Automatic bug finding with static analysis requires precise tracking of different memory object values. This paper describes a memory modeling method for static analysis of C programs. It is particularly suitable for precise path-sensitive analyses, e.g., symbolic execution. It can handle almost all kinds of C expressions, including arbitrary levels of…
This paper describes a prototype tool, called SimC, which automatically generates test data for unit testing of C programs. The tool symbolically simulates the execution of the given program. It simulates pointer operations precisely. This makes it capable of generating test data for programs involving pointer and structure operations. Experiments on…
This paper presents a practical path and context sensitive inter-procedural analysis method for detecting memory leaks in C programs. A novel memory object model and function summary system are used. Preliminary experiments show that the method is effective. Several memory leaks have been found in real programs including which and wget.
Memory leak is a common type of defect that is hard to detect manually. Existing memory leak detection tools suffer from lack of precise interprocedural alias and path conditions. To address this problem, we present a static interprocedural analysis algorithm, which captures memory actions and path conditions precisely, to detect memory leak in C programs.…
Exception handling is a vital but often poorly tested part of a program. Static analysis can spot bugs on exceptional paths without actually making the exceptions happen. However, the traditional methods only focus on null dereferences on exceptional paths, but do not check the states of variables, which may be corrupted by exceptions. In this paper we…
Memory leaks are a common type of defect that is hard to detect manually. Existing memory leak detection tools suffer from lack of precise interprocedural analysis and path-sensitivity. To address this problem, we present a static interprocedural analysis algorithm, that performs fully path-sensitive analysis and captures precise function behaviors, to…
Symbolic analysis is a commonly used approach for static bug finding. It usually performs a precise path-by-path symbolic simulation from program inputs. A major challenge is its scalability and precision on interprocedural analysis. The former limits the application to large programs. The latter may lead to many false alarms. This paper presents a…
Boolean expression is a basic programming element used to evaluate the truth-values of conditions or their combinations. While Boolean expressions may have complicated logical structures, instrumenting them often needs heavyweight transformation to source code or work with low-level program implementation, which results in cumbersome code and great…