SafeDrop: Detecting Memory Deallocation Bugs of Rust Programs via Static Data-Flow Analysis

Rust is an emerging programming language that aims to prevent memory-safety bugs. However, the current design of Rust also brings side effects which may increase the risk of dangling pointers. In particular, it employs OBRM (ownership-based resource management) and enforces automatic deallocation of unused resources base on a static lifetime inference mechanism. It may therefore falsely reclaim memory and lead to use-after-free or double-free issues. In this paper, we study the problem of false memory deallocation and propose SafeDrop, a static path-sensitive data-flow analysis approach to detect such bugs. Our approach analyzes each public API of a Rust crate iteratively by traversing the control-flow graph and extracting all aliases of each data flow. To guarantee precision and scalability, we leverage Tarjan algorithm to achieve scalable path-sensitive analysis, and a cache-based strategy to achieve efficient inter-procedural analysis. Our experiment results show that our approach can successfully detect all existing CVEs of such issues with a limited number of false positives. The analysis overhead ranges from 4.4% to 87.2% in comparison with the original program compilation time. We further apply our tool to several real-world Rust crates and find 15 previously-unknown bugs from nine crates.