Checking for Deadlock, Double Free, and Other Abuses in the Linux Kernel Source Code Tree (CSSSE '06)
Page 1
Checking for Deadlock, Double Free, and Other Abuses in the Linux Kernel
Source Code Tree
Peter T. Breuer & Simon Pickin, Universidad Carlos III de Madrid
Page 2
Goal
• Apply mathematical methods to the source code of the Linux kernel
• Must be
– post-hoc
– capable of application by non-experts
– able to handle 6.5 million lines of rapidly changing C
Page 3
Analysis Example - Sleep under Spinlock Hunt (SluSH)
Page 4
Output from SluSH run
Page 5
What is sleep under spinlock?
• Sleep - thread scheduled out of CPU
• Spinlock - busy wait for lock release
• 2 + 2 = 1: 2 CPUs + 2 threads busy waiting = 1 dead machine
Page 6
Example of bad code
• snd_sb_csp_load() in sb16_csp.c
Page 7
Another piece of guilty code
• Kernel 2.6.12 sound/oss/sequencer.c midi_outc()
Page 8
Cox owns up
Page 9
Output summarises likelihoods
Page 10
Other classes of problems detected
• Access (read/write) to kfreed memory
• Overflow of 4096B stack
• Spinlock under spinlock
• Call to function that expects non-NULL parameters with possibly NULL argument
• ...
– Logic is configured, so new tests can be invented
Page 11
Example of kfree/access
• drivers/scsi/aic7xxx_old.c in kernel 2.6.3
Page 12
Basic technique
Page 13
The abstract view
Page 14
Symbolic Approximation
• Description of statements as logic transformers
– p {x=x+1} p[x-1/x]
• Approximation of programs in this domain
– More approximate, weaker logic relation
• Perspectives of single symbolic approximation
– Trigger/action system for raising alarms!
• Compositional logic NRBG
– Adjusting logic adjusts approximation
Page 15
Statement Logic - NRB
• Single code statement
– maintains condition P normally
– empty statement cannot return (F)
– empty statement cannot break (F)
Page 16
Sequence logic - NRB
• normal exit: traverse A then B
• return exit: return from A OR traverse A then return from B
• break exit: break from A OR traverse A then break from B
Page 17
Loop logic - NRB
• break from body is only normal exit from while(1)
• relax p until it is invariant
Page 18
Programmable trigger/action engine
• Three rules handle propagation of call graph and other housekeeping.
– a sleep call while the objective function is positive causes output:
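As an added example (not the authors' analyser, and not kernel code), the following Python sketch implements the NRB statement, sequence and loop rules from the preceding slides over a tiny statement tree and wires them to a configurable trigger list, so that a sleep call reached while the spinlock depth (the objective function) may be positive raises an alarm; a second rule catches spinlock under spinlock, showing how a new test is added by configuring the logic rather than the engine. The statement encoding, the set-of-depths abstraction, the sample program and the MAX_DEPTH clamp are assumptions of this illustration.

```python
"""Toy NRB-style analyser with a programmable trigger/action list.
Added example, not the authors' tool: the statement encoding, the abstraction
(set of possible spinlock nesting depths) and MAX_DEPTH are assumptions."""

from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Tuple

Pred = FrozenSet[int]       # abstract predicate: possible spinlock nesting depths
EMPTY: Pred = frozenset()   # "F": this exit cannot happen
MAX_DEPTH = 3               # widening: deeper nesting collapses here, keeping loop fixed points finite

# Statement encoding (assumed for this example):
#   ("lock",) ("unlock",) ("sleep", name) ("call", name) ("break",) ("return",)
#   ("seq", [stmts]) ("if", [then_stmts], [else_stmts]) ("while1", [body_stmts])
Stmt = tuple

@dataclass
class Alarm:
    rule: str
    stmt: Stmt
    state: Pred

# A trigger is (rule name, predicate over (statement, incoming state)).
Trigger = Tuple[str, Callable[[Stmt, Pred], bool]]

DEFAULT_TRIGGERS: List[Trigger] = [
    ("sleep under spinlock",    lambda s, p: s[0] == "sleep" and any(d > 0 for d in p)),
    ("spinlock under spinlock", lambda s, p: s[0] == "lock" and any(d > 0 for d in p)),
]

@dataclass
class Analyser:
    triggers: List[Trigger] = field(default_factory=lambda: list(DEFAULT_TRIGGERS))
    alarms: List[Alarm] = field(default_factory=list)

    def nrb(self, stmt: Stmt, p: Pred) -> Tuple[Pred, Pred, Pred]:
        """Return (N, R, B): states reachable at the normal, return and break exits."""
        kind = stmt[0]
        if kind == "seq":
            n, r, b = p, EMPTY, EMPTY
            for s in stmt[1]:
                n2, r2, b2 = self.nrb(s, n)   # B is only traversed on A's normal exit
                n, r, b = n2, r | r2, b | b2  # return/break from A OR from B after A
            return n, r, b
        if kind == "if":                      # condition not tracked: union of both arms
            n1, r1, b1 = self.nrb(("seq", stmt[1]), p)
            n2, r2, b2 = self.nrb(("seq", stmt[2]), p)
            return n1 | n2, r1 | r2, b1 | b2
        if kind == "while1":
            inv = p
            while True:                       # relax the entry state until it is invariant
                n, r, b = self.nrb(("seq", stmt[1]), inv)
                if n <= inv:
                    break
                inv = inv | n
            # break from the body is the only normal exit of while(1)
            return b, r, EMPTY
        # single statement: fire configured triggers on the incoming state, then transform
        for name, cond in self.triggers:
            if cond(stmt, p):
                alarm = Alarm(name, stmt, p)
                if alarm not in self.alarms:
                    self.alarms.append(alarm)
        if kind == "break":
            return EMPTY, EMPTY, p
        if kind == "return":
            return EMPTY, p, EMPTY
        if kind == "lock":
            return frozenset(min(d + 1, MAX_DEPTH) for d in p), EMPTY, EMPTY
        if kind == "unlock":
            return frozenset(max(d - 1, 0) for d in p), EMPTY, EMPTY
        return p, EMPTY, EMPTY                # sleep/call leave the lock depth unchanged

def sample_program() -> Stmt:
    """Constructed sample, not kernel code: a loop that may sleep under the lock,
    an early-return error path, and a sleep that is safe after the unlock."""
    return ("seq", [
        ("lock",),
        ("while1", [
            ("call", "fill_buffer"),
            ("if", [("break",)],                  # done: leave the loop
                   [("sleep", "msleep")]),        # BUG: sleeps while holding the spinlock
        ]),
        ("if", [("unlock",), ("return",)], []),   # error path: release and return
        ("unlock",),
        ("sleep", "msleep"),                      # fine: the lock is already released
    ])

def analyse(program: Stmt) -> Tuple[List[str], Pred, Pred]:
    """Run the analyser from depth 0; return alarm texts plus the normal and return exit states."""
    a = Analyser()
    n, r, _ = a.nrb(program, frozenset({0}))
    return [f"{al.rule}: {al.stmt} with depth {sorted(al.state)}" for al in a.alarms], n, r

if __name__ == "__main__":
    for line in analyse(sample_program())[0]:
        print(line)
```

The while(1) rule widens by clamping the depth at MAX_DEPTH, so the "relax p until it is invariant" iteration always terminates even for a body that locks on every pass without a break.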
Page 19
Using the analyser
• Call with the same arguments as given to the gcc compiler
Page 20
Limitations
• Predicates are restricted to unions of n-cubes
• State is not followed well enough:
– x = 1; if (x) A else B;
● treated correctly - only A is evaluated
– if (x) A else B; if (x) C else D;
● over-abstracted - A;C | A;D | B;C | B;D
– solution is to push branch hypotheses down: ((x!=0);A | (x==0);B) ; ((x!=0);C | (x==0);D)
● but we can't follow more detailed expressions well
Page 21
Implication of predicates is decidable
• Basic evaluation is C ⊆ ∪ Ci of cubes
– i.e. ∪ Ci covers C
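An added example, not the authors' implementation, of the covering check this slide describes: predicates are unions of n-cubes (here closed integer boxes, one interval per variable), and P implies Q is decided by checking that every cube of P is covered by the union of Q's cubes, peeling off one covering cube at a time. The integer-interval representation and the two-variable sample predicates are assumptions of this illustration.

```python
"""Deciding implication between predicates given as unions of n-cubes.
Added example, not the paper's code; a cube is a tuple of closed integer
intervals (lo, hi), one per variable, and a predicate is a list of cubes."""

from typing import List, Tuple

Interval = Tuple[int, int]
Cube = Tuple[Interval, ...]

def is_empty(c: Cube) -> bool:
    """A cube is empty if some interval has lo > hi."""
    return any(lo > hi for lo, hi in c)

def intersect(a: Cube, b: Cube) -> Cube:
    """Componentwise intersection of two cubes of the same dimension."""
    return tuple((max(alo, blo), min(ahi, bhi)) for (alo, ahi), (blo, bhi) in zip(a, b))

def subtract(c: Cube, inner: Cube) -> List[Cube]:
    """Split c minus inner (inner a sub-cube of c) into disjoint cubes: axis by axis,
    peel off the slabs below and above inner, then shrink c to inner on that axis."""
    pieces: List[Cube] = []
    box = list(c)
    for i, (lo, hi) in enumerate(c):
        ilo, ihi = inner[i]
        if lo < ilo:
            pieces.append(tuple(box[:i] + [(lo, ilo - 1)] + box[i + 1:]))
        if ihi < hi:
            pieces.append(tuple(box[:i] + [(ihi + 1, hi)] + box[i + 1:]))
        box[i] = (ilo, ihi)
    return pieces

def covers(c: Cube, cubes: List[Cube]) -> bool:
    """Is c contained in the union of cubes?  Take the first cube that meets c,
    and recurse on the pieces of c outside it with the remaining cubes.  Each step
    drops a cube, so the recursion terminates."""
    if is_empty(c):
        return True
    if not cubes:
        return False
    head, rest = cubes[0], cubes[1:]
    common = intersect(c, head)
    if is_empty(common):
        return covers(c, rest)
    return all(covers(piece, rest) for piece in subtract(c, common))

def implies(p: List[Cube], q: List[Cube]) -> bool:
    """P => Q for predicates given as unions of cubes: every cube of P is covered by Q."""
    return all(covers(c, q) for c in p)

# Constructed sample over two variables (x, y): a cube is ((xlo, xhi), (ylo, yhi)).
P = [((0, 5), (0, 5))]                          # 0<=x<=5 and 0<=y<=5
Q = [((0, 3), (0, 5)), ((4, 5), (0, 5))]        # the same square, split in two
Q_OVERLAP = [((0, 4), (0, 5)), ((3, 5), (0, 5))]  # overlapping cubes that still cover P
Q_GAP = [((0, 3), (0, 5)), ((4, 5), (0, 4))]    # misses the points with x in 4..5, y == 5

if __name__ == "__main__":
    print(implies(P, Q), implies(P, Q_OVERLAP), implies(P, Q_GAP))
```

Because covering cubes are removed one at a time rather than enumerated as points, the check costs a number of recursive calls bounded by the cube count and dimension, not by the size of the value ranges.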
Page 22
Summary
• A step towards analyses of 100 MLoC.
– No expertise needed
– Fast
– Copes with massive amounts of code
– Soundly based
• Negatives
– Not good at tracking program state; model checking?
● Solution - symbolic approximation
– Not yet easy to extend to new problem classes