In Defense of Unsoundness Ben Livshits, Manu Sridharan, Yannis Smaragdakis, and Ondřej Lhoták.


April 14 – 19, 2013, Dagstuhl Seminar Pointer Analysis

Are Static Analysis (papers) Sound?
Sound: capture all program behavior.
Must analysis results hold during program execution? Of course not!
Virtually all recent whole-program analyses for realistic languages are unsound.

Unsoundness is Everywhere!
Omit conservative handling for common language features.
Unsoundness lurks in the shadows: caveats are only mentioned off-hand in an “implementation” or “evaluation” section.

Nasty Language Features
A typical (published) whole-program analysis extols its scalability virtues and only briefly mentions its soundness caveats.
Java: reflection and JNI
JavaScript: eval and dynamically computed properties
C/C++: assumptions about memory regions and pointer arithmetic

Can These Language Features be Ignored?
Most of the time the answer is no.
These language features are nearly ubiquitous in practice.
"Assuming the features away" excludes the majority of input programs.
For example, very few JavaScript programs larger than a certain size omit at least occasional calls to eval.

Could all these Features be Modeled Soundly?
In principle, yes.
In practice, it destroys the precision of the analysis: the model must be highly over-approximate.
A huge, imprecise result is useless.
Imprecision destroys scalability.

Soundness is not Even Necessary!
Many clients can tolerate unsoundness:
IDEs (auto-complete systems, code navigation)
General-purpose bug detectors
Automated refactoring tools
Even hints for runtime optimization

Should We Even Try?
Soundness is extremely hard to achieve for a whole-program analysis in a realistic, modern language, due to programming language features that are very hard or even impossible to analyze precisely.
Even if it is achieved, the precision is likely to be destroyed.
What is a reasonable middle ground?

Soundiness
Sound modulo inevitable unsoundness.
“Best-effort soundness.”
“Sound except for the things we all know about.”

Middle Ground: Soundiness
We draw a distinction between a soundy analysis, which aims to capture all dynamic behaviors within reason, and an unsound analysis that deliberately ignores certain behaviors.
We argue that soundiness is a good line in the sand to draw in order to avoid abuse of the observation that "everyone's analysis is unsound."

Moving Forward
Soundy is the new sound, de facto, given the research literature of the past decades.
Papers on unsound analyses should explain the implications of their unsoundness.
For nasty features, more studies should be published to characterize how extensively they are used in typical programs.
As a community, we should provide guidelines on how to write unsound analysis papers.
The PL research community should embrace unsound analysis techniques and tune its soundness expectations.
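As an added illustration of the "Nasty Language Features" and "Moving Forward" slides (example code written for this page, not part of the talk), the following toy call-graph analysis is soundy in the sense the slides describe: it resolves direct calls to statically named functions, and instead of silently dropping eval, getattr and other dynamic call sites, it records each one as an explicit soundness caveat. The sample program and the DYNAMIC feature set are constructed for the example.

```python
import ast
from dataclasses import dataclass, field

# Constructed sample program: one ordinary call plus several "nasty"
# dynamic features that a sound analysis would have to over-approximate.
SAMPLE = """
def helper():
    return 1

def main(cfg):
    helper()                                  # resolvable statically
    eval(cfg["expr"])                         # arbitrary code: unsound to ignore
    fn = getattr(cfg["obj"], cfg["name"])     # computed property lookup
    fn()                                      # call through a variable
    cfg["cb"]()                               # call through a data structure
"""

# Builtins whose behaviour a static call-graph cannot capture precisely.
DYNAMIC = {"eval", "exec", "getattr", "__import__", "compile"}

@dataclass
class SoundyCallGraph:
    edges: set = field(default_factory=set)      # (caller, callee) resolved edges
    caveats: list = field(default_factory=list)  # (caller, line, reason) unsound spots

def analyze(src: str) -> SoundyCallGraph:
    """Build direct-call edges and record every call the analysis cannot resolve."""
    tree = ast.parse(src)
    funcs = [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]
    defined = {f.name for f in funcs}
    cg = SoundyCallGraph()
    for fn in funcs:
        for node in ast.walk(fn):
            if not isinstance(node, ast.Call):
                continue
            target = node.func
            if isinstance(target, ast.Name) and target.id in defined:
                cg.edges.add((fn.name, target.id))
            elif isinstance(target, ast.Name) and target.id in DYNAMIC:
                cg.caveats.append((fn.name, node.lineno, f"dynamic feature {target.id}"))
            else:
                cg.caveats.append((fn.name, node.lineno, "unresolved call target"))
    return cg

def is_sound_for(cg: SoundyCallGraph) -> bool:
    """True only when no caveat was recorded, i.e. the graph is sound for this input."""
    return not cg.caveats

def report(cg: SoundyCallGraph) -> str:
    """Human-readable summary listing the caveats a paper should disclose."""
    lines = [f"{c} -> {d}" for c, d in sorted(cg.edges)]
    lines += [f"caveat in {f} (line {ln}): {why}" for f, ln, why in cg.caveats]
    return "\n".join(lines)
```

Running `report(analyze(SAMPLE))` yields one resolved edge and four caveats, which is exactly the list of unsoundness sources an analysis paper should state up front.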