Haoxin Tu,Lingxiao Jiang,Jiaqi Hong,Xuhua Ding,He Jiang

DOI: https://doi.org/10.1109/tse.2024.3395412

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Memory allocation is a fundamental operation for managing memory objects in many programming languages. Misusing allocated memory objects (e.g., buffer overflow and use-after-free) can have catastrophic consequences. Symbolic execution-based approaches have been used to detect such memory errors, benefiting from their capabilities in automatic path exploration and test case generation. However, existing symbolic execution engines still suffer from fundamental limitations in modeling dynamic memory layouts; they either represent the locations of memory objects as concrete addresses and thus limit their analyses only to specific address layouts and miss errors that may only occur when the objects are located at special addresses, or represent the locations as simple symbolic variables without sufficient constraints and thus suffer from memory state explosion when they execute read/write operations involving symbolic addresses. Such limitations hinder the existing symbolic execution engines from effectively detecting certain memory errors. In this study, we propose SYMLOC, a symbolic execution-based approach that uses concretely mapped symbolic memory locations to alleviate the limitations mentioned above. Specifically, a new integration of three techniques is designed in SYMLOC: (1) the symbolization of addresses and encoding of symbolic addresses into path constraints, (2) the symbolic memory read/write operations using a symbolic-concrete memory map, and (3) the automatic tracking of the uses of symbolic memory locations. We build SYMLOC on top of the well-known symbolic execution engine KLEE and demonstrate its benefits in terms of memory error detection and code coverage capabilities. Our evaluation results show that: for address-specific spatial memory errors, SYMLOC can detect 23 more errors in GNU Coreutils , Make , and m4 programs that are difficult for other approaches to detect, and cover 15% and 48% more unique lines of code in the programs than two baseline approaches; for temporal memory errors, SYMLOC can detect 8%-64% more errors in the Juliet Test Suite than various existing state-of-the-art memory error detectors. We also present two case studies to show sample memory errors detected by SYMLOC along with their root causes and implications.

Zhe Chen,Rui Yan,Yingzi Ma,Yulei Sui,Jingling Xue

DOI: https://doi.org/10.1145/3637227

IF: 3.685

2023-12-11

ACM Transactions on Software Engineering and Methodology

Abstract:C is a dominant programming language for implementing system and low-level embedded software. Unfortunately, the unsafe nature of its low-level control of memory often leads to memory errors. Dynamic analysis has been widely used to detect memory errors at runtime. However, existing monitoring algorithms for dynamic analysis are not yet satisfactory as they cannot deterministically and completely detect some types of errors, e.g., segment confusion errors, sub-object overflows, use-after-frees and memory leaks. We propose a new monitoring algorithm, namely Smatus , short for smart status , that improves memory safety by performing comprehensive dynamic analysis. The key innovation is to maintain at runtime a small status node for each memory object. A status node records the status value and reference count of an object, where the status value denotes the liveness and segment type of this object, and the reference count tracks the number of pointer variables pointing to this object. Smatus maintains at runtime a pointer metadata for each pointer variable, to record not only the base and bound of a pointer’s referent but also the address of the referent’s status node. All the pointers pointing to the same referent share the same status node in their pointer metadata. A status node is smart in the sense that it is automatically deleted when it becomes useless (indicated by its reference count reaching zero). To the best of our knowledge, Smatus represents the most comprehensive approach of its kind. We have evaluated Smatus by using a large set of programs including the NIST Software Assurance Reference Dataset, MSBench, MiBench, SPEC and stress testing benchmarks. In terms of effectiveness (detecting different types of memory errors), Smatus outperforms state-of-the-art tools, Google’s AddressSanitizer, SoftBoundCETS and Valgrind, as it is capable of detecting more errors. In terms of performance (the time and memory overheads), Smatus outperforms SoftBoundCETS and Valgrind in terms of both lower time and memory overheads incurred, and is on par with AddressSanitizer in terms of the time and memory overhead tradeoff made (with much lower memory overheads incurred).

computer science, software engineering

蒋剑琴,黄达明,曾庆凯

DOI: https://doi.org/10.3969/j.issn.1009-3443.2009.03.013

2009-01-01

Abstract:To dectect memory access errors by combining the efficiency of program analysis technologies and the powerful mathematical foundation of program validation technologies,Cmad,a static C memory errors Detector based on semantics abstraction was proposed.By sound approximation to concrete states,accurate verification of the related constraint variable operation and information collection during the traversal of CFG,Cmad detected inter-procedural memory bound overflow errors without any annotation.Prototype implementation proves the validity.

Yunlong Lyu,Yi Fang,Yiwei Zhang,Qibin Sun,Siqi Ma,Elisa Bertino,Kangjie Lu,Juanru Li

DOI: https://doi.org/10.1109/sp46214.2022.9833613

2022-01-01

Abstract:Existing tools for the automated detection of memory corruption bugs are not very effective in practice. They typically recognize only standard memory management (MM) APIs (e.g., malloc and free) and assume a naive paired-use model—an allocator is followed by a specific deallocator. However, we observe that programmers very often design their own MM functions and that these functions often manifest two major characteristics: (1) Custom allocator functions perform multi-object or nested allocation which then requires structure-aware deallocation functions. (2) Custom allocators and deallocators follow an unpaired-use model. A more effective detection thus needs to adapt those characteristics and capture memory bugs related to non-standard MM behaviors. In this paper, we present a MM function aware memory bug detection technique by introducing the concept of structure-aware and object-centric Memory Operation Synopsis (MOS). A MOS abstractly describes the memory objects of a given MM function, how they are managed by the function, and their structural relations. By utilizing MOS, a bug detection could explore much less code but is still capable of handling multi-object or nested allocations and does not rely on the paired-use model. In addition, to extensively find MM functions and automatically generate MOS for them, we propose a new identification approach that combines natural language processing (NLP) and data flow analysis, which enables the efficient and comprehensive identification of MM functions, even in very large code bases. We implement a MOS-enhanced memory bug detection system, Goshawk, to discover memory bugs caused by complex and custom MM behaviors. We applied Goshawk to well-tested and widely-used open source projects including OS kernels, server applications, and IoT SDKs. Goshawk outperforms the state-of-the-art data flow analysis driven bug detection tools by an order of magnitude in analysis speed and the number of accurately identified MM functions, reports the discovered bugs with a developer-friendly, MOS based description, and successfully detects 92 new double-free and use-after-free bugs.

Rui Ma,Lingkui Chen,Changzhen Hu,Jingfeng Xue,Xiaolin Zhao

DOI: https://doi.org/10.1109/DASC.2013.37

2013-01-01

Abstract:Aiming at the problem of higher memory consumption and lower execution efficiency during the dynamic detecting to C/C++ programs memory vulnerabilities, this paper presents a dynamic detection method called ISC. The ISC improves the Safe-C using pointer analysis technology. Firstly, the ISC defines a simple and efficient fat pointer representation instead of the safe pointer in the Safe-C. Furthermore, the ISC uses the unification-based analysis algorithm with one level flow static pointer. This identification reduces the number of pointers that need to be converted to fat pointers. Then in the process of program running, the ISC detects memory vulnerabilities through constantly inspecting the attributes of fat pointers. Experimental results indicate that the ISC could detect memory vulnerabilities such as buffer overflows and dangling pointers. Comparing with the Safe-C, the ISC dramatically reduces the memory consumption and lightly improves the execution efficiency.

Rui Ma,Lingkui Chen,Changzhen Hu,Jingfeng Xue

DOI: https://doi.org/10.1109/DASC.2013.37

2013-01-01

Abstract:Aiming at the problem of higher memory consumption and lower execution efficiency during the dynamic detecting to C/C++ programs memory vulnerabilities, this paper presents a dynamic detection method called ISC. The ISC improves the Safe-C using pointer analysis technology. Firstly, the ISC defines a simple and efficient fat pointer representation instead of the safe pointer in the Safe-C. Furthermore, the ISC uses the unification-based analysis algorithm with one level flow static pointer. This identification reduces the number of pointers that need to be converted to fat pointers. Then in the process of program running, the ISC detects memory vulnerabilities through constantly inspecting the attributes of fat pointers. Experimental results indicate that the ISC could detect memory vulnerabilities such as buffer overflows and dangling pointers. Comparing with the Safe-C, the ISC dramatically reduces the memory consumption and lightly improves the execution efficiency.

Zhe Chen,Qi Zhang,Jun Wu,Junqi Yan,Jingling Xue

DOI: https://doi.org/10.1109/tse.2022.3210580

IF: 7.4

2023-04-21

IEEE Transactions on Software Engineering

Abstract:Low-level control makes C unsafe, resulting in memory errors that can lead to data corruption, security vulnerabilities or program crashes. Dynamic analysis tools, which have been widely used for detecting memory errors at runtime, usually perform instrumentation at the IR or binary level. However, these non-source-level instrumentation frameworks and tools suffer from two inherent drawbacks: optimization sensitivity and platform dependence. Due to optimization sensitivity, the user of these tools must trade either performance for effectiveness by compiling the program at -O0 or effectiveness for performance by compiling the program at a higher optimization level, say, -O3. In this paper, we propose a new source-level instrumentation framework to overcome these two drawbacks, and implement it in a new dynamic analysis tool, called Movec, that adopts a pointer-based monitoring algorithm. We have evaluated Movec comprehensively by using the NIST's SARD benchmark suite (1152 programs), a set of 126 microbenchmarks (with ground truth), a set of 20 MiBench benchmarks and 5 pure-C SPEC CPU 2017 benchmarks. In terms of effectiveness, Movec outperforms three state-of-the-art dynamic analysis tools, AddressSanitizer, SoftBoundCETS and Valgrind, for all the standard optimization levels (from -O0 to -O3). In terms of performance, Movec outperforms SoftBoundCETS and Valgrind, and is slower than AddressSanitizer but consumes less memory.

engineering, electrical & electronic,computer science, software engineering

Hongfa Xue,Yurong Chen,Fan Yao,Yongbo Li,Tian Lan,Guru Venkataramani

DOI: https://doi.org/10.1007/978-3-319-58469-0_28

2017-01-01

Abstract:Unsafe memory accesses in programs written using popular programming languages like C and C++ have been among the leading causes of software vulnerability. Memory safety checkers, such as Soft bound, enforce memory spatial safety by checking if accesses to array elements are within the corresponding array bounds. However, such checks often result in high execution time overhead due to the cost of executing the instructions associated with the bound checks. To mitigate this problem, techniques to eliminate redundant bound checks are needed. In this paper, we propose a novel framework, SIMBER, to eliminate redundant memory bound checks via statistical inference. In contrast to the existing techniques that primarily rely on static code analysis, our solution leverages a simple, model-based inference to identify redundant bound checks based on runtime statistics from past program executions. We construct a knowledge base containing sufficient conditions using variables inside functions, which are then applied adaptively to avoid future redundant checks at a function-level granularity. Our experimental results on real world applications show that SIMBER achieves zero false positives. Also, our approach reduces the performance overhead by up to 86.94% over Softbound, and incurs a modest 1.7% code size increase on average to circumvent the redundant bound checks inserted by Softbound.

LU Yin,QIN Shu-Dong,XI Le-Qi,DONG Yun-Wei

DOI: https://doi.org/10.21655/ijsi.1673-7288.00255

2021-01-01

International Journal of Software and Informatics

Abstract:Embedded systems have been widely applied in real-time automatic control systems, and most of these systems are safety-critical, for example, the engine control systems in an automobile and the avionics in an airplane. It is very important to verify the schedulability of such a real-time embedded system in its early design stages, so as to avoid unexpected loss for the debugging of architecture design problems. However, it has been proved to be a tough challenge to evaluate the schedulability of a Preemptive-Scheduling Real-Time (PSRT) system, especially when the constraints of system resources are taken into consideration. The cache memory built inside the processor is an exclusive-accessing resource shared by all the tasks deployed on the processor. In addition, the Cache-Related Preemption Delay (CRPD) caused by preemptive task scheduling will bring extra time to the execution time for all the tasks. Thus, the CRPD should be taken into consideration when the Worst-Case Execution Time (WCET) of tasks is estimated in a real-time system. A model-based evaluation and verification method of architecture schedulability, which is designed for priority-based PSRT systems, is proposed in this study to make cache resource constrained and CRPD related schedulability evaluation based on the AADL system architecture model. In the first step, the study enhances the property set of AADL storage elements to make it compatible with cache memory properties in a system architecture model. Secondly, the study proposes a set of algorithms to estimate the CRPDs of a task before it is completed; run system schedule simulation and construct the schedule sequence with the constraint of cache resources and CRPDs involved; and make WCET estimation of the tasks in such a CRPD considered, preemptive-scheduling execution sequence. Finally, the methods mentioned above are implemented within a prototype software toolkit, which is designed to make evaluation and verification of system schedulability within CRPD constraints. The toolkit is tested with a use case of aircraft airborne open-architecture intelligent information system. The result shows that, compared with the schedule sequence constructed without cache memory resource constraints, the WCET estimated for most tasks is extended, and the sequence order is changed. In some extreme cases, when CRPD is taken into consideration, some tasks are evaluated to be incompletable. The test shows that the method and algorithms proposed in this study are feasible.

JiaYu Li,Ye Yao,Yian Zhu,Mutitaba,Yongkai Zhang,Hang Li

DOI: https://doi.org/10.1109/icnisc60562.2023.00011

2023-01-01

Abstract:The paper presented and implemented a C-Scanner source code vulnerability detection tool, which can solve the buffer overflow problem. The main idea was to rewrite the source code of a C or C++, so that the resulting code contained the safe version of the old vulnerable functions, which may contain a buffer overflow security problem. If rewriting was not possible, due to some reasons, a warning was issued along with a hint to solve the problem if it was possible. C-Scanner in this paper took the C or C++ source code as input, and then it did a parsing process. Every time it encountered a vulnerable function call, it classified this function call. If this function call was belonging to a category of its interest, then it would rewrite this vulnerable function by a safe version, which prevented the buffer overflow vulnerability.

Dongwei Chen,Daliang Xu,Dong Tong,kang dae sun,Xuetao Guan,Chun Yang,Xu Cheng

2020-01-01

Abstract:Memory spatial errors, i.e., buffer overflow vulnerabilities, have been a well-known issue in computer security for a long time and remain one of the root causes of exploitable vulnerabilities. Most of the existing mitigation tools adopt a fail-stop strategy to protect programs from intrusions, which means the victim program will be terminated upon detecting a memory safety violation. Unfortunately, the fail-stop strategy harms the availability of software. In this paper, we propose Saturation Memory Access (SMA), a memory spatial error mitigation mechanism that prevents out-of-bounds access without terminating a program. SMA is based on a key observation that developers generally do not rely on out-of-bounds accesses to implement program logic. SMA modifies dynamic memory allocators and adds paddings to objects to form an enlarged object boundary. By dynamically correcting all the out-of-bounds accesses to operate on the enlarged protecting boundaries, SMA can tolerate out-of-bounds accesses. For the sake of compatibility, we chose tagged pointers to record the boundary metadata of a memory object in the pointer itself, and correct the address upon detecting out-of-bounds access. We have implemented the prototype of SMA on LLVM 10.0. Our results show that our compiler enables the programs to execute successfully through buffer overflow attacks. Experiments on MiBench show that our prototype incurs an overhead of 78\%. Further optimizations would require ISA supports.

Guang Chen,Min Zhou,Jiaguang Sun,Xiaoyu Song

DOI: https://doi.org/10.1109/APSEC.2018.00044

2018-01-01

Abstract:Static analysis is an effective way of checking memory safety issues in program. Usually, multiple analysis algorithms usually run together to achieve a precise analysis result. In this paper, a novel analysis frame work over access path is presented for incorporating analysis algorithms. A pointer analysis based on access path works as a base layer, alias and pointer information are automatically handled. An summary based checking algorithm is designed for checking real world project. Moreover, the framework is fully extensible and various analysis can be added as plugins. Experimental results show that our method has good precision on Juliet Test Suite and scales to large software.

Chen Dongwei,Xu Daliang,Tong Dong,Sun Kang,Guan Xuetao,Yang Chun,Cheng Xu

2020-01-01

Abstract: Memory spatial error, i.e., buffer overflow, has been a well-known issue in computer security for a long time and remains one of the root causes of exploitable vulnerabilities. Existing tools focus on the detection of memory spatial errors and prevent intrusion by terminating the execution of the victim program. However, such tools cannot eliminate the vulnerabilities without patching the program. Unfortunately, in the increasingly popular embedded environment, deploying patches becomes harder because of the enormous number of devices. The limited resource in the embedded environment also prevents many existing tools to be used in the real world. This paper proposes the Saturation Memory Access (SMA), a memory spatial error elimination tool that prevents out-of-bound access without terminating the execution of a program. We use the tagged pointer scheme to store the boundary metadata of a memory object in the pointer itself, and correct the address to the object boundary upon detecting out-of-bound access. This method is based on a key observation that developers generally do not rely on out-of-bounds access to implement the program logic, so the correction of the address does not interfere with the execution of a program. We have implemented the prototype of SMA on LLVM 4.0.1 with two pointer encoding schemes designed for different tradeoff decisions between performance and memory usage. Experiments show that our prototype can stop nearly all attack forms in the RIPE benchmark and incurs 64\%-84\% overhead on SPEC CPU2017.

Xiaohui Sun,Sihan Xu,Chenkai Guo,Jing Xu,Naipeng Dong,Xiujuan Ji,Sen Zhang

DOI: https://doi.org/10.1109/compsac.2018.10271

2018-01-01

Abstract:One of the major software safety issues is memory leak. Moreover, detecting memory leak vulnerabilities is challenging in static analysis. Existing static detection tools find bugs by collecting programs' information in the process of scanning source code. However, the current detection tools are weak in efficiency and accuracy, especially when the targeted program contains complex branches. This paper proposes a projection-based approach to detect memory leaks in C source code with complex control flows. According to the features of memory allocation and deallocation in C source code, this approach projects the original control flow graph of a program to a simpler one, and it reduces the analysis complexity. Besides, this paper implements a memory-leak detection tool—PML_Checker, and evaluates the tool by comparing with three open-source static detection tools on both public benchmarks and study test cases. The experimental results show that PML_Checker reports the most memory leak vulnerabilities among the four existing tools with complex control flows and complex data types, and PML_Checker obtains higher efficiency and accuracy on public benchmarks.

Eyasu Getahun Chekole,Unnikrishnan Cheramangalath,Sudipta Chattopadhyay,Martin Ochoa,Guo Huaqun

DOI: https://doi.org/10.48550/arXiv.1809.07477

2019-09-19

Abstract:Memory-safety attacks have been one of the most critical threats against computing systems. Although a wide-range of defense techniques have been developed against these attacks, the existing mitigation strategies have several limitations. In particular, most of the existing mitigation approaches are based on aborting or restarting the victim program when a memory-safety attack is detected, thus making the system unavailable. This might not be acceptable in systems with stringent timing constraints, such as cyber-physical systems (CPS), since the system unavailability leaves the control system in an unsafe state. To address this problem, we propose CIMA -- a resilient and light-weight mitigation technique that prevents invalid memory accesses at runtime. CIMA manipulates the compiler-generated control flow graph to automatically detect and bypass unsafe memory accesses at runtime, thereby mitigating memory-safety attacks along the process. An appealing feature of CIMA is that it also ensures system availability and resilience of the CPS even under the presence of memory-safety attacks. To this end, we design our experimental setup based on a realistic Secure Water Treatment (SWaT) and Secure Urban Transportation System (SecUTS) testbeds and evaluate the effectiveness and the efficiency of our approach. The experimental results reveal that CIMA handles memory-safety attacks effectively with low overhead. Moreover, it meets the real-time constraints and physical-state resiliency of the CPS under test.

Cryptography and Security

Qian Feng,Aravind Prakash,Heng Yin,Zhiqiang Lin

DOI: https://doi.org/10.1145/2664243.2664248

2014-01-01

Abstract:Memory forensic analysis collects evidence for digital crimes and malware attacks from the memory of a live system. It is increasingly valuable, especially in cloud computing. However, memory analysis on on commodity operating systems (such as Microsoft Windows) faces the following key challenges: (1) a partial knowledge of kernel data structures; (2) difficulty in handling ambiguous pointers; and (3) lack of robustness by relying on soft constraints that can be easily violated by kernel attacks. To address these challenges, we present MACE, a memory analysis system that can extract a more complete view of the kernel data structures for closed-source operating systems and significantly improve the robustness by only leveraging pointer constraints (which are hard to manipulate) and evaluating these constraint globally (to even tolerate certain amount of pointer attacks). We have evaluated MACE on 100 memory images for Windows XP SP3 and Windows 7 SP0. Overall, MACE can construct a kernel object graph from a memory image in just a few minutes, and achieves over 95% recall and over 96% precision. Our experiments on real-world rootkit samples and synthetic attacks further demonstrate that MACE outperforms other external memory analysis tools with respect to wider coverage and better robustness.

Jingfeng Xue,Changzhen Hu,Hongyu Ren,Rui Ma,Jian Li

DOI: https://doi.org/10.1109/NLPKE.2011.6138200

2011-01-01

Abstract:Applications written in unsafe languages like C and C++ are vulnerable to memory errors such as buffer overflows and dangling pointers. Such errors can lead to program crashes, security vulnerabilities, and unpredictable behavior. Aiming at the problem, PSC, a new probabilistic safeguard C, is proposed in this paper. At the basis of Diehard, memory allocating strategy is improved in PSC. PSC can avoid memory errors in all probability during software executing by combing random memory allocating algorithm and virtual memory. Physical memory consumption is decreased by building hot object space working set and compressing non frequently used objects. Experiments show PSC is better than Diehard for memory errors prevention and physical memory consumption. So it is a valid memory errors prevention technology based on probability. © 2011 IEEE.

LI Xiao,ZHOU Yan,LI Meng-Chen,CHEN Yuan-Jun,XU Guo-Qing,WANG Lin-Zhang,LI Xuan-Dong

DOI: https://doi.org/10.13328/j.cnki.jos.005189

2017-01-01

Abstract:Memory leak,which has perplexed software developers for a long time because of imperceptibility,is a very common bug for C/C++ programs and can do serious harm especially for long-running program or system software.Aiming at this problem,both static and dynamic program analysis techniques have been attempted.Dynamic program analysis technique detects memory leak by running the program,which has huge overhead and depends on the quality of test cases.Static analysis technology and automatic tools are widely used in the work of detecting memory leaks among academic community and industrial community.Since it uses conservative algorithm,Static analysis is able to detect a lot of defects but at the sometime increases the false positives,which needs manual confirmation.As manual confirmation is time-consuming and error prone,it limits the practicability of the technology.In this paper,a novel method to automatically validate static memory leak warnings is proposed based on concolic testing.First,drawing on the memory leak warnings given by static analysis report,the control flow of the target program is analyzed and the reachability of the target path is calculated.Then the path information is used to guide the concolic testing and execute program in the particular path.Finally,the static warnings is validated by tracking memory object during execution.Experimental results show that this method can effectively classify static warnings and significantly reduce the workload of manual validation.

Zhenpeng Lin,Zheng Yu,Ziyi Guo,Simone Campanoni,Peter Dinda,Xinyu Xing

2024-06-05

Abstract:The heap is a critical and widely used component of many applications. Due to its dynamic nature, combined with the complexity of heap management algorithms, it is also a frequent target for security exploits. To enhance the heap's security, various heap protection techniques have been introduced, but they either introduce significant runtime overhead or have limited protection. We present CAMP, a new sanitizer for detecting and capturing heap memory corruption. CAMP leverages a compiler and a customized memory allocator. The compiler adds boundary-checking and escape-tracking instructions to the target program, while the memory allocator tracks memory ranges, coordinates with the instrumentation, and neutralizes dangling pointers. With the novel error detection scheme, CAMP enables various compiler optimization strategies and thus eliminates redundant and unnecessary check instrumentation. This design minimizes runtime overhead without sacrificing security guarantees. Our evaluation and comparison of CAMP with existing tools, using both real-world applications and SPEC CPU benchmarks, show that it provides even better heap corruption detection capability with lower runtime overhead.

Cryptography and Security,Software Engineering

Yuexing Wang,Guang Chen,Min Zhou,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/ASE.2019.00129

2019-01-01

Abstract:ABSTRACTPrecise pointer analysis is desired since it is a core technique to find memory defects. There are several dimensions of pointer analysis precision, flow sensitivity, context sensitivity, field sensitivity and path sensitivity. For static analysis tools utilizing pointer analysis, considering all dimensions is difficult because the trade-off between precision and efficiency should be balanced. This paper presents TsmartGP, a static analysis tool for finding memory defects in C programs with a precise and efficient pointer analysis. The pointer analysis algorithm is flow, context, field, and quasi path sensitive. Control flow automatons are the key structures for our analysis to be flow sensitive. Function summaries are applied to get context information and elements of aggregate structures are handled to improve precision. Path conditions are used to filter unreachable paths. For efficiency, a multi-entry mechanism is proposed. Utilizing the pointer analysis algorithm, we implement a checker in TsmartGP to find uninitialized pointer errors in 13 real-world applications. Cppcheck and Clang Static Analyzer are chosen for comparison. The experimental results show that TsmartGP can find more errors while its accuracy is also higher than Cppcheck and Clang Static Analyzer. The demo video is available at https://youtu.be/IQlshemk6OA.