Stanford CS 295 - Lecture 16 - Constraint-Based Analysis

Constraint-Based Analysis
Prof. Aiken, CS295 Lecture 16

Code Example

    void f(state *x, state *y) {
      result = spin_trylock(&x->lock);
      spin_lock(&y->lock);
      …
      if (!result)
        spin_unlock(&x->lock);
      spin_unlock(&y->lock);
    }

What a checker has to handle in this function:
• Path sensitivity: the value of result decides whether the if (!result) branch runs
• Flow sensitivity: the order of spin_trylock and spin_lock
• Pointers & heap: &x->lock and &y->lock
• Inter-procedural: spin_unlock and the other lock primitives are calls
• Lock FSM: states Unlocked, Locked, Error; transitions lock and unlock

Saturn
• What?
  – SAT-based approach to static bug detection
• How?
  – Program constructs → Boolean constraints
  – Inference → SAT solving
• Why SAT?
  – Lots of reasons, but for now:
  – Program states are naturally expressed as bits
  – The theory for bits is SAT
  – Efficient solvers are widely available

Intuition
• Analyzing in one direction is problematic
  – Forwards or backwards
  – Consider null dereference analysis
    • No null pointer assignments: forwards is best
    • No dereferences: backwards is best
• Constraints
  – Give a global picture of the program
  – Allow a more efficient order of solution

Straight-line Code

    void f(int x, int y) {
      int z = x & y;
      assert(z == x);
    }

• x and y become bit-vectors x31…x0 and y31…y0
• z = x & y is a bitwise AND, one constraint per bit: z_i = x_i ∧ y_i
• The assertion becomes a formula R for z == x (every bit pair agrees)
• Query: Is-Satisfiable(¬R)?
• Answer: Yes, e.g. x = [00…1], y = [00…0]
• The negated assertion is satisfiable; therefore the assertion may fail

Control Flow – Preparation
• Approach
  – Assumes a loop-free program
  – Unroll loops, drop back edges
• May miss errors that are deeply buried
  – Bug finding, not verification
  – Many errors surface in a few iterations
• Advantages
  – Simplicity, reduces false positives

Control Flow – Example

    if (c)
      x = a;
    else
      x = b;
    res = x;

• After x = a:        G = c,            x: [a31…a0]
• After x = b:        G = ¬c,           x: [b31…b0]
• After the merge:    G = c ∨ ¬c = true, x: [v31…v0] where v_i = (c ∧ a_i) ∨ (¬c ∧ b_i)
• Merges
  – preserve path sensitivity
  – select bits based on the values of the incoming guards

Pointers – Overview
• May point to different locations…
  – Thus, use points-to sets p: { l1, …, ln }
• … but path sensitive
  – Use guards on points-to relationships: p: { (g1, l1), …, (gn, ln) }

Pointers – Example

    p = &x;        G = true,  p: { (true, x) }
    if (c)
      p = &y;      G = c,     p: { (true, y) }
    res = *p;      G = true,  p: { (c, y), (¬c, x) }

• The dereference res = *p is modeled as conditional assignments:
    if (c) res = y; else if (¬c) res = x;

Pointers – Recap
• Guarded location sets { (g1, l1), …, (gn, ln) }
• Guards
  – Condition under which the points-to relationship holds
  – Collected from statement guards
• Pointer dereference
  – Conditional assignments

Not Covered
• Other constructs
  – Structs, …
• Modeling of the environment
• Optimizations
  – several to reduce the size of formulas
  – some form of program slicing is important

What can we do with Saturn?

    int f(lock_t *l) {
      lock(l);
      …
      unlock(l);
    }

• Lock FSM: Unlocked → Locked on lock, Locked → Unlocked on unlock; lock in state Locked or unlock in state Unlocked goes to Error
• The FSM is encoded into the program. lock(l) becomes
    if (l->state == Unlocked) l->state = Locked; else l->state = Error;
  and unlock(l) becomes
    if (l->state == Locked) l->state = Unlocked; else l->state = Error;

General FSM Checking
• Encode the FSM in the program
  – State → integer
  – Transition → conditional assignments
• Check code behavior
  – SAT queries

How are we doing so far?
• Precision: good
• Scalability: the problem
  – SAT limit is 1M clauses
  – About 10 functions
• Solution:
  – Divide and conquer
  – Function summaries

Function Summaries (1st try)
• Function behavior can be summarized with a set of state transitions

    int f(lock_t *l) {
      lock(l);
      …
      unlock(l);
      return 0;
    }

• Summary: *l: Unlocked → Unlocked, Locked → Error

A Difficulty

    int f(lock_t *l) {
      lock(l);
      …
      if (err) return -1;
      …
      unlock(l);
      return 0;
    }

• Problem
  – two possible output states
  – distinguished by the return value (retval == 0)
• Summary
  1. (retval == 0):  *l: Unlocked → Unlocked, Locked → Error
  2. (retval != 0):  *l: Unlocked → Locked,   Locked → Error

FSM Function Summaries
• Summary representation (simplified): { Pin, Pout, R }
• User gives:
  – Pin: predicates on the initial state
  – Pout: predicates on the final state
  – These express interprocedural path sensitivity
• Saturn computes:
  – R: guarded state transitions
  – Used to simulate function behavior at the call site

Lock Summary (2nd try)
(same function as on the "A Difficulty" slide)
• Output predicate:
  – Pout = { (retval == 0) }
• Summary (R):
  1. (retval == 0):  *l: Unlocked → Unlocked, Locked → Error
  2. (retval != 0):  *l: Unlocked → Locked,   Locked → Error

Lock checker for Linux
• Parameters:
  – States: { Locked, Unlocked, Error }
  – Pin = {}
  – Pout = { (retval == 0) }
• Experiment:
  – Linux kernel 2.6.5: 4.8 MLOC
  – ~40 lock/unlock/trylock primitives
  – 20 hours to analyze
    • 3.0 GHz Pentium IV, 1 GB memory

Double Locking/Unlocking

    static void sscape_coproc_close(…) {
      spin_lock_irqsave(&devc->lock, flags);
      if (…)
        sscape_write(devc, DMAA_REG, 0x20);
      …
    }

    static void sscape_write(struct … *devc, …) {
      spin_lock_irqsave(&devc->lock, flags);
      …
    }

• sscape_write takes devc->lock again while its caller still holds it; the summary of sscape_write (Locked → Error) exposes this at the call site

Ambiguous Return State

    int i2o_claim_device(…) {
      down(&i2o_configuration_lock);
      if (d->owner) {
        up(&i2o_configuration_lock);
        return -EBUSY;
      }
      if (…) {
        return -EBUSY;
      }
      …
    }

• Both early returns satisfy the same output predicate (retval != 0), but one releases i2o_configuration_lock and the other returns with it held, so the caller cannot tell the lock state from the return value

Bugs

    Type              Bugs   False Pos.   % Bugs
    Double Locking     134           99      57%
    Ambiguous State     45           22      67%
    Total              179          121      60%

• Previous work: MC (31), CQual (18), < 20% bugs

Function Summary Database
• 63,000 functions in Linux
  – More than 23,000 are lock related
  – 17,000 with locking constraints on entry
  – Around 9,000 affect more than one lock
  – 193 lock wrappers
  – 375 unlock wrappers
  – 36 with return value / lock state correlation
• Available on the web …

Another Checker
• Memory leaks
  – Common, esp. in error handling code
  – Hard to find
  – Problematic in long running
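The constraint encoding from the Straight-line Code, Control Flow – Example and Pointers – Example slides, carried through in working code. This is an added example and not Saturn's implementation: the backtracking search is a stand-in for the SAT solver Saturn calls, values are 4 bits wide instead of 32, and the assumed name `undef` stands for the value of *p before any guarded assignment applies. It goes one step beyond the slides by also running the UNSAT case (an assertion that cannot fail on loop-free code).

```python
"""Added example, not Saturn's code: bit-blast straight-line C into Boolean
constraints, merge values under guards, dereference through a guarded
points-to set, and decide the negated assertion with a small SAT search."""
from functools import reduce

# Formulas are nested tuples: ('var', name), ('not', f), ('and', f, g), ('or', f, g).
def var(name):  return ('var', name)
def vnot(f):    return ('not', f)
def vand(f, g): return ('and', f, g)
def vor(f, g):  return ('or', f, g)
def conj(fs):   return reduce(vand, fs)

def vars_of(f, acc=None):
    acc = set() if acc is None else acc
    if f[0] == 'var':
        acc.add(f[1])
    else:
        for sub in f[1:]:
            vars_of(sub, acc)
    return acc

def simplify(f, asg):
    """Fold constants under a partial assignment: returns True, False, or a
    residual formula mentioning only unassigned variables."""
    kind = f[0]
    if kind == 'var':
        return asg.get(f[1], f)
    if kind == 'not':
        g = simplify(f[1], asg)
        return (not g) if isinstance(g, bool) else ('not', g)
    a, b = simplify(f[1], asg), simplify(f[2], asg)
    if kind == 'and':
        if a is False or b is False:
            return False
        return b if a is True else a if b is True else ('and', a, b)
    if a is True or b is True:
        return True
    return b if a is False else a if b is False else ('or', a, b)

def sat(f):
    """Backtracking search with partial evaluation, standing in for the SAT
    solver Saturn calls.  Returns a (partial) model dict, or None if unsat."""
    def go(g, asg):
        if isinstance(g, bool):
            return dict(asg) if g else None
        x = min(vars_of(g))                     # branch on any unassigned variable
        for val in (True, False):
            asg[x] = val
            m = go(simplify(g, {x: val}), asg)
            if m is not None:
                return m
            del asg[x]
        return None
    return go(simplify(f, {}), {})

# Bit-vectors are lists of formulas, bit 0 first (the slides' x0 ... x31).
def bv(name, width):
    return [var(f'{name}{i}') for i in range(width)]

def bv_and(a, b):                                # z = x & y: z_i = x_i & y_i
    return [vand(x, y) for x, y in zip(a, b)]

def bv_eq(a, b):                                 # a == b: every bit pair agrees
    return conj([vor(vand(x, y), vand(vnot(x), vnot(y))) for x, y in zip(a, b)])

def bv_ite(c, a, b):   # merge after `if (c) x = a; else x = b;`: v_i = (c & a_i) | (~c & b_i)
    return [vor(vand(c, x), vand(vnot(c), y)) for x, y in zip(a, b)]

def deref(pts, width):
    """*p for a guarded points-to set [(g1, l1), ...]: one conditional assignment
    per target, applied to an initially unconstrained value (assumed name 'undef')."""
    res = bv('undef', width)
    for g, loc in pts:
        res = bv_ite(g, loc, res)
    return res

def model_value(model, vec):
    """Decode an integer from a model; bits the search never had to fix are 0."""
    full = {v: model.get(v, False) for bit in vec for v in vars_of(bit)}
    return sum(1 << i for i, bit in enumerate(vec) if simplify(bit, full) is True)

WIDTH = 4   # 4-bit ints keep the search tiny; the slides use 32 bits

def check_and_assert(width=WIDTH):
    """void f(int x, int y) { int z = x & y; assert(z == x); }
    Returns an (x, y, z) counterexample if the negated assertion is satisfiable."""
    x, y = bv('x', width), bv('y', width)
    z = bv_and(x, y)
    m = sat(vnot(bv_eq(z, x)))                   # Is-Satisfiable(not R)?
    if m is None:
        return None
    return model_value(m, x), model_value(m, y), model_value(m, z)

def check_and_assert_fixed(width=WIDTH):
    """The same code asserting z == (x & y): the negation is unsatisfiable, so
    on this loop-free code the assertion cannot fail."""
    x, y = bv('x', width), bv('y', width)
    return sat(vnot(bv_eq(bv_and(x, y), bv_and(x, y))))

def check_pointer_deref(width=WIDTH):
    """p = &x; if (c) p = &y; res = *p;  gives p: {(c, y), (~c, x)}.
    assert(!c || res == y) cannot fail; assert(res == x) can (c true, x != y)."""
    c, x, y = var('c'), bv('x', width), bv('y', width)
    res = deref([(c, y), (vnot(c), x)], width)
    holds = sat(vnot(vor(vnot(c), bv_eq(res, y))))   # None: no counterexample
    fails = sat(vnot(bv_eq(res, x)))                 # a model with c = True
    return holds, fails

if __name__ == '__main__':
    print('assert(z == x) counterexample (x, y, z):', check_and_assert())
    print('assert(z == (x & y)) counterexample:', check_and_assert_fixed())
    print('pointer checks (holds, fails):', check_pointer_deref())
```

The search returns a partial model, which is why `model_value` completes unfixed bits with 0 before decoding; any completion satisfies the residual formula, so the decoded (x, y, z) is a genuine failing input. Widening `WIDTH` past a handful of bits shows why the slides need a real solver rather than this backtracking loop.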

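Function summaries for the lock FSM, covering the Function Summaries, FSM Function Summaries, Lock checker for Linux, Double Locking/Unlocking and Ambiguous Return State slides, as an added example that is not Saturn's code. It computes R = {(Pout(retval), in-state, out-state)} by enumerating the paths of a small loop-free statement IR rather than by SAT queries, then applies the summary of sscape_write at its call site in sscape_coproc_close and checks i2o_claim_device for an ambiguous return state. The IR bodies are constructed from the slide snippets: the code the slides elide as "…" is left out, and the tail of i2o_claim_device (unlock, return 0) and the condition names `cond` and `cond2` are assumptions.

```python
"""Added example, not Saturn's code: FSM function summaries for a lock over a
small statement IR.  Saturn derives the guarded transitions with SAT queries;
here they come from enumerating the paths of these loop-free bodies, which is
exact for the slide examples but would not scale to a kernel."""
UNLOCKED, LOCKED, ERROR = 'Unlocked', 'Locked', 'Error'

# The lock FSM from the slides: lock() on a held lock or unlock() on a free one is an error.
FSM = {('lock', UNLOCKED): LOCKED, ('lock', LOCKED): ERROR,
       ('unlock', LOCKED): UNLOCKED, ('unlock', UNLOCKED): ERROR}

def step(op, state):
    return ERROR if state == ERROR else FSM[(op, state)]

def run_paths(body, state, summaries, guard=()):
    """Yield (guard, retval, final_state) for every path through `body` with
    the lock initially in `state`.  Statements: ('lock',), ('unlock',),
    ('return', value), ('if', cond, then_body, else_body), ('call', name).
    Branch conditions are opaque, so both sides are explored and recorded in
    the guard; a call is simulated with the callee's summary."""
    for i, stmt in enumerate(body):
        kind, rest = stmt[0], body[i + 1:]
        if kind in ('lock', 'unlock'):
            state = step(kind, state)
        elif kind == 'return':
            yield guard, stmt[1], state
            return
        elif kind == 'if':
            _, cond, then_b, else_b = stmt
            yield from run_paths(then_b + rest, state, summaries, guard + ((cond, True),))
            yield from run_paths(else_b + rest, state, summaries, guard + ((cond, False),))
            return
        elif kind == 'call':  # one continuation per summary transition that applies
            for pred, s_in, s_out in sorted(summaries[stmt[1]]):
                if s_in == state:
                    yield from run_paths(rest, s_out, summaries, guard + ((stmt[1], pred),))
            return
    yield guard, None, state               # void function: fell off the end

def summarize(body, summaries, pout=lambda rv: rv == 0):
    """R = {(Pout(retval), in_state, out_state)}.  Pin is empty, as in the
    Linux lock checker parameters, so every initial lock state is tried."""
    return {(pout(rv), s_in, s_out)
            for s_in in (UNLOCKED, LOCKED)
            for _, rv, s_out in run_paths(body, s_in, summaries)}

def ambiguous_states(R):
    """(Pout value, in_state) pairs whose out_state is not determined: the
    'ambiguous return state' pattern the i2o_claim_device slide reports."""
    outs = {}
    for pred, s_in, s_out in R:
        outs.setdefault((pred, s_in), set()).add(s_out)
    return {k: v for k, v in outs.items() if len(v) > 1}

def double_locks(body, summaries):
    """Guards of paths on which a caller that entered with the lock free drives it to Error."""
    return [g for g, _, s in run_paths(body, UNLOCKED, summaries) if s == ERROR]

# Constructed IR for the slide snippets.  Code the slides elide as "..." is
# omitted; the tail of i2o_claim_device (unlock, return 0) is an assumption.
EBUSY = 16
SSCAPE_WRITE = [('lock',)]                                 # spin_lock_irqsave(&devc->lock, flags)
SSCAPE_COPROC_CLOSE = [('lock',), ('if', 'cond', [('call', 'sscape_write')], [])]
I2O_CLAIM_DEVICE = [('lock',),                             # down(&i2o_configuration_lock)
                    ('if', 'd->owner', [('unlock',), ('return', -EBUSY)], []),
                    ('if', 'cond2', [('return', -EBUSY)], []),
                    ('unlock',), ('return', 0)]

def analyze():
    summaries = {'sscape_write': summarize(SSCAPE_WRITE, {})}
    summaries['i2o_claim_device'] = summarize(I2O_CLAIM_DEVICE, summaries)
    return {'sscape_write': summaries['sscape_write'],
            'double_locks': double_locks(SSCAPE_COPROC_CLOSE, summaries),
            'ambiguous': ambiguous_states(summaries['i2o_claim_device'])}

if __name__ == '__main__':
    for name, result in analyze().items():
        print(name, result)
```

The summary of sscape_write contains Locked → Error, so the call inside sscape_coproc_close, reached with the lock already held, is flagged with the guard that leads there. For i2o_claim_device the output predicate retval == 0 is false on both early returns, yet one leaves the lock free and the other held; that is exactly the pair of out-states the ambiguity check reports, and it is what a caller relying only on the return value cannot disambiguate.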
