PDF Editor
PDF Converter
Image Converter
Video Converter
Audio Converter
File Compressor
a crash course on some recent bug finding tricks

A crash course on some recent bug finding tricks. Junfeng Yang, Can - PowerPoint PPT Presentation

Nov 24, 2023 •312 likes •1.02k views

A crash course on some recent bug finding tricks. Junfeng Yang, Can Sar, Cristian Cadar, Paul Twohey Dawson Engler Stanford Background Lineage Thesis work at MIT building a new OS (exokernel) Spent last 7 years developing methods to

  1. A crash course on some recent bug finding tricks. Junfeng Yang, Can Sar, Cristian Cadar, Paul Twohey Dawson Engler Stanford

  2. Background  Lineage  Thesis work at MIT building a new OS (exokernel)  Spent last 7 years developing methods to find bugs in them (and anything else big and interesting)  Goal: find as many serious bugs as possible.  Agnostic on technique: system-specific static analysis, implementation-level model checking, symbolic execution.  Our only religion: results. Works? Good. No work? Bad.  This talk  eXplode: model-checking to find storage system bugs.  EXE: symbolic execution to generate inputs of death  Maybe: weird things that happen(ed) when academics try to commercialize static checking.

  3. E X PLODE: a Lightweight, General System for Finding Serious Storage System Errors Junfeng Yang, Can Sar, Dawson Engler Stanford University

  4. The problem  Many storage systems, one main contract  You give it data. It does not lose or corrupt data.  File systems, RAID, databases, version control, ...  Simple interface, difficult implementation: failure  Wonderful tension for bug finding  Some of the most serious errors possible.  Very difficult to test: system must *always* recover to a valid state after any crash  Typical: inspection (erratic), bug reports (users Goal: comprehensively check many storage mad), pull power plug (advanced, not systematic) systems with little work

  5. E X PLODE summary  Comprehensive: uses ideas from model checking  Fast, easy Check new storage system: 200 lines of C++ code  Port to new OS: 1 device driver + optional instrumentation   General, real: check live systems. Can run (on Linux, BSD), can check, even w/o source code   Effective checked 10 Linux FS, 3 version control software, Berkeley DB,  Linux RAID, NFS, VMware GSX 3.2/Linux Bugs in all, 36 in total, mostly data loss   This work [OSDI’06] subsumes our old work FiSC [OSDI’04]

  6. Checking complicated stacks subversion ok?  All real checker subversion  Stack of storage %svnadm.recover systems NFS client  subversion: an %fsck.jfs loopback open-source crash version control NFS server %mdadm --assemble software --run JFS --force  User-written --update=resync software checker on top %mdadm -a RAID1  Recovery tools run checking checking crash crash after EXPLODE- disk disk disk disk simulated crashes

  7. Outline  Core idea  Checking interface  Implementation  Results  Related work, conclusion and future work

  8. The two core eXplode principles  Expose all choice: When execution reaches a point in program that can do one of N different actions, fork execution and in first child do first action, in second do second, etc.  Exhaust states: Do every possible action to a state before exploring another.  Result of systematic state exhaustion:  Makes low-probability events as common as high- probability ones. Quickly hit tricky corner cases.

  9. Core idea: explore all choices  Bugs are often triggered by corner cases  How to find: drive execution down to these tricky corner cases When execution reaches a point in program that can do one of N different actions, fork execution and in first child do first action, in second do second, etc.

  10. External choices  Fork and do every possible operation creat Explore generated k n i l states as well … /root unlink a b mkdir c rmdir … Speed hack: hash states, discard if seen, prioritize interesting ones.

  11. Internal choices  Fork and explore all internal choices creat kmalloc returns NULL /root a b Buffer cache misses c

  12. How to expose choices  To explore N-choice point, users instrument code using choose(N)  choose(N): N-way fork, return K in K’th kid void* kmalloc(size s) { if(choose(2) == 0) return NULL; … // normal memory allocation }  We instrumented 7 kernel functions in Linux

  13. Crashes  Dirty blocks can be written in any order, crash at any point creat buffer Users write code to cache check recovered FS /root a b check fsck c Write all check fsck subsets check fsck

  14. Outline  Core idea: exhaustively do all verbs to a state.  external choices X internal choices X crashes.  This is the main thing we’d take from model checking  Surprised when don’t find errors.  Checking interface  What E X PLODE provides  What users do to check their storage system  Implementation  Results  Related work, conclusion and future work

  15. What E X PLODE provides  choose(N) : conceptual N-way fork, return K in K’th child execution  check_crash_now(): check all crashes that can happen at the current moment  Paper talks about more ways for checking crashes  Users embed non-crash checks in their code. E X PLODE amplifies them  error() : record trace for deterministic replay

  16. What users do FS checker  Example: ext3 on RAID Ext3 Raid RAM Disk RAM Disk  checker: drive ext3 to do something: mutate(), then verify what ext3 did was correct: check()  storage component: set up, repair and tear down ext3, RAID. Write once per system  assemble a checking stack

  17.  FS Checker  mutate  ext3 Component  Stack choose(4) creat file rm file mkdir rmdir sync fsync …/0 1 2 3 4 …/0 1 2 3 4

  18. Check file exists  FS Checker  check Check file contents match  ext3 Component Even trivial checkers work:finds JFS fsync bug which causes lost file.  Stack Checkers can be simple (50 lines) or very complex(5,000 lines) Whatever you can express in C++, you can check

  19.  storage component: initialize, repair, set up, and tear down your  FS Checker system  Mostly wrappers to existing utilities. “mkfs”, “fsck”, “mount”, “umount”  ext3  threads(): returns list of kernel Component thread IDs for deterministic error replay  Stack  Write once per system, reuse to form stacks  Real code on next slide

  20.  FS Checker  ext3 Component  Stack

  21.  FS Checker  assemble a checking stack  Let E X PLODE know how  ext3 subsystems are connected Component together, so it can initialize, set up, tear down, and repair the entire stack  Stack Ext3 Raid  Real code on next slide RAM Disk RAM Disk

  22.  FS Checker  ext3 Component  Stack Ext3 Raid RAM Disk RAM Disk

  23. Outline  Core idea: explore all choices  Checking interface: 200 lines of C++ to check a system  Implementation  Checkpoint and restore states  Deterministic replay  Checking process  Checking crashes  Checking “soft” application crashes  Results Related work, conclusion and future work

  24. Recall: core idea  “Fork” at decision point to explore all choices state: a snapshot of the checked system …

  25. How to checkpoint live system?  Hard to checkpoint live kernel memory  VM checkpoint heavy-weight  checkpoint: record all choose() returns from S0 2 S0 3  restore: umount, restore S S0, re-run code, make K’th choose() return K’th … recorded values S = S0 + redo choices (2, 3) Key to E X PLODE approach

  26. Deterministic replay  Need it to recreate states, diagnose bugs Sources of non-determinism  Kernel choose() can be called by other code  Fix: filter by thread IDs. No choose() in interrupt  Kernel scheduler can schedule any thread  Opportunistic hack: setting priorities. Worked well  Can’t use lock: deadlock. A holds lock, then yield to B  Other requirements in paper  Worst case: non-repeatable error. Automatic detect and ignore

  27. E X PLODE: put it all together E X PLODE Runtime Checking Stack FS Checker ? Model Ext3 Component Checking Loop Raid Component Kernel Modified Linux Cache EKM Buffer Ext 3 Raid ? void* kmalloc (size_t s, int fl) { if(fl & __GFP_NOFAIL) RAM Disk RAM Disk if(choose (2) == 0) return NULL; …. Hardware EKM = EXPLODE EXPLODE User code device driver

  28. Outline  Core idea: explore all choices  Checking interface: 200 lines of C++ to check a system  Implementation  Results  Lines of code  Errors found Related work, conclusion and future work

  29. E X PLODE core lines of code Lines of code Linux 1,915 (+ 2,194 generated) Kernel patch FreeBSD 1,210 User-level code 6,323 3 kernels: Linux 2.6.11, 2.6.15, FreeBSD 6.0. FreeBSD patch doesn’t have all functionality yet

  30. Checkers lines of code, errors found Storage System Checked Component Checker Bugs 10 file systems 744/10 5,477 18 CVS 27 68 1 Subversion 31 69 1 Storage applications 30 124 3 “E XP ENS IVE ” Berkeley DB 82 202 6 RAID 144 FS + 137 2 Transparent NFS 34 FS 4 subsystems VMware 54 FS 1 GSX/Linux Total 1,115 6,008 36

  31. Outline  Core idea: explore all choices  Checking interface: 200 lines of C++ to check new storage system  Implementation  Results  Lines of code  Errors found Related work, conclusion and future work

  32. FS Sync checking results indicates a failed check App rely on sync operations, yet they are broken

  33. ext2 fsync bug Events to trigger bug B B truncate A … A creat B Mem write B Disk B fsync B … A crash! Indirect block fsck.ext2 Bug is fundamental due to ext2 asynchrony

Recommend

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location

PUEBLO MS2 - CRASH http://pueblo.ms2soft.com/ By: Hannah Haunert TCDS Traffic Crash Location System Website Address: http://pueblo.ms2soft.com Quick Search By: Study Location Location Crash Data Crash ID Date Crash Type LOG

555 views • 31 slides
Cool Cisco IOS Commands: test crash test crash test crash is an undocumented Cisco IOS command

Cool Cisco IOS Commands: test crash test crash test crash is an undocumented Cisco IOS command

Cool Cisco IOS Commands: test crash test crash test crash is an undocumented Cisco IOS command that will simulate a router crash. An undocumented IOS command is exactly that: one that does not appear in Cisco documentation or in IOS help. test

308 views • 5 slides
Bug Driven Bug Finding Chadd C. Williams Jeffrey K. Hollingsworth University of Maryland

Bug Driven Bug Finding Chadd C. Williams Jeffrey K. Hollingsworth University of Maryland

Bug Driven Bug Finding Chadd C. Williams Jeffrey K. Hollingsworth University of Maryland Overview Review historical data to choose a static bug checker to apply manual inspection to gather background data identify common types of

294 views • 28 slides
Industrial Bug Mining Industrial Bug Mining Extracting, Grading and Enriching the Ore of Exploits

Industrial Bug Mining Industrial Bug Mining Extracting, Grading and Enriching the Ore of Exploits

Industrial Bug Mining Industrial Bug Mining Extracting, Grading and Enriching the Ore of Exploits the Ore of Exploits Private & Confidential Property of COSEINC The Bug Mining Analogy The Bug Mining Analogy Phase 1: Extraction Phase 2:

591 views • 37 slides
MATLAB crash course Cesar E. Tamayo Economics - Rutgers September 27th, 2013 1/27 MATLAB crash

MATLAB crash course Cesar E. Tamayo Economics - Rutgers September 27th, 2013 1/27 MATLAB crash

MATLAB crash course 1 / 27 MATLAB crash course Cesar E. Tamayo Economics - Rutgers September 27th, 2013 1/27 MATLAB crash course 2 / 27 Program Program I Interface: layout, menus, help, etc.. I Vectors and matrices I Graphics: I Plots,

2k views • 27 slides
FRICTION-FREE BUG REPORTING SPEND TIME WHERE IT MATTERS GAME DEV BUGS EXPECTED WORKFLOW Crash

FRICTION-FREE BUG REPORTING SPEND TIME WHERE IT MATTERS GAME DEV BUGS EXPECTED WORKFLOW Crash

Raphal Saint-Pierre, Tools Team Leader Ubisoft FRICTION-FREE BUG REPORTING SPEND TIME WHERE IT MATTERS GAME DEV BUGS EXPECTED WORKFLOW Crash Fix Close REAL WORKFLOW Crash Callstack Memdump Screenshot Duplicates ? Send bug to

369 views • 34 slides
Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared

Arizona Crash Report Presentation by Glen Robison State Custodian of Crash Records Prepared 6/3/2020 1- Crash Identification Block The month, day and hour should be when the crash occurred Not when reported Not when you arrived 2- General

561 views • 15 slides
Crash Preventability Determination Program 1 Request and Review Process 2 Eligible Crash Types

Crash Preventability Determination Program 1 Request and Review Process 2 Eligible Crash Types

Crash Preventability Determination Program 1 Request and Review Process 2 Eligible Crash Types The following crash types are eligible for submission to the program. Struck in the Rear type of crash when the CMV was struck: in the rear; or

211 views • 20 slides
Fedora Bug Triage John "poelcat" Poelstra Jon "jds2001" Stanley June 21,

Fedora Bug Triage John "poelcat" Poelstra Jon "jds2001" Stanley June 21,

Fedora Bug Triage John "poelcat" Poelstra Jon "jds2001" Stanley June 21, 2008 version 0.2 What Is Bug Triage? Bug Triage is the process of reviewing open bug reports to make sure that they are: reported in the

467 views • 20 slides
3/3/15 Announcement: Bug of the week (extra credit) Architectural Patterns Each group can

3/3/15 Announcement: Bug of the week (extra credit) Architectural Patterns Each group can

3/3/15 Announcement: Bug of the week (extra credit) Architectural Patterns Each group can nominate a bug TA choose one to be bug of the week . Group gets extra credit. Bug due Sunday evening. Database-centric

300 views • 5 slides
Bugzilla, Bug-squad and GNOME3 Presented By Akhil Laddha 1 Agenda About me Bugzilla Bug

Bugzilla, Bug-squad and GNOME3 Presented By Akhil Laddha 1 Agenda About me Bugzilla Bug

Bugzilla, Bug-squad and GNOME3 Presented By Akhil Laddha 1 Agenda About me Bugzilla Bug triaging : In and Out Bugzilla Statistics GNOME3 contribution Q & A 2 Who am I ? Bug Master Evolution QA mailto: lakhil@gnome.org IRC nick :

477 views • 26 slides
Open Source Bug Fixes: Characterization and Dataset Prediction Data Collection Bug

Open Source Bug Fixes: Characterization and Dataset Prediction Data Collection Bug

Overview Introduction Motivation Research Questions Open Source Bug Fixes: Characterization and Dataset Prediction Data Collection Bug Report Features Factors A ff ecting Bug Fix Likelihood Reputations Edits and

424 views • 5 slides
CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain

CRASH COURSE OR COURSE CRASH: Gaming, VR and a Pedagogical Approach Dr. Brent Chamberlain Landscape Architecture & Regional and Community Planning Kansas State University DLA Conference 2015 June 6, 2015 BACKGROUND AND CONTEXT

702 views • 31 slides
A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas State] John Hatcliff Work on specification patterns by Matthew Dwyer, Jay Corbett, and George Avrunin http://www.cis.ksu.edu/santos/bandera

303 views • 29 slides
A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure

A Crash Course in Genetics A Crash Course in Genetics General Overview: DNA Structure RNA DNA Replication Encoding Proteins Protein Folding Types of DNA Manipulating DNA PCR Biological Computation CPSC

379 views • 36 slides
Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

Crash Course into the New Finnish Government and HQ Communication Crash Course into the New

@amchamwatch| @HofstedeInsight @RudPedersenFIN Country Manager Network Breakfast: Crash Course into the New Finnish Government and HQ Communication Crash Course into the New Finnish Government and HQ Communication Esa Suominen Managing

262 views • 25 slides
Specifying and Checking File System Crash-Consistency Models James Bornholt Antoine Kaufmann

Specifying and Checking File System Crash-Consistency Models James Bornholt Antoine Kaufmann

Specifying and Checking File System Crash-Consistency Models James Bornholt Antoine Kaufmann Jialin Li Arvind Krishnamurthy Emina Torlak Xi Wang University of Washington File systems persist our data Application File System File systems

937 views • 91 slides
Minneap apol olis V Vision on Zero Cr Crash sh St Study City Council Transportation and

Minneap apol olis V Vision on Zero Cr Crash sh St Study City Council Transportation and

Minneap apol olis V Vision on Zero Cr Crash sh St Study City Council Transportation and Public Works Committee January 22, 2019 Todays topics Context for Vision Zero Crash Study Key crash study information Next steps for

690 views • 37 slides
ACHILLES Lon Long-term De Deterioration of f Lin Linea ear Infr Infrastructure Monday 04

ACHILLES Lon Long-term De Deterioration of f Lin Linea ear Infr Infrastructure Monday 04

ACHILLES Lon Long-term De Deterioration of f Lin Linea ear Infr Infrastructure Monday 04 February 2019 Friends House London, UK Agenda 1500 Welcome, background and introduction Prof Stephanie Glendinning (Newcastle) 1520 Modelling

318 views • 28 slides
5 th E of Safety John Milton, Ph.D., P.E. Director: Transportation Safety, Quality and Enterprise

5 th E of Safety John Milton, Ph.D., P.E. Director: Transportation Safety, Quality and Enterprise

Joint Use of the HSM and Human Factors Guide 5 th E of Safety John Milton, Ph.D., P.E. Director: Transportation Safety, Quality and Enterprise Risk AASHTO Committee on Safety Annual Meeting, May 8, 2018 Last update 10/24/17 Using Human Factors

608 views • 37 slides
Steele St Multimodal Safety Project July 10th, th, 2019 HOW? Provide roadway space for all

Steele St Multimodal Safety Project July 10th, th, 2019 HOW? Provide roadway space for all

Steele St Multimodal Safety Project July 10th, th, 2019 HOW? Provide roadway space for all WHY? SAFETY Trend is going up in 2019 Streets need to be designed to be safer Project Background Corridor in Context Corridor provides

494 views • 38 slides
Waterfall Way Route Review Casualty Crash Data Analysis June 2014 Centre for Road Safety, TfNSW

Waterfall Way Route Review Casualty Crash Data Analysis June 2014 Centre for Road Safety, TfNSW

Waterfall Way Route Review Casualty Crash Data Analysis June 2014 Centre for Road Safety, TfNSW Overview of Crash Analysis From Tyringham St, Dorrigo to 10m west of Pacific Highway, Raleigh was examined. This section of Waterfall

428 views • 17 slides
OF CRASHES IN LAS CRUCES Purpose The purpose of this project was to identify and analyze

OF CRASHES IN LAS CRUCES Purpose The purpose of this project was to identify and analyze

SPATIAL ANALYSIS OF CRASHES IN LAS CRUCES Purpose The purpose of this project was to identify and analyze areas within the Las Cruces urbanized area that are experiencing recurring patterns of crashes, specifically those that occur at

530 views • 18 slides
Crash Safety of Batteries for Prof. Wayne Chen, PI, wchen@purdue.edu Passenger Vehicles Prof.

Crash Safety of Batteries for Prof. Wayne Chen, PI, wchen@purdue.edu Passenger Vehicles Prof.

TEAM: Purdue University Research Group Crash Safety of Batteries for Prof. Wayne Chen, PI, wchen@purdue.edu Passenger Vehicles Prof. Thomas Siegmund, Co-PI, siegmund@purdue.edu Current Status Technology Overview Multifunctional EV

422 views • 6 slides

More recommend

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2025 SAMBUZ, All right reserved.