Conquering the Extensional Scalability Problem for Value-Flow Analysis Frameworks
With an increasing number of value-flow properties to check, existing static program analysis still tends to have scalability issues when high precision is required. We observe that the key design flaw behind the scalability problem is that the core static analysis engine is unaware of the properties being checked and, thus, inevitably loses the opportunities to exploit the mutual synergies among different properties. Our approach is inter-property-aware and able to capture possible overlaps and inconsistencies among the properties to check. Thus, before analyzing a program, we can make an optimization plan which decides how to reuse the specific analysis results of a property to speed up checking other properties. Such a synergistic interaction among the properties significantly improves the analysis performance.
We have evaluated our approach by checking twenty value-flow properties in standard benchmark programs and ten real-world software systems. The results demonstrate that our approach is more than 8$\times$ faster than existing ones while consuming only 1/7 of the memory. This substantial improvement in analysis efficiency is not achieved by sacrificing effectiveness: at the time of writing, 39 bugs found by our approach have been fixed by developers, and four of them have been assigned CVE IDs due to their security impact.
Fri 10 Jul (times are displayed in UTC, Coordinated Universal Time)
08:05 - 09:05: I23-Code Artifact Analysis (Paper Presentations / Journal First / Technical Papers) at Goguryeo. Chair(s): Benoit Baudry (KTH Royal Institute of Technology)
08:05 - 08:17 Talk | Conquering the Extensional Scalability Problem for Value-Flow Analysis Frameworks | Technical Papers | Qingkai Shi (The Hong Kong University of Science and Technology), Rongxin Wu (Department of Cyber Space Security, Xiamen University), Gang Fan (Hong Kong University of Science and Technology), Charles Zhang (The Hong Kong University of Science and Technology)
08:17 - 08:29 Talk | Pipelining Bottom-up Data Flow Analysis | Technical Papers | Qingkai Shi (The Hong Kong University of Science and Technology), Charles Zhang (The Hong Kong University of Science and Technology)
08:29 - 08:37 Talk | An Empirical Validation of Oracle Improvement | Journal First | Gunel Jahangirova (Università della Svizzera italiana), David Clark (University College London), Mark Harman, Paolo Tonella (Università della Svizzera italiana)
08:37 - 08:45 Talk | Is Static Analysis Able to Identify Unnecessary Source Code? | Journal First | Roman Haas (CQSE GmbH), Rainer Niedermayr (CQSE GmbH), Tobias Roehm (CQSE GmbH), Sven Apel (Saarland University) | Pre-print
08:45 - 08:53 Talk | Memory and Resource Leak Defects and Their Repairs in Java Projects | Journal First | Mohammadreza Ghanavati (Heidelberg University), Diego Costa (Concordia University, Canada), Janos Seboek (Heidelberg University), David Lo (Singapore Management University), Artur Andrzejak (Heidelberg University)
08:53 - 09:01 Talk | Towards Understanding and Detecting Fake Reviews in App Stores | Journal First |