Model-based Kernel Testing for Concurrency Bugs through Counter Example Replay Moonzoo Kim, Shin Hong, Changki Hong Provable Software Lab. CS Dept. KAIST,

Slides:



Advertisements
Similar presentations
Automating Software Module Testing for FAA Certification Usha Santhanam The Boeing Company.
Advertisements

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Process management Information maintained by OS for process management  process context  process control block OS virtualization of CPU for each process.
R4 Dynamically loading processes. Overview R4 is closely related to R3, much of what you have written for R3 applies to R4 In R3, we executed procedures.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
1/20 Generalized Symbolic Execution for Model Checking and Testing Charngki PSWLAB Generalized Symbolic Execution for Model Checking and Testing.
Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Prof. Moonzoo Kim Computer Science, KAIST
Department of Software Engineering Faculty of Mathematics and Physics CHARLES UNIVERSITY IN PRAGUE Czech Republic Extracting Zing Models from C Source.
1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.
Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.
Presenter : Shih-Tung Huang Tsung-Cheng Lin Kuan-Fu Kuo 2015/6/15 EICE team Model-Level Debugging of Embedded Real-Time Systems Wolfgang Haberl, Markus.
Ch6: Software Verification. 1 Statement coverage criterion  Informally:  Formally:  Difficult to minimize the number of test cases and still ensure.
Threads 1 CS502 Spring 2006 Threads CS-502 Spring 2006.
Language Support for Lightweight transactions Tim Harris & Keir Fraser Presented by Narayanan Sundaram 04/28/2008.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Maintaining and Updating Windows Server 2008
0 Deterministic Replay for Real- time Software Systems Alice Lee Safety, Reliability & Quality Assurance Office JSC, NASA Yann-Hang.
Timing and Race Condition Verification of Real-time Systems Yann–Hang Lee, Gerald Gannod, and Karam Chatha Dept. of Computer Science and Eng. Arizona State.
CREST Internal Yunho Kim Provable Software Laboratory CS Dept. KAIST.
Designing For Testability. Incorporate design features that facilitate testing Include features to: –Support test automation at all levels (unit, integration,
Static and Dynamic Analysis at JPL Klaus Havelund.
Lifecycle Verification of the NASA Ames K9 Rover Executive Dimitra Giannakopoulou Mike Lowry Corina Păsăreanu Rich Washington.
Korea Advanced Institute of Science and Technology The Spin Model Checker - Advanced Features Moonzoo Kim CS Dept. KAIST.
B. Fernández, D. Darvas, E. Blanco Formal methods appliedto PLC code verification Automation seminar CERN – IFAC (CEA) 02/06/2014.
The Structure of Processes (Chap 6 in the book “The Design of the UNIX Operating System”)
Survey on Trace Analyzer (2) Hong, Shin /34Survey on Trace Analyzer (2) KAIST.
Siebel 8.0 Module 5: EIM Processing Integrating Siebel Applications.
An Effective Method to Control Interrupt Handler for Data Race Detection Makoto Higashi †, Tetsuo Yamamoto ‡, Yasuhiro Hayase †, Takashi Ishio † and Katsuro.
Predicate Abstraction of ANSI-C Programs Using SAT By Edmund Clarke, Daniel Kroening, Natalia Sharygina, Karen Yorav Presented by Yunho Kim Provable Software.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Mutual Exclusion.
CSC321 Concurrent Programming: §5 Monitors 1 Section 5 Monitors.
Writing a Run Time DLL The application loads the DLL using LoadLibrary() or LoadLibraryEx(). The standard search sequence is used by the operating system.
A Framework on Synchronization Verification in System-Level Design Thanyapat Sakunkonchak Satoshi Komatsu Masahiro Fujita Fujita Laboratory University.
Files & File system. A Possible File System Layout Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All rights reserved
1 Computer Systems II Introduction to Processes. 2 First Two Major Computer System Evolution Steps Led to the idea of multiprogramming (multiple concurrent.
Unix Security Assessing vulnerabilities. Classifying vulnerability types Several models have been proposed to classify vulnerabilities in UNIX-type Oses.
CS399 New Beginnings Jonathan Walpole. 2 Concurrent Programming & Synchronization Primitives.
© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Operating Systems Processes and Threads.
NCHU System & Network Lab Lab 14 File and Directory.
CS212: Object Oriented Analysis and Design Lecture 19: Exception Handling.
Grigore Rosu Founder, President and CEO Professor of Computer Science, University of Illinois
Lecture 3 Concurrency and Thread Synchronization     Mutual Exclusion         Dekker's Algorithm         Lamport's Bakery Algorithm.
CSCI 156: Lab 11 Paging. Our Simple Architecture Logical memory space for a process consists of 16 pages of 4k bytes each. Your program thinks it has.
Automated Formal Verification of PLC (Programmable Logic Controller) Programs
Race conditions and synchronization issues Exploiting UNIX.
( = “unknown yet”) Our novel symbolic execution framework: - extends model checking to programs that have complex inputs with unbounded (very large) data.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
Agenda  Quick Review  Finish Introduction  Java Threads.
Reachability Testing of Concurrent Programs1 Reachability Testing of Concurrent Programs Richard Carver, GMU Yu Lei, UTA.
SOFTWARE TESTING TRAINING TOOLS SUPPORT FOR SOFTWARE TESTING Chapter 6 immaculateres 1.
Content Coverity Static Analysis Use cases of Coverity Examples
CS 6560: Operating Systems Design
Background on the need for Synchronization
runtime verification Brief Overview Grigore Rosu
CS453: Automated Software Testing
Software Development Cycle
Processes in Unix, Linux, and Windows
The Spin Model Checker - Advanced Features
Introduction to Static Analyzer
A Refinement Calculus for Promela
CSE 153 Design of Operating Systems Winter 19
Software Development Cycle
Foundations and Definitions
The Spin Model Checker - Advanced Features
Threads CSE 2431: Introduction to Operating Systems
Presentation transcript:

Model-based Kernel Testing for Concurrency Bugs through Counter Example Replay Moonzoo Kim, Shin Hong, Changki Hong Provable Software Lab. CS Dept. KAIST, South Korea Taeho Kim Embedded System Group ETRI, South Korea

Moonzoo Model-based Kernel Testing for Concurrency Bugs Provable Software Lab, KAIST through Counter Example Replay Introduction There are increasing need for operating systems customized for embedded systems –Mobile phones, portable players, etc Conventional testing cannot provide satisfactory reliability to operating system kernel –Complexity of code –Multi-threaded program –Difficulty of unit testing –Lack of proper testing tools A model checking solves some of these problems through abstraction, but there is a gap between a real kernel and its abstract model 2 / 16  To combine both model checking and testing through replaying a counter example on the real code

Moonzoo Model-based Kernel Testing for Concurrency Bugs Provable Software Lab, KAIST through Counter Example Replay Summary of the Approach MOdel-based KERnel Testing (MOKERT) framework 3 / 16 Formal Model Req. Property Model Checker Error Trace Model Extractor Translation Script  Target program Automated Instrumentation  -1 OK Model checking Testing Model extraction

Moonzoo Model-based Kernel Testing for Concurrency Bugs Provable Software Lab, KAIST through Counter Example Replay Traditional Model Checking v.s. MOKERT 4 / 16 Formal Model Req. Property Model Checker Manual modeling Manual Analysis Target program Error Trace Traditional model checkingMOKERT framework ModelingManual(Semi) Automatic Counter example analysis ManualAutomatic OK Manual Script Writing Formal Model Req. Property Spin Error Trace Modex Translation Script  Target program  -1 Automated Instrumenta tion OK

Moonzoo Model-based Kernel Testing for Concurrency Bugs Provable Software Lab, KAIST through Counter Example Replay Model Extraction Similarity between C and Promela –Control statements (if, goto, loop) –Support complex data structures (array, typedef) Without a translation script –C control statements are automatically translated –Others C statements are embedded into a promela model using c_expr{…} and c_code{…} 5 / 16 68: do { 69: spin_unlock(&proc_subdir_lock); 70: if (filldir(dirent, de->name, de->namelen, filp->f_pos, de->low_ino, de->mode >> 12) < 0 ) 71: goto out; 72: spin_lock(&proc_subdir_lock); … 77: } while (de); Target C code Promela code 123: do 124: :: 125: spin_unlock(proc_subdir_lock); /* line 69 */ 126: if 127: :: false; /* line 70 */ 128: goto out; 129: :: else; /* line 72 */ 130: fi; 131: spin_lock(proc_subdir_lock); /* line 72 */ … 137: od; Patterns in C codeCorresponding Promela code spin_unlock(&proc_subdir_lock);spin_unlock(proc_subdir_lock) (filldir(dirent…false spin_lock(&proc_subdir_lock);spin_lock(proc_subdir_lock) Translation table Modex translate a C program into a Promela model based on a translation script - A translation script consists of translation tables for functions and an environment model

Moonzoo Model-based Kernel Testing for Concurrency Bugs Provable Software Lab, KAIST through Counter Example Replay Architecture of MOKERT 6 / 16 Program Translation script Instrumented program Req. property Spin (2) Modex (1) Target C program Promela Model Mapping info Instrumentation module (3) Okay Counter example Static phase Target threads Controller thread Monitor thread Process state Scheduling signals Controller state Test driver Run-time phase User input Objects Process Legend

Moonzoo Model-based Kernel Testing for Concurrency Bugs Provable Software Lab, KAIST through Counter Example Replay Automatic Instrumentation 7 / 16 Target C program is automatically instrumented based on the mapping information and the counter example. Target C program 68 : do { 69: spin_unlock (&proc_subdir_lock); 70: if (filldir(dirent, de->name, de->namelen, filp->f_pos, de->low_ino, de->mode >> 12) < 0) … 77: } while (de) Promela model … 123 : do 124: :: 125: spin_unlock (proc_subdir_lock); /* line 69*/ 126: if 127: :: false; /* line 70 */ Counter example... 44: proc 1 (proc_readdir)line 116 [( (!i) )] 45: proc 1 (proc_readdir)line 125 [((proc_subdir_lock==1))] 46: proc 2 (remove_proc_entry) line 156 [((proc_subdir_lock==0))] 47: proc 2 (remove_proc_entry) line 157 [p = proc_parent.next] Context switch occurs after the execution of line 125 of the promela model insert a probe : the probe enforces context switching

Moonzoo Model-based Kernel Testing for Concurrency Bugs Provable Software Lab, KAIST through Counter Example Replay Automatic Instrumentation (cont.) An example of a probe 8 / 16 Target C program 68 : do { /* filldir passes info to user space */ 69: spin_unlock (&proc_subdir_lock); 70: if (filldir(dirent, de->name, de->namelen, filp->f_pos, de->low_ino, de->mode >> 12) < 0) … 76: de = de->next; 77: } while (de); Instrumented C program 68 : do { 69: spin_unlock (&proc_subdir_lock); if (test_start == true) { m_pid = get_model_pid(current_pid); switch(m_pid) { case m_pid_1: switch (context_switching_point[m_pid][69]) { case 3: notify_controller(); wait_for_signal(); default: context_switching_point[m_pid][69]++; break; } 70: if (filldir(dirent, de->name, de->namelen, filp->f_pos, de->low_ino, de->mode >> 12) < 0) … 77: } while (de); Suppose that a counter example has a context switching after the 3 rd execution of line 69 of the C code notify_controller() : notify the controller thread that context switching should occur wait_for_signal() : wait for the signal from the controller thread to continue execution while(runnable[m_pid]==false) { sys_sched_yield(); }

Moonzoo Model-based Kernel Testing for Concurrency Bugs Provable Software Lab, KAIST through Counter Example Replay Detection of Replay Failure The monitoring thread decides whether a counter example is replayed co rrectly or not based on the following information –Probe entering/leaving logs Each probe reports its entering/exit to the monitoring thread. –Process status A user can read a process's status through proc file system –Target threads' call-stack Example (see case study 2) –If a target thread enters into a probe but not leave and –the status of the thread is "Running“ for long time, then the monitoring thread reports that the counter example replay failed, since the target thread is waiting for the controller thread's si gnal indefinitely 9 / 16

Moonzoo Model-based Kernel Testing for Concurrency Bugs Provable Software Lab, KAIST through Counter Example Replay 10 / 20 Context Switch Case Study 1: Data Race between proc_readdir() and remove_proc_entry() Context Switch Linux Changelog reported that proc_readdir() and remove_proc_entry() had a data race bug in the Linux kernel. –proc_readdir() : 67 lines (68 lines in Promela) –remove_proc_entry() : 35 lines (36 lines in Promela) –Test driver (environment): 76 lines (24 lines in Promela) –Two graduate students spent 2 days for replaying the bug

Moonzoo Model-based Kernel Testing for Concurrency Bugs Provable Software Lab, KAIST through Counter Example Replay Replaying the data race bug –Environment setting 11 / 16 “Jan”“Mar”“Apr” “Feb” “Month” x Case Study 1: Data Race between proc_readdir() and remove_proc_entry() “Jan” “Feb” “Month” - Result of replaying the data race bug “Jan”“Feb”“Mar”“Apr” Removed directory entry The first directory entry x free_proc_entry(de) does not actually free de, but modifies incoming and outgoing links

Moonzoo Model-based Kernel Testing for Concurrency Bugs Provable Software Lab, KAIST through Counter Example Replay We found a data race in a Promela model for ext2_readdir() (78 lines/65 lines) and ext2_rmdir() (15 lines/15 lines) in Linux as follows: However, the counter example could not be replayed on the real Linux kernel –The monitor thread found that a thread for ext2_readdir() was waiting for the signal from the controller thread without progress 12 / 16 Case Study 2: Model Refinement of ext2_readdir() and ext2_rmdir() ext2_readdir()ext2_rmdir() 67a: if(de->inode) { … 74a: offset = (char *) de – kaddr; 93b: struct inode * inode = dentry->d_inode; … 97b: if (ext2_empty_dir(inode)) { 98b: err = ext2_unlink(dir, dentry); 75a: over = filldir(dirent, de->name, de->name_len, 76a: (n<PAGE_CACHE_SHIFT) | offset, 77a: le32_to_cpu(de->inode), d_type);

Moonzoo Model-based Kernel Testing for Concurrency Bugs Provable Software Lab, KAIST through Counter Example Replay Replaying the data race bug –vfs_readdir() and do_rmdir() were invoked instead, since ext2_readdir() and ext2_rmdir() could be invoked only from these two functions –We found that vfs_readdir() and do_rmdir() protected ext2_readir() and ext2_rmdir() through mutex, thus preventing the data race. 13 / 16 Case Study 2: Model Refinement of ext2_readdir() and ext2_rmdir() 22 : int vfs_readdir(struct file *file, filldir_t filler, void *buf) { … 33: mutex_lock(&inode->i_mutex); … 36: res = file->f_op->readdir(file, buf, filler); … 39: mutex_unlock(&inode->i_mutex); … ext2_readdir(struct file *filp, void *dirent, filldir_t filldir) { 2038: static long do_rmdir(int dfd, const char __user *pathname) { … 2064: mutex_lock_nested(… ); … 2069: error = vfs_rmdir (…); … 2072: mutex_unlock(…); … 2005: int vfs_rmdir(struct inode *dir, struct dentry *dentry) { … 2024: error = dir->i_op->rmdir(dir, dentry) … ext2_rmdir( struct inode * dir, struct dentry *dentry) { (a) Calling sequence from vfs_readdir() to ext2_readdir() (b) Calling sequence from do_rmdir() to ext2_readdir()

Moonzoo Model-based Kernel Testing for Concurrency Bugs Provable Software Lab, KAIST through Counter Example Replay MOKERT was applied to verify the proc file system in Linux and found a data race between remove_proc_entry()’s –It may cause a null pointer dereference 14 / 16 Case Study 3: Data Race between remove_proc_entry() ‘s remove_proc_entry(“dir1”, null)remove_proc_entry(“dir1/dir2”,null) 755a: spin_lock(&proc_subdir_lock); 756a: for(p=&parent->subdir; *p; p=&(*p)->next) { … 764a: spin_unlock(&proc_subdir_lock) ; … 807a: if ( de->subdir != NULL) { 755b: spin_lock(&proc_subdir_lock) ; 756b: for(p=&parent->subdir; *p; p=&(*p)->next) { /* if the linked list pointed by parent->subdir becomes empty, subdir is set as NULL */ … 763b: } 764b: spin_unlock(&proc_subdir_lock) ; 808a: printk(KERN_WARNING “%s: removing non-empty directory …”,de->parent->name, de->name, de->subdir->name) ; dir1/dir2

Moonzoo Model-based Kernel Testing for Concurrency Bugs Provable Software Lab, KAIST through Counter Example Replay Case Study 3: Data Race between remove_proc_entry() ‘s Replaying the data race bug –We could reuse the previous experimental setting of the case study 1 Promela model of remove_proc_entry(): 81 lines Environment model: 73 lines –It took one day for a graduate student to perform this verification task 15 / 16

Moonzoo Model-based Kernel Testing for Concurrency Bugs Provable Software Lab, KAIST through Counter Example Replay Conclusions We proposed the MOKERT framework to verify multi-threaded program like an operating system kernel. –The framework applies the analysis result (i.e., a counter example) of model checking to the actual kernel code. –We have demonstrated the effectiveness of MOKERT through the case studies We found a data race bug in proc file system of Linux How to create an abstract model systematically is still issue –Currently, we depend on human knowledge We plan to apply MOKERT to more components of Linux file systems 16 / 16

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.