research-article

RID: Finding Reference Count Bugs with Inconsistent Path Pair Checking

Published: 25 March 2016

Abstract

Reference counts are widely used in OS kernels for resource management. However, reference counts are not trivial to use correctly in large-scale programs, because it is left to developers to make sure that every increment to a reference count is paired with a decrement. This paper proposes inconsistent path pair checking, a novel technique that can statically discover bugs related to reference counts without knowing how reference counts should be changed in a function. A prototype called RID is implemented, and evaluations show that RID can discover more than 80 bugs in the latest Linux kernel that were confirmed by the developers. The results also show that RID tends to reveal bugs caused by developers' misunderstanding of API specifications or by error conditions that are not handled properly.
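The bug class the abstract describes, as an added example that is not taken from the paper or from RID: a function whose two failure paths return the same value to the caller but change the reference count differently. It assumes that "inconsistent" means equal return value with unequal refcount change (a simplification made here), it executes the paths on concrete inputs rather than analysing them statically, and every name in it is hypothetical.

```c
#include <stdio.h>
/* Toy refcounted object; every name in this file is hypothetical. */
struct dev { int refs; };
static void dev_get(struct dev *d) { d->refs++; }
static void dev_put(struct dev *d) { d->refs--; }

/* Buggy: both failure paths return -1, but the second one leaks a reference. */
static int dev_start_buggy(struct dev *d, int powered, int fw_ok)
{
    if (!powered) return -1;    /* path A: refs unchanged */
    dev_get(d);
    if (!fw_ok)
        return -1;              /* path B: refs +1, same return value as A */
    dev_put(d);
    return 0;
}

/* Fixed: the late failure path drops the reference before returning. */
static int dev_start_fixed(struct dev *d, int powered, int fw_ok)
{
    if (!powered) return -1;
    dev_get(d);
    if (!fw_ok) {
        dev_put(d);
        return -1;
    }
    dev_put(d);
    return 0;
}

typedef int (*start_fn)(struct dev *, int, int);
/* Count input pairs with equal return value but different refcount change. */
static int count_inconsistent_pairs(start_fn fn)
{
    int ret[4], delta[4], n = 0;
    for (int i = 0; i < 4; i++) {       /* all (powered, fw_ok) combinations */
        struct dev d = { 1 };
        ret[i] = fn(&d, i >> 1, i & 1);
        delta[i] = d.refs - 1;          /* net change made by this path */
    }
    for (int i = 0; i < 4; i++)
        for (int j = i + 1; j < 4; j++)
            n += (ret[i] == ret[j] && delta[i] != delta[j]);
    return n;
}

int main(void)
{
    printf("buggy: %d\n", count_inconsistent_pairs(dev_start_buggy));
    printf("fixed: %d\n", count_inconsistent_pairs(dev_start_fixed));
}
```

The check needs no rule about what `dev_start_*` should do to the count: a caller that sees -1 cannot tell whether it still owes a `dev_put`, which is what makes the pair a bug candidate.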


Published in

ACM SIGPLAN Notices, Volume 51, Issue 4 (ASPLOS '16), April 2016, 774 pages. ISSN: 0362-1340. EISSN: 1558-1160. DOI: 10.1145/2954679. Editor: Andy Gill.

ASPLOS '16: Proceedings of the Twenty-First International Conference on Architectural Support for Programming Languages and Operating Systems, March 2016, 824 pages. ISBN: 9781450340915. DOI: 10.1145/2872362. General Chair: Tom Conte. Program Chair: Yuanyuan Zhou.

Copyright © 2016 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
