Abstract
We present a context- and path-sensitive algorithm for detecting memory leaks in programs with explicit memory management. Our leak detection algorithm is based on an underlying escape analysis: any allocated location in a procedure P that is not deallocated in P and does not escape from P is leaked. We achieve very precise context- and path-sensitivity by expressing our analysis using boolean constraints. In experiments with six large open source projects, our analysis produced 510 warnings, of which 455 were unique memory leaks, a false positive rate of only 10.8%. A parallel implementation improves performance by over an order of magnitude on large projects; over five million lines of code in the Linux kernel are analyzed in 50 minutes.
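The leak rule stated in the abstract can be illustrated with a small added example; this is not the paper's implementation. Brute-force enumeration of branch outcomes stands in for a constraint solver, and the procedure model, the condition names `err` and `keep`, and the function `leak_witnesses` are assumptions made for illustration.

```python
from itertools import product

# Each event is (kind, guard); guard maps a branch-condition assignment to bool.
# Constructed model of this C procedure (not taken from the paper):
#   buf = malloc(n);
#   if (err) return -1;          /* early exit: buf neither freed nor stored */
#   if (keep) *out = buf;        /* buf escapes through an out-parameter */
#   else free(buf);
LEAKY = [
    ("alloc",  lambda c: True),
    ("escape", lambda c: not c["err"] and c["keep"]),
    ("free",   lambda c: not c["err"] and not c["keep"]),
]

# Same procedure with free(buf) added on the error path.
FIXED = LEAKY + [("free", lambda c: c["err"])]


def leak_witnesses(events, conditions):
    """Return the branch assignments under which the location is allocated
    but neither freed nor escaped, i.e. those satisfying
    alloc AND NOT free AND NOT escape."""
    witnesses = []
    for values in product([False, True], repeat=len(conditions)):
        c = dict(zip(conditions, values))
        holds = {"alloc": False, "free": False, "escape": False}
        for kind, guard in events:
            # An event happens on this path if any of its guards is true.
            holds[kind] = holds[kind] or guard(c)
        if holds["alloc"] and not holds["free"] and not holds["escape"]:
            witnesses.append(c)
    return witnesses


if __name__ == "__main__":
    for name, proc in (("leaky", LEAKY), ("fixed", FIXED)):
        print(name, leak_witnesses(proc, ["err", "keep"]))
```

Each returned assignment is a concrete path on which the allocation leaks; an empty list means that no path through the modelled procedure leaks.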