Lecture: Testing and verification

Towards Optimization-Safe Systems: Analyzing the Impact of Undefined Behavior, SOSP 2013
Hyperkernel: Push-Button Verification of an OS Kernel, SOSP 2017
Optional: A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World, CACM 2010
Optional: Scaling symbolic evaluation for automated verification of systems code with Serval, SOSP 2019

Question

Describe one type of bugs that cannot be prevented by STACK and one type of bugs that cannot be prevented by Hyperkernel.

Question

Compare Figure 10 from the Hyperkernel paper to Tables 2 and 3 from the Dune paper (“getpid”, “trap”, “appel1”, and “appel2”). Why do you think Dune performs much better on “appel1” and “appel2” than Hyperkernel?

Question

Provide a list of questions you would like to discuss in class. Feel free to provide any comments on the papers and related topics (e.g., which parts you like and which parts you find confusing). For instance, would STACK and the Hyperkernel approach prevent any bugs you had in your xv6 labs?

Hyperkernel source code

If you are interested, check out the source code of Hyperkernel on GitHub.

Write down your answers in a file named answers.txt, and upload it using Canvas.

administrivia

project demo in class next Monday
- see schedule on Canvas
- 10min per group
- test your laptop before class
project code & report due next Sunday
- email staff if you would like to post on the course website

overview

how to test your xv6 kernel
- what’s considered correct (specification)?
- complex input sources & state transitions
- randomly generate sytem calls and interrupts?
challenge: generate “useful” tests
- what’s the chance of randomly generating (x, y) to trigger crash? 1/2⁶⁴
- blackbox: infinite monkey theorem

void test_me(int x, int y) {
  int z = 2 * x;
  if (z == y) {
    if (y == x + 10) {
      crash();
    }
  }
}

approaches
- bug finding: find code that may violate a given spec
- formal verification: prove that code must adhere to a given spec

background: SAT/SMT

termininology
- SAT: boolean satisfiability
- SMT: satisfiability modulo theories
breakthrough in SAT/SMT solving
building block for modern bug-finding and verification tools: MS Office (FlashFill), Visual Studio (IntelliTest, StaticDV), …
check CSE 507 if you are interested
try Z3 yourself
demo mini-mc for the test_me program

bug finding

types of tools
- static tools: analyze source code without running (a smart compiler)
- dynamic tools: run the code (and can try to break it)
- the line is blurred
- terminology: false positives vs. false negatives
examples
- gcc/clang
- sparse, annotations, and some history
- fuzzing: afl-fuzz, libFuzzer
try the following code example
- static analysis: run the analyzer in Xcode
- compile using gcc/clang’s -fsanitize=address on Linux
example: STACK

#include <stdio.h>
#include <stdlib.h>

int foo(int n)
{
        int *arr = malloc(n * sizeof(int));
        //arr[0] = 42;
        //free(arr);
        return arr[0];
}

int main(int argc, const char * argv[]) {
    printf("%d\n", foo(argc));
    return 0;
}