Libraries offer reusable functionality through application programming interfaces (APIs) with usage constraints such as call conditions and orders. Constraint violations, i.e., API misuses, commonly lead to bugs and even security issues. In this paper, we introduce IMChecker, a constraint-directed static analysis toolkit to vet API usages in C programs, powered by a domain-specific language (DSL) to specify the API usages. First, by studying real-world API-misuse bug patches, we propose a DSL that covers most API usage constraint types and enables straightforward but precise specification. Then, we design and implement a static analysis engine to automatically parse specifications into checking targets, identify potential API misuses, and prune false positives with rich semantics. We have instantiated IMChecker for C programs with user-friendly graphical interfaces and evaluated it on widely used benchmarks and real-world projects. The results show that IMChecker outperforms by 4.78-36.25% in precision and 40.25-55.21% w.r.t. state-of-the-art toolkits. We also found 75 previously unknown bugs in the Linux kernel, OpenSSL and applications of Ubuntu, 61 of which have been confirmed by the corresponding development communities.
Fri 31 May. Times are displayed in time zone: Eastern Time (US & Canada)
14:00 - 15:30: API Analysis (Papers / Technical Track / Demonstrations) at Duluth. Chair(s): Sam Malek (University of California, Irvine)
14:00 - 14:20 | Talk | Exposing Library API Misuses via Mutation Analysis | Technical Track | Ming Wen (The Hong Kong University of Science and Technology), Yepang Liu (Southern University of Science and Technology), Rongxin Wu (Department of Computer Science and Engineering, The Hong Kong University of Science and Technology), Xuan Xie (School of Data and Computer Science, Sun Yat-sen University, Guangzhou, China), Shing-Chi Cheung (Department of Computer Science and Engineering, The Hong Kong University of Science and Technology), Zhendong Su (ETH Zurich)
14:20 - 14:40 | Demonstration | Vetting API Usages in C Programs with IMChecker | Demonstrations | Zuxing Gu (School of Software, Tsinghua University), Jiecheng Wu (Tsinghua University), Li Chi (Tsinghua University), Min Zhou (Tsinghua University), Yu Jiang, Ming Gu (Tsinghua University), Jiaguang Sun
14:40 - 15:00 | Talk | PIVOT: Learning API-Device Correlations to Facilitate Android Compatibility Issue Detection | Technical Track | Lili Wei (The Hong Kong University of Science and Technology), Yepang Liu (Southern University of Science and Technology), Shing-Chi Cheung (Department of Computer Science and Engineering, The Hong Kong University of Science and Technology)
15:00 - 15:20 | Talk | SafeCheck: Safety Enhancement of Java Unsafe API | Technical Track | Shiyou Huang (Texas A&M University), Jianmei Guo (Alibaba Group), Sanhong Li (Alibaba Inc.), Xiang Li (Alibaba), Yumin Qi (Alibaba), Kingsum Chow, Jeff Huang (Texas A&M University)
15:20 - 15:30 | Talk | Discussion Period | Papers