Abstract
Software tends to suffer from simple resource mis-manipulation bugs, such as double-locks. Code scanners are used extensively to remove these bugs from projects like the Linux kernel. Yet, these tools are not effective when the manipulation of resources spans multiple functions. We present a shape-and-effect analysis for C that enables efficient and scalable inter-procedural reasoning about resource manipulation. This analysis builds a program abstraction based on the observable side-effects of functions. Bugs are found by model checking this abstraction, matching undesirable sequences of operations. We implement this approach in the Eba tool, and evaluate it on a collection of historical double-lock bugs from the Linux kernel. Our results show that our tool is more effective at finding bugs than similar code-scanning tools. Eba analyzes nine thousand Linux files in less than half an hour, and uncovers double-lock bugs in various drivers.
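The following toy check is an added illustration of the idea in the abstract, not Eba's implementation or the paper's algorithm: each function is abstracted to the sequence of lock/unlock side-effects it performs, callee summaries are inlined at call sites, and the resulting trace is matched against the undesirable pattern "lock a region that is already held". The driver-like program, the region name `dev->lock` and the function names are constructed for the example.

```python
"""Toy inter-procedural double-lock check based on per-function effect summaries.

Illustrative only (not Eba's algorithm): functions are abstracted to the
lock/unlock effects they perform on abstract lock regions, with calls
expanded to the callee's summary. Recursion and unknown callees yield no effects.
"""
from typing import Dict, List, Tuple

# A statement is ("lock", region), ("unlock", region) or ("call", fname).
Stmt = Tuple[str, str]
Program = Dict[str, List[Stmt]]

def effects(prog: Program, fname: str, stack: Tuple[str, ...] = ()) -> List[Stmt]:
    """Effect summary of fname: its own lock/unlock ops with callee summaries inlined."""
    if fname in stack or fname not in prog:   # recursion or external function: no effects
        return []
    out: List[Stmt] = []
    for op, arg in prog[fname]:
        if op == "call":
            out.extend(effects(prog, arg, stack + (fname,)))
        else:
            out.append((op, arg))
    return out

def double_locks(trace: List[Stmt]) -> List[str]:
    """Regions locked again while already held along this straight-line trace."""
    held, bugs = set(), []
    for op, region in trace:
        if op == "lock":
            if region in held:
                bugs.append(region)
            held.add(region)
        elif op == "unlock":
            held.discard(region)
    return bugs

def check(prog: Program, fname: str, interprocedural: bool = True) -> List[str]:
    """Intra-procedural mode ignores calls, which is what makes scanners miss the bug."""
    if interprocedural:
        trace = effects(prog, fname)
    else:
        trace = [s for s in prog[fname] if s[0] != "call"]
    return double_locks(trace)

# Constructed example modelled on a common driver pattern: the helper takes
# the same lock its caller already holds (hypothetical names).
DRIVER: Program = {
    "probe":     [("lock", "dev->lock"), ("call", "reset_hw"), ("unlock", "dev->lock")],
    "reset_hw":  [("lock", "dev->lock"), ("call", "write_reg"), ("unlock", "dev->lock")],
    "write_reg": [],  # leaf with no lock effects
}

if __name__ == "__main__":
    print("intra-procedural:", check(DRIVER, "probe", interprocedural=False))  # []
    print("inter-procedural:", check(DRIVER, "probe"))                          # ['dev->lock']
```

Run per function: `probe` is only flagged once `reset_hw`'s summary is inlined, whereas checking each function in isolation reports nothing.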
Notes
- 1. See https://github.com/torvalds/linux/commit/hash with hash replaced by the identifier.
- 5. We use overline to denote tuples.
- 7. At scripts/coccinelle/locks/double_lock.cocci.
- 9. Extracted from the Linux kernel’s Git repository as of August 3, 2016.
- 10. Bug e50525b was independently found and fixed during beta testing, but that bug-fix was unknown to us.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Abal, I., Brabrand, C., Wąsowski, A. (2017). Effective Bug Finding in C Programs with Shape and Effect Abstractions. In: Bouajjani, A., Monniaux, D. (eds) Verification, Model Checking, and Abstract Interpretation. VMCAI 2017. Lecture Notes in Computer Science, vol 10145. Springer, Cham. https://doi.org/10.1007/978-3-319-52234-0_3
DOI: https://doi.org/10.1007/978-3-319-52234-0_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-52233-3
Online ISBN: 978-3-319-52234-0
eBook Packages: Computer Science, Computer Science (R0)