Types of bugs found by ControlFlag

[nhasabni]

Why is ControlFlag not finding typical bugs (e.g., double free) that could be found by typical static analysis tools?

[nhasabni]

Note that ControlFlag is not a typical bug detection system in that it is not designed to catch specific types of bugs (e.g., double free). In fact, ControlFlag does not even know what a bug looks like. All that it knows are typical programming patterns and it then flags any deviations with respect to those patterns as anomalies. It is more often the case that these anomalies lead to bugs.

That being said, we have seen that ControlFlag can find bugs directly also. For instance, ControlFlag found a possible NULL pointer dereference in production-quality code because the code was using abnormal expression of the form

if (ptr == NULL && ptr->field == NULL) {
  // error
}

where instead of &&, it should have been ||.

Feel free to refer to our research paper (link) for more details.

[Deng-Xian-Sheng]

I don't understand machine learning

But I have a strange idea. At present, we use standard code to find non-standard code. If a code is strange, it is an error.

Whether it can be reversed. The dataset uses non-standard code. If the current code matches the non-standard code, it is an error

[nhasabni]

That is a interesting thought, @Deng-Xian-Sheng! I believe though the problem would be finding enough examples of "non-standard" code. Let me know if you have any thoughts in that regard.

Thanks.