Resource Leak Checker (RLC#) for C# Code using CodeQL

Pritam Gharat,Narges Shadab,Shrey Tiwari,Shuvendu Lahiri,Akash Lal
2023-12-05
Abstract:Resource leaks occur when a program fails to release a finite resource after it is no longer needed. These leaks are a significant cause of real-world crashes and performance issues. Given their critical impact on software performance and security, detecting and preventing resource leaks is a crucial problem. Recent research has proposed a specify-and-check approach to prevent resource leaks. In this approach, programmers write resource management specifications that guide how resources are stored, passed around, and released within an application. We have developed a tool called RLC#, for detecting resource leaks in C# code. Inspired by the Resource Leak Checker (RLC) from the Checker Framework, RLC# employs CodeQL for intraprocedural data flow analysis. The tool operates in a modular fashion and relies on resource management specifications integrated at method boundaries for interprocedural analysis. In practice, RLC# has successfully identified 24 resource leaks in open-source projects and internal proprietary Azure microservices. Its implementation is declarative, and it scales well. While it incurs a reasonable false positive rate, the burden on developers is minimal, involving the addition of specifications to the source code.
Programming Languages
What problem does this paper attempt to address?
The problem that this paper attempts to solve is to detect and prevent resource leakage in C# code. Resource leakage means that a program fails to release a limited resource correctly when it no longer needs it, which can lead to serious problems such as resource exhaustion, performance degradation, crashes, and even denial - of - service attacks. ### Specific Problem Description 1. **Hazards of Resource Leakage**: - Resource leakage has a significant impact on software performance and security. - They are an important cause of software crashes and performance problems in the real world. 2. **Limitations of Existing Solutions**: - Although there are some existing tools and methods to detect resource leakage, effective resource leakage detection in C# code remains a challenge. 3. **Research Motivation**: - The author's research motivation is to develop a tool that can effectively detect resource leakage problems in C# code in Azure microservices. ### Main Contributions of the Paper To address the above challenges, the author has developed a tool named RLC# (Resource Leak Checker for C#). RLC# is based on CodeQL for data - flow analysis and draws on the ideas of the Resource Leak Checker (RLC) in Java. Specifically: - **Tool Design**: RLC# uses CodeQL for modular data - flow analysis and relies on resource management specifications at method boundaries for cross - procedure analysis. - **Detection Mechanism**: RLC# detects resource leakage by ensuring that methods such as `Close` or `Dispose` are correctly called on relevant objects. - **Practical Application**: RLC# has successfully identified 24 resource leakage problems in open - source projects and internal Azure microservices. ### Key Technical Points 1. **Data - Flow Analysis**: - RLC# utilizes the powerful pattern - matching capabilities of CodeQL to specify source and sink nodes in the data - flow graph. - Source nodes usually represent resource allocation operations (such as constructor calls), while sink nodes represent resource release operations (such as `Dispose` method calls). 2. **Must - Call Property Verification**: - RLC# ensures that all allocated resources are correctly released before the end of their life cycle. - If there is at least one control - flow path on which the resource is not released, a resource leakage is reported. 3. **Resource Management Specifications**: - Developers can specify the management and transfer methods of resources by adding specific attributes (such as `[MustCall]`, `[Owning]`, etc.). - These specifications help the tool perform more accurate cross - procedure data - flow analysis. Through these methods, RLC# not only improves the accuracy of resource leakage detection but also reduces the burden on developers, allowing them to add only a few specifications in the code.