Concretely Mapped Symbolic Memory Locations for Memory Error Detection
IEEE Transactions on Software Engineering (IF 6.5), Pub Date: 2024-04-30, DOI: 10.1109/tse.2024.3395412
Haoxin Tu 1 , Lingxiao Jiang 1 , Jiaqi Hong 1 , Xuhua Ding 1 , He Jiang 2
Memory allocation is a fundamental operation for managing memory objects in many programming languages. Misusing allocated memory objects (e.g., buffer overflow and use-after-free) can have catastrophic consequences. Symbolic execution-based approaches have been used to detect such memory errors, benefiting from their capabilities in automatic path exploration and test case generation. However, existing symbolic execution engines still suffer from fundamental limitations in modeling dynamic memory layouts; they either represent the locations of memory objects as concrete addresses, and thus limit their analyses only to specific address layouts and miss errors that may only occur when the objects are located at special addresses, or represent the locations as simple symbolic variables without sufficient constraints, and thus suffer from memory state explosion when they execute read/write operations involving symbolic addresses. Such limitations hinder the existing symbolic execution engines from effectively detecting certain memory errors. In this study, we propose SymLoc, a symbolic execution-based approach that uses concretely mapped symbolic memory locations to alleviate the limitations mentioned above. Specifically, a new integration of three techniques is designed in SymLoc: (1) the symbolization of addresses and encoding of symbolic addresses into path constraints, (2) the symbolic memory read/write operations using a symbolic-concrete memory map, and (3) the automatic tracking of the uses of symbolic memory locations. We build SymLoc on top of the well-known symbolic execution engine KLEE and demonstrate its benefits in terms of memory error detection and code coverage capabilities.
Our evaluation results show that: for address-specific spatial memory errors, SymLoc can detect 23 more errors in GNU Coreutils, Make, and m4 programs that are difficult for other approaches to detect, and cover 15% and 48% more unique lines of code in the programs than two baseline approaches; for temporal memory errors, SymLoc can detect 8%-64% more errors in the Juliet Test Suite than various existing state-of-the-art memory error detectors. We also present two case studies to show sample memory errors detected by SymLoc along with their root causes and implications.
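To illustrate the two limitations the abstract contrasts, here is an added toy model written for this page (it is not the paper's code and does not reproduce SymLoc's implementation): each allocation gets a symbolic base address whose admissible concrete values act as its path constraint, the symbol is mapped to one concrete backing buffer so reads and writes never fan out over many memory states, and every use of the symbol is checked for bounds and liveness. Class names, the brute-force stand-in for a constraint solver, and the address ranges are assumptions of this illustration; the buggy program (a 4-byte buffer indexed by `base_address % 16`) is constructed so that the overflow only exists at some addresses.

```python
from dataclasses import dataclass

@dataclass
class SymObject:
    name: str             # symbolic base address, e.g. "a0"
    size: int
    candidates: range     # concrete addresses the symbol may take (its path constraint)
    data: bytearray       # the single concrete backing store the symbol is mapped to
    live: bool = True

class ToySymbolicMemory:
    """Toy symbolic-concrete memory map (editor's illustration, not SymLoc's code)."""
    def __init__(self, lo=0x1000, hi=0x2000, align=8):
        self.lo, self.hi, self.align = lo, hi, align
        self.objects, self.errors = {}, []

    def malloc(self, size):
        name = f"a{len(self.objects)}"
        self.objects[name] = SymObject(name, size, range(self.lo, self.hi - size, self.align), bytearray(size))
        return name

    def free(self, name):
        self.objects[name].live = False   # keep the entry so later uses of the symbol are caught

    def access(self, name, offset_fn, kind="read", value=0):
        """offset_fn: concrete base address -> byte offset of the access.
        Reports an error if ANY admissible base address makes the access unsafe."""
        obj = self.objects[name]
        if not obj.live:
            self.errors.append((kind, name, "use-after-free", None))
            return None
        for addr in obj.candidates:       # brute-force enumeration stands in for a solver
            off = offset_fn(addr)
            if not 0 <= off < obj.size:
                self.errors.append((kind, name, "out-of-bounds", addr))  # addr is the witness layout
                return None
        off = offset_fn(obj.candidates[0])  # safe under every layout: concretize and touch the store
        if kind == "write":
            obj.data[off] = value
        return obj.data[off]

def run_address_specific_bug(mem):
    """Constructed program: a 4-byte buffer written at index (base address % 16)."""
    p = mem.malloc(4)
    mem.access(p, lambda a: a % 16, "write", 7)
    return [e[2] for e in mem.errors]

def run_use_after_free(mem):
    p = mem.malloc(8)
    mem.free(p)
    mem.access(p, lambda a: 0)
    return [e[2] for e in mem.errors]
```

With a single fixed 16-aligned layout (`hi=0x1008`) the overflow is invisible, whereas letting the base range over admissible addresses surfaces it together with a concrete witness address.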
Updated: 2024-04-30