finding crash consistency bugs with bounded black box
play

Finding Crash-Consistency Bugs with Bounded Black-Box Testing - PowerPoint PPT Presentation

Jan 28, 2024 •8 likes •878 views

Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez, Soujanya Ponnapalli, Pandian Raju, Vijay Chidambaram Crashes I crashed This is very File saved! important File missing Image

  1. Finding Crash-Consistency Bugs with Bounded Black-Box Testing Jayashree Mohan , Ashlie Martinez, Soujanya Ponnapalli, Pandian Raju, Vijay Chidambaram

  2. Crashes 
 I crashed ☹ This is very File saved! important… File missing ☹ Image source : https://www.fotolia.com � 2

  3. I wish filesystems were crash-consistent! � 3

  4. Rename atomicity bug in btrfs Memory Storage � 4

  5. Rename atomicity bug in btrfs A mkdir (A) Memory Storage � 5

  6. Rename atomicity bug in btrfs A mkdir (A) bar touch (A/bar) Memory Storage � 6

  7. Rename atomicity bug in btrfs A mkdir (A) bar touch (A/bar) fsync (A/bar) Memory Storage A bar � 7

  8. Rename atomicity bug in btrfs A mkdir (A) bar touch (A/bar) fsync (A/bar) B mkdir (B) Memory Storage A bar � 8

  9. Rename atomicity bug in btrfs A mkdir (A) bar touch (A/bar) fsync (A/bar) B mkdir (B) bar touch (B/bar) Memory Storage A bar � 9

  10. Rename atomicity bug in btrfs A mkdir (A) bar touch (A/bar) fsync (A/bar) B mkdir (B) touch (B/bar) Memory rename (B/bar, A/bar) Storage A bar � 10

  11. Rename atomicity bug in btrfs A mkdir (A) bar touch (A/bar) foo fsync (A/bar) B mkdir (B) touch (B/bar) Memory rename (B/bar, A/bar) touch (A/foo) Storage A bar � 11

  12. Rename atomicity bug in btrfs A mkdir (A) bar touch (A/bar) foo fsync (A/bar) B mkdir (B) touch (B/bar) Memory rename (B/bar, A/bar) touch (A/foo) fsync (A/foo) Storage A bar foo � 12

  13. Rename atomicity bug in btrfs A mkdir (A) bar touch (A/bar) foo fsync (A/bar) B mkdir (B) touch (B/bar) Memory rename (B/bar, A/bar) touch (A/foo) fsync (A/foo) Storage CRASH! A bar foo Expected � 13

  14. Rename atomicity bug in btrfs A mkdir (A) bar touch (A/bar) foo fsync (A/bar) B mkdir (B) touch (B/bar) Memory rename (B/bar, A/bar) touch (A/foo) Persisted file A/bar fsync (A/foo) missing Storage CRASH! A A bar foo foo Actual Expected � 14

  15. Rename atomicity bug in btrfs A mkdir (A) bar touch (A/bar) foo fsync (A/bar) B mkdir (B) touch (B/bar) Memory rename (B/bar, A/bar) touch (A/foo) Persisted file A/bar fsync (A/foo) missing Storage CRASH! A A bar Exists in the kernel since 2014! foo foo Found by ACE and CrashMonkey Actual Expected � 15

  16. Testing Crash Consistency Today Verified • Annotate filesystems Model Checking • Build FS from scratch • Hard to do for existing FS Filesystems • State of the Art : xfstest suite • Collection of 482 regression tests Only 5% of tests in xfstest check for file system crash consistency � 16

  17. Challenges with systematic testing Systematically generate workloads Infinite Lack of Challenges workload automated space infrastructure Our work addresses both these issues, to provide a systematic testing framework � 17

  18. Bounded Black-Box Crash Testing (B 3 ) New approach to testing file-system crash consistency Bounds: Target Filesystem ➡ Focus on reproducible bugs (length, operations, args) resulting in metadata corruption, data loss. Automatic Crash Explorer(ACE) ➡ Found 10 new bugs across btrfs and F2FS; … Workload 1 Workload n ➡ Found 1 bug in FSCQ (verified file system) CrashMonkey ➡ Filesystem agnostic – works with any POSIX file system Output: Bug report with workload, expected state, actual state www.github.com/utsaslab/crashmonkey � 18

  19. Outline • CrashMonkey • Bounded Black Box Crash Testing • Automatic Crash Explorer (ACE) • Demo � 19

  20. Challenges with systematic testing Infinite Lack of Challenges workload automated space infrastructure � 20

  21. CrashMonkey • Efficient infrastructure to record and replay block level IO requests • Simulate crash at different points in the workload • Automatically test for consistency after crash. • Copy-on-write RAM block device � 21

  22. IO due to workload CrashMonkey in Action Persistence point Workload Initial FS state Final FS state � 22

  23. IO due to workload CrashMonkey in Action Persistence point Workload Initial FS state � 23

  24. IO due to workload Phase 1 : Record IO Persistence point IO forced by unmount Workload Initial FS state Oracle Record IO up to persistence point Safely unmount � 24

  25. IO due to workload Phase 2 : Replay IO Persistence point IO forced by unmount Workload Initial FS state Oracle Record IO up to persistence point Safely unmount Initial FS state Crash State Replay IO up to persistence point � 25

  26. IO due to workload Phase 3 : Test for consistency Persistence point IO forced by unmount Workload Initial FS state Oracle Record IO up to persistence point Safely unmount Auto Checker After recovery Initial FS state Crash State Replay IO up to persistence point � 26

  27. IO due to workload Phase 3 : Test for consistency Persistence point IO forced by unmount Workload Initial FS state Oracle Record IO up to persistence point Safely unmount Auto Checker Initial FS state Crash State Replay IO up to persistence point Bug Report � 27

  28. Challenges with Systematic Testing Infinite Lack of Challenges workload automated space infrastructure CrashMonkey So Far… • Given a workload compliant to POSIX API, we saw how CrashMonkey generates crash states and automatically tests for consistency � 28

  29. Challenges with Systematic Testing Infinite Lack of Challenges workload automated space infrastructure CrashMonkey So Far… • Given a workload compliant to POSIX API, we saw how CrashMonkey generates crash states and automatically tests for consistency • Next question : How to automatically generate workloads in an the infinite workload space? � 29

  30. Exploring the infinite workload space Challenges: • Infinite length of workloads • Large set of filesystem operations • Infinite parameter options (file/directory names, depth) • Infinite options for initial filesystem state • When in the workload to simulate a crash? � 30

  31. Outline • CrashMonkey • Bounded Black Box Crash Testing • Automatic Crash Explorer (ACE) • Demo � 31

  32. B 3 : Bounded Black Box Crash Testing Length of workloads Arguments to system calls Initial FS state � 32

  33. B 3 : Bounded Black Box Crash Testing Length of workloads Arguments to system calls Initial FS state � 33

  34. B 3 : Bounded Black Box Crash Testing Length of workloads Arguments to system calls Image source: https://en.wikipedia.org/wiki/Cube Initial FS state � 34

  35. B 3 : Bounded Black Box Crash Testing Length of workloads Arguments to system calls Initial FS state � 35

  36. B 3 : Bounded Black Box Crash Testing Length of workloads Arguments to system calls Initial FS state � 36

  37. B 3 : Bounded Black Box Crash Testing Length of workloads Arguments to system calls Initial FS state � 37

  38. B 3 : Bounded Black Box Crash Testing Choice of crash point • Only after fsync(), fdatasync() or sync() • Not in the middle of system call • Developers are motivated to patch mkdir (A) touch (A/bar) bugs that break semantics of Crash Point 1 fsync (A/bar) persistence operations mkdir (B) • Crashing in the middle of system touch (B/bar) rename (B/bar, A/bar) calls leads to exponentially large touch (A/foo) Crash Point 2 crash-states. fsync (A/foo) � 38

  39. Limitations of B 3 • No guarantee of finding all crash-consistency bugs in a filesystem • Assumes the correct working of crash-consistency mechanism like journaling or CoW • Does not crash in the middle of system calls • Can only reveal if a bug has occurred, not the reason or origin of bug. • Needs larger compute to test higher sequence lengths � 39

  40. Outline • CrashMonkey • Bounded Black Box Crash Testing • Automatic Crash Explorer (ACE) • Demo � 40

  41. Bounds chosen by ACE Length of workloads Bounds picked based on Arguments to system calls insights from the study of crash-consistency bugs reported on Linux file systems over the last 5 years Initial FS state � 41

  42. Bounds chosen by ACE Length of workloads Maximum # core ops is 3 Arguments to system calls Initial FS state � 42

  43. Bounds chosen by ACE Length of workloads Maximum # core ops is 3 Arguments to system calls A (foo, bar) Root B (foo, bar) Overwrites to start, middle, end of a file and append Initial FS state � 43

  44. Bounds chosen by ACE Length of workloads Maximum # core ops is 3 Arguments to system calls A (foo, bar) Root B (foo, bar) Overwrites to start, middle, end and append New, 100MB FS Initial FS state � 44

  45. Operation Set Phases of ACE creat() link() rename() write() Generating skeletons of sequence-2. : 4*4 = 16 creat() creat() link() link() creat() link() link() rename() creat() creat() link() rename() write() creat() link() rename() rename() write() write() creat() write() creat() rename() rename() write() rename() link() write() write() write() link() rename() � 45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang,

Understanding and Finding Crash-Consistency Bugs in Parallel File Systems Jinghan Sun , Chen Wang, Jian Huang, and Marc Snir University of Illinois at Urbana-Champaign Contact: Jinghan Sun (js39@illinois.edu) PFS failures are frequent and

912 views • 17 slides
Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu *

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu *

Finding Semantic Bugs in File Systems with an Extensible Fuzzing Framework Seulbae Kim, Meng Xu * , Sanidhya Kashyap * , Jungyeon Yoon, Wen Xu, Taesoo Kim * On the job market Demonstration Fuzzing F2FS in Linux v5.0-rc7 for crash consistency

943 views • 75 slides
Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?!

Failure is not an option * A journey through software bugs Philippe Biondi Nov 20 th 2015 / GreHack Failure is not an option * Outline Bugs! 1 Avoiding and Finding bugs 2 Bugs still happen 3 Why do bugs still happen ?! 4 Living with bugs

966 views • 63 slides
Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for

Finding Bugs Last time Run-time reordering transformations Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues CS553 Lecture Finding Bugs 2

461 views • 8 slides
The problem: crash consistency Single operaBon updates mulBple blocks System might crash in

The problem: crash consistency Single operaBon updates mulBple blocks System might crash in

Consistency Without Ordering Vijay Chidambaram, Tushar Sharma, Andrea ArpaciDusseau, Remzi ArpaciDusseau The Advanced Systems Laboratory University of Wisconsin Madison The problem: crash consistency Single operaBon updates mulBple

953 views • 49 slides
Optimistic Crash Consistency Vijay Chidambaram Thanumalayan Sankaranarayana Pillai Andrea

Optimistic Crash Consistency Vijay Chidambaram Thanumalayan Sankaranarayana Pillai Andrea

Optimistic Crash Consistency Vijay Chidambaram Thanumalayan Sankaranarayana Pillai Andrea Arpaci-Dusseau Remzi Arpaci-Dusseau Crash Consistency Problem Single file-system operation updates multiple on-disk data structures System may crash

1.29k views • 83 slides
Application Crash Consistency and Performance with CCFS Thanumalayan Sankaranarayana Pillai,

Application Crash Consistency and Performance with CCFS Thanumalayan Sankaranarayana Pillai,

Application Crash Consistency and Performance with CCFS Thanumalayan Sankaranarayana Pillai, Ramnatthan Alagappan, Lanyue Lu, Vijay Chidambaram, Andrea C. Arpaci-Dusseau, Remzi H. Arpaci-Dusseau Application-Level Crash Consistency Storage must

2.09k views • 139 slides
TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting

TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting

TxFS: Leveraging File-System Crash Consistency to Provide ACID Transactions Yige Hu, Zhiting Zhu, Ian Neal, Youngjin Kwon, Tianyu Chen, Vijay Chidambaram, Emmett Witchel The University of Texas at Austin 1 Crash Applications need crash

819 views • 30 slides
to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram

to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram

CrashMonkey: A Framework to Systematically Test File-System Crash Consistency Ashlie Martinez Vijay Chidambaram University of Texas at Austin Crash Consistency File-system updates change multiple blocks on storage Data blocks, inodes,

499 views • 46 slides
1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

Finding Bugs Problem Last time What is a bug? a path in the code that causes a run-time exception Alias/Pointer analysis a path through the code that causes incorrect results Today Issues Program Analysis for finding bugs,

214 views • 4 slides
From Crash Consistency to Transactions Yige Hu Youngjin Kwon Vijay Chidambaram Emmett Witchel

From Crash Consistency to Transactions Yige Hu Youngjin Kwon Vijay Chidambaram Emmett Witchel

From Crash Consistency to Transactions Yige Hu Youngjin Kwon Vijay Chidambaram Emmett Witchel Persistent data is structured; crash consistency hard Structured data abstractions built on file system SQLite, BerkeleyDB...

468 views • 34 slides
CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs

Datalog CO444H Pointer analysis Ben Livshits 1 Approaches to Finding Reliability and Security Bugs Static Analysis Tools Black-box Testing/Fuzzing 2 Coverity: a Static Analysis Company 3 Bug Report From Coverity Actual bug Path

701 views • 59 slides
Specifying and Checking File System Crash-Consistency Models Steven Lang September 4, 2016

Specifying and Checking File System Crash-Consistency Models Steven Lang September 4, 2016

Specifying and Checking File System Crash-Consistency Models Steven Lang September 4, 2016 Specifying and Checking File System Crash-Consistency Models Johannes Gutenberg Universitt Mainz Motivation The problem: POSIX

982 views • 71 slides
FRICTION-FREE BUG REPORTING SPEND TIME WHERE IT MATTERS GAME DEV BUGS EXPECTED WORKFLOW Crash

FRICTION-FREE BUG REPORTING SPEND TIME WHERE IT MATTERS GAME DEV BUGS EXPECTED WORKFLOW Crash

Raphal Saint-Pierre, Tools Team Leader Ubisoft FRICTION-FREE BUG REPORTING SPEND TIME WHERE IT MATTERS GAME DEV BUGS EXPECTED WORKFLOW Crash Fix Close REAL WORKFLOW Crash Callstack Memdump Screenshot Duplicates ? Send bug to

369 views • 34 slides
1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

1 Bug Triage Regression Testing Decide which bugs to fix Good: rerun the test that failed

What is a bug? Formally, a software defect A Bugs life SUT fails to perform to spec SUT causes something else to fail SUT functions, but does not satisfy Finding and Managing Bugs usability criteria CSE 403 If the

643 views • 3 slides
You Only Live Multiple Times Black box re-use of Crash-Stop Algorithms In Realistic Crash-Recovery

You Only Live Multiple Times Black box re-use of Crash-Stop Algorithms In Realistic Crash-Recovery

You Only Live Multiple Times Black box re-use of Crash-Stop Algorithms In Realistic Crash-Recovery Settings DAVID KOZHAYA 1 , OGNJEN MARIC 2 , AND YVONNE-ANNE PIGNOLET 1 1 ABB CORPORATE RESEARCH SWITZERLAND , 2 DIGITAL ASSET SWITZERLAND A

555 views • 19 slides
Heart failure randomized clinical trials: how we changed standard of care. Karl Swedberg Senior

Heart failure randomized clinical trials: how we changed standard of care. Karl Swedberg Senior

Heart failure randomized clinical trials: how we changed standard of care. Karl Swedberg Senior professor of Medicine University of Gothenburg Professor of Cardiology Imperial College, London Disclosures: Honoraria/Consultancy: Amgen,

499 views • 45 slides
Data Poisoning Attack cks on Stoch chastic c Bandits Fang Liu and Ness Shroff Outline

Data Poisoning Attack cks on Stoch chastic c Bandits Fang Liu and Ness Shroff Outline

Data Poisoning Attack cks on Stoch chastic c Bandits Fang Liu and Ness Shroff Outline Background q What are bandits? q Motivations Data poisoning attacks on stochastic bandits q Offline model q Online model q Simulation results

218 views • 17 slides
In-browser code editing Marijn Haverbeke (Interactive slides at

In-browser code editing Marijn Haverbeke (Interactive slides at

In-browser code editing Marijn Haverbeke (Interactive slides at http://marijnhaverbeke.nl/talks/goto2012) a 3-part talk: state of the art inspirational demo implementation war stories textarea schmextarea who's who ACE

939 views • 24 slides
Robust Incremental Neural Semantic Graph Parsing Jan Buys and Phil Blunsom Dependency Parsing vs

Robust Incremental Neural Semantic Graph Parsing Jan Buys and Phil Blunsom Dependency Parsing vs

Robust Incremental Neural Semantic Graph Parsing Jan Buys and Phil Blunsom Dependency Parsing vs Semantic Parsing Dependency parsing models the syntactic structure between words in a sentence. Dependency Parsing vs Semantic Parsing

637 views • 31 slides
Filtering with Abstract Particles Jacob Steinhardt Percy Liang Stanford University {

Filtering with Abstract Particles Jacob Steinhardt Percy Liang Stanford University {

Filtering with Abstract Particles Jacob Steinhardt Percy Liang Stanford University { jsteinhardt,pliang } @cs.stanford.edu May 1, 2013 J. Steinhardt & P. Liang (Stanford) Filtering with Abstract Particles May 1, 2013 1 / 12 Motivation

651 views • 34 slides
An Example Blackjack: Goal is to obtain cards whose sum is as great as possible without exceeding

An Example Blackjack: Goal is to obtain cards whose sum is as great as possible without exceeding

An Example Blackjack: Goal is to obtain cards whose sum is as great as possible without exceeding 21. All face cards count as 10, and an Ace can be About this class worth either 1 or 11. Back to MDPs Game proceeds as follows: two cards are

435 views • 9 slides
ACE & Behavioural Game Theory, Hierarchy of Cognitive Interactive Agents & Design

ACE & Behavioural Game Theory, Hierarchy of Cognitive Interactive Agents & Design

ACE & Behavioural Game Theory, Hierarchy of Cognitive Interactive Agents & Design Patterns: What is the connection ? Denis Phan ENST de Bretagne, Dpartement conomie et Sciences Humaines & ICI (Universit de Bretagne

256 views • 7 slides
Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The

Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The

www.toolcrypt.org Standing on the shoulders of the Blue Monster: Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The Toolcrypt Group www.toolcrypt.org www.toolcrypt.org Agenda Agenda Introduction

532 views • 32 slides

More recommend