Accurate Interprocedural Null-Dereference Analysis for Java

Mangala Gowri Nanda and Saurabh Sinha

Gokulan R

CS15B033

27 April 2020

Summary of the paper

  • interprocedural, path-sensitive, context-sensitive analysis
  • backward-driven analysis
    • starts from the target statement and explores backward all the way to the entry node of the CFG
    • to analyse a given statement, the algorithm examines less code than other algorithms
  • compared to prior work, detects more true positives and fewer false positives
  • Analysis Parameters
    • Traversal time
    • Number of predicates tracked
    • Number of paths stored

Key Algorithm

analyseMethod(node):
    initialise worklist with target node
    while worklist is not empty
        remove node n from worklist
        for each predecessor p of n
            if p is not a call/entry node, or p calls an external function
                process p, update state, add p to worklist
            else if p is a function call
                analyse the called method and update state
            else
                p is the entry node
    if called recursively, return updated state
    if entry method   // analysis performed so far is context insensitive
        update predicates
    else
        trace back upwards from each call site of the current method
    return (path explored, current state)
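As an added illustration (not code from the paper or its authors), the Python sketch below runs the intraprocedural core of this worklist walk on a constructed toy CFG: it starts at a dereference, tracks the predicate "this variable is null" backward, drops paths contradicted by a `v != null` branch or a fresh allocation, switches the tracked variable across copies, and reports "unknown" when the entry node is reached (where the paper's interprocedural step would take over) or the path limit discards a path. The CFG encoding and statement forms are assumptions made for this example.

```python
from collections import deque

# Constructed toy CFG (not one of the paper's benchmarks).  node -> (statement,
# predecessors); a predecessor is (node, edge), edge 'T'/'F' for a test node.
# Statements: ("entry",), ("null", v), ("new", v), ("copy", dst, src), ("deref", v),
# and ("test", v) whose 'T' edge means v == null held and 'F' edge v != null held.
CFG = {
    0: (("entry",), []),
    1: (("null", "p"), [(0, None)]),                 # p = null
    2: (("test", "p"), [(1, None)]),                 # if (p == null)
    3: (("new", "p"), [(2, "T")]),                   #     p = new Object()
    4: (("copy", "q", "p"), [(3, None), (2, "F")]),  # q = p
    5: (("deref", "q"), [(4, None)]),                # q.f  (safe on every path)
    6: (("null", "r"), [(5, None)]),                 # r = null
    7: (("deref", "r"), [(6, None)]),                # r.g  (definite null dereference)
    8: (("deref", "s"), [(7, None)]),                # s.h  (s comes from the caller)
}

def analyse(cfg, target, max_paths=8):
    """Backward, path-sensitive walk from a deref node.  A worklist item is
    (node, variable that must be null here, path so far).  Returns ("null", path)
    for a feasible null path, ("safe", None) if every path is infeasible or
    assigns a fresh object, ("unknown", None) if a path reaches the entry node
    (caller context needed) or a path was dropped because of max_paths."""
    kind, var = cfg[target][0]
    assert kind == "deref"
    worklist = deque([(target, var, [target])])
    unresolved = False
    while worklist:
        n, v, path = worklist.popleft()
        for p, edge in cfg[n][1]:
            s = cfg[p][0]
            if s[0] == "entry":
                unresolved = True          # v is a parameter or field: caller context needed
                continue
            if s[0] == "null" and s[1] == v:
                return "null", [p] + path  # feasible path on which v is null at the target
            if s[0] == "new" and s[1] == v:
                continue                   # v is definitely non-null on this path
            if s[0] == "test" and s[1] == v and edge == "F":
                continue                   # we came through v != null: path infeasible
            nv = s[2] if s[0] == "copy" and s[1] == v else v   # v = w: track w instead
            if len(worklist) >= max_paths:
                unresolved = True          # path limit reached: path is discarded
                continue
            worklist.append((p, nv, [p] + path))
    return ("unknown" if unresolved else "safe"), None
```

A merge-based (path-insensitive) analysis would flag node 5 as a possible null dereference because `p = null` reaches `q = p`; the backward walk sees that the only paths carrying that null go through `p != null` or `p = new Object()` and reports it safe.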

Future Work

  • Sound analysis: the given analysis is not sound; it could be extended to guarantee soundness
  • When a path is discarded owing to the limit on max paths which can be tracked
    • Store the current context (path, state)
    • Once analysis completes, try to validate it
  • Heuristics to handle discarded paths / heuristic to choose which path to discard
  • Extending the algorithm to other types of bugs, e.g. resource leak bugs
  • Can be used as an automated program solver