Verifying Finite-State Safety Properties on Millions of Lines of Code

We present a context-sensitive, flow-sensitive, field-sensitive, and intraprocedurally path-sensitive static analysis capable of verifying finite-state safety properties of very large systems. Unusually for finite- state property verifiers, our system analyzes functions separately, and it is this feature that enables scalability. We evaluate an implementation of our analysis by trying to verify the absence of unchecked, untrusted pointer dereferences in the entire Linux operating system with over 6.2 million lines of code. Our system has a 1.8% false positive rate and fails to analyze 0.17% of all procedures.