
Memory leak mechanism analysis and detection of C programs
Cite this article: Xiong Xin, Tan Xin, Zhang Yuan. Kernel Refcount Bug Detection Based on the Consistency of Error Path Behavior[J]. Journal of Computer Research and Development, 2023, 60(7): 1489-1500. DOI: 10.7544/issn1000-1239.202220768
Authors: Xiong Xin  Tan Xin  Zhang Yuan
Affiliation: College of Computer Science and Technology, Fudan University, Shanghai 200438
Funding: National Natural Science Foundation of China (U1836210, 62172105); Shanghai Rising-Star Program (21QA1400700); Shanghai Pilot Program for Basic Research (21TQ1400100:21TQ012)
Abstract: Reference counting (refcount) bugs in the kernel can cause critical security problems, including memory leaks and use-after-free vulnerabilities. To detect such defects, we propose a refcount bug detection system based on consistency analysis of error path behavior. Compared with existing work, our method introduces semantic information about the error paths to infer the appropriate refcount behavior on these paths, thus detecting refcount defects that existing work cannot cover. First, the system identifies all the error paths in the target function based on the function return value and fault handling code. Second, path-sensitive static analysis is performed to collect the specific refcount behavior on each error path within the target function, which is aggregated to infer the dominant tendency of refcount behavior on the error paths of the target function. Finally, based on the idea of consistency checking, the error paths whose refcount behavior is inconsistent with the dominant tendency are identified as potential refcount bugs. In the evaluation, the proposed system finds 21 and 9 bugs on Linux kernel version 5.6-rc2 and version 5.17, respectively, most of which have been confirmed by the kernel developers. In addition, on kernel version 5.6-rc2, the system detects 9 refcount bugs that could not be identified by existing work.
Keywords: bug detection  kernel refcount bug  static program analysis  consistency analysis  error-path-based analysis
Received: 2022-08-29
Revised: 2023-01-10
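
The three steps in the abstract, shown on a toy function as an added example (not the paper's system or code). It executes each error path instead of performing the paper's static path-sensitive analysis; `struct obj`, `demo_probe` and `find_inconsistent_paths` are hypothetical names, and the function under test is constructed.

```c
#include <stdio.h>

/* Constructed stand-in for a kernel object with a reference count. */
struct obj { int refcount; };
static void obj_get(struct obj *o) { o->refcount++; }
static void obj_put(struct obj *o) { o->refcount--; }

#define N_PATHS 4

/* Hypothetical driver routine; fail_at picks the failing step (0 = success).
 * Error paths 1, 2 and 4 drop the reference, path 3 returns without a put. */
static int demo_probe(struct obj *o, int fail_at)
{
    int err = 0;
    obj_get(o);
    if (fail_at == 1) { err = -1; goto out_put; }
    if (fail_at == 2) { err = -2; goto out_put; }
    if (fail_at == 3) return -3;        /* inconsistent: missing obj_put() */
    if (fail_at == 4) { err = -4; goto out_put; }
    return 0;                           /* success keeps the reference */
out_put:
    obj_put(o);
    return err;
}

/* Returns a bitmask of error paths whose net refcount change differs
 * from the most common change across all error paths (bit p = path p). */
static unsigned find_inconsistent_paths(void)
{
    int delta[N_PATHS + 1], is_err[N_PATHS + 1], best = 0, best_votes = 0;
    unsigned flagged = 0;
    for (int p = 1; p <= N_PATHS; p++) {      /* steps 1 and 2 */
        struct obj o = { 1 };
        is_err[p] = demo_probe(&o, p) < 0;    /* negative return = error path */
        delta[p] = o.refcount - 1;            /* net change on this path */
    }
    for (int p = 1; p <= N_PATHS; p++) {      /* step 3: dominant tendency */
        int votes = 0;
        for (int q = 1; q <= N_PATHS; q++)
            votes += is_err[p] && is_err[q] && delta[q] == delta[p];
        if (votes > best_votes) { best_votes = votes; best = delta[p]; }
    }
    for (int p = 1; p <= N_PATHS; p++)
        if (is_err[p] && delta[p] != best) flagged |= 1u << p;
    return flagged;
}

int main(void) { printf("inconsistent paths mask: 0x%x\n", find_inconsistent_paths()); return 0; }
```

Three of the four error paths leave the count unchanged, so that is taken as the dominant tendency and path 3, which leaks one reference, is the only one reported.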