Practical null pointer dereference detection via value-dependence analysis

This paper proposes a practical static analysis tool named LUKE, for detecting null pointer dereferences (NPD) in C programs. LUKE first uses a guarded value-dependence graph (VDG) to track the dependence relations of values, and then detects NPD by solving the graph reachability problem on its VDG. To improve accuracy as well as scalability, the detection algorithm leverages heuristic inference algorithms and the results of control dependences analysis. We evaluated LUKE on 10 large-scale open source projects, and the results show that LUKE has a false positive rate of only 4.3%, which is much lower than Clang, Saturn and Calysto. The analysis speed is also 4.6X, 15.5X and 17.9X faster, respectively. On the evaluated benchmarks, LUKE succeeds in finding a superset of the bugs reported by the published tools we investigated. We also show that LUKE scales to 416,500 lines of code, the largest benchmark we had.