Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisabilityYic - PDF document

Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisabilityYichenXieandAlexAikenStanfordUniversityThisarticlepresentsSaturn,ageneralframeworkforbuildingpreciseandscalablestaticerrordetectionsystems.Saturnexploitsrecentadvancesinbooleansatisability(SAT)solversandispathsensitive,precisedowntothebitlevel,andmodelspointersandheapdata.Ourapproachisalsohighlyscalable,whichweachieveusingtwotechniques.First,foreachprogramfunction,severaloptimizationscompressthesizeofthebooleanformulasthatmodelthecontrol-anddata-\rowandtheheaplocationsaccessedbyafunction.Second,summariesinthespiritoftypesignaturesarecomputedforeachfunction,allowinginter-proceduralanalysiswithoutadramaticincreaseinthesizeofthebooleanconstraintstobesolved.WehaveexperimentallyvalidatedourapproachbyconductingtwocasestudiesinvolvingaLinuxlockcheckerandamemoryleakchecker.Resultsfromtheexperimentsshowthatoursystemscaleswell,parallelizeswell,andndsmoreerrorswithfewerfalsepositivesthanpreviousstaticerrordetectionsystems.CategoriesandSubjectDescriptors:D.2.4[SoftwareEngineering]:Software/ProgramVeri-cation;D.2.3[SoftwareEngineering]:CodingToolsandTechniques;D.2.5[SoftwareEngi-neering]:TestingandDebuggingGeneralTerms:Algorithms,Experimentation,Languages,Verication.AdditionalKeyWordsandPhrases:Programanalysis,errordetection,booleansatisability.1.INTRODUCTIONThisarticlepresentsSaturn1,asoftwareerror-detectionframeworkbasedonex-ploitingrecentadvancesinsolvingbooleansatisability(SAT)constraints.Atahighlevel,Saturnworksbytransformingcommonlyusedprogramcon-structsintobooleanconstraintsandthenusingaSATsolvertoinferandcheck1SATisability-basedfailUReaNalysis.ThisresearchissupportedbyNationalScienceFoundationgrantCCF-1234567.Thisarticlecombinestechniquesandalgorithmspresentedintwopreviousconferencepapersbytheauthors,publishedrespectivelyinProceedingsofthe32ndACMSIGPLAN-SIGACTSym-posiumonPrinciplesofProgrammingLanguages(POPL2005)andProceedingsofthe5thJointMeetingoftheEuropeanSoftwareEngineeringConferenceandACMSIGSOFTSymposiumontheFoundationsofSoftwareEngineering(FSE).Authors'Address:YichenXieandAlexAiken,ComputerScienceDepartment,StanfordUniver-sity,Stanford,CA94305;E-mail:fyxie,aikeng@cs.stanford.edu.Permissiontomakedigital/hardcopyofallorpartofthismaterialwithoutfeeforpersonalorclassroomuseprovidedthatthecopiesarenotmadeordistributedforprotorcommercialadvantage,theACMcopyright/servernotice,thetitleofthepublication,anditsdateappear,andnoticeisgiventhatcopyingisbypermissionoftheACM,Inc.Tocopyotherwise,torepublish,topostonservers,ortoredistributetolistsrequirespriorspecicpermissionand/orafee.c\r2005ACM0164-0925/05/XXXX-XXXX$5.00ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear,Pages1{??. 2
YichenXieandAlexAikenprogramproperties.Comparedtopreviouserrordetectiontoolsbasedondata\rowanalysisorabstractinterpretation,ourapproachhasthefollowingadvantages:(1)Precision:Saturn'smodelingofloop-freecodeisfaithfuldowntothebitlevel,andisthereforeconsiderablymoreprecisethanmostabstraction-basedapproacheswhereimmediateinformationlossoccursatabstractiontime.Inthecontextoferrordetection,theextraprecisiontranslatesintoaddedanalysispowerwithlessconfusion,whichwedemonstratebyndingmanymoreerrorswithsignicantlyfewerfalsepositivesthanpreviousapproaches.(2)Flexibility:Traditionaltechniquesrelyonacombinationofcarefullychosenabstractionstofocusonaclassofpropertieseectively.Saturn,byexploitingtheexpressivepowerofbooleanconstraints,uniformlymodelsmanylanguagefeaturesandcanthereforeserveasageneralframeworkforawiderrangeofanalyses.Wedemonstratethe\rexibilityofourapproachbyencodingtwoprop-ertycheckersinSaturnthattraditionallyrequiredistinctsetsoftechniques.However,SAT-solvingisNP-complete,andthereforeincursaworst-caseexpo-nentialtimecost.SinceSaturnaimsatcheckinglargeprogramswithmillionsoflinesofcode,weemploytwotechniquestomakeourapproachscale.Intraproce-durally,ourencodingofprogramconstructsasbooleanformulasissubstantiallymorecompactthanpreviousapproaches(Section2).Whilewemodeleachbitpathsensitivelyasin[XieandChou2002;Kroeningetal.2003;Clarkeetal.2004],severaltechniquesachieveasubstantialreductioninthesizeoftheSATformulasSaturnmustsolve(Section3).Interprocedurally,Saturncomputesaconcisesummary,similartoatypesigna-ture,foreachanalyzedfunction.Thesummary-basedapproachenablesSaturntoanalyzemuchlargerprogramsthanpreviouserrorcheckingsystemsbasedonSAT,andinfact,thescalingbehaviorofSaturnisatleastcompetitivewith,ifnotbet-terthan,othernon-SATapproachestobugndingandverication.Inaddition,Saturnisabletoinferandapplysummariesthatencodeaformofinterprocedu-ralpathsensitivity,lendingitselfwelltocheckingcomplexprogrambehaviors(seeSection5.2foranexample).Summary-basedinterproceduralanalysisalsoenablesparallelization.Saturnprocesseseachfunctionseparatelyandtheanalysiscanbecarriedoutinparallel,subjectonlytotheorderingdependenciesofthefunctioncallgraph.InSection6.8,wedescribeasimpledistributedarchitecturethatharnessestheprocessingpowerofaheterogeneousclusterofroughly80unloadedCPUs.OurimplementationdramaticallyreducestherunningtimeoftheleakcheckerontheLinuxkernel(5MLOC)fromover23hoursto50minutes.Wepresentexperimentalresultstovalidateourapproach(Sections5and6).Sec-tion5describestheencodingoftemporalsafetypropertiesinSaturnandpresentsaninterproceduralanalysisthatautomaticallyinfersandcheckssuchproperties.Weshowonesuchspecicationindetail:checkingthatasinglethreadcorrectlymanageslocks|i.e.,doesnotperformtwolockorunlockoperationsinarowonanylock(Section5.5).Section6givesacontext-andpath-sensitiveescapeanaly-sisofdynamicallyallocatedobjects.Bothcheckersndmoreerrorsthanpreviousapproacheswithsignicantlyfewerfalsepositives.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
3OnethingthatSaturnisnot,atleastinitscurrentform,isavericationframework.ToolssuchasCQual[Fosteretal.2002]arecapableofverication(provingtheabsenceofbugs,oratleastascloseasonecanreasonablycometothatgoalforCprograms).Inthispaper,SaturnisusedasabugndingframeworkinthespiritofMC[Hallemetal.2002],whichmeansitisdesignedtondasmanybugsaspossiblewithalowfalsepositiverate,potentiallyatthecostofmissingsomebugs.Therestofthearticleisorganizedasfollows:Section2presentstheSaturnlanguageanditsencodingintobooleanconstraints.Section3discussesanumberofkeyimprovementstotheencodingthatenableecientcheckingofopenprograms.Section4givesabriefoutlineofhowweusetheSaturnframeworktobuildmodularcheckersforsoftware.Sections5and6aretwocasestudieswherewepresentthedetailsofthedesignandimplementationoftwopropertycheckers.WedescribesourcesofunsoundnessforbothcheckersinSection7.RelatedworksisdiscussedinSection8andweconcludewithSection9.2.THESATURNFRAMEWORKInthissection,wepresentalow-levelprogramminglanguageanditstranslationintoourerrordetectionframework.BecauseourimplementationtargetsCprograms,ourlanguagemodelsintegers,structures,pointers,andhandlesthearbitrarycontrol\row2foundinC.Webeginwithalanguageandencodingthathandlesonlyintegerprogramvalues(Section2.1)andgraduallyaddfeaturesuntilwehavepresentedtheentireframework:intraproceduralcontrol\rowincludingloops(Section2.2),struc-tures(Section2.3),pointers(Section2.4),andnallyattributes(Section2.5).InSection3weconsidersometechniquesthatsubstantiallyimprovetheperformanceofourencoding.2.1ModelingIntegersFigure1presentsagrammarforasimpleimperativelanguagewithintegers.Theparenthesizedsymbolonthelefthandsideofeachproductionisavariablerangingoverelementsofitssyntacticcategory.Thelanguageisstaticallyandexplicitlytyped;thetyperulesarecompletelystandardandforthemostpartweelidetypesforbrevity.Therearetwobasetypes:booleans(bool)andn-bitsignedorunsignedintegers(int).Notethebasetypesaresyntacticallyseparatedinthelanguageasexpressions,whichareinteger-valued,andconditions,whichareboolean-valued.Weusetorangesolelyoverdierenttypesofintegervalues.Theintegerexpressionsincludeconstants(const),integervariables(v),unaryandbinaryoperations,integercasts,andliftingfromconditionals.Wegivethelistofoperatorsthatwemodelpreciselyusingbooleanformulas(e.g.+,-,bitwise-and,etc.);forotheroperators(e.g.,division,remainder,etc.),wemakeapproximations.Weuseaspecialexpressionunknowntomodelunknownvalues(e.g.,intheenvi-ronment)andtheresultofoperationsthatwedonotmodelprecisely.2ThecurrentimplementationofSaturnhandlesreducible\row-graphs,whicharebyfarthemostcommonformeveninCcode.Irreducible\row-graphscanbeconvertedtoreducibleonesbynode-splitting[Ahoetal.1986].ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 4
YichenXieandAlexAikenLanguageType()::=(n;signedjunsigned)Obj(o)::=vExpr(e)::=unknown()jconst(n;)jojunopeje1binope2j()ejlifte(c;)Cond(c)::=falsejtruej:cje1compe2jc1^c2jc1_c2jliftc(e)Stmt(s)::=o ejassert(c)jassume(c)jskipcomp2f=;�;;;6=gunop2f;!gbinop2f+;;;=;mod;band;bor;xor;;l;agRepresentationRep()::=[bn1:::b0]swheres2fsigned;unsignedgBit(b)::=0j1jxjb1^b2jb1_b2j:bFig.1.ModelingintegersinSaturn.Expressions= (v) `vE)scalar(n;s)=x0;:::;xn1arefreshbooleanvariables `unknown()E)[xn1:::x0]sunknown `eE)[bn1:::b0]x=(m;s)b0=8biif0in0ifs=unsignedandnimbn1ifs=signedandnim `()eE)[b01:::b00]scast(n;s)= `cC)b `lifte(c;)E)[00


0|{z}n1b]slifte `eE)[bn1:::b0]s `e0E)[b01:::b00]s `ebande0E)[bn1^b01:::b0^b00]sandConditionals `eE)[bn1:::b0]s `liftc(e)C)WibiliftcStatements `eE)G; `(v e)S)hG; [v7!]iassign `cC)bG; `assume(c)S)hG^b; iassume `cC)b(G^:b)notsatisableG; `assert(c)S)hG; iassert-okFig.2.Thetranslationofintegers.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
5Objectsinthescalarlanguagearen-bitsignedorunsignedintegers,wherenandthesignednessaredeterminedbythetype.AsshownatthebottomofFigure1,aseparatebooleanexpressionmodelseachbitofanintegerandthustrackingthewidthisimportantforourencoding.Thesigned/unsigneddistinctionisneededtopreciselymodellow-leveltypecasts,bitshiftoperations,andarithmeticoperations.Theclassofobjects(Obj)ultimatelyincludesvariables,pointers,andstructures,whichencompassalltheentitiesthatcanbethetargetofanassignment.Forthemomentwedescribeonlyintegervariables.TheencodingforarepresentativeselectionofconstructsisshowninFigure2;omittedcasesintroducenonewideas.Therulesforexpressionshavetheform `eE)whichmeansthatundertheenvironment mappingvariablestovectorsofbooleanexpressions(oneforeachbitinthevariable'stype),theexpressioneisencodedasavectorofbooleanexpressions.Theencodingschemeforconditionals `cC)bissimilar,exceptthetargetisasinglebooleanexpressionbmodelingthecondition.Themostinterestingrulesareforstatements:G; `sS)hG0; 0imeansthatunderguardGandvariableenvironment thestatementsresultsinanewguard/environmentpairhG0; 0i.Inoursystem,guardsexpresspathsensitiv-ity;everystatementisguardedbyabooleanexpressionexpressingtheconditionsunderwhichthatstatementmayexecute.Moststatementsdonotaectguards(theexceptionisassume);theimportantoperationsonguardsarediscussedinSec-tion2.2.Withoutgoingintodetails,weexplaintheconceptualmeaningofaguardusingthefollowingexample:if(c)fs1;s2gelses3;s4;Statementss1ands2areexecutedifcistrue,sotheguardforbothstatementsisthebooleanencodingofc.Similarly,s3'sguardistheencodingof:c.Statements4isreachedfrombothbranchesoftheifstatementandthereforeitsguardisthedisjunctionoftheguardsfromthetwobranches:(c_:c)=true.Akeystatementinourlanguageisassert,whichweusetoexpresspointsatwhichsatisabilityqueriesmustbechecked.Astatementassert(c)checksthat:ccannotbetrueatthatprogrampointbycomputingthesatisabilityofG^:b,whereGistheguardoftheassertandbistheencodingoftheconditionc.Theoveralleectoftheencodingistoperformsymbolicexecution,castintermsofbooleanexpressions.Eachstatementtransformsanenvironmentintoanewen-vironment(andguard)thatcapturestheeectofthestatement.Ifallbitsintheinitialenvironment 0areconcrete0'sand1'sandtherearenounknownexpres-sionsintheprogrambeinganalyzed,theninfactthisencodingisstraightforwardinterpretationandallmodeledbitscanthemselvesbereducedto0'sand1's.How-ever,bitsmayalsobebooleanvariables(unknowns).Thuseachbitbrepresentedinourencodingmaybeanarbitrarybooleanexpressionoversuchvariables.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 6
YichenXieandAlexAikenMergeScalarv;(Gi; i)=[b0:::b0]swhere[bim:::bi0]s= i(v)b0=Wi(Gi^bij)MergeEnv(Gi; i)=\nWiGi; where (v)=MergeScalarv;(Gi; i)Fig.3.Mergingcontrol-\rowpaths.2.2ControlFlowWerepresentfunctionbodiesascontrol-\rowgraphs,whichwedeneinformally.Forthepurposeofthissection,weassumeloop-freeprograms.Loopsarehandledinavarietyofwayswhicharedescribedattheendofthissection.Eachstatementsisanodeinthecontrol-\rowgraph,andeachedge(s;s0)representsanuncondi-tionaltransferofcontrolfromstos0.Ifastatementhasmultiplesuccessors,thenexecutionmaybetransferredtoanysuccessornon-deterministically.Tomodelthedeterministicsemanticsofconventionalprograms,werequirethatifanodehasmultiplesuccessors,theneachsuccessorisanassumestatement,andfurthermore,thattheconditionsinthoseassumesaremutuallyexclusiveandthattheirdisjunctionisequivalenttotrue.Thusaconditionalbranchwithpredicatepismodeledbyastatementwithtwosuccessors:onesuccessorassumesp(thetruebranch)andtheotherassumes:p(thefalsebranch).Theotherimportantissueisassigningaguardandenvironmenttoeachstatements.Assumeshasanorderedlistofpredecessorssi.3Theencodingofsiproducesanenvironment iandguardGi.Theinitialguardandenvironmentforsisthenacombinationofthenalguardsandenvironmentsofitspredecessors.Thedesiredguardissimplythedisjunctionofthepredecessorguards;aswemayarriveatsfromanyofthepredecessors,smaybeexecutedifanypredecessor'sguardistrue.Notethatduetothemutualexclusionassumptionforbranchconditions,atmostonepredecessor'sguardcanbetrueatatime.Thedesiredenvironmentismorecomplex,aswewishtopreservethepath-sensitivityofouranalysisdowntothebitlevel.Thus,thevalueofeachbitofeachvariableintheenvironmentforeachpredecessorsiofsmustincludetheguardforsiaswell.ThismotivatesthefunctionMergeScalarinFigure3,whichimplementsamultiplexercircuitthatselectstheappropriatebitsfromtheinputenvironments( i(v))basedonthepredecessorguards(Gi).Finally,MergeEnvcombinesthetwocomponentstogethertodenetheinitialenvironmentandguardfors.Preservingpathsensitivityforeverymodeledbitisclearlyexpensiveanditiseasytoconstructrealisticexampleswherethenumberofmodeledpathsisexponentialinthesizeofthecontrol-\rowgraph.InSection3.3wepresentanoptimizationthatenablesustomakethisapproachworkinpractice.Finally,everycontrol-\rowgraphhasadistinguishedentrystatementwithnopredecessors.Theguardforthisinitialstatementistrue.Wepostponediscussionoftheinitialenvironment 0toSection3.2wherewedescribethelazymodelingoftheexternalexecutionenvironment.3WeusethenotationXiasashorthandforavectorofsimilarentities:X1:::Xn.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
7LanguageType()::=f(f1;1);:::;(fn;n)gj:::Obj(o)::=f(f1;o1);:::;(fn;on)gj:::Shorthando=f(f1;o1);:::;(fn;on)go:fidef=oield-accessRepresentationRep()::=f(f1;1);:::;(fn;n)gj:::Translationo=f(f1;o1);:::;(fn;on)g `oiE)ifori21::n `oE)f(f1;1);:::;(fn;n)gobject-strRecAssign( ;v;)= [v7!]RecAssign( ;o;)= nwhere8o=f(f1;o1);:::;(fn;on)g=f(f1;1);:::;(fn;n)g 0= i=RecAssign( i1;oi;i)(8i21::n) `eE) 0=RecAssign( ;o;)G; `(o e)S)hG; 0iassign-structFig.4.Thetranslationofstructures.AsmentionedinSection1,thetwocheckersdescribedinthispapertreatloopsunsoundly.Onetechniqueweadoptistosimplyunrollaloopaxednumberoftimesandremovebackedgesfromthecontrol-\rowgraph.Thus,everyfunctionbodyisrepresentedbyanacycliccontrol-\rowgraph.Anothertransformationiscalledhavoc'ing,whichwediscussindetailinthecontextofthememoryleakchecker(Section6).Whileourhandlingofloopsisunsound,wehavefoundittobeusefulinpractice(seeSection5.6and6.9).2.3StructuresTheprogramsyntaxandtheencodingofstructuresisgiveninFigure4.Astructureisadatatypewithnamedelds,whichwerepresentasasetof(eldname;object)pairs.Weextendthesyntaxoftypes(resp.objects)withsetsoftypes(resp.objects)labeledbyeldnames,andsimilarlytherepresentationofastructinCistherepresentationoftheeldsalsolabeledbytheeldnames.Theshorthandnotationo:fiselectstheobjectofeldfifromobjecto.ThefunctionRecAssigndoestheworkofstructureassignment.Asexpected,assignmentofstructuresisdenedintermsofassignmentsofitselds.Becausestructuresmaythemselvesbeeldsofstructures,RecAssignisrecursivelydened.2.4PointersThenalandtechnicallymostinvolvedconstructinourencodingispointers.Thediscussionisdividedintothreeparts:inSection2.4.1,weintroduceaconceptcalledGuardedLocationSet(GLS)tocapturepath-sensitivepoints-toinformation.WeextendtherepresentationwithtypecastsandpolymorphiclocationsinSection2.4.2anddiscusstherulesindetailinSection2.4.3.2.4.1GuardedLocationSets.PointersinSaturnaremodeledwithGuardedLocationSets(GLS).AGLSrepresentsthesetoflocationsapointercouldrefer-ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 8
YichenXieandAlexAikenLanguageType()::=jvoid*j:::Obj(o)::=pj:::Deref(m)::=(p):f1:


:fn(n0)Expr(e)::=nullj&oj&mj:::Stmt(s)::=load(m;o)jstore(m;e)jnewloc(p)j:::AddressAddr()::=^j^2j:::AddrOf:Obj7!Addr(Constraint:notwoobjectsofthesametypesharethesameaddress)RepresentationLoc(l)::=nulljojRep()::=fj(G0;l0);:::;(Gk;lk)jgj:::Translation= (p) `pE)pointer `&oE)fj(true;o)jggetaddr-objm=(p):f1:


:fn `pE)fj(G0;null);(Gi;oi)jg=fj(G0;null);(Gi;oi:f1:


:fn)jg `&mE)getaddr-mem (p)=fj(G0;null);(Gi;li)jg `liftc(p)C)Wi6=0Giliftc-pointerl=oifpisoftypeifpisoftypevoid*=fj(true;l)jgandoorfreshG; `newloc(p)S)hG; [p7!]inewloc (p)=fj(G0;null);(Gi;i)jgtypeofoi=andAddrOf(oi)=i `()pE)fj(G0;null);(Gi;oi)jgcast-from-void* (p)=fj(G0;null);(Gi;oi)jgAddrOf(oi)=i `(void*)pE)fj(G0;null);(Gi;i)jgcast-to-void*m=(p):f1:


:fn `pE)fj(G0;null);(G1;o1);:::;(Gk;ok)jgG0=G^:G0G0^Gi; `(oi:f1:


:fn e)S)hGi; ii(fori21::k)G; `store(m;e)S)MergeEnv(Gi; i)storeFig.5.Pointersandguardedlocationsets.AddGuard(G;fj(G1;l1);::;(Gk;lk)jg)=fj(G^G1;l1);::;(G^Gk;lk)jgMergePointerp;(Gi; i)=SiAddGuard(Gi; i(p))MergeEnv(Gi; i)=\nWiGi; where8 (v)=MergeScalarv;(Gi; i) (p)=MergePointerp;(Gi; i)Fig.6.Control-\rowmergeswithpointers.enceataparticularprogrampoint.Tomaintainpath-sensitivity,abooleanguardisassociatedwitheachlocationintheGLSandrepresentstheconditionunderwhichthepoints-torelationshipholds.WewriteaGLSasfj(G0;l0);:::;(Gn;ln)jg.Specialbraces(fjjg)distinguishGLSsfromothersets.WeillustrateGLSwithanexample.butdelaytechnicaldiscussionuntilSection2.4.3.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
91if(c)p=&x;/*p:fj(true;x)jg*/2elsep=&y;/*p:fj(true;y)jg*/3*p=3;/*p:fj(c;x);(:c;y)jg*/Inthetruebranch,theGLSforpisfj(true;x)jg,meaningpalwayspointstox.Similarly, (p)evaluatestofj(true;y)jginthefalsebranch.Atthemergepoint,branchguardsareaddedtotherespectiveGLSsandtherepresentationforpbecomesfj(c;x);(:c;y)jg.Finally,thestoreatline3makesaparallelassignmenttoxandyundertheirrespectiveguards(i.e.,if(c)x=3;elsey=3;).Tosimplifytechnicaldiscussion,weassumelocationsinaGLSoccuratmostonce|redundantentries(G;l)and(G0;l)aremergedinto(G_G0;l).Also,weassumetherstlocationl0isalwaysnull(weusethefalseguardforG0ifnecessary).2.4.2PolymorphicLocationsandTypeCasts.TheGLSrepresentationmodelspointerstoconcreteobjectswithasingleknowntype.However,itiscommonforheapobjectstogothroughmultipletypesinC.Forexample,inthefollowingcode,1void*malloc(intsize);2p=(int*)malloc(len);3q=(char*)p;4returnq;thememoryblockallocatedatline2goesthroughthreedierenttypes.Thesetypesallhavedierentrepresentations(i.e.,dierentnumbersofbits)andthusneedtobemodeledseparately,buttheanalysismustunderstandthattheyrefertothesamelocation.Weneedtomodel:1)thepolymorphicpointertypevoid*,and2)castoperationstoandfromvoid*.Castsbetweenincompatiblepointertypes(e.g.fromint*tochar*)canthenbemodeledviaanintermediatecasttovoid*.Wesolvethisproblembyintroducingaddresses(Addr),whicharesymboliciden-tiersassociatedwitheachuniquememorylocation.WeuseamappingAddrOf:Obj!Addrtorecordtheaddressesofobjects.Objectsofdierenttypessharethesameaddressiftheystartatthesamememorylocation.Intheexampleabove,pandqpointtodierentobjects,sayo1oftypeintando2oftypechar,ando1ando2mustsharethesameaddress(i.e.AddrOf(o1)=AddrOf(o2)).Furthermore,anaddressmayhavenoassociatedconcreteobjectsifitisreferencedonlybyapointeroftypevoid*andneverdereferencedatanyothertypes.Inotherwords,theinversemappingAddrOf1maynotbedenedforsomeaddresses.Usingguardedlocationsetsandaddresses,wecannowdescribetheencodingofpointersindetail.2.4.3EncodingRules.Figure5denesthelanguageandencodingrulesforpointers.LocationsintheGLScanbe1)null,2)aconcreteobjecto,or3)anaddressofapolymorphicpointer(void*).WemaintainaglobalmappingAddrOffromobjectstotheiraddressesanduseitinthecastrulestoconvertpointerstoandfromvoid*.Therulesworkasfollows.Takingtheaddressofanobject(get-addr-fobj,memg)constructsaGLSwithasingleentry{theobjectitselfwithguardtrue.ThenewlocrulecreatesafreshobjectoraddressdependingonthetypeofthetargetpointerandbindstheGLScontainingthatlocationtothetargetpointerintheenvironment .NoticethatSaturndoesnothaveaprimitivemodelingexplicitdeallocation.Typecaststovoid*liftentriesintheGLStotheiraddressesusingtheAddrOfmapping,andcastsfromvoid*ndtheconcreteobjectoftheappropriatetypeintheAddrOfACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 10
YichenXieandAlexAikenmappingtoreplaceaddressesintheGLS.Finally,thestorerulemodelsindirectassignmentthroughapointer,possiblyinvolvingelddereferences,bycombiningtheresultsforeachpossiblelocationthepointercouldpointto.Thepointerisassumedtobenon-nullbyadding:G0tothecurrentguard(recallG0istheguardofnullineveryGLS).NoticethatthestorerulerequiresconcretelocationsintheGLSasonecannotassignthroughapointeroftypevoid*.Loadingfromapointerissimilar.2.5AttributesAnotherfeatureinSaturnisattributes,whicharesimplyannotationsassociatedwithnon-nullSaturnlocations(i.e.structs,integervariables,pointers,andad-dresses).Weusethesyntaxo#attrnametodenotetheattrnameattributeofobjecto.Thedenitionandencodingofattributesissimilartostructeldsexceptthatitdoesnotrequirepredeclaration,andattributescanbeaddedduringtheanalysisasneeded.Similartostructelds,attributescanalsobeaccessedindirectlythroughpointers.Weomittheformaldenitionandencodingrulesbecauseoftheirsimilaritytoeldaccesses.Instead,weuseanexampletoillustrateattributeusageinanalysis.1(*p)#escapedtrue;2q(void*)p;3assert((*q)#escaped==(*p)#escaped);Intheexampleabove,weusethestorestatementatline1tomodelthefactthatthelocationpointedtobyphasescaped.Theadvantageofusingattributeshereisthattheyareattachedtoaddressesandpreservedthroughpointercasts|thustheassertionatline3holds.3.DISCUSSIONANDIMPROVEMENTSInthissection,wediscusshowourencodingreducesthesizeofsatisabilityqueriesbyachievingaformofprogramslicing(Section3.1).Wealsodiscusstwoimprove-mentstoourapproach.Therst(Section3.2)concernshowwetreatinputsofunknownshapetofunctionsandthesecond(Section3.3)isanoptimizationthatgreatlyreducesthecostofguards.3.1AutomaticSlicingProgramslicingisatechniquetosimplifyaprogrambyremovingthepartsthatareirrelevanttothepropertyofconcern.Slicingiscommonlydonebycomputingcontrolanddatadependenciesandpreservingonlythestatementsthatthepropertydependson.WeshowthatourencodingautomaticallyslicesaprogramandonlyusesclausesthatthecurrentSATqueryrequires.Considerthefollowingprogramsnippetbelow:if(x)y=a;elsey=b;z=/*complexcomputationhere*/;if(z)...else...;assert(y5);ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
11Thecomputationofzisirrelevanttothepropertywearechecking(y5).Thevariableyisdatadependentonaandbandcontroldependentonx.UsingtheencodingrulesinSection2,weseethattheencodingofy5onlyinvolvesthebitsinx,a,andb,butnotz,becausetheassignruleaccountsforthedatadependen-ciesandthemergerulepullsinthecontroldependency.Noextraconstraintsareincluded.Inlargeprograms,propertiesofinterestoftendependonasmallportionofthecodeanalyzed,thereforethisdesignhelpskeepthesizeofSATqueriesundercontrol.3.2LazyConstructionoftheEnvironmentAstandardprobleminmodularprogramanalysissystemsisthemodelingoftheexternalenvironment.Inparticular,weneedamethodtomodelandtrackdatastructuresused,butnotcreated,bythecodefragmentbeinganalyzed.Thereisnoconsensusonthebestsolutiontothisproblem.Tothebestofourknowledge,SLAM[BallandRajamani2001]andBlast[Henzingeretal.2003]requiremanualconstructionoftheenvironment.Forexample,toanalyzeamodulethatmanipulatesalinkedlistoflocksdenedelsewhere,thesesystemslikelyrequireaharnessthatpopulatesaninputlistwithlocks.Theproblemisreducedasthetargetcode-bases(e.g.,WindowsdriversinthecaseforSLAM)canoftenshareacarefullycraftedharness(e.g.,amodelfortheWindowskernel)[Balletal.2004].Nevertheless,theneedto\close"theenvironmentrepresentsasubstantialmanualeortinthedeploymentofsuchsystems.Becauseweachievescalabilitybycomputingfunctionsummaries,wemustana-lyzeafunctionindependentofitscallingcontextandstillmodelitsarguments.Oursolutionissimilarinspirittothelazyinitializationalgorithmdescribedin[Khur-shidetal.2003]and,conceptually,tolazyevaluationinlanguagessuchasHaskell.RecallinSection2,valuesofvariablesreferencedbutnotcreatedinthecode,i.e.,thosefromtheexternalenvironment,aredenedintheinitialevaluationenviron-ment 0.Saturnlazilyconstructs 0bycallingaspecialfunctionDefVal,whichissuppliedbytheanalysisdesignerandmapsallexternalobjectstoachecker-specicestimationoftheirdefaultvalues; 0isthendenedasDefVal(v)forallv.Operationally,DefValisappliedondemand,whenuninitializedobjectsarerstac-cessedduringsymbolicevaluation.Thisallowsustomodelpotentiallyunboundeddatastructuresintheenvironment.Besidesitsroleindeningtheinitialenviron-ment 0,DefValisalsousedtoprovideanapproximationofthereturnvaluesandside-eectsoffunctioncalls(Section5.3).Inourimplementation,wemodelintegersfromtheenvironmentwithavectorofunconstrainedbooleanvariables.Forpointers,weusethecommonassumptionthatdistinctpointersfromtheenvironmentdonotaliaseachother.ThiscanbemodeledbyaDefValthatreturnsafreshlocationforeachpreviouslyunseenpointerdereference.4Asoundalternativewouldbetouseaseparateglobalaliasanalysisaspartofthedenitionof 0.Noteonceapointerisinitialized,Saturn4Intheimplementation,DefVal(p)returnsfj(G;null);(:G;o)jg,whereGisanunconstrainedbooleanvariable,andoisafreshobjectoftheappropriatetype.Thisallowsustomodelcommondatastructureslikelinkedlistsandtreesofarbitrarylengthordepth.Aslightlysmartervarianthandlesdoublylinkedlistsandtreeswithparentpointersknowingonenodeinsuchadatastructure.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 12
YichenXieandAlexAikenperformsanaccuratepath-sensitiveintraproceduralanalysis,includingrespectingaliasrelationships,onthatpointer.3.3UsingBDDsforGuardsConsiderthefollowingcodefragment:if(c){...}else{...}s;Afterconversiontoacontrol-\rowgraph,therearetwopathsreachingthestatementswithguardscand:c.Thustheguardofsisc_:c.Sinceguardsareattachedtoeverybitofeverymodeledlocationateveryprogrampoint,itisimportanttoavoidgrowthinthesizeofguardsateverycontrol-\rowmerge.Onewaytoaccomplishthistaskistodecompiletheunrolledcontrol\rowgraphintostructuredprogramswithonlyifstatements,sothatweknowexactlywherebranchconditionalscancel.However,thisapproachrequirescodeduplicationinthepresenceofgoto,break,andcontinuestatementscommonlyfoundinC.Oursolutionistointroduceanintermediaterepresentationofguardsusingbinarydecisiondiagrams[Bryant1986].Wegiveeachcondition(whichmaybeacomplexexpression)anameanduseaBDDtorepresentthebooleancombinationofallconditionnamesthatenableaprogrampath.Atcontrol-\rowmergeswejointhecorrespondingBDDs.TheBDDjoinoperationcansimplifytherepresentationofthebooleanformulatoacanonicalform;forexample,thejoinoftheBDDsforcand:cisrepresentedbytrue.Inourencodingofastatement,weconverttheBDDrepresentingthesetofconditionsatthatprogrampointtotheappropriateguard.ThesimplicationofguardsalsoeliminatestrivialcontroldependenciesintheautomaticslicingschemedescribedinSection3.1.Inthesmallexampleinthatsection,hadwenotsimpliedguards,theassertionwouldhavebeencheckedundertheguard(x_:x)^(z_:z),whichpullsintheotherwiseirrelevantcomputationofz.4.BUILDINGMODULARPROPERTYCHECKERSUNDERSATURNTheSaturnframeworkwehavedescribedsofarcanbeapplieddirectlytocheckingsimplepropertiessuchasassertions.Whileotherprogrambehaviorcanbeencodedandcheckedunderthecurrentscheme,therearetwomainlimitationsthatpreventitfrombeingappliedtocomplexpropertiesinlargesystems.(1)Functioncalls.Saturn,likemanyotherSAT-basedtechniques,doesnotdi-rectlymodelfunctioncalls.AcommonsolutionamongSAT-basedassertioncheckersisinlining.However,althoughweemployanumberofoptimizationsinourtransformationsuchasslicing,theexponentialtimecostofSAT-solvingmeansthatinliningwillnotbepracticalforlargesoftwaresystems.(2)Executionenvironment.Assertioncheckingcommonlyrequiresaclosedpro-gram.However,manysoftwaresystemsareopenprogramswhoseenvironmentisacomplexcombinationofuserinputandcomponentinterdependencies.Mod-elingtheenvironmentforsuchprogramsoftenrequiresextensivemanualeortthatisbothcostlyanderrorprone.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
13OursolutionisbasedonSaturn'sabilitytonotonlycheckprogramproperties,butalsoinferthembyformulatingSATqueriesthatcanbesolvedeciently.Thelatterabilitysolvesthetwoproblemsmentionedabove.First,inferenceenablesmodularanalyses5thatscale.Withappropriateabstrac-tions,thecheckercansummarizeafunction'sbehaviorwithrespecttoapropertyintoaconcisesummary.Thissummary,inturn,canbeusedinlieuofthefullfunctionbodyatthefunction'scallsites,whichpreventstheexponentialgrowthinthecostofanalysis.Secondly,bymakinggeneralenoughassumptionsabouttheexecutionenviron-ment,summariescapturethebehaviorofafunctionunderall(or,forerrordetectionpurposes,acommonsubsetof)runtimescenarios.Thisalleviatestherequirementofhavingtoclosetheenvironment.Anaddedbenetofthemodularapproachisthatitenableslocalreasoningduringerrorinspection.Insteadoffollowinglongerrortraceswhichmayinvolvemultiplefunctioncalls,human-readablefunctionsummariesgiveinformationabouttheassumptionsmadeforeachofthecalleesinthecurrentfunction.Therefore,theusercanfocusononefunctionatatimewheninspectingerrorreports.Inourexperience,wenditmucheasiertoconrmerrorsandidentifyfalsepositiveswiththehelpoffunctionsummaries.Basedonthemodularapproach,webrie\ryoutlineafourstepprocessbywhichweconstructpropertycheckersunderSaturn:(1)Firstofall,wemodelthepropertyweintendtocheckwithprogramconstructsinSaturn.Forexample,nitestatemachines(FSM)canbeencodedbyattachingintegerstateeldstoprogramobjectstotracktheircurrentstates.Statetransitionsaresubsequentlymodeledwithconditionalassignments,andcheckingisdonebyensuringthattheerrorstateisnotreachedattheendoftheprogram|ataskeasilyaccomplishedwithSATqueriesonthenalprogramstate.(2)Thenextstepistodesignthefunctionsummaryrepresentation.Agoodsum-maryisonethatisbothconciseforscalabilityandexpressiveenoughtoade-quatelydescribetherelevantpropertiesoffunctionbehavior.Strikingtherightbalanceoftentakesseveraliterationsofdesign.Forexample,indesigningtheFSMcheckingframework,westartedwithasimplesummarythatrecordsthesetoffeasiblestatetransitionsacrossthefunction,butfoundittobeinad-equateforLinuxlockcheckingbecauseofinterproceduraldatadependencies.Weobservedthattheoutputlockstateoftencorrelateswiththereturnvalueofthefunctionandremediedthesituationbysimplyincludingthereturnvalueinoursummarydesign.(3)Thethirdstepistodesignanalgorithmthatinfersandappliesfunctionsum-maries.Asmentionedabove,inferenceisdonebyautomaticallyinsertingSATqueriesatappropriateprogrampoints.Forexample,wecaninferthesetofpossiblestatetransitionsbyquerying,attheendofeachfunction,thesatis-5Here,modularanalysisisdenedintwosenses:1)theabilitytoinferandcheckopenprogrammodulesindependentoftheirusage;and2)theabilitytosummarizeresultsofanalyzedmodulessoastoavoidredundantanalysis.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 14
YichenXieandAlexAikenabilityofallpossiblecombinationsofinputandoutputstates.Thefeasible(i.e.,satisable)subsetisincludedinthefunctionsummary.6(4)Finally,werunthecheckeronanumberofreal-worldapplications,andinspecttheanalysisresults.Duringearlydesigniterations,theresultsoftenpointtoinaccuraciesinthepropertyencoding(Step1),inadequaciesinthesummarydesign(Step2),orinecienciesintheinferencealgorithm(Step3).Weusethatasfeedbacktoimprovethecheckerinthenextiteration.Followingthefourstepprocess,wedesignedandimplementedtwopropertycheckersforlargeopensourcesoftware:aLinuxlockcheckerandamemoryleakchecker.Wepresentthedetailsoftheconstructionandexperimentsinthefollowingtwosections.5.CASESTUDYI:CHECKINGFINITESTATEPROPERTIESFinitestatepropertiesareaclassofspecicationsthatcanbedescribedascertainprogramvaluespassingthroughanitesetofstates,overtime,underspecicconditions.Locking,wherealockcanlegallyonlygofromtheunlockedstatetothelockedstateandthenbacktotheunlockedstate,isacanonicalexample.Thesepropertiesarealsoreferredtoastemporalsafetyproperties.Inthissection,wefocusonnitestateproperties,anddescribeasummary-basedinterproceduralanalysisthatusestheSaturnframeworktoautomaticallychecksuchproperties.Westartbydeningacommonnamespaceforsharedobjectsbetweenthecallerandthecallee(Section5.1),whichweusetodeneageneralsummaryrepresentationfornitestateproperties(Section5.2).Wethendescribealgorithmsforapplying(Section5.3)andinferring(Section5.4)functionsummariesintheSaturnframework.Wedescribeourimplementationofaninterprocedurallockchecker(Section5.5)andendwithexperimentalresults(Section5.6).5.1InterfaceObjectsInC,thetwosidesofafunctioninvocationsharetheglobalnamespacebuthaveseparatelocalnamespaces.Thusweneedacommonnamespaceforobjectsreferredtointhesummary.Barringexternalchannelsandunsafememoryaccesses,thetwopartiessharevaluesthroughglobalvariables,parameters,andthefunction'sresult.Therefore,sharedobjectscanbenamedusingapathfromoneofthesethreeroots.Weformalizethisideausinginterfaceobjects(IObj)ascommonnamesforobjectssharedbetweencallerandcallee:IObj(l)::=paramijglobalvarjretvaljljl:fDependenciesacrossfunctioncallsareexpressedbyinterfaceexpressions(IExpr)andconditions(ICond),whicharedenedrespectivelybyreplacingreferencestoobjectswithinterfaceobjectsinthedenitionofExprandCond(asdenedinFigure1andextendedinFigure5).Toperforminterproceduralanalysisofafunction,wemustmapinputinterfaceobjectstothenamesusedinthefunctionbody,performsymbolicevaluationofthe6Thisisasimplicationoftheactualsummaryinferencealgorithm,whichtakesintoaccountfunctionside-eectsandreturn-valuestate-transitioncorrelations.WedescribethefullalgorithminSection5.2.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
15FSMStatesS=fError;s1;:::;sngSummaries=hPin;Pout;M;RiwherePin=fp1;:::;pngpi2ICond;Pout=fq1;:::;qngqi2ICond;MIObj,andRIObj2jPinjS2jPoutjSFig.7.Functionsummaryrepresentation.function,andmapthenalfunctionstatetothenalstateoftheinterfaceobjects.Thus,weneedtwomappingstoconvertbetweeninterfaceobjectsandthoseinthenativenamespaceofafunction:[[
]]args:IObj!Objextand[[
]]1args:Obj!IObjConvertingIObj'stonativeobjectsisstraightforward.Forfunctioncallr=f(a0;:::;an),[[global]]a0:::an=global[[parami]]a0:::an=ai[[retval]]a0:::an=r[[l]]a0:::an=([[l]]a0:::an)[[l:f]]a0:::an=([[l]]a0:::an):fNotethattheresultoftheconversionisinObjext,whichisdenedasObj(Sec-tion2)extendedwithpointerdereferences.Theextradereferenceoperationscanbetransformedawaybyintroducingtemporaryvariablesandexplicitload/storeoperations.Weomitthedetailsofthistransformationforbrevity.Theinverseconversionismoreinvolved,sincetheremaybemultiplealiasesofthesameobjectintheprogram.Weincrementallyconstructthe[[
]]1argsmappingforobjectsaccessedthroughglobalvariablesandparameters.Forexample,invoidf(structstr*p)fspinlock(&p�lock);gthecorrespondinginterfaceobjectforpisparam0,sinceitisdenedastherstformalparameteroff.Recallthattheobjectpointedtobyp!lockislazilyin-stantiatedwhenpisdereferencedbycallingDefVal(p)(seeSection3.2).Aspartoftheinstantiation,weinitializeeveryeldofthestruct(*p),andcomputetheappropriateIObjforeacheldatthattime.Specically,theinterfaceobjectforp!lockis(param0):lock.Theconversionoperationsextendtointerfaceexpressionsandconditionals.Forbrevity,namespaceconversionsforobjects,expressions,andconditionalsaremostlykeptimplicitinthediscussionbelow.5.2FunctionSummaryRepresentationThelanguageforexpressingnitestatesummariesisgiveninFigure7.Eachfunctionsummaryisafour-tupleconsistingof:|asetofinputpropositionsPin,|asetofoutputpropositionsPout,ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 16
YichenXieandAlexAiken|asetofinterfaceobjectsM,whichmaybemodiedduringthefunctioncall,and|arelationRsummarizingtheFSMbehaviorofthefunction.ThecheckerneedonlysupplythesetofFSMstatesandthesetofinputandoutputpropositions(i.e.S,Pin,andPout);bothMandRarecomputedautomaticallyforeachfunctionbySaturn(seeSection5.4).TheFSMbehaviorofafunctioncallismodeledasasetofstatetransitionsofoneormoreinterfaceobjects.Thesetransitionsmapinputstatestooutputstatesbasedonthevaluesofasetofinput(Pin)andoutput(Pout)propositions.ThestatetransitionsaregiveninthesetR.EachelementinRisavetuple:(sm;incond;s;outcond;s0),whichwedescribebelow:|sm2IObjistheobjectwhosestateisaectedbythetransitionrelationship.Inthelockchecker,smidentiestheaccessedlockobjects,asafunctionmayaccessmorethanonelockduringitsexecution.|incond22jPinjdenotesthepre-conditionoftheFSMtransition:(Vi2incondpi)^(Vi=2incond:pi)wherefp1;:::;png=Pin.Itspeciesoneofthe2npossiblevaluationsoftheinputpropositions,andisevaluatedonentrytothefunction.|s2Sistheinitialstateofsminthestatetransition.|outcond22jPoutjissimilarlydenedasincondanddenotestheoutputconditionofthetransition.outcondisevaluatedonexit.|s02Sisthestateofsmafterthetransition.Figure8presentsthesummaryofthreesamplelockingfunctions:spinlock,spintrylock,andcomplexwrapper.ThefunctioncomplexwrappercapturessomeofthemorecomplicatedlockingbehaviorinLinux.Nevertheless,givenappropri-ateinputandoutputpropositions(i.e.,PinandPout),weareabletoexpress(andautomaticallyinfer)itsbehaviorusingoursummaryrepresentation(i.e.,MandR).Wedescribehowfunctionsummariesareinferredandusedinthefollowingsubsections.SummaryApplicationThissubsectiondescribeshowthesummaryofafunctionisusedtomodelitsbehavioratacallsite.Foragivenfunctioninvocationf(a0;:::;an),weencodethecallintoasetofstatementssimulatingtheobservableeectsofthefunction.Theencoding,giveninFigure9,iscomposedoftwostages:(1)Intherststage,wesavethevaluesofrelevantprogramstatesbeforeandafterthecall(lines3-4and8inFigure9),andaccountforthesideeectsofthefunctionbyconservativelyassigningunknownvaluestoobjectsinthemodiedsetM(line6).Relevantvaluesbeforethecallincludeallinputpropositionspi,andthecurrentstates(smi)oftheinterfaceobjectsmentionedinthetransitionrelationR.Relevantvaluesafterthecallincludealloutputstatesqi.Wethenuseanassumestatementtoruleoutimpossiblecombinationsofinputandoutputpropositions(line10;e.g.,somefunctionsalwaysreturnanon-NULLpointer).(2)Inthesecondstage,weprocessthestatetransitionsinRbyrsttestingtheiractivationconditions,and,whensatised,carryingoutthetransitions(line14-16).Thepropositioninconddenotesthecondition(Vi2incondbpi)^(Vi=2incond:bpi);ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
17voidcomplexwrapper(spinlockt*l,int\rag,int*success)f/*spintrylockreturnsnon-zeroonsuccessfulacquisitionofthelock;0otherwise.*/if(\rag)*success=spintrylock(l);elsefspinunlock(l);*success=1;ggStates:S=fError=0;Locked=1;Unlocked=2gSummary:=hM;R;Pin;Poutispinlock:Input:Pin=fgPout=fgOutput:M=fparam0gR=f(param0;;Unlocked;;Locked);(param0;;Locked;;Error)gspintrylock:Input:Pin=fgPout=fliftc(retval)gOutput:M=fparam0;retvalgR=f(param0;;Unlocked;true;Locked);(param0;;Unlocked;false;Unlocked);(param0;;Locked;;Error)gcomplexwrapper:Input:Pin=fliftc(param1)gPout=fliftc(param2)gOutput:M=fparam0;param2gR=f(param0;true;Locked;;Error)(param0;true;Unlocked;true;Locked)(param0;true;Unlocked;false;Unlocked)(param0;false;Unlocked;true;Error)(param0;false;Locked;true;Unlocked)gFig.8.Samplefunctionsummariesforthelockingproperty.theconditionforoutcondissymmetric.Noticethatsinceincondandoutcondareavaluationofallinputandoutputpropositions,notwotransitionsonthesamestatemachineshouldbeenabledsimultaneously.Violationsofthispropertycanbeattributedtoeitheraninadequatechoiceofinputandoutputpropositions,orabugintheprogram(e.g.,TypeBerrorsintheLinuxlockchecker{Section5.5).Thereisoneaspectoftheencodingthatisleftunspeciedinthedescription,whichistheunknownvaluesusedtomodeltheside-eectsofthefunctioncall.Forintegervalues,weusetheruleforunknownandconservativelymodelthesevalueswithasetofunconstrainedbooleanvariables.Forpointers,weextendtheDefValoperatordescribedinSection3.2toobtainachecker-speciedestimationoftheshapeoftheobjectbeingpointedto.Thecurrentimplementationusesfreshlocationsformodiedpointers.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 18
YichenXieandAlexAikenAssumptions(f)=hPin;Pout;M;Riwhere8Pin=fp1;:::;pmgPout=fq1;:::;qngM=fo1;:::;okgR=f(sm1;incond1;s1;outcond1;s0);:::;(sml;incondl;sl;outcondl;s0)gInstrumentation1:(*Stage1:Preparation*)2:(*saveusefulprogramstates*)3:bp1 p1;:::;bpn pm;4:csm1 sm1;:::;csml sml;5:(*accountfortheside-eectsoff*)6:o1 unknown(o1);:::;ok unknown(ok);7:(*savethevaluesofoutputpropositions*)8:q01 q1;:::;q0n qn;9:(*ruleoutinfeasiblecomb.ofincondandoutcond*)10:assume(Wi(smi=si^incondi^outcondi));11:12:(*Stage2:Transitions*)13:(*recordstatetransitionsafterthefunctioncall*)14:if(csm1=s1^incond1^outcond1)sm1 s0;15::::16:if(csml=sl^incondl^outcondl)sml s0;Fig.9.Summaryapplication.Pin=fp1;:::;pmgPout=fq1;:::;qngM=fvjissatisable( 0(v)6= (v))gR=f(sm;incond;s;outcond;s0)jissatisable( 0(sm=s)^ 0(incond)^ (outcond)^ (sm=s0))gFig.10.Summaryinference.5.4SummaryInferenceThissectiondescribeshowwecomputethesummaryofafunctionafteranalysis.Beforeweproceed,werststatetwoassumptionsaboutthetranslationfromCtoSaturn'sintermediatelanguage:(1)Weassumethateachfunctionhasoneuniqueexitblock.Incasethefunctionhasmultiplereturnstatements,weaddadummyexitblocklinkedtoallreturnsites.Theexitblockisanalyzedlast(seeSection2)andtheenvironment atthatpointencodesallpathsfromfunctionentrytoexit.Summaryinferenceiscarriedoutafteranalyzingtheexitblock.(2)WemodelreturnstatementsinCbyassigningthereturnvaluetoaspecialobjectrv,and[[rv]]1args=retval.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
19Figure10givesthesummaryinferencealgorithm.Theinputtothealgorithmisasetofinput(Pin)andoutput(Pout)propositions.TheinferenceprocessinvolvesaseriesofqueriestotheSATsolverbasedontheinitial( 0)andnalstate( )todetermine:(1)thesetofmodiedobjectsM,and(2)thesetoftransitionrelationshipsR.IncomputingMandR,weuseashorthand (x)todenotethevaluationofxunderenvironment .Thesummaryinferencealgorithmproceedsasfollows.Intuitively,modiedob-jectsarethosewhosevaluationmaybedierentundertheinitialenvironment 0andthenalenvironment .WecomputeMbyiteratingoverallinterfaceobjectsvandusetheSATsolvertodeterminewhetherthevaluesmaybedierentornot.ThetransitionsetRiscomputedbyenumeratingallrelevantinterfaceobjects(e.g.,locksinthelockchecker)inthefunctionandallcombinationsofinputandoutputpropositions.WeagainusetheSATsolvertodeterminewhetheratransitionunderaparticularsetofinputandoutputpropositionsisfeasible.Asthereadermaynotice,summaryinferencerequiresmanySATqueriesandcanbecomputationallyexpensivewhensolvedindividually.Fortunately,thesequeriessharealargesetofcommonconstraintsencodingthefunctioncontrolanddata\row.Infact,theonlydierenceamongthequeriesareconstraintsthatdescribethedierentcombinationsofinput/outputpropositionsandinitial/nalstatepairsforeachstatemachine.WeexploitthisfactbytakingadvantageofincrementalsolvingcapabilitiesinmodernSATsolvers.Incrementalsolvingalgorithmsshareandreuseinformationlearned(e.g.,usingcon\rictclauses)inthecommonpartsofthequeriesandcanconsiderablyspeedupSATsolvingtimeforsimilarqueries.Inpractice,weobservethatSATqueriestypicallycompleteinunderonesecond.5.5ALinuxLockCheckerInthissection,weusetheFSMcheckingframeworkdescribedabovetoconstructalockcheckerfortheLinuxkernel.Westartwithsomebackgroundinformation,andlistthechallengesweencounteredintryingtodetectlockingbugsinLinux.WethendescribethelockcheckerwehaveimplementedintheSaturnframework.TheLinuxkernelisawidelydeployedandwell-testedcoreoftheLinuxoperatingsystem.Thekernelisdesignedtoscaletoanarrayofmultiprocessorplatformsandthusisinherentlyconcurrent.Itusesavarietyoflockingmechanisms(e.g.,spinlocks,semaphores,read/writelocks,primitivecompareandswapinstructions,etc.)tocoordinateconcurrentaccessesofkerneldatastructures.Foreciencyreasons,mostofthecodeinthekernelrunsinsupervisormode,andsynchronizationbugscanthuscausecrashesorhangsthatresultindatalossandsystemdowntime.Forthisreason,lockingbugshavereceivedtheattentionofanumberofresearchandcommercialcheckingandvericationeorts.Locks(a.k.a.mutexes)arenaturallyexpressedasanitestatepropertywiththreestates:Locked,Unlocked,andError.Thelockoperationcanbemodeledastwotransitions:fromUnlockedtoLocked,andLockedtoError(unlockissimilar).ThereareafewchallengesthatacheckermustovercometomodellockingbehaviorinLinux:|Aliasing.InLinux,locksarepassedbyreference(i.e.,bypointersinC).Oneimmediateproblemistheneedtodealwithpointeraliasing.CQualemploysaACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 20
YichenXieandAlexAikennumberoftechniquestoinfernon-aliasingrelationshipstohelprenetheresultsfromthealiasanalysis[Aikenetal.2003].MC[Hallemetal.2002]assumesnon-aliasingamongallpointers,whichhelpsreducefalsepositives,butalsolimitsthecheckingpowerofthetool.|HeapObjects.Innegrainedlocking,locksareoftenembeddedinheapob-jects.Theseobjectsarestoredintheheapandpassedaroundbyreference.Todetectbugsinvolvingheapobjects,areasonablemodeloftheheapneedstobeconstructed(recallSection3.2).Theneedtowrite\harnesses"thatconstructthecheckingenvironmenthasproventobeanon-trivialtaskintraditionalmodelcheckers[Balletal.2004].|PathSensitivity.Thestatemachineforlocksbecomesmorecomplexwhenweconsidertrylocks.Trylocksarelockoperationsthatcanfail.Thecallermustcheckthereturnvalueoftrylockstodeterminewhethertheoperationhassucceededornot.Besidestrylocks,somefunctionsintentionallyexitwithlocksheldonerrorpathsandexpecttheircallerstocarryouterrorrecoveryandcleanupwork.TheseconstructsareusedextensivelyinLinux.Inaddition,onecommonusagescenarioinLinuxisthefollowing:if(x)spinlock(&l);...;if(x)spinunlock(&l);Someformofpathsensitivityisnecessarytohandlethesecases.|InterproceduralAnalysis.AsweshowinSection5.6,alargeportionofsyn-chronizationerrorsarisefrommisunderstandingoffunctioninterfaceconstraints.Thepresenceofmorethan600lock/unlock/trylockwrappersfurthercomplicatestheanalysis.Imprecisionintheintraproceduralanalysisisampliedintheinter-proceduralphase,sowebelieveapreciseinterproceduralanalysisisimportantintheconstructionofalockchecker.Ourlockcheckerisbasedontheframeworkdescribedabove(seeFigure8).Statesaredenedasusual:fLocked;Unlocked;Errorg.Toaccuratelymodeltrylocks,wedenePout=fliftc(retval)gforfunctionsthatreturnintegersorpointers.Trackingthispropositioninsummariesisalsoadequateformodelingfunctionsthatexitindierentlockstatesdependingonwhetherthereturnvalueis0(null)ornot.WedenePouttobetheemptysetforfunctionsoftypevoid;Pinisdenedtobetheemptyset.WedetecttwotypesoflockingerrorsinLinux:|TypeA:doublelocking/unlocking.Thesearefunctionsthatmayacquireorreleasethesamelocktwiceinarow.ThesummaryrelationshipRofsuchfunctionscontainstwotransitionsonthesamelock:oneleadsfromtheLockedstatetoError,andtheotherfromtheUnlockedstatetoError.Thissignalsaninternalinconsistencyinthefunction|nomatterwhatstatethelockisinonentrytothefunction,thereisapathleadingtotheerrorstate.|TypeB:ambiguousreturnstate.ThesearefunctionsthatmayexitinbothLockedandUnlockedstateswithnoobservabledierence(w.r.t.Pout,whichisACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
21TypeCountNum.ofFiles12455TotalLineCount4.8millionLOCTotalNum.Func.63850LockRelatedFunc.23458Runningtime19h40mCPUtimeApprox.LOC/sec67TableI.PerformancestatisticsonasingleprocessorPentiumIV3.0Gdesktopwith1GBmemory.liftc(retval))inthereturnvalue.Thesebugsarecommonlycausedbymissedoperationstorestorelockstatesonerrorpaths.75.6ExperimentalResultsWehaveimplementedthelockcheckerdescribedinSection5.5asaplugintotheSaturnframework.ThecheckermodelslocksinLinux(e.g.,objectsoftypespinlockt,rwlockt,rwsemaphore,andsemaphore)usingthestatemachinesdenedinSection5.Whenanalyzingafunction,weretrievethelocksummariesofitscalleesandusethealgorithmdescribedinSection5.3tosimulatetheirobservableeects.Attheendoftheanalysis,wecomputeasummaryforthecurrentfunctionusingthealgorithmdescribedinSection5.4andstoreitinthesummarydatabaseforfutureuse.TheorderofanalysisforfunctionsinLinuxisdeterminedbytopologicallysortingthestaticcallgraphoftheLinuxkernel.Recursivefunctioncallsarerepresentedbystronglyconnectedcomponents(SCC)inthecallgraph.Duringthebottomupanalysis,functionsinSCCsareanalyzedonceinanarbitraryorder,whichmightresultinimprecisionininferredsummaries.Amorepreciseapproachwouldrequireunwindingtherecursionaswedoforloops,untilaxedpointisreachedforfunctionsummariesintheSCC.However,ourexperimentsindicatethatrecursionhaslittleimpactontheprecisionofinferredlocksummaries,andthereforeweadoptthesimplerapproachinourimplementation.Westarttheanalysisbyseedingthelocksummarydatabasewithmanualspeci-cationsofaround40lock,unlockandtrylockprimitivesinLinux.Otherwisethecheckingprocessisfullyautomatic:ourtoolworksontheunmodiedsourcetreeandrequiresnohumanguidanceduringtheanalysis.Weranourlockcheckeronthethenlatestreleaseofthekernelsourcetree(v2.6.5).PerformancestatisticsoftheexperimentaretabulatedinTableI.Allexperimentsweredoneonasingleprocessor3.0GHzPentiumIVcomputerwith1Gofmemory.Ourtoolparsedandanalyzedaround4.8millionlinesofcodein63,850functionsinunder20hours.Functionside-eectcomputationisnotcurrentlyimplementedintheversionofthecheckerreportedhere.Loopsareunrolleda7OnecanarguethatTypeBerrorsareratheramanifestationoftherestrictedsetsofpredicatesusedfortheanalysis;amoreprecisewayofdetectingthesebugsistoallowambiguousoutputstatesinthefunctionsummary,andreportbugsincallingcontextswhereonlyoneoftheoutputstatesislegal.Practically,however,wendthatthisrestrictionisadesirablefeaturethatallowsustoexploitdomainknowledgeaboutlockusageinLinux,andthushelpstheanalysistopinpointmoreaccuratelytherootcauseofabug.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 22
YichenXieandAlexAikenTypeBugsFPWarningsAccuracy(Bug/Warning)A1349923357%B45226767%Total17912130060%TableII.Numberofbugsfoundineachcategory.TypeABTotalInterprocedural10827135Intraprocedural261844total13445179TableIII.Breakdownofintra-andinter-proceduralbugs.maximumoftwoiterationsbasedonthebeliefthatmostdoublelockerrorsmanifestthemselvesbytheseconditeration.Wehaveimplementedanoptimizationthatskipsfunctionsthathavenolockprimitivesanddonotcallanyotherfunctionswithnon-triviallocksummaries.Thesefunctionsareautomaticallygiventhetrivial\No-Op"summary.Weanalyzedtheremaining23,927lockrelatedfunctions,andstoredtheirsummariesinaGDBMdatabase.Wesetthememorylimitforeachfunctionto700MBtopreventthrashingandtheCPUtimelimitto90seconds.Ourtoolfailedtoanalyze27functions{someofwhichwerewritteninassembly,andtherestduetointernalfailuresofthetool.Thetoolalsofailedtoterminateon442functionsinthekernel,largelyduetoresourceconstraints,withasmallnumberofthemduetoimplementationbugsinourtool.Ineverycasewehaveinvestigated,resourceexhaustioniscausedbyexceedingthecapacityofaninternalcacheinSaturn.Thisrepresentsafailurerateof2%onthelock-relatedfunctions.Theresultoftheanalysisconsistsofabugreportof179previouslyunknownerrorsandalocksummarydatabasefortheentirekernel,whichwedescribeinthesubsectionsbelow.5.6.1ErrorsandFalsePositives.AsdescribedinSection5.5,wedetecttwotypesoflockingerrorsinLinux:doublelock/unlock(TypeA)andambiguousoutputstates(TypeB).WetabulatethebugcountsinTableII.Thebugsandfalsepositivesareclassiedbymanuallyinspectingtheerrorreportsgeneratedbythetool.Onecaveatofthisapproachisthaterrorswediagnosemaynotbeactualerrors.Tocounterthis,weonly\ragoneswearereasonablysureabout.WehaveseveralyearsofexperienceexaminingLinuxbugs,sothenumberofmisdiagnosederrorsisexpectedtobelow.TableIIIfurtherbreaksdownthe179bugsintointraproceduralversusinterpro-ceduralerrors.Weobservethatmorethanthreequartersofdiagnosederrorsarecausedbymisunderstandingoffunctioninterfaceconstraints.TableIVclassiesthefalsepositivesintosixcategories.ThebiggestcategoryoffalsepositivesiscausedbyinadequatechoiceofpropositionsPinandPout.Inasmallnumberofwidelycalledutilityfunctions,inputandoutputlockstatesarecorrelatedwithvaluespassedin/outthroughtheparameter,insteadofthereturnACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
23TypeATypeBTotalPropositions261642LockAssertions21425Semaphores22022SaturnLim.18119Readlocks707Others517Total9922121TableIV.Breakdownoffalsepositives.1staticvoidsscapecoprocclose(void*devinfo,intsubdevice)2f3spinlockirqsave(&devc�lock,\rags);4if(devc�dmaallocated)f5sscapewrite(devc,GADMAAREG,0x20);//bughere6...7...8g910staticvoidsscapewrite(structsscapeinfo*devc,intreg,intdata)11f12...13spinlockirqsave(&devc�lock,\rags);//acquiresthelock14gFig.11.AninterproceduralTypeAerrorfoundinsound/oss/sscape.c.value.Toimprovethissituation,weneedtodetecttherelevantpropositionseitherbymanualspecicationorbyusingapredicateabstractionalgorithmsimilartothatusedinSLAMorBLAST.Anotherlargesourceoffalsepositivesisanidiomthatusestrylockoperationsasawayofqueryingthecurrentstateofthelock.Thisidiomiscommonlyusedinassertionstomakesurethatalockisheldatacertainpoint.Webelieveabetterwaytoaccomplishthistaskistousethelockqueryingfunctions,whichwemodelpreciselyinourtool.Fortunately,thisusagepatternonlyoccursinafewmacros,andcanbeeasilyidentiedduringinspection.Thethirdlargestsourceoffalsepositivesiscountingsemaphores.Dependingonthecontext,semaphorescanbeusedinLinuxeitheraslocks(withdownbeinglockandupbeingunlock)orresourcecounters.Ourtooltreatsallsemaphoresaslocks,andthereforemaymis\ragconsecutivedown/upoperationsasdoublelock/unlockerrors.Theremainingfalsepositivesareduetoreadlocks(wheredoublelocksareOK),andunmodeledfeaturessuchasarrays.Figure11showsasampleinterproceduralTypeAerrorfoundbySaturn,wheresscapecoprocclosecallssscapewritewith&devc!lockheld.However,therstthingsscapewritedoesistoacquirethatlockagain,resultinginadeadlockonmultiprocessorsystems.Figure12givesasampleintraproceduralTypeBerror.Therearetwoplaceswherethefunctionexitswithreturnvalue-EBUSY:onewiththelockheld,andtheotherunheld.TheprogrammerhasforgottentoreleasetheACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 24
YichenXieandAlexAiken1inti2oclaimdevice(structi2odevice*d,2structi2ohandler*h)3f4down(&i2ocongurationlock);5if(d�owner)f6...7up(&i2ocongurationlock);8returnEBUSY;9g10...11if(...)f12...13returnEBUSY;14g15up(&i2ocongurationlock);16return0;17gFig.12.AnintraproceduralTypeBerrorfoundindrivers/message/i2o/i2ocore.c.lockbeforereturningatline13.WehaveledthebugreportstotheLinuxKernelMailingList(LKML)andreceivedconrmationsandpatchesforanumberofreportederrors.Tothebestofourknowledge,SaturnisbyfarthemosteectivebugdetectiontoolforLinuxlockingerrors.5.6.2TheLockSummaryDatabase.Synchronizationerrorsareknowntobediculttoreproduceanddebugdynamically.Tohelpdevelopersdiagnosereportederrors,andalsobetterunderstandtheoftensubtlelockingbehaviorinthekernel(e.g.,lockstatesundererrorconditions),wehavebuiltawebinterfacefortheLinuxlocksummarydatabasegeneratedduringtheanalysis.Ourownexperiencewiththesummarydatabasehasbeenpleasant.Duringinspection,weusethesummarydatabaseextensivelytomatchupthederivedsum-marywiththeimplementationcodetoconrmerrorsandidentifyfalsepositives.Inourexperiencethegeneratedsummariesaccuratelymodelthelockingbehaviorofthefunctionbeinganalyzed.Infact,shortlyafterweledthesebugs,weloggedmorethanathousandqueriestothesummarydatabasefromtheLinuxcommunity.ThesummarydatabasealsorevealsinterestingfactsabouttheLinuxkernel.Tooursurprise,lockingbehaviorisfarfromsimpleinLinux.Morethan23,000ofthe63,000functionsinLinuxdirectlyorindirectlyoperateonlocks.Inaddition,8873functionsaccessmorethanonelock.Thereare193lockwrappers,375unlockwrappers,and36functionswheretheoutputstatecorrelateswiththereturnvalue.Furthermore,morethan17,000functionsdirectlyorindirectlyrequirelockstobeinaparticularstateonentry.WebelieveSaturnistherstautomatictoolthatsuccessfullyunderstandsanddocumentsanyaspectoflockingbehaviorincodethesizeofLinux.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
256.CASESTUDYII:THELEAKDETECTORInthissection,wepresentastaticmemoryleakdetectorbasedonthepathsensi-tivepointeranalysisinSaturn.Wetargetoneimportantclassofleaks,namelyneglectingtofreeanewlyallocatedmemoryblockbeforeallitsreferencesgooutofscope.Thesebugsarecommonlyfoundinerrorhandlingpaths,whicharelesslikelytobecoveredduringtesting.Thissecondstudyisinterestinginitsownrightasaneectivememoryleakdetector,andasevidencethatSaturncanbeusedtoanalyzeavarietyproperties.Therestofthesectionisorganizedasfollows:Section6.1givesexamplesillus-tratingthetargetedclassofbugsandtheanalysistechniquesrequired.Webrie\ryoutlinethedetectionalgorithminSection6.2andgivedetailsinSections6.3,6.4,and6.5.HandlingtheunsafefeaturesofCisdescribedinSection6.7.Section6.8describesaparallelclient/serverarchitecturethatdramaticallyimprovesanalysisspeed.WeendwithexperimentalresultsinSection6.9.6.1MotivationandExamplesBelowweshowatypicalmemoryleakfoundinCcode:p=malloc(...);...if(errorcondition)returnNULL;returnp;Here,theprogrammerallocatesamemoryblockmemoryandstoresthereferenceinp.Undernormalconditionspisreturnedtothecaller,butincaseofanerror,thefunctionreturnsNULLandthenewlocationisleaked.Theproblemisxedbyinsertingthestatementfree(p)immediatelybeforetheerrorreturn.Ourgoalistondtheseerrorsautomatically.Wenotethatleaksarealwaysa\row-sensitiveproperty,butsometimesarepath-sensitiveaswell.Thefollowingexampleshowsacommonusagewhereamemoryblockisfreedwhenitsreferenceisnon-NULL.if(p!=NULL)free(p);Toavoidfalsepositivesintheirpathinsensitiveleakdetector,Heineet.al.[HeineandLam2003]transformthiscodeinto:if(p!=NULL)free(p);elsep=NULL;Thetransformationhandlestheidiomwithaslightchangeofprogramsemantics(i.e.,theextraNULLassignmenttop).However,syntacticmanipulationsareun-likelytosucceedinmorecomplicatedexamples:charfastbuf[10],*p;if(len10)p=fastbuf;elsep=(char*)malloc(len);...if(p!=fastbuf)free(p);ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 26
YichenXieandAlexAikenInthiscase,dependingonthelengthoftherequiredbuer,theprogrammerchoosesbetweenasmallerbutmoreecientstack-allocatedbuerandalargerbutslowerheap-allocatedone.ThisoptimizationiscommoninperformancecriticalcodesuchasSambaandtheLinuxkernelandafullypathsensitiveanalysisisdesirableinanalyzingsuchcode.Anotherchallengetotheanalysisisillustratedbythefollowingexample:p�name=strdup(string);pushonstack(p);Tocorrectlyanalyzethiscode,theanalysismustinferthatstrdupallocatesnewmemoryandthatpushonstackaddsanexternalreferencetoitsrstargumentpandthereforecauses(*p).nametoescape.Thus,aninterproceduralanalysisisrequired.Withoutabstraction,interproceduralprogramanalysisisprohibitivelyexpensiveforpathsensitiveanalysessuchasours.Aswiththelockchecker,weuseasummary-basedapproachthatexploitsthenaturalabstractionboundaryatfunctioncalls.Foreachfunction,weuseSATqueriestoinferinformationaboutthefunction'smemorybehaviorandconstructasummaryforthatfunction.Thesummaryisdesignedtocapturethefollowingtwoproperties:(1)whetherthefunctionisamemoryallocator,and(2)thesetofescapingobjectsthatarereachablefromthefunction'sparameters.WeshowhowweinferandusesuchfunctionsummariesinSection6.5.6.2OutlineoftheLeakCheckerThissubsectiondiscussesseveralkeyideasbehindtheleakchecker.Firstofall,weobservethatpointersarenotallequalwithrespecttomemoryleaks.Considerthefollowingexample:(*p).data=malloc(...);return;Thecodecontainsaleakifpisalocalvariable,butnotifpisaglobaloraparame-ter.Inthecasewhere*pitselfisnewlyallocatedinthecurrentprocedure,(*p).dataescapesonlyifobject*pescapes(exceptforcasesinvolvingcyclicstructures;seebelow).Inordertodistinguishbetweenthesecases,weneedaconceptcalledaccesspaths(Section6.3)totrackthepathsthroughwhichobjectsareaccessedfrombothinsideandoutside(ifpossible)thefunctionbody.WedescribedetailsabouthowwemodelobjectaccessibilityinSection6.4.Referencestoanewmemorylocationcanalsoescapethroughmeansotherthanpointerreferences:(1)memoryblocksmaybedeallocated;(2)functioncallsmaycreateexternalreferencestonewlyallocatedlocations;(3)referencescanbetransferredviaprogramconstructsinCthatcurrentlyarenotmodeledinSaturn(e.g.,bydecomposingapointerintoapagenumberandapageoset,andreconstructingitlater).Tomodelthesecases,weinstrumenteveryallocatedmemoryblockwithabooleanescapeattributewhosedefaultvalueisfalse.Wesettheescapeattributetotruewheneverweencounteroneofthesethreesituations.Amemoryblockisnotcon-sideredleakedwhenitsescapeattributeisset.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
27Params=fparam0;:::;paramn1gOrigins(r)::=fretvalg[Params[Globals[NewLocs[LocalsAccPath()::=rj:fjPathOf:Loc!AccPathRootOf:AccPath!OriginsFig.13.Accesspaths.OnenalissuethatrequiresexplicitmodelingisthatmallocfunctionsinCmightfail.Whenitdoes,mallocreturnsnulltosignalafailedallocation.ThissituationisillustratedinSection6.1andrequiresspecial-casehandlinginpathinsensitiveanalyses.Weuseabooleanvalidattributetotrackthereturnstatusofeachmemoryallocation.Theattributeisnon-deterministicallysetateachallocationsitetomodelbothsuccessandfailurescenarios.Foraleaktooccur,thecorrespondingallocationmustoriginatefromasuccessfulallocationandthushaveitsvalidattributesettotrue.6.3AccessPathsandOriginsThissubsectionextendstheinterfaceobjectconceptintroducedinSection5.1totrackandmanipulatethepaththroughwhichobjectsarerstaccessed.Followingstandardliteratureonaliasandescapeanalysis,wecallthereviseddenitionaccesspaths.AsshownintheSection6.2,accesspathinformationisimportantindeningtheescapeconditionformemorylocations.Figure13denestherepresentationandoperationsonaccesspaths,whichareinterfaceobjects(seeSection5.1)extendedwithLocalsandNewLocs.Objectsarereachedbyeldaccessesorpointerdereferencesfromveorigins:globalandlocalvariables,thereturnvalue,functionparameters,andnewlyallocatedmemorylocations.WerepresentthepaththroughwhichanobjectisaccessedrstwithAccPath.PathOfmapsobjects(andpolymorphiclocations)totheiraccesspathsandaccesspathinformationiscomputedbyrecordingobjectaccesspathsusedduringtheanalysis.TheRootOffunctiontakesanaccesspathandreturnstheobjectfromwhichthepathoriginates.Weillustratetheseconceptsusingthefollowingexample:structstatefvoid*data;g;void*g;voidf(structstate*p)fint*q;g=p�data;q=g;returnq;/*rv=q*/gTableVsummarizestheobjectsreachedbythefunction,theiraccesspathsandorigins.TheoriginandpathinformationindicateshowtheseobjectsarerstaccessedandisusedindeningtheleakconditionsinSection6.4.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 28
YichenXieandAlexAikenObjectAccPathRootOfpparam0param0pparam0param0(p):data(param0):dataparam0(p):data(param0):dataparam0gglobalgglobalgqlocalqlocalqrvretvalretvalTableV.Objects,accesspaths,andaccessoriginsinthesampleprogram.6.4EscapeandLeakConditions (p)=fj(G0;l0);:::;(Gn1;ln1)jgPointsTo(p;l)=Giif9is.t.AddrOf(l)=AddrOf(li)falseotherwisepoints-toExcludedSet:XOrigins(Globals[Locals)RootOf(p)2Locals[XEscapeVia(l;p;X)=falsevia-localRootOf(p)2GlobalsEscapeVia(l;p;X)=PointsTo(p;l)via-globalRootOf(p)=(Params[fretvalg)XEscapeVia(l;p;X)=PointsTo(p;l)via-interfacel0=RootOf(p)l02(NewLocsX)EscapeVia(l;p;X)=PointsTo(p;l)^Escaped(l0;X[flg)via-newlocEscaped(l;X)=[[l#escaped]] _WpEscapeVia(l;p;X)escapedLeaked(l;X)=[[l#valid]] ^:Escaped(l;X)leaked*Forbrevity,RootOf(p)denotesRootOf(PathOf(p)).Fig.14.Memoryleakdetectionrules.Figure14denestherulesweusetondmemoryleaksandconstructfunctionsummaries.AsdiscussedinSection5.4,weassumethatthereisoneuniqueexitblockineachfunction'scontrol\rowgraph.Weapplytheleakrulesattheendoftheexitblock,andtheimplicitlydenedenvironment intherulesreferstotheexitenvironment.InFigure14,thePointsTo(p;l)functiongivestheconditionunderwhichpointerppointstolocationl.TheresultissimplytheguardassociatedwithlifitoccursintheGLSofpandfalseotherwise.UsingthePointsTofunction,wearereadytodenetheescaperelationshipsEscapedandEscapeVia.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
29Escapee()::=paramij:fjSummary:2bool2EscapeeFig.15.Thedenitionoffunctionsummaries.IgnoringtheexclusionsetXfornow,EscapeVia(l;p;X)returnstheconditionunderwhichlocationlescapesthroughpointerp.Dependingontheoriginofp,EscapeViaisdenedbyfourrulesvia-*inFigure14.Thesimplestofthefourrulesisvia-local,whichstipulatesthatlocationlcannotescapethroughpifp'soriginisalocalvariable,sincethereferenceislostwhenpgoesoutofscopeatfunctionexit.Therulevia-globalhandlesthecasewherepisaccessiblethroughaglobalvariable.Inthiscase,lescapeswhenppointstol,whichisdescribedbytheconditionPointsTo(p;l).Thecasewherealocationescapesthroughafunctionparameteristreatedsimilarlyinthevia-interfacerule.Therulevia-newlochandlesthecasewherepisanewlyallocatedlocation.AgainignoringtheexclusionsetX,therulestipulatesthatalocationlescapesifppointstolandtheoriginofp,whichisitselfanewlocation,inturnescapes.However,theabovestatementisoverlygenerousinthefollowingsituation:s=malloc(...);/*createsnewlocationl'*/s�next=malloc(...);/*createsl*/s�next�prev=s;/*circularreference*/Thecirculardependencythatlescapesifl0does,andviceversa,canbesatisedbytheconstraintsolverbyassumingbothlocationsescape.Tondthisleak,wepreferasolutionwhereneitherescapes.WesolvethisproblembyaddinganexclusionsetXtotheleakrulestopreventcircularescaperoutes.Inthevia-newlocrule,thelocationlinquestionisaddedtotheexclusionset,whichpreventsl0fromescapingthroughl.TheEscaped(l;X)functionusedbythevia-newlocrulecomputestheconditionunderwhichlescapesthrougharoutethatdoesnotintersectwithX.Itisdenedbyconsideringescaperoutesthroughallpointersandothermeanssuchasfunctioncalls(modeledbytheattributel#escaped).Finally,Leaked(l;X)computestheconditionunderwhichanewlocationlisleakedthroughsomeroutethatdoesnotintersectwithX.Ittakesintoconsider-ationthevalidityofl,whichmodelswhethertheinitialallocationissuccessfulornot(seeSection6.1foranexample).Usingthesedenitions,wespecifytheconditionunderwhichaleakerroroccurs:9ls.t.(l2NewLocs)and(Leaked(l;fg)issatisable)Weissueawarningforeachlocationthatsatisesthiscondition.6.5InterproceduralAnalysisThissubsectiondescribesthesummary-basedapproachtointerproceduralleakdetectioninSaturn.WestartbydeningthesummaryrepresentationinSec-tion6.5.1anddiscusssummarygenerationandapplicationinSections6.5.2and6.5.3.6.5.1SummaryRepresentation.Figure15showstherepresentationofafunc-tionsummary.InleakanalysisweareinterestedinwhetherthefunctionreturnsACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 30
YichenXieandAlexAikenIsMalloc: (rv)=fj(G0;null);(Gi;li);(G0j;l0j)jgwhereli2NewLocsandl0j=2NewLocsWiGiissatisableandWjG0jisnotsatisable8li2NewLocs;(Gi=)Leaked(li;fretvalg))isatautologyEscapees:EscapedSet(f)=fPathOf(l)jRootOf(l)=paramiandEscaped(l;fparamig)issatisablegFig.16.Summarygeneration.newlyallocatedmemory(i.e.allocatorfunctions),andwhetheritcreatesanyex-ternalreferencetoobjectspassedviaparameters(recallSection6.1).Therefore,asummaryiscomposedoftwocomponents:1)abooleanvaluethatdescribeswhetherthefunctionreturnsnewlyallocatedmemory,and2)asetofescapedlo-cations(escapees).Sincecallerandcalleehavedierentnamesfortheformalandactualparameters,weuseaccesspaths(recallSection6.3)tonameescapedobjects.Thesepaths,calledEscapeesinFigure15,aredenedasasubsetofaccesspathswhoseoriginisaparameter.Considerthefollowingexample:1void*global;2void*f(structstate*p)f3global=p�next�data;4returnmalloc(5);5gThesummaryforfunctionfiscomputedashisMalloc:true;escapees:f(*(*param0).next).datagibecausefreturnsnewlyallocatedmemoryatline4andaddsareferencetop�-next�-datafromglobalandthereforeescapesthatobject.Noticethatthesummaryrepresentationfocusesoncommonleakscenarios.Itdoesnotcaptureallmemoryallocations.Forexample,functionsthatreturnnewmemoryblocksviaaparameter(insteadofthereturnvalue)arenotconsideredallocators.Likewise,aliasingrelationshipsbetweenparametersarenotcapturedbythesummaryrepresentation.6.5.2SummaryGeneration.Figure16describestherulesforfunctionsummarygeneration.Whenthereturnvalueofafunctionisapointer,theIsMallocruleisusedtodecidewhetherafunctionreturnsanewlyallocatedmemoryblock.Afunctionqualiesasamemoryallocatorifitmeetsthefollowingtwoconditions:(1)Thereturnvaluecanonlypointtonullornewlyallocatedmemorylocations.Thepossibilityofreturninganyotherexistinglocationsdisqualiesthefunctionasamemoryallocator.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
31(2)Thereturnvalueistheonlyexternallyvisiblereferencetonewlocationsthatmightbereturned.Thispreventsfalsepositivesfromregion-basedmemorymanagementschemeswhereareferenceisretainedbytheallocatortofreeallnewlocationsinaregiontogether.Thesetofescapedlocationsiscomputedbyiteratingthroughallparameteraccessibleobjects(i.e.,objectswhoseaccesspathoriginisaparameterp),andtestingwhethertheobjectcanescapethrougharoutethatdoesnotgothroughp,i.e.,ifEscaped(l;fparamig)issatisable.Takethefollowingcodeasanexample:voidinsertafter(structnode*head,structnode*new)fnew�next=head�next;head�next=new;gTheescapeesetofinsertafterincludes:(*head).next,sinceitcanbereachedbythepointer(*new).next;and*new,sinceitcanbereachedbythepointer(*head).next.Theobject*headisnotincluded,becauseitisonlyaccessiblethroughthepointerhead,whichisexcludedasapossibleescaperoute.(Forclarity,weusethemoremnemonicnamesheadandnextinsteadofparam0andparam1intheseaccesspaths.)6.5.3SummaryApplication.Functioncallsarereplacedbycodethatsimulatestheirmemorybehaviorbasedontheirsummary.Thefollowingpseudo-codemod-elstheeectofthefunctioncallr=f(e1,e2,...,en),assumingfisanallocatorfunctionwithescapeesetescapees:1/*escapetheescapees*/2foreach(e)inescapeesdo3(*e)#escaped=true;4/*allocatenewmemory,andstoreitinr*/6if(*)f7newloc(r);8(*r)#validtrue;9gelse10rnull;Lines1-3settheescapedattributeforf'sescapees.Notethateatline3isanaccesspathfromaparameter.Thus(*e)isnotstrictlyavalidSaturnobjectandmustbetransformedintooneusingaseriesofassignments.Thedetailsareomittedforbrevity.Lines5-10simulatethememoryallocationperformedbyf.Wenon-deterministicallyassignanewlocationtorandsetthevalidbitofthenewobjecttotrue.Tosimulateafailedallocation,weassignnulltoratline10.Inthecasewherefisnotanallocationfunction,lines5-10arereplacedbythestatementr unknown.6.6LoopsandRecursionFortheleakdetectorSaturnusesatwo-passalgorithmforloops.Intherstpasstheloopisunrolledasmallnumberoftimes(threeinourimplementation)andACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 32
YichenXieandAlexAikenthebackedgesdiscarded;thus,justtherstthreeiterationsareanalyzed.Forleakdetectionthisstrategyworkswellexceptforloopssuchasfor(i=0;i10000;i++);Theproblemhereisthattheloopexitconditionisnevertrueintherstfewit-erationsoftheloop.Thuspathsensitiveanalysisofjusttherstfewiterationsconcludesthattheexittestisneversatisedandthecodeaftertheloopappearstobeunreachable.Intherstpass,iftheloopcanterminatewithinthenumberofunrollediterations,theanalysisoftheloopisjusttheresultoftherstpass.Other-wise,wediscardresultsfromtherstpassandasecond,moreconservativeanalysisisused.Inthesecondpass,wereplacetheright-handsideofallassignmentsintheloopbodybyunknownexpressionsandtheloopisanalyzedonce(havoc'ing).Intuitively,thesecondpassanalyzesthelastiterationoftheloop;wemodelthefactthatwedonotknowthestateofmodiedvariablesafteranarbitrarynumberofearlieriterationsbyassigningthemunknownvalues[XieandChou2002].Inte-gerunknownsarerepresentedusingunconstrainedBooleanvariables,andarethusconservativeapproximationsoftheactualruntimevalues.Forpointers,however,unknowncurrentlyevaluatestoafreshlocation,andthereforeisunsound.Themo-tivationforthistwo-passanalysisisthattherstpassyieldsmorepreciseresultswhentheloopcanbeshowntoterminate;however,iftheunrolledloopiterationscannotreachtheloopexit,thenthesecondpassispreferablebecauseitismoreimportanttoatleastreachthecodeaftertheloopthantohavepreciseinformationfortheloopitself.RecursionishandledinasimilarmannerasintheLinuxlockchecker:wean-alyzemutuallyrecursivefunctionsonceinarbitraryorder.Theoretically,thisisasourceofbothfalsepositives(missedescaperoutesthroughrecursivefunctioncalls)andfalsenegatives(missedallocationfunctions).Practically,however,thelossofprecisionduetorecursionisminimalinourexperiments.6.7HandlingUnsafeOperationsinCTheCtypesystemallowsconstructs(i.e.,unsafetypecastsandpointerarithmetic)notcurrentlymodeledbySaturn.Wehaveidentiedseveralcommonidiomsthatusesuchoperations,motivatingsomeextensionstoourleakdetector.Oneextensionhandlescasessimilartothefollowing,whichemulatesaformofinheritanceinC:structsubfintvalue;structsupersuper;gstructsuper*allocator(intsize)fstructsub*p=malloc(...);p�value=...;return(&p�super);gTheallocatorfunctionreturnsareferencetothesupereldofthenewlyallocatedmemoryblock.Technically,thereferencetosubislostonexit,butitisnotconsid-eredanerrorbecauseitcanberecoveredwithpointerarithmetic.Variantsofthisidiomoccurfrequentlyintheprojectsweexamined.Oursolutionistoconsiderastructureescapedifanyofitscomponentsescape.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
33AnotherextensionrecognizescommonaddressmanipulationmacrosinLinuxsuchasvirttophysandbustovirt,whichaddorsubtractaconstantpageosettoarriveatthephysicalorvirtualequivalentoftheinputaddress.Ourimplementationmatchessuchoperationsandtreatsthemasidentityfunctions.6.8ADistributedArchitectureTheleakanalysisusesapathsensitiveanalysistotrackeveryincomingandnewlyallocatedmemorylocationinafunction.ComparedtothelockcheckerinSection5,thehighernumberoftrackedobjects(andthusSATqueries)meanstheleakanalysisismuchmorecomputationallyintensive.However,Saturnishighlyparallelizable,becauseitanalyzeseachfunctionsep-arately,subjectonlytotheorderingdependenciesofthefunctioncallgraph.Wehaveimplementedadistributedclient/serverarchitecturetoexploitthisparallelisminthememoryleakchecker.Theserversideconsistsofascheduler,dispatcher,anddatabaseserver.Theschedulercomputesthedependencegraphbetweenfunctionsanddeterminesthesetoffunctionsreadytobeanalyzed.Thedispatchersendsreadytaskstoidleclients.Whentheclientreceivesanewtask,itretrievesthefunction'sabstractsyntaxtreeandsummariesofitscalleesfromthedatabaseserver.Theresultoftheanalysisisanewsummaryfortheanalyzedfunction,whichissenttothedatabaseserverforusebythefunction'scallers.Weemploycachingtechniquestoavoidcongestionattheserver.Ourimplemen-tationscalestohundredsofCPUsandishighlyeective:theanalysistimefortheLinuxkernel,whichrequiresnearly24hoursonasinglefastmachine,isanalyzedin50minutesusingaround80unloadedCPUs.8Thespeedupissublinearinthenumberofprocessorsbecausethereisnotalwaysenoughparallelismtokeepallprocessorsbusy,particularlyneartherootofacallgraph.DuetothesimilarityoftheanalysisarchitecturebetweentheLinuxlockcheckerandthememoryleakdetector,weexpectthattheformerwouldalsobenetfromadistributedimplementationandachievesimilarspeedup.6.9ExperimentalResultsWehaveimplementedtheleakcheckerasaplug-intotheSaturnanalysisframe-workandappliedittoveuserspaceapplicationsandtheLinuxkernel.6.9.1UserSpaceApplications.Wecheckedveuserspacesoftwarepackages:Samba,OpenSSL,PostFix,Binutils,andOpenSSH.Weanalyzedthelatestreleaseoftherstthree,whileweusedolderversionsofthelasttwotocomparewithresultsreportedforotherleakdetectors[HeineandLam2003;HackettandRugina2005].AllexperimentsweredoneonalightlyloadeddualXeonTM2.8Gserverwith4gigabytesofmemoryaswellasonaheterogeneousclusterofaround80idle8Ascourtesytothegenerousownersofthesemachines,weconstantlymonitorCPUloadanduseractivityonthesemachines,andturnoclientsthathaveactiveusersortasks.Furthermore,these80CPUsrangefromlow-endPentium41.8Gworkstationstohigh-endXeon2.8Gserversindual-andquad-processorcongurations.Thus,performancestatisticsfordistributedrunsreportedhereonlyprovideanapproximatenotionofspeed-upwhencomparedtosingleprocessoranalysisruns.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 34
YichenXieandAlexAikenLOCSingleProc.DistributedTimeLOC/sP.TimeP.LOC/sUser-spaceApp.Samba403,7443h22m52s3310m57s615OpenSSL296,1923h33m41s2311m09s443Postx137,0911h22m04s2812m00s190Binutils909,4764h00m11s6316m37s912OpenSSH36,67627m34s226m00s102Sub-total1,783,17912h46m22s3956m43s524LinuxKernelv2.6.105,039,29623h13m27s6050m34s1661Total6,822,47535h59m49s531h47m17s1060LOC:totalnumberoflinesofcode;Time:analysistimeonasingleprocessor(2.8GXeon);P.Time:parallelanalysistimeonaheterogeneousclusterofaround80unloadedCPUs.(a)PerformanceStatistics.FnFailed(%)AllocBugsFP(%)User-spaceApp.Samba7,43224(0.3%)80838(8.79%)OpenSSL4,18160(1.4%)1011171(0.85%)Postx1,58911(0.7%)9680(0%)Binutils2,98236(1.2%)911365(3.55%)OpenSSH6075(0.8%)19290(0%)Sub-total16,791136(0.8%)38737314(3.62%)LinuxKernelv2.6.1074,367792(1.1%)3688241(33%)Total91,158928(1.0%)75545555(10.8%)Fn:numberoffunctionsintheprogram;Alloc:numberofmemoryallocatorsdetected;FP:numberoffalsepositives.(b)Analysisresults.TableVI.Experimentalresultsforthememoryleakchecker.workstations.Foreachfunction,theresourcelimitsweresetto512MBofmemoryand90secondsofCPUtime.ThetopportionsofTablesVI(a)and(b)givetheperformancestatisticsandbugcountsoftheleakcheckerontheveuser-spaceapplications.Notethatwemissanybugsinthesmallpercentageoffunctionswhereresourcelimitsareexceeded.The1.8millionlinesofcodewereanalyzedinunder13hoursusingasingleprocessorandinunder1hourusingaclusterofabout80CPUs.Theparallelspeedupsincreasesignicantlywithprojectsize,indicatinglargerprojectshaverelativelyfewercallgraphdependenciesthansmallprojects.Notethatthesequentialscalingbehavior(measuredinlinesofcodepersecond)remainsstableacrossprojectsrangingfrom36Kupto909Klinesofunpreprocessedcode.Thetoolissued379warningsacrosstheseapplications.Wehaveexaminedallthewarningsandbelieve365ofthemarebugs.(Warningsareperallocationsitetofacilitateinspection.)Besidesbugreports,theleakcheckergeneratesadatabaseoffunctionsummariesdocumentingeachfunction'smemorybehavior.Inourex-ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
351/*Samba{libads/ldap.c:adsleaverealm*/2host=strdup(hostname);3if(...)f4...;5returnADSERRORSYSTEM(ENOENT);6g7...(a)Theprogrammerforgottofreehostonanerrorexitpath.1/*Samba{client/clitar.c:dotarput*/2longlename=getlonglename(nfo);3...4return;(b)Theprogrammerapparentlyisnotawarethatgetlonglenameallocatesnewmemory,andforgetstode-allocatelonglenameonexit.1/*Samba{utils/netrpc.c:rpctrustdomrevoke*/2domainname=smbxstrdup(argv[0]);3...4if(!trusteddomainpassworddelete(domainname))5...6return..;(c)trusteddomainpassworddeletedoesnotde-allocatememory,asitsnamemightsuggest.Memoryreferencedbydomainnameisthusleakedonexit.Fig.17.Threerepresentativeerrorsfoundbytheleakchecker.1/*OpenSSL{crypto/bn/bnlib.c:BNcopy*/2t=BNnew();3if(t==NULL)return(NULL);4r=BNcopy(t,a);5if(r==NULL)6BNfree(t);7returnr;Fig.18.Asamplefalsepositive.perience,thefunctionsummariesarehighlyaccurate,andthat,combinedwithpath-sensitiveintraproceduralanalysis,explainstheexceptionallylowfalseposi-tiverate.Thesummarydatabase'sfunctionlevelgranularityenabledustofocusononefunctionatatimeduringinspection,whichfacilitatedbugconrmation.Mostofthebugswefoundcanbeclassiedintothreemaincategories:(1)Misseddeallocationonerrorpaths.Thiscaseisbyfarthemostcommon,oftenhappeningwhentheprocedurehasmultipleallocationsitesanderrorconditions.Errorsarecommonevenwhentheprogrammerhasmadeaneorttoclean-uporphanedmemoryblocks.Figure17agivesanexample.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 36
YichenXieandAlexAiken(2)Missedallocators.NotallmemoryallocatorshavenameslikeOPENSSLmalloc.Programmerssometimesforgettofreeresultsfromlessobviousallocatorssuchasgetlonglename(samba/client/clitar.c,Figure17b).(3)Non-escapingprocedurecalls.Despitethesuggestivename,trusteddomainpassworddelete(samba/passdb/secrets.c)doesnotfreeitsparameter(Figure17c).Figure18showsafalsepositivecausedbyalimitationofourchoiceoffunctionsummaries.Atline4,BNcopyreturnsacopyoftonsuccessandnullonfailure,whichisnotdetected,norisitexpressiblebythefunctionsummary.6.9.2TheLinuxKernel.ThebottomportionsofTablesVI(a)and(b)sum-marizestatisticsofourexperimentsonLinux2.6.10.Usingtheparallelanalysisframework(recallSection6.8)wedistributedtheanalysisworkloadon80CPUs.Theanalysiscompletedin50minutes,processing1661linespersecond.Wearenotawareofanyotheranalysisalgorithmthatachievesthislevelofparallelism.ThebugcountforLinuxisconsiderablylowerthanfortheotherapplicationsrelativetothesizeofthesourcecode.TheLinuxprojecthasmadeaconsciouseorttoreducememoryleaks,and,inmostcases,theytrytorecoverfromerrorconditions,wheremostoftheleaksoccur.Nevertheless,thetoolfound82leakerrors,someofwhichweresurroundedbyerrorhandlingcodethatfreesanumberofotherresources.Twoerrorswereconrmedbythedevelopersasexploitableandcouldpotentiallyenabledenialofserviceattacksagainstthesystem.Thesebugswereimmediatelyxedwhenreported.Thefalsepositiverateishigherinthekernelthanuserspaceapplicationsduetowide-spreaduseoffunctionpointersandpointerarithmetic.Ofthe41falsepositives,16areduetocallsviafunctionpointersand9duetopointerarithmetic.Applicationspeciclogicaccountedforanother12,andtheremaining4areduetoSaturn'scurrentlimitationsinmodelingconstructssuchasarraysandunions.7.UNSOUNDNESSOnetheoreticalweaknessofthetwocheckers,asdescribedabove,isunsoundness.Inthissection,webrie\rysummarizethesourcesofunsoundness.Boththenite-statemachine(FSM)checkerandthememoryleakanalysissharethefollowingsourcesofunsoundness:(1)Handlingofloops.WeintroducedtwotechniquestohandleloopsinSaturn:unrollingandhavoc'ing,bothofwhichareunsound.Theformermightmissbugsthatoccuronlyinalong-runningloop,andthelatterisunsoundinitstreatmentofmodiedpointersintheloopbody(seeSection6.6).(2)Handlingofrecursion.Recursivefunctioncallsarenothandledinthetwocheckers,sobugscouldremainundetectedduetoinaccuratefunctionsum-maries.(3)Interproceduralaliasing.Bothcheckersusetheheuristicthatdistinctpoint-ersfromtheexternalenvironment(e.g.functionparameters,globalvariables)pointtodistinctobjects.Althougheectiveinpractice,thisheuristicmaypreventouranalysisfromdetectingbugscausedbyinterproceduralaliasing.(4)Summaryrepresentation.Thefunctionsummaryrepresentationsforbothcheckersleaveseveralaspectsofafunction'sbehaviorunspecied.ExamplesACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
37includeinterproceduralside-eects(e.g.modicationofglobalvariables)andaliasing,bothofwhichmayleadtofalsenegatives.(5)UnhandledCconstructs.Foreciencyreasons,constructssuchasunions,arrays,andpointerarithmeticarenotdirectlymodeledbytheSaturnframe-work.Rather,theyarehandledbyspeciccheckersduringtranslationfromCtotheSaturnintermediatelanguage.Forexample,intheleakchecker,memoryblocksstoredinarraysareconsideredtobeescaped,whichisasourceofunsoundness.ItisworthnotingthatunsoundnessisnotafundamentallimitationoftheSat-urnframework.SoundanalysescanbeconstructedinSaturnbyusingappropri-atesummariesforbothloopsandfunctionsandbyiteratingtheanalysestoreachaxedpoint.Forexample,[HackettandAiken2005]describesthedesignandimplementationofasoundandprecisepointeraliasanalysisinSaturn.8.RELATEDWORKInthissectionwediscusstherelationshipofSaturntoseveralothersystemsforerrordetectionandprogramverication.8.1FSMCheckingSeveralprevioussystemshavebeensuccessfullyappliedtocheckingnitestatemachinepropertiesinsystemcode.Saturnwaspartlyinspiredbytherstauthor'spreviousworkonMetaCompilation(MC)[Engleretal.2000;Hallemetal.2002]andourprojectisphilosophicallyalignedwithMCinthatitisabugdetection,ratherthanaverication,system.Infact,SaturnbeganasanattempttoimprovetheaccuracyofMC's\rowsensitivebutpathinsensitiveanalysis.Underthehood,MCattachesnitestatemachines(FSM)tosyntacticprogramobjects(e.g.,variables,memorylocations,etc.)andusesaninterproceduraldata\rowanalysistocomputethereachabilityoftheerrorstate.Becauseconservativepointeranalysisisoftenasourceoffalsepositivesforbugndingpurposes[Fosteretal.2002],MCsimplychoosesnottomodelpointersortheheap,therebypre-ventingfalsepositivesfromspuriousaliasrelationshipsbyat.MCcheckersuseheuristics(e.g.,separateFSMtransitionsforthetrueandfalsebranchesofrelevantifstatements)andstatisticalmethodstoinfersomeofthelostinformation.Thesetechniquesusuallydramaticallyreducefalsepositiveratesafterseveralroundsoftrialanderror.However,theycannotfullycompensatefortheinformationlostduringtheanalysis.Forexample,inthecodebelow,/*1:datacorrelation*/if(x)spinlock(&lock);if(x)spinunlock(&lock);/*2:aliasing*/l=&p�lock;spinlock(&p�lock);spinlock(l);MCemitsaspuriouswarningintherstcase,andmissestheerrorinthesecond.TherstscenariooccursfrequentlyinLinux,andaninterproceduralversionofthesecondisalsoprevalent.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 38
YichenXieandAlexAikenSaturncanbeviewedasbothageneralizationandsimplicationofMCbecauseituniformlyreliesonbooleansatisabilitytomodelallaspectswithoutspecialcases.ThelockcheckerpresentedinSection5.5naturallytrackslocksthatareburiedintheheap,orconditionallymanipulatedbasedonthevaluesofcertainpredicates.Indesigningthischecker,wefocusedontwokindsofLinuxmutexer-rorsthatexhibitedhighratesoffalsepositivesinMC:doublelockinganddoubleunlocking(2errorsand23falsepositives[Engleretal.2000]).OurexperimentsshowthatSaturn'simprovedaccuracyandsummary-basedinterproceduralanal-ysisallowittobettercapturelockingbehaviorintheLinuxkernelandthusndmoreerrorsatalowerfalsepositiverate.WhileBLAST,SLAM,andothersoftwaremodelcheckingprojectshavemadedramaticprogressandnowhandlehundredsofthousandsoflinesofcode[BallandRajamani2001;Henzingeretal.2003;Henzingeretal.2002],thesearewhole-programanalyses.ESP,alower-complexityapproachbasedoncontext-freereach-ability,issimilarlywhole-program[Dasetal.2002].Incontrast,Saturnanalyzesopenprogramsandcomputessummariesforfunctionsindependentoftheircall-ingcontext.Inourexperiments,Saturnscalestomillionsoflinesofcodeandshouldinfactbeabletoscalearbitrarily,atleastforcheckingpropertiesthatlendthemselvestoconcisefunctionsummaries.Inaddition,Saturnhastheprecisionofpath-sensitivebit-levelanalysiswithinfunctionbodies,whichmakeshandlingnormallydicult-to-modelconstructs,suchastypecasts,easy.Infact,Saturn'scodesizeisonlyabout25%ofthecomparablepartofBLAST(themostadvancedsoftwaremodelcheckeravailabletous),whichsupportsourimpressionthataSAT-basedcheckeriseasiertoengineer.CQualisaquitedierent,type-basedapproachtoprogramchecking[Fosteretal.2002;Aikenetal.2003].CQual'sprimarylimitationisthatitispathinsensitive.Inthelockingapplicationpathsensitivityisnotparticularlyimportantformostlocks,butwehavefoundthatitisessentialforuncoveringthenumeroustrylockerrorsinLinux.CQual'sstrengthisinsophisticatedglobalaliasanalysisthatallowsforsoundreasoningandrelativelyfewfalsepositivesduetospuriousaliases.8.2MemoryLeakDetectionMemoryleakdetectionusingdynamictoolshasbeenastandardpartoftheworkingprogrammer'stoolkitformorethanadecade.OneoftheearliestandbestknowntoolsisPurify[HastingsandJoyce1992];see[ChilimbiandHauswirth2004]forarecentandsignicantlydierentapproachtodynamicleakdetection.Dynamicmemoryleakdetectionislimitedbythequalityofthetestsuite;unlessatestcasetriggersthememoryleakitcannotbefound.Morerecentlytherehasbeenworkondetectingmemoryleaksstatically,some-timesasanapplicationofgeneralshapeorheapanalysistechniques,butinothercasesfocusingonleakdetectionasaninterestingprogramanalysisprobleminitsownright.OneoftheearlieststaticleakdetectorswasLCLint[Evans1996],whichemploysanintraproceduraldata\rowanalysistondlikelymemoryerrors.Theanalysisdependsheavilyonuserannotationtomodelfunctioncalls,thusrequiringsubstantialmanualeorttouse.Thereportedfalsepositiverateishighmainlyduetopathinsensitiveanalysis.Prex[Bushetal.2000]detectsmemoryleaksbysymbolicsimulation.LikeSat-ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
39urn,Prexusesfunctionsummariesforscalabilityandispathsensitive.However,Prexexplicitlyexplorespathsoneatatime,whichisexpensiveforprocedureswithmanypaths.Heuristicslimitthesearchtoasmallsetof\interesting"paths.Incontrast,Saturnrepresentsallpathsusingbooleanconstraintsandpathexplo-rationisimplicitaspartofbooleanconstraintsolving.Chou[Chou2003]describesapath-sensitiveleakdetectionsystembasedonstaticreferencecounting.Ifthestaticreferencecount(whichover-approximatesthedy-namicreferencecount)becomeszeroforanobjectthathasnotescaped,thatobjectisleaked.ChoureportsndinghundredsofmemoryleaksinanearlierLinuxker-nelusingthismethod,mostofwhichhavesincebeenpatched.Theanalysisisquiteconservativeinwhatitconsidersescaping;forexample,savinganaddressintheheaporpassingitasafunctionargumentbothcausetheanalysistotreatthememoryatthataddressasescaped(i.e.,notleaked).Theinterproceduralaspectoftheanalysisisaconservativetesttodiscovermallocwrappers.Saturn'spath-andcontext-sensitiveanalysisismoreprecisebothintra-andinter-procedurally.Weknowoftwomemoryleakanalysesthataresoundandforwhichsubstantialexperimentaldataisavailable.HeineandLamuseownershiptypestotrackanob-ject'sowningreference(thereferenceresponsiblefordeallocatingtheobject)[HeineandLam2003].HackettandRuginadescribeahybridregionandshapeanalysis(wheretheregionsaregivenbytheequivalenceclassesdenedbyanunderlyingpoints-toanalysis)[HackettandRugina2005].Inbothcases,onthesameinputsSaturnndsmorebugswithalowerfalsepositiverate.WhileSaturn'slowerfalsepositiveisnotsurprising(soundnessusuallycomesattheexpenseofmorefalsepositives),thehigherbugcountsforSaturnaresurprising(becausesoundtoolsshouldnotmissanybugs).Forexample,forbinutilsSaturnfound136bugscomparedwith66foundbyHeineandLam.ThereasonappearstobethatHeineandLaminspectedonly279of1106warningsgeneratedbytheirsystem;theother727warningswereconsideredlikelytobefalsepositives.(SaturndidmissonebugreportedbyHeineandLamduetoexceedingtheCPUtimelimitforthefunctioncontainingthebug.)HackettandRuginareport10bugsinOpenSSHoutof26warnings.Herethereappeartobetwoissues.First,theabstractionforwhichthealgorithmissounddoesnotmodelsomecommonfeaturesofC,causingtheimplementationforCtomisssomebugs.Second,theimplementationdoesnotalwaysnish(justasSaturndoesnot).Therehasbeenextensivepriorresearchinpoints-toandescapeanalysis.AccesspathswererstusedbyLandiandRyder[LandiandRyder1992]assymbolicnamesformemorylocationsaccessedinaprocedure.Severallateralgorithms(e.g.,[Emamietal.1994;WilsonandLam1995;LiangandHarrold2001])alsomakeuseofparameterizedpointerinformationtoachievecontextsensitivity.Escapeanalysis(e.g.[WhaleyandRinard1999;Ruf2000])determinesthesetofobjectsthatdonotescapeacertainregion.Theresultistraditionallyusedinprogramoptimizerstoremoveunnecessarysynchronizationoperations(forobjectsthatneverescapeathread)orenablestackallocation(foronesthatneverescapeafunctioncall).Leakdetectionbenetsgreatlyfrompath-sensitivity,whichisnotapropertyoftraditionalescapeanalyses.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 40
YichenXieandAlexAiken8.3OtherSAT-basedCheckingandVericationToolsRapidimprovementsinalgorithmsforSAT(e.g.zCha[Zhangetal.2001;Moskewiczetal.2001],whichweuseinSaturn)haveledtoitsuseinavarietyofapplications,includingrecentlyinprogramverication.JacksonandVaziriwereapparentlythersttoconsiderndingbugsviareduc-ingprogramsourcetobooleanformulas[JacksonandVaziri2000].Subsequentlytherehasbeensignicantworkonasimilarapproachcalledboundedmodelchecking[Kroeningetal.2003].In[Clarkeetal.2004],Clarkeet.al.hasfurtherexploredtheideaofSAT-basedpredicateabstractionofANSI-Cprograms.Whiletherearemanylow-levelalgorithmicdierencesbetweenSaturnandtheseothersystems,theprimaryconceptualdierenceisouremphasisonscalability(e.g.,functionsum-maries)andfocusonfullyautomatedinference,aswellaschecking,ofpropertieswithoutseparateprogrammer-writtenspecications.9.CONCLUSIONWehavepresentedSaturn,ascalableandpreciseerrordetectionframeworkbasedonbooleansatisability.Oursystemhasanovelcombinationoffeatures:itmodelsallvalues,includingthoseintheheap,pathsensitivelydowntothebitlevel,itcomputesfunctionsummariesautomatically,anditscalestomillionsoflinesofcode.WehaveexperimentallyvalidatedourapproachbyconductingtwocasestudiesinvolvingaLinuxlockcheckerandamemoryleakchecker.Resultsfromtheexperimentsshowthatoursystemscaleswell,parallelizeswell,andndsmoreerrorswithlessfalsepositivesthanpreviouserrordetectionsystems.REFERENCESA.V.,Sethi,R.,andUllman,J.D.1986.Compilers:Principles,Techniques,andTools.Addison-Wesley,Reading,Massachusetts.Aiken,A.,Foster,J.S.,Kodumal,J.,andTerauchi,T.2003.Checkingandinferringlocalnon-aliasing.InProceedingsofthe2003ACMSIGPLANConferenceonProgrammingLanguageDesignandImplementation.ACMPress,129{140.Ball,T.,Cook,B.,Levin,V.,andRajamani,S.2004.SLAMandStaticDriverVerier:TechnologytransferofformalmethodsinsideMicrosoft.InProceedingsofFourthInternationalConferenceonIntegratedFormalMethods.Springer.Ball,T.andRajamani,S.K.2001.Automaticallyvalidatingtemporalsafetypropertiesofinterfaces.InProceedingsofSPIN2001WorkshoponModelCheckingofSoftware.103{122.LNCS2057.Bryant,R.E.1986.Graph-basedalgorithmsforbooleanfunctionmanipulation.IEEETrans-actionsonComputersC-35,8(Aug.),677{691.Bush,W.,Pincus,J.,andSielaff,D.2000.Astaticanalyzerforndingdynamicprogrammingerrors.Software|Practice&Experience30,7(June),775{802.Chilimbi,T.andHauswirth,M.2004.Low-overheadmemoryleakdetectionusingadaptivesta-tisticalproling.InProceedingsofthe11thInternationalConferenceonArchitecturalSupportforProgrammingLanguagesandOperatingSystems.Chou,A.2003.Staticanalysisforbugndinginsystemssoftware.Ph.D.thesis,StanfordUniversity.Clarke,E.,Kroening,D.,andLerda,F.2004.AtoolforcheckingANSI-Cprograms.InToolsandAlgorithmsfortheConstructionandAnalysisofSystems(TACAS),K.JensenandA.Podelski,Eds.LectureNotesinComputerScience,vol.2988.Springer,168{176.Clarke,E.,Kroening,D.,Sharygina,N.,andYorav,K.2004.PredicateabstractionofANSI-CprogramsusingSAT.FormalMethodsinSystemsDesign25,2-3(Sept.),105{127.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. Saturn:AScalableFrameworkforErrorDetectionusingBooleanSatisability
41Das,M.,Lerner,S.,andSeigle,M.2002.Path-sensitiveprogramvericationinpolynomialtime.InProceedingsoftheACMSIGPLAN2002ConferenceonProgrammingLanguageDesignandImplementation.Berlin,Germany.Emami,M.,Ghiya,R.,andHendren,L.1994.Context-sensitiveinterproceduralpoints-toanaly-sisinthepresenceoffunctionpointers.InProceedingsoftheACMSIGPLAN1994ConferenceonProgrammingLanguageDesignandImplementation.Engler,D.,Chelf,B.,Chou,A.,andHallem,S.2000.Checkingsystemrulesusingsystem-specic,programmer-writtencompilerextensions.InProceedingsofOperatingSystemsDesignandImplementation(OSDI).Evans,D.1996.Staticdetectionofdynamicmemoryerrors.InProceedingsoftheACMSIGPLAN1996ConferenceonProgrammingLanguageDesignandImplementation.Foster,J.S.,Terauchi,T.,andAiken,A.2002.Flow-sensitivetypequaliers.InProceedingsofthe2002ACMSIGPLANConferenceonProgrammingLanguageDesignandImplementation.1{12.Hackett,B.andAiken,A.2005.Howisaliasingusedinsystemssoftware?Tech.rep.,StanfordUniversity.Hackett,B.andRugina,R.2005.Region-basedshapeanalysiswithtrackedlocations.InProceedingsofthe32ndAnnualSymposiumonPrinciplesofProgrammingLanguages.Hallem,S.,Chelf,B.,Xie,Y.,andEngler,D.2002.Asystemandlanguageforbuildingsystem-specic,staticanalyses.InProceedingsoftheACMSIGPLAN2002ConferenceonProgrammingLanguageDesignandImplementation.Berlin,Germany.Hastings,R.andJoyce,B.1992.Purify:Fastdetectionofmemoryleaksandaccesserrors.InProceedingsoftheWinterUSENIXConference.Heine,D.L.andLam,M.S.2003.Apractical\row-sensitiveandcontext-sensitiveCandC++memoryleakdetector.InProceedingsoftheACMSIGPLAN2003ConferenceonProgrammingLanguageDesignandImplementation.168{181.Henzinger,T.A.,Jhala,R.,andMajumdar,R.2002.Lazyabstraction.InProceedingsofthe29thAnnualSymposiumonPrinciplesofProgrammingLanguages.Henzinger,T.A.,Jhala,R.,Majumdar,R.,andSutre,G.2003.SoftwarevericationwithBlast.InProceedingsoftheSPIN2003WorkshoponModelCheckingSoftware.235{239.LNCS2648.Jackson,D.andVaziri,M.2000.Findingbugswithaconstraintsolver.InProceedingsofthe2000ACMSIGSOFTInternationalSymposiumonSoftwareTestingandAnalysis.Khurshid,S.,Pasareanu,C.,andVisser,W.2003.Generalizedsymbolicexecutionformodelcheckingandtesting.InProceedingsofthe9thInternationalConferenceonToolsandAlgo-rithmsfortheConstructionandAnalysisofSystems.Springer.Kroening,D.,Clarke,E.,andYorav,K.2003.BehavioralconsistencyofCandVerilogprogramsusingboundedmodelchecking.InProceedingsofthe40thDesignAutomationCon-ference.ACMPress,368{371.Landi,W.andRyder,B.1992.Asafeapproximationalgorithmforinterproceduralpointeraliasing.InProceedingsoftheACMSIGPLAN1992ConferenceonProgrammingLanguageDesignandImplementation.Liang,D.andHarrold,M.2001.Ecientcomputationofparameterizedpointerinformationforinterproceduralanalysis.InProceedingsofthe8thStaticAnalysisSymposium.Moskewicz,M.,Madigan,C.,Zhao,Y.,Zhang,L.,andMalik,S.2001.Cha:Engineeringanecientsatsolver.InProceedingsofthe39thConferenceonDesignAutomationConference.Ruf,E.2000.EectivesynchronizationremovalforJava.InProceedingsoftheACMSIGPLAN2000ConferenceonProgrammingLanguageDesignandImplementation.Whaley,J.andRinard,M.1999.CompositionalpointerandescapeanalysisforJavaprograms.InProceedingsofthe14thACMSIGPLANconferenceonObject-orientedprogramming,sys-tems,languages,andapplications.Wilson,R.andLam,M.1995.Ecientcontext-sensitivepointeranalysisforCprograms.InProceedingsoftheACMSIGPLAN1995ConferenceonProgrammingLanguageDesignandImplementation.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear. 42
YichenXieandAlexAikenXie,Y.andChou,A.2002.Pathsensitiveanalysisusingbooleansatisability.Tech.rep.,StanfordUniversity.Nov.Zhang,L.,Madigan,C.,Moskewicz,M.,andMalik,S.2001.Ecientcon\rictdrivenlearninginabooleansatisabilitysolver.InProceedingsofInternationalConferenceonComputer-AidedDesign.SanJose,CA.ACMTransactionsonProgrammingLanguagesandSystems,Vol.TBD,No.TDB,MonthYear.