Automated program analysis is responsible for a majority of vulnerability discoveries in modern programming languages, but program analysis tools are usually run on only a handful of projects. Authors must manually approach developers with a few high signal results which at best lead to changes in a smaller number of programs. Once research has been published, the tools are rarely run again by anyone, authors included. Even when a few use the work again, industry rarely benefits from these tools and research. We can all do better. We introduce r2c, a platform for ecosystem-wide program analysis. r2c allows authors to test program analysis against entire ecosystems of code, such as npm, getting results on hundreds of thousands of projects per hour. r2c includes tools to triage and filter results, label data sets, and reuse the labeled data and results from other program analysis projects. r2c is currently in use by more than 50 researchers at 8 universities and growing quickly. We present a case study of the kind of work made uniquely possible by r2c and how the results of such program analysis can be integrated with community developer tools, helping program analysis tools to live beyond the paper and to change the way we write software. This talk will include a live demonstration of the r2c platform, measuring program features across millions of commits in the span of the talk.
Before joining r2c to lead program analysis, Cam worked on compilers and build systems at Microsoft, Facebook, and Instagram. Prior to that, he left PL research at MIT for the siren song of silicon valley. In his spare time, he maintains a motley crew of wheeled vehicles in advanced stages of decomposition and lives with his elderly cat.