Automatically Generating Features for Learning Program Analysis Heuristics for C-Like Languages
|
|
- Sara Booker
- 5 years ago
- Views:
Transcription
1 Automatically Generating Features for Learning Program Analysis Heuristics for C-Like Languages Kwonsoo Chae Korea University Joint work with Hakjoo Oh (Korea University), Kihong Heo (Seoul National University), Hongseok Yang (University of Oxford) Canada
2 Static Analysis Diverse engineering decisions in static analysis: Context-sensitivity for which procedures? Relational analysis for which variables? Unsoundness for which part of the program? etc. 2/49
3 Static Analysis Data-Driven Diverse engineering decisions in static analysis: Context-sensitivity for which procedures? Relational analysis for which variables? Unsoundness for which part of the program? etc. Data-driven static analysis aims at automatically learning analysis heuristics from the codebase. codebase machine learning context-sensitivity heuristics relation tracking heuristics unsoundness heuristics etc. 3/49
4 Main Obstacle: Manual Feature Engineering What people expect codebase ML analysis 4/49
5 Main Obstacle: Manual Feature Engineering What people expect Reality codebase codebase ML analysis feature engineering ML analysis Manual, time-consuming Need for domain expertise Not interchangeable among different analyses 5/49
6 Main Obstacle: flow-sensitivity (OOPSLA'15) Manual Feature Engineering What people think Reality Codebase codebase ML Analysis feature engineering ML analysis Manual, time-consuming Need for domain expertise Not interchangeable among different analyses 6/49
7 Main Obstacle: context-sensitivity (OOPSLA'15) Manual Feature Engineering What people think Reality Codebase codebase ML Analysis feature engineering ML analysis Manual, time-consuming Need for domain expertise Not interchangeable among different analyses 7/49
8 Main Obstacle: widening threshold (APLAS'16) Manual Feature Engineering What people think Reality Codebase Codebase ML Analysis Feature engineering ML analysis Manual, time-consuming Need for domain expertise Not interchangeable among different analyses 8/49
9 relational analysis (SAS'16) Main Obstacle: Manual Feature Engineering What people think Reality Codebase Codebase ML Feature engineering Manual, time-consuming Analysis ML Need for domain expertise Not interchangeable Analysis among different analyses 9/49
10 unsoundness (ICSE'17) Main Obstacle: Manual Feature Engineering What people think Reality Codebase Codebase ML Feature engineering Manual, time-consuming Analysis ML Need for domain expertise Not interchangeable Analysis among different analyses 10/49
11 context-sensitivity (previous talk) Main Obstacle: Manual Feature Engineering What people think Reality Codebase Codebase ML Feature engineering Manual, time-consuming Analysis ML Need for domain expertise Not interchangeable Analysis among different analyses 11/49
12 context-sensitivity (previous talk) Main Obstacle: Manual Feature Engineering What people think Reality Feature engineering: Feature Codebase ML Codebase major bottleneck inengineering data-driven static analysis Manual, time-consuming Analysis ML Need for domain expertise Not interchangeable Analysis among different analyses 12/49
13 This talk We Aim At Generating Features Automatically What people expect Reality Our goal codebase ML analysis codebase feature engineering ML codebase automatically generated features ML analysis analysis 13/49
14 Example: Partially Flow-Sensitive Interval Analysis x = 0; y = 0 z = input() w = 0 y = x y ++ assert (y>0); assert (z > 0); assert (w ==0) 14/49
15 Example: Partially Flow-Sensitive Interval Analysis x = 0; y = 0 z = input() FS-proven but FI-unproven (FS is beneficial) w = 0 y = x y ++ assert (y>0); assert (z > 0); assert (w ==0) 15/49
16 Example: Partially Flow-Sensitive Interval Analysis x = 0; y = 0 z = input() w = 0 Unproven even by FS (FS is not beneficial) y = x y ++ assert (y>0); assert (z > 0); assert (w ==0) 16/49
17 Example: Partially Flow-Sensitive Interval Analysis x = 0; y = 0 z = input() w = 0 Proven even by FI (FS is not beneficial) y = x y ++ assert (y>0); assert (z > 0); assert (w ==0) 17/49
18 Example: Partially Flow-Sensitive Interval Analysis x = 0; y = 0 z = input() w = 0 y = x y ++ FS FI FI assert (y>0); assert (z > 0); assert (w ==0) 18/49
19 Example: Partially Flow-Sensitive Interval Analysis x = 0; y = 0 z = input() Build a classifier that selects the 1 st assertion only. w = 0 y = x y ++ FS FI FI assert (y>0); assert (z > 0); assert (w ==0) 19/49
20 Building a Classifier Usual procedure (1) Design a good set of features manually. 20/49
21 Building a Classifier Usual procedure (1) Design a good set of features manually. (2) Generate labeled data. 21/49
22 Building a Classifier Usual procedure (1) Design a good set of features manually. (2) Generate labeled data. (3) Run an off-the-shelf classification algorithm. classification algorithm classifier 22/49
23 Building a Classifier Our Usual procedure automatically (1) Design a good set of features manually. (2) Generate labeled data. (3) Run an off-the-shelf classification algorithm. automatically classification algorithm classifier 23/49
24 Highlight: Key Ideas 1. Capture the key reason why FS is beneficial using a program reducer. program FS & FI >10KLOC program reducer for (i=0; i<7; i++) assert (i<10); 24/49
25 Highlight: Key Ideas 1. Capture the key reason why FS is beneficial using a program reducer. 2. Generalize the reduced program. program FS & FI >10KLOC program reducer for (i=0; i<7; i++) assert (i<10); generalize Q feature 25/49
26 Highlight: Key Ideas 1. Capture the key reason why FS is beneficial using a program reducer. 2. Generalize the reduced program. program FS & FI generalize >10KLOC program reducer for (i=0; i<7; i++) assert (i<10); generalize new program Q (The program has the feature) feature Q 26/49
27 Highlight: Results Generated 38 (interval), 45 (pointer), 44 (Octagon) features. Analysis heuristics built on top of automatically generated features Excellent balance between cost and precision, e.g., Partially flow-sensitive interval analysis: Precision 80.2 % FI (0) Cost FS(100) FI (1x) 2.0x FS (46x) 27/49
28 Automatic Feature Generation Recipe (1) Capture the key reasons from the codebase (using a program reducer). (2) Properly generalize the key reasons (to build generic features). The end. 28/49
29 (1) Capture The Key Reasons a = 0; b = 0; while (1) { b = unknown(); if (a > b) if (a < 3) assert (a < 5); a++; } 29/49
30 (1) Capture The Key Reasons a = 0; b = 0; while (1) { b = unknown(); if (a > b) reduce if (a < 3) assert (a < 5); a++; } e.g., C-Reduce a = 0; while (1) { if (a < 3) assert (a < 5); a++; } (FS: a<3 before assertion in the loop ) Use a program reducer to generate a feature program. The reduction preserves an invariant : 30/49
31 (2) Generalize The Key Reasons a = 0; while (1) { if (a < 3) assert (a < 5); a++; } 31/49
32 (2) Generalize The Key Reasons a = 0; while (1) { if (a < 3) assert (a < 5); a++; } abstract x := x + c x := c x c Q(x c) Properly generalize the feature program to an abstract data-flow graph (= feature). 32/49
33 (2) Generalize The Key Reasons a = 0; while (1) { if (a < 3) assert (a < 5); a++; } abstract x := x + c x := c x c Q(x c) Properly generalize the feature program to an abstract data-flow graph (= feature). The right level of abstraction is automatically identified by an iterative search and cross validation. Generalization vs. Preservation 33/49
34 Feature Check = Graph Inclusion Check feature: x := x + c x := c x c Q(x c) original program: a = 0; b = 0; while (1) { b = unknown(); if (a > b) if (a < 3) assert (a < 5); a++; } 34/49
35 Feature Check = Graph Inclusion Check feature: x := x + c x := c x c Q(x c) original program: a = 0; b = 0; while (1) { b = unknown(); if (a > b) if (a < 3) assert (a < 5); a++; } abstract data-flow graph: x := x x x := x + c x := c x c Q(x c) 35/49
36 Feature Check = Graph Inclusion Check feature: x := x + c x := c x c Q(x c) original program: a = 0; b = 0; while (1) { b = unknown(); if (a > b) if (a < 3) assert (a < 5); a++; } abstract data-flow graph: x := x x x := x + c x := c x c Q(x c) 36/49
37 Feature Check = Graph Inclusion Check feature: x := x + c x := c x c Q(x c) original program: a = 0; b = 0; while (1) { b = unknown(); if (a > b) if (a < 3) assert (a < 5); a++; } noise abstract data-flow graph: x := x x x := x + c x := c x c Q(x c) 37/49
38 Feature Check = Graph Inclusion Check feature: x := x + c x := c x c Q(x c) original program: a = 0; b = 0; while (1) { b = unknown(); if (a > b) if (a < 3) assert (a < 5); a++; } transitive closure abstract data-flow graph: x := x x x := x + c x := c x c Q(x c) 38/49
39 Feature Check = Graph Inclusion Check feature: x := x + c x := c x c Q(x c) Removing noise: reducer (offline, feature) original program: a = 0; b = 0; while (1) { b = unknown(); if (a > b) if (a < 3) assert (a < 5); a++; } transitive closure abstract data-flow graph: x := x x x := x + c transitive closure (online, new pgm) x := c x c Q(x c) 39/49
40 Feature Check = Graph Inclusion Check feature: x := x + c x := c x c Q(x c) original program: a = 0; b = 0; while (1) { b = unknown(); if (a > b) if (a < 3) assert (a < 5); a++; } abstract data-flow graph: x := x x x := x + c x := c x c Q(x c) 40/49
41 Evaluation Static analyzer: ( Reducer: C-Reduce [PLDI'12] ( Three instance analyses for C Partially flow-sensitive interval analysis Partially flow-sensitive pointer analysis Partial Octagon analysis 60 benchmark programs from Linux and GNU packages 41/49
42 Results: Effectiveness (Classifier) Partially flow-sensitive interval analysis Partially flow-sensitive pointer analysis Partial Octagon analysis 42/49
43 Results: Effectiveness (Analysis) Partially flow-sensitive interval analysis Partially flow-sensitive pointer analysis Partial Octagon analysis 43/49
44 Results: Comparison Partially flow-sensitive interval analysis Partial Octagon analysis automatic manual Consistently perform well on a wide range of programs. ( wide variation) No clear conclusion (different approaches and learning algorithms) 44/49
45 Results: Generated Features (Top 2) Partially flow-sensitive interval analysis feature program 1: feature program 2: int buf [10]; for (i = 0; i < 7; i++) { buf[i] = 0; // Query } k = 255; p = malloc (k); while (k > 0) { *(p + k) = 0; // Query k ; } Access to a consecutive memory region in a loop Bounded indice by a constant 45/49
46 Results: Generated Features (Top 2) Partially flow-sensitive pointer analysis feature program 1: feature program 2: int j = 16; q = malloc(j) if (q == 0) return; else *q = 0; // Query r = malloc(v); r = &a; *r = 0; // Query Null-check before buffer access Strong update by the address of another variable 46/49
47 Results: Generated Features (Top 2) Partial Octagon analysis feature program 1: feature program 2: size = POS_NUM; arr = malloc(size); arr[size 1] = 0; // Query idx = POS_NUM; buf = malloc(idx); for (n = 0; n < idx; n++) { buf[n] = 0; // Query } Array of a positive size e.g., when POS_NUM = [1,+oo] in the flow-sensitive interval analysis Index related to the size in a simple linear way 47/49
48 Caveats: Expressiveness of Features Our feature representation is expressive enough, but not perfect, e.g., x and y results in finite intervals after analysis. 2 k type of integers are important constants. 48/49
49 Summary codebase automatically generated features ML analysis Features in data-driven static analysis By reducing programs As generalized graphs ( program text) 49/49
Selective Context-Sensitivity Guided by Impact Pre-Analysis
Selective Context-Sensitivity Guided by Impact Pre-Analysis 1 1 1 Hakjoo Oh Wonchan Lee Kihong Heo 2 1 Hongseok Yang Kwangkeun Yi 1 Seoul National University 2University of Oxford PLDI 2014 @Edinburgh,
More informationLearning Analysis Strategies for Octagon and Context Sensitivity from Labeled Data Generated by Static Analyses
Noname manuscript No. (will be inserted by the editor) Learning Analysis Strategies for Octagon and Context Sensitivity from Labeled Data Generated by Static Analyses Kihong Heo Hakjoo Oh Hongseok Yang
More informationMachine-Learning-Guided Selectively Unsound Static Analysis
Machine-Learning-Guided Selectively Unsound Static Analysis Kihong Heo Seoul National University Hakjoo Oh Korea University Kwangkeun Yi Seoul National University 26 May 2017 ICSE'17 @ Buenos Aires Goal
More informationLearning a Variable-Clustering Strategy for Octagon from Labeled Data Generated by a Static Analysis
Learning a Variable-Clustering Strategy for Octagon from Labeled Data Generated by a Static Analysis Kihong Heo 1, Hakjoo Oh 2, and Hongseok Yang 3 1 Seoul National University 2 Korea University 3 University
More informationLearning a Variable-Clustering Strategy for Octagon from Labeled Data Generated by a Static Analysis
Learning a Variable-Clustering Strategy for Octagon from Labeled Data Generated by a Static Analysis Kihong Heo 1, Hakjoo Oh 2, and Hongseok Yang 3 1 Seoul National University 2 Korea University 3 University
More informationSelective Context-Sensitivity Guided by Impact Pre-Analysis
Selective Context-Sensitivity Guided by Impact Pre-Analysis Hakjoo Oh 1 Wonchan Lee 1 Kihong Heo 1 Hongseok Yang 2 Kwangkeun Yi 1 Seoul National University 1, University of Oxford 2 Abstract We present
More informationStatic Analysis of JavaScript. Ben Hardekopf
Static Analysis of JavaScript Insights and Challenges Ben Hardekopf Department of Computer Science University of California, Santa Barbara Setting Expectations What this talk is about Brief introduction
More informationWidening Operator. Fixpoint Approximation with Widening. A widening operator 2 L ˆ L 7``! L is such that: Correctness: - 8x; y 2 L : (y) v (x y)
EXPERIENCE AN INTRODUCTION WITH THE DESIGN TOF A SPECIAL PURPOSE STATIC ANALYZER ABSTRACT INTERPRETATION P. Cousot Patrick.Cousot@ens.fr http://www.di.ens.fr/~cousot Biarritz IFIP-WG 2.3 2.4 meeting (1)
More informationStatic Analysis of Embedded C
Static Analysis of Embedded C John Regehr University of Utah Joint work with Nathan Cooprider Motivating Platform: TinyOS Embedded software for wireless sensor network nodes Has lots of SW components for
More informationAutomatic Software Verification
Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework
More informationDuet: Static Analysis for Unbounded Parallelism
Duet: Static Analysis for Unbounded Parallelism Azadeh Farzan and Zachary Kincaid University of Toronto Abstract. Duet is a static analysis tool for concurrent programs in which the number of executing
More informationLanguage Security. Lecture 40
Language Security Lecture 40 (from notes by G. Necula) Prof. Hilfinger CS 164 Lecture 40 1 Lecture Outline Beyond compilers Looking at other issues in programming language design and tools C Arrays Exploiting
More informationStatic Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security
Static Analysis: Overview, Syntactic Analysis and Abstract Interpretation TDDC90: Software Security Ahmed Rezine IDA, Linköpings Universitet Hösttermin 2014 Outline Overview Syntactic Analysis Abstract
More informationFrama-C Value Analysis
Frama-C Value Analysis Séminaire CAP TRONIC Virgile Prevosto virgile.prevosto@cea.fr June 18 th, 2015 Outline Introduction Abstract domains Arithmetic Memory Methodology Basic commands Parameters Introduction
More informationSendmail crackaddr - Static Analysis strikes back
Sendmail crackaddr - Static Analysis strikes back Bogdan Mihaila Technical University of Munich, Germany December 6, 2014 Name Lastname < name@mail.org > ()()()()()()()()()... ()()() 1 / 25 Abstract Interpretation
More informationAutomatically Identifying Critical Input and Code Regions in Applications
Automatically Identifying Critical Input and Code Regions in Applications Michael Carbin and Martin Rinard Massachusetts Institute of Technology! Computer Science and Artificial Intelligence Laboratory
More informationEmbedded Software Verification Challenges and Solutions. Static Program Analysis
Embedded Software Verification Challenges and Solutions Static Program Analysis Chao Wang chaowang@nec-labs.com NEC Labs America Princeton, NJ ICCAD Tutorial November 11, 2008 www.nec-labs.com 1 Outline
More informationTesting, code coverage and static analysis. COSC345 Software Engineering
Testing, code coverage and static analysis COSC345 Software Engineering Outline Various testing processes ad hoc / formal / automatic Unit tests and test driven development Code coverage metrics Integration
More informationA Context-Sensitive Memory Model for Verification of C/C++ Programs
A Context-Sensitive Memory Model for Verification of C/C++ Programs Arie Gurfinkel and Jorge A. Navas University of Waterloo and SRI International SAS 17, August 30th, 2017 Gurfinkel and Navas (UWaterloo/SRI)
More informationLoop-Oriented Array- and Field-Sensitive Pointer Analysis for Automatic SIMD Vectorization
Loop-Oriented Array- and Field-Sensitive Pointer Analysis for Automatic SIMD Vectorization Yulei Sui, Xiaokang Fan, Hao Zhou and Jingling Xue School of Computer Science and Engineering The University of
More informationStatic Analysis in Practice
in Practice 17-654/17-754: Analysis of Software Artifacts Jonathan Aldrich 1 Quick Poll Who is familiar and comfortable with design patterns? e.g. what is a Factory and why use it? 2 1 Outline: in Practice
More informationNumerical static analysis with Soot
Numerical static analysis with Soot Gianluca Amato Università G. d Annunzio di Chieti Pescara ACM SIGPLAN International Workshop on the State Of the Art in Java Program Analysis SOAP 2013 (joint work with
More informationOne-Slide Summary. Lecture Outline. Language Security
Language Security Or: bringing a knife to a gun fight #1 One-Slide Summary A language s design principles and features have a strong influence on the security of programs written in that language. C s
More informationStreams. CS21b: Structure and Interpretation of Computer Programs Spring Term, 2004
Streams CS21b: Structure and Interpretation of Computer Programs Spring Term, 2004 We ve already seen how evaluation order can change behavior when we program with state. Now we want to investigate how
More informationCIS 341 Final Examination 3 May 2011
CIS 341 Final Examination 3 May 2011 1 /16 2 /20 3 /40 4 /28 5 /16 Total /120 Do not begin the exam until you are told to do so. You have 120 minutes to complete the exam. There are 12 pages in this exam.
More informationSMT-Style Program Analysis with Value-based Refinements
SMT-Style Program Analysis with Value-based Refinements Vijay D Silva Leopold Haller Daniel Kröning NSV-3 July 15, 2010 Outline Imprecision and Refinement in Abstract Interpretation SAT Style Abstract
More informationVS 3 : SMT Solvers for Program Verification
VS 3 : SMT Solvers for Program Verification Saurabh Srivastava 1,, Sumit Gulwani 2, and Jeffrey S. Foster 1 1 University of Maryland, College Park, {saurabhs,jfoster}@cs.umd.edu 2 Microsoft Research, Redmond,
More informationSelectively Sensitive Static Analysis by Impact Pre-analysis and Machine Learning 2017 년 8 월 허기홍
공학박사학위논문 예비분석과기계학습을이용하여선별적으로정확하게정적분석을하는방법 Selectively Sensitive Static Analysis by Impact Pre-analysis and Machine Learning 2017 년 8 월 서울대학교대학원 컴퓨터공학부 허기홍 예비분석과 기계학습을 이용하여 선별적으로 정확하게 정적분석을 하는 방법 지도교수 이
More informationDerivative Delay Embedding: Online Modeling of Streaming Time Series
Derivative Delay Embedding: Online Modeling of Streaming Time Series Zhifei Zhang (PhD student), Yang Song, Wei Wang, and Hairong Qi Department of Electrical Engineering & Computer Science Outline 1. Challenges
More informationAnnouncements. assign0 due tonight. Labs start this week. No late submissions. Very helpful for assign1
Announcements assign due tonight No late submissions Labs start this week Very helpful for assign1 Goals for Today Pointer operators Allocating memory in the heap malloc and free Arrays and pointer arithmetic
More informationTHE ROAD NOT TAKEN. Estimating Path Execution Frequency Statically. ICSE 2009 Vancouver, BC. Ray Buse Wes Weimer
ICSE 2009 Vancouver, BC Ray Buse Wes Weimer THE ROAD NOT TAKEN Estimating Path Execution Frequency Statically The Big Idea 2 Developers often have a expectations about common and uncommon cases in programs
More informationCopyright 2008 CS655 System Modeling and Analysis. Korea Advanced Institute of Science and Technology
The Spin Model Checker : Part I Copyright 2008 CS655 System Korea Advanced Institute of Science and Technology System Spec. In Promela Req. Spec. In LTL Overview of the Spin Architecture Spin Model pan.c
More informationSimplifying Loop Invariant Generation Using Splitter Predicates. Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University
Simplifying Loop Invariant Generation Using Splitter Predicates Rahul Sharma Işil Dillig, Thomas Dillig, and Alex Aiken Stanford University Loops and Loop Invariants Loop Head x = 0; while( x
More informationCombined Static and Dynamic Mutability Analysis 1/31
Combined Static and Dynamic Mutability Analysis SHAY ARTZI, ADAM KIEZUN, DAVID GLASSER, MICHAEL D. ERNST ASE 2007 PRESENTED BY: MENG WU 1/31 About Author Program Analysis Group, Computer Science and Artificial
More informationGermán Llort
Germán Llort gllort@bsc.es >10k processes + long runs = large traces Blind tracing is not an option Profilers also start presenting issues Can you even store the data? How patient are you? IPDPS - Atlanta,
More informationOVERHEADS ENHANCEMENT IN MUTIPLE PROCESSING SYSTEMS BY ANURAG REDDY GANKAT KARTHIK REDDY AKKATI
CMPE 655- MULTIPLE PROCESSOR SYSTEMS OVERHEADS ENHANCEMENT IN MUTIPLE PROCESSING SYSTEMS BY ANURAG REDDY GANKAT KARTHIK REDDY AKKATI What is MULTI PROCESSING?? Multiprocessing is the coordinated processing
More informationInterval Polyhedra: An Abstract Domain to Infer Interval Linear Relationships
Interval Polyhedra: An Abstract Domain to Infer Interval Linear Relationships Liqian Chen 1,2 Antoine Miné 3,2 Ji Wang 1 Patrick Cousot 2,4 1 National Lab. for Parallel and Distributed Processing, Changsha,
More informationChecking System Rules Using System-Specific, Programmer- Written Compiler Extensions
Motivation for using Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions Dawson Engler Benjamin Chelf Andy Chou Seth Hallem 1 Computer Systems Laboratory Stanford University
More informationF-Soft: Software Verification Platform
F-Soft: Software Verification Platform F. Ivančić, Z. Yang, M.K. Ganai, A. Gupta, I. Shlyakhter, and P. Ashar NEC Laboratories America, 4 Independence Way, Suite 200, Princeton, NJ 08540 fsoft@nec-labs.com
More informationStatic Analysis and Dataflow Analysis
Static Analysis and Dataflow Analysis Static Analysis Static analyses consider all possible behaviors of a program without running it. 2 Static Analysis Static analyses consider all possible behaviors
More informationCSE 501: Compiler Construction. Course outline. Goals for language implementation. Why study compilers? Models of compilation
CSE 501: Compiler Construction Course outline Main focus: program analysis and transformation how to represent programs? how to analyze programs? what to analyze? how to transform programs? what transformations
More informationStatic Analysis in Practice
in Practice 15-313: Foundations of Software Engineering Jonathan Aldrich 1 Outline: in Practice Case study: Analysis at ebay Case study: Analysis at Microsoft Analysis Results and Process Example: Standard
More informationDavid Glasser Michael D. Ernst CSAIL, MIT
static dynamic intraprocedural interprocedural Shay Artzi, Adam Kiezun, David Glasser Michael D. Ernst CSAIL, MIT Parameter P of method M is: Mutable if some execution of M can change the state of P s
More informationStatic Analysis by A. I. of Embedded Critical Software
Static Analysis by Abstract Interpretation of Embedded Critical Software Julien Bertrane ENS, Julien.bertrane@ens.fr Patrick Cousot ENS & CIMS, Patrick.Cousot@ens.fr Radhia Cousot CNRS & ENS, Radhia.Cousot@ens.fr
More informationTypes, Universes and Everything
Types, Universes and Everything Andres Löh Dept. of Information and Computing Sciences, Utrecht University P.O. Box 80.089, 3508 TB Utrecht, The Netherlands Web pages: http://www.cs.uu.nl/wiki/center May
More informationData-Flow Based Detection of Loop Bounds
Data-Flow Based Detection of Loop Bounds Christoph Cullmann and Florian Martin AbsInt Angewandte Informatik GmbH Science Park 1, D-66123 Saarbrücken, Germany cullmann,florian@absint.com, http://www.absint.com
More informationSeparating Shape Graphs
Separating Shape Graphs Vincent Laviron Bor-Yuh Evan Chang Xavier Rival ENS University of Colorado INRIA Boulder ENS European Symposium on Programming 1/ 23 Shape Analysis Analysis of programs using dynamic
More informationGoal. Overflow Checking in Firefox. Sixgill. Sixgill (cont) Verifier Design Questions. Sixgill: Properties 4/8/2010
Goal Overflow Checking in Firefox Brian Hackett Can we clean a code base of buffer overflows? Keep it clean? Must prove buffer accesses are in bounds Verification: prove a code base has a property Sixgill
More informationStatic Analysis of Embedded C Code
Static Analysis of Embedded C Code John Regehr University of Utah Joint work with Nathan Cooprider Relevant features of C code for MCUs Interrupt-driven concurrency Direct hardware access Whole program
More informationStatic Analysis of List-Manipulating Programs via Bit-Vectors and Numerical Abstractions
Static Analysis of List-Manipulating Programs via Bit-Vectors and Numerical Abstractions Liqian Chen 1,2 Renjian Li 1 Xueguang Wu 1 Ji Wang 1 1 National University of Defense Technology, Changsha, China
More informationStatic Program Analysis Part 1 the TIP language
Static Program Analysis Part 1 the TIP language http://cs.au.dk/~amoeller/spa/ Anders Møller & Michael I. Schwartzbach Computer Science, Aarhus University Questions about programs Does the program terminate
More informationVerification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control
Verification of Parameterized Concurrent Programs By Modular Reasoning about Data and Control Zachary Kincaid Azadeh Farzan University of Toronto January 18, 2013 Z. Kincaid (U. Toronto) Modular Reasoning
More informationComplexity, Induction, and Recurrence Relations. CSE 373 Help Session 4/7/2016
Complexity, Induction, and Recurrence Relations CSE 373 Help Session 4/7/2016 Big-O Definition Definition: g(n) is in O( f(n) ) if there exist positive constants c and n0 such that g(n) c f(n) for all
More informationControl-Flow Refinment via Partial Evaluation
Control-Flow Refinment via Partial Evaluation Jesús Doménech 1, Samir Genaim 2, and John P. Gallagher 3 1 Universidad Complutense de Madrid, Spain jdomenec@ucm.es 2 Universidad Complutense de Madrid, Spain
More informationVerifying C & C++ with ESBMC
Verifying C & C++ with ESBMC Denis A Nicole dan@ecs.soton.ac.uk CyberSecuritySoton.org [w] @CybSecSoton [fb & tw] ESBMC ESBMC, the Efficient SMT-Based Context-Bounded Model Checker was originally developed
More informationSoftware Security: Vulnerability Analysis
Computer Security Course. Software Security: Vulnerability Analysis Program Verification Program Verification How to prove a program free of buffer overflows? Precondition Postcondition Loop invariants
More informationSchool of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne
Principles of Dependable Systems Building Reliable Software School of Computer & Communication Sciences École Polytechnique Fédérale de Lausanne Winter 2006-2007 Outline Class Projects: mtgs next week
More informationStatic and Dynamic Program Analysis: Synergies and Applications
Static and Dynamic Program Analysis: Synergies and Applications Mayur Naik Intel Labs, Berkeley CS 243, Stanford University March 9, 2011 Today s Computing Platforms Trends: parallel cloud mobile Traits:
More informationThe Pointer Assertion Logic Engine
The Pointer Assertion Logic Engine [PLDI 01] Anders Mφller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach
More informationAn Introduction to Heap Analysis. Pietro Ferrara. Chair of Programming Methodology ETH Zurich, Switzerland
An Introduction to Heap Analysis Pietro Ferrara Chair of Programming Methodology ETH Zurich, Switzerland Analisi e Verifica di Programmi Universita Ca Foscari, Venice, Italy Outline 1. Recall of numerical
More informationFaults, Errors, Failures
Faults, Errors, Failures CS 4501 / 6501 Software Testing [Ammann and Offutt, Introduction to Software Testing ] 1 Software Testing Review Testing = process of finding input values to check against a software
More informationProperties. Comparing and Ordering Rational Numbers Using a Number Line
Chapter 5 Summary Key Terms natural numbers (counting numbers) (5.1) whole numbers (5.1) integers (5.1) closed (5.1) rational numbers (5.1) irrational number (5.2) terminating decimal (5.2) repeating decimal
More informationLecture 16 Notes AVL Trees
Lecture 16 Notes AVL Trees 15-122: Principles of Imperative Computation (Spring 2016) Frank Pfenning 1 Introduction Binary search trees are an excellent data structure to implement associative arrays,
More informationEvolving Frama-C Value Analysis
Evolving Frama-C Value Analysis Evolving Frama-C Value Analysis Frama-C Day 2016 Boris Yakobowski, CEA Tech List Frama-C Value Analysis: a Brief Recap Frama-C Value Analysis: a Brief Recap The Value Analysis
More informationThe Apron Library. Bertrand Jeannet and Antoine Miné. CAV 09 conference 02/07/2009 INRIA, CNRS/ENS
The Apron Library Bertrand Jeannet and Antoine Miné INRIA, CNRS/ENS CAV 09 conference 02/07/2009 Context : Static Analysis What is it about? Discover properties of a program statically and automatically.
More informationData-flow Analysis for Interruptdriven Microcontroller Software
Data-flow Analysis for Interruptdriven Microcontroller Software Nathan Cooprider Advisor: John Regehr Dissertation defense School of Computing University of Utah Data-flow Analysis for Interruptdriven
More informationUML CS Algorithms Qualifying Exam Fall, 2003 ALGORITHMS QUALIFYING EXAM
NAME: This exam is open: - books - notes and closed: - neighbors - calculators ALGORITHMS QUALIFYING EXAM The upper bound on exam time is 3 hours. Please put all your work on the exam paper. (Partial credit
More informationCITS5501 Software Testing and Quality Assurance Formal methods
CITS5501 Software Testing and Quality Assurance Formal methods Unit coordinator: Arran Stewart May 1, 2018 1 / 49 Sources Pressman, R., Software Engineering: A Practitioner s Approach, McGraw-Hill, 2005
More information18-642: Code Style for Compilers
18-642: Code Style for Compilers 9/25/2017 1 Anti-Patterns: Coding Style: Language Use Code compiles with warnings Warnings are turned off or over-ridden Insufficient warning level set Language safety
More informationStatic Analysis Alert Audits Lexicon And Rules David Svoboda, CERT Lori Flynn, CERT Presenter: Will Snavely, CERT
Static Analysis Alert Audits Lexicon And Rules David Svoboda, CERT Lori Flynn, CERT Presenter: Will Snavely, CERT Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 2016 Carnegie
More informationCSCE 548 Building Secure Software Software Analysis Basics
CSCE 548 Building Secure Software Software Analysis Basics Professor Lisa Luo Spring 2018 Previous Class Ø Android Background Ø Two Android Security Problems: 1. Android App Repackaging o Very easy to
More informationSummary of Last Chapter. Course Content. Chapter 3 Objectives. Chapter 3: Data Preprocessing. Dr. Osmar R. Zaïane. University of Alberta 4
Principles of Knowledge Discovery in Data Fall 2004 Chapter 3: Data Preprocessing Dr. Osmar R. Zaïane University of Alberta Summary of Last Chapter What is a data warehouse and what is it for? What is
More informationCS 315 Data Structures mid-term 2
CS 315 Data Structures mid-term 2 1) Shown below is an AVL tree T. Nov 14, 2012 Solutions to OPEN BOOK section. (a) Suggest a key whose insertion does not require any rotation. 18 (b) Suggest a key, if
More informationContext-Based Detection of Clone-Related Bugs. Lingxiao Jiang, Zhendong Su, Edwin Chiu University of California at Davis
Context-Based Detection of Clone-Related Bugs Lingxiao Jiang, Zhendong Su, Edwin Chiu University of California at Davis 1 Outline Introduction and samples of cloning errors Definitions of inconsistencies
More informationAdvanced Programming Methods. Introduction in program analysis
Advanced Programming Methods Introduction in program analysis What is Program Analysis? Very broad topic, but generally speaking, automated analysis of program behavior Program analysis is about developing
More informationIntroduction to Machine-Independent Optimizations - 1
Introduction to Machine-Independent Optimizations - 1 Department of Computer Science and Automation Indian Institute of Science Bangalore 560 012 NPTEL Course on Principles of Compiler Design Outline of
More informationLimited view X-ray CT for dimensional analysis
Limited view X-ray CT for dimensional analysis G. A. JONES ( GLENN.JONES@IMPERIAL.AC.UK ) P. HUTHWAITE ( P.HUTHWAITE@IMPERIAL.AC.UK ) NON-DESTRUCTIVE EVALUATION GROUP 1 Outline of talk Industrial X-ray
More informationPROGRAM EFFICIENCY & COMPLEXITY ANALYSIS
Lecture 03-04 PROGRAM EFFICIENCY & COMPLEXITY ANALYSIS By: Dr. Zahoor Jan 1 ALGORITHM DEFINITION A finite set of statements that guarantees an optimal solution in finite interval of time 2 GOOD ALGORITHMS?
More informationModel Counting with Applications to CodeHunt
Model Counting with Applications to CodeHunt Willem Visser Stellenbosch University South Africa CodeHunt is built on Model Counting SAT or UNSAT? And Some solutions # SAT solutions? Can we use this for
More informationAutomatic visual recognition for metro surveillance
Automatic visual recognition for metro surveillance F. Cupillard, M. Thonnat, F. Brémond Orion Research Group, INRIA, Sophia Antipolis, France Abstract We propose in this paper an approach for recognizing
More informationSYSC 2006 C Winter 2012
SYSC 2006 C Winter 2012 Pointers and Arrays Copyright D. Bailey, Systems and Computer Engineering, Carleton University updated Sept. 21, 2011, Oct.18, 2011,Oct. 28, 2011, Feb. 25, 2011 Memory Organization
More information: Principles of Imperative Computation, Fall Written Homework 1 Solutions
15-122 Written Homework 1 Page 1 of 9 15-122 : Principles of Imperative Computation, Fall 2013 Written Homework 1 Solutions Name: Andrew ID: Recitation: The theory portion of this week s homework will
More informationAlgebraic Program Analysis
Introduction to Algebraic Program Analysis Zachary Kincaid 1 Thomas Reps 2,3 1 Princeton University 2 University of Wisconsin-Madison 3 GrammaTech, Inc. January 8, 2018 1 Program analysis Design algorithms
More informationLecture 16 AVL Trees
Lecture 16 AVL Trees 15-122: Principles of Imperative Computation (Fall 2018) Frank Pfenning Binary search trees are an excellent data structure to implement associative arrays, maps, sets, and similar
More informationLecture Notes on Binary Search Trees
Lecture Notes on Binary Search Trees 15-122: Principles of Imperative Computation Frank Pfenning André Platzer Lecture 16 March 17, 2015 1 Introduction In this lecture, we will continue considering ways
More informationLecture Notes on Binary Search Trees
Lecture Notes on Binary Search Trees 15-122: Principles of Imperative Computation Frank Pfenning Lecture 17 1 Introduction In the previous two lectures we have seen how to exploit the structure of binary
More informationInterprocStack analyzer for recursive programs with finite-type and numerical variables
InterprocStack analyzer for recursive programs with finite-type and numerical variables Bertrand Jeannet Contents 1 Invoking InterprocStack 1 2 The Simple language 2 2.1 Syntax and informal semantics.........................
More informationCOS 320. Compiling Techniques
Topic 5: Types COS 320 Compiling Techniques Princeton University Spring 2016 Lennart Beringer 1 Types: potential benefits (I) 2 For programmers: help to eliminate common programming mistakes, particularly
More informationFormal Methods. CITS5501 Software Testing and Quality Assurance
Formal Methods CITS5501 Software Testing and Quality Assurance Pressman, R. Software Engineering: A Practitioner s Approach. Chapter 28. McGraw-Hill, 2005 The Science of Programming, David Gries, 1981
More informationHiding local state in direct style: a higher-order anti-frame rule
1 / 65 Hiding local state in direct style: a higher-order anti-frame rule François Pottier January 28th, 2008 2 / 65 Contents Introduction Basics of the type system A higher-order anti-frame rule Applications
More informationLecture 15 Notes Binary Search Trees
Lecture 15 Notes Binary Search Trees 15-122: Principles of Imperative Computation (Spring 2016) Frank Pfenning, André Platzer, Rob Simmons 1 Introduction In this lecture, we will continue considering ways
More informationFeature selection. LING 572 Fei Xia
Feature selection LING 572 Fei Xia 1 Creating attribute-value table x 1 x 2 f 1 f 2 f K y Choose features: Define feature templates Instantiate the feature templates Dimensionality reduction: feature selection
More informationInterprocedural Type Specialization of JavaScript Programs Without Type Analysis
Interprocedural Type Specialization of JavaScript Programs Without Type Analysis Maxime Chevalier-Boisvert joint work with Marc Feeley ECOOP - July 20th, 2016 Overview Previous work: Lazy Basic Block Versioning
More informationA typed foreign function interface for ML
A typed foreign function interface for ML Jeremy Yallop 26 November 2013 1 / 18 Itinerary Background / using ctypes / inside ctypes 2 / 18 Itinerary Background / using ctypes / inside ctypes 3 / 18 Foreign
More informationLecture 15 Binary Search Trees
Lecture 15 Binary Search Trees 15-122: Principles of Imperative Computation (Fall 2017) Frank Pfenning, André Platzer, Rob Simmons, Iliano Cervesato In this lecture, we will continue considering ways to
More informationSpark verification features
Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal Verification Spring 2018 Adding specification information to programs Verification concerns checking whether
More informationBug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher
Bug Finding with Under-approximating Static Analyses Daniel Kroening, Matt Lewis, Georg Weissenbacher Overview Over- vs. underapproximating static analysis Path-based symbolic simulation Path merging Acceleration
More informationMaking Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World
Making Context-sensitive Points-to Analysis with Heap Cloning Practical For The Real World Chris Lattner Apple Andrew Lenharth UIUC Vikram Adve UIUC What is Heap Cloning? Distinguish objects by acyclic
More informationWhy does ASTRÉE scale up?
Form Methods Syst Des (2009) 35: 229 264 DOI 10.1007/s10703-009-0089-6 Why does ASTRÉE scale up? Patrick Cousot Radhia Cousot Jérôme Feret Laurent Mauborgne Antoine Miné Xavier Rival Published online:
More informationLast time. Reasoning about programs. Coming up. Project Final Presentations. This Thursday, Nov 30: 4 th in-class exercise
Last time Reasoning about programs Coming up This Thursday, Nov 30: 4 th in-class exercise sign up for group on moodle bring laptop to class Final projects: final project presentations: Tue Dec 12, in
More information