Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Abstract Interpretation meets model
checking near the 1000000 LOC
mark
- Finding errors in the Linux Kernel
Source
Peter T...
Goal
•
Apply
Formal Methods
to the
Linux kernel
•
Methods must be
➢ post-hoc
➢ capable of application by non-experts
➢ abl...
Analysis Example -Sleep under
Spinlock Hunt (SluSH)
Output from SluSH run
What is sleep under spinlock?
• Sleep = thread scheduled out of CPU
• Spinlock = busy wait for lock release
• Two CPUs
+ t...
Example of bad code
• snd_sb_csp_load() in sb16_csp.c
Another piece of guilty code
• Kernel 2.6.12 sound/oss/sequencer.c midi_outc()
Cox owns up
Output summarises liklihoods
Other classes of problems detected
• Access (read/write) to kfreed memory
• Overflow 4096B of stack
• Spinlock under spinl...
Example of kfree/access
• drivers/scsi/aix7xxx_old.c in kernel 2.6.3
Basic technique
The abstract view
Components of analysis system
• Description of statements as logic transformers
– p .... p[n-1/n]
• Trigger/action system ...
Statement Logic - NRB
• Single code statement
– maintains condition P normally
– empty statement cannot return (F)
– empty...
Sequence logic -NRB
• normal exit: traverse A then B
• return exit: return from A
OR traverse A then return from B
• break...
Loop logic -NRB
• break from body is only normal exit from while(1)
• relax p until it
is invariant
Conditional logic -NRB
Programmable trigger/action engine
• Three rules handle propagation of call graph and
other housekeeping.
– a sleep call w...
Using the analyser
• Call with the same arguments as given to the gcc
compiler
Limitations
• Predicates are restricted to unions of n-cubes
• State is not followed well enough:
– x = 1; if (x) A else B...
Implication of predicates is decidable
• Basic evaluation is C  U Ci
of cubes
– i.e. U Ci
covers C
Summary
• A step towards analyses of 100MLoC.
– No expertise needed
– Fast
– Copes with massive amounts of code
– Soundly ...
Upcoming SlideShare
Loading in …5
×

Abstract Interpretation meets model checking near the 1000000 LOC mark: Finding errors in the Linux Kernel Source (AVIS '06)

Slides for presentation on "Abstract Interpretation meets model checking near the 1000000 LOC mark" at 5th International Workshop on Automated Verification of Infinite-State Systems (AVIS'06), Apr 1, 2006. A preprint of the full paper is available at http://www.academia.edu/2494187/Abstract_Interpretation_meets_Model_Checking_near_the_10_6_LOC_mark .

  • Login to see the comments

  • Be the first to like this

Abstract Interpretation meets model checking near the 1000000 LOC mark: Finding errors in the Linux Kernel Source (AVIS '06)

  1. 1. Abstract Interpretation meets model checking near the 1000000 LOC mark - Finding errors in the Linux Kernel Source Peter T. Breuer & Simon Pickin Universidad Carlos III de Madrid
  2. 2. Goal • Apply Formal Methods to the Linux kernel • Methods must be ➢ post-hoc ➢ capable of application by non-experts ➢ able to handle 6.5 millions of lines of rapidly changing C code
  3. 3. Analysis Example -Sleep under Spinlock Hunt (SluSH)
  4. 4. Output from SluSH run
  5. 5. What is sleep under spinlock? • Sleep = thread scheduled out of CPU • Spinlock = busy wait for lock release • Two CPUs + two threads waiting on spinlocks = one dead machine
  6. 6. Example of bad code • snd_sb_csp_load() in sb16_csp.c
  7. 7. Another piece of guilty code • Kernel 2.6.12 sound/oss/sequencer.c midi_outc()
  8. 8. Cox owns up
  9. 9. Output summarises liklihoods
  10. 10. Other classes of problems detected • Access (read/write) to kfreed memory • Overflow 4096B of stack • Spinlock under spinlock • Call to function that expects non-NULL parameters with possibly NULL argument • ... – Logic is configured, so new tests can be invented
  11. 11. Example of kfree/access • drivers/scsi/aix7xxx_old.c in kernel 2.6.3
  12. 12. Basic technique
  13. 13. The abstract view
  14. 14. Components of analysis system • Description of statements as logic transformers – p .... p[n-1/n] • Trigger/action system for raising alarms! • Combining logic NRB • Guiding abstract interpretation s to state x x ∈s ∩ p stops dead code evaluation, etc.
  15. 15. Statement Logic - NRB • Single code statement – maintains condition P normally – empty statement cannot return (F) – empty statement cannot break (F)
  16. 16. Sequence logic -NRB • normal exit: traverse A then B • return exit: return from A OR traverse A then return from B • break exit: break from A OR traverse A then break from B
  17. 17. Loop logic -NRB • break from body is only normal exit from while(1) • relax p until it is invariant
  18. 18. Conditional logic -NRB
  19. 19. Programmable trigger/action engine • Three rules handle propagation of call graph and other housekeeping. – a sleep call while the objective function is positive causes output:
  20. 20. Using the analyser • Call with the same arguments as given to the gcc compiler
  21. 21. Limitations • Predicates are restricted to unions of n-cubes • State is not followed well enough: – x = 1; if (x) A else B; ● treated correctly - only A is evaluated – if (x) A else B; if (x) C else D; ● over-abstracted - A;C | A;D | B;C | B;D – possible solution is to push state into the predicates ((x!=0);A | (x==0);B) ; ((x!=0);C | (x==0);D) ● but we can't follow calculation well - quickly get to 
  22. 22. Implication of predicates is decidable • Basic evaluation is C  U Ci of cubes – i.e. U Ci covers C
  23. 23. Summary • A step towards analyses of 100MLoC. – No expertise needed – Fast – Copes with massive amounts of code – Soundly based • Negatives – Not good tracking program state; model checking? – Not yet easy to extend to new problem classes

×