Static program analysis plays an essential role in program optimization, bug detection, and debugging. However, reliance on compilation and limited customization hinder its adoption in the real world. This paper presents a compositional neuro-symbolic approach named NESA that facilitates compilation-free and customizable static program analysis using large language models (LLMs) with mitigated hallucinations. Specifically, we propose an analysis policy language, a restricted form of Datalog, to support users decomposing a static program analysis problem into several sub-problems that target simpler syntactic or semantic properties upon smaller code snippets. The problem decomposition enables the LLMs to target more manageable semantic-related sub-problems with reduced hallucinations, while the syntactic ones are resolved by parsing-based analysis without hallucinations. An analysis policy then is evaluated with lazy and incremental prompting, which significantly mitigates the hallucinations and improves the performance. We evaluate NESA for program slicing and bug detection upon benchmark and real-world programs. Evaluation results show that while NESA supports compilation-free and customizable analysis, it can still achieve comparable and even better performance than existing techniques. In a customized taint vulnerability detection upon TaintBench, for example, NESA achieves a precision of 66.27%, a recall of 78.57%, and an F1 score of 0.72, surpassing an industrial approach by 0.20 in F1 score. NESA also detects 13 real-world memory leak bugs, which have been fixed by developers.

翻译：静态程序分析在程序优化、缺陷检测和调试中起着至关重要的作用。然而，对编译的依赖和有限的可定制性阻碍了其在实际场景中的广泛应用。本文提出一种名为NESA的组合式神经符号方法，利用大型语言模型（LLMs）实现无需编译且可定制的静态程序分析，并有效缓解幻觉问题。具体而言，我们提出一种分析策略语言（即受限形式的Datalog），支持用户将静态程序分析问题分解为若干子问题，这些子问题针对较小代码片段上的简单语法或语义属性。问题分解使LLMs能够专注于更易处理的语义相关子问题，从而减少幻觉，而语法相关子问题则通过基于解析的分析无幻觉地解决。分析策略随后通过惰性渐进式提示进行评估，显著缓解幻觉并提升性能。我们在基准程序和真实程序上评估了NESA在程序切片和缺陷检测中的表现。评估结果表明，尽管NESA支持无需编译和可定制的分析，其性能仍可与现有技术相媲美甚至更优。例如，在TaintBench上的定制化污点漏洞检测中，NESA实现了66.27%的精确率、78.57%的召回率和0.72的F1分数，在F1分数上比工业方法高出0.20。此外，NESA还检测出13个已被开发者修复的真实内存泄漏缺陷。