Detecting C++ Lifetime Errors with Symbolic Execution

One of the reasons why it is so hard to statically analyze C++ source code is because of its Standard Template Library (STL). The STL is a monstrous collection of complex code base whose semantics is hard for static analyzers to understand. Unfortunately, many of the most serious memory management bugs in C++ are connected to the lifetimes of STL containers. This paper describes a method of adding knowledge of STL ownership semantics to a static analysis engine. It was implemented in an open-source symbolic execution framework widely used in the industry, and produced new and serious lifetime-related error reports in popular open-source projects.