A User-Guided Approach to Program Analysis Ravi Mangal, Xin Zhang, Mayur Naik Georgia Tech Aditya Nori Microsoft Research.

Slides:



Advertisements
Similar presentations
Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Advertisements

Online Max-Margin Weight Learning with Markov Logic Networks Tuyen N. Huynh and Raymond J. Mooney Machine Learning Group Department of Computer Science.
Google News Personalization: Scalable Online Collaborative Filtering
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Pallavi Joshi  Chang-Seo Park  Koushik Sen  Mayur Naik ‡  Par Lab, EECS, UC Berkeley‡
Effective Static Deadlock Detection
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
University of Texas at Austin Machine Learning Group Department of Computer Sciences University of Texas at Austin Discriminative Structure and Parameter.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Online Max-Margin Weight Learning for Markov Logic Networks Tuyen N. Huynh and Raymond J. Mooney Machine Learning Group Department of Computer Science.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
Scalable and Precise Dynamic Datarace Detection for Structured Parallelism Raghavan RamanJisheng ZhaoVivek Sarkar Rice University June 13, 2012 Martin.
PAPER BY : CHRISTOPHER R’E NILESH DALVI DAN SUCIU International Conference on Data Engineering (ICDE), 2007 PRESENTED BY : JITENDRA GUPTA.
Markov Logic: A Unifying Framework for Statistical Relational Learning Pedro Domingos Matthew Richardson
Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.
Mayur Naik Alex Aiken John Whaley Stanford University Effective Static Race Detection for Java.
Learning From Data Chichang Jou Tamkang University.
AI – CS364 Hybrid Intelligent Systems Overview of Hybrid Intelligent Systems 07 th November 2005 Dr Bogdan L. Vrusias
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
SDLC. Information Systems Development Terms SDLC - the development method used by most organizations today for large, complex systems Systems Analysts.
7/14/2015EECS 584, Fall MapReduce: Simplied Data Processing on Large Clusters Yunxing Dai, Huan Feng.
Statistical Relational Learning Pedro Domingos Dept. Computer Science & Eng. University of Washington.
Software Bug Localization with Markov Logic Sai Zhang, Congle Zhang University of Washington Presented by Todd Schiller.
Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
CSC2535: 2013 Advanced Machine Learning Lecture 3a: The Origin of Variational Bayes Geoffrey Hinton.
University of Michigan Electrical Engineering and Computer Science 1 Practical Lock/Unlock Pairing for Concurrent Programs Hyoun Kyu Cho 1, Yin Wang 2,
CS252: Systems Programming Ninghui Li Final Exam Review.
Introduction to Systems Analysis and Design Trisha Cummings.
The Quest for Minimal Program Abstractions Mayur Naik Georgia Tech Ravi Mangal and Xin Zhang (Georgia Tech), Percy Liang (Stanford), Mooly Sagiv (Tel-Aviv.
Automatically Synthesizing SQL Queries from Input-Output Examples Sai Zhang University of Washington Joint work with: Yuyin Sun.
10/6/2015 1Intelligent Systems and Soft Computing Lecture 0 What is Soft Computing.
Bug Localization with Machine Learning Techniques Wujie Zheng
1 Effective Static Race Detection for Java Mayur, Alex, CS Department Stanford University Presented by Roy Ganor 14/2/08 Point-To Analysis Seminar.
Markov Logic And other SRL Approaches
Algorithms and Algorithm Analysis The “fun” stuff.
Aditya V. Nori, Sriram K. Rajamani Microsoft Research India.
Software Development using artificial markets of constructively egoistic agents Karl Lieberherr 1SD-F09.
CSC321: 2011 Introduction to Neural Networks and Machine Learning Lecture 11: Bayesian learning continued Geoffrey Hinton.
CS 782 – Machine Learning Lecture 4 Linear Models for Classification  Probabilistic generative models  Probabilistic discriminative models.
1 Program Slicing Amir Saeidi PhD Student UTRECHT UNIVERSITY.
Pointer Analysis as a System of Linear Equations. Rupesh Nasre (CSA). Advisor: Prof. R. Govindarajan. Jan 22, 2010.
Soft Computing Lecture 19 Part 2 Hybrid Intelligent Systems.
Computer Science 1 Mining Likely Properties of Access Control Policies via Association Rule Mining JeeHyun Hwang 1, Tao Xie 1, Vincent Hu 2 and Mine Altunay.
On the Relation between SAT and BDDs for Equivalence Checking Sherief Reda Rolf Drechsler Alex Orailoglu Computer Science & Engineering Dept. University.
Dataflow Analysis for Concurrent Programs using Datarace Detection Ravi Chugh, Jan W. Voung, Ranjit Jhala, Sorin Lerner LBA Reading Group Michelle Goodstein.
Pedro Domingos University of Washington. Traditional Programming Machine Learning Computer Data Algorithm Output Computer Data Output Algorithm.
Using Symbolic PathFinder at NASA Corina Pãsãreanu Carnegie Mellon/NASA Ames.
Effective Static Deadlock Detection Mayur Naik* Chang-Seo Park +, Koushik Sen +, David Gay* *Intel Research, Berkeley + UC Berkeley.
Secure Composition of Untrusted Code: Wrappers and Causality Types Kyle Taylor.
Effective Static Deadlock Detection Mayur Naik (Intel Research) Chang-Seo Park and Koushik Sen (UC Berkeley) David Gay (Intel Research)
Happy Mittal (Joint work with Prasoon Goyal, Parag Singla and Vibhav Gogate) IIT Delhi New Rules for Domain Independent Lifted.
Points-to Analysis as a System of Linear Equations Rupesh Nasre. Computer Science and Automation Indian Institute of Science Advisor: Prof. R. Govindarajan.
Tommy Messelis * Stefaan Haspeslagh Burak Bilgin Patrick De Causmaecker Greet Vanden Berghe *
The Ins and Outs of Gradual Type Inference Avik Chaudhuri Basil Hosmer Adobe Systems Aseem Rastogi Stony Brook University.
CACheck: Detecting and Repairing Cell Arrays in Spreadsheets
General-Purpose Learning Machine
Control Flow Testing Handouts
Combining Logical and Probabilistic Reasoning in Program Analysis
Chapter 8 – Software Testing
Harry Xu University of California, Irvine & Microsoft Research
Outline of the Chapter Basic Idea Outline of Control Flow Testing
Query-Guided Maximum Satisfiability
TriggerScope Towards detecting logic bombs in android applications
A User-Guided Approach to Program Analysis
A User-Guided Approach to Program Analysis
Ravi Mangal, Xin Zhang, Mayur Naik
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.
Intelligent Systems and
CSC-682 Advanced Computer Security
Presentation transcript:

A User-Guided Approach to Program Analysis Ravi Mangal, Xin Zhang, Mayur Naik Georgia Tech Aditya Nori Microsoft Research

Motivation Imprecisely defined properties Missing program parts Computing exact solutions impossible Program Analysis Analysis Writer Approximations … ESEC/FSE Program Analysis

Motivation Analysis User Bug Reports Program Analysis ESEC/FSE “ People ignore the tool if more than 30% false positives are reported … ” [Coverity, CACM’10]

Our Key Idea Shift decisions about usefulness of results from analysis writers to analysis users Approximations Analysis Writer Analysis User Feedback Program Analysis ESEC/FSE 20154

1 public class RequestHandler { 2 FtpRequestImpl request; 3 FtpWriter writer; 4 BufferedReader reader; 5 Socket controlSocket; 6 boolean isConnectionClosed; 7 … 8 public void getRequest( ) { 10 } Example: Static Datarace Detection 11 public void close( ) { 12 synchronized (this) { 13 if (isConnectionClosed) 14 return; 15 isConnectionClosed = true; 16 } 21 reader.close(); 22 reader = null; 23 controlSocket.close(); 24 controlSocket = null; 25 } Code snippet from Apache FTP Server 9 return request; // x0 17 request.clear(); // x1 18 request = null; // x2 19 writer.close(); // y1 20 writer = null; // y2 R1 R2 R3 R4 R5 ESEC/FSE 20155

Before User Feedback ESEC/FSE 20156

After User Feedback ESEC/FSE 20157

Our System For User-Guided Analysis ESEC/FSE 20158

Logical Analysis ESEC/FSE 20159

Logical Datarace Analysis Using Datalog ESEC/FSE Input relations: next(p1, p2), mayAlias(p1, p2), guarded(p1, p2) Output relations: parallel(p1, p2), race(p1, p2) Rules: parallel(p3, p2) :- parallel(p1, p2), next (p3, p1). (2) parallel(p1, p2) :- parallel(p2, p1). race(p1, p2) :- parallel(p1, p2), mayAlias(p1, p2), ¬guarded(p1, p2). p1 & p2 may have a datarace. p1 & p2 may happen in parallel. p1 is immediate successor of p2. p1 & p2 may access the same memory location. p1 & p2 are guarded by the same lock. If p1 & p2 may happen in parallel, and they may access the same memory location, and they are not guarded by the same lock, then p1 & p2 may have a datarace. If p1 & p2 may happen in parallel, and p3 is successor of p1, then p3 & p2 may happen in parallel. If p2 & p1 may happen in parallel, then p1 & p2 may happen in parallel.

 Easier to specify Why Datalog? vs. ESEC/FSE Analysis in Java Analysis in Datalog

Why Datalog? ESEC/FSE  Easier to specify  Leverage efficient solvers  Widely adaptable

Probabilistic Analysis ESEC/FSE

Datarace Analysis: Logical  Probabilistic Input relations: next(p1, p2), mayAlias(p1, p2), guarded(p1, p2) Output relations: parallel(p1, p2), race(p1, p2) Rules: parallel(p3, p2) :- parallel(p1, p2), next (p3, p1). (2) parallel(p1, p2) :- parallel(p2, p1). race(p1, p2) :- parallel(p1, p2), mayAlias(p1, p2), ¬guarded(p1, p2). ¬race(x2, x1). weight 5 ESEC/FSE weight 25 “Hard” Rule “Soft” Rule

 Probabilistic Analysis => Markov Logic Network (MLN) [Richardson & Domingos, Machine Learning’06 ]  MLN defines a probability distribution over all possible analysis outputs  Probability of an output x : A Semantics for Probabilistic Analysis ESEC/FSE Number of true instances of rule i in x Weight of rule i Normalization factor

Inference Engine ESEC/FSE

Probabilistic Inference Find the most likely output given the input program ESEC/FSE

What is MaxSAT? Find a boolean assignment such that the sum of the weights of the satisfied clauses is maximized ¬ b1 ∨ ¬ b2 ∨ b3 weight 5 ∧ b3 ∨ b4 weight 10 ∧ ¬ b4 ∨ ¬ b2 weight 7 ∧... ESEC/FSE

Probabilistic Inference  MaxSAT Solve the MaxSAT instance entailed by the MLN Find the most likely output given the input program ESEC/FSE

1 public class RequestHandler { 2 FtpRequestImpl request; 3 FtpWriter writer; 4 BufferedReader reader; 5 Socket controlSocket; 6 boolean isConnectionClosed; 7 … 8 public void getRequest( ) { 10 } Example: Static Datarace Detection 11 public void close( ) { 12 synchronized (this) { 13 if (isConnectionClosed) 14 return; 15 isConnectionClosed = true; 16 } 21 reader.close(); 22 reader = null; 23 controlSocket.close(); 24 controlSocket = null; 25 } Code snippet from Apache FTP Server 9 return request; // x0 17 request.clear(); // x1 18 request = null; // x2 19 writer.close(); // y1 20 writer = null; // y2 R1 R2 R3 R4 R5 ESEC/FSE

Output facts (before feedback): parallel(x2, x0), race(x2, x0), parallel(x2, x1), race(x2, x1), parallel( y 2, y 1), race( y 2, y 1) How Does Online Phase Work? Output facts (after feedback): parallel(x2, x0), race(x2, x0) Input facts: next(x2, x1), mayAlias(x2, x1), ¬guarded(x2, x1), next( y 1, x2), mayAlias( y 2, y 1), ¬guarded( y 2, y 1) MaxSAT formula: (parallel(x1, x1) ∧ next(x2, x1) => parallel(x2, x1)) weight 5 ∧ (parallel(x1, x2) ∧ next(x2, x1) => parallel(x2, x2)) weight 5 ∧ (parallel(x2, x2) ∧ next(y1, x2) => parallel(y1, x2)) weight 5 ∧ (parallel( y 2, y 1) ∧ mayAlias( y 2, y 1) ∧ ¬guarded( y 2, y 1) => race( y 2, y 1)) ∧ (parallel(x2, x1) ∧ mayAlias(x2, x1) ∧ ¬guarded(x2, x1) => race(x2, x1)) ∧ ¬race(x2, x1) weight 25 ESEC/FSE

Learning Engine ESEC/FSE

Weight Learning Learn rule weights such that the probability of the training data is maximized Perform gradient descent [Singla & Domingos, AAAI’05] ESEC/FSE

Putting It All Together ESEC/FSE

Empirical Evaluation Questions  RQ1: Does user feedback help in improving analysis precision?  RQ2: How much feedback is needed and does the amount of feedback affect the precision?  RQ3: How feasible is it for users to inspect analysis output and provide useful feedback? ESEC/FSE

Empirical Evaluation Setup  Control Study:  Analyses: (1) Pointer analysis, (2) Datarace analysis  Benchmarks: 7 Java programs ( KLOC each)  Feedback: Automated [Zhang et.al, PLDI’14]  User Study:  Analyses: Information flow analysis  Benchmarks: 3 security micro-benchmarks  Feedback: 9 users ESEC/FSE

Benchmarks Characteristics classesmethodsbytecode(KB)KLOC antlr3502.3K avrora1,5446.2K ftp4142.2K hedc3532.1K luindex6193.7K lusearch6403.9K weblech5763.3K secbench secbench secbench ESEC/FSE Control Study User Study

Precision Results: Pointer Analysis ESEC/FSE % 10% 15% 20%

Precision Results: Datarace Analysis ESEC/FSE RQ1, RQ2: With only up to 20% feedback, 70% of the false positives are eliminated and 98% of true positives retained.

Precision Results: User Study ESEC/FSE User 1 User 2 … User 6 RQ3: Users only need 8 minutes on average to provide useful feedback that improves analysis precision showing feasibility of approach.

 Approximations are a necessary evil in program analysis  Our contributions:  Paradigm: Incorporate user feedback to guide approximations  Method: Datalog  MLN  MaxSAT  Results: Eliminates most false positives (~70%) at the cost of introducing few false negatives (~2%) with limited feedback  Systematically combining program analysis and machine learning techniques with human intelligence is the future Conclusion ESEC/FSE

Feasibility Results: User Study ESEC/FSE RQ3: Users only need 8 minutes on average to provide feedback showing feasibility of approach.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.