Combining the Logical and the Probabilistic in Program Analysis. Xin Zhang Xujie Si Mayur Naik University of Pennsylvania
|
|
- Dinah Hunt
- 6 years ago
- Views:
Transcription
1 Combining the Logical and the Probabilistic in Program Analysis Xin Zhang Xujie Si Mayur Naik University of Pennsylvania
2 What is Program Analysis? int f(int i) {... } Program Analysis x may be null!... x.f = y; assert(n > 10);... Pre: i > 0 Post: ret=sqrt(i) 2
3 Conventional Logical Approach + Easy to specify Explainable With formal guarantees path(a, a). path(a, c) :- path(a, b), edge(b, c). Program Analysis 1. Each node connects to itself. 2. If there is a path from a to b, and there is an edge from b to c, then there is a path from a to c. 3
4 Conventional Logical Approach + Easy to specify + Explainable path(a, a). path(a, c) :- path(a, b), edge(b, c). Program Analysis path(1,1) edge(1,7) edge(7,2,a 0 ) path(1,7) edge(7,5) edge(2,8,c 0 ) path(1,2) path(1,5) edge(5,8) edge(8,3) path(1,8) edge(8,6) int f(int i) {... x.f = y;... } x may be null when i = 5. path(1,3) path(1,6) 4
5 Conventional Logical Approach + Easy to specify + Explainable + With formal guarantees path(a, a). path(a, c) :- path(a, b), edge(b, c). Program Analysis int f(int i){... assert(n > 10);... } i 5
6 Conventional Logical Approach + Easy to specify + Explainable + With formal guarantees path(a, a). path(a, c) :- path(a, b), edge(b, c). Program Analysis - Unable to handle uncertainty /* Read type and payload length first */ hbtype = *p++; n2s(p, payload); pl = p;... /* Enter response type, length and copy payload */ *bp++ = TLS1_HB_RESPONSE; s2n(payload, bp); memcpy(bp, pl, payload); Will this buffer overflow lead to a security exploit? CVE (Heartbleed) 6
7 Conventional Logical Approach + Easy to specify + Explainable + With formal guarantees path(a, a). path(a, c) :- path(a, b), edge(b, c). Program Analysis - Unable to handle uncertainty - Unable to adapt Bug Detection Verification Pointer Analysis 7
8 Conventional Logical Approach + Easy to specify + Explainable + With formal guarantees path(a, a). path(a, c) :- path(a, b), edge(b, c). Program Analysis - Unable to handle uncertainty - Unable to adapt - Unable to learn 8
9 Emerging Probabilistic Approach - Hard to specify - Hard to interpret - Without formal guarantees guarantees ML System + Able to handle uncertainty + Able to adapt + Able to learn 9
10 An Overarching Question + Easy to specify + Explainable + With formal guarantees? Program Analysis + Able to handle uncertainty + Able to adapt + Able to learn 10
11 Talk Outline } Motivation } A General Approach } Instance Applications } Solver } Empirical Results 11
12 Our Approach: Mixed Hard and Soft Constraints + Easy to specify + Explainable + With formal guarantees path(a, a). path(a, c) :- path(a, b), edge(b, c) 2.0 Program Analysis + Able to handle uncertainty + Able to adapt + Able to learn 12
13 Background: Mixed Hard and Soft Constraints 5 p(p3, p2) :- p(p1, p2), n(p3, p1) a5 Stochastic Logic Programs (SLP) [Muggleton, 1996] Probabilistic Relational Models (PRM) [Koller, 1999] Bayesian Logic (BLOG) [Milch et al., 2005] Logic Probability Markov Logic Network (MLN) [Richardson & Domingos, 2006] Encodes Handles Uncertainty Formal Semantics Probabilistic Soft Logic (PSL) [Kimmig et al., 2012] 13
14 Background: Mixed Hard and Soft Constraints Input relations: edge(a, b) Output relations: path(a, b) Hard Rules: path(a, a). path(a, c) :- path(a, b), edge(b, c). Soft Rules: path(a, b). weight 5 Solution: path 1, 1 = T, path 2, 2 = T, path 1, 2 = T, path 2, 1 = F, Grounding Solving Input tuples: edge(1, 7), edge(4, 7), MaxSAT Hard constraints: edge 1, 7 edge(4, 7)... path(1, 1) path(2, 2)... (path(1, 1) path(1, 1) edge(1, 1)) (path(1, 2) path(1, 1) edge(1, 2)) (path(1, 2) path(1, 2) edge(2, 2)) Soft constraints: ( path 1, 1 weight 5) path 1, 2 weight 5 14
15 Our Overall Methodology Offline Online Learning Markov Logic Network Inference 15
16 Talk Outline } Motivation } A General Approach } Instance Applications } Solver } Empirical Results 16
17 Static Bug Detection: Prevalent Approach Detected Races R1: Race on field org.apache.ftpserver.requesthandler.request org.apache.ftpserver.requesthandler: 9 org.apache.ftpserver.requesthandler: 18 R2: Race on field org.apache.ftpserver.requesthandler.request org.apache.ftpserver.requesthandler: 17 org.apache.ftpserver.requesthandler: 18 R3: Race on field org.apache.ftpserver.requesthandler.writer org.apache.ftpserver.requesthandler: 19 org.apache.ftpserver.requesthandler: 20 R4: Race on field org.apache.ftpserver.requesthandler.reader org.apache.ftpserver.requesthandler: 21 org.apache.ftpserver.requesthandler: 22 R5: Race on field org.apache.ftpserver.requesthandler.controlsocket org.apache.ftpserver.requesthandler: 23 org.apache.ftpserver.requesthandler: 24 Eliminated Races E1: Race on field org.apache.ftpserver.requesthandler. isclosed org.apache.ftpserver.requesthandler: 13 org.apache.ftpserver.requesthandler: 15 17
18 Static Bug Detection: Our Approach Detected Races R1: Race on field org.apache.ftpserver.requesthandler.request org.apache.ftpserver.requesthandler: 9 org.apache.ftpserver.requesthandler: 18 R2: Race on field org.apache.ftpserver.requesthandler.request org.apache.ftpserver.requesthandler: 17 org.apache.ftpserver.requesthandler: 18 R3: Race on field org.apache.ftpserver.requesthandler.writer org.apache.ftpserver.requesthandler: 19 org.apache.ftpserver.requesthandler: 20 R4: Race on field org.apache.ftpserver.requesthandler.reader org.apache.ftpserver.requesthandler: 21 org.apache.ftpserver.requesthandler: 22 R5: Race on field org.apache.ftpserver.requesthandler.controlsocket org.apache.ftpserver.requesthandler: 23 org.apache.ftpserver.requesthandler: 24 Eliminated Races E1: Race on field org.apache.ftpserver.requesthandler. isclosed org.apache.ftpserver.requesthandler: 13 org.apache.ftpserver.requesthandler: 15 18
19 Static Bug Detection: Our Approach Detected Races R1: Race on field org.apache.ftpserver.requesthandler.request org.apache.ftpserver.requesthandler: 9 org.apache.ftpserver.requesthandler: 18 Eliminated Races E1: Race on field org.apache.ftpserver.requesthandler. isclosed org.apache.ftpserver.requesthandler: 13 org.apache.ftpserver.requesthandler: 15 E2: Race on field org.apache.ftpserver.requesthandler.request org.apache.ftpserver.requesthandler: 17 org.apache.ftpserver.requesthandler: 18 E3: Race on field org.apache.ftpserver.requesthandler.writer org.apache.ftpserver.requesthandler: 19 org.apache.ftpserver.requesthandler: 20 E4: Race on field org.apache.ftpserver.requesthandler.reader org.apache.ftpserver.requesthandler: 21 org.apache.ftpserver.requesthandler: 22 E5: Race on field org.apache.ftpserver.requesthandler.controlsocket org.apache.ftpserver.requesthandler: 23 org.apache.ftpserver.requesthandler: 24 19
20 Instance Applications [CAV 17 Invited Tutorial] Static Bug Detection [FSE 15] Hard Rules analysis rules Soft Rules analysis rule i weight w i confidence of writer result j weight w j confidence of user Automated Verification [PLDI 14, POPL 16] analysis rules abstraction 1 abstraction n result i weight w i query resolution award abstraction j weight w j abstraction cost Interactive Verification [OOPSLA 17] analysis rules cause i weight w i cost of inspection result j weight w j reward of resolution 20
21 An Example: Datarace Analysis Input relations: next(p1, p2), mayalias(p1, p2), guarded(p1, p2) Output relations: program point p1 parallel(p1, p2), race(p1, p2) If is & p1 p2 & may p2 may p1 happen & p2 are in parallel, If p1 & p2 may happen in parallel, immediate successor access the same guarded by the andif they p2 & may p1 and access may p3 happen is successor the same in parallel, of p1, memory location, of p2. memory location. same lock. Rules: then and they p1 then & are p2 p3 not may & p2 guarded happen may happen by in parallel. in parallel. the same lock, p1 & p2 may parallel(p3, p2) :- parallel(p1, p1 then & p1 p2 p2), & may p2 happen in parallel. next may (p3, have p1). a datarace. have a datarace. (2) parallel(p1, p2) :- parallel(p2, p1). race(p1, p2) :- parallel(p1, p2), mayalias(p1, p2), guarded(p1, p2). 21
22 An Example: Datarace Analysis Input relations: next(p1, p2), mayalias(p1, p2), guarded(p1, p2) Output relations: parallel(p1, p2), race(p1, p2) Rules: parallel(p3, p2) :- parallel(p1, p2), next (p3, p1). (2) parallel(p1, p2) :- parallel(p2, p1). race(p1, p2) :- parallel(p1, p2), mayalias(p1, p2), guarded(p1, p2). race(x2, x1). weight 25 a = 1; if (a > 2) { // p1... // p2 } Hard Rule Soft Rule weight 5 22
23 An Example: Datarace Analysis 1 public class RequestHandler { 2 Request request; 3 FtpWriter writer; 4 BufferedReader reader; 5 Socket controlsocket; 6 boolean isconnectionclosed; 7 8 public Request getrequest() { 9 return request; 10 } 11 public void close() { 12 synchronized (this) { 13 if (isclosed) 14 return; 15 isclosed = true; 16 } 17 request.clear(); 18 request = null; 19 writer.close(); 20 writer = null; 21 reader.close(); 22 reader = null; 23 controlsocket.close(); 24 controlsocket = null; 25 } Source code snippet from Apache FTP Server 23
24 An Example: Datarace Analysis 1 public class RequestHandler { 2 Request request; 3 FtpWriter writer; 4 BufferedReader reader; 5 Socket controlsocket; 6 boolean isconnectionclosed; 7 8 public Request getrequest() { 9 return request; 10 } R1 11 public void close() { 12 synchronized (this) { 13 if (isclosed) 14 return; 15 isclosed = true; 16 } 17 request.clear(); 18 request = null; 19 writer.close(); 20 writer = null; 21 reader.close(); 22 reader = null; 23 controlsocket.close(); 24 controlsocket = null; 25 } Source code snippet from Apache FTP Server 24
25 An Example: Datarace Analysis 1 public class RequestHandler { 2 Request request; 3 FtpWriter writer; 4 BufferedReader reader; 5 Socket controlsocket; 6 boolean isconnectionclosed; 7 8 public Request getrequest() { 9 return request; 10 } 11 public void close() { 12 synchronized (this) { 13 if (isclosed) 14 return; 15 isclosed = true; 16 } 17 request.clear(); 18 request = null; 19 writer.close(); 20 writer = null; 21 reader.close(); 22 reader = null; 23 controlsocket.close(); 24 controlsocket = null; 25 } R2 R3 R4 R5 Source code snippet from Apache FTP Server 25
26 How Does Generalization Work? 17 request.clear();// x1 next(x2,x1) parallel(x1,x1) 18 request = null; // x2 19 writer.close(); // y1 guarded(x2, x1) mayaias(x2,x1) parallel(x2,x1) 20 writer = null; // y2 race(x2,x1) parallel(x1,x2) next(x2,x1) parallel(p3, p2) :- parallel(p1, p2), next (p3, p1). weight 5 race(x2, x1) weight 25 next(y1,x2) parallel(y1,x2) parallel(x2,x2) parallel(p1, p2) :- parallel(p2, p1). race(p1, p2) :- parallel(p1, p2), mayalias(p1, p2), guarded(p1, p2). next(y1,x2) parallel(x2,y1) parallel(y1,y1) next(y2,y1) mayaias(y2,y1) parallel(y2,y1) guarded(y2, y1) race(y2,y1) 26
27 How Does Generalization Work? 17 request.clear();// x1 next(x2,x1) parallel(x1,x1) 18 request = null; // x2 19 writer.close(); // y1 guarded(x2, x1) mayaias(x2,x1) parallel(x2,x1) 20 writer = null; // y2 race(x2,x1) parallel(x1,x2) next(x2,x1) parallel(p3, p2) :- parallel(p1, p2), next (p3, p1). weight 5 race(x2, x1) weight 25 next(y1,x2) parallel(y1,x2) parallel(x2,x2) parallel(p1, p2) :- parallel(p2, p1). race(p1, p2) :- parallel(p1, p2), mayalias(p1, p2), guarded(p1, p2). next(y1,x2) parallel(x2,y1) parallel(y1,y1) next(y2,y1) mayaias(y2,y1) parallel(y2,y1) guarded(y2, y1) race(y2,y1) 27
28 How Does Generalization Work? 17 request.clear();// x1 next(x2,x1) parallel(x1,x1) 18 request = null; // x2 19 writer.close(); // y1 guarded(x2, x1) mayaias(x2,x1) parallel(x2,x1) 20 writer = null; // y2 race(x2,x1) parallel(x1,x2) next(x2,x1) parallel(p3, p2) :- parallel(p1, p2), next (p3, p1). weight 5 race(x2, x1) weight 25 next(y1,x2) parallel(y1,x2) parallel(x2,x2) parallel(p1, p2) :- parallel(p2, p1). race(p1, p2) :- parallel(p1, p2), mayalias(p1, p2), guarded(p1, p2). next(y1,x2) parallel(x2,y1) parallel(y1,y1) next(y2,y1) mayaias(y2,y1) parallel(y2,y1) guarded(y2, y1) race(y2,y1) 28
29 How Does Generalization Work? 17 request.clear();// x1 next(x2,x1) parallel(x1,x1) 18 request = null; // x2 19 writer.close(); // y1 guarded(x2, x1) mayaias(x2,x1) parallel(x2,x1) 20 writer = null; // y2 race(x2,x1) parallel(x1,x2) next(x2,x1) parallel(p3, p2) :- parallel(p1, p2), next (p3, p1). weight 5 race(x2, x1) weight 25 next(y1,x2) parallel(y1,x2) parallel(x2,x2) parallel(p1, p2) :- parallel(p2, p1). race(p1, p2) :- parallel(p1, p2), mayalias(p1, p2), guarded(p1, p2). next(y1,x2) parallel(x2,y1) parallel(y1,y1) next(y2,y1) mayaias(y2,y1) parallel(y2,y1) guarded(y2, y1) race(y2,y1) 29
30 Talk Outline } Motivation } A General Approach } Instance Applications } Solver } Empirical Results 30
31 The Inference Problem Input relations: edge(a, b) Output relations: path(a, b) Hard Rules: path(a, a). path(a, c) :- path(a, b), edge(b, c). Soft Rules: path(a, b). weight 5 Existing Solvers Tuffy [VLDB 11] Alchemy [ML 06] CPI [UAI 08] RockIt [AAAI 13] Z3 [TACAS 08] Markov Logic Network Solver Soundness Optimality Scalability 31
32 The Nichrome Solver MLN instance work set candidate solution MaxSAT Solver Yes Checker No sound & optimal solution expanded work set 32
33 The Nichrome Solver MLN instance work set candidate solution MaxSAT Solver Yes Checker No Datalog SQL MaxSAT ILP SMT sound & optimal solution expanded work set Volt: A Lazy Grounding Framework for Solving Very Large MaxSAT Instances [SAT 2015] 33
34 The Nichrome Solver MLN instance work set candidate solution MaxSAT Solver Yes Checker No Datalog SQL MaxSAT ILP SMT sound & optimal solution expanded work set On Abstraction Refinement for Program Analyses in Datalog [PLDI 2014] 34
35 The Nichrome Solver MLN instance work set candidate solution MaxSAT Solver Yes Checker No Datalog SQL MaxSAT ILP SMT sound & optimal solution expanded work set Scaling Relational Inference Using Proofs and Refutations [AAAI 2016] 35
36 The Nichrome Solver MaxSAT instance work set Program Reasoning: Does head alias tail on line 50 in Complex.java? candidate solution MaxSAT Solver expanded work set Yes Checker No Query-Guided Maximum Satisfiability [POPL 2016] Datalog SQL MaxSAT ILP SMT sound & optimal solution Information Retrieval: Is Dijkstra most likely author of Structured Programming? 36
37 The Nichrome Solver MaxSAT instance work set all clauses involving query variables candidate solution MaxSAT Solver Yes Checker No Overestimates the effect of unexplored clauses max(work set summary set) - max(work set) = 0 sound & optimal solution expanded work set Query-Guided Maximum Satisfiability [POPL 2016] 37
38 Talk Outline } Motivation } A General Approach } Instance Applications } Solver } Empirical Results 38
39 Experimental Setup } Control Study: } Analyses: (1) Datarace analysis, (2) Pointer analysis } Benchmarks: 7 Java programs ( KLOC each) } Feedback: Automated [Zhang et.al, PLDI 14] } User Study: } Analyses: Information flow analysis } Benchmarks: 3 Android Apps } Feedback: 9 users 30 rules 18 input relations 18 output relations 76 rules 52 input relations 42 output relations 76 rules 50 input relations 42 output relations 39
40 Benchmarks Characteristics classes methods bytecode(kb) KLOC antlr K avrora 1, K ftp K hedc K luindex K lusearch K weblech K App App App Control Study User Study 40
41 Precision Results: Datarace Analysis 100% feedback on 5% reports % With 60% only up to 5% feedback, 70% of the false positives 40% are eliminated and 96% of true positives retained. 20% 0% avrora ftp hedc luindex lusearch weblech false reports eliminated true reports retained 41
42 Precision Results: Varying Amount of Feedback 100% 338 false and 700 true reports 80% 60% 40% 20% 0% 5% 10% 15% 20% false reports eliminated true reports retained 42
43 Solver Performance Results running Winner time of the peak 2015 memory Annual (seconds) MaxSAT Competition (MB) # clauses (M = million) Nichrome Eva500 Nichrome Eva500 Nichrome Eva500 ftp ,262 29K 3M hedc , K 4.8M weblech 4 timeout 363 timeout 922K 8.4M antlr 190 timeout 1,405 timeout 3.3M 13M avrora 178 timeout 1,095 timeout 2.6M 16.3M chart 253 timeout 721 timeout 1.8M 22.3M luindex 169 timeout 944 timeout 2.2M 11.9M 43
44 Solver Performance Results running time (seconds) 44 peak memory (MB) # clauses (M = million) Nichrome Eva500 Nichrome Eva500 Nichrome Eva500 ftp ,262 29K 3M hedc , K 4.8M weblech 4 timeout 363 timeout 922K 8.4M antlr 190 timeout 1,405 timeout 3.3M 13M avrora 178 timeout 1,095 timeout 2.6M 16.3M chart 253 timeout 721 timeout 1.8M 22.3M luindex 169 timeout 944 timeout 2.2M 11.9M Advisor Recommendation AR 4 timeout 4 timeout 2K 7.9M ER Entity 13Resolution K 4.8M IE 2 2, K 0.9M Information Extraction
45 Conclusions } Combining logical and probabilistic reasoning in program analysis provides best of both worlds } Our approach: extend conventional program analyses by augmenting logical rules with weights => Adopt semantics of MLN from the AI community } New solver that achieves accuracy and scalability by leveraging program analysis domain insights 45
Interactive Alarm Ranking System using Bayesian Inference
Interactive Alarm Ranking System using Bayesian Inference Kihong Heo University of Pennsylvania (cowork with Sulekha Kulkarni, Mayur Naik, Mukund Raghothaman) Jan 4 2017 @ Korea University 1 Conventional
More informationCombining the Logical and the Probabilistic in Program Analysis
Combining the Logical and the Probabilistic in Program Analysis Xin Zhang Georgia Institute of Technology, USA xin.zhang@gatech.edu Xujie Si University of Pennsylvania, USA xsi@cis.upenn.edu Mayur Naik
More informationStatic and Dynamic Program Analysis: Synergies and Applications
Static and Dynamic Program Analysis: Synergies and Applications Mayur Naik Intel Labs, Berkeley CS 243, Stanford University March 9, 2011 Today s Computing Platforms Trends: parallel cloud mobile Traits:
More informationLearning Loop Invariants for Program Verification
Learning Loop Invariants for Program Verification Xujie Si*, Hanjun Dai*, Mukund Raghothaman, Mayur Naik, Le Song University of Pennsylvania Georgia Institute of Technology NeurIPS 2018 Code: https://github.com/pl-ml/code2inv
More informationOn Abstraction Refinement for Program Analyses in Datalog
On Abstraction Refinement for Program Analyses in Datalog Xin Zhang Ravi Mangal Radu Grigore Mayur Naik Hongseok Yang Georgia Institute of Technology Oxford University Abstract A central task for a program
More informationScaling Abstraction Refinement via Pruning. PLDI - San Jose, CA June 8, 2011
Scaling Abstraction Refinement via Pruning PLDI - San Jose, CA June 8, 2011 Percy Liang UC Berkeley Mayur Naik Intel Labs Berkeley The Big Picture Program 2 The Big Picture Program Static Analysis 2 The
More informationDifferential program verification
Differential program verification Shuvendu K. Lahiri Research in Software Engineering (RiSE), Microsoft Research Redmond, WA Involved in building static assertion checkers HAVOC [POPL 06, 08, 09, CAV 09,
More informationF-Soft: Software Verification Platform
F-Soft: Software Verification Platform F. Ivančić, Z. Yang, M.K. Ganai, A. Gupta, I. Shlyakhter, and P. Ashar NEC Laboratories America, 4 Independence Way, Suite 200, Princeton, NJ 08540 fsoft@nec-labs.com
More informationMarkov Logic: Representation
Markov Logic: Representation Overview Statistical relational learning Markov logic Basic inference Basic learning Statistical Relational Learning Goals: Combine (subsets of) logic and probability into
More informationTuffy. Scaling up Statistical Inference in Markov Logic using an RDBMS
Tuffy Scaling up Statistical Inference in Markov Logic using an RDBMS Feng Niu, Chris Ré, AnHai Doan, and Jude Shavlik University of Wisconsin-Madison One Slide Summary Machine Reading is a DARPA program
More informationA Dynamic Evaluation of the Precision of Static Heap Abstractions
A Dynamic Evaluation of the Precision of Static Heap Abstractions OOSPLA - Reno, NV October 20, 2010 Percy Liang Omer Tripp Mayur Naik Mooly Sagiv UC Berkeley Tel-Aviv Univ. Intel Labs Berkeley Tel-Aviv
More informationScalable Program Analysis Using Boolean Satisfiability: The Saturn Project
Scalable Program Analysis Using Boolean Satisfiability: The Saturn Project Alex Aiken Stanford University Saturn 1 The Idea Verify properties of large systems! Doesn t {SLAM, BLAST, CQual, ESP} already
More informationOn Incremental Core-Guided MaxSAT Solving
On Incremental Core-Guided MaxSAT Solving Xujie Si 1, Xin Zhang 1, Vasco Manquinho 2, Mikoláš Janota 3, Alexey Ignatiev 4,5, and Mayur Naik 1 1 Georgia Institute of Technology, USA 2 INESC-ID, IST, Universidade
More informationToward Efficient Strong Memory Model Support for the Java Platform via Hybrid Synchronization
Toward Efficient Strong Memory Model Support for the Java Platform via Hybrid Synchronization Aritra Sengupta, Man Cao, Michael D. Bond and Milind Kulkarni 1 PPPJ 2015, Melbourne, Florida, USA Programming
More informationVS 3 : SMT Solvers for Program Verification
VS 3 : SMT Solvers for Program Verification Saurabh Srivastava 1,, Sumit Gulwani 2, and Jeffrey S. Foster 1 1 University of Maryland, College Park, {saurabhs,jfoster}@cs.umd.edu 2 Microsoft Research, Redmond,
More informationLightweight Data Race Detection for Production Runs
Lightweight Data Race Detection for Production Runs Swarnendu Biswas, UT Austin Man Cao, Ohio State University Minjia Zhang, Microsoft Research Michael D. Bond, Ohio State University Benjamin P. Wood,
More informationIntroduction to Statistical Relational Learning
Introduction to Statistical Relational Learning Series Foreword Preface xi xiii 1 Introduction 1 Lise Getoor, Ben Taskar 1.1 Overview 1 1.2 Brief History of Relational Learning 2 1.3 Emerging Trends 3
More informationXFindBugs: extended FindBugs for AspectJ
XFindBugs: extended FindBugs for AspectJ Haihao Shen, Sai Zhang, Jianjun Zhao, Jianhong Fang, Shiyuan Yao Software Theory and Practice Group (STAP) Shanghai Jiao Tong University, China A code Is there
More informationDoubleChecker: Efficient Sound and Precise Atomicity Checking
DoubleChecker: Efficient Sound and Precise Atomicity Checking Swarnendu Biswas, Jipeng Huang, Aritra Sengupta, and Michael D. Bond The Ohio State University PLDI 2014 Impact of Concurrency Bugs Impact
More informationA Context-Sensitive Memory Model for Verification of C/C++ Programs
A Context-Sensitive Memory Model for Verification of C/C++ Programs Arie Gurfinkel and Jorge A. Navas University of Waterloo and SRI International SAS 17, August 30th, 2017 Gurfinkel and Navas (UWaterloo/SRI)
More informationSimply-Typed Lambda Calculus
#1 Simply-Typed Lambda Calculus #2 Back to School What is operational semantics? When would you use contextual (small-step) semantics? What is denotational semantics? What is axiomatic semantics? What
More informationModel Checking and Its Applications
Model Checking and Its Applications Orna Grumberg Technion, Israel Verification and Deduction Mentoring Workshop July 13, 2018 1 Personal data Ph.d. in (non-automated) verification Postdoc in Model Checking
More informationLightweight Verification of Array Indexing
Lightweight Verification of Array Indexing Martin Kellogg*, Vlastimil Dort**, Suzanne Millstein*, Michael D. Ernst* * University of Washington, Seattle ** Charles University, Prague The problem: unsafe
More informationXuandong Li. BACH: Path-oriented Reachability Checker of Linear Hybrid Automata
BACH: Path-oriented Reachability Checker of Linear Hybrid Automata Xuandong Li Department of Computer Science and Technology, Nanjing University, P.R.China Outline Preliminary Knowledge Path-oriented Reachability
More informationPLDI 2016 Tutorial Automata-Based String Analysis
PLDI 2016 Tutorial Automata-Based String Analysis Tevfik Bultan, Abdulbaki Aydin, Lucas Bang Verification Laboratory http://vlab.cs.ucsb.edu Department of Computer Science Common Usages of Strings } Input
More informationControl Flow Analysis with SAT Solvers
Control Flow Analysis with SAT Solvers Steven Lyde, Matthew Might University of Utah, Salt Lake City, Utah, USA Abstract. Control flow analyses statically determine the control flow of programs. This is
More informationversat: A Verified Modern SAT Solver
Computer Science, The University of Iowa, USA Satisfiability Problem (SAT) Is there a model for the given propositional formula? Model: assignments to the variables that makes the formula true. SAT if
More informationMixing Type Checking and Symbolic Execution. Khoo Yit Phang (UMD College Park) Bor-Yuh Evan Chang (CU Boulder) Jeffrey S. Foster (UMD College Park)
Mixing Type Checking and Symbolic Execution Khoo Yit Phang (UMD College Park) Bor-Yuh Evan Chang (CU Boulder) Jeffrey S. Foster (UMD College Park) FRACTAL - December 5, 2009 An all too common scenario
More informationFinding Optimum Abstractions in Parametric Dataflow Analysis
Finding Optimum Abstractions in Parametric Dataflow Analysis Xin Zhang Georgia Institute of Technology, USA xin.zhang@gatech.edu Mayur Naik Georgia Institute of Technology, USA naik@cc.gatech.edu Hongseok
More informationPrograms that write themselves: Program synthesis for the masses. Yu Feng UT Austin
Programs that write themselves: Program synthesis for the masses Yu Feng UT Austin New platforms impose demand for programming 2 New platforms impose demand for programming 2 New platforms impose demand
More informationPliny and Fixr Meeting. September 15, 2014
Pliny and Fixr Meeting September 15, 2014 Fixr: Mining and Understanding Bug Fixes for App-Framework Protocol Defects (TA2) University of Colorado Boulder September 15, 2014 Fixr: Mining and Understanding
More informationFormally Certified Satisfiability Solving
SAT/SMT Proof Checking Verifying SAT Solver Code Future Work Computer Science, The University of Iowa, USA April 23, 2012 Seoul National University SAT/SMT Proof Checking Verifying SAT Solver Code Future
More informationJoin Bayes Nets: A New Type of Bayes net for Relational Data
Join Bayes Nets: A New Type of Bayes net for Relational Data Oliver Schulte oschulte@cs.sfu.ca Hassan Khosravi hkhosrav@cs.sfu.ca Bahareh Bina bba18@cs.sfu.ca Flavia Moser fmoser@cs.sfu.ca Abstract Many
More informationMechanically-Verified Validation of Satisfiability Solvers
Mechanically-Verified Validation of Satisfiability Solvers Nathan Wetzler The University of Texas at Austin Dissertation Proposal October 18, 2013 Outline Motivation and Proposal Satisfiability and Proofs
More informationAutomated Program Repair
#1 Automated Program Repair Motivation Software maintenance is expensive Up to 90% of the cost of software [Seacord] Up to $70 Billion per year in US [Jorgensen, Sutherland] Bug repair is the majority
More informationAutomatic Software Verification
Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework
More informationFORMAL VERIFICATION OF EMBEDDED SOFTWARE THROUGH FRAMA-C. Julien Signoles Software Security Labs CEA LIST
FORMAL VERIFICATION OF EMBEDDED SOFTWARE THROUGH FRAMA-C Julien Signoles Software Security Labs CEA LIST This document is the property of CEA. It can not be copied or disseminated without its authorization.
More informationCSE507. Practical Applications of SAT. Computer-Aided Reasoning for Software. Emina Torlak
Computer-Aided Reasoning for Software CSE507 Practical Applications of SAT courses.cs.washington.edu/courses/cse507/18sp/ Emina Torlak emina@cs.washington.edu Today Past 2 lectures The theory and mechanics
More informationTowards Incremental Grounding in Tuffy
Towards Incremental Grounding in Tuffy Wentao Wu, Junming Sui, Ye Liu University of Wisconsin-Madison ABSTRACT Markov Logic Networks (MLN) have become a powerful framework in logical and statistical modeling.
More informationFinding and Fixing Bugs in Liquid Haskell. Anish Tondwalkar
Finding and Fixing Bugs in Liquid Haskell Anish Tondwalkar Overview Motivation Liquid Haskell Fault Localization Fault Localization Evaluation Predicate Discovery Predicate Discovery Evaluation Conclusion
More informationVerifying Concurrent Programs
Verifying Concurrent Programs Daniel Kroening 8 May 1 June 01 Outline Shared-Variable Concurrency Predicate Abstraction for Concurrent Programs Boolean Programs with Bounded Replication Boolean Programs
More informationSafety Checks and Semantic Understanding via Program Analysis Techniques
Safety Checks and Semantic Understanding via Program Analysis Techniques Nurit Dor Joint Work: EranYahav, Inbal Ronen, Sara Porat Goal Find properties of a program Anti-patterns that indicate potential
More informationIn Our Last Exciting Episode
In Our Last Exciting Episode #1 Lessons From Model Checking To find bugs, we need specifications What are some good specifications? To convert a program into a model, we need predicates/invariants and
More informationDuet: Static Analysis for Unbounded Parallelism
Duet: Static Analysis for Unbounded Parallelism Azadeh Farzan and Zachary Kincaid University of Toronto Abstract. Duet is a static analysis tool for concurrent programs in which the number of executing
More informationConstraint Solving. Systems and Internet Infrastructure Security
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Constraint Solving Systems
More informationJSAI: A STATIC ANALYSIS PLATFORM FOR JAVASCRIPT
JSAI: A STATIC ANALYSIS PLATFORM FOR JAVASCRIPT Vineeth Kashyap, Kyle Dewey, Ethan A. Kuefner, John Wagner, Kevin Gibbons, John Sarracino, BenWiedermann, Ben Hardekopf PAPER BACKGROUND Symposium on Foundations
More informationMining and Understanding Software Enclaves (MUSE)
Mining and Understanding Software Enclaves (MUSE) Suresh Jagannathan Information Innovation Office DARPA http://www.darpa.mil/our_work/i2o/programs/mining_and_understanding_software_enclaves_(muse).aspx
More informationHeartbleed Attack Lab
SEED Labs Heartbleed Attack 1 Heartbleed Attack Lab Copyright c 2016 Wenliang Du, Syracuse University. The development of this document was partially funded by the National Science Foundation under Award
More informationScreaming Fast Declarative Pointer Analysis
Screaming Fast Declarative Pointer Analysis http://doop.program-analysis.org Martin Bravenboer and Yannis Smaragdakis University of Massachusetts Amherst University of Oregon NEPLS March 5, 2008 overview
More informationDynamic Software Model Checking
Dynamic Software Model Checking Patrice Godefroid Microsoft Research Page 1 September 2014 Ed Clarke: A man, An idea LASER 2011 summer school (Elba island, Italy) Page 2 September 2014 Ed Clarke: A man,
More informationMoving Fast with High Reliability: Program Analysis at Uber
Moving Fast with High Reliability: Program Analysis at Uber Manu Sridharan Software Reliability Workshop ETH Zurich OCTOBER 14, 2017 Uber Apps Rider Driver Eats ios and Android Uber Apps Rider Driver Eats
More informationCloning-Based Context-Sensitive Pointer Alias Analysis using BDDs
More Pointer Analysis Last time Flow-Insensitive Pointer Analysis Inclusion-based analysis (Andersen) Today Class projects Context-Sensitive analysis March 3, 2014 Flow-Insensitive Pointer Analysis 1 John
More informationRelational Learning. Jan Struyf and Hendrik Blockeel
Relational Learning Jan Struyf and Hendrik Blockeel Dept. of Computer Science, Katholieke Universiteit Leuven Celestijnenlaan 200A, 3001 Leuven, Belgium 1 Problem definition Relational learning refers
More informationSoftware Architecture and Engineering: Part II
Software Architecture and Engineering: Part II ETH Zurich, Spring 2016 Prof. http://www.srl.inf.ethz.ch/ Framework SMT solver Alias Analysis Relational Analysis Assertions Second Project Static Analysis
More informationSelective Context-Sensitivity Guided by Impact Pre-Analysis
Selective Context-Sensitivity Guided by Impact Pre-Analysis 1 1 1 Hakjoo Oh Wonchan Lee Kihong Heo 2 1 Hongseok Yang Kwangkeun Yi 1 Seoul National University 2University of Oxford PLDI 2014 @Edinburgh,
More informationThe Checker Framework: pluggable static analysis for Java
The Checker Framework: pluggable static analysis for Java http://checkerframework.org/ Werner Dietl University of Waterloo https://ece.uwaterloo.ca/~wdietl/ Joint work with Michael D. Ernst and many others.
More informationMaximal Causality Reduction for TSO and PSO. Shiyou Huang Jeff Huang Parasol Lab, Texas A&M University
Maximal Causality Reduction for TSO and PSO Shiyou Huang Jeff Huang huangsy@tamu.edu Parasol Lab, Texas A&M University 1 A Real PSO Bug $12 million loss of equipment curpos = new Point(1,2); class Point
More informationAtomicity for Reliable Concurrent Software. Race Conditions. Motivations for Atomicity. Race Conditions. Race Conditions. 1. Beyond Race Conditions
Towards Reliable Multithreaded Software Atomicity for Reliable Concurrent Software Cormac Flanagan UC Santa Cruz Joint work with Stephen Freund Shaz Qadeer Microsoft Research 1 Multithreaded software increasingly
More informationKruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring
NDSS 2012 Kruiser: Semi-synchronized Nonblocking Concurrent Kernel Heap Buffer Overflow Monitoring Donghai Tian 1,2, Qiang Zeng 2, Dinghao Wu 2, Peng Liu 2 and Changzhen Hu 1 1 Beijing Institute of Technology
More informationBottom-up Context-Sensitive Pointer Analysis for Java
Bottom-up Context-Sensitive Pointer Analysis for Java Yu Feng, Xinyu Wang, Isil Dillig and Thomas Dillig UT Austin 1 What is this talk about? Pointer analysis Given a program variable v, what are the heap
More informationThe Pointer Assertion Logic Engine
The Pointer Assertion Logic Engine [PLDI 01] Anders Mφller Michael I. Schwartzbach Presented by K. Vikram Cornell University Introduction Pointer manipulation is hard Find bugs, optimize code General Approach
More informationA Serializability Violation Detector for Shared-Memory Server Programs
A Serializability Violation Detector for Shared-Memory Server Programs Min Xu Rastislav Bodík Mark Hill University of Wisconsin Madison University of California, Berkeley Serializability Violation Detector:
More informationConfigurable Software Model Checking
Configurable Software Model Checking CPAchecker Dirk Beyer Dirk Beyer 1 / 26 Software Verification C Program int main() { int a = foo(); int b = bar(a); } assert(a == b); Verification Tool TRUE i.e., specification
More informationSymbolic and Concolic Execution of Programs
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015 Information Security, CS 526 1 Reading for this lecture Symbolic execution and program testing - James
More informationAPISan: Sanitizing API Usages through Semantic Cross-checking
APISan: Sanitizing API Usages through Semantic Cross-checking Insu Yun, Changwoo Min, Xujie Si, Yeongjin Jang, Taesoo Kim, Mayur Naik Georgia Institute of Technology 1 APIs in today s software are plentiful
More informationPUG (Prover of User GPU Programs) v0.2
PUG (Prover of User GPU Programs) v0.2 Guodong Li School of Computing, University of Utah 1 Installation For details on PUG, see our forthcoming FSE 2010 paper. This manual pertains to our tool for which
More informationA Classification of Concurrency Bugs in Java Benchmarks by Developer Intent
A Classification of Concurrency Bugs in Java Benchmarks by Developer Intent M. Erkan Keremoglu, Serdar Tasiran, Tayfun Elmas Center for Advanced Design Technologies @ Koc University http://designtech.ku.edu.tr
More informationSeminar decision procedures: Certification of SAT and unsat proofs
Seminar decision procedures: Certification of SAT and unsat proofs Wolfgang Nicka Technische Universität München June 14, 2016 Boolean satisfiability problem Term The boolean satisfiability problem (SAT)
More informationVerifying the Safety of Security-Critical Applications
Verifying the Safety of Security-Critical Applications Thomas Dillig Stanford University Thomas Dillig 1 of 31 Why Program Verification? Reliability and security of software is a huge problem. Thomas Dillig
More informationLeveraging Lock Contention to Improve Transaction Applications. University of Washington
Leveraging Lock Contention to Improve Transaction Applications Cong Yan Alvin Cheung University of Washington Background Pessimistic locking-based CC protocols Poor performance under high data contention
More informationResearch on the Static Analysis Method of the Localization Embedded Platform Software Code Zhijie Gaoa, Ling Lu, Wen Jiao
6th International Conference on Information Engineering for Mechanics and Materials (ICIMM 2016) Research on the Static Analysis Method of the Localization Embedded Platform Software Code Zhijie Gaoa,
More informationEmbedded Software Verification Challenges and Solutions. Static Program Analysis
Embedded Software Verification Challenges and Solutions Static Program Analysis Chao Wang chaowang@nec-labs.com NEC Labs America Princeton, NJ ICCAD Tutorial November 11, 2008 www.nec-labs.com 1 Outline
More informationHow Can You Trust Formally Verified Software?
How Can You Trust Formally Verified Software? Alastair Reid Arm Research @alastair_d_reid https://www.theguardian.com/business/2015/may/01/us-aviation-authority-boeing-787-dreamliner-bug-could-cause-loss-of-control
More informationLarge-Scale API Protocol Mining for Automated Bug Detection
Large-Scale API Protocol Mining for Automated Bug Detection Michael Pradel Department of Computer Science ETH Zurich 1 Motivation LinkedList pinconnections =...; Iterator i = pinconnections.iterator();
More informationSoftware Model Checking. From Programs to Kripke Structures
Software Model Checking (in (in C or or Java) Java) Model Model Extraction 1: int x = 2; int y = 2; 2: while (y
More informationStatic Analysis of Embedded C
Static Analysis of Embedded C John Regehr University of Utah Joint work with Nathan Cooprider Motivating Platform: TinyOS Embedded software for wireless sensor network nodes Has lots of SW components for
More informationRubicon: Scalable Bounded Verification of Web Applications
Joseph P. Near Research Statement My research focuses on developing domain-specific static analyses to improve software security and reliability. In contrast to existing approaches, my techniques leverage
More informationHybrid POR with Under-Approximate Dynamic Points-To and Determinacy Information
Hybrid POR with Under-Approximate Dynamic Points-To and Determinacy Information http://d3s.mff.cuni.cz Pavel Parízek CHARLES UNIVERSITY IN PRAGUE faculty of mathematics and physics P. Parízek Hybrid POR
More informationEfficient Data Race Detection for Unified Parallel C
P A R A L L E L C O M P U T I N G L A B O R A T O R Y Efficient Data Race Detection for Unified Parallel C ParLab Winter Retreat 1/14/2011" Costin Iancu, LBL" Nick Jalbert, UC Berkeley" Chang-Seo Park,
More informationTypes, Universes and Everything
Types, Universes and Everything Andres Löh Dept. of Information and Computing Sciences, Utrecht University P.O. Box 80.089, 3508 TB Utrecht, The Netherlands Web pages: http://www.cs.uu.nl/wiki/center May
More informationHow Can You Trust Formally Verified Software?
How Can You Trust Formally Verified Software? Alastair Reid Arm Research @alastair_d_reid Buffer over-read vulnerabilities Use after free s e i t i l i b a r e n l u v r o r r e c Logi Buffer overflow
More informationA Parameterized Type System for Race-Free Java Programs
A Parameterized Type System for Race-Free Java Programs Chandrasekhar Boyapati Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology {chandra, rinard@lcs.mit.edu Data races
More informationToday Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding
More informationScalable Program Verification by Lazy Abstraction
Scalable Program Verification by Lazy Abstraction Ranjit Jhala U.C. Berkeley ars, July, 997 Lost contact due to real-time priority inversion bug ars, December, 999 Crashed due to uninitialized variable
More informationSynthesis of Domain Specific Encoders for Bit- Vector Solvers
Synthesis of Domain Specific Encoders for Bit- Vector Solvers Jeevana Priya Inala! with Rohit Singh, Armando Solar-Lezama To appear at SAT 16 High-level constraint to CNF clauses SMT solver High-level
More informationGoal. Overflow Checking in Firefox. Sixgill. Sixgill (cont) Verifier Design Questions. Sixgill: Properties 4/8/2010
Goal Overflow Checking in Firefox Brian Hackett Can we clean a code base of buffer overflows? Keep it clean? Must prove buffer accesses are in bounds Verification: prove a code base has a property Sixgill
More informationRipple: Reflection Analysis for Android Apps in Incomplete Information Environments
Ripple: Reflection Analysis for Android Apps in Incomplete Information Environments Yifei Zhang, Tian Tan, Yue Li and Jingling Xue Programming Languages and Compilers Group University of New South Wales
More informationSemantic Atomicity for Multithreaded Programs!
P A R A L L E L C O M P U T I N G L A B O R A T O R Y Semantic Atomicity for Multithreaded Programs! Jacob Burnim, George Necula, Koushik Sen! Parallel Computing Laboratory! University of California, Berkeley!
More informationInductive Logic Programming Using a MaxSAT Solver
Inductive Logic Programming Using a MaxSAT Solver Noriaki Chikara 1, Miyuki Koshimura 2, Hiroshi Fujita 2, and Ryuzo Hasegawa 2 1 National Institute of Technology, Tokuyama College, Gakuendai, Shunan,
More informationSynthesis of Synchronization using Uninterpreted Functions
Synthesis of Synchronization using Uninterpreted Functions* October 22, 2014 Roderick Bloem, Georg Hofferek, Bettina Könighofer, Robert Könighofer, Simon Außerlechner, and Raphael Spörk * This work was
More informationConstraint Propagation for Efficient Inference in Markov Logic
Constraint Propagation for Efficient Inference in Tivadar Papai 1 Parag Singla 2 Henry Kautz 1 1 University of Rochester, Rochester NY 14627, USA 2 University of Texas, Austin TX 78701, USA September 13,
More informationUNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES
FEDERAL UNIVERSITY OF AMAZONAS INSTITUTE OF COMPUTING GRADUATE PROGRAM IN COMPUTER SCIENCE UNDERSTANDING PROGRAMMING BUGS IN ANSI-C SOFTWARE USING BOUNDED MODEL CHECKING COUNTER-EXAMPLES Herbert Oliveira
More informationA Trace-based Java JIT Compiler Retrofitted from a Method-based Compiler
A Trace-based Java JIT Compiler Retrofitted from a Method-based Compiler Hiroshi Inoue, Hiroshige Hayashizaki, Peng Wu and Toshio Nakatani IBM Research Tokyo IBM Research T.J. Watson Research Center April
More informationProgram Analysis and Constraint Programming
Program Analysis and Constraint Programming Joxan Jaffar National University of Singapore CPAIOR MasterClass, 18-19 May 2015 1 / 41 Program Testing, Verification, Analysis (TVA)... VS... Satifiability/Optimization
More informationPooya Saadatpanah, Michalis Famelis, Jan Gorzny, Nathan Robinson, Marsha Chechik, Rick Salay. September 30th, University of Toronto.
Comparing the Pooya Michalis Jan Nathan Marsha Chechik, Rick Salay University of Toronto September 30th, 2012 MoDeVVa 12 1 / 32 in software modeling : pervasive in MDE Models with uncertainty: Represent
More informationGaps in Static Analysis Tool Capabilities. Providing World-Class Services for World-Class Competitiveness
Gaps in Static Analysis Tool Capabilities 1 Overview Gaps in Static Analysis tools as identified during the evaluation of five (5) commercially available static analysis tools Collaborative effort between
More informationC Code Verification based on the Extended Labeled Transition System Model
C Code Verification based on the Extended Labeled Transition System Model Dexi Wang, Chao Zhang, Guang Chen, Ming Gu, and Jiaguang Sun School of Software, TNLIST, Tsinghua University, China {dx-wang12,zhang-chao13,chenguan14}@mails.tsinghua.edu.cn
More informationSyntax-Guided Program Synthesis. Rajeev Alur. University of Pennsylvania
Syntax-Guided Program Synthesis Rajeev Alur University of Pennsylvania 1 Goal: Programming computers easier than communicating with people Can programming be liberated, period. David Harel, IEEE Computer,
More informationSyntax-Guided Program Synthesis. Rajeev Alur
Syntax-Guided Program Synthesis Rajeev Alur University of Pennsylvania 1 Goal: Programming computers easier than communicating with people Can programming be liberated, period. David Harel, IEEE Computer,
More informationThe Mezzo case. Jonathan Protzenko. François Pottier FSFMA'13. Why design a new programming language?
Why design a new programming language? The Mezzo case François Pottier francois.pottier@inria.fr Jonathan Protzenko jonathan.protzenko@inria.fr INRIA FSFMA'13 Jonathan Protzenko (INRIA) The Mezzo language
More information