
Is Program Analysis The Silver Bullet Against Software Bugs? by Karim Ali

Program analysis is the art of reasoning about the run-time behavior of a program without necessarily executing it. This information is useful for various real-life applications such as supporting software developers (e.g., bug-finding tools, code refactoring tools, and code recommenders) and compiler optimizations. Program analysis is also used to ensure complex software adheres to standards and regulations (e.g., medical devices, car industry, and aviation industry).

In this talk, I will discuss the three main properties that enable program analyses to be useful in practice: scalability, precision, and usability. I will relate that to various papers that have been published in the field of program analysis, as well as some of the work that my group has done. I will conclude with where I see program analysis research going and the challenges that we aim to solve in the field.

Papers_We_Love

September 12, 2019

Transcript

  1. Karim Ali
    University of Alberta
    @karimhamdanali
    Is Program Analysis The Silver
    Bullet Against Software Bugs?
    Papers We Love Conference — 2019

  2. Software Bugs

  3. Software Bugs
    Invalid SSL/TLS connections earned Apple Most Epic Fail [Pwnie ’14]
    goto fail;
    goto fail;
    Source: CVE-2014-1266

  4. Software Bugs
    Errors in ABS software led to fatal accidents and cost Toyota $3 Billion
    Source: Philip Koopman, CMU (© Copyright 2014, Philip Koopman. CC Attribution 4.0 International license.)
    http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/ (May 25, 2010)

  5. Software Bugs
    Unencrypted, unauthenticated connections to some medical implants
    Source: Department of Homeland Security

  6. Program Analysis
    (the goto fail; and Toyota examples from slides 3 and 4 shown again)

  7. What is Program Analysis?

  8. Program Analysis
    A way of reasoning about the runtime behaviour of a program without necessarily executing it

  9. Rice’s Theorem
    “For any interesting property Pr of the behaviour of a program, it is impossible to write an analysis that can decide for every program p whether Pr holds for p.”
    Image: CooperToons

  10. By definition, program analysis is undecidable

  11. Not quite…
    Image: J. K. Simmons / Whiplash

  12. Program Analysis
    • Settle for an approximation of Pr
    • Make it as “good” as possible
    (diagram: p → analysis → yes; p → analysis → no; “few”)
    Image: Jenna Mullins / ENews

  13. Program Analysis
    Code Navigation, Code Recommenders, Code Refactoring, Constant Propagation, Dead Code Elimination, Static Inlining, Parallelization

  14. Program Analysis in Practice
    Image: Minion Special / YouTube

  15. Program Analysis in Practice
    Scalability, Precision, Usability

  16. Collaborators
    • Erick Ochoa (UAlberta)
    • Spencer Killen (UAlberta)
    • Kristen Newbury (UAlberta)
    • Revan MacQueen (UAlberta)
    • Daniil Tiganov (UAlberta)
    • Jeff Cho (UAlberta)
    • Johannes Späth (Paderborn)
    • Lisa Nguyen (Paderborn)
    • Stefan Krüger (Paderborn)
    • Ondřej Lhoták (Waterloo)
    • Frank Tip (Northeastern)
    • Eric Bodden (Paderborn & Fraunhofer IEM)
    • Mira Mezini (TU Darmstadt)
    • Julian Dolby (IBM Research)
    • Andrew Craik (IBM)
    • Mark Stoodley (IBM)
    • Vijay Sundaresan (IBM)
    • Ben Livshits (Imperial College London & Brave)
    • Emerson Murphy-Hill (Google)
    • Justin Smith (Lafayette College)
    • José Nelson Amaral (UAlberta)
    • James Wright (UAlberta)
    • Kirsten Thommes (Paderborn)
    • René Fahr (Paderborn)

  17. Collaborators (same list as slide 16)

  18. 2010

  19. 2010

  20. 2010
    Where do I begin?

  21. 2010
    Where do I begin? Start with this paper!

  22. … so what is a Call Graph?

  23. Call Graph

  24. Call Graph
    class Circle extends Shape { void draw() { ... } }
    class Square extends Shape { void draw() { ... } }
    Shape s;
    if (*) s = new Circle();
    else s = new Square();
    s.draw();

  25. Call Graph (same code as slide 24)
    required by every inter-procedural analysis

  26. Let’s build a Call Graph
    public class Main {
        public static void main(String[] args) {
            Shape s;
            if (args.length > 2) s = new Circle();
            else s = new Square();
            s.draw();
        }
    }
    abstract class Shape {
        abstract void draw();
    }
    class Circle extends Shape {
        void draw() { ... }
    }
    class Square extends Shape {
        void draw() { ... }
    }

  27. Let’s build a Call Graph (same code as slide 26)
    Call-graph nodes: Main.main()

  28. Let’s build a Call Graph (same code as slide 26)
    Call-graph nodes: Main.main(), Circle.<init>()

  29. Let’s build a Call Graph (same code as slide 26)
    Call-graph nodes: Main.main(), Shape.<init>(), Circle.<init>(), Object.<init>()

  30. Let’s build a Call Graph (same code as slide 26)
    Call-graph nodes: Main.main(), Shape.<init>(), Square.<init>(), Circle.<init>(), Object.<init>()

  31. Let’s build a Call Graph (same code as slide 26)
    Call-graph nodes: Main.main(), Shape.<init>(), Square.<init>(), Circle.<init>(), Square.draw(), Circle.draw(), Object.<init>()

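Slides 26-31 build the call graph for the Main/Shape/Circle/Square program by hand; the block below does the same construction as a small class-hierarchy-analysis (CHA) worklist. It is an added example, not the speaker's code or any framework's: the Java is hand-encoded as a toy IR (the SUPER and METHODS tables are constructed), and Object.<init> is included so the constructor chain matches the slides.

```python
"""Class-hierarchy-analysis (CHA) call-graph construction for the slides'
Main/Shape/Circle/Square program.  Added example, not the speaker's code: the
Java is hand-encoded as a toy IR (SUPER / METHODS tables), not parsed."""
from collections import deque

# Constructed toy IR.  SUPER gives each class's superclass; METHODS gives each
# method's call sites: ("new", Class) instantiates Class, ("super", sig) is a
# direct call of the superclass constructor, ("virtual", Class.name) is a
# virtual call on a receiver whose declared type is Class.
SUPER = {"Object": None, "Main": "Object", "Shape": "Object",
         "Circle": "Shape", "Square": "Shape"}
ABSTRACT = {"Shape.draw"}          # declared without a body: never a target
METHODS = {
    "Main.main":     [("new", "Circle"), ("new", "Square"), ("virtual", "Shape.draw")],
    "Object.<init>": [],
    "Shape.<init>":  [("super", "Object.<init>")],
    "Circle.<init>": [("super", "Shape.<init>")],
    "Square.<init>": [("super", "Shape.<init>")],
    "Shape.draw":    [],
    "Circle.draw":   [],
    "Square.draw":   [],
}


def is_subtype(cls, ancestor):
    while cls is not None:
        if cls == ancestor:
            return True
        cls = SUPER[cls]
    return False


def subtypes(cls):
    """cls together with all of its transitive subclasses (sorted for determinism)."""
    return sorted(c for c in SUPER if is_subtype(c, cls))


def lookup(cls, name):
    """Virtual-method lookup: the nearest declaration of `name` from cls upwards."""
    while cls is not None:
        if f"{cls}.{name}" in METHODS:
            return f"{cls}.{name}"
        cls = SUPER[cls]
    return None


def dispatch_targets(static_sig):
    """CHA resolution: every concrete method that some subtype of the receiver's
    declared type would run.  The `if (*)` on the slide is exactly why both
    Circle.draw and Square.draw come back for s.draw()."""
    decl_cls, name = static_sig.split(".")
    found = {lookup(c, name) for c in subtypes(decl_cls)}
    return sorted(t for t in found if t is not None and t not in ABSTRACT)


def call_targets(site):
    kind, target = site
    if kind == "new":
        return [f"{target}.<init>"]
    if kind == "super":
        return [target]
    return dispatch_targets(target)


def build_call_graph(entry="Main.main"):
    """Worklist over the methods reachable from `entry`.  Returns the reachable
    methods in discovery order and the set of (caller, callee) edges."""
    reachable, edges, work = [entry], set(), deque([entry])
    while work:
        caller = work.popleft()
        for site in METHODS[caller]:
            for callee in call_targets(site):
                edges.add((caller, callee))
                if callee not in reachable:
                    reachable.append(callee)
                    work.append(callee)
    return reachable, edges


if __name__ == "__main__":
    methods, edges = build_call_graph()
    print("reachable:", methods)
    for caller, callee in sorted(edges):
        print(f"  {caller} -> {callee}")
```

The seven reachable methods are exactly the nodes slide 31 ends with; the abstract Shape.draw never becomes a node because CHA only keeps concrete dispatch targets.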
  32. Let’s build a Call Graph for javac

  33. Let’s build a Call Graph for javac
    • Java 1.4
    • 0.5 MB of class files
    • 8 GB of RAM
    • HOURS!
    IRIS Reasoner

  34. Let’s build a Call Graph for javac
    • Java 1.4
    • 0.5 MB of class files
    • 8 GB of RAM
    • HOURS!
    IRIS Reasoner
    Exception in thread "main"
    java.lang.OutOfMemoryError: Java heap space

  35. Let’s build a Call Graph for "Hello, World!"

  36.
    public class HelloWorld {
        public static void main(String[] args) {
            System.out.println("Hello, World!");
        }
    }

  37. (same code as slide 36)
    • > 30 seconds
    • > 5,000 reachable methods
    • > 23,000 call edges

  38. Hello, World!

  39. (image only)

  40. Alone?

  41. Not Alone!
    I'd like to ignore library code
    what about callbacks?
    this would be unsound but better than nothing
    ignore non-application program elements (e.g., system libraries)?
    whole-program analysis always pulls in the world for completeness. The problem is that the world is fairly large
    I am NOT interested in those

  42. Partial-Program Analysis

  43. Sound and Precise Partial-Program Analysis

  44. (image only)

  45. Ideal Call Graph
    Image: CooperToons

  46. Ideal Call Graph
    Whole-Program Call Graph

  47. Ideal Call Graph
    Whole-Program Call Graph
    Incomplete Call Graph (unsound)

  48. Ideal Call Graph
    Whole-Program Call Graph
    Incomplete Call Graph (unsound)
    Conservative Call Graph (highly imprecise)

  49. Ideal Call Graph
    Whole-Program Call Graph
    Incomplete Call Graph (unsound)
    Conservative Call Graph (highly imprecise)
    Partial-Program Call Graph

  50. The Separate Compilation Assumption
    Source: Ali and Lhoták. Application-Only Call Graph Construction. [ECOOP '12]

  51. The Separate Compilation Assumption
    All of the library classes can be compiled in the absence of the application classes.

  52. Constraints
    1. Class Hierarchy
    2. Class Instantiation
    3. Local Variables
    4. Method Calls
    5. Field Access
    6. Array Access
    7. Static Initialization
    8. Exception Handling

  53. Constraints (same list as slide 52)

  54. Library Points-to Set (LPT)
    Application / Library
    pt(v1) = {o1, o3}
    pt(v2) = {o2, o3}
    pt(v3) = {o1, o4}
    LPT = {o1, o2, o3, o5}

  55. Library Callbacks
    Application: class C { m(); }  class B extends L { m(); }  class A extends L { m(); }
    Library: class L { m(); }
    (diagram edges labelled "calls", 1 and 2)
    LPT = {A, C}

  56. Source: Ali and Lhoták. Averroes: Whole-Program Analysis Without The Whole Program. [ECOOP '13]

  57. (diagram labels: JAR, Placeholder Library, SCA, JAR)

  58. Evaluation
    600× smaller library
    7× faster analysis
    6× less memory
    Precise & Sound

  59. (image only)

  60. Application / Library
    Scalability

  61. Program Analysis in Practice
    Precision

  62. Program Analysis in Practice
    Scalability, Precision

  63. Security-Related Static Analyses

  64. Security-Related Static Analyses
    public void main(String[] args) {
        Object x = null;
        Object y = x;
        y.toString();
    }
    Null-Pointer Analysis

  65. Security-Related Static Analyses
    public void main(String[] args) {
        String x = args[0];
        String y = x;
        SQL.execute("SELECT * FROM User where userId=" + y);
    }
    Taint Analysis

  66. Security-Related Static Analyses
    public void main(String[] args) {
        File x = new File();
        File y = x;
        y.close();
    }
    Typestate Analysis

  67. Static Data-Flow Analysis

  68. Precise Static Data-Flow Analysis

  69. Precise Static Data-Flow Analysis
    public void main(String[] args) {
        File x = new File();
        this.z = x;
        foo(x);
        x.close();
        foo(x);
    }
    public void foo(File y) {
        y.write(...);
    }
    public void foo() {
        this.a.write(...);
    }

  70. Precise Static Data-Flow Analysis (same code as slide 69)
    Context-Sensitive

  71. Precise Static Data-Flow Analysis (same code as slide 69)
    Field-Sensitive

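Slides 69-71 motivate context and field sensitivity on one program; the block below runs that program through a small typestate analysis (is a File written after it was closed?) with each kind of sensitivity switched on or off. It is an added example, not the speaker's or SPDS code: the IR encoding, the abstract-object naming and the extra trailing foo() call (the slide declares foo() but never calls it) are constructed assumptions.

```python
"""Typestate analysis (does a File get written after close()?) over a toy IR
that mirrors the program on the slides.  Added example, not the speaker's or
any framework's code: the same statements are analysed with field and context
sensitivity switched on or off so the difference in findings is visible."""


# Constructed IR for the slide's Java.  Statement forms:
#   ("new", p)         p = new File()   (the new abstract object starts Open)
#   ("assign", p, q)   p = q            (p, q are access paths such as this.z)
#   ("call", m, args)  m(args)
#   ("close", p)       p.close()
#   ("write", p)       p.write(...)
# The trailing foo() call is a constructed addition: the slide declares foo()
# but never calls it; the call is only here to exercise this.z vs this.a.
PROGRAM = {
    "main": {"params": [], "body": [
        ("new", "x"),
        ("assign", "this.z", "x"),
        ("call", "foo(File)", ["x"]),
        ("close", "x"),
        ("call", "foo(File)", ["x"]),
        ("call", "foo()", []),
    ]},
    "foo(File)": {"params": ["y"], "body": [("write", "y")]},
    "foo()":     {"params": [], "body": [("write", "this.a")]},
}


def join(a, b):
    """Pointwise union of two {key: set} maps; used to merge abstract states."""
    out = {k: set(v) for k, v in a.items()}
    for k, v in b.items():
        out.setdefault(k, set()).update(v)
    return out


class TypestateAnalysis:
    def __init__(self, field_sensitive=True, context_sensitive=True):
        self.fs, self.cs = field_sensitive, context_sensitive
        self.findings = []   # (offending statement, calling context)
        self.entry = {}      # context-insensitive: callee -> joined entry state
        self.fresh = 0

    def path(self, p):
        """Field-insensitive mode collapses every field of a base into base.*"""
        if self.fs or "." not in p:
            return p
        return p.split(".", 1)[0] + ".*"

    def run(self):
        self.exec("main", {}, {}, "main")
        # Context-insensitive mode analyses each callee once, under the join
        # of the states seen at all of its call sites.
        for callee, (env, state) in self.entry.items():
            self.exec(callee, env, state, f"{callee}@any-caller")
        return self.findings

    def exec(self, method, env, state, ctx):
        """env: access path -> set of abstract objects it may point to.
        state: abstract object -> set of typestates ("Open" and/or "Closed")."""
        for pc, stmt in enumerate(PROGRAM[method]["body"]):
            op = stmt[0]
            if op == "new":
                self.fresh += 1
                obj = f"o{self.fresh}"
                env[self.path(stmt[1])] = {obj}
                state[obj] = {"Open"}
            elif op == "assign":
                env[self.path(stmt[1])] = set(env.get(self.path(stmt[2]), set()))
            elif op == "close":
                for obj in env.get(self.path(stmt[1]), ()):
                    state[obj] = {"Closed"}
            elif op == "write":
                objs = env.get(self.path(stmt[1]), ())
                if any("Closed" in state[o] for o in objs):
                    self.findings.append((f"{stmt[1]}.write()", ctx))
            elif op == "call":
                callee, args = stmt[1], stmt[2]
                # The callee sees its parameters plus the receiver's fields.
                cenv = {p: set(v) for p, v in env.items() if p.startswith("this.")}
                for param, arg in zip(PROGRAM[callee]["params"], args):
                    cenv[param] = set(env.get(self.path(arg), set()))
                if self.cs:
                    # Analyse the body under this call site's own state (the
                    # shared `state` also lets a callee close objects).
                    self.exec(callee, cenv, state, f"{ctx}>{callee}@{pc}")
                else:
                    old_env, old_state = self.entry.get(callee, ({}, {}))
                    self.entry[callee] = (join(old_env, cenv), join(old_state, state))


def analyse(field_sensitive=True, context_sensitive=True):
    return TypestateAnalysis(field_sensitive, context_sensitive).run()


if __name__ == "__main__":
    for fs, cs in [(True, True), (False, True), (True, False)]:
        print(f"field_sensitive={fs} context_sensitive={cs}:", analyse(fs, cs))
```

The precise run reports only the second foo(x); the field-insensitive run additionally flags this.a.write() because this.z and this.a have been merged into this.*, and the context-insensitive run can only say that foo(File) writes a possibly-closed file, not which call site is at fault.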
  72. Precise Static Data-Flow Analysis
    Pushdown Automaton
    Variables: x, y, z
    Stack of Calls: main(), foo(x), bar(y), foo(z)
    Stack of Fields: f, h, g, f
    Context-Sensitive ∧ Field-Sensitive

  73. Precise Static Data-Flow Analysis (same diagram as slide 72)
    Context-Sensitive ∧ Field-Sensitive: Undecidable, Reps [TOPLAS 2000]
    Source: Thomas W. Reps. Undecidability of Context-Sensitive Data-Dependence Analysis. [TOPLAS '00]

  74. Precise Static Data-Flow Analysis (same diagram as slide 72)

  75. Precise Static Data-Flow Analysis
    Pushdown Automaton
    Variables: x, z
    Stack of Calls: main(), foo(x), bar(y), foo(z)
    k-limiting: Access Paths/Graphs y.f, y.g, y.f.h, y.f.g
    Context-Sensitive ∧ Field-Sensitive

  76. Precise Static Data-Flow Analysis (same diagram as slide 75)
    What’s a good value for k?
    k-limiting yields too many false positives

  77. Synchronized Pushdown Systems (SPDS)
    Source: Späth et al. Context-, Flow-, and Field-Sensitive Data-Flow Analysis using Synchronized Pushdown Systems. [POPL '19]

  78. Synchronized Pushdown Systems
    Context-Sensitive ∧ Field-Sensitive

  79. Synchronized Pushdown Systems
    Context-Sensitive, Field-Sensitive, Context-Sensitive ∧ Field-Sensitive
    over-approximation: never encountered in practice

  80. Synchronized Pushdown Systems
    Context-Sensitive: Pushdown System of Calls (Variables x, y, z; Stack of Calls main(), foo(x), bar(y), foo(z))
    Field-Sensitive: Pushdown System of Fields (Variables x, y, z; Stack of Fields f, h, g, f)

  81. Synchronized Pushdown Systems (same diagram as slide 80)
    Decidable

  82. Synchronized Pushdown Systems (same diagram as slide 80)
    Decidable, No k-limiting

  83. SPDS Evaluation

  84. SPDS Evaluation
    (chart: Analysis Time (seconds), 0 to 50, against Number of Field Accesses, 2 to 18, on Eclipse; series: Access Path (k=1), Access Path (k=2), Access Path (k=3), Access Path (k=4), SPDS)

  85. … but is it useful in practice?

  86. CogniCrypt.org
    Eclipse Foundation

  87. 68% are insecure
    (Maven has > 2.7 million artifacts)

  88. 95% are insecure
    (10,000 most recent Android apps on AndroZoo)

  89. Symantec CVE-2018-12240

  90. Precision
    SPDS

  91. Program Analysis in Practice
    Usability

  92. (image only)

  93. precise, responsive, seamless, tailored
    Sources: Johnson et al. Why Don’t Software Developers Use Static Analysis Tools to Find Bugs? [ICSE '13]
    Xiao et al. Social Influences on Secure Development Tool Adoption: Why Security Tools Spread. [CSCW '14]
    Smith et al. Questions Developers Ask While Diagnosing Potential Security Vulnerabilities with Static Analysis. [FSE '15]

  94. Just-In-Time Static Analysis

  95. Just-In-Time Static Analysis (Cheetah)
    https://github.com/secure-software-engineering/cheetah
    Developers fix errors 2x faster

  96. Usability

  97. Scalability, Precision, Usability

  98. Where do we go from here?
    Image: Boomerang Toons / GIPHY

  99. Swift Analysis Framework
    themaplelab/swan

  100. Analysis-Driven Inliner
    themaplelab/openj9
    (poster excerpt: Discriminants: Call Frequency, Method Size, Post-Inlining Transformations, Estimate Post-Inlining Transformations; Budget Algorithm: Nested Knapsack; Search Space: All IDT Methods)

  101. Fixing Neural Networks using Solver-Aided Languages
    coming soon...
    (poster excerpt)
    • Understanding the internals of neural networks is limited due to their complexity
    • Fixing errors in neural networks without retraining is hard and currently not supported
    • We use Rosette to solve for changes in weights to a neural network
    • Rosette is able to represent neural networks and their results as symbolic values, which can then be solved for, under the assertion that a given data point is correct
    Objective: adjust n weights. We use Rosette to solve for changes in network weights subject to the following objective: to maximize (formula in the poster image)
    Weight Selection
    #lang rosette
    (define-symbolic x integer?)
    (assert (> x 3))
    (define solution (solve x))
    > (evaluate x solution)
    4

  102. Google
    Android Mobile Security
    Image: Android Developers Blog

  103. Facebook
    Infer, Zoncolan, SapFix
    Source: Distefano et al. Scaling Static Analyses at Facebook. [CACM '19]

  104. Semmle
    Continuous Security Analysis
    Image: LGTM.com

  105. Future of Program Analysis
    (the Fixing Neural Networks poster from slide 101 and the Analysis-Driven Inliner excerpt from slide 100 shown again, plus the poster's evaluation section)
    • We evaluate network performance before and after solving
    • Network with 784 input nodes, 300 hidden, and 10 output nodes
    • On average, after making changes, 99.85% of testing points remain correctly classified
    (chart: Effect of Number of Symbolic Weights on Runtime)
    Extra Images: SIGPLAN Blog

  106. Program Analysis (slide 6 shown again)

  107. Program Analysis (slides 6 and 13 shown again)

  108. Program Analysis (slides 6, 13 and 97 shown again)

  109. Program Analysis (slides 6, 13, 97 and 105 shown again)
    Poster credit: Fixing Neural Networks with Solver-Aided Languages. Revan MacQueen (University of Alberta), Julian Dolby (IBM Research), Karim Ali (University of Alberta). https://github.com/themaplelab/ML-SE

  110. Karim Ali
    University of Alberta
    @karimhamdanali
    Is Program Analysis The Silver Bullet Against Software Bugs?
    (slides 6, 13, 97 and 105 shown again)