Slide 1

Slide 1 text

Karim Ali University of Alberta @karimhamdanali Is Program Analysis The Silver Bullet Against Software Bugs? Papers We Love Conference — 2019

Slide 2

Slide 2 text

@karimhamdanali Software Bugs !2

Slide 3

Slide 3 text

@karimhamdanali Software Bugs Invalid SSL/TLS connections earned Apple Most Epic Fail [Pwnie ’14] !3 goto fail; goto fail; Source: CVE-2014-1266

Slide 4

Slide 4 text

@karimhamdanali © Copyright 2014, Philip Koopman. CC Attribution 4.0 International license. 5 http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/ May 25, 2010 Software Bugs Errors in ABS software led to fatal accidents and cost Toyota $3 Billion !4 Source: Philip Koopman, CMU

Slide 5

Slide 5 text

@karimhamdanali Software Bugs Unencrypted, unauthenticated connections to some medical implants !5 Source: Department of Homeland Security

Slide 6

Slide 6 text

@karimhamdanali Program Analysis !6 goto fail; goto fail; © Copyright 2014, Philip Koopman. CC Attribution 4.0 International license. 5 http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/ May 25, 2010

Slide 7

Slide 7 text

@karimhamdanali What is Program Analysis? !7

Slide 8

Slide 8 text

@karimhamdanali Program Analysis !8 A way of reasoning about the runtime behaviour of a program without necessarily executing it

Slide 9

Slide 9 text

@karimhamdanali Rice’s Theorem “For any interesting property Pr of the behaviour of a program, it is impossible to write an analysis that can decide for every program p whether Pr holds for p.” !9 Image: CooperToons

Slide 10

Slide 10 text

@karimhamdanali By definition, program analysis is undecidable !10

Slide 11

Slide 11 text

@karimhamdanali Not quite… !11 Image: J. K. Simmons / Whiplash

Slide 12

Slide 12 text

@karimhamdanali Program Analysis •Settle for an approximation of Pr •Make it as “good” as possible p analysis yes p analysis no !12 few Image: Jenna Mullins / ENews

Slide 13

Slide 13 text

@karimhamdanali Program Analysis !13 Code Navigation Code Recommenders Code Refactoring Constant Propagation Dead Code Elimination Static Inlining Parallelization

Slide 14

Slide 14 text

@karimhamdanali Program Analysis in Practice !14 Image: Minion Special / YouTube

Slide 15

Slide 15 text

@karimhamdanali Program Analysis in Practice !15 Scalability Usability Precision

Slide 16

Slide 16 text

@karimhamdanali Collaborators •Erick Ochoa (UAlberta) •Spencer Killen (UAlberta) •Kristen Newbury (UAlberta) •Revan MacQueen (UAlberta) •Daniil Tiganov (UAlberta) •Jeff Cho (UAlberta) •Johannes Späth (Paderborn) •Lisa Nguyen (Paderborn) •Stefan Krüger (Paderborn) •Ondřej Lhoták (Waterloo) •Frank Tip (Northeastern) •Eric Bodden (Paderborn & Fraunhofer IEM) •Mira Mezini (TU Darmstadt) •Julian Dolby (IBM Research) •Andrew Craik (IBM) •Mark Stoodley (IBM) •Vijay Sundaresan (IBM) •Ben Livshits (Imperial College London & Brave) •Emerson Murphy-Hill (Google) •Justin Smith (Lafayette College) •José Nelson Amaral (UAlberta) •James Wright (UAlberta) •Kirsten Thommes (Paderborn) •René Fahr (Paderborn) !16

Slide 17

Slide 17 text

@karimhamdanali Collaborators •Erick Ochoa (UAlberta) •Spencer Killen (UAlberta) •Kristen Newbury (UAlberta) •Revan MacQueen (UAlberta) •Daniil Tiganov (UAlberta) •Jeff Cho (UAlberta) •Johannes Späth (Paderborn) •Lisa Nguyen (Paderborn) •Stefan Krüger (Paderborn) •Ondřej Lhoták (Waterloo) •Frank Tip (Northeastern) •Eric Bodden (Paderborn & Fraunhofer IEM) •Mira Mezini (TU Darmstadt) •Julian Dolby (IBM Research) •Andrew Craik (IBM) •Mark Stoodley (IBM) •Vijay Sundaresan (IBM) •Ben Livshits (Imperial College London & Brave) •Emerson Murphy-Hill (Google) •Justin Smith (Lafayette College) •José Nelson Amaral (UAlberta) •James Wright (UAlberta) •Kirsten Thommes (Paderborn) •René Fahr (Paderborn) !17

Slide 18

Slide 18 text

@karimhamdanali 2010 !18

Slide 19

Slide 19 text

@karimhamdanali 2010 !19

Slide 20

Slide 20 text

@karimhamdanali 2010 !20 Where do I begin?

Slide 21

Slide 21 text

@karimhamdanali 2010 !21 Where do I begin? Start with this paper!

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

@karimhamdanali … so what is a Call Graph? !24

Slide 25

Slide 25 text

@karimhamdanali Call Graph !25

Slide 26

Slide 26 text

@karimhamdanali Call Graph !26 class Circle extends Shape { void draw() { ... } } class Square extends Shape { void draw() { ... } } Shape s; if(*) s = new Circle(); else s = new Square(); s.draw();

Slide 27

Slide 27 text

@karimhamdanali Call Graph !27 class Circle extends Shape { void draw() { ... } } class Square extends Shape { void draw() { ... } } Shape s; if(*) s = new Circle(); else s = new Square(); s.draw(); required by every inter-procedural analysis

Slide 28

Slide 28 text

@karimhamdanali Let’s build a Call Graph !28 public class Main { public static void main(String[] args) { Shape s; if (args.length > 2) s = new Circle(); else s = new Square(); s.draw(); } } abstract class Shape { abstract void draw(); } class Circle extends Shape { void draw() { ... } } class Square extends Shape { void draw() { ... } }

Slide 29

Slide 29 text

@karimhamdanali Let’s build a Call Graph !29 public class Main { public static void main(String[] args) { Shape s; if (args.length > 2) s = new Circle(); else s = new Square(); s.draw(); } } abstract class Shape { abstract void draw(); } class Circle extends Shape { void draw() { ... } } class Square extends Shape { void draw() { ... } } Main.main()

Slide 30

Slide 30 text

@karimhamdanali Let’s build a Call Graph !30 public class Main { public static void main(String[] args) { Shape s; if (args.length > 2) s = new Circle(); else s = new Square(); s.draw(); } } abstract class Shape { abstract void draw(); } class Circle extends Shape { void draw() { ... } } class Square extends Shape { void draw() { ... } } Main.main() Circle.()

Slide 31

Slide 31 text

@karimhamdanali Let’s build a Call Graph !31 public class Main { public static void main(String[] args) { Shape s; if (args.length > 2) s = new Circle(); else s = new Square(); s.draw(); } } abstract class Shape { abstract void draw(); } class Circle extends Shape { void draw() { ... } } class Square extends Shape { void draw() { ... } } Main.main() Shape.() Circle.() Object.()

Slide 32

Slide 32 text

@karimhamdanali Let’s build a Call Graph !32 public class Main { public static void main(String[] args) { Shape s; if (args.length > 2) s = new Circle(); else s = new Square(); s.draw(); } } abstract class Shape { abstract void draw(); } class Circle extends Shape { void draw() { ... } } class Square extends Shape { void draw() { ... } } Main.main() Shape.() Square.() Circle.() Object.()

Slide 33

Slide 33 text

@karimhamdanali Let’s build a Call Graph !33 public class Main { public static void main(String[] args) { Shape s; if (args.length > 2) s = new Circle(); else s = new Square(); s.draw(); } } abstract class Shape { abstract void draw(); } class Circle extends Shape { void draw() { ... } } class Square extends Shape { void draw() { ... } } Main.main() Shape.() Square.() Circle.() Square.draw() Circle.draw() Object.()

Slide 34

Slide 34 text

No content

Slide 35

Slide 35 text

@karimhamdanali Let’s build a Call Graph for javac !35

Slide 36

Slide 36 text

@karimhamdanali Let’s build a Call Graph for javac !36 • Java 1.4 • 0.5 MB of class files • 8 GB of RAM • HOURS! IRIS Reasoner

Slide 37

Slide 37 text

@karimhamdanali Let’s build a Call Graph for javac !37 • Java 1.4 • 0.5 MB of class files • 8 GB of RAM • HOURS! IRIS Reasoner Exception in thread “main" java.lang.OutOfMemoryError: Java heap space

Slide 38

Slide 38 text

@karimhamdanali Let’s build a Call Graph for "Hello, World!" !38

Slide 39

Slide 39 text

@karimhamdanali !39 public class HelloWorld { public static void main(String[] args) { System.out.println("Hello, World!"); } }

Slide 40

Slide 40 text

@karimhamdanali !40 public class HelloWorld { public static void main(String[] args) { System.out.println("Hello, World!"); } } • > 30 seconds • > 5,000 reachable methods • > 23,000 call edges

Slide 41

Slide 41 text

@karimhamdanali Hello, World! !41

Slide 42

Slide 42 text

@karimhamdanali !42

Slide 43

Slide 43 text

No content

Slide 44

Slide 44 text

@karimhamdanali Alone? !44

Slide 45

Slide 45 text

@karimhamdanali Not Alone! !45 I'd like to ignore library code what about callbacks? this would be unsound but better than nothing ignore non-application program elements (e.g., system libraries)? whole-program analysis always pulls in the world for completeness. The problem is that the world is fairly large I am NOT interested in those

Slide 46

Slide 46 text

@karimhamdanali Partial-Program Analysis !46

Slide 47

Slide 47 text

@karimhamdanali Sound and Precise Partial-Program Analysis !47

Slide 48

Slide 48 text

@karimhamdanali !48

Slide 49

Slide 49 text

@karimhamdanali !49 Ideal Call Graph Image: CooperToons

Slide 50

Slide 50 text

@karimhamdanali !50 Ideal Call Graph Whole-Program Call Graph

Slide 51

Slide 51 text

@karimhamdanali !51 Ideal Call Graph Whole-Program Call Graph Incomplete Call Graph (unsound)

Slide 52

Slide 52 text

@karimhamdanali !52 Ideal Call Graph Whole-Program Call Graph Incomplete Call Graph (unsound) Conservative Call Graph (highly imprecise)

Slide 53

Slide 53 text

@karimhamdanali !53 Ideal Call Graph Whole-Program Call Graph Incomplete Call Graph (unsound) Conservative Call Graph (highly imprecise) Partial-Program Call Graph

Slide 54

Slide 54 text

@karimhamdanali The Separate Compilation Assumption !54 Source: Ali and Lhoták. Application-Only Call Graph Construction. [ECOOP '12]

Slide 55

Slide 55 text

@karimhamdanali The Separate Compilation Assumption All of the library classes can be compiled in the absence of the application classes. !55

Slide 56

Slide 56 text

@karimhamdanali Constraints 1. Class Hierarchy 2. Class Instantiation 3. Local Variables 4. Method Calls !56 5. Field Access 6. Array Access 7. Static Initialization 8. Exception Handling

Slide 57

Slide 57 text

@karimhamdanali Constraints 1. Class Hierarchy 2. Class Instantiation 3. Local Variables 4. Method Calls !57 5. Field Access 6. Array Access 7. Static Initialization 8. Exception Handling

Slide 58

Slide 58 text

@karimhamdanali Library Points-to Set (LPT) !58 Application Library pt(v1) = o1 o3 pt(v2) = o2 o3 pt(v3) = o1 o4 LPT = o1 o2 o3 o5

Slide 59

Slide 59 text

@karimhamdanali Library Callbacks !59 Application Library class C { m(); } class B extends L { m(); } class A extends L { m(); } calls class L { m(); } 1 LPT = A C 2

Slide 60

Slide 60 text

@karimhamdanali !60 Source: Ali and Lhoták. Averroes: Whole-Program Analysis Without The Whole Program. [ECOOP '13]

Slide 61

Slide 61 text

@karimhamdanali JAR Placeholder Library SCA JAR !61

Slide 62

Slide 62 text

@karimhamdanali Evaluation !62 600× smaller library 7× faster analysis 6× less memory Precise & Sound

Slide 63

Slide 63 text

@karimhamdanali !63

Slide 64

Slide 64 text

@karimhamdanali !64 Application Library Scalability

Slide 65

Slide 65 text

@karimhamdanali Program Analysis in Practice !65 Precision

Slide 66

Slide 66 text

@karimhamdanali Program Analysis in Practice !66 Scalability Precision

Slide 67

Slide 67 text

@karimhamdanali Security-Related Static Analyses !67

Slide 68

Slide 68 text

@karimhamdanali Security-Related Static Analyses !68 public void main(String[] args) { Object x = null; Object y = x; y.toString(); } Null-Pointer Analysis

Slide 69

Slide 69 text

@karimhamdanali Security-Related Static Analyses !69 public void main(String[] args) { String x = args[0]; String y = x; SQL.execute(''SELECT * FROM User where userId='' + y ); } Taint Analysis

Slide 70

Slide 70 text

@karimhamdanali Security-Related Static Analyses !70 public void main(String[] args) { File x = new File(); File y = x; y.close(); } Typestate Analysis

Slide 71

Slide 71 text

@karimhamdanali Static Data-Flow Analysis !71

Slide 72

Slide 72 text

@karimhamdanali Precise Static Data-Flow Analysis !72

Slide 73

Slide 73 text

@karimhamdanali Precise Static Data-Flow Analysis !73 public void main(String[] args) { File x = new File(); this.z = x; foo(x); x.close(); foo(x); } public void foo(File y){ y.write(...); } public void foo(){ this.a.write(...); }

Slide 74

Slide 74 text

@karimhamdanali Precise Static Data-Flow Analysis !74 public void main(String[] args) { File x = new File(); this.z = x; foo(x); x.close(); foo(x); } public void foo(File y){ y.write(...); } public void foo(){ this.a.write(...); } Context-Sensitive

Slide 75

Slide 75 text

@karimhamdanali Precise Static Data-Flow Analysis !75 public void main(String[] args) { File x = new File(); this.z = x; foo(x); x.close(); foo(x); } public void foo(File y){ y.write(...); } public void foo(){ this.a.write(...); } Field-Sensitive

Slide 76

Slide 76 text

@karimhamdanali Precise Static Data-Flow Analysis !76 x z y Pushdown Automaton main() foo(x) bar(y) foo(z) Stack of Calls f h g f Stack of Fields Context-Sensitive ∧ Field-Sensitive

Slide 77

Slide 77 text

@karimhamdanali Precise Static Data-Flow Analysis !77 x z y Pushdown Automaton main() foo(x) bar(y) foo(z) Stack of Calls f h g f Stack of Fields Undecidable Reps [TOPLAS 2000] Source: Thomas W. Reps. Undecidability of Context-Sensitive Data-Dependence Analysis. [TOPLAS '00] Context-Sensitive ∧ Field-Sensitive

Slide 78

Slide 78 text

@karimhamdanali Precise Static Data-Flow Analysis !78 x z y Pushdown Automaton main() foo(x) bar(y) foo(z) Stack of Calls f h g f Stack of Fields Context-Sensitive ∧ Field-Sensitive

Slide 79

Slide 79 text

@karimhamdanali Precise Static Data-Flow Analysis !79 x z Pushdown Automaton main() foo(x) bar(y) foo(z) Stack of Calls k-limitting Access Paths/Graphs y.f y.g y.f.h y.f.g Context-Sensitive ∧ Field-Sensitive

Slide 80

Slide 80 text

@karimhamdanali Precise Static Data-Flow Analysis !80 x z Pushdown Automaton main() foo(x) bar(y) foo(z) Stack of Calls k-limitting Access Paths/Graphs y.f y.g y.f.h y.f.g Context-Sensitive ∧ Field-Sensitive What’s a good value for k? k-limitting yields too many false positives

Slide 81

Slide 81 text

@karimhamdanali Synchronized Pushdown Systems (SPDS) !81 Source: Späeth et al. Context-, Flow-, and Field-Sensitive Data-Flow Analysis using Synchronized Pushdown Systems. [POPL '19]

Slide 82

Slide 82 text

@karimhamdanali Synchronized Pushdown Systems !82 Context-Sensitive ∧ Field-Sensitive

Slide 83

Slide 83 text

@karimhamdanali Synchronized Pushdown Systems !83 Context-Sensitive Field-Sensitive Context-Sensitive ∧ Field-Sensitive ∧ ⊑ over-approximation Never encountered in practice

Slide 84

Slide 84 text

@karimhamdanali Synchronized Pushdown Systems !84 Context-Sensitive Field-Sensitive ∧ Pushdown System of Calls x z y main() foo(x) bar(y) foo(z) Stack of Calls Variables f h g f Stack of Fields Pushdown System of Fields x z y Variables

Slide 85

Slide 85 text

@karimhamdanali Synchronized Pushdown Systems !85 Context-Sensitive Field-Sensitive ∧ Pushdown System of Calls x z y main() foo(x) bar(y) foo(z) Stack of Calls Variables f h g f Stack of Fields Pushdown System of Fields x z y Variables Decidable

Slide 86

Slide 86 text

@karimhamdanali Synchronized Pushdown Systems !86 Context-Sensitive Field-Sensitive ∧ Pushdown System of Calls x z y main() foo(x) bar(y) foo(z) Stack of Calls Variables f h g f Stack of Fields Pushdown System of Fields x z y Variables Decidable No k-limitting

Slide 87

Slide 87 text

@karimhamdanali SPDS Evaluation !87

Slide 88

Slide 88 text

@karimhamdanali SPDS Evaluation !88 Analysis Time (seconds) 0 5 10 15 20 25 30 35 40 45 50 Number of Field Accesses 2 4 6 8 10 12 14 16 18 Access Path (k=4) Access Path (k=3) Access Path (k=2) Access Path (k=1) SPDS Eclipse

Slide 89

Slide 89 text

@karimhamdanali … but is it useful in practice? !89

Slide 90

Slide 90 text

@karimhamdanali CogniCrypt.org Eclipse Foundation !90

Slide 91

Slide 91 text

@karimhamdanali 68% are insecure (Maven has > 2.7 million artifacts) !91

Slide 92

Slide 92 text

@karimhamdanali 95% are insecure (10,000 most recent Android apps on AndroZoo) !92

Slide 93

Slide 93 text

@karimhamdanali Symantec CVE-2018-12240 !93

Slide 94

Slide 94 text

@karimhamdanali !94 Precision SPDS

Slide 95

Slide 95 text

@karimhamdanali Program Analysis in Practice !95 Usability

Slide 96

Slide 96 text

No content

Slide 97

Slide 97 text

No content

Slide 98

Slide 98 text

@karimhamdanali !98

Slide 99

Slide 99 text

@karimhamdanali 99 precise responsive seamless tailored Sources: Johnson et al. Why Don’t Software Developers Use Static Analysis Tools to Find Bugs? [ICSE '13] Sources: Xiao et al. Social Influences on Secure Development Tool Adoption: Why Security Tools Spread. [CSCW '14] Sources: Smith et al. Questions Developers Ask While Diagnosing Potential Security Vulnerabilities with Static Analysis. [FSE '15]

Slide 100

Slide 100 text

@karimhamdanali Just-In-Time Static Analysis !100

Slide 101

Slide 101 text

@karimhamdanali Just-In-Time Static Analysis (Cheetah) !101 https://github.com/secure-software-engineering/cheetah Developers fix errors 2x faster

Slide 102

Slide 102 text

@karimhamdanali !102 Usability

Slide 103

Slide 103 text

@karimhamdanali !103 Scalability Usability Precision

Slide 104

Slide 104 text

@karimhamdanali Where do we go from here? !104 Image: Boomerang Toons / GIPHY

Slide 105

Slide 105 text

@karimhamdanali Swift Analysis Framework !105 themaplelab/swan

Slide 106

Slide 106 text

@karimhamdanali @karimhamdanali Analysis-Driven Inliner Discriminants Budget Algorithm Search Space Call Frequency Method Size Method Size Nested Knapsack All IDT Methods Post-Inlining Transformations !59 Estimate Post-Inlining Transformations !106 themaplelab/openj9

Slide 107

Slide 107 text

@karimhamdanali • Understanding the internals of neural networks is limited due to their complexity • Fixing errors in neural networks without retraining is hard and currently not supported • We use Rosette to solve for changes in weights to a neural network • Rosette is able to represent neural networks and their results as symbolic values, which can then be solved for, under the assertion that a given data point is correct OVERVIEW Rosette Objective Adjust n weights We use rosette to solve for changes in network weights subject to the following objective To maximize Weight Selection EVALUATION WEIGHT SELECTION METHOD TRAINING SOLVING Training Solving Evaluation #lang rosette (define-symbolic x integer?) (assert (> x3)) (define solution (solve x)) > (evaluate x solution) 4 Fixing Neural Networks using Solver-Aided Languages !107 coming soon...

Slide 108

Slide 108 text

@karimhamdanali Google Android Mobile Security !108 Image: Android Developers Blog

Slide 109

Slide 109 text

@karimhamdanali Facebook Infer, Zoncolan, SapFix !109 Source: Distefano et al. Scaling Satic Analsyes at Facebook. [CACM '19]

Slide 110

Slide 110 text

@karimhamdanali Semmle Continuous Security Analysis !110 Image: LGTM.com

Slide 111

Slide 111 text

@karimhamdanali Future of Program Analysis !111 • Understanding the internals of neural networks is limited due to their complexity • Fixing errors in neural networks without retraining is hard and currently not supported • We use Rosette to solve for changes in weights to a neural network • Rosette is able to represent neural networks and their results as symbolic values, which can then be solved for, under the assertion that a given data point is correct OVERVIEW Rosette Objective Adjust n weights We use rosette to solve for changes in network weights subject to the following objective To maximize Weight Selection • We evaluate network performance before and after solving • Network with 784 input nodes, 300 hidden, and 10 output nodes • On average, after making changes, 99.85% of testing points remain correctly classified EVALUATION WEIGHT SELECTION METHOD TRAINING SOLVING Training Effect of Number of Symbolic Weights on Runtime Solving Evaluation #lang rosette (define-symbolic x integer?) (assert (> x3)) (define solution (solve x)) > (evaluate x solution) 4 @karimhamdanali Discriminants Budget Algorithm Search Space Call Frequency Method Size Method Size Nested Knapsack All IDT Methods Post-Inlining Transformations !59 Extra Images: SIGPLAN Blog

Slide 112

Slide 112 text

No content

Slide 113

Slide 113 text

@karimhamdanali Program Analysis !6 goto fail; goto fail; © Copyright 2014, Philip Koopman. CC Attribution 4.0 International license. 5 http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/ May 25, 2010

Slide 114

Slide 114 text

@karimhamdanali Program Analysis !6 goto fail; goto fail; © Copyright 2014, Philip Koopman. CC Attribution 4.0 International license. 5 http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/ May 25, 2010 @karimhamdanali Program Analysis !13 Code Navigation Code Recommenders Code Refactoring Constant Propagation Dead Code Elimination Static Inlining Parallelization

Slide 115

Slide 115 text

@karimhamdanali Program Analysis !6 goto fail; goto fail; © Copyright 2014, Philip Koopman. CC Attribution 4.0 International license. 5 http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/ May 25, 2010 @karimhamdanali Program Analysis !13 Code Navigation Code Recommenders Code Refactoring Constant Propagation Dead Code Elimination Static Inlining Parallelization @karimhamdanali !103 Scalability Usability Precision

Slide 116

Slide 116 text

@karimhamdanali Program Analysis !6 goto fail; goto fail; © Copyright 2014, Philip Koopman. CC Attribution 4.0 International license. 5 http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/ May 25, 2010 @karimhamdanali Program Analysis !13 Code Navigation Code Recommenders Code Refactoring Constant Propagation Dead Code Elimination Static Inlining Parallelization @karimhamdanali !103 Scalability Usability Precision @karimhamdanali Future of Program Analysis !111 Fixing Neural Networks with Solver-Aided Languages Revan MacQueen1, Julian Dolby2, Karim Ali1 1UNIVERSITY OF ALBERTA, 2IBM RESEARCH https://github.com/themaplelab/ML-SE • Understanding the internals of neural networks is limited due to their complexity • Fixing errors in neural networks without retraining is hard and currently not supported • We use Rosette to solve for changes in weights to a neural network • Rosette is able to represent neural networks and their results as symbolic values, which can then be solved for, under the assertion that a given data point is correct OVERVIEW Rosette Objective Adjust n weights We use rosette to solve for changes in network weights subject to the following objective To maximize Weight Selection • We evaluate network performance before and after solving • Network with 784 input nodes, 300 hidden, and 10 output nodes • On average, after making changes, 99.85% of testing points remain correctly classified EVALUATION WEIGHT SELECTION METHOD TRAINING SOLVING Training Effect of Number of Symbolic Weights on Runtime Solving Evaluation #lang rosette (define-symbolic x integer?) (assert (> x3)) (define solution (solve x)) > (evaluate x solution) 4 @karimhamdanali Analysis-Driven Inliner Discriminants Budget Algorithm Search Space Call Frequency Method Size Method Size Nested Knapsack All IDT Methods Post-Inlining Transformations !59 Extra Images: SIGPLAN Blog

Slide 117

Slide 117 text

Karim Ali University of Alberta @karimhamdanali Is Program Analysis The Silver Bullet Against Software Bugs? @karimhamdanali Program Analysis !6 goto fail; goto fail; © Copyright 2014, Philip Koopman. CC Attribution 4.0 International license. 5 http://www.cbsnews.com/news/toyota-unintended-acceleration-has-killed-89/ May 25, 2010 @karimhamdanali Program Analysis !13 Code Navigation Code Recommenders Code Refactoring Constant Propagation Dead Code Elimination Static Inlining Parallelization @karimhamdanali !103 Scalability Usability Precision @karimhamdanali Future of Program Analysis !111 Fixing Neural Networks with Solver-Aided Languages Revan MacQueen1, Julian Dolby2, Karim Ali1 1UNIVERSITY OF ALBERTA, 2IBM RESEARCH https://github.com/themaplelab/ML-SE • Understanding the internals of neural networks is limited due to their complexity • Fixing errors in neural networks without retraining is hard and currently not supported • We use Rosette to solve for changes in weights to a neural network • Rosette is able to represent neural networks and their results as symbolic values, which can then be solved for, under the assertion that a given data point is correct OVERVIEW Rosette Objective Adjust n weights We use rosette to solve for changes in network weights subject to the following objective To maximize Weight Selection • We evaluate network performance before and after solving • Network with 784 input nodes, 300 hidden, and 10 output nodes • On average, after making changes, 99.85% of testing points remain correctly classified EVALUATION WEIGHT SELECTION METHOD TRAINING SOLVING Training Effect of Number of Symbolic Weights on Runtime Solving Evaluation #lang rosette (define-symbolic x integer?) (assert (> x3)) (define solution (solve x)) > (evaluate x solution) 4 @karimhamdanali Analysis-Driven Inliner Discriminants Budget Algorithm Search Space Call Frequency Method Size Method Size Nested Knapsack All IDT Methods Post-Inlining Transformations !59 Extra Images: SIGPLAN Blog