer to Local Variable
6. Return Pointer to Freed Address
7. Free Non-Heap Variables
8. Uninitialized Variable Access
2 G Constructs
cmd ! Cmd ::= assert grd | le := e | call(le, e, e)| return e | Alloc le | Free e
le ! LExp ::= x | *e | e.fe ! Exp ::= c | le | e" e | ¬e | &le
grd ! Guard ::= e # e | ¬grd$ ! LOpeartor ::= % |&# ! Relation ::= = | '= | > | < | ( | ) | $" ! BOperator ::= + | * | + | ÷ | % | #
3 Domains
M ! Memory = Addrfin, GuardedV alues
gv ! GuardedV alues = V aluefin, Guard
g ! Guard = (V alue-Relation- V alue) + (Guard- LOperator-Guard)+ ¬Guard + true + false
v ! V alue = N + (V alue- BOperator- V alue) + Addr +.l ! Addr = V ar + Explore + AllocSite + (Addr - Field) + Ret + Null
Explore = AddrRet = FunctionName
S ! State = Assert-Memory -Minfoast ! Assert = Guard
Minfo = Alloc- Free
al ! Alloc = Addrfin, Guard
fr ! Free = Addrfin, Guard
1
Path-sensitive Mairac
Yungbum Jung
May 28, 2009
1 Target Defects
1. Memory Leak
2. Null Dereference
3. Double Free
4. Use After Free
5. Return Pointer to Local Variable
6. Return Pointer to Freed Address
7. Free Non-Heap Variables
8. Uninitialized Variable Access
2 G Constructs
cmd ! Cmd ::= assert grd | le := e | call(le, e, e)| return e | Alloc le | Free e
le ! LExp ::= x | *e | e.fe ! Exp ::= c | le | e" e | ¬e | &le
grd ! Guard ::= e # e | ¬grd$ ! LOpeartor ::= % |&# ! Relation ::= = | '= | > | < | ( | ) | $" ! BOperator ::= + | * | + | ÷ | % | #
3 Domains
M ! Memory = Addrfin, GuardedV alues
gv ! GuardedV alues = V aluefin, Guard
g ! Guard = (V alue-Relation- V alue) + (Guard- LOperator-Guard)+ ¬Guard + true + false
v ! V alue = N + (V alue- BOperator- V alue) + Addr +.l ! Addr = V ar + Explore + AllocSite + (Addr - Field) + Ret + Null
Explore = AddrRet = FunctionName
S ! State = Assert-Memory -Minfoast ! Assert = Guard
Minfo = Alloc- Free
al ! Alloc = Addrfin, Guard
fr ! Free = Addrfin, Guard
1
Path-sensitive Mairac
Yungbum Jung
May 28, 2009
1 Target Defects
1. Memory Leak
2. Null Dereference
3. Double Free
4. Use After Free
5. Return Pointer to Local Variable
6. Return Pointer to Freed Address
7. Free Non-Heap Variables
8. Uninitialized Variable Access
2 G Constructs
cmd ! Cmd ::= assert grd | le := e | call(le, e, e)| return e | Alloc le | Free e
le ! LExp ::= x | *e | e.fe ! Exp ::= c | le | e" e | ¬e | &le
grd ! Guard ::= e # e | ¬grd$ ! LOpeartor ::= % |&# ! Relation ::= = | '= | > | < | ( | ) | $" ! BOperator ::= + | * | + | ÷ | % | #
3 Domains
M ! Memory = Addrfin, GuardedV alues
gv ! GuardedV alues = V aluefin, Guard
g ! Guard = (V alue-Relation- V alue) + (Guard- LOperator-Guard)+ ¬Guard + true + false
v ! V alue = N + (V alue- BOperator- V alue) + Addr +.l ! Addr = V ar + Explore + AllocSite + (Addr - Field) + Ret + Null
Explore = AddrRet = FunctionName
S ! State = Assert-Memory -Minfoast ! Assert = Guard
Minfo = Alloc- Free
al ! Alloc = Addrfin, Guard
fr ! Free = Addrfin, Guard
1
Path-sensitive Mairac
Yungbum Jung
May 28, 2009
1 Target Defects
1. Memory Leak
2. Null Dereference
3. Double Free
4. Use After Free
5. Return Pointer to Local Variable
6. Return Pointer to Freed Address
7. Free Non-Heap Variables
8. Uninitialized Variable Access
2 G Constructs
cmd ! Cmd ::= assert grd | le := e | call(le, e, e)| return e | Alloc le | Free e
le ! LExp ::= x | *e | e.fe ! Exp ::= c | le | e" e | ¬e | &le
grd ! Guard ::= e # e | ¬grd$ ! LOpeartor ::= % |&# ! Relation ::= = | '= | > | < | ( | ) | $" ! BOperator ::= + | * | + | ÷ | % | #
3 Domains
M ! Memory = Addrfin, GuardedV alues
gv ! GuardedV alues = V aluefin, Guard
g ! Guard = (V alue-Relation- V alue) + (Guard- LOperator-Guard)+ ¬Guard + true + false
v ! V alue = N + (V alue- BOperator- V alue) + Addr +.l ! Addr = V ar + Explore + AllocSite + (Addr - Field) + Ret + Null
Explore = AddrRet = FunctionName
S ! State = Assert-Memory -Minfoast ! Assert = Guard
Minfo = Alloc- Free
al ! Alloc = Addrfin, Guard
fr ! Free = Addrfin, Guard
1
9
Path-sensitive Summary
List * next(List *head) {List * cur = head->next;if (a > 0) {free(head);return 0;
}return cur;
}
Introduction Estimating Memory-E!ects Procedural Summary Experiment Results Unsound Decisions Conclusion
Summarization from Memory
From
List *next(List *head) {List *cur = head->next;free(head);return cur;
}
head !" !!.next !" "
cur !" "ret !" "
To
Arg2Free
Arg2Ret
arg*
ret
next
*
! = arg *" = arg *.next" = ret *
Programming Research Lab. Seoul National University, Korea 18
next
Path-sensitive Mairac
Yungbum Jung
July 6, 2009
1 Target Defects
1. Memory Leak
2. Null Dereference
3. Double Free
4. Use After Free
5. Return Pointer to Local Variable
6. Return Pointer to Freed Address
7. Free Non-Heap Variables
8. Uninitialized Variable Access
head !" #!, true$!.next !" #", true$
cur !" #", true$a !" ##, true$
ret !" {#0, # > 0$, #",¬(# > 0)$}a > 0
x !" {$, global}x !" {$ !" need malloc, global !" ¬need malloc}
2 G Constructs
cmd % Cmd ::= assert grd | le := e | call(le, e, e)| return e | Alloc le | Free e
le % LExp ::= x | *e | e.fe % Exp ::= c | le | e& e | ¬e | &le
grd % Guard ::= e ' e | ¬grd( % LOpeartor ::= ) |*' % Relation ::= = | += | > | < | , | - | (& % BOperator ::= + | . | / | ÷ | % | '
1
Path-sensitive Mairac
Yungbum Jung
July 6, 2009
1 Target Defects
1. Memory Leak
2. Null Dereference
3. Double Free
4. Use After Free
5. Return Pointer to Local Variable
6. Return Pointer to Freed Address
7. Free Non-Heap Variables
8. Uninitialized Variable Access
head !" #!, true$!.next !" #", true$
cur !" #", true$a !" ##, true$
ret !" {#0, # > 0$, #",¬(# > 0)$}¬(a > 0)
x !" {$, global}x !" {$ !" need malloc, global !" ¬need malloc}
2 G Constructs
cmd % Cmd ::= assert grd | le := e | call(le, e, e)| return e | Alloc le | Free e
le % LExp ::= x | *e | e.fe % Exp ::= c | le | e& e | ¬e | &le
grd % Guard ::= e ' e | ¬grd( % LOpeartor ::= ) |*' % Relation ::= = | += | > | < | , | - | (& % BOperator ::= + | . | / | ÷ | % | '
1
10
Path-sensitive Mairac
Yungbum Jung
July 8, 2009
1 Target Defects
1. Memory Leak
2. Null Dereference
3. Double Free
4. Use After Free
5. Return Pointer to Local Variable
6. Return Pointer to Freed Address
7. Free Non-Heap Variables
8. Uninitialized Variable Access
x !" {!/need malloc, global/¬need malloc}
¬(a > 10) # ¬(a < 0 $ (a % 10 # a > 0))
head !" {"/true}".next !" {#/true}
cur !" {#/true}a !" {$/true}
ret !" {0/$ > 0, #/¬($ > 0)}¬(a > 0)
x !" {!, global}x !" {! !" need malloc, global !" ¬need malloc}
2 G Constructs
cmd & Cmd ::= assert grd | le := e | call(le, e, e)| return e | Alloc le | Free e
le & LExp ::= x | *e | e.fe & Exp ::= c | le | e' e | ¬e | &le
grd & Guard ::= e ( e | ¬grd) & LOpeartor ::= # |$( & Relation ::= = | *= | > | < | + | % | )' & BOperator ::= + | , | - | ÷ | % | (
1
Constraint Solver• Removing Infeasible path
• Leak condition = allocated and not (reachable from return values, arguments or global variables)
int *foo(){ int *p = malloc(...); if(a > 10) free(p); if(a < 0 ) return p;if(a <= 10 && a > 0) gp = p;
return 0; }
Path-sensitive Mairac
Yungbum Jung
July 8, 2009
1 Target Defects
1. Memory Leak
2. Null Dereference
3. Double Free
4. Use After Free
5. Return Pointer to Local Variable
6. Return Pointer to Freed Address
7. Free Non-Heap Variables
8. Uninitialized Variable Access
¬(a > 10) ! ¬(a < 0 " (a # 10 ! a > 0))
head $% &!, true'!.next $% &", true'
cur $% &", true'a $% &#, true'
ret $% {&0, # > 0', &",¬(# > 0)'}¬(a > 0)
x $% {$, global}x $% {$ $% need malloc, global $% ¬need malloc}
2 G Constructs
cmd ( Cmd ::= assert grd | le := e | call(le, e, e)| return e | Alloc le | Free e
le ( LExp ::= x | *e | e.fe ( Exp ::= c | le | e) e | ¬e | &le
grd ( Guard ::= e * e | ¬grd+ ( LOpeartor ::= ! |"* ( Relation ::= = | ,= | > | < | - | # | +) ( BOperator ::= + | . | / | ÷ | % | *
1
with condition [&& [|| (*(a)<0), !{(*(a)<=10)}, !{(*(a)>0)}], !{(*(a)<0)}, !{(*(a)>10)}] position false(file: "function_test/tmp.i", line: 10) false(file: "function_test/tmp.i", line: 11) false(file: "function_test/tmp.i", line: 12)
11
Path-sensitive Mairac
Yungbum Jung
July 9, 2009
1 Target Defects
1. Memory Leak
2. Null Dereference
3. Double Free
4. Use After Free
5. Return Pointer to Local Variable
6. Return Pointer to Freed Address
7. Free Non-Heap Variables
8. Uninitialized Variable Access
x !" {!/need malloc, global/¬need malloc}
¬(a > 10) # ¬(a < 0 $ (a % 10 # a > 0))¬(0 > 10) # ¬(0 < 0 $ (0 % 10 # 0 > 0))
¬false # ¬(false $ (true # false)
head !" {"/true}".next !" {#/true}
cur !" {#/true}a !" {$/true}
ret !" {0/$ > 0, #/¬($ > 0)}¬(a > 0)
x !" {!, global}x !" {! !" need malloc, global !" ¬need malloc}
2 G Constructs
cmd & Cmd ::= assert grd | le := e | call(le, e, e)| return e | Alloc le | Free e
le & LExp ::= x | *e | e.fe & Exp ::= c | le | e' e | ¬e | &le
grd & Guard ::= e ( e | ¬grd) & LOpeartor ::= # |$( & Relation ::= = | *= | > | < | + | % | )' & BOperator ::= + | , | - | ÷ | % | (
1
Handling Path Explosion
• Leaf functions are first analyzed
• Only parameter and global variables appear on summary
summary
12
Handling Path Explosion
• The average number of condition expressions in one function < 7
• Threshold of the size of “Guard” = 27
13
Limitations
• Only effective behavior of procedure for detecting memory leak
• Top value for bounding explosion of symbolic values
while(1){ a++; }
void foo(int a){if(a) g = 1;else g = 0;
}
((a + 1) + 1 ) + 1 ...
14
Implementation1 Performance History
All experiments are performed on “fold” machine.
Name Size(.i) PSMairac MairacTime(s) Alarms Time(s) Alarms
gzip 29,308 25 0 8 0/1sed 38,649 109 31/46 167 28/116grep 40,999 71 1/4 197 1/10rmt 50,312 23 0 7 0/2gnuchess 112,686 82 3/6 44 3/4hanterm 217,310 57 0 9 0bison 230,887 224 0/15 186 0/10openssh 1,066,226 146 1/4 103 1/20tcl 1,662,431 977 3/3 988 3/3zebos7 38,789,607 10,172 216/344 6,827 198/772
Name Size(.i)bison 230,887function-test 411gnuchess 112,686grep 40,999gzip 29,308hanterm 217,310openssh 1,066,226rmt 50,312sed 38,649tcl 1,662,431ZebOs7 38,789,607
• r226(May 27)Done:
– implementing guard bounding with preserving allocation related guards– return value related procedural summary
Todo:
– classifying alarms from ZebOS(T:96, F:60, U:190)
Name Time(!) Alarms(") Bugs(")bison 248 16 0function-test 2 12 11gnuchess 108 5 2grep 85 5 1gzip 28 0 0hanterm 54 0 0openssh 146 4 1rmt 23 1 1sed 156 52 31tcl 1,103 3 3ZebOs7 10,526 346 96
• r218(May 19)Done:
– classifying alarms from sed
1
3.2 GHz CPU 4.0 Gb machine 15
89
34
199
3144
54
13636
14
34
14 ~ 60%
Commercial SW
Commercialize
16
More Bugs? Removing False alarms?
17
More Features
18
User Friendly?
In procedure compute_file_name_parts allocated at (file: " src/files.c", line: 268) by xstrdup (file: " lib/xmalloc.c", line: 240) by xmemdup (file: " lib/xmalloc.c", line: 232) by xmalloc (file: " lib/xmalloc.c", line: 65) by xnmalloc_inline (file: " lib/xmalloc.c", line: 49) by malloc escaped at (file: " src/files.c", line: 288)
with condition [&& (*(ext)!=0), (*(spec_file_prefix)!=0), , [|| (-1<(return-strlen+1)), [&& !{(-1<(return-strlen+1))}, !{((return-strlen+1)!=0)}], !{(-1<(return-strlen+1))}], [|| [&& (*(spec_file_prefix)!=0), !{(*(spec_outfile)!=0)}], [&& (*(yacc_flag)!=0), !{(*(spec_file_prefix)!=0)}, !{(*(spec_outfile)!=0)}]], [|| [&& !{(-1<(return-strlen+1))}, !{((return-strlen+1)!=0)}], !{(-1<(return-strlen+1))}], [|| [&& (*(spec_file_prefix)!=0), !{(*(spec_outfile)!=0)}], [&& (*(yacc_flag)!=0), !{(*(spec_file_prefix)!=0)}, !{(*(spec_outfile)!=0)}], [&& (*(ext)!=0), !{(*(spec_file_prefix)!=0)}, !{(*(spec_outfile)!=0)}, !{(*(yacc_flag)!=0)}], [&& !{(*(ext)!=0)}, !{(*(spec_file_prefix)!=0)}, !{(*(spec_outfile)!=0)}, !{(*(yacc_flag)!=0)}]], !{(*(spec_outfile)!=0)}, !{(*(yacc_flag)==0)}]
position false(file: " src/files.c", line: 241) true(file: " src/files.c", line: 264) false(file: " src/files.c", line: 264) success of xstrdup(file: " src/files.c", line: 268) fail of xstrdup(file: " src/files.c", line: 268) true(file: " src/files.c", line: 270) false(file: " src/files.c", line: 270) true(file: " src/files.c", line: 282) false(file: " src/files.c", line: 282) true(file: " src/files.c", line: 288) false(file: " src/files.c", line: 288)
19
Summary
• Path-sensitive Summary Based Memory Leak Detector
• Commercialized Analyzer
20
