
Effective Bug Finding in C Programs with Shape and Effect Abstractions

  • Conference paper
  • Verification, Model Checking, and Abstract Interpretation (VMCAI 2017)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 10145))

Abstract

Software tends to suffer from simple resource mis-manipulation bugs, such as double locks. Code scanners are used extensively to remove such bugs from projects like the Linux kernel, yet these tools are not effective when the manipulation of a resource spans multiple functions. We present a shape-and-effect analysis for C that enables efficient and scalable inter-procedural reasoning about resource manipulation. The analysis builds a program abstraction based on the observable side effects of functions; bugs are found by model checking this abstraction for undesirable sequences of operations. We implement this approach in the Eba tool and evaluate it on a collection of historical double-lock bugs from the Linux kernel. Our results show that Eba is more effective at finding these bugs than similar code-scanning tools. Eba analyzes nine thousand Linux files in less than half an hour and uncovers double-lock bugs in various drivers.
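The core idea of the abstract, that a function is summarised by the lock/unlock side effects it can perform and that the composed summaries are then checked for a forbidden sequence such as lock(r) followed by lock(r) with no unlock(r) in between, is sketched below as an added example written for this page. It is not Eba's code, and Eba's shape-and-effect inference is considerably richer (it infers the lock regions from the C source rather than taking them as given). The analysed "program" is a constructed set of summaries standing in for the hypothetical C functions shown in the comments; the function names, the single region 0 standing for a spinlock field, and the bound on call-depth expansion are all assumptions of the example.

```c
#include <stdio.h>

/* Effects a function may have on an abstract lock region. */
enum kind { LOCK, UNLOCK, CALL };

struct effect {
    enum kind kind;
    int target;   /* region id for LOCK/UNLOCK, callee index for CALL */
};

#define MAX_EFFECTS 8
#define MAX_REGIONS 4
#define MAX_DEPTH   16   /* bound on call-chain expansion, so recursion terminates */

struct summary {
    const char   *name;
    int           n;
    struct effect e[MAX_EFFECTS];
};

/* Constructed program under analysis (an assumption of this example). Each
 * summary stands for the hypothetical C function in the comment; region 0
 * stands for d->lock.
 *   helper(d)  { spin_lock(&d->lock); d->cnt++; spin_unlock(&d->lock); }
 *   release(d) { spin_unlock(&d->lock); }
 *   buggy(d)   { spin_lock(&d->lock); helper(d); spin_unlock(&d->lock); }  -- second lock happens inside helper
 *   safe(d)    { spin_lock(&d->lock); d->cnt++; release(d); }
 *   relock(d)  { spin_lock(&d->lock); release(d); spin_lock(&d->lock); release(d); }
 */
enum { HELPER, RELEASE, BUGGY, SAFE, RELOCK, NFUNCS };

static const struct summary prog[NFUNCS] = {
    [HELPER]  = { "helper",  2, { {LOCK, 0}, {UNLOCK, 0} } },
    [RELEASE] = { "release", 1, { {UNLOCK, 0} } },
    [BUGGY]   = { "buggy",   3, { {LOCK, 0}, {CALL, HELPER}, {UNLOCK, 0} } },
    [SAFE]    = { "safe",    2, { {LOCK, 0}, {CALL, RELEASE} } },
    [RELOCK]  = { "relock",  4, { {LOCK, 0}, {CALL, RELEASE}, {LOCK, 0}, {CALL, RELEASE} } },
};

/* Walk the effect trace of function f, expanding CALL effects with the
 * callee's summary. held[r] is the abstract state "region r is locked";
 * a LOCK on a held region is the forbidden lock(r);lock(r) sequence.
 * Returns the number of double-lock reports. */
static int walk(int entry, int f, int held[MAX_REGIONS], int depth)
{
    int bugs = 0;
    if (depth > MAX_DEPTH)
        return 0;
    for (int i = 0; i < prog[f].n; i++) {
        const struct effect *e = &prog[f].e[i];
        switch (e->kind) {
        case LOCK:
            if (held[e->target]) {
                printf("%s: double lock of region %d (second lock in %s)\n",
                       prog[entry].name, e->target, prog[f].name);
                bugs++;
            }
            held[e->target] = 1;
            break;
        case UNLOCK:
            held[e->target] = 0;
            break;
        case CALL:
            bugs += walk(entry, e->target, held, depth + 1);
            break;
        }
    }
    return bugs;
}

/* Check one entry point starting from the all-unlocked state. */
int check_function(int f)
{
    int held[MAX_REGIONS] = {0};
    return walk(f, f, held, 0);
}

int main(void)
{
    for (int f = 0; f < NFUNCS; f++)
        printf("%-8s -> %d double-lock report(s)\n", prog[f].name, check_function(f));
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; only `buggy` is reported, because the second lock is reached only by following the call into `helper`, which is exactly the case an intra-procedural scanner misses. The toy is deliberately incomplete: it ignores branches and aliasing, it assumes the lock regions are already known, and it re-expands callees at every call site rather than reusing a precomputed effect signature per function, which is what makes the real analysis scale.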


Notes

  1. See https://github.com/torvalds/linux/commit/hash with hash replaced by the identifier.
  2. http://smatch.sf.net.
  3. http://www.iagoabal.eu/eba/.
  4. http://dl.iagoabal.eu/eba/cil.pdf.
  5. We use overline to denote tuples.
  6. https://github.com/iagoabal/eba/.
  7. At scripts/coccinelle/locks/double_lock.cocci.
  8. https://github.com/iagoabal/2017-vmcai.
  9. Extracted from the Linux kernel’s Git repository as of August 3, 2016.
  10. Bug e50525b was independently found and fixed during beta testing, but that bug-fix was unknown to us.


Author information

Correspondence to Iago Abal.


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Abal, I., Brabrand, C., Wąsowski, A. (2017). Effective Bug Finding in C Programs with Shape and Effect Abstractions. In: Bouajjani, A., Monniaux, D. (eds) Verification, Model Checking, and Abstract Interpretation. VMCAI 2017. Lecture Notes in Computer Science, vol 10145. Springer, Cham. https://doi.org/10.1007/978-3-319-52234-0_3

  • DOI: https://doi.org/10.1007/978-3-319-52234-0_3
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-52233-3
  • Online ISBN: 978-3-319-52234-0
