Finding real bugs in big programs with incorrectness logic
| Published in: | Proceedings of ACM on programming languages Vol. 6; Issue OOPSLA1; pp. 1 - 27 |
|---|---|
| Main authors: | Le, Quang Loc; Raad, Azalea; Villard, Jules; Berdine, Josh; Dreyer, Derek; O'Hearn, Peter W. |
| Format: | Journal Article |
| Language: | English |
| Published: | 29.04.2022 |
| ISSN: | 2475-1421 |
| Online access: | Full text |
Abstract:

Incorrectness Logic (IL) has recently been advanced as a logical theory for compositionally proving the presence of bugs—dual to Hoare Logic, which is used to compositionally prove their absence. Though IL was motivated in large part by the aim of providing a logical foundation for bug-catching program analyses, it has remained an open question: is IL useful only retrospectively (to explain existing analyses), or can it actually be useful in developing new analyses which can catch real bugs in big programs?

In this work, we develop Pulse-X, a new, automatic program analysis for catching memory errors, based on ISL, a recent synthesis of IL and separation logic. Using Pulse-X, we have found 15 new real bugs in OpenSSL, which we have reported to OpenSSL maintainers and have since been fixed. In order not to be overwhelmed with potential but false error reports, we develop a compositional bug-reporting criterion based on a distinction between latent and manifest errors, which references the under-approximate ISL abstractions computed by Pulse-X, and we investigate the fix rate resulting from application of this criterion. Finally, to probe the potential practicality of our bug-finding method, we conduct a comparison to Infer, a widely used analyzer which has proven useful in industrial engineering practice.
| Author | ORCID | Affiliation |
|---|---|---|
| Le, Quang Loc | 0000-0002-6220-7539 | University College London, UK / Meta, UK |
| Raad, Azalea | 0000-0002-2319-3242 | Imperial College London, UK / Meta, UK |
| Villard, Jules | 0000-0001-8637-0712 | Meta, UK |
| Berdine, Josh | 0000-0002-9691-1348 | Meta, UK |
| Dreyer, Derek | 0000-0002-3884-6867 | MPI-SWS, Germany |
| O'Hearn, Peter W. | 0000-0001-8730-5496 | Meta, UK / University College London, UK |
| DOI | 10.1145/3527325 |
|---|---|
| Open access full text | https://dl.acm.org/doi/pdf/10.1145/3527325 |
| Publication date | 2022-04-29 |
| Discipline | Computer Science |
| Peer reviewed | yes |