+ All Categories
Home > Documents > Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static...

Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static...

Date post: 27-May-2020
Category:

Documents
Upload: others
View: 1 times
Download: 0 times
Download Report this document
Share this document with a friend
22
Configuration Coverage in the Analysis of Large-Scale System Software Reinhard Tartler, Daniel Lohmann, Christian Dietrich, Christoph Egger, Julio Sincero System Software Group Friedrich-Alexander University Erlangen-Nuremberg October 23, 2011 supported by
Transcript
Page 1: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Configuration Coverage in the Analysis ofLarge-Scale System Software

Reinhard Tartler, Daniel Lohmann,Christian Dietrich, Christoph Egger, Julio Sincero

System Software Group

Friedrich-Alexander UniversityErlangen-Nuremberg

October 23, 2011

supported by

Page 2: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Configuration Complexity

Linux has become incredibly configurable

Complexity increases considerably

; Source of bugs!

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)2 – 10

Page 3: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Configuration Complexity

Linux has become incredibly configurable

Complexity increases considerably

; Source of bugs!

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)2 – 10

Page 4: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Configuration Complexity

Linux has become incredibly configurable

Complexity increases considerably

; Source of bugs!

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)2 – 10

Page 5: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Configuration Complexity

Linux has become incredibly configurable

Complexity increases considerably

; Source of bugs!

Linux v3.0 contains:

7.702 Features

893 Kconfig files

31.281 Source files

88.897 #ifdef blocks

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)2 – 10

Page 6: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Finding Bugs with Tools for Static Analysis

Bugs in declaration and implementation

Excellent tool support for static analysis:

Coccinelle: Faults in Linux: Ten Years Later (ASPLOS’11)

Dingo: Taming Device Drivers (EuroSys’09)

KLEE: Automatic generation of high-coverage tests (EuroSys’08)

RWset: Attacking path explosion (TACAS’08)

EXE: Automatically generating inputs of death (CCS’06)

...

Each of them checks a single configuration:

What does allyesconfig actually cover?

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)3 – 10

Page 7: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Finding Bugs with Tools for Static Analysis

Bugs in declaration and implementation

Excellent tool support for static analysis:

Coccinelle: Faults in Linux: Ten Years Later (ASPLOS’11)

Dingo: Taming Device Drivers (EuroSys’09)

KLEE: Automatic generation of high-coverage tests (EuroSys’08)

RWset: Attacking path explosion (TACAS’08)

EXE: Automatically generating inputs of death (CCS’06)

...

Each of them checks a single configuration:

What does allyesconfig actually cover?

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)3 – 10

Page 8: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Finding Bugs with Tools for Static Analysis

Bugs in declaration and implementation

Excellent tool support for static analysis:

Coccinelle: Faults in Linux: Ten Years Later (ASPLOS’11)

Dingo: Taming Device Drivers (EuroSys’09)

KLEE: Automatic generation of high-coverage tests (EuroSys’08)

RWset: Attacking path explosion (TACAS’08)

EXE: Automatically generating inputs of death (CCS’06)

...

Each of them checks a single configuration:

What does allyesconfig actually cover?

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)3 – 10

Page 9: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Configuration Coverage

We define Configuration Coverage as:

fraction of selected configuration-conditional blocksdivided by the number of available configuration-conditional blocks.

How to catch bugs in obscure configurations?

Use a static analyzer that is able to detect the bug

Test each possible configuration individually

⇒ Not feasible

Static analyzers scan only a particular kernel configuration

⇒ How to effeciently extend their coverage?

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)4 – 10

Page 10: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Approach

MEMORY MODEL

FLATMEM

DISCONTIGMEM

SPARSEMEM NUMA

depends on

#ifdef CONFIG DISCONTIGMEM

// Block1

static . . . int pfn_to_mid(. . .)

# ifdef CONFIG NUMA

// Block2

# else

// Block3

# endif

#endif

Analysis of both Model and Implementation

Extraction of logical constraints

Find set of configuration that maximizes coverage

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)5 – 10

Page 11: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Approach

MEMORY MODEL

FLATMEM

DISCONTIGMEM

SPARSEMEM NUMA

depends on

#ifdef CONFIG DISCONTIGMEM

// Block1

static . . . int pfn_to_mid(. . .)

# ifdef CONFIG NUMA

// Block2

# else

// Block3

# endif

#endif

Analysis of both Model and Implementation

Extraction of logical constraints

Find set of configuration that maximizes coverage

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)5 – 10

Page 12: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Solution Outline

Build Variability Model

Reuse of the Implementation Variability Model [GPCE’10]

Additional constraints from Kconfig [Eurosys’11]

Use SAT solvers to find a “good” inital solution

Repeat until finished:

find a solution that adds additional blocksstore this selection of features as partial configuration

Caveat: Terminate even with dead blocks

Scan the source code with the resulting set of valid configurations

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)6 – 10

Page 13: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Implementation for Linux

KConfigFiles

config HOTPLUG_CPU bool "Support for ..." depends on SMP && ...

undertaker

Dead BlockDetection

KConfigParser

#ifdef CONFIG_HOTPLUG_CPU...#endif

Linuxsource file

CalculatePartialConfigs

ExpandPartialConfigs

Buildand

Testing

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)7 – 10

Page 14: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Implementation Challenges

Proper extraction of Configurations constraints

Kconfig (implemented in undertaker)Kbuild constraints (largely unhandled)

Expansion of Partial Configurations (Kconfig Fragments)

Naıve approach has some surprising effects (i.e., fails sometimes)Kconfig-sat seems promising, but unfortunately discontinued

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)8 – 10

Page 15: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Evaluation with Linux 2.6.35

Analyzed files 10,365Files with variability 3,163Rate of files with variability 30.52%Sum of all (partial) configurations 4,435

Sum of configuration controlled conditional blocks 16,444Sum of blocks selected by allyesconfig 11,511Sum of all blocks selected by undertaker-coverage 13,844Coverage allyesconfig (non-dead-corrected) 70.00%Coverage undertaker (non-dead-corrected) 84.19%

Dead blocks 1,778Selectable blocks (excluding dead blocks) 14,666Selected by allyesconfig 11,511Covered by undertaker 13,844allyesconfig coverage (dead-corrected) 78.49%undertaker coverage (dead-corrected) 94.40%undertaker coverage / allyesconfig coverage 1.20

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)9 – 10

Page 16: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Evaluation with Linux 2.6.35

Analyzed files 10,365Files with variability 3,163Rate of files with variability 30.52%Sum of all (partial) configurations 4,435Sum of configuration controlled conditional blocks 16,444Sum of blocks selected by allyesconfig 11,511Sum of all blocks selected by undertaker-coverage 13,844Coverage allyesconfig (non-dead-corrected) 70.00%Coverage undertaker (non-dead-corrected) 84.19%

Dead blocks 1,778Selectable blocks (excluding dead blocks) 14,666Selected by allyesconfig 11,511Covered by undertaker 13,844allyesconfig coverage (dead-corrected) 78.49%undertaker coverage (dead-corrected) 94.40%undertaker coverage / allyesconfig coverage 1.20

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)9 – 10

Page 17: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Evaluation with Linux 2.6.35

Analyzed files 10,365Files with variability 3,163Rate of files with variability 30.52%Sum of all (partial) configurations 4,435Sum of configuration controlled conditional blocks 16,444Sum of blocks selected by allyesconfig 11,511Sum of all blocks selected by undertaker-coverage 13,844Coverage allyesconfig (non-dead-corrected) 70.00%Coverage undertaker (non-dead-corrected) 84.19%Dead blocks 1,778Selectable blocks (excluding dead blocks) 14,666Selected by allyesconfig 11,511Covered by undertaker 13,844allyesconfig coverage (dead-corrected) 78.49%undertaker coverage (dead-corrected) 94.40%undertaker coverage / allyesconfig coverage 1.20

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)9 – 10

Page 18: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Evaluation with Linux 2.6.35

Analyzed files 10,365Files with variability 3,163Rate of files with variability 30.52%Sum of all (partial) configurations 4,435Sum of configuration controlled conditional blocks 16,444Sum of blocks selected by allyesconfig 11,511Sum of all blocks selected by undertaker-coverage 13,844Coverage allyesconfig (non-dead-corrected) 70.00%Coverage undertaker (non-dead-corrected) 84.19%Dead blocks 1,778Selectable blocks (excluding dead blocks) 14,666Selected by allyesconfig 11,511Covered by undertaker 13,844allyesconfig coverage (dead-corrected) 78.49%undertaker coverage (dead-corrected) 94.40%undertaker coverage / allyesconfig coverage 1.20

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)9 – 10

Page 19: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Evaluation with Linux 2.6.35

Analyzed files 10,365Files with variability 3,163Rate of files with variability 30.52%Sum of all (partial) configurations 4,435Sum of configuration controlled conditional blocks 16,444Sum of blocks selected by allyesconfig 11,511Sum of all blocks selected by undertaker-coverage 13,844Coverage allyesconfig (non-dead-corrected) 70.00%Coverage undertaker (non-dead-corrected) 84.19%Dead blocks 1,778Selectable blocks (excluding dead blocks) 14,666Selected by allyesconfig 11,511Covered by undertaker 13,844allyesconfig coverage (dead-corrected) 78.49%undertaker coverage (dead-corrected) 94.40%undertaker coverage / allyesconfig coverage 1.20

With 30 percent more static analysis runs(compiler calls)

→ 15 percent more Configuration Coverage

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)9 – 10

Page 20: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Conclusions

Configurability has to be seen as a significant cause ofsoftware defects in its own respect

The C Preprocessor imposes challenges for existing static analyzers

Configuration Coverage makes existing tools more effective

Further Discussions Points:

How accurate and useful is the current metric?Suggestions for other static analyzers?Analyze non-Linux projects

http://vamos.informatik.uni-erlangen.de/trac/undertaker

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)10 – 10

http://vamos.informatik.uni-erlangen.de/trac/undertaker
Page 21: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Conclusions

Configurability has to be seen as a significant cause ofsoftware defects in its own respect

The C Preprocessor imposes challenges for existing static analyzers

Configuration Coverage makes existing tools more effective

Further Discussions Points:

How accurate and useful is the current metric?Suggestions for other static analyzers?Analyze non-Linux projects

http://vamos.informatik.uni-erlangen.de/trac/undertaker

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)10 – 10

http://vamos.informatik.uni-erlangen.de/trac/undertaker
Page 22: Con guration Coverage in the Analysis of Large-Scale ... · Finding Bugs with Tools for Static Analysis Bugs indeclarationandimplementation Excellent tool support forstatic analysis:

Conclusions

Configurability has to be seen as a significant cause ofsoftware defects in its own respect

The C Preprocessor imposes challenges for existing static analyzers

Configuration Coverage makes existing tools more effective

Further Discussions Points:

How accurate and useful is the current metric?Suggestions for other static analyzers?Analyze non-Linux projects

http://vamos.informatik.uni-erlangen.de/trac/undertaker

R. Tartler Configuration Coverage in the Analysis of Large-Scale System Software (October 23, 2011)10 – 10

http://vamos.informatik.uni-erlangen.de/trac/undertaker

Recommended
Empircal Studies of Performance Bugs & Performance Analysis Approaches for Large Scale Software Systems

Empircal Studies of Performance Bugs & Performance Analysis Approaches for Large Scale Software Systems

Software

LSI 2008 SAS MegaRAID Confi guration Utility€¦ · LSI 2008 SAS MegaRAID Confi guration Utility User's Manual 1-2 of software RAID confi guration without the high costs associated

LSI 2008 SAS MegaRAID Confi guration Utility€¦ · LSI 2008 SAS MegaRAID Confi guration Utility User's Manual 1-2 of software RAID confi guration without the high costs associated

Documents

About Programming Bugs - aaai.org · An Analysis of Tutorial Reasoning About Programming Bugs David C. Littman, Jeannine Pinto & Elliot Soloway Cognition and Programming Project

About Programming Bugs - aaai.org · An Analysis of Tutorial Reasoning About Programming Bugs David C. Littman, Jeannine Pinto & Elliot Soloway Cognition and Programming Project

Documents

State-taint analysis for detecting resource bugs · complex program annotations to guide the analysis or are rather sophisticated to use for resource bugs detection in practice, since

State-taint analysis for detecting resource bugs · complex program annotations to guide the analysis or are rather sophisticated to use for resource bugs detection in practice, since

Documents

ElasticHosts Con guration

ElasticHosts Con guration

Documents

Fast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers

Fast and Precise Symbolic Analysis of Concurrency Bugs in Device Drivers

Technology

CAP6135: Malware and Software Vulnerability Analysis Find Software Bugs Cliff Zou Spring 2015.

CAP6135: Malware and Software Vulnerability Analysis Find Software Bugs Cliff Zou Spring 2015.

Documents

BUGS, BUGS, BUGS WHICH ARE GOOD? WHICH ARE BAD?ffigs.org/2018/Kavita Walia Edible Insects May 2018.pdf · BUGS, BUGS, BUGS WHICH ARE GOOD? WHICH ARE BAD? Kavita Walia (kwalia@uoguelph.ca)

BUGS, BUGS, BUGS WHICH ARE GOOD? WHICH ARE BAD?ffigs.org/2018/Kavita Walia Edible Insects May 2018.pdf · BUGS, BUGS, BUGS WHICH ARE GOOD? WHICH ARE BAD? Kavita Walia ([email protected])

Documents

© PreKinders · ÇOUt- 4 bugs . Ill Ill I I Il S bugs . six 6 bugs . seven 7 bugs . eight 8 bugs . nine 9 bugs . ten (0 bugs . twelve (2 bugs . Author: Karen Created Date: 4/17/2011

© PreKinders · ÇOUt- 4 bugs . Ill Ill I I Il S bugs . six 6 bugs . seven 7 bugs . eight 8 bugs . nine 9 bugs . ten (0 bugs . twelve (2 bugs . Author: Karen Created Date: 4/17/2011

Documents

Hardware Setup 4-5 - Tachosys · Hardware Setup 4-5 digipostpro Controls 6 Con guration 7-14 - Basic Preferences 8-9 -Networking 10-12 - Files & Analysis 12-13 -Other Con guration

Hardware Setup 4-5 - Tachosys · Hardware Setup 4-5 digipostpro Controls 6 Con guration 7-14 - Basic Preferences 8-9 -Networking 10-12 - Files & Analysis 12-13 -Other Con guration

Documents

System Con guration and Acceptance Testing · System Con guration and Acceptance Testing Democracy SuiteR system installation and con guration procedures are described in Dominion

System Con guration and Acceptance Testing · System Con guration and Acceptance Testing Democracy SuiteR system installation and con guration procedures are described in Dominion

Documents

A few billion lines of code later: using static analysis to find bugs in ...

A few billion lines of code later: using static analysis to find bugs in ...

Documents

Body Bugs NOVA | Bugs That Live on You NOVA | Bugs That Live on You.

Body Bugs NOVA | Bugs That Live on You NOVA | Bugs That Live on You.

Documents

CAP6135: Malware and Software Vulnerability Analysis Find Software Bugs Cliff Zou Spring 2012

CAP6135: Malware and Software Vulnerability Analysis Find Software Bugs Cliff Zou Spring 2012

Documents

Little Bugs, Little Bugs, What Do You See?€¦ · Little Bugs, Little Bugs, What Do You See? Tint tots & Velcro Dots

Little Bugs, Little Bugs, What Do You See?€¦ · Little Bugs, Little Bugs, What Do You See? Tint tots & Velcro Dots

Documents

“Bugs are Bringing Bugs” - Health Sciences Centerhsc.ghs.org/.../2014/04/0304-Brenner-Bugs-Are-Bringing-Bugs.pdf“Bugs are Bringing Bugs ... •Had been working in Malawi (East

“Bugs are Bringing Bugs” - Health Sciences Centerhsc.ghs.org/.../2014/04/0304-Brenner-Bugs-Are-Bringing-Bugs.pdf“Bugs are Bringing Bugs ... •Had been working in Malawi (East

Documents

Con guration Manual Dinesh Kumar Jagadeesan

Con guration Manual Dinesh Kumar Jagadeesan

Documents

FAMILY TIME Bugs! Bugs! Bugs!Bugs! Bugs! Bugs! by Bob Barner Enjoy the Book Together • you read, make the action words in the story come alive by using As your fingers to mimic the

FAMILY TIME Bugs! Bugs! Bugs!Bugs! Bugs! Bugs! by Bob Barner Enjoy the Book Together • you read, make the action words in the story come alive by using As your fingers to mimic the

Documents