Feature Consistency in Compile-Time–Configurable System Software
Facing the Linux 10000 Feature Problem

Reinhard Tartler, Daniel Lohmann, Julio Sincero, Wolfgang Schröder-Preikschat
System Software Group
Friedrich-Alexander University Erlangen-Nuremberg
September 7, 2011

Configuration Complexity

- Linux has become incredibly configurable
- Complexity increases considerably
- Source of bugs!

Linux v3.0 contains:
- 7,702 features
- 893 Kconfig files
- 31,281 source files
- 88,897 #ifdef blocks

R. Tartler Feature Consistency in Compile-Time–Configurable System Software (September 7, 2011) 2 – 16

The Problem

[Figure: Configuration / Implementation, labelled "Source of Inconsistencies!"]

Finding Bugs with Tools for Static Analysis

Bugs in declaration and implementation

Excellent tool support for static analysis:
- Coccinelle: Faults in Linux: Ten Years Later (ASPLOS’11)
- Dingo: Taming Device Drivers (EuroSys’09)
- KLEE: Automatic generation of high-coverage tests (EuroSys’08)
- RWset: Attacking path explosion (TACAS’08)
- EXE: Automatically generating inputs of death (CCS’06)
- ...

Each of them checks a single configuration.

Symbolic Inconsistency

Configuration (Kconfig):

    config HOTPLUG_CPU
        bool "Support for hot-pluggable CPUs"
        depends on SMP && HOTPLUG
        ---help---

Implementation:

    static int hotplug_cfd(struct notifier_block *nfb,
                           unsigned long action, void *hcpu)
    {
        // [...]
        switch (action) {
        case CPU_UP_PREPARE:
        case CPU_UP_PREPARE_FROZEN:
            // [...]
    #ifdef CONFIG_CPU_HOTPLUG
        case CPU_UP_CANCELED:
        case CPU_UP_CANCELED_FROZEN:
        case CPU_DEAD:
        case CPU_DEAD_FROZEN:
            free_cpumask_var(cfd->cpumask);
            break;
    #endif
        };
        return NOTIFY_OK;
    }

Symbolic: the code tests CONFIG_CPU_HOTPLUG, but the feature is declared as HOTPLUG_CPU, so the guarded cases are never compiled.

Result: Fix for a critical bug

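A minimal cross-reference check for the symbolic inconsistency above, as an added example that is not code from the talk or the authors' tool. The sample Kconfig and source text are constructed (the USB entry and its prompt are made up to show the `_MODULE` suffix case), and the function names are introduced here.

```python
import re

# Constructed inputs modelled on the slide; the USB entry is illustrative only.
KCONFIG = """\
config HOTPLUG_CPU
    bool "Support for hot-pluggable CPUs"
    depends on SMP && HOTPLUG
config USB
    tristate "USB support"
"""
SOURCE = """\
#ifdef CONFIG_CPU_HOTPLUG
    case CPU_DEAD:
#endif
#if defined(CONFIG_USB) || defined(CONFIG_USB_MODULE)
#endif
#ifdef CONFIG_HOTPLUG_CPU
#endif
"""

DECL = re.compile(r"^\s*(?:menu)?config\s+(\w+)", re.M)
COND = re.compile(r"^\s*#\s*(?:if|ifdef|ifndef|elif)\b")
REF = re.compile(r"\bCONFIG_(\w+)")

def declared_symbols(kconfig_text):
    """Feature names declared by 'config' / 'menuconfig' entries."""
    return set(DECL.findall(kconfig_text))

def referenced_symbols(source_text):
    """Map each CONFIG_ symbol used in a preprocessor conditional to its lines."""
    refs = {}
    for lineno, line in enumerate(source_text.splitlines(), 1):
        if COND.match(line):
            for sym in REF.findall(line):
                refs.setdefault(sym, []).append(lineno)
    return refs

def symbolic_defects(kconfig_text, source_text):
    """Symbols tested in the code that no Kconfig entry declares."""
    declared = declared_symbols(kconfig_text)
    defects = {}
    for sym, lines in referenced_symbols(source_text).items():
        # Tristate features built as modules appear as CONFIG_<NAME>_MODULE.
        base = sym[:-len("_MODULE")] if sym.endswith("_MODULE") else sym
        if sym not in declared and base not in declared:
            defects[sym] = lines
    return defects

if __name__ == "__main__":
    print(symbolic_defects(KCONFIG, SOURCE))
```
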
Logic Inconsistencies

    #ifdef CONFIG_DISCONTIGMEM
    // Block 1
    static ... int pfn_to_mid(...)
    # ifdef CONFIG_NUMA
    // Block 2
    # else
    // Block 3
    # endif
    #endif

[Feature model: MEMORY MODEL with FLATMEM, SPARSEMEM, NUMA, DISCONTIGMEM; DISCONTIGMEM depends on NUMA]

Logic:
- Feature DISCONTIGMEM requires NUMA
- Inner block is not configuration dependent anymore

Result: code cleanup

General Approach

    #ifdef CONFIG_DISCONTIGMEM
    // Block 1
    static ... int pfn_to_mid(...)
    # ifdef CONFIG_NUMA
    // Block 2
    # else
    // Block 3
    # endif
    #endif

[Feature model: MEMORY MODEL with FLATMEM, SPARSEMEM, NUMA, DISCONTIGMEM; DISCONTIGMEM depends on NUMA]

Extract from the configuration:

    C = (FLATMEM → MEMORY MODEL)
      ∧ (DISCONTIGMEM → MEMORY MODEL)
      ∧ (SPARSEMEM → MEMORY MODEL)
      ∧ (NUMA → MEMORY MODEL)
      ∧ (DISCONTIGMEM → NUMA)

Extract from the implementation:

    I = (Block 1 ↔ DISCONTIGMEM)
      ∧ (Block 2 ↔ Block 1 ∧ NUMA)
      ∧ (Block 3 ↔ Block 1 ∧ ¬Block 2)

Crosscheck both formulas with a SAT solver:

    dead?   = sat(C ∧ I ∧ Block N)
    undead? = sat(C ∧ I ∧ ¬Block N ∧ parent(Block N))

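The crosscheck above, worked through for the slide's three blocks; this is an added example, not code from the talk or the authors' tool. It assumes a block is reported dead or undead when the corresponding formula is unsatisfiable, replaces the SAT solver with exhaustive enumeration, and writes the slide's MEMORY MODEL as MEMORY_MODEL; the names B1..B3, classify and report are introduced here.

```python
from itertools import product

FEATURES = ["MEMORY_MODEL", "FLATMEM", "DISCONTIGMEM", "SPARSEMEM", "NUMA"]
PARENT = {"B1": None, "B2": "B1", "B3": "B1"}  # #ifdef nesting on the slide

def implies(a, b):
    return (not a) or b

def C(v):
    """Configuration formula C from the slide."""
    return (implies(v["FLATMEM"], v["MEMORY_MODEL"])
            and implies(v["DISCONTIGMEM"], v["MEMORY_MODEL"])
            and implies(v["SPARSEMEM"], v["MEMORY_MODEL"])
            and implies(v["NUMA"], v["MEMORY_MODEL"])
            and implies(v["DISCONTIGMEM"], v["NUMA"]))

def I(v):
    """Implementation formula I: presence condition of each block."""
    return (v["B1"] == v["DISCONTIGMEM"]
            and v["B2"] == (v["B1"] and v["NUMA"])
            and v["B3"] == (v["B1"] and not v["B2"]))

def sat(formula):
    """Brute-force satisfiability over all 2^8 assignments (SAT solver stand-in)."""
    names = FEATURES + list(PARENT)
    return any(formula(dict(zip(names, bits)))
               for bits in product([False, True], repeat=len(names)))

def classify(block, with_model=True):
    """'dead': block can never be selected; 'undead': block can never be
    deselected while its parent is selected; otherwise 'ok'."""
    model = C if with_model else (lambda v: True)
    parent = PARENT[block]
    parent_on = (lambda v: v[parent]) if parent else (lambda v: True)
    if not sat(lambda v: model(v) and I(v) and v[block]):
        return "dead"
    if not sat(lambda v: model(v) and I(v) and not v[block] and parent_on(v)):
        return "undead"
    return "ok"

def report(with_model=True):
    return {b: classify(b, with_model) for b in PARENT}

if __name__ == "__main__":
    print("C and I:", report(True))   # configuration constraints included
    print("I only: ", report(False))  # what a code-only view sees
```

With only I, all three blocks look selectable; the defects appear once C is conjoined, which is why checking the code alone misses them.
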
Implementation Challenges

Accuracy
- Conceptually no false positives
- Exact identification of variation points

Coverage
- Extract configuration model for all 22 architectures
- Defect detected on each architecture

Performance
- Easy and fast to use during incremental builds
- Possible by problem slicing
- Complete run on Linux in less than 10 minutes