In Defense of Probabilistic Static Analysis
![Page 1: In Defense of Probabilistic Static Analysis](https://reader035.vdocument.in/reader035/viewer/2022070404/56813b9d550346895da4d592/html5/thumbnails/1.jpg)
In Defense of Probabilistic Static
Analysis
BEN LIVSHITS
SHUVENDU LAHIRI
MICROSOFT RESEARCH
![Page 2: In Defense of Probabilistic Static Analysis](https://reader035.vdocument.in/reader035/viewer/2022070404/56813b9d550346895da4d592/html5/thumbnails/2.jpg)
FROM THE PEOPLE WHO BROUGHT YOU SOUNDINESS.ORG…
![Page 3: In Defense of Probabilistic Static Analysis](https://reader035.vdocument.in/reader035/viewer/2022070404/56813b9d550346895da4d592/html5/thumbnails/3.jpg)
STATIC ANALYSIS: UNEASY TRADEOFFS
too imprecise
useless results
may not scale
does not scale
overkill for some things
possibly still too imprecise for others
![Page 4: In Defense of Probabilistic Static Analysis](https://reader035.vdocument.in/reader035/viewer/2022070404/56813b9d550346895da4d592/html5/thumbnails/4.jpg)
WHAT IS MISSING IS
ANALYSIS ELASTICITY
![Page 5: In Defense of Probabilistic Static Analysis](https://reader035.vdocument.in/reader035/viewer/2022070404/56813b9d550346895da4d592/html5/thumbnails/5.jpg)
OUR APPROACH IS PROBABILISTIC TREATMENT
Points-to(p, v, h)
• MANY INTERPRETATIONS ARE POSSIBLE
• OUR CERTAINTY IN THE FACT BASED ON STATIC EVIDENCE SUCH AS PROGRAM STRUCTURE
• OUR CERTAINTY BASED ON RUNTIME OBSERVATIONS
• OUR CERTAINTY BASED ON PRIORS OBTAINED FROM THIS OR OTHER PROGRAMS
Object x = new Object();
try {
    ...
} catch (Exception e) {
    x = null;
}
if (...) { // branch direction info
    x = new Object();
} else {
    x = null;
}

$('mydiv').css('color', 'red');
![Page 6: In Defense of Probabilistic Static Analysis](https://reader035.vdocument.in/reader035/viewer/2022070404/56813b9d550346895da4d592/html5/thumbnails/6.jpg)
BENEFITS
RESULT PRIORITIZATION
• STATIC ANALYSIS RESULTS CAN BE NATURALLY RANKED OR PRIORITIZED IN TERMS OF CERTAINTY, NEARLY A REQUIREMENT IN A SITUATION WHERE ANALYSIS USERS ARE FREQUENTLY FLOODED WITH RESULTS
ANALYSIS DEBUGGING
• PROGRAM POINTS OR EVEN STATIC ANALYSIS INFERENCE RULES AND FACTS LEADING TO IMPRECISION CAN BE IDENTIFIED WITH THE HELP OF BACKWARD PROPAGATION
![Page 7: In Defense of Probabilistic Static Analysis](https://reader035.vdocument.in/reader035/viewer/2022070404/56813b9d550346895da4d592/html5/thumbnails/7.jpg)
MORE BENEFITS
HARD AND SOFT RULES
• IN AN EFFORT TO MAKE THEIR ANALYSIS FULLY SOUND, ANALYSIS DESIGNERS OFTEN COMBINE CERTAIN INFERENCE RULES WITH THOSE THAT COVER GENERALLY UNLIKELY CASES TO MAINTAIN SOUNDNESS
• NATURALLY BLENDING SUCH INFERENCE RULES TOGETHER, BY GIVING HIGH PROBABILITIES TO THE FORMER AND LOW PROBABILITIES TO THE LATTER ALLOWS US TO BALANCE SOUNDNESS AND UTILITY CONSIDERATIONS
INFUSING WITH PRIORS
• END-QUALITY OF ANALYSIS RESULTS CAN OFTEN BE IMPROVED BY DOMAIN KNOWLEDGE SUCH AS INFORMATION ABOUT VARIABLE NAMING, CHECK-IN INFORMATION FROM SOURCE CONTROL REPOSITORIES, BUG FIX DATA FROM BUG REPOSITORIES, ETC.
![Page 8: In Defense of Probabilistic Static Analysis](https://reader035.vdocument.in/reader035/viewer/2022070404/56813b9d550346895da4d592/html5/thumbnails/8.jpg)
SIMPLE ANALYSIS IN DATALOG
x = 3;
y = null;
z = null;
z = x;
if (...) {
    z = null;
    y = 5;
}
w = *z;

// transitive flow propagation
FLOW(x,z) :- FLOW(x,y), ASSIGN(y,z).
FLOW(a,c) :- FLOW(a,b), ASSIGNCOND(b,c).
FLOW(x,x).
// nullable variables
NULLABLE(x) :- FLOW(x,y), ISNULL(y).
// error detection
ERROR(a) :- ISNULL(a), DEREF(a).
ERROR(a) :- !ISNULL(a), NULLABLE(a), DEREF(a).
![Page 9: In Defense of Probabilistic Static Analysis](https://reader035.vdocument.in/reader035/viewer/2022070404/56813b9d550346895da4d592/html5/thumbnails/9.jpg)
RELAXING THE RULES
// weighted rules (Markov logic syntax; a leading number is the rule's weight)
// transitive flow propagation
FLOW(x,y) ^ ASSIGN(y,z) => FLOW(x,z).
1 FLOW(a,b) ^ ASSIGNCOND(b,c) => FLOW(a,c)
FLOW(x,x).
// nullable variables
FLOW(x,y) ^ ISNULL(y) => NULLABLE(x).
// error detection
ISNULL(a) ^ DEREF(a) => ERROR(a).
0.5 !ISNULL(a) ^ NULLABLE(a) ^ DEREF(a) => ERROR(a).
// priors and shaping distributions
3 !FLOW(x,y).

// original Datalog rules
// transitive flow propagation
FLOW(x,z) :- FLOW(x,y), ASSIGN(y,z).
FLOW(a,c) :- FLOW(a,b), ASSIGNCOND(b,c).
FLOW(x,x).
// nullable variables
NULLABLE(x) :- FLOW(x,y), ISNULL(y).
// error detection
ERROR(a) :- ISNULL(a), DEREF(a).
ERROR(a) :- !ISNULL(a), NULLABLE(a), DEREF(a).
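The two slides above (the Datalog analysis and its relaxed, weighted form) can be exercised together on a small program. The following is an added example, not code from the talk or from Alchemy: it runs the slides' FLOW / NULLABLE / ERROR rules as a fixpoint over a constructed program, first with every rule hard (plain Datalog) and then with confidences on the two rules the slides weight (flow through a conditional assignment, and "nullable but not definitely null" dereferences). Scores are combined as the best derivation's product of rule confidences, a simple max-product approximation chosen here for readability; it is not Markov logic inference, and the confidences 0.7 and 0.5 are assumed stand-ins for the slides' weights. The relation conventions (ASSIGN(t, s) for `t = s`, FLOW(a, b) for "a may take its value from b") are likewise assumptions, chosen so that the slides' rules read consistently.

```python
"""Added example (not from the slides): the slides' null-dereference rules
run as a scored Datalog fixpoint, so ERROR facts come out ranked.
Assumed conventions: ASSIGN(t, s) is `t = s`; FLOW(a, b) means a may take
its value from b; ISNULL(v): v is unconditionally assigned null;
DEREF(v): v is dereferenced. Rule variables start with '?'."""

HARD = 1.0  # confidence of a hard (ordinary Datalog) rule


def program_facts():
    """Constructed input program, encoded flow-insensitively as facts:
        x = 3;  y = null;  z = x;  if (...) { z = y; }  v = y;
        w = *z;  t = *v;  u = *y;
    Every input fact has score 1.0 (the program text is certain)."""
    facts = {
        ('ISNULL', ('y',)): 1.0,
        ('ASSIGN', ('z', 'x')): 1.0,
        ('ASSIGNCOND', ('z', 'y')): 1.0,
        ('ASSIGN', ('v', 'y')): 1.0,
        ('DEREF', ('z',)): 1.0,
        ('DEREF', ('v',)): 1.0,
        ('DEREF', ('y',)): 1.0,
    }
    for v in 'xyzvwtu':  # the slides' FLOW(x,x) instantiated per variable
        facts[('FLOW', (v, v))] = 1.0
    return facts


def rules(cond_conf, maybe_conf):
    """The slides' rules as (head, body, confidence); body atoms are
    (negated, relation, pattern). cond_conf and maybe_conf stand in for
    the slides' weights 1 and 0.5 (assumed values, not MLN weights)."""
    return [
        # transitive flow propagation
        (('FLOW', ('?x', '?z')),
         [(False, 'FLOW', ('?x', '?y')), (False, 'ASSIGN', ('?y', '?z'))], HARD),
        (('FLOW', ('?a', '?c')),
         [(False, 'FLOW', ('?a', '?b')), (False, 'ASSIGNCOND', ('?b', '?c'))], cond_conf),
        # nullable variables
        (('NULLABLE', ('?x',)),
         [(False, 'FLOW', ('?x', '?y')), (False, 'ISNULL', ('?y',))], HARD),
        # error detection
        (('ERROR', ('?a',)),
         [(False, 'ISNULL', ('?a',)), (False, 'DEREF', ('?a',))], HARD),
        (('ERROR', ('?a',)),
         [(True, 'ISNULL', ('?a',)), (False, 'NULLABLE', ('?a',)), (False, 'DEREF', ('?a',))], maybe_conf),
    ]


def match(pattern, args, env):
    """Unify a pattern with a fact's arguments; None on mismatch."""
    env = dict(env)
    for p, a in zip(pattern, args):
        if p.startswith('?'):
            if env.get(p, a) != a:
                return None
            env[p] = a
        elif p != a:
            return None
    return env


def bindings(body, facts, env):
    """Yield (binding, product of body scores) for each way the body
    matches the store. Negated atoms are checked against the current
    store (stratified: ISNULL is input-only, so this is sound here)."""
    if not body:
        yield env, 1.0
        return
    negated, rel, pattern = body[0]
    if negated:
        key = (rel, tuple(env.get(p, p) for p in pattern))
        if key not in facts:
            yield from bindings(body[1:], facts, env)
        return
    for (frel, fargs), score in list(facts.items()):
        if frel != rel or len(fargs) != len(pattern):
            continue
        env2 = match(pattern, fargs, env)
        if env2 is not None:
            for env3, rest in bindings(body[1:], facts, env2):
                yield env3, score * rest


def solve(rule_set, edb):
    """Naive fixpoint: a fact's score is the best derivation seen so far;
    iterate until no score improves."""
    facts = dict(edb)
    changed = True
    while changed:
        changed = False
        for head, body, conf in rule_set:
            body = sorted(body, key=lambda atom: atom[0])  # positives first
            for env, body_score in list(bindings(body, facts, {})):
                key = (head[0], tuple(env.get(p, p) for p in head[1]))
                score = conf * body_score
                if score > facts.get(key, 0.0) + 1e-12:
                    facts[key] = score
                    changed = True
    return facts


def ranked_errors(cond_conf=HARD, maybe_conf=HARD):
    """Run the analysis and return ERROR facts ranked by certainty."""
    facts = solve(rules(cond_conf, maybe_conf), program_facts())
    errors = [(args[0], round(score, 4))
              for (rel, args), score in facts.items() if rel == 'ERROR']
    return sorted(errors, key=lambda e: (-e[1], e[0]))


if __name__ == '__main__':
    print('plain Datalog:', ranked_errors())          # all three score 1.0
    print('relaxed rules:', ranked_errors(0.7, 0.5))  # y (certain) > v > z
```

With hard rules the three dereferences of y, v and z are reported as an undifferentiated list; with the two soft rules, the dereference of y (assigned null outright) ranks first, v (always assigned from a null variable) second, and z (null only along one branch) last, which is the result prioritization the earlier slide describes. The slides' prior `3 !FLOW(x,y)`, which in Markov logic penalises spurious flow facts globally, has no direct counterpart in this max-product scoring; it is one of the things a real MLN engine such as Alchemy adds.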
![Page 10: In Defense of Probabilistic Static Analysis](https://reader035.vdocument.in/reader035/viewer/2022070404/56813b9d550346895da4d592/html5/thumbnails/10.jpg)
PROBABILISTIC INFERENCE WITH ALCHEMY
• TUNING THE RULES
• TUNING THE WEIGHTS
• SEMANTICS ARE NOT AS OBVIOUS
• SHAPING PRIORS IS NON-TRIVIAL, BUT FRUITFUL
[Figure: ground Markov network for the example, with nodes X1, U1, W1, Y1, Z1–Z3 and W3–W11, and inferred marginal probabilities 0.616988, 0.614989, 0.567993, 0.560994 and 0.544996 on selected facts]
![Page 11: In Defense of Probabilistic Static Analysis](https://reader035.vdocument.in/reader035/viewer/2022070404/56813b9d550346895da4d592/html5/thumbnails/11.jpg)
CHALLENGES
• LEARNING THE WEIGHTS
    • EXPERT USERS
    • LEARNING (NEED LABELED DATASET)
• WHAT CLASS OF STATIC ANALYSIS CAN BE MADE ELASTIC?
    • DATALOG
    • ABSTRACT INTERPRETATION
    • DECISION PROCEDURE (SMT)-BASED