Systematic Approaches for Increasing Soundness and Precision of Static Analyzers (PowerPoint presentation)


SLIDE 1

Systematic Approaches for Increasing Soundness and Precision of Static Analyzers

Anders Møller

Aarhus University Joint work with Esben Sparre Andreasen and Benjamin Barslev Nielsen

Center for Advanced Software Analysis

http://casa.au.dk/

SLIDE 2

Some lessons learned from developing a static analyzer for JavaScript

  • How to detect soundness bugs that matter?
  • How to isolate precision bottlenecks?

… in a large static analyzer for a complex language and a massive platform API

SLIDE 3

Soundness and precision in static analysis

[Figure: the set of reachable states of a given program, and the set of reachable states as approximated by a static analysis. Approximated states that are not actually reachable are labelled precision loss; reachable states missing from the approximation are labelled unsoundness.]

When analyzing JavaScript programs:

imprecise ⇒ slow

SLIDE 4

Outline

  • Soundness testing
  • Blended analysis¹
  • Delta debugging² (or, cause reduction)
  • Combining the techniques

1) Dufour, Ryder, and Sevitsky, Blended Analysis for Performance Understanding of Framework-Based Applications, ISSTA’07
2) Zeller and Hildebrandt, Simplifying and Isolating Failure-Inducing Input, IEEE TSE 2002

SLIDE 5

Soundness testing

Provably sound

  • sound with respect to all concrete executions
  • infeasible for an analyzer as complex as TAJS

vs.

Probably sound

  • sound with respect to a finite set of concrete executions
  • very easy to test
  • over 1 million soundness checks in TAJS’s test suite


SLIDE 6

Soundness testing – example

[Figure: a JavaScript program shown next to a value log from one of its executions]

SLIDE 7

Artificially increasing precision with blended analysis

Filter abstract values based on concrete values.

Dufour, Ryder, and Sevitsky, Blended Analysis for Performance Understanding of Framework-Based Applications, ISSTA’07

SLIDE 8

Delta debugging

Systematically minimizes the input while preserving a target behavior. Typical inputs: programs to analyze.

[Figure: a JavaScript program and some predicate go into the delta debugger (jsdelta¹); out comes a minimized input satisfying the predicate (hopefully with the same cause as the original program)]

1) https://github.com/wala/jsdelta

SLIDE 9

Delta debugging – precision example

[Figure: underscore.js, 1548 lines; analysis times out after 3 minutes (“unanalyzable”). After delta debugging with jsdelta¹: 8 lines!]

1) https://github.com/wala/jsdelta

Limitations:

  • Generally only finds one problem at a time
  • May introduce spurious behaviors

SLIDE 10

Combining the techniques

① Soundness testing + delta debugging
② Blended analysis + delta debugging
③ Soundness testing + blended analysis
④ Soundness testing + blended analysis + delta debugging

SLIDE 11

① Soundness testing + delta debugging

Goal: Isolate a soundness bug

[Figure: delta debugging with input “program to analyze”, predicate “analysis result is unsound”, and output “minimized unsound program”]

Debugging is easier when there is only one soundness test failing

SLIDE 12

② Blended analysis + delta debugging

Goal: find precision bottlenecks

Idea: bottlenecks are program locations that benefit from blended analysis – what is the minimal set of such locations?

[Figure: delta debugging with input “all locations in program to analyze”, predicate “program analyzable in 3 minutes?”, and output “minimized set of locations satisfying predicate”]

Why better than reducing the program?

  • Finds all the critical locations in the program
  • Avoids spurious behaviors introduced by the delta debugger
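As an added example (not code from the slides or from jsdelta), Zeller and Hildebrandt's ddmin run over a set of program locations instead of over program text, as the slide describes. The location names, the blow-up factors and the simulated analysis time that stands in for the predicate “analyzable in 3 minutes?” are all constructed.

```javascript
// Added example, not from the slides or jsdelta: ddmin over program locations.
// Constructed cost model: how much the analysis slows down when a location is
// left to the static abstraction instead of being filtered by blended analysis.
const BLOWUP = {
  "name@L12": 300, "func@L30": 300,                    // the real bottlenecks
  "i@L5": 2, "k@L7": 3, "x@L9": 1, "y@L14": 1, "s@L20": 1, "t@L25": 1,
};
const TIMEOUT_SECONDS = 180;

// Simulated analysis time when `blended` is the set of locations given
// concrete-value filtering (stands in for running the analyzer for real).
function analysisSeconds(blended) {
  let seconds = 1;
  for (const [loc, factor] of Object.entries(BLOWUP)) {
    if (!blended.has(loc)) seconds *= factor;
  }
  return seconds;
}
const analyzable = blended => analysisSeconds(blended) <= TIMEOUT_SECONDS;

// Zeller & Hildebrandt's ddmin: shrink `input` while `test` keeps holding.
// Returns a 1-minimal subset: removing any single element makes `test` fail.
function ddmin(input, test) {
  let current = [...input];
  let n = 2;
  while (current.length >= 2) {
    const chunks = [];
    for (let i = 0; i < n; i++) {
      const lo = Math.floor(i * current.length / n), hi = Math.floor((i + 1) * current.length / n);
      chunks.push(current.slice(lo, hi));
    }
    const subset = chunks.find(c => test(new Set(c)));
    if (subset) { current = subset; n = 2; continue; }            // reduce to subset
    const complements = chunks.map(c => current.filter(x => !c.includes(x)));
    const complement = complements.find(c => test(new Set(c)));
    if (complement) { current = complement; n = Math.max(n - 1, 2); continue; } // reduce to complement
    if (n >= current.length) break;                                // every single element tried
    n = Math.min(current.length, n * 2);                           // increase granularity
  }
  return new Set(current);
}

// The minimal set of locations that must be blended for the analysis to finish.
function findBottlenecks() {
  const all = new Set(Object.keys(BLOWUP));
  if (!analyzable(all)) throw new Error("even full blending does not make the program analyzable");
  return ddmin(all, analyzable);
}
console.log([...findBottlenecks()]); // → [ 'name@L12', 'func@L30' ]
```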

SLIDE 13

Example: finding precision bottlenecks

[Figure: code excerpt with two critical locations: critical that name is not “any string”; critical that func is not any function from obj]

Useful information for analysis designers! Tells us where we need to improve the analysis abstractions.

SLIDE 14

③ Soundness testing + blended analysis

Soundness testing is possible even with unanalyzable programs!

(where “unanalyzable” means “cannot be analyzed within 3 minutes”)

Blended analysis does not affect the soundness tests when using the same concrete executions

Example: our model of Symbol was inadequate.
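As an added example (not code from the slides or from TAJS), the soundness check of slides 5 to 7 and the property stated on this slide: filtering with the same concrete executions leaves the soundness tests unchanged. The atom-set abstract domain, the location names and the value log for the three-line toy program are all constructed.

```javascript
// Added example, not from the slides or TAJS; the abstract domain is a toy.
const TOP_STRING = Symbol("any string");   // summary atom covering all strings
const TOP_NUMBER = Symbol("any number");   // summary atom covering all numbers

// An abstract value is a Set of atoms: concrete primitives and/or summary atoms.
function covers(abs, v) {
  if (abs.has(v)) return true;
  if (typeof v === "string") return abs.has(TOP_STRING);
  if (typeof v === "number") return abs.has(TOP_NUMBER);
  return false;
}

// Soundness testing: every logged concrete value must be covered by the
// abstract value the analysis computed for the same program location.
function soundnessFailures(result, log) {
  return log
    .filter(e => !covers(result[e.loc] || new Set(), e.value))
    .map(e => `${e.loc}: ${String(e.value)} not covered`);
}

// Blended analysis: at the chosen locations, filter the abstract value down to
// what the concrete executions produced. Summary atoms are replaced by the
// observed values of their type; concrete atoms never observed are dropped.
function blend(result, log, locations) {
  const out = { ...result };
  for (const loc of locations) {
    const observed = log.filter(e => e.loc === loc).map(e => e.value);
    const filtered = new Set();
    for (const atom of result[loc] || new Set()) {
      if (atom === TOP_STRING) observed.filter(v => typeof v === "string").forEach(v => filtered.add(v));
      else if (atom === TOP_NUMBER) observed.filter(v => typeof v === "number").forEach(v => filtered.add(v));
      else if (observed.includes(atom)) filtered.add(atom);
    }
    out[loc] = filtered;
  }
  return out;
}

// Constructed analysis result and value log for a three-line toy program.
const analysisResult = {
  "name@L1": new Set([TOP_STRING]),  // precision loss: name became "any string"
  "n@L2":    new Set([42, 43]),
  "flag@L3": new Set([true]),        // soundness bug: the analysis never saw false
};
const valueLog = [
  { loc: "name@L1", value: "length" }, { loc: "name@L1", value: "push" },
  { loc: "n@L2", value: 42 },
  { loc: "flag@L3", value: true }, { loc: "flag@L3", value: false },
];
console.log(soundnessFailures(analysisResult, valueLog)); // → [ 'flag@L3: false not covered' ]
```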

SLIDE 15

④ Soundness testing + blended analysis + delta debugging

Automatically find a minimal unsound program from an unanalyzable program.

SLIDE 16

Recommendations to static analysis developers

  1. Implement a dynamic analysis to record value logs from concrete executions
  2. Use soundness testing systematically
     – When soundness bugs are detected, use delta debugging
  3. When critical precision problems appear, use blended analysis
     – Use delta debugging to find the critical program locations
  4. Soundness bugs can be found, even with programs that are unanalyzable due to insufficient precision

SLIDE 17

A workflow for static analysis developers

[Figure: workflow diagram]

Can be automated!