Abstract
Reference counts are widely used in OS kernels for resource management. However, reference counts are not trivial to use correctly in large-scale programs, because it is left to developers to make sure that an increment to a reference count is always paired with a decrement. This paper proposes inconsistent path pair checking, a novel technique that can statically discover bugs related to reference counts without knowing how reference counts should be changed in a function. A prototype called RID is implemented, and evaluations show that RID can discover more than 80 bugs, confirmed by the developers, in the latest Linux kernel. The results also show that RID tends to reveal bugs caused by developers' misunderstanding of API specifications or by error conditions that are not handled properly.
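The unpaired increment on an error path that the abstract describes, shown next to its fix. This is an added example, not code from the paper or from RID. The `dev` object, the function names and the pairing criterion (same return value, different count change) are assumptions made here, and the paths are executed rather than analysed statically as RID does.

```c
#include <errno.h>

/* Constructed toy object; not a kernel structure. */
struct dev { int refcount; int ready; };

static void dev_get(struct dev *d) { d->refcount++; }
static void dev_put(struct dev *d) { d->refcount--; }

/* Buggy: both failure paths return -EINVAL, but only the first leaves
 * the count unchanged. The caller cannot tell which path ran. */
int dev_start_buggy(struct dev *d, int mode)
{
    if (mode < 0)
        return -EINVAL;          /* path A: delta 0 */
    dev_get(d);
    if (!d->ready)
        return -EINVAL;          /* path B: delta +1, reference leaked */
    return 0;                    /* success: caller owns one reference */
}

/* Fixed: every path that returns an error drops what it took. */
int dev_start_fixed(struct dev *d, int mode)
{
    if (mode < 0)
        return -EINVAL;
    dev_get(d);
    if (!d->ready) {
        dev_put(d);              /* pair the increment before failing */
        return -EINVAL;
    }
    return 0;
}

/* Run one path on a fresh object; report return value and count delta. */
struct outcome { int ret; int delta; };

struct outcome run_path(int (*fn)(struct dev *, int), int mode, int ready)
{
    struct dev d = { .refcount = 1, .ready = ready };
    struct outcome o;
    o.ret = fn(&d, mode);
    o.delta = d.refcount - 1;
    return o;
}

/* Assumed criterion: the caller sees the same return value on both
 * paths, yet the reference count changed by different amounts. */
int inconsistent(struct outcome a, struct outcome b)
{
    return a.ret == b.ret && a.delta != b.delta;
}
```

Because the check only compares two paths of the same function with each other, it needs no rule stating what the correct count change is.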
RID: Finding Reference Count Bugs with Inconsistent Path Pair Checking
ASPLOS '16: Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems