Abstract Interpretation meets model checking near the 1000000 LOC mark: Finding errors in the Linux Kernel
Peter T. Breuer & Simon Pickin, Universidad Carlos III de Madrid
Goal
• Apply Formal Methods to the Linux kernel
• Methods must be
➢ post-hoc
➢ capable of application by non-experts
➢ able to handle 6.5 million lines of rapidly changing C code
Analysis Example: Sleep under Spinlock Hunt (SluSH)
Output from SluSH run
What is sleep under spinlock?
• Sleep = thread scheduled out of CPU
• Spinlock = busy wait for lock release
• Two CPUs + two threads waiting on spinlocks = one dead machine
Example of bad code
• snd_sb_csp_load() in sb16_csp.c
Another piece of guilty code
• Kernel 2.6.12 sound/oss/sequencer.c midi_outc()
Cox owns up
Output summarises likelihoods
Other classes of problems detected
• Access (read/write) to kfreed memory
• Overflow of the 4096B kernel stack
• Spinlock under spinlock
• Call to a function that expects non-NULL parameters with a possibly NULL argument
• ...
– Logic is configured, so new tests can be invented
Example of kfree/access
• drivers/scsi/aic7xxx_old.c in kernel 2.6.3
Basic technique
The abstract view
Components of analysis system
• Description of statements as logic transformers
– p ... p[n-1/n]
• Trigger/action system for raising alarms!
• Combining logic NRB
• Guiding abstract interpretation: from state s, follow only states x with x ∈ s ∩ p
– stops dead code evaluation, etc.
Statement Logic - NRB
• Single code statement
– maintains condition P normally
– empty statement cannot return (F)
– empty statement cannot break (F)
Sequence logic - NRB
• normal exit: traverse A then B
• return exit: return from A OR traverse A then return from B
• break exit: break from A OR traverse A then break from B
Loop logic - NRB
• break from body is the only normal exit from while(1)
• relax p until it is invariant
Conditional logic - NRB
Programmable trigger/action engine
• Three rules handle propagation of call graph and other housekeeping.
– a sleep call while the objective function is positive causes output:
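An added illustration of the NRB combining logic (statement, sequence, loop and conditional rules on the preceding slides) together with the trigger/action engine: a toy abstract interpreter whose state is the set of possible spinlock nesting depths, standing in for the slides' objective function. This is example code written for this page, not the authors' SluSH analyser or any of its source; the tuple encoding of statements, the list of sleeping functions, the widening bound and the two sample programs are assumptions of the example, and the samples are constructed rather than taken from the kernel files named above.

```python
"""Toy NRB (normal / return / break) abstract interpreter with trigger rules.

Statement encoding (an assumption of this example, not the authors' format):
  ("call", name)          function call: spin_lock, spin_unlock, msleep, ...
  ("seq", [stmts])        A; B; ...
  ("if", [then], [else])  condition abstracted away: both arms are evaluated
  ("loop", [body])        while (1) { body }: a break is the only normal exit
  ("break",) / ("return",)
Abstract state = set of possible spinlock nesting depths (the objective function).
"""
from typing import Callable, FrozenSet, List, NamedTuple, Tuple

State = FrozenSet[int]
EMPTY: State = frozenset()
MAX_DEPTH = 8  # widening bound, so every loop reaches a fixed point

# Assumed configuration: calls that may schedule the thread out of the CPU.
SLEEPERS = {"msleep", "schedule", "interruptible_sleep_on", "mutex_lock"}


class Exits(NamedTuple):
    normal: State  # N: states on falling off the end of the statement
    ret: State     # R: states at a return inside it
    brk: State     # B: states at a break inside it


# Programmable trigger rules: (alarm text, predicate over callee and state).
# Appending a tuple here is how a new problem class is "invented".
Rule = Tuple[str, Callable[[str, State], bool]]
RULES: List[Rule] = [
    ("sleep under spinlock",
     lambda callee, s: callee in SLEEPERS and any(d > 0 for d in s)),
    ("spinlock under spinlock",
     lambda callee, s: callee == "spin_lock" and any(d > 0 for d in s)),
]


def transform_call(callee: str, s: State) -> State:
    """A single call statement as a logic transformer on the depth set."""
    if callee == "spin_lock":
        return frozenset(min(d + 1, MAX_DEPTH) for d in s)
    if callee == "spin_unlock":
        return frozenset(max(d - 1, 0) for d in s)
    return s  # any other call leaves the lock depth alone


def analyse(stmt, s: State, alarms: list) -> Exits:
    kind = stmt[0]
    if kind == "call":
        callee = stmt[1]
        for text, pred in RULES:         # trigger/action: fire on this state
            if pred(callee, s):
                alarms.append((text, callee, sorted(s)))
        return Exits(transform_call(callee, s), EMPTY, EMPTY)
    if kind == "return":                 # cannot exit normally or break
        return Exits(EMPTY, s, EMPTY)
    if kind == "break":
        return Exits(EMPTY, EMPTY, s)
    if kind == "seq":                    # normal: A then B; return/break: from A OR from B
        n, r, b = s, EMPTY, EMPTY
        for sub in stmt[1]:
            e = analyse(sub, n, alarms)  # an empty n is dead code: no rule can fire
            n, r, b = e.normal, r | e.ret, b | e.brk
        return Exits(n, r, b)
    if kind == "if":                     # both arms start from the same state
        t = analyse(("seq", stmt[1]), s, alarms)
        f = analyse(("seq", stmt[2]), s, alarms)
        return Exits(t.normal | f.normal, t.ret | f.ret, t.brk | f.brk)
    if kind == "loop":                   # relax p until it is invariant for the body
        inv = s
        while True:
            e = analyse(("seq", stmt[1]), inv, [])  # scratch pass, alarms dropped
            if inv | e.normal == inv:
                break
            inv = inv | e.normal
        e = analyse(("seq", stmt[1]), inv, alarms)  # report once, at the fixed point
        return Exits(e.brk, e.ret, EMPTY)           # break is the only normal exit
    raise ValueError(f"unknown statement kind {kind!r}")


def check_function(body: list, entry: State = frozenset({0})):
    """Analyse a function body from the entry state; return (alarms, exits)."""
    alarms: list = []
    return alarms, analyse(("seq", body), entry, alarms)


# Constructed sample (not the kernel's own code) of the pattern SluSH hunts:
#   spin_lock(&q->lock);
#   while (1) { if (room) break; interruptible_sleep_on(&q->wait); }
#   spin_unlock(&q->lock);
BAD = [
    ("call", "spin_lock"),
    ("loop", [("if", [("break",)], []), ("call", "interruptible_sleep_on")]),
    ("call", "spin_unlock"),
]
# The usual repair: release the lock around the sleep and re-take it after.
FIXED = [
    ("call", "spin_lock"),
    ("loop", [("if", [("break",)], []), ("call", "spin_unlock"),
              ("call", "interruptible_sleep_on"), ("call", "spin_lock")]),
    ("call", "spin_unlock"),
]

if __name__ == "__main__":
    for name, body in (("BAD", BAD), ("FIXED", FIXED)):
        found, exits = check_function(body)
        print(name, "alarms:", found, "exit depths:", sorted(exits.normal))
```

The alarm for BAD is raised from the loop's fixed point, so the reported state set is the invariant the slides call "relaxed p"; a statement that is only reachable after a return sees the empty set and never fires, which is the "stops dead code evaluation" behaviour of the guided interpretation.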
Using the analyser
• Call with the same arguments as given to the gcc compiler
Limitations
• Predicates are restricted to unions of n-cubes
• State is not followed well enough:
– x = 1; if (x) A else B;
● treated correctly - only A is evaluated
– if (x) A else B; if (x) C else D;
● over-abstracted - A;C | A;D | B;C | B;D
– possible solution is to push state into the predicates: ((x!=0);A | (x==0);B) ; ((x!=0);C | (x==0);D)
● but we can't follow calculation well - quickly get to
Implication of predicates is decidable
• Basic evaluation is C ⊆ ∪ Ci of cubes
– i.e. ∪ Ci covers C
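An added worked example, not the authors' code, of the decision procedure the two slides above rely on: predicates are unions of n-cubes, and P ⇒ Q is decided by checking, for each cube C of P, that C ⊆ ∪ Ci over the cubes Ci of Q. Cubes are encoded here as one closed integer interval per dimension (an assumption of this example; the authors' representation is not given on the page), and the sample predicates in the usage are constructed.

```python
"""Decide implication between predicates given as unions of n-cubes.

A cube is a tuple of closed integer intervals, one per dimension, so
((0, 3), (0, 7)) is 0 <= x <= 3 and 0 <= y <= 7 (example encoding).
"""
from typing import List, Optional, Tuple

Cube = Tuple[Tuple[int, int], ...]


def intersect(a: Cube, b: Cube) -> Optional[Cube]:
    """Intersection of two cubes, or None when they are disjoint."""
    out = []
    for (alo, ahi), (blo, bhi) in zip(a, b):
        lo, hi = max(alo, blo), min(ahi, bhi)
        if lo > hi:
            return None
        out.append((lo, hi))
    return tuple(out)


def subtract(c: Cube, d: Cube) -> List[Cube]:
    """Cubes whose disjoint union is c minus d; d must intersect c.

    Dimension by dimension, slice off the slab of c below d and the slab
    above d, then narrow c to d's range in that dimension and continue.
    """
    pieces: List[Cube] = []
    rest = list(c)
    for i, ((clo, chi), (dlo, dhi)) in enumerate(zip(c, d)):
        if clo < dlo:                              # slab below d in dimension i
            piece = list(rest)
            piece[i] = (clo, dlo - 1)
            pieces.append(tuple(piece))
        if dhi < chi:                              # slab above d in dimension i
            piece = list(rest)
            piece[i] = (dhi + 1, chi)
            pieces.append(tuple(piece))
        rest[i] = (max(clo, dlo), min(chi, dhi))   # keep only the overlap
    return pieces


def covers(cubes: List[Cube], c: Cube) -> bool:
    """Decide C ⊆ ∪ Ci: peel off the first Ci meeting C, recurse on the rest."""
    for i, d in enumerate(cubes):
        if intersect(c, d) is not None:
            # cubes before i miss C, and d misses C \ d, so only later ones matter
            return all(covers(cubes[i + 1:], piece) for piece in subtract(c, d))
    return False  # a non-empty remainder that no cube meets


def implies(p: List[Cube], q: List[Cube]) -> bool:
    """P ⇒ Q for P = ∪ p and Q = ∪ q: every cube of P is covered by Q."""
    return all(covers(q, c) for c in p)


if __name__ == "__main__":
    # Constructed 2-D predicates over (x, y): Q tiles the square [0,7]x[0,7]
    # with three cubes; dropping the last one leaves the corner [4,7]x[4,7] open.
    Q = [((0, 3), (0, 7)), ((4, 7), (0, 3)), ((4, 7), (4, 7))]
    square = [((0, 7), (0, 7))]
    print("square => Q:", implies(square, Q))           # True
    print("square => Q[:2]:", implies(square, Q[:2]))   # False
```

Termination follows from the slab decomposition: every recursive call works on a strictly smaller list of candidate cubes, and each `subtract` produces at most 2n pieces, so the check is finite for any n, which is the sense in which the slide calls implication decidable.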
Summary
• A step towards analyses of 100MLoC
– No expertise needed
– Fast
– Copes with massive amounts of code
– Soundly based
• Negatives
– Not good at tracking program state; model checking?
– Not yet easy to extend to new problem classes