Qingkai (Thomas) Shi

PhD Candidate

Department of Computer Science and Engineering

Hong Kong University of Science and Technology

Email: qingkaishi AT gmail DOT com, qshiaa AT cse DOT ust DOT hk

Research Interests

  • System Security
  • Programming Language
  • Software Testing
  • Concurrency


  1. CVE-2017–14739: ImageMagick 7.0.7–4 mishandles failed memory allocation, which allows remote attackers to cause a denial of service.
  2. CVE-2017–14952: International Components for Unicode (ICU) for C/C++ through 59.1 contains a double free that allows remote attackers to execute arbitrary code.
  3. CVE-2017–15096: GlusterFS in versions prior to 3.10 contains a null pointer dereference that may cause denial of service.
  4. CVE-2017–16892: Bftpd 4.6 contains a memory leak which occurs if a mal-crafted sequence of FTP requests are received.
  5. CVE-2017–1000445: ImageMagick 7.0.7–1 and older version are vulnerable to null pointer dereference in the MagickCore component and might lead to denial of service.

Thanks to the Pinpoint project.


  1. Gang Fan, Rongxin Wu, Qingkai Shi, Xiao Xiao, Jinguo Zhou, Charles Zhang. SMOKE: Scalable Path-Sensitive Memory Leak Detection for Millions of Lines of Code. In ICSE 2019: the 41st ACM/IEEE International Conference on Software Engineering. Montreal, QC, Canada. May 2019.
  2. Qingkai Shi, Xiao Xiao, Rongxin Wu, Jinguo Zhou, Gang Fan, Charles Zhang. Pinpoint: Fast and Precise Sparse Value Flow Analysis for Million Lines of Code. In PLDI 2018: the 39th annual ACM SIGPLAN conference on Programming Language Design and Implementation. Philadelphia, Pennsylvania, United States. June 2018. (Slides) (Artifact Evaluation) (Media)
  3. Qingkai Shi, Jeff Huang, Zhenyu Chen, Baowen Xu. Verifying Synchronization for Atomicity Violation Fixing. The IEEE Transactions on Software Engineering (IEEE TSE), Vol. 42, No. 3, 2016.
  4. Qingkai Shi, Zhenyu Chen, Chunrong Fang, Yang Feng, Baowen Xu. Measuring the Diversity of a Test Set with Distance Entropy. The IEEE Transactions on Reliability (IEEE TR), Vol. 65, No. 1, 2016.

View all publications. Google Citations. DBLP.


  • Pinpoint

    Pinpoint is an industrial-strength next-generation automated bug finding tool through static analysis and AI. It is built on top of LLVM. It has found more than 50 vulnerabilities in about a dozen of open-source projects, including Apache, MySQL, Firefox, Python, OpenSSL, etc. Some of them have been assigned CVE IDs. This project is being commercialized at Sourcebrella Inc.. For more information, interested readers can refer to our technical papers: <PLDI 2018> <ICSE 2019>.


  • Canary

    Canary is a set of tools built on a unification-based alias analysis. Currently, it contains an order-based record/replay tool, and a trace-based bug detector for concurrent C/C++ programs. It is implemented for C/C++ programs based on LLVM. This project currently is used in the Sourcebrella Inc. for vulnerability detection.

  • Swan

    Swan is a prototype tool for verifying whether an atomicity violation is fixed sufficiently or not. It analyzes a dynamic buggy trace with fix (i.e., synchronization) information. It does not require developers should fully understand the bugs before fixing, thus being more practical. It is implemented for Java programs based on Soot. The technical paper has been accepted by IEEE TSE.

Teaching Experiences

  • TA for COMP4111: Software Engineering Practices (Fall 2016, Spring 2018)
  • TA for COMP3111/3111H: Software Engineering (Fall 2018)


  • Hong Kong Phd Fellowship
  • China National Scholarship