a crash course on some recent bug finding tricks
play

A crash course on some recent bug finding tricks. Junfeng Yang, Can - PowerPoint PPT Presentation

Nov 24, 2023 •312 likes •1.02k views

A crash course on some recent bug finding tricks. Junfeng Yang, Can Sar, Cristian Cadar, Paul Twohey Dawson Engler Stanford Background Lineage Thesis work at MIT building a new OS (exokernel) Spent last 7 years developing methods to

  1. A crash course on some recent bug finding tricks. Junfeng Yang, Can Sar, Cristian Cadar, Paul Twohey Dawson Engler Stanford

  2. Background  Lineage  Thesis work at MIT building a new OS (exokernel)  Spent last 7 years developing methods to find bugs in them (and anything else big and interesting)  Goal: find as many serious bugs as possible.  Agnostic on technique: system-specific static analysis, implementation-level model checking, symbolic execution.  Our only religion: results. Works? Good. No work? Bad.  This talk  eXplode: model-checking to find storage system bugs.  EXE: symbolic execution to generate inputs of death  Maybe: weird things that happen(ed) when academics try to commercialize static checking.

  3. E X PLODE: a Lightweight, General System for Finding Serious Storage System Errors Junfeng Yang, Can Sar, Dawson Engler Stanford University

  4. The problem  Many storage systems, one main contract  You give it data. It does not lose or corrupt data.  File systems, RAID, databases, version control, ...  Simple interface, difficult implementation: failure  Wonderful tension for bug finding  Some of the most serious errors possible.  Very difficult to test: system must *always* recover to a valid state after any crash  Typical: inspection (erratic), bug reports (users Goal: comprehensively check many storage mad), pull power plug (advanced, not systematic) systems with little work

  5. E X PLODE summary  Comprehensive: uses ideas from model checking  Fast, easy Check new storage system: 200 lines of C++ code  Port to new OS: 1 device driver + optional instrumentation   General, real: check live systems. Can run (on Linux, BSD), can check, even w/o source code   Effective checked 10 Linux FS, 3 version control software, Berkeley DB,  Linux RAID, NFS, VMware GSX 3.2/Linux Bugs in all, 36 in total, mostly data loss   This work [OSDI’06] subsumes our old work FiSC [OSDI’04]

  6. Checking complicated stacks subversion ok?  All real checker subversion  Stack of storage %svnadm.recover systems NFS client  subversion: an %fsck.jfs loopback open-source crash version control NFS server %mdadm --assemble software --run JFS --force  User-written --update=resync software checker on top %mdadm -a RAID1  Recovery tools run checking checking crash crash after EXPLODE- disk disk disk disk simulated crashes

  7. Outline  Core idea  Checking interface  Implementation  Results  Related work, conclusion and future work

  8. The two core eXplode principles  Expose all choice: When execution reaches a point in program that can do one of N different actions, fork execution and in first child do first action, in second do second, etc.  Exhaust states: Do every possible action to a state before exploring another.  Result of systematic state exhaustion:  Makes low-probability events as common as high- probability ones. Quickly hit tricky corner cases.

  9. Core idea: explore all choices  Bugs are often triggered by corner cases  How to find: drive execution down to these tricky corner cases When execution reaches a point in program that can do one of N different actions, fork execution and in first child do first action, in second do second, etc.

  10. External choices  Fork and do every possible operation creat Explore generated k n i l states as well … /root unlink a b mkdir c rmdir … Speed hack: hash states, discard if seen, prioritize interesting ones.

  11. Internal choices  Fork and explore all internal choices creat kmalloc returns NULL /root a b Buffer cache misses c

  12. How to expose choices  To explore N-choice point, users instrument code using choose(N)  choose(N): N-way fork, return K in K’th kid void* kmalloc(size s) { if(choose(2) == 0) return NULL; … // normal memory allocation }  We instrumented 7 kernel functions in Linux

  13. Crashes  Dirty blocks can be written in any order, crash at any point creat buffer Users write code to cache check recovered FS /root a b check fsck c Write all check fsck subsets check fsck

  14. Outline  Core idea: exhaustively do all verbs to a state.  external choices X internal choices X crashes.  This is the main thing we’d take from model checking  Surprised when don’t find errors.  Checking interface  What E X PLODE provides  What users do to check their storage system  Implementation  Results  Related work, conclusion and future work

  15. What E X PLODE provides  choose(N) : conceptual N-way fork, return K in K’th child execution  check_crash_now(): check all crashes that can happen at the current moment  Paper talks about more ways for checking crashes  Users embed non-crash checks in their code. E X PLODE amplifies them  error() : record trace for deterministic replay

  16. What users do FS checker  Example: ext3 on RAID Ext3 Raid RAM Disk RAM Disk  checker: drive ext3 to do something: mutate(), then verify what ext3 did was correct: check()  storage component: set up, repair and tear down ext3, RAID. Write once per system  assemble a checking stack

  17.  FS Checker  mutate  ext3 Component  Stack choose(4) creat file rm file mkdir rmdir sync fsync …/0 1 2 3 4 …/0 1 2 3 4

  18. Check file exists  FS Checker  check Check file contents match  ext3 Component Even trivial checkers work:finds JFS fsync bug which causes lost file.  Stack Checkers can be simple (50 lines) or very complex(5,000 lines) Whatever you can express in C++, you can check

  19.  storage component: initialize, repair, set up, and tear down your  FS Checker system  Mostly wrappers to existing utilities. “mkfs”, “fsck”, “mount”, “umount”  ext3  threads(): returns list of kernel Component thread IDs for deterministic error replay  Stack  Write once per system, reuse to form stacks  Real code on next slide

  20.  FS Checker  ext3 Component  Stack

  21.  FS Checker  assemble a checking stack  Let E X PLODE know how  ext3 subsystems are connected Component together, so it can initialize, set up, tear down, and repair the entire stack  Stack Ext3 Raid  Real code on next slide RAM Disk RAM Disk

  22.  FS Checker  ext3 Component  Stack Ext3 Raid RAM Disk RAM Disk

  23. Outline  Core idea: explore all choices  Checking interface: 200 lines of C++ to check a system  Implementation  Checkpoint and restore states  Deterministic replay  Checking process  Checking crashes  Checking “soft” application crashes  Results Related work, conclusion and future work

  24. Recall: core idea  “Fork” at decision point to explore all choices state: a snapshot of the checked system …

  25. How to checkpoint live system?  Hard to checkpoint live kernel memory  VM checkpoint heavy-weight  checkpoint: record all choose() returns from S0 2 S0 3  restore: umount, restore S S0, re-run code, make K’th choose() return K’th … recorded values S = S0 + redo choices (2, 3) Key to E X PLODE approach

  26. Deterministic replay  Need it to recreate states, diagnose bugs Sources of non-determinism  Kernel choose() can be called by other code  Fix: filter by thread IDs. No choose() in interrupt  Kernel scheduler can schedule any thread  Opportunistic hack: setting priorities. Worked well  Can’t use lock: deadlock. A holds lock, then yield to B  Other requirements in paper  Worst case: non-repeatable error. Automatic detect and ignore

  27. E X PLODE: put it all together E X PLODE Runtime Checking Stack FS Checker ? Model Ext3 Component Checking Loop Raid Component Kernel Modified Linux Cache EKM Buffer Ext 3 Raid ? void* kmalloc (size_t s, int fl) { if(fl & __GFP_NOFAIL) RAM Disk RAM Disk if(choose (2) == 0) return NULL; …. Hardware EKM = EXPLODE EXPLODE User code device driver

  28. Outline  Core idea: explore all choices  Checking interface: 200 lines of C++ to check a system  Implementation  Results  Lines of code  Errors found Related work, conclusion and future work

  29. E X PLODE core lines of code Lines of code Linux 1,915 (+ 2,194 generated) Kernel patch FreeBSD 1,210 User-level code 6,323 3 kernels: Linux 2.6.11, 2.6.15, FreeBSD 6.0. FreeBSD patch doesn’t have all functionality yet

  30. Checkers lines of code, errors found Storage System Checked Component Checker Bugs 10 file systems 744/10 5,477 18 CVS 27 68 1 Subversion 31 69 1 Storage applications 30 124 3 “E XP ENS IVE ” Berkeley DB 82 202 6 RAID 144 FS + 137 2 Transparent NFS 34 FS 4 subsystems VMware 54 FS 1 GSX/Linux Total 1,115 6,008 36

  31. Outline  Core idea: explore all choices  Checking interface: 200 lines of C++ to check new storage system  Implementation  Results  Lines of code  Errors found Related work, conclusion and future work

  32. FS Sync checking results indicates a failed check App rely on sync operations, yet they are broken

  33. ext2 fsync bug Events to trigger bug B B truncate A … A creat B Mem write B Disk B fsync B … A crash! Indirect block fsck.ext2 Bug is fundamental due to ext2 asynchrony

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez,

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez, Soujanya Ponnapalli, Pandian Raju, Vijay Chidambaram Crashes I crashed This is very File saved! important File missing Image

878 views • 87 slides
Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang, Jian Huang, and Marc Snir University of Illinois at Urbana-Champaign Contact: Jinghan Sun (js39@illinois.edu) PFS failures are frequent and

912 views • 17 slides
2010 Large Truck and Bus Crash Data: An Overview Webinar June 21, 2012 Ralph Craft, Ph.D.

2010 Large Truck and Bus Crash Data: An Overview Webinar June 21, 2012 Ralph Craft, Ph.D.

2010 Large Truck and Bus Crash Data: An Overview Webinar June 21, 2012 Ralph Craft, Ph.D. Analysis Division Table of Contents 2010 macro data Recent trends Crash rates The economy and crashes Crash description

286 views • 24 slides
Finding Recent Frequent Itemsets Adaptively over Online Data Stream Yueting Chen Outline

Finding Recent Frequent Itemsets Adaptively over Online Data Stream Yueting Chen Outline

2017/11/22 Finding Recent Frequent Itemsets Adaptively over Online Data Stream Yueting Chen Outline Introduction Data Stream Related Works Preliminaries Finding recent frequent itemsets Count estimations of an itemset

315 views • 20 slides
Recent finding and control measures of branch canker, black

Recent finding and control measures of branch canker, black

Recent finding and control measures of branch canker, black streak and stem-end rot diseases of avocado Akif Eskalen, Mathias Twizeyimana, Jim Adaskaveg, Helga

735 views • 31 slides
Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared 6/3/2020 1- Crash Identification Block The month, day and hour should be when the crash occurred Not when reported Not when you arrived 2- General

561 views • 15 slides
TEACHING OLD COMPILERS NEW TRICKS TEACHING OLD COMPILERS NEW TRICKS Transpiling C ++ 17 to C ++ 11

TEACHING OLD COMPILERS NEW TRICKS TEACHING OLD COMPILERS NEW TRICKS Transpiling C ++ 17 to C ++ 11

TEACHING OLD COMPILERS NEW TRICKS TEACHING OLD COMPILERS NEW TRICKS Transpiling C ++ 17 to C ++ 11 Tony Wasserka Meeting C ++ @ fail _ cluez 17 November 2018 WHO AM I ? WHO AM I ? Berlin - based consultant : Workflow optimization , Code

973 views • 24 slides
TRICKS AND TRAPS OF THE CO-OPS ACT TRICKS AND TRAPS OF THE CO-OPS ACT THE NAME TRAP a

TRICKS AND TRAPS OF THE CO-OPS ACT TRICKS AND TRAPS OF THE CO-OPS ACT THE NAME TRAP a

TRICKS AND TRAPS OF THE CO-OPS ACT TRICKS AND TRAPS OF THE CO-OPS ACT THE NAME TRAP a proposed name for a co-operative can be reserved for 90 days before incorporation if you dont incorporate within 90 days, you cannot reserve

604 views • 38 slides
PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location System Website Address: http://pueblo.ms2soft.com Quick Search By: Study Location Location Crash Data Crash ID Date Crash Type LOG

555 views • 31 slides
The Command Line Toolbox A Crash Course on building your own CLI tools Michael Bates !" #$

The Command Line Toolbox A Crash Course on building your own CLI tools Michael Bates !" #$

The Command Line Toolbox A Crash Course on building your own CLI tools Michael Bates !" #$ Kentucky Swing Dance Learn Swift Louisville Organizer " Day job: Python & JS CLI tools: Swift Goals Learn Tips & Tricks

1.17k views • 88 slides
A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas State] John Hatcliff Work on specification patterns by Matthew Dwyer, Jay Corbett, and George Avrunin http://www.cis.ksu.edu/santos/bandera

303 views • 29 slides
The Agile PMP: Teaching an Old Dog New Tricks The Agile PMP: Teaching an Old Dog New Tricks

The Agile PMP: Teaching an Old Dog New Tricks The Agile PMP: Teaching an Old Dog New Tricks

W8 Concurrent Session Wednesday 11/12/2008 12:45 PM 2:15 PM The Agile PMP: Teaching an Old Dog New Tricks The Agile PMP: Teaching an Old Dog New Tricks Presented by: Mike Cottmeyer VersionOne Presented at: Agile Development Practices

646 views • 60 slides
A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure RNA DNA Replication Encoding Proteins Protein Folding Types of DNA Manipulating DNA PCR Biological Computation CPSC

378 views • 36 slides
Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

@amchamwatch| @HofstedeInsight @RudPedersenFIN Country Manager Network Breakfast: Crash Course into the New Finnish Government and HQ Communication Crash Course into the New Finnish Government and HQ Communication Esa Suominen Managing

262 views • 25 slides
Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your

Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your

Finding your way in a graph Finding your way in a graph Finding your way in a graph Finding your way in a graph = station One loop = junction A system of interconnected loops L L What is the best way to go from L to ? L L L 1 ? L

2.13k views • 166 slides
CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain Landscape Architecture & Regional and Community Planning Kansas State University DLA Conference 2015 June 6, 2015 BACKGROUND AND CONTEXT

702 views • 31 slides
Specifying and Checking File System Crash-Consistency Models James Bornholt Antoine Kaufmann

Specifying and Checking File System Crash-Consistency Models James Bornholt Antoine Kaufmann

Specifying and Checking File System Crash-Consistency Models James Bornholt Antoine Kaufmann Jialin Li Arvind Krishnamurthy Emina Torlak Xi Wang University of Washington File systems persist our data Application File System File systems

937 views • 91 slides
Crash Preventability Determination Program 1 Request and Review Process 2 Eligible Crash Types

Crash Preventability Determination Program 1 Request and Review Process 2 Eligible Crash Types

Crash Preventability Determination Program 1 Request and Review Process 2 Eligible Crash Types The following crash types are eligible for submission to the program. Struck in the Rear type of crash when the CMV was struck: in the rear; or

211 views • 20 slides
Minneap apol olis V Vision on Zero Cr Crash sh St Study City Council Transportation and

Minneap apol olis V Vision on Zero Cr Crash sh St Study City Council Transportation and

Minneap apol olis V Vision on Zero Cr Crash sh St Study City Council Transportation and Public Works Committee January 22, 2019 Todays topics Context for Vision Zero Crash Study Key crash study information Next steps for

690 views • 37 slides
ACHILLES Lon Long-term De Deterioration of f Lin Linea ear Infr Infrastructure Monday 04

ACHILLES Lon Long-term De Deterioration of f Lin Linea ear Infr Infrastructure Monday 04

ACHILLES Lon Long-term De Deterioration of f Lin Linea ear Infr Infrastructure Monday 04 February 2019 Friends House London, UK Agenda 1500 Welcome, background and introduction Prof Stephanie Glendinning (Newcastle) 1520 Modelling

318 views • 28 slides
5 th E of Safety John Milton, Ph.D., P.E. Director: Transportation Safety, Quality and Enterprise

5 th E of Safety John Milton, Ph.D., P.E. Director: Transportation Safety, Quality and Enterprise

Joint Use of the HSM and Human Factors Guide 5 th E of Safety John Milton, Ph.D., P.E. Director: Transportation Safety, Quality and Enterprise Risk AASHTO Committee on Safety Annual Meeting, May 8, 2018 Last update 10/24/17 Using Human Factors

606 views • 37 slides
Steele St Multimodal Safety Project July 10th, th, 2019 HOW? Provide roadway space for all

Steele St Multimodal Safety Project July 10th, th, 2019 HOW? Provide roadway space for all

Steele St Multimodal Safety Project July 10th, th, 2019 HOW? Provide roadway space for all WHY? SAFETY Trend is going up in 2019 Streets need to be designed to be safer Project Background Corridor in Context Corridor provides

494 views • 38 slides
Waterfall Way Route Review Casualty Crash Data Analysis June 2014 Centre for Road Safety, TfNSW

Waterfall Way Route Review Casualty Crash Data Analysis June 2014 Centre for Road Safety, TfNSW

Waterfall Way Route Review Casualty Crash Data Analysis June 2014 Centre for Road Safety, TfNSW Overview of Crash Analysis From Tyringham St, Dorrigo to 10m west of Pacific Highway, Raleigh was examined. This section of Waterfall

428 views • 17 slides
OF CRASHES IN LAS CRUCES Purpose The purpose of this project was to identify and analyze

OF CRASHES IN LAS CRUCES Purpose The purpose of this project was to identify and analyze

SPATIAL ANALYSIS OF CRASHES IN LAS CRUCES Purpose The purpose of this project was to identify and analyze areas within the Las Cruces urbanized area that are experiencing recurring patterns of crashes, specifically those that occur at

530 views • 18 slides

More recommend