Graduate student: | Wu, Kun-yu (吳昆諭) |
---|---|
Thesis title: | Practical Pointer Misuse Detection with Abstract Domain and Owner Set Model (應用抽象定義域及擁有者模型於指標誤用之實際檢測) |
Advisor: | Huang, Chin-Yu (黃慶育) |
Oral defense committee: | |
Degree: | Master |
Department: | College of Electrical Engineering and Computer Science - Department of Computer Science |
Year of publication: | 2008 |
Academic year of graduation: | 97 |
Language: | Chinese |
Number of pages: | 67 |
Keywords (Chinese): | 指標分析, 指標指向分析, 別名分析, 靜態分析, 抽象解譯法, 擁有者群組 |
Keywords (English): | Pointer Analysis, Points-to Analysis, Alias Analysis, Static Analysis, Abstract Interpretation, Owner Sets |
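Using dynamic data correctly is not easy. Such usage errors are often the main cause of system crashes, yet they are hard to detect, because finding them in the source code requires knowing the relationship between pointers and dynamic data at run time. In this thesis, we use an abstract model and an owner model to analyze pointer behavior and to issue warnings for programs that use pointers improperly. The abstract model derives from abstract interpretation, which maps a set of concrete values to abstract values that represent different properties and performs the program's operations on those abstract values. We use abstract values in place of the exact values of storage locations; an abstract value describes whether a pointer holds a valid storage location, and from it we can judge whether a use of the pointer is safe. The owner model describes the relationship between pointers and dynamic data during program execution, which reveals how storage blocks are linked to one another; knowing the alias relationships among pointers that point to the same storage lets us update the abstract values of those pointers more accurately. Our method is flow-sensitive and context-sensitive: during simulation, the abstract model and the owner model start from an initial state, and this information is updated with each instruction executed and each function call. To improve efficiency and reduce memory usage during simulation, the method is path-insensitive. In our experiments we checked several real-world programs and compared and discussed the results against experimental data from other methods. Besides issuing pointer-misuse warnings, we also try to provide detailed messages that help users understand why the warnings occurred.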
It is not easy for programmers to manipulate dynamic data perfectly. Memory errors often lead to non-deterministic system crashes. They are hard to detect at compile time, since it is difficult to determine which memory location a pointer will access just by inspecting the statements. Abstract interpretation is a method that replaces each set of concrete values with a different abstract value. In our method, the abstract values that replace the original memory addresses represent different characteristics and can be used to determine whether the usage of a pointer is safe. To account for aliasing, we use an owner set model to determine the relationship between pointers and dynamic data. Our analysis method is flow-sensitive and context-sensitive: variables are initialized at the beginning of the program and then updated by our method during execution. In addition, our method is path-insensitive, to improve efficiency and reduce memory usage during testing. Furthermore, we conduct experiments by checking real programs. Our method not only reports actual pointer misuses, but also provides detailed information about the warnings to help programmers with debugging.