Slides for presentation on "Abstract Interpretation meets model checking near the 1000000 LOC mark" at 5th International Workshop on Automated Verification of Infinite-State Systems (AVIS'06), Apr 1, 2006. A preprint of the full paper is available at http://www.academia.edu/2494187/Abstract_Interpretation_meets_Model_Checking_near_the_10_6_LOC_mark .

1. Abstract Interpretation meets model
checking near the 1000000 LOC
mark
- Finding errors in the Linux Kernel
Source
Peter T. Breuer & Simon Pickin
Universidad Carlos III de Madrid

2. Goal
•
Apply
Formal Methods
to the
Linux kernel
•
Methods must be
➢ post-hoc
➢ capable of application by non-experts
➢ able to handle 6.5 millions of lines of
rapidly changing C code

3. Analysis Example -Sleep under
Spinlock Hunt (SluSH)

4. Output from SluSH run

5. What is sleep under spinlock?
• Sleep = thread scheduled out of CPU
• Spinlock = busy wait for lock release
• Two CPUs
+ two threads waiting on spinlocks
= one dead machine

6. Example of bad code
• snd_sb_csp_load() in sb16_csp.c

7. Another piece of guilty code
• Kernel 2.6.12 sound/oss/sequencer.c midi_outc()

8. Cox owns up

9. Output summarises liklihoods

10. Other classes of problems detected
• Access (read/write) to kfreed memory
• Overflow 4096B of stack
• Spinlock under spinlock
• Call to function that expects non-NULL
parameters with possibly NULL argument
• ...
– Logic is configured, so new tests can be invented

11. Example of kfree/access
• drivers/scsi/aix7xxx_old.c in kernel 2.6.3

12. Basic technique

13. The abstract view

14. Components of analysis system
• Description of statements as logic transformers
– p .... p[n-1/n]
• Trigger/action system for raising alarms!
• Combining logic NRB
• Guiding abstract interpretation s to state x
x ∈s ∩ p
stops dead code evaluation, etc.

15. Statement Logic - NRB
• Single code statement
– maintains condition P normally
– empty statement cannot return (F)
– empty statement cannot break (F)

16. Sequence logic -NRB
• normal exit: traverse A then B
• return exit: return from A
OR traverse A then return from B
• break exit: break from A
OR traverse A then break from B

17. Loop logic -NRB
• break from body is only normal exit from while(1)
• relax p until it
is invariant

18. Conditional logic -NRB

19. Programmable trigger/action engine
• Three rules handle propagation of call graph and
other housekeeping.
– a sleep call while the objective function is
positive causes output:

20. Using the analyser
• Call with the same arguments as given to the gcc
compiler

21. Limitations
• Predicates are restricted to unions of n-cubes
• State is not followed well enough:
– x = 1; if (x) A else B;
● treated correctly - only A is evaluated
– if (x) A else B; if (x) C else D;
● over-abstracted - A;C | A;D | B;C | B;D
– possible solution is to push state into the
predicates
((x!=0);A | (x==0);B) ; ((x!=0);C | (x==0);D)
● but we can't follow calculation well - quickly get
to 

22. Implication of predicates is decidable
• Basic evaluation is C  U Ci
of cubes
– i.e. U Ci
covers C

23. Summary
• A step towards analyses of 100MLoC.
– No expertise needed
– Fast
– Copes with massive amounts of code
– Soundly based
• Negatives
– Not good tracking program state; model
checking?
– Not yet easy to extend to new problem classes