SlideShare a Scribd company logo

Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code

M
Miro Cupak

This document describes techniques for automatically detecting bugs in system code through inconsistencies in the code's behavior compared to inferred rules. It involves defining checkers based on templates of valid code constructs and beliefs about how the code should behave. Checkers are implemented for null pointers, lock usage, security, failure handling, and temporal rules. The techniques are applied to Linux and OpenBSD, finding many real bugs but also false positives requiring manual inspection. Adoption in industry could be improved through better performance, integration into IDEs, and reducing false positives.

Software
1 of 24
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code Dawson Engle, David Yu Chen, Seth Hallem, Andy Chou, Benjamin Chelf Miroslav Cupak 10/01/2012
Introduction systems obey rules for correctness and performance verification, testing, manual and automatic inspection problem with static analysis: what rules to check? solution: automatically extract from source
Techniques problem: finding what is incorrect without knowing what is correct tools: contradictions & common behaviour approach: internal consistency & statistical analysis implement checkers and apply them to Linux & OpenBSD
Terminology beliefs MUST MAY templates slots
Internal Consistency checkers defined by: the rule template T the valid slot instances for T the code actions implying beliefs the rules for how beliefs combine & the rules for contradiction the rules for belief propagation issues: inferring beliefs (direct observation, pre/post-conditions) relating code (implementation, abstraction)
Statistical Analysis internal consistency checkers with modifications: assume all slot-instance combinations are MUST beliefs indicate checks and failures rank the errors and order the results to get most relevant results issues: large set of cases pre-processing noise (large samples, ranking, human-level operations) extensible, makes use of empty templates latent specifications (naming conventions, error codes)
Checker: Null Pointer Consistency static null pointer detection based on internal consistency associates pointers with belief sets and flags contradictions check-then-use use-then-check redundant checks
Checker: Statistical Lock Inference detection of accesses to shared variables without their locks problem: finding variable-lock bindings test MAY beliefs, rank errors forward and backward propagation of locks
Checker: Security determine whether the pointer is a kernel (safe) or a user (tainted) pointer, report intersection based on dereference counts problems: false positives problem due to kernel backdoors checking if they are called from user or kernel code manual inspection
Checker: Failure Checking find routines that are not checked or are incorrectly checked for failures routines returning null pointers are checked before use unnecessary checking of routines that cannot fail
Checker: Temporal Rules no A after B (free memory) B must follow A (lock-unlock) important preprocessing of traces
Results finding bugs without special knowledge of the correctness of the program many interesting bugs new surprising bugs real bug reports and patches significant portion of false positives (bug/false positives ratio: null pointer 205/40, security 35/19)
Related work extension of Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions (Using Meta-level Compilation to Check FLASH Protocol Code) type systems specifications dynamic invariant inference
Questions?
What else can we check? Any ideas for other checkers or situations?
What else can we check? check permissions before writing to data structures reenable interrupts after disabling them size limit on variables hold read locks if variable is not modified memory allocation before its use protocol headers double if statements waiting on synchronous sends certain references not allowed in parts of code
How can we use this tool to prevent deadlocks?
How can we use this tool to prevent deadlocks? lock releasing after acquiring it kernel cannot call blocking functions with interrupts disabled thread holding spin lock cannot block temporal ordering
What do you see as the biggest problem of the proposed tools? How would you tackle it?
What do you see as the biggest problem of the proposed tools? setup cost manual inspection false positives (ranking, thresholds) performance
If you were a developer in a real SW company trying to extend their QE processes, would you consider adoption of this tool a good idea? What could make it more practical?
Do you consider the tool usable in real SW companies? still a lot of manual work, but it can help relatively easily extensible flexibility scalability + IDE integration + improve performance (storing history, running on parts of code, ignore certain paths)
Are the metrics in use objective?
Are the metrics in use objective? exhaustive all-paths search shifting the rating preprocesssing step heuristics relying on code convention

More Related Content

PDF
Test Case Prioritization for Acceptance Testing of Cyber Physical Systems
Lionel Briand
 
PDF
DevOps with GitHub Actions
Nilesh Gule
 
PDF
How to Choose the Proper Infra (Online, Odoo.sh, On premise)
Odoo
 
PPTX
CICD Pipeline Using Github Actions
Kumar Shìvam
 
PPTX
How to Design a Successful Test Automation Strategy
Impetus Technologies
 
PDF
Test Automation
rockoder
 
PDF
Shift Left Testing: Going Beyond Agile
TechWell
 
PDF
Introduction to GitHub Actions
Bo-Yi Wu
 
Test Case Prioritization for Acceptance Testing of Cyber Physical Systems
Lionel Briand
 
DevOps with GitHub Actions
Nilesh Gule
 
How to Choose the Proper Infra (Online, Odoo.sh, On premise)
Odoo
 
CICD Pipeline Using Github Actions
Kumar Shìvam
 
How to Design a Successful Test Automation Strategy
Impetus Technologies
 
Test Automation
rockoder
 
Shift Left Testing: Going Beyond Agile
TechWell
 
Introduction to GitHub Actions
Bo-Yi Wu
 

What's hot (20)

PDF
Test Automation Architecture
Applitools
 
PDF
Ruin your life using robot framework
Prayoch Rujira
 
PPTX
Test Automation in Agile
Agile Testing Alliance
 
PPTX
Jira-Zephyr_Training.pptx
DhananjayaDeevi
 
PDF
Git Version Control System
KMS Technology
 
PPTX
CI/CD with GitHub Actions
Swaminathan Vetri
 
PPTX
functional testing
bharathanche
 
PPTX
TestComplete – A Sophisticated Automated Testing Tool by SmartBear
Software Testing Solution
 
PPTX
Guide to Agile testing
Subrahmaniam S.R.V
 
PDF
Introducing Pair Programming
Steven Smith
 
PPTX
Git One Day Training Notes
glen_a_smith
 
PPT
Introduction to jira
Xpand IT
 
PPTX
Agile Testing Strategy
tharindakasun
 
PPTX
Robot framework
boriau
 
PDF
Agile Test Management Using Jira and Zephyr
XBOSoft
 
PPTX
Cypress Automation
Susantha Pathirana
 
PPT
Scrum Testing Methodology
Gaya1985
 
PPTX
Building a scalable microservice architecture with envoy, kubernetes and istio
SAMIR BEHARA
 
PDF
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA Firmware Analyzer
 
PDF
Java Source Code Analysis using SonarQube
Angelin R
 
Test Automation Architecture
Applitools
 
Ruin your life using robot framework
Prayoch Rujira
 
Test Automation in Agile
Agile Testing Alliance
 
Jira-Zephyr_Training.pptx
DhananjayaDeevi
 
Git Version Control System
KMS Technology
 
CI/CD with GitHub Actions
Swaminathan Vetri
 
functional testing
bharathanche
 
TestComplete – A Sophisticated Automated Testing Tool by SmartBear
Software Testing Solution
 
Guide to Agile testing
Subrahmaniam S.R.V
 
Introducing Pair Programming
Steven Smith
 
Git One Day Training Notes
glen_a_smith
 
Introduction to jira
Xpand IT
 
Agile Testing Strategy
tharindakasun
 
Robot framework
boriau
 
Agile Test Management Using Jira and Zephyr
XBOSoft
 
Cypress Automation
Susantha Pathirana
 
Scrum Testing Methodology
Gaya1985
 
Building a scalable microservice architecture with envoy, kubernetes and istio
SAMIR BEHARA
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA Firmware Analyzer
 
Java Source Code Analysis using SonarQube
Angelin R
 
Ad

Similar to Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code (20)

PPT
Testing 2 - Thinking Like A Tester
ArleneAndrews2
 
PPT
Getting Unstuck: Working with Legacy Code and Data
Cory Foy
 
PPT
Object oriented sad 6
Bisrat Girma
 
PPT
Automatic Assessment of Failure Recovery in Erlang Applications
Jan Henry Nystrom
 
PPTX
Taxonomy of bugs total topic covered presentation
PallaSrija
 
PDF
Bt0081 software engineering2
Techglyphs
 
PPTX
Implementing TDD in for .net Core applications
Ahmad Kazemi
 
PPT
software testing mtehododlogies path testing
Ranjeet Reddy
 
PDF
Different Methodologies For Testing Web Application Testing
Rachel Davis
 
PDF
Manual software-testing-interview-questions-with-answers
Tripti Shergill
 
PDF
Manual software-testing-interview-questions-with-answers
Sachin Gupta
 
PPT
Testing 3: Types Of Tests That May Be Required
ArleneAndrews2
 
DOCX
Manuel testing word
Vijay R
 
PPTX
Software Testing overview jay prakash maurya.pptx
JayPrakash779563
 
PDF
Testing In Software Engineering
kiansahafi
 
PPTX
Software_Testing_Overview.pptx
JayPrakash255
 
PPTX
ST UNIT-1.pptx
GhanaVishnu
 
PPT
software-testing-strategies888888888.ppt
sameera abu-ghalyoon
 
PPTX
Programming Fundamentals lecture 3
REHAN IJAZ
 
PPTX
Software testing
Aman Adhikari
 
Testing 2 - Thinking Like A Tester
ArleneAndrews2
 
Getting Unstuck: Working with Legacy Code and Data
Cory Foy
 
Object oriented sad 6
Bisrat Girma
 
Automatic Assessment of Failure Recovery in Erlang Applications
Jan Henry Nystrom
 
Taxonomy of bugs total topic covered presentation
PallaSrija
 
Bt0081 software engineering2
Techglyphs
 
Implementing TDD in for .net Core applications
Ahmad Kazemi
 
software testing mtehododlogies path testing
Ranjeet Reddy
 
Different Methodologies For Testing Web Application Testing
Rachel Davis
 
Manual software-testing-interview-questions-with-answers
Tripti Shergill
 
Manual software-testing-interview-questions-with-answers
Sachin Gupta
 
Testing 3: Types Of Tests That May Be Required
ArleneAndrews2
 
Manuel testing word
Vijay R
 
Software Testing overview jay prakash maurya.pptx
JayPrakash779563
 
Testing In Software Engineering
kiansahafi
 
Software_Testing_Overview.pptx
JayPrakash255
 
ST UNIT-1.pptx
GhanaVishnu
 
software-testing-strategies888888888.ppt
sameera abu-ghalyoon
 
Programming Fundamentals lecture 3
REHAN IJAZ
 
Software testing
Aman Adhikari
 
Ad

More from Miro Cupak (20)

PDF
Exploring the latest and greatest from Java 14
Miro Cupak
 
PDF
Exploring reactive programming in Java
Miro Cupak
 
PDF
Exploring the last year of Java
Miro Cupak
 
PDF
Local variable type inference - Will it compile?
Miro Cupak
 
PDF
The Good, the Bad and the Ugly of Java API design
Miro Cupak
 
PDF
Local variable type inference - Will it compile?
Miro Cupak
 
PDF
Exploring reactive programming in Java
Miro Cupak
 
PDF
The good, the bad, and the ugly of Java API design
Miro Cupak
 
PDF
Master class in modern Java
Miro Cupak
 
PDF
The good, the bad, and the ugly of Java API design
Miro Cupak
 
PDF
Exploring reactive programming in Java
Miro Cupak
 
PDF
The good, the bad, and the ugly of Java API design
Miro Cupak
 
PDF
Writing clean code with modern Java
Miro Cupak
 
PDF
The good, the bad, and the ugly of Java API design
Miro Cupak
 
PDF
Master class in modern Java
Miro Cupak
 
PDF
Exploring reactive programming in Java
Miro Cupak
 
PDF
Writing clean code with modern Java
Miro Cupak
 
PDF
Exploring what's new in Java 10 and 11 (and 12)
Miro Cupak
 
PDF
Exploring what's new in Java 10 and 11
Miro Cupak
 
PDF
Exploring what's new in Java in 2018
Miro Cupak
 
Exploring the latest and greatest from Java 14
Miro Cupak
 
Exploring reactive programming in Java
Miro Cupak
 
Exploring the last year of Java
Miro Cupak
 
Local variable type inference - Will it compile?
Miro Cupak
 
The Good, the Bad and the Ugly of Java API design
Miro Cupak
 
Local variable type inference - Will it compile?
Miro Cupak
 
Exploring reactive programming in Java
Miro Cupak
 
The good, the bad, and the ugly of Java API design
Miro Cupak
 
Master class in modern Java
Miro Cupak
 
The good, the bad, and the ugly of Java API design
Miro Cupak
 
Exploring reactive programming in Java
Miro Cupak
 
The good, the bad, and the ugly of Java API design
Miro Cupak
 
Writing clean code with modern Java
Miro Cupak
 
The good, the bad, and the ugly of Java API design
Miro Cupak
 
Master class in modern Java
Miro Cupak
 
Exploring reactive programming in Java
Miro Cupak
 
Writing clean code with modern Java
Miro Cupak
 
Exploring what's new in Java 10 and 11 (and 12)
Miro Cupak
 
Exploring what's new in Java 10 and 11
Miro Cupak
 
Exploring what's new in Java in 2018
Miro Cupak
 

Recently uploaded (20)

PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PDF
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PDF
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
System and Network Administration Chapter 2
jaramharo
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
Wondershare Filmora 15 Crack With Activation Key [2025
ghrom2211g
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
AI in Product Development-omnex systems
omnex systems
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
How Creative Agencies Leverage Project Management Software.pdf
Orangescrum
 

Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code

  • 1. Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code Dawson Engle, David Yu Chen, Seth Hallem, Andy Chou, Benjamin Chelf Miroslav Cupak 10/01/2012
  • 2. Introduction systems obey rules for correctness and performance verification, testing, manual and automatic inspection problem with static analysis: what rules to check? solution: automatically extract from source
  • 3. Techniques problem: finding what is incorrect without knowing what is correct tools: contradictions & common behaviour approach: internal consistency & statistical analysis implement checkers and apply them to Linux & OpenBSD
  • 5. Internal Consistency checkers defined by: the rule template T the valid slot instances for T the code actions implying beliefs the rules for how beliefs combine & the rules for contradiction the rules for belief propagation issues: inferring beliefs (direct observation, pre/post-conditions) relating code (implementation, abstraction)
  • 6. Statistical Analysis internal consistency checkers with modifications: assume all slot-instance combinations are MUST beliefs indicate checks and failures rank the errors and order the results to get most relevant results issues: large set of cases pre-processing noise (large samples, ranking, human-level operations) extensible, makes use of empty templates latent specifications (naming conventions, error codes)
  • 7. Checker: Null Pointer Consistency static null pointer detection based on internal consistency associates pointers with belief sets and flags contradictions check-then-use use-then-check redundant checks
  • 8. Checker: Statistical Lock Inference detection of accesses to shared variables without their locks problem: finding variable-lock bindings test MAY beliefs, rank errors forward and backward propagation of locks
  • 9. Checker: Security determine whether the pointer is a kernel (safe) or a user (tainted) pointer, report intersection based on dereference counts problems: false positives problem due to kernel backdoors checking if they are called from user or kernel code manual inspection
  • 10. Checker: Failure Checking find routines that are not checked or are incorrectly checked for failures routines returning null pointers are checked before use unnecessary checking of routines that cannot fail
  • 11. Checker: Temporal Rules no A after B (free memory) B must follow A (lock-unlock) important preprocessing of traces
  • 12. Results finding bugs without special knowledge of the correctness of the program many interesting bugs new surprising bugs real bug reports and patches significant portion of false positives (bug/false positives ratio: null pointer 205/40, security 35/19)
  • 13. Related work extension of Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions (Using Meta-level Compilation to Check FLASH Protocol Code) type systems specifications dynamic invariant inference
  • 15. What else can we check? Any ideas for other checkers or situations?
  • 16. What else can we check? check permissions before writing to data structures reenable interrupts after disabling them size limit on variables hold read locks if variable is not modified memory allocation before its use protocol headers double if statements waiting on synchronous sends certain references not allowed in parts of code
  • 17. How can we use this tool to prevent deadlocks?
  • 18. How can we use this tool to prevent deadlocks? lock releasing after acquiring it kernel cannot call blocking functions with interrupts disabled thread holding spin lock cannot block temporal ordering
  • 19. What do you see as the biggest problem of the proposed tools? How would you tackle it?
  • 20. What do you see as the biggest problem of the proposed tools? setup cost manual inspection false positives (ranking, thresholds) performance
  • 21. If you were a developer in a real SW company trying to extend their QE processes, would you consider adoption of this tool a good idea? What could make it more practical?
  • 22. Do you consider the tool usable in real SW companies? still a lot of manual work, but it can help relatively easily extensible flexibility scalability + IDE integration + improve performance (storing history, running on parts of code, ignore certain paths)
  • 23. Are the metrics in use objective?
  • 24. Are the metrics in use objective? exhaustive all-paths search shifting the rating preprocesssing step heuristics relying on code convention