toward general diagnosis of static errors
play

Toward General Diagnosis of Static Errors Danfeng Zhang and Andrew - PowerPoint PPT Presentation

Apr 01, 2024 •143 likes •429 views

Toward General Diagnosis of Static Errors Danfeng Zhang and Andrew C. Myers Cornell University POPL 2014 Static Program Analysis Many flavors Type system Dataflow analysis Information-flow analysis Useful properties Type

  1. Toward General Diagnosis of Static Errors Danfeng Zhang and Andrew C. Myers Cornell University POPL 2014

  2. Static Program Analysis • Many flavors – Type system – Dataflow analysis – Information-flow analysis • Useful properties – Type safety – Memory safety – Information-flow security • But, (sometimes) confusing error messages make static analyses hard to use 2

  3. Example 1: ML Type Inference • OCaml 1 let foo(lst: int list): (float*float) list = 2 … 3 let rec loop lst x y dir acc = 4 if lst = [] then 5 acc Mistake 6 else 7 print_string “foo” 8 in [(0.0,0.0)] 9 List.rev (loop lst 0.0 0.0 0.0 ) Locating the error cause is OCaml: This expression has type 'a list but is here used • Time-consuming with type unit • Difficult 3

  4. Example 2: Information-Flow Analysis • Jif: Java + Information-Flow control Mistake 1 public final byte[ ] {this} encText; {} 2 … 3 public void m(FileOutputStream[ ]{this} encFos) {this} 4 throws (IOException) { 5 try { Jif: This label is 6 for (int i=0; i<encText.length; i++) too restrictive 7 encFos.write(encText[i]); 8 } catch (IoException e) {} 9 } Better error report is needed 4

  5. Toward Better Error Reports • Limitations of previous work – Methods reporting full explanation – Verbose reports – Analysis-specific methods – Tailored heuristics – Methods diagnosing false alarms – No diagnosis of true errors • Our approach – Applies to a large class of program analyses – Diagnoses the cause of both true errors and false alarms – Reports error causes more accurately than existing tools 5

  6. Approach Overview Language-Specific Programs Constraints OCaml Jif let foo(lst: int list):(float*float) list = let rec loop lst x y dir acc = if lst = [] then acc else print_string “foo” Others in List.rev(loop lst 0.0 0.0 0.0 [(0.0,0.0)]) Based on Language-Agnostic Bayesian Cause Constraints Analysis via Graph interpretation General Diagnosis Heuristics The error cause is likely to be • Simple • Able to explain all errors • Not used often on correct paths • (false alarm) weak and simple 6

  7. From Programs to Constraints • ML type inference Constructors: unit, float, list,∗ – Constraint elements: types Variables: 𝑏𝑑𝑑 3 , 𝑏𝑑𝑑 5 – Constraints: type equalities 1 let foo(lst: int list): (float*float) list = 2 … 3 let rec loop lst x y dir acc = acc 4 if lst = [] then 5 acc acc 6 else print_string “foo” 7 print_string “foo” 8 in 9 List.rev (loop lst 0.0 0.0 0.0 [(0.0,0.0)]) [(0.0,0.0)] 7

  8. A General Constraint Language Syntax of Constraints 𝑑 𝑗 𝐹 𝐹 1 ⊔ 𝐹 2 𝐹 1 ⊓ 𝐹 2 | ⊥ |⊤ 𝐹 ∷= 𝛽 𝑑 𝐹 1 , … , 𝐹 𝑜 𝐽 ∷= 𝐹 1 ≤ 𝐹 2 𝐷 ∷= 𝑗 𝐽 1𝑗 ⊢ 𝑘 𝐽 2𝑘 • Element ( 𝐹 ): form a lattice, with an ordering ≤ • Inequality ( 𝐽 ): a partial order on elements – E.g., “subtype of”, “subset of”, “less confidential than ” • Constraint (Hypothesis ⊢ Conclusion) – Hypothesis captures programmer assumptions – Variable-free constraint is valid when all ≤ in conclusion can be derived from hypothesis 8

  9. Properties of the Constraint Language • Expressive – ML type inference with polymorphism – Information-flow analysis with complex security model – Dataflow analysis (See formal translations in paper) • Practical to calculate satisfiable/unsatisfiable subsets of constraints 9

  10. Approach Overview Programs Constraints OCaml Jif let foo(lst: int list):(float*float) list = let rec loop lst x y dir acc = if lst = [] then acc else print_string “foo” Others in List.rev(loop lst 0.0 0.0 0.0 [(0.0,0.0)]) Language-Agnostic Constraints Analysis via Graph 10

  11. Constraint Graph in a Nutshell • Graph construction (simple case) – Node: constraint element – Directed edge: partial ordering 5. 6. 4. 7. 1. 2. 3. 11

  12. Constraint Analysis in a Nutshell P1 P3 P2 Type mismatch 12

  13. Constraint Analysis for the Full Constraint Language • Handling constructors, hypotheses – CFG Reachability [Barrett et al. 2000, Melski&Reps 2000] – Also handles join/meet operations (See details in paper) • Performance – Scalable: quadratic w.r.t. # graph nodes in practice 13

  14. Error Diagnosis Programs Constraints OCaml Jif let foo(lst: int list):(float*float) list = let rec loop lst x y dir acc = if lst = [] then acc else print_string “foo” Others in List.rev(loop lst 0.0 0.0 0.0 [(0.0,0.0)]) Language-Agnostic Constraints Analysis via Graph Bayesian reasoning 14

  15. Possible Explanations • When an analysis reports an error, either – The program being analyzed is wrong (true alarm) • E.g., an expression is wrong in OCaml program – The program analysis reports an false alarm (false alarm) • E.g., an assumption is missing in Jif program • Explanations to find – Wrong expressions – Missing hypotheses 15

  16. Key insight: Bayesian reasoning 16

  17. Inferring Most-Likely Error Cause • The most likely explanation argmax 𝑄(𝐹, 𝐼|𝑝) 𝐹,𝐼 ∈𝒣 – 𝒣 : explanation (pair of constraint elements and hypotheses) – o : observation (structure of a constraint graph) Observation 17

  18. Likelihood Estimation MAP estimation argmax 𝑄 Ω 𝐹 𝑄 𝑝 𝐹, 𝐼 𝑄 Ψ (𝐼) 𝐹,𝐼 ∈𝒣 18

  19. Likelihood Estimation # sat paths use elements in E 𝑙 𝐹 𝑄 2 |𝐹| argmax 𝑄 Ω 𝐹 𝑄 𝑝 𝐹, 𝐼 𝑄 Ψ (𝐼) 𝑄 1 1 − 𝑄 2 𝐹,𝐼 ∈𝒣 • Simplifying assumptions: – All expressions are equally likely to be wrong (with 𝑄 1 ) – Errors are unlikely (with 𝑄 2 < 0.5 ) to appear on satisfiable paths • Intuitively, General Diagnosis Heuristics The error cause is likely to be • Simple • Able to explain all errors • Not used often on correct paths • (missing hypotheses) weak and simple Explain later 19

  20. Inferring Likely Wrong Expressions 𝑙 𝐹 |𝐹| 𝑄 2 argmax 𝑄 1 1 − 𝑄 2 𝐹 • Search space – all subsets of expressions (nodes in constraint graph) • A * search – Optimal: all most likely wrong expressions are returned – Efficient: 10 seconds when the search space is over 2 1000 Evaluation suggests the accuracy is not sensitive to the value of 𝑸 𝟐 and 𝑸 𝟑 20

  21. Inferring Likely Missing Hypotheses argmax 𝑄 Ψ 𝐼 𝐼 • Simplicity is not the only metric – ⊤ ≤ ⊥ “explains” all errors • Likely missing hypotheses are both weak and simple – Minimal weakest hypothesis Bob ≤ Carol ⊢ Alice ≤ Bob Minimal weakest hypothesis Bob ≤ Carol ⊢ Alice ≤ Carol Alice ≤ Bob Bob ≤ Carol ⊢ Alice ≤ Carol ⊔⊥ Formal definition & search algorithm in paper 21

  22. Evaluation • Implementation Modest effort – Translation from analyses to constraints • OCaml: modified EasyOCaml (500 on top of 9,000LoC) • Jif: modified Jif (300 on top of 45,000LoC) – General error diagnostic tool • ~5,500 LoC in Java Error Diagnostic Tool OCaml Constraint Error Constraints Reports Graph Diagnosis Jif 22

  23. Accuracy of Error Reports: OCaml • Data – A corpus of previously collected programs [Lerner et al.’07] – Analyzed 336 programs with type mismatch errors • Metric of report quality – Location of programmer mistake: user’s fix with larger timestamp – Correctness: only when the programmer mistake is returned 23

  24. Comparison with OCaml and Seminal 100% Our tool finds a correct error 90%  Other tool misses the error 80% Both find correct error 70% Our tool finds multiple errors 60% 50% Both find correct error Both miss correct error  40% 30% 20% Other tool finds a correct error Our tool misses the error  10% 2% 0% Comparison with the OCaml compiler Comparison with the Seminal tool [Lerner et al.’07] 24

  25. Comparison with Jif • 16 previously collected buggy programs – An application with real-world security concern [Arden et al.’12] – Errors clearly marked by the application developer – Contains both error types 100% 100% Our tool finds a correct error 80% 80% Other tool misses the error 60% 60% Correct Both find correct error 40% 40% 20% 20% Both miss correct error Wrong 0% 0% Comparison with the Jif compiler Accuracy on missing hypothesis (Wrong expression) 25

  26. Related Work • Program analyses as constraint solving [e.g., Aiken’99, Foster et al. ’06] – No support for hypothesis; error report is verbose • Diagnosing ML/Jif errors [e.g., McAdam’98, Heeren’05, Lerner’07 , King’08, Chen&Erwig’14] – Tailored to specific program analysis • Probabilistic inference [e.g., Ball et al.’03, Kremenek et al.’06, Livshits et al.’09] – Different contexts; errors are considered in isolation • Diagnosing false alarms [e.g., Dillig et al.’12 , Blackshear and Lahiri’13] – Does not diagnose true errors in program 26

  27. Future Work • More expressive language – Add arithmetic to the language • Refine the simplifying assumptions – Remove assumptions on error independence – Incorporate domain specific knowledge 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Avoiding Errors in the Diagnosis and Management of Head and Neck Tumors Kerry D. Olsen, M.D.

Avoiding Errors in the Diagnosis and Management of Head and Neck Tumors Kerry D. Olsen, M.D.

Avoiding Errors in the Diagnosis and Management of Head and Neck Tumors Kerry D. Olsen, M.D. Professor, Otolaryngology Head and Neck Surgery Mayo Clinic Relevance and Purpose It is estimated that the average time from diagnosis to treatment of

555 views • 26 slides
Static analysis by abstract interpretation of run-time errors in synchronous and multithreaded

Static analysis by abstract interpretation of run-time errors in synchronous and multithreaded

Static analysis by abstract interpretation of run-time errors in synchronous and multithreaded embedded critical C programs Antoine Min e CNRS &amp; Ecole normale sup erieure Paris, France MOVEP CIRM, Marseille 4 December 2012

1.26k views • 90 slides
Automatic diagnosis and feedback for lexical stress errors in non-native speech: Towards a CAPT

Automatic diagnosis and feedback for lexical stress errors in non-native speech: Towards a CAPT

Automatic diagnosis and feedback for lexical stress errors in non-native speech: Towards a CAPT system for French learners of German Anjana Sofia Vakil Department of Computational Linguistics and Phonetics University of Saarland, Saarbr

539 views • 51 slides
Donald Trump: Errors in Diagnosis and Cure Robert Z Lawrence Albert L Williams Professor of

Donald Trump: Errors in Diagnosis and Cure Robert Z Lawrence Albert L Williams Professor of

Donald Trump: Errors in Diagnosis and Cure Robert Z Lawrence Albert L Williams Professor of Trade and Investment Harvard Kennedy School Agenda. Introduction: Why Manufacturing Employment matters Part1: Deindustrialization in the USA

272 views • 25 slides
Analysis of Diagnosis Errors for the APR1400 Main Control Rooms Awwal M. Arigi a and Jonghyun Kim a

Analysis of Diagnosis Errors for the APR1400 Main Control Rooms Awwal M. Arigi a and Jonghyun Kim a

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Analysis of Diagnosis Errors for the APR1400 Main Control Rooms Awwal M. Arigi a and Jonghyun Kim a a Nuclear Engineering. Department, Chosun University., 309

151 views • 4 slides
Basic Errors Compiling in Unix Syntax errors Common Errors, and Debugging Run-Time errors

Basic Errors Compiling in Unix Syntax errors Common Errors, and Debugging Run-Time errors

Basic Errors Compiling in Unix Syntax errors Common Errors, and Debugging Run-Time errors CS-121 Logic errors Syntax Errors Syntax Errors An error in which a C++ grammar rule has been violated. Are flagged at compile time Missing ;

338 views • 5 slides
Automated Diagnosis of Software Configuration Errors Sai Zhang , Michael D. Ernst University of

Automated Diagnosis of Software Configuration Errors Sai Zhang , Michael D. Ernst University of

Automated Diagnosis of Software Configuration Errors Sai Zhang , Michael D. Ernst University of Washington

372 views • 35 slides
Static and Method Overloading static One per class, not per object static variables

Static and Method Overloading static One per class, not per object static variables

Static and Method Overloading static One per class, not per object static variables all instances of the class share the same static variable example: serial/VIN number for Car static methods invoked through class

324 views • 7 slides
1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

1 Static Equilibrium From Static Eq. to Dynamic Eq. System of mass points Static

Static/ Dynamic Deformation I ntroduction to Static deformation Dynamic deformation Static/ Dynamic Deformation with Mass-Spring Systems undeformed shape f internal + = f inertia = 0 f external Min Gyu Choi deformed

426 views • 4 slides
Unified error reporting -- A worthy goal? Andi Kleen, Intel Corporation Sep 2009

Unified error reporting -- A worthy goal? Andi Kleen, Intel Corporation Sep 2009

Unified error reporting -- A worthy goal? Andi Kleen, Intel Corporation Sep 2009 andi@firstfloor.org errors standardized errors machine checks pci-express errors platform errors thermal errors APEI storage errors IO errors SMART events

518 views • 21 slides
Treasurers Institute Sun, Nov. 17, 2019 Property Tax Errors Property Tax Errors Property Tax

Treasurers Institute Sun, Nov. 17, 2019 Property Tax Errors Property Tax Errors Property Tax

Treasurers Institute Sun, Nov. 17, 2019 Property Tax Errors Property Tax Errors Property Tax Errors Property Tax Errors Historically, DCCA presented the Tax Levy training. Last Dept of Revenue Property Tax Rate and Levy Manual Dated Dec

960 views • 57 slides
NeuroTREMOR - A novel concept for support to diagnosis and remote management of tremor General

NeuroTREMOR - A novel concept for support to diagnosis and remote management of tremor General

! NeuroTREMOR - A novel concept for support to diagnosis and remote management of tremor General Presentation Project contract: 287739 Background Pathological tremors: the most extended movement disorder, a ff ecting up to 15% of people with

582 views • 25 slides
OCR Errors by Michael Barz Motivation In general: How to get information out of noisy input?

OCR Errors by Michael Barz Motivation In general: How to get information out of noisy input?

OCR Errors by Michael Barz Motivation In general: How to get information out of noisy input? Dealing with noisy input (scan/fax/e- mail) in written form Approach: Combination of diverse NLP tools in one pipeline Optical

543 views • 29 slides
ELO TRANSLATION PROJECT SARAH **** SOME VOCAB Errors Logic Errors Runtime Errors

ELO TRANSLATION PROJECT SARAH **** SOME VOCAB Errors Logic Errors Runtime Errors

ELO TRANSLATION PROJECT SARAH **** SOME VOCAB Errors Logic Errors Runtime Errors Strings ex. This is a string Data Structure a particular way of organizing data for computers Dictionary type of data

454 views • 42 slides
GENIE Systematic Errors GENIE Systematic Errors GENIE Systematic Errors Hugh Gallagher, Tufts

GENIE Systematic Errors GENIE Systematic Errors GENIE Systematic Errors Hugh Gallagher, Tufts

GENIE Systematic Errors GENIE Systematic Errors GENIE Systematic Errors Hugh Gallagher, Tufts University July 11, 2016 - NUTUNE 16, U. Liverpool OUTLINE 1) History/Context 2) Neutrino-Nucleon Interaction Modeling Free nucleon cross

905 views • 43 slides
COTS SW Dedication Introduction Dependable Software Laboratory Konkuk Univ.

COTS SW Dedication Introduction Dependable Software Laboratory Konkuk Univ.

COTS SW Dedication Introduction Dependable Software Laboratory Konkuk Univ. 2015.10.07 LINTING 2 Linting Linter program checks static errors or potential errors and coding style guideline violations variables being used

818 views • 46 slides
Congressional Request Advancing the Science of Climate Change Generic Report Summary Slides

Congressional Request Advancing the Science of Climate Change Generic Report Summary Slides

1 Congressional Request Advancing the Science of Climate Change Generic Report Summary Slides (based on presentations by Pam Matson and Ian Kraucunas to various audiences) http://americasclimatechoices.org 2 The National Academies A

333 views • 22 slides
June 3, 2014 Brian Haigh, MD Learning Objectives Appreciate complexity and impact of risk

June 3, 2014 Brian Haigh, MD Learning Objectives Appreciate complexity and impact of risk

Management of the Suicidal Adolescent in Primary Care June 3, 2014 Brian Haigh, MD Learning Objectives Appreciate complexity and impact of risk factors for self harm that can be co-morbid or independent of depression. Increase

466 views • 30 slides
Structurally Related N-oxide-Containing Heterocycles Elena Chugunova 1, *, Nurgali Akylbekov 2 ,

Structurally Related N-oxide-Containing Heterocycles Elena Chugunova 1, *, Nurgali Akylbekov 2 ,

Synthesis and Antimicrobial Activity of Benzofuroxans and Structurally Related N-oxide-Containing Heterocycles Elena Chugunova 1, *, Nurgali Akylbekov 2 , Vladimir Samsonov 3 , Alexandra Voloshina 1 , Alexander Burilov 1 1 A.E. Arbuzov Institute

399 views • 29 slides
Disclosures: None Insights on Occupational &amp; Environmental Causes of Neurodegenerative

Disclosures: None Insights on Occupational &amp; Environmental Causes of Neurodegenerative

Disclosures: None Insights on Occupational &amp; Environmental Causes of Neurodegenerative Disease Updates in Occupational and Environmental Medicine 2017 Samuel M. Goldman, MD, MPH Associate Professor, UCSF Department of Neurology SFVAMC,

547 views • 19 slides
HUD Review Requirements 182 Contents PHA Submissions for HUD Approval Contract Actions

HUD Review Requirements 182 Contents PHA Submissions for HUD Approval Contract Actions

12 CHAPTER HUD Review Requirements 182 Contents PHA Submissions for HUD Approval Contract Actions Requiring Prior HUD Approval Exemption from Pre-award Review 183 Introduction HUD review of PHAs procurement activity is

302 views • 9 slides
Model Estimation Within Planning and Learning Alborz Geramifard ICML W orkshop - June 2011

Model Estimation Within Planning and Learning Alborz Geramifard ICML W orkshop - June 2011

Model Estimation Within Planning and Learning Alborz Geramifard ICML W orkshop - June 2011 agf@mit.edu 1 Joint W ork Joshua Redding Joshua Joseph Jonathan How 2 +1 -1 -0.01 20% noise Conservative Aggressive Optimal 3 +1 -1

563 views • 27 slides
Where are you going with those types? Vincent St-Amour, Sam Tobin-Hochstadt, Matthew Flatt,

Where are you going with those types? Vincent St-Amour, Sam Tobin-Hochstadt, Matthew Flatt,

Where are you going with those types? Vincent St-Amour, Sam Tobin-Hochstadt, Matthew Flatt, Matthias Felleisen PLT / Northeastern University Boston, MA, USA PLT / University of Utah Salt Lake City, UT, USA IFL 2010 - September 3rd, 2010

839 views • 70 slides
All City Council Live! Info Academic Update Q&amp;A Raise your hand to be called on! Use the

All City Council Live! Info Academic Update Q&amp;A Raise your hand to be called on! Use the

All City Council Live! Info Academic Update Q&amp;A Raise your hand to be called on! Use the chat box to type in comments or questions While we wait for people to join us, well watch these awesome handwashing dance videos... ACC Live!

320 views • 21 slides

More recommend