Automated Repair of Resource Leaks in Android Applications

TL;DR

PlumbDroid tackles Android resource leaks by marrying a succinct static analysis with a formal automata-theoretic leak model. It builds resource-flow graphs for procedures, uses deterministic pushdown and finite automata to detect leaks via a context-free emptiness check, and automatically generates safe fixes that release leaked resources early in the lifecycle, followed by a validation pass. Empirically, it fixes 50 leaks across 9 resources on 17 apps with high precision and competitive performance, outperforming Relda2/RelFix on non-aliasing resources and producing much smaller patches. The approach shows practical potential for improving Android app quality, while acknowledging aliasing as a key limitation and pointing to future work on alias analysis to broaden applicability.

Abstract

Resource leaks -- a program does not release resources it previously acquired -- are a common kind of bug in Android applications. Even with the help of existing techniques to automatically detect leaks, writing a leak-free program remains tricky. One of the reasons is Android's event-driven programming model, which complicates the understanding of an application's overall control flow. In this paper, we present PlumbDroid: a technique to automatically detect and fix resource leaks in Android applications. PlumbDroid uses static analysis to find execution traces that may leak a resource. The information built for detection also undergirds automatically building a fix -- consisting of release operations performed at appropriate locations -- that removes the leak and does not otherwise affect the application's usage of the resource. An empirical evaluation on resource leaks from the DroidLeaks curated collection demonstrates that PlumbDroid's approach is scalable, precise, and produces correct fixes for a variety of resource leak bugs: PlumbDroid automatically found and repaired 50 leaks that affect 9 widely used resources of the Android system, including all those collected by DroidLeaks for those resources; on average, it took just 2 minutes to detect and repair a leak. PlumbDroid also compares favorably to Relda2/RelFix -- the only other fully automated approach to repair Android resource leaks -- since it usually detects more leaks with higher precision and producing smaller fixes. These results indicate that PlumbDroid can provide valuable support to enhance the quality of Android applications in practice.

Figures (9)

• Figure 1: An excerpt of class in Android app IRCCloud, showing a resource leak that [0.5]Plumb-Droid can fix automatically.
• Figure 2: How [0.5]Plumb-Droid works: First, [0.5]Plumb-Droid builds a finite-state abstraction of the Android app under analysis, which captures acquire and release operations of an API's resources. The abstraction models each function of the application with a resource-flow graph (RFG)---a special kind of control-flow graph---and combines resource-flow graphs to model inter-procedural behavior. In the analysis step, [0.5]Plumb-Droid searches the graph abstraction for resource leaks: paths where a resource $k$ is acquired ($a_k$) but not eventually released. In the fixing step, [0.5]Plumb-Droid injects the missing release operations $r_k$ where needed along the leaking path. In the final validation step, [0.5]Plumb-Droid abstracts and analyzes the code after fixing, so as to ensure that the fix does not introduce unintended interactions that cause new resource-usage related problems.
• Figure 3: Simplified callback graph of an Android component.
• Figure 4: Some abstractions built by [0.5]Plumb-Droid to analyze the example of \ref{['fig:motivating']}. The intra-procedural analysis described in \ref{['sec:intra-proc']} builds a resource-flow graph (RFG) for each procedure and independently. As described in \ref{['sec:inter-proc']}, the inter-procedural analysis considers, among others, the sequence of callback functions ; since and do nothing in this example, this corresponds to connecting 's exit to 's entry. The inter-procedural analysis thus finds a leaking path (in orange), where acquire operation is not matched by any release operation. Fixing (\ref{['sec:fixgen']}) modifies the app by adding a suitable release operation (in green), which completely removes the leak.
• Figure 5: A graphical display of [0.5]Plumb-Droid's intra-procedural leak detection. The resource automaton $A_L$ captures all leak-free sequences; its complement$\overline{A_L}$ captures all leaking sequences. The flow automaton $A_R$ captures all sequences of resource usages that may happen when the procedure under analysis runs. The intersection automaton $A^X$ captures the intersection of the violet and orange areas (outlined in dotted white), which marks the procedure's resource usage sequences that are leaking. If this area is empty, we conclude that the procedure is leak free.

Theorems & Definitions (4)

• Definition 1: Deterministic pushdown automaton
• Example 1: Resource automaton for WifiLock
• Definition 2: Finite-state automaton
• Example 2: Resource automaton for MediaPlayer