Learning Type Inference for Enhanced Dataflow Analysis

TL;DR

This paper introduces CodeTIDAL5, a Transformer-based model for type inference in dynamically-typed languages, improving accuracy and integration with static analysis tools to enhance code analysis and security research.

Contribution

We develop a novel Transformer-based model, CodeTIDAL5, that outperforms existing neural type inference systems and integrate it into Joern for practical static analysis applications.

Findings

CodeTIDAL5 achieves 71.27% accuracy on ManyTypes4TypeScript benchmark.

The model outperforms state-of-the-art by 7.85%.

Integration into Joern improves static analysis results.

Abstract

Statically analyzing dynamically-typed code is a challenging endeavor, as even seemingly trivial tasks such as determining the targets of procedure calls are non-trivial without knowing the types of objects at compile time. Addressing this challenge, gradual typing is increasingly added to dynamically-typed languages, a prominent example being TypeScript that introduces static typing to JavaScript. Gradual typing improves the developer's ability to verify program behavior, contributing to robust, secure and debuggable programs. In practice, however, users only sparsely annotate types directly. At the same time, conventional type inference faces performance-related challenges as program size grows. Statistical techniques based on machine learning offer faster inference, but although recent approaches demonstrate overall improved accuracy, they still perform significantly worse on user-defined types than on the most common built-in types. Limiting their real-world usefulness even more, they rarely integrate with user-facing applications. We propose CodeTIDAL5, a Transformer-based model trained to reliably predict type annotations. For effective result retrieval and re-integration, we extract usage slices from a program's code property graph. Comparing our approach against recent neural type inference systems, our model outperforms the current state-of-the-art by 7.85% on the ManyTypes4TypeScript benchmark, achieving 71.27% accuracy overall. Furthermore, we present JoernTI, an integration of our approach into Joern, an open source static analysis tool, and demonstrate that the analysis benefits from the additional type information. As our model allows for fast inference times even on commodity CPUs, making our system available through Joern leads to high accessibility and facilitates security research.