Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions

Similar documents
Motivation. What s the Problem? What Will we be Talking About? What s the Solution? What s the Problem?

MC: Meta-level Compilation

Static Analysis versus Software Model Checking for bug finding

Static Analysis Basics II

Static Analysis of C++ Projects with CodeSonar

A System and Language for Building System-Specific, Static Analyses

Operating- System Structures

Ricardo Rocha. Department of Computer Science Faculty of Sciences University of Porto

1 Lexical Considerations

Static Analysis in Practice

Parallel Computer Architecture Spring Memory Consistency. Nikos Bellas

SPIN Operating System

Static Analysis in Practice

Abe Skolnik. Presentation #1: An Introduction to MyGCC

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code

CERT C++ COMPLIANCE ENFORCEMENT

OPERATING SYSTEM. Chapter 4: Threads

Utilizing Linux Kernel Components in K42 K42 Team modified October 2001

Operating Systems 2010/2011

Linux Driver and Embedded Developer

Design and development of Svace static analyzers

UC Santa Barbara. Operating Systems. Christopher Kruegel Department of Computer Science UC Santa Barbara

Module 1. Introduction:

SOEN228, Winter Revision 1.2 Date: October 25,

Che-Wei Chang Department of Computer Science and Information Engineering, Chang Gung University

Concurrent programming: Introduction I

Lexical Considerations

Static Analysis in C/C++ code with Polyspace

Formal Specification and Verification

a. A binary semaphore takes on numerical values 0 and 1 only. b. An atomic operation is a machine instruction or a sequence of instructions

Chapter 4: Threads. Chapter 4: Threads. Overview Multicore Programming Multithreading Models Thread Libraries Implicit Threading Threading Issues

Initial Evaluation of a User-Level Device Driver Framework

Module 15: "Memory Consistency Models" Lecture 34: "Sequential Consistency and Relaxed Models" Memory Consistency Models. Memory consistency

How to Sandbox IIS Automatically without 0 False Positive and Negative

PUG (Prover of User GPU Programs) v0.2

CS356: Discussion #6 Assembly Procedures and Arrays. Marco Paolieri

Verification and Validation

Concurrency, Thread. Dongkun Shin, SKKU

Ian Sommerville 2006 Software Engineering, 8th edition. Chapter 22 Slide 1

Parallel And Distributed Compilers

Eraser: Dynamic Data Race Detection

Lexical Considerations

The Environment Model. Nate Foster Spring 2018

Static Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU

G Programming Languages - Fall 2012

EXPLODE: a Lightweight, General System for Finding Serious Storage System Errors. Junfeng Yang, Can Sar, Dawson Engler Stanford University

The SPIN Model Checker

Motivation was to facilitate development of systems software, especially OS development.

CS1622. Semantic Analysis. The Compiler So Far. Lecture 15 Semantic Analysis. How to build symbol tables How to use them to find

Operating System Review

Outline. Outline. Program needs a representation for the analysis. Understanding the Program Representations. Zhiqiang Lin

Objectives. Chapter 19. Verification vs. validation. Topics covered. Static and dynamic verification. The V&V process

Introduction CHAPTER. Review Questions

EI 338: Computer Systems Engineering (Operating Systems & Computer Architecture)

ECS 153 Discussion Section. April 6, 2015

Chapter 4: Threads. Chapter 4: Threads

Formal Verification by Model Checking

Module 6: Process Synchronization. Operating System Concepts with Java 8 th Edition

Security Analyses For The Lazy Superhero

Summary: Direct Code Generation

Paging. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Verification and Validation

Verification and Validation

Part 5. Verification and Validation

Closures. Mooly Sagiv. Michael Clarkson, Cornell CS 3110 Data Structures and Functional Programming

Java PathFinder JPF 2 Second Generation of Java Model Checker

System Call. Preview. System Call. System Call. System Call 9/7/2018

CPU Architecture. HPCE / dt10 / 2013 / 10.1

High-Level Language VMs

Input and Output = Communication. What is computation? Hardware Thread (CPU core) Transforming state

! Why is synchronization needed? ! Synchronization Language/Definitions: ! How are locks implemented? Maria Hybinette, UGA

Mid-term Roll no: Scheduler Activations: Effective Kernel Support for the User-Level Management of Parallelism

HSA QUEUEING HOT CHIPS TUTORIAL - AUGUST 2013 IAN BRATT PRINCIPAL ENGINEER ARM

Testing. ECE/CS 5780/6780: Embedded System Design. Why is testing so hard? Why do testing?

CS 471 Operating Systems. Yue Cheng. George Mason University Fall 2017

Run time environment of a MIPS program

The Environment Model

Outline. Proof Carrying Code. Hardware Trojan Threat. Why Compromise HDL Code?

Chapter 3 Process Description and Control

Control Abstraction. Hwansoo Han

The Procedure Abstraction Part I Basics

Chapter 3 (part 3) Describing Syntax and Semantics

82V391x / 8V893xx WAN PLL Device Families Device Driver User s Guide

Interprocess Communication By: Kaushik Vaghani

SPIN, PETERSON AND BAKERY LOCKS

A Novel Approach to Explain the Detection of Memory Errors and Execution on Different Application Using Dr Memory.

CS61C : Machine Structures

Lecture 4: Mechanism of process execution. Mythili Vutukuru IIT Bombay

Using Intel Inspector XE 2011 with Fortran Applications

Volume II, Section 5 Table of Contents

3.4 Data-Centric workflow

CS164: Programming Assignment 5 Decaf Semantic Analysis and Code Generation

Chapter 6: Process [& Thread] Synchronization. CSCI [4 6] 730 Operating Systems. Why does cooperation require synchronization?

Overview: The OpenMP Programming Model

Virtual Memory COMPSCI 386

Sardar Vallabhbhai Patel Institute of Technology (SVIT), Vasad M.C.A. Department COSMOS LECTURE SERIES ( ) (ODD) Code Optimization

Computer aided verification

Virtualization. Operating Systems, 2016, Meni Adler, Danny Hendler & Amnon Meisels

Concurrency. Glossary

Transcription:

Motivation for using Checking System Rules Using System-Specific, Programmer- Written Compiler Extensions Dawson Engler Benjamin Chelf Andy Chou Seth Hallem 1 Computer Systems Laboratory Stanford University Presenter: Yoon-Kah Leow

Motivation for using Outline of Topics Motivation for using

Motivation for using Checking for System-Rules Violations Using Formal Verification 1. Advantages 1.1 Able to locate hard-to-find errors. (i.e., when defined appropriately) 2. Disadvantages 2.1 Hard to create a comprehensive specification. 2.2 Specifications are only an abstraction of actual code. Can we propose something much easier than this?

Motivation for using Checking for System-Rules Violations Using Testing 1. Advantages 1.1 Testing is easier than verification to implement. 1.2 Operates on the actual code. 2. Disadvantages 2.1 Execution paths grows exponentially with increasing code size. 2.2 Difficult to track intermittent bugs. 2.3 Hard to interpret test results. Can we propose something that scales better than this?

Motivation for using Checking for System-Rules Violations Using Manual Inspection 1. Advantages 1.1 Take into consideration of various semantic levels. 1.2 Flexible 2. Disadvantages 2.1 Difficult to scale to large code sizes. 2.2 Inconsistent results. Can we propose something that is more consistent?

Motivation for using Checking for System-Rules Violations Using Compilers YES! Compilers are a good alternative but what is missing? Meta-semantics of the underlying code.

Motivation for using Checking for System-Rules Violations Using Compilers YES! Compilers are a good alternative but what is missing? Meta-semantics of the underlying code. An easy yet scalable way for developers to extend the compiler, xg++.

Motivation for using Checking for System-Rules Violations Using Compilers YES! Compilers are a good alternative but what is missing? Meta-semantics of the underlying code. An easy yet scalable way for developers to extend the compiler, xg++. Solution is (MC).

Motivation for using What is? 1. Extend compilers with checkers defined as high-level state machines. 2. State machines are defined using a language called Metal. 3. Checkers are dynamically-linked into the compiler.

Motivation for using An Example Metal State Machine Pattens defining state transitions 1. sti() restore flags() enable 2. cli() disable Available States 1. is enabled: disable is disabled enable error(double enable) 2. is disabled: enable is enabled disable error(double disable) end of path error( exiting with interrupt request disabled! )

Motivation for using Potential Caveats 1. Extensions do not ensure 100% bugs-free. 2. Unable to check for proprietary systems features. 2.1 Send error-logs to system designers for verification. 2.2 Disregard items that is hard to reason. 3. False positives caused by local analyses. 3.1 Add global analysis or system-specific information. 3.2 Provide extra API calls to suppress warnings. 4. Compiler compatibility issues with other languages. 4.1 Remove illegal GNU C constructs. 4.2 Relax type-checking in g++ compiler front-end. 4.3 Port Metal language based checkers to support other languages.

Motivation for using Expected Behavior of Assertions MC detects code deviation in assertion constructs based on the following 2 behavior definitions. 1. assert is used typically during development. 2. assert should never fail.

Motivation for using Assertion Checking Extension State-Machine Patterns defining state transitions 1. Any statement resembling the form assert( expr ). 2. Variables of any type in expr. 3. Any function call with any arguments in expr. Available States 1. start: assert( expr ) mgk expr recurse(expr, in assert) 2. in assert: any fcall(args) error( function call ) x=y error( assignment ) z++ error( post-increment ) z++ error( post-decrement )

Motivation for using Assertion Checking with Static Analysis 1. Track scalar variable values using dataflow analysis. 2. Evaluate the set of values accumulated for the variable in an assert statement. 3. Set of values is the union of all previous constant assignments.

Motivation for using Temporal Orderings MC checks for code execution order in the following scenarios. 1. System calls should always validate application pointers before using them. 2. Execution order during memory allocation and deallocation. 2.1 Check returned pointer handler after malloc invocation before using it. 2.2 Ensure deallocated memory is not used. 2.3 Paths that exits with an error needs to deallocate memory. 2.4 Allocated memory size cannot be lesser than the size of the object.

Motivation for using Tracking Pointer Copying Between Kernel and User Space State-Machine 1. Track all pointer variables during each system call. 2. Mark each pointer variable as tainted. 3. Eliminate/kill each pointer variable if it is re-assigned or passed on to a tainted function.

Motivation for using Extensions Dealing with Global Contexts Expected global Linux rules. 1. Check for kernel code invoking a blocking function during interrupt disabled or while holding a spin-lock. 2. Check for kernel code invoking a blocking function during kernel module loading.

Motivation for using Global analysis to detect blocking routine 1. Invoke local pass using a Metal extension. 2. Mark every blocking kernel routine. 3. Generate a global call-graph. 4. Invoke global pass and mark all routines that invokes a blocking routine.

Motivation for using Check for deadlocks in the Linux Kernel Pattens defining state transitions 1. sti() restore flags() enable 2. cli() disable Available States 1. is enabled: disable check blocking functions(is disabled) 2. is disabled: enable is enabled

Motivation for using Optimization Extensions Created extensions to optimize FLASH cache coherence protocol in the following areas. 1. Buffer optimization to remove redundant buffer allocation for control messages. 2. Detects redundant default message s buffer length. 3. Applying XOR operation to consecutive messages that have headers the same as the previous message.

Motivation for using After commercialization of their product under the brand name, Coverity, the authors experience the harsh reality from the commercial world. 1. Associating coding practices with compiler. 2. Managing unconventional compiler extensions in embedded design development. 3. Acquiring out-dated compiler designs. 4. Customers are not concern with bugs. 5. Programmers have a weak grasp in compilers and disregard hard-to-understand bugs. 6. Customers have low trust in the product. 7. A good error is an error which can be diagnosed easily.

Motivation for using Managing Unconventional C Code with a C Compiler Utilise a third party software to manage variations in C language. 1. Utilize Edison Design Group (EDG) front-end. Design targets feature compatibility and version-specific bug compatibility. 2. Develop code transformers to parse code into reasonable intermediate representations to be interpreted by EDG. 3. Hack EDG code to ensure compatibility!

Motivation for using 1. A good bug is easy to diagnose yet hard to dispute. 2. Users emphasizes on a tool which is scalable, easy to use, and maintains high standard of accuracy with low number of false positives. 3. Validation engineers might not have sufficient knowledge of the tested code to write the necessary extensions.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback