DOI: 10.1145/2001420.2001434
research-article

Defective error/pointer interactions in the Linux kernel

Published: 17 July 2011 Publication History

Abstract

Linux run-time errors are represented by integer values referred to as error codes. These values propagate across long function-call chains before being handled. As these error codes propagate, they are often temporarily or permanently encoded into pointer values. Error-valued pointers are not valid memory addresses, and therefore require special care by programmers. Misuse of pointer variables that store error codes can lead to serious problems such as system crashes, data corruption, unexpected results, etc. We use static program analysis to find three classes of bugs relating to error-valued pointers: bad dereferences, bad pointer arithmetic, and bad overwrites. Our tool finds 56 true bugs among 52 different Linux file system implementations, the virtual file system (VFS), the memory management module (mm), and 4 drivers.
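
An added illustration, not code from the paper: a user-space re-creation of the kernel's `ERR_PTR`/`PTR_ERR`/`IS_ERR` helpers, showing the check that has to come before a dereference, pointer arithmetic, or an overwrite. `find_node`, `next_value`, `reuse_slot` and the table are hypothetical, and "overwrite" is read here as replacing a pointer that still holds an unhandled error code.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* User-space re-creation of the kernel's include/linux/err.h helpers. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err)      { return (void *)(intptr_t)err; }
static long  PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static int   IS_ERR(const void *p)
{   /* error codes -1..-MAX_ERRNO land in the top 4095 addresses */
    return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

struct node { int value; };
static struct node table[3] = { {10}, {20}, {30} };   /* constructed data */

/* Hypothetical lookup: a valid pointer, or an error code encoded as one. */
static struct node *find_node(int key)
{
    if (key < 0 || key >= 3)
        return ERR_PTR(-ENOENT);
    return &table[key];
}

/* Dereference and arithmetic are reached only after the IS_ERR check. */
static long next_value(int key)
{
    struct node *n = find_node(key);
    if (IS_ERR(n))
        return PTR_ERR(n);          /* propagate; never n->value or n + 1 */
    if (n + 1 >= table + 3)
        return -ERANGE;             /* no successor inside the table */
    return (n + 1)->value;
}

/* Overwrite guard: recover the pending error before the slot is reused. */
static long reuse_slot(struct node **slot, int key)
{
    long pending = IS_ERR(*slot) ? PTR_ERR(*slot) : 0;
    *slot = find_node(key);
    return pending;
}

int main(void)
{
    struct node *slot = find_node(7);            /* holds -ENOENT */
    printf("%ld %ld %ld\n", next_value(0), next_value(7), reuse_slot(&slot, 1));
    return 0;
}
```

Note that `IS_ERR(NULL)` is false: a NULL check alone does not catch an error-valued pointer, and an `IS_ERR` check alone does not catch NULL.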

Published In

ISSTA '11: Proceedings of the 2011 International Symposium on Software Testing and Analysis
July 2011
394 pages
ISBN:9781450305624
DOI:10.1145/2001420

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. interprocedural dataflow analysis
  2. pointers
  3. static program analysis
  4. systems programming
  5. weighted pushdown systems

Acceptance Rates

Overall Acceptance Rate 58 of 213 submissions, 27%
