Precise null-pointer analysis

• Published in: Software and systems modeling Vol. 10; no. 2; pp. 219 - 252
• Main Author: Spoto, Fausto
• Format: Journal Article
• Language: English
• Published: Berlin/Heidelberg Springer-Verlag 01.05.2011; Springer Nature B.V
• Subjects: Annotations; C (programming language); Compilers; Computer programs; Computer Science; Construction; Information Systems Applications (incl.Internet); Interpreters; IT in Business; Java (programming language); Mathematical analysis; Mathematical models; Programming Languages; Programming Techniques; Segmentation; Software Engineering; Software Engineering/Programming and Operating Systems; Special Section Paper; Abstract interpretation; Java bytecode; Null-pointer analysis; Automatic software verification; Static analysis
• ISSN: 1619-1366; 1619-1374
• DOI: 10.1007/s10270-009-0132-5

In Java, C or C++, attempts to dereference the null value result in an exception or a segmentation fault. Hence, it is important to identify those program points where this undesired behaviour might occur or prove the other program points (and possibly the entire program) safe . To that purpose, null-pointer analysis of computer programs checks or infers non-null annotations for variables and object fields. With few notable exceptions, null-pointer analyses currently use run-time checks or are incorrect or only verify manually provided annotations. In this paper, we use abstract interpretation to build and prove correct a first, flow and context-sensitive static null-pointer analysis for Java bytecode (and hence Java) which infers non-null annotations. It is based on Boolean formulas, implemented with binary decision diagrams. For better precision, it identifies instance or static fields that remain always non-null after being initialised. Our experiments show this analysis faster and more precise than the correct null-pointer analysis by Hubert, Jensen and Pichardie. Moreover, our analysis deals with exceptions, which is not the case of most others; its formulation is theoretically clean and its implementation strong and scalable. We subsequently improve that analysis by using local reasoning about fields that are not always non-null, but happen to hold a non-null value when they are accessed . This is a frequent situation, since programmers typically check a field for non-nullness before its access. We conclude with an example of use of our analyses to infer null-pointer annotations which are more precise than those that other inference tools can achieve.