Affiliation:
1. University College London, UK / Meta, UK
2. Imperial College London, UK / Meta, UK
3. Meta, UK
4. MPI-SWS, Germany
5. Meta, UK / University College London, UK
Abstract
Incorrectness Logic (IL) has recently been advanced as a logical theory for compositionally proving the presence of bugs—dual to Hoare Logic, which is used to compositionally prove their absence. Though IL was motivated in large part by the aim of providing a logical foundation for bug-catching program analyses, it has remained an open question: is IL useful only retrospectively (to explain existing analyses), or can it actually be useful in developing new analyses which can catch real bugs in big programs?
In this work, we develop Pulse-X, a new, automatic program analysis for catching memory errors, based on ISL, a recent synthesis of IL and separation logic. Using Pulse-X, we have found 15 new real bugs in OpenSSL, which we have reported to OpenSSL maintainers and have since been fixed. In order not to be overwhelmed with potential but false error reports, we develop a compositional bug-reporting criterion based on a distinction between latent and manifest errors, which references the under-approximate ISL abstractions computed by Pulse-X, and we investigate the fix rate resulting from application of this criterion. Finally, to probe the potential practicality of our bug-finding method, we conduct a comparison to Infer, a widely used analyzer which has proven useful in industrial engineering practice.
Funder
a UKRI Future Leaders Fellowship
UK?s Engineering and Physical Sciences Research Council
European Research Council (ERC) Consolidator Grant
Publisher
Association for Computing Machinery (ACM)
Subject
Safety, Risk, Reliability and Quality,Software
Reference31 articles.
1. Polynomial reachability witnesses via Stellensätze
2. Abstraction for Falsification
3. Fraser Brown , Deian Stefan , and Dawson Engler . 2020 . Sys: A Static/Symbolic Tool for Finding Good Bugs in Good (Browser) Code. In 29th USENIX Security Symposium (USENIX Security 20) . USENIX Association, 199–216. isbn:978-1-939133-17-5 https://www.usenix.org/conference/usenixsecurity20/presentation/brown Fraser Brown, Deian Stefan, and Dawson Engler. 2020. Sys: A Static/Symbolic Tool for Finding Good Bugs in Good (Browser) Code. In 29th USENIX Security Symposium (USENIX Security 20). USENIX Association, 199–216. isbn:978-1-939133-17-5 https://www.usenix.org/conference/usenixsecurity20/presentation/brown
4. Compositional shape analysis by means of bi-abduction
5. Compositional Shape Analysis by Means of Bi-Abduction
Cited by
24 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. Precise Compositional Buffer Overflow Detection via Heap Disjointness;Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis;2024-09-11
2. ProveNFix: Temporal Property-Guided Program Repair;Proceedings of the ACM on Software Engineering;2024-07-12
3. Hyper Hoare Logic: (Dis-)Proving Program Hyperproperties;Proceedings of the ACM on Programming Languages;2024-06-20
4. Quiver: Guided Abductive Inference of Separation Logic Specifications in Coq;Proceedings of the ACM on Programming Languages;2024-06-20
5. Automatically Inspecting Thousands of Static Bug Warnings with Large Language Model: How Far Are We?;ACM Transactions on Knowledge Discovery from Data;2024-06-19