Presentation is loading. Please wait.

Presentation is loading. Please wait.

A User-Guided Approach to Program Analysis Ravi Mangal, Xin Zhang, Mayur Naik Georgia Tech Aditya Nori Microsoft Research.

Published byAlexander Lewis Modified over 8 years ago

Similar presentations

Presentation on theme: "A User-Guided Approach to Program Analysis Ravi Mangal, Xin Zhang, Mayur Naik Georgia Tech Aditya Nori Microsoft Research."— Presentation transcript:

1 A User-Guided Approach to Program Analysis Ravi Mangal, Xin Zhang, Mayur Naik Georgia Tech Aditya Nori Microsoft Research

2 Motivation Imprecisely defined properties Missing program parts Computing exact solutions impossible Program Analysis Analysis Writer Approximations … ESEC/FSE 20152 Program Analysis

3 Motivation Analysis User Bug Reports Program Analysis ESEC/FSE 20153 “ People ignore the tool if more than 30% false positives are reported … ” [Coverity, CACM’10]

4 Our Key Idea Shift decisions about usefulness of results from analysis writers to analysis users Approximations Analysis Writer Analysis User Feedback Program Analysis ESEC/FSE 20154

5 1 public class RequestHandler { 2 FtpRequestImpl request; 3 FtpWriter writer; 4 BufferedReader reader; 5 Socket controlSocket; 6 boolean isConnectionClosed; 7 … 8 public void getRequest( ) { 10 } Example: Static Datarace Detection 11 public void close( ) { 12 synchronized (this) { 13 if (isConnectionClosed) 14 return; 15 isConnectionClosed = true; 16 } 21 reader.close(); 22 reader = null; 23 controlSocket.close(); 24 controlSocket = null; 25 } Code snippet from Apache FTP Server 9 return request; // x0 17 request.clear(); // x1 18 request = null; // x2 19 writer.close(); // y1 20 writer = null; // y2 R1 R2 R3 R4 R5 ESEC/FSE 20155

6 Before User Feedback ESEC/FSE 20156

7 After User Feedback ESEC/FSE 20157

8 Our System For User-Guided Analysis ESEC/FSE 20158

9 Logical Analysis ESEC/FSE 20159

10 Logical Datarace Analysis Using Datalog ESEC/FSE 201510 Input relations: next(p1, p2), mayAlias(p1, p2), guarded(p1, p2) Output relations: parallel(p1, p2), race(p1, p2) Rules: parallel(p3, p2) :- parallel(p1, p2), next (p3, p1). (2) parallel(p1, p2) :- parallel(p2, p1). race(p1, p2) :- parallel(p1, p2), mayAlias(p1, p2), ¬guarded(p1, p2). p1 & p2 may have a datarace. p1 & p2 may happen in parallel. p1 is immediate successor of p2. p1 & p2 may access the same memory location. p1 & p2 are guarded by the same lock. If p1 & p2 may happen in parallel, and they may access the same memory location, and they are not guarded by the same lock, then p1 & p2 may have a datarace. If p1 & p2 may happen in parallel, and p3 is successor of p1, then p3 & p2 may happen in parallel. If p2 & p1 may happen in parallel, then p1 & p2 may happen in parallel.

11  Easier to specify Why Datalog? vs. ESEC/FSE 201511 Analysis in Java Analysis in Datalog

12 Why Datalog? ESEC/FSE 201512  Easier to specify  Leverage efficient solvers  Widely adaptable

13 Probabilistic Analysis ESEC/FSE 201513

14 Datarace Analysis: Logical  Probabilistic Input relations: next(p1, p2), mayAlias(p1, p2), guarded(p1, p2) Output relations: parallel(p1, p2), race(p1, p2) Rules: parallel(p3, p2) :- parallel(p1, p2), next (p3, p1). (2) parallel(p1, p2) :- parallel(p2, p1). race(p1, p2) :- parallel(p1, p2), mayAlias(p1, p2), ¬guarded(p1, p2). ¬race(x2, x1). weight 5 ESEC/FSE 201514 weight 25 “Hard” Rule “Soft” Rule

15  Probabilistic Analysis => Markov Logic Network (MLN) [Richardson & Domingos, Machine Learning’06 ]  MLN defines a probability distribution over all possible analysis outputs  Probability of an output x : A Semantics for Probabilistic Analysis ESEC/FSE 201515 Number of true instances of rule i in x Weight of rule i Normalization factor

16 Inference Engine ESEC/FSE 201516

17 Probabilistic Inference Find the most likely output given the input program ESEC/FSE 201517

18 What is MaxSAT? Find a boolean assignment such that the sum of the weights of the satisfied clauses is maximized ¬ b1 ∨ ¬ b2 ∨ b3 weight 5 ∧ b3 ∨ b4 weight 10 ∧ ¬ b4 ∨ ¬ b2 weight 7 ∧... ESEC/FSE 201518

19 Probabilistic Inference  MaxSAT Solve the MaxSAT instance entailed by the MLN Find the most likely output given the input program ESEC/FSE 201519

20 1 public class RequestHandler { 2 FtpRequestImpl request; 3 FtpWriter writer; 4 BufferedReader reader; 5 Socket controlSocket; 6 boolean isConnectionClosed; 7 … 8 public void getRequest( ) { 10 } Example: Static Datarace Detection 11 public void close( ) { 12 synchronized (this) { 13 if (isConnectionClosed) 14 return; 15 isConnectionClosed = true; 16 } 21 reader.close(); 22 reader = null; 23 controlSocket.close(); 24 controlSocket = null; 25 } Code snippet from Apache FTP Server 9 return request; // x0 17 request.clear(); // x1 18 request = null; // x2 19 writer.close(); // y1 20 writer = null; // y2 R1 R2 R3 R4 R5 ESEC/FSE 201520

21 Output facts (before feedback): parallel(x2, x0), race(x2, x0), parallel(x2, x1), race(x2, x1), parallel( y 2, y 1), race( y 2, y 1) How Does Online Phase Work? Output facts (after feedback): parallel(x2, x0), race(x2, x0) Input facts: next(x2, x1), mayAlias(x2, x1), ¬guarded(x2, x1), next( y 1, x2), mayAlias( y 2, y 1), ¬guarded( y 2, y 1) MaxSAT formula: (parallel(x1, x1) ∧ next(x2, x1) => parallel(x2, x1)) weight 5 ∧ (parallel(x1, x2) ∧ next(x2, x1) => parallel(x2, x2)) weight 5 ∧ (parallel(x2, x2) ∧ next(y1, x2) => parallel(y1, x2)) weight 5 ∧ (parallel( y 2, y 1) ∧ mayAlias( y 2, y 1) ∧ ¬guarded( y 2, y 1) => race( y 2, y 1)) ∧ (parallel(x2, x1) ∧ mayAlias(x2, x1) ∧ ¬guarded(x2, x1) => race(x2, x1)) ∧ ¬race(x2, x1) weight 25 ESEC/FSE 201521

22 Learning Engine ESEC/FSE 201522

23 Weight Learning Learn rule weights such that the probability of the training data is maximized Perform gradient descent [Singla & Domingos, AAAI’05] ESEC/FSE 201523

24 Putting It All Together ESEC/FSE 201524

25 Empirical Evaluation Questions  RQ1: Does user feedback help in improving analysis precision?  RQ2: How much feedback is needed and does the amount of feedback affect the precision?  RQ3: How feasible is it for users to inspect analysis output and provide useful feedback? ESEC/FSE 201525

26 Empirical Evaluation Setup  Control Study:  Analyses: (1) Pointer analysis, (2) Datarace analysis  Benchmarks: 7 Java programs (130-200 KLOC each)  Feedback: Automated [Zhang et.al, PLDI’14]  User Study:  Analyses: Information flow analysis  Benchmarks: 3 security micro-benchmarks  Feedback: 9 users ESEC/FSE 201526

27 Benchmarks Characteristics classesmethodsbytecode(KB)KLOC antlr3502.3K186131 avrora1,5446.2K325193 ftp4142.2K118130 hedc3532.1K140153 luindex6193.7K235190 lusearch6403.9K250198 weblech5763.3K208194 secbench15130.30.6 secbench24120.20.6 secbench317461.34.2 ESEC/FSE 201527 Control Study User Study

28 Precision Results: Pointer Analysis ESEC/FSE 201528 5% 10% 15% 20%

29 Precision Results: Datarace Analysis ESEC/FSE 201529 RQ1, RQ2: With only up to 20% feedback, 70% of the false positives are eliminated and 98% of true positives retained.

30 Precision Results: User Study ESEC/FSE 201530 User 1 User 2 … User 6 RQ3: Users only need 8 minutes on average to provide useful feedback that improves analysis precision showing feasibility of approach.

31  Approximations are a necessary evil in program analysis  Our contributions:  Paradigm: Incorporate user feedback to guide approximations  Method: Datalog  MLN  MaxSAT  Results: Eliminates most false positives (~70%) at the cost of introducing few false negatives (~2%) with limited feedback  Systematically combining program analysis and machine learning techniques with human intelligence is the future Conclusion ESEC/FSE 201531

32 Feasibility Results: User Study ESEC/FSE 201532 RQ3: Users only need 8 minutes on average to provide feedback showing feasibility of approach.

Download ppt "A User-Guided Approach to Program Analysis Ravi Mangal, Xin Zhang, Mayur Naik Georgia Tech Aditya Nori Microsoft Research."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Online Max-Margin Weight Learning with Markov Logic Networks Tuyen N. Huynh and Raymond J. Mooney Machine Learning Group Department of Computer Science.

Online Max-Margin Weight Learning with Markov Logic Networks Tuyen N. Huynh and Raymond J. Mooney Machine Learning Group Department of Computer Science.
Google News Personalization: Scalable Online Collaborative Filtering

Google News Personalization: Scalable Online Collaborative Filtering
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Pallavi Joshi  Chang-Seo Park  Koushik Sen  Mayur Naik ‡  Par Lab, EECS, UC Berkeley‡

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Pallavi Joshi  Chang-Seo Park  Koushik Sen  Mayur Naik ‡  Par Lab, EECS, UC Berkeley‡
Effective Static Deadlock Detection

Effective Static Deadlock Detection
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
University of Texas at Austin Machine Learning Group Department of Computer Sciences University of Texas at Austin Discriminative Structure and Parameter.

University of Texas at Austin Machine Learning Group Department of Computer Sciences University of Texas at Austin Discriminative Structure and Parameter.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.

Pointer Analysis – Part I Mayur Naik Intel Research, Berkeley CS294 Lecture March 17, 2009.
Online Max-Margin Weight Learning for Markov Logic Networks Tuyen N. Huynh and Raymond J. Mooney Machine Learning Group Department of Computer Science.

Online Max-Margin Weight Learning for Markov Logic Networks Tuyen N. Huynh and Raymond J. Mooney Machine Learning Group Department of Computer Science.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
Scalable and Precise Dynamic Datarace Detection for Structured Parallelism Raghavan RamanJisheng ZhaoVivek Sarkar Rice University June 13, 2012 Martin.

Scalable and Precise Dynamic Datarace Detection for Structured Parallelism Raghavan RamanJisheng ZhaoVivek Sarkar Rice University June 13, 2012 Martin.
PAPER BY : CHRISTOPHER R’E NILESH DALVI DAN SUCIU International Conference on Data Engineering (ICDE), 2007 PRESENTED BY : JITENDRA GUPTA.

PAPER BY : CHRISTOPHER R’E NILESH DALVI DAN SUCIU International Conference on Data Engineering (ICDE), 2007 PRESENTED BY : JITENDRA GUPTA.
Markov Logic: A Unifying Framework for Statistical Relational Learning Pedro Domingos Matthew Richardson

Markov Logic: A Unifying Framework for Statistical Relational Learning Pedro Domingos Matthew Richardson
Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.

Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.
Mayur Naik Alex Aiken John Whaley Stanford University Effective Static Race Detection for Java.

Mayur Naik Alex Aiken John Whaley Stanford University Effective Static Race Detection for Java.
Learning From Data Chichang Jou Tamkang University.

Learning From Data Chichang Jou Tamkang University.
AI – CS364 Hybrid Intelligent Systems Overview of Hybrid Intelligent Systems 07 th November 2005 Dr Bogdan L. Vrusias

AI – CS364 Hybrid Intelligent Systems Overview of Hybrid Intelligent Systems 07 th November 2005 Dr Bogdan L. Vrusias
From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.

From last time S1: l := new Cons p := l S2: t := new Cons *p := t p := t l p S1 l p tS2 l p S1 t S2 l t S1 p S2 l t S1 p S2 l t S1 p L2 l t S1 p S2 l t.
SDLC. Information Systems Development Terms SDLC - the development method used by most organizations today for large, complex systems Systems Analysts.

SDLC. Information Systems Development Terms SDLC - the development method used by most organizations today for large, complex systems Systems Analysts.

Similar presentations

Ads by Google