an overview of the saturn project l.
Skip this Video
Loading SlideShow in 5 Seconds..
An Overview of the Saturn Project PowerPoint Presentation
Download Presentation
An Overview of the Saturn Project

Loading in 2 Seconds...

play fullscreen
1 / 50

An Overview of the Saturn Project - PowerPoint PPT Presentation

  • Uploaded on

An Overview of the Saturn Project. The Three-Way Trade-Off. Precision Modeling programs accurately enough to be useful Scalability Saying anything at all about large programs Human Effort How much work must the user do? Either giving specifications, or interpreting results. Today’s focus.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'An Overview of the Saturn Project' - kirra

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
the three way trade off
The Three-Way Trade-Off
  • Precision
    • Modeling programs accurately enough to be useful
  • Scalability
    • Saying anything at all about large programs
  • Human Effort
    • How much work must the user do?
    • Either giving specifications, or interpreting results

Today’s focus

Not so much about this . . .

Saturn Overview


int f(int x)


. . .

. . .


Primary abstraction is done at function boundaries.


[A(Ff), A(Fg), A(Fh)]




[A(Ff), A(Fg), A(Fh)]

[A(Ff), A(Fg), A(Fh)]


Intraprocedural analysis with minimal abstraction.

Saturn Overview

Design constraint:

SAT formula size ~ function size

Analyze one function at a time

Parallel implementation

Server sends functions to clients to analyze

Typically use 50-100 cores to analyze Linux


Saturn Overview

  • Abstract at function boundaries
    • Compute a summary for function’s behavior
  • Summaries should be small
    • Ideally linear in the size of the function’s interface
  • Summaries are our primary form of abstraction
    • Saturn delays abstraction to function boundaries

Slogan: Analysis design is summary design!

Saturn Overview

  • Analyses written in Calypso
  • Logic programs
    • Express traversals of the program
    • E.g., backwards/forwards propagation
  • Constraints
    • For when we don’t know traversal order
  • Written ~40,000 lines of Calypso code

Saturn Overview

  • An open source project
    • BSD license
  • All Calypso code available for published experiments

Saturn Overview


Brian Hackett

Isil Dillig

Suhabe Bugrara

Yichen Xie


Alex Aiken

Thomas Dillig

Peter Hawkins

Saturn Overview


What else can you do?

Survey of results

  • Saturn overview
  • An example analysis
    • Intraprocedural
    • Interprocedural

Saturn Overview

saturn architecture
Saturn Architecture

C Program

C Frontend

C Syntax Databases

Calypso analyses

Constraint Solvers



Summary Databases

Summary Reports


Saturn Overview

parsing and c frontend
Parsing and C Frontend

Source Code

Build Interceptor

Preprocessed Source Code

Other possible frontends

CIL frontend

Abstract Syntax Tree Databases

Saturn Overview

  • General purpose logic programming language
    • Pure
    • Prolog-like syntax
  • Bottom-up evaluation
    • Magic sets transformation
  • Also a (minor) moon of Saturn

Saturn Overview

helpful features
Helpful Features
  • Strong static type and mode checking
  • Permanent data (sessions)
    • stored as Berkeley DB databases
    • Sessions are just a named bundle of predicates
  • Support for unit-at-a-time analysis

Saturn Overview

extensible interpreter
Extensible Interpreter

SAT Solver

#sat predicate, …

Logic Program


LP Solver

DOT graph package

UI package

Saturn Overview

  • Interpreter is not very efficient
  • OK, it’s slow
  • But can run distributed analyses
    • 50-100 CPUs
  • Scalability is more important than raw speed
    • Can run intensive analyses of the entire Linux kernel (>6MLOC) in a few hours.

Saturn Overview

cluster architecture
Cluster Architecture



Worker Node 1


Master Node



Worker Node 100

Saturn Overview

job scheduling
Job Scheduling

Job = a function body

Dynamically track dependencies between jobs

  • Rerun jobs if new dependencies found
    • Optimistic concurrency control

Iterate to fixpoint for circular dependencies

Saturn Overview

calypso analyses
Calypso Analyses

C Syntax Predicates

CFG Construction

Constraint Solvers

Memory Model

Function Pointer


Typestate verifier

NULL checker

Alias Analysis

Saturn Overview

the paradigmatic locking analysis
The Paradigmatic Locking Analysis

Check that a thread does not:

  • acquire the same lock twice
  • release the lock twice

Otherwise the application may deadlock or crash.

Saturn Overview









Saturn Overview

basic setup
Basic Setup
  • We assume
    • one locking function lock(l)
    • one unlocking function unlock(l).
  • We analyze one function at a time
    • produce locking summary describing the FSM transitions associated with a given lock.

Saturn Overview

an example function summary
An Example Function & Summary

f( . . ., lock *L, . . .) {


. . .



L: unlocked -> unlocked

locked -> error

  • Summaries are input state -> output state
    • The net effect of the function on the lock
  • Summary size is independent of function size
    • Bounded by the square of the number of states

Saturn Overview

lock states

Guard g_guard is a boolean constraint

Program point pp is a unique id for each point in the program

Trace t_trace is a unique name for a memory location

Lock States

type lockstate ::= locked | unlocked | error.

  • Predicates to describe lock states on nodes and edges of the CFG:

predicate node_state(P:pp,L:t_trace,S:lockstate,G:g_guard).

predicate edge_state(P:pp,L:t_trace,S:lockstate,G:g_guard).

Saturn Overview

the intraprocedural analysis
1.Initialize lock states at function entry

2. Join operator:

Combine edges to produce successor’s node_state

3. Transfer functions for every primitive:



function calls

The Intraprocedural Analysis

Saturn Overview

initializing a lock
Initializing a Lock
  • Use fresh boolean variable
  • Interpretation:
    •  is true )Lis locked
    • : is true)Lis unlocked
  • Enforces that L cannot be both locked and unlocked simultaneously

Saturn Overview


(lock, state, guard)


At program point P,

the lock is in state if guard is true.

Saturn Overview

initialization rules
Initialization Rules




fresh_variable(L, LG).




#not(LG, UG).

Allocates new boolean variable associated with lock L.

f( . . ., lock *L, . . .) {

. . .



(L, locked, LG)

(L, unlocked, UG)

Saturn Overview

the intraprocedural analysis28
The Intraprocedural Analysis

1. Initialize lock states at function entry

2.Join operator:

  • Combine edges to produce successor’s node_state

3. Transfer functions for every primitive:

  • assignments
  • tests
  • function calls

Saturn Overview


if (…)

(L, locked, F2)

(L, locked, F1)

(L, locked, F1ÇF2)

  • node_state(P,L,S,G) :-
  • edge_state(P,L,S,_),
  • \/edge_state(P,L,S,EG):#or_all(EG,G).

Note: There is no abstraction in the join . . .

Saturn Overview

the intraprocedural analysis30
The Intraprocedural Analysis

1. Initialize lock states at function entry

2. Join operator:

  • Combine edges to produce successor’s node_state

3. Transfer functions for every primitive:

  • assignments
  • function calls
  • etc.

Saturn Overview


Assignments do not affect lock state:

edge_state(P1,L,S,G) :-




(L, S, G)

X = E;

(L,S, G)


Saturn Overview

interprocedural analysis basics
Interprocedural Analysis Basics
  • Function summaries are the building blocks of interprocedural analysis.
  • Generating a function summary requires:
    • Predicates encoding relevant facts
    • A session to store these predicates.

Saturn Overview

interprocedural analysis outline
Interprocedural Analysis Outline

1. Generating function summaries

2. Using function summaries

  • How do we retrieve the summary of a callee?
  • How do we map facts associated with a callee to the namespace of the currently analyzed function?

Saturn Overview

summary declaration
Summary Declaration

session sum_locking(FN:string) containing[lock_trans].

predicate lock_trans(L: t_trace, S0: lockstate, S1: lockstate).

Declares a persistent database sum_locking(function name)

holding lock_transfacts


Saturn Overview

summary generation primitives

*arg0 is the memory location modified by lock and unlock

Summary Generation: Primitives

Summaries for lock and unlock:

sum_locking("lock")->lock_trans(*arg0,locked,error) :- .

sum_locking("lock")->lock_trans(*arg0,unlocked,locked) :- .

sum_locking("unlock")->lock_trans(*arg0,unlocked,error) :- .

sum_locking("unlock")->lock_trans(*arg0,locked,unlocked) :-.

Saturn Overview

summary generation other functions
Summary Generation: Other Functions

sum_locking(F)->lock_trans(L, S0, S1) :-



node_state(P0, L, S0 , G0),


node_state(P1, L, S1, G1),

#and(G0, G1, G),


F( . . ., lock *L, . . .) {

. . .



(L, S0, G0)


(L, S1, G1)

if SAT(G1Æ G2), then . . .


F: S0! S1

Saturn Overview

summary application rule
Summary Application Rule

call_transfer(I, L, S0, S1, G) :-

direct_call(I, F),

call(P0, _, I),

sum_locking(F)->lock_trans(CL, S0, S1),

instantiate(s_call{I}, P0, CL, L, G).

G( . . .) {

F(. . .)



(S0, L, G)

F: S0! S1

(S1, L, G)

Saturn Overview

  • Bug finding
  • Verification
  • Software Understanding

Saturn Overview

saturn bug finding
Saturn Bug Finding
  • Early work
    • Locking
      • Scalable Error Detection using Boolean Satisfiability. POPL 2005
    • Memory leaks
      • Context- and Path-Sensitive Memory Leak Detection. FSE2005
    • Scripting languages
      • Static Detection of Security Vulnerabilities in Scripting Languages. 15th USENIX Security Symposium, 2006
  • Recent work
    • Inconsistency Checking
      • Static Error Detection Using Semantic Inconsistency Inference. PLDI 2007

Saturn Overview

lessons learned
Lessons Learned
  • Saturn-based tools improve bug-finding
    • Multiple times more bugs than previous results
    • Lower false positive rate
  • Why?
    • “Sounder” than previous bug finding tools
      • bit-level modeling, handling casts, aliasing, etc.
    • Precise
      • Fully intraprocedurally path-sensitive
      • Partially interprocedurally path-sensitive

Saturn Overview

lessons learned cont
Lessons Learned (Cont.)
  • Design of function summary is key to scalability and precision
  • Summary-based analysis only looks at the relevant parts of the heap for a given function
  • Programmers write functions with simple interfaces

Saturn Overview

saturn verification
Saturn Verification
  • Unchecked user pointer dereferences
    • Important OS security property
    • Also called “probing” or “user/kernel pointers”
  • Precision requirements
    • Context-sensitive
    • Flow-sensitive
    • Field-sensitive
    • Intraprocedurally path-sensitive

Saturn Overview

current results for linux 2 6 1
Current Results for Linux-2.6.1

6.2 MLOC with 91,543 functions

Verified 616 / 627 system call arguments


11 false alarms

Verified 851,686 / 852,092 dereferences


406 false alarms

Saturn Overview

preliminary lessons learned
Preliminary Lessons Learned

Bug finders can be sloppy: ignore functions or points-edges that inhibit scalability or precision

Soundness substantially more difficult than finding bugs

Lightweight, sparsely placed annotations

Have programmers add some information

Makes verification tractable

Only 22 annotations need for user pointer analysis

Saturn Overview

saturn for software understanding
Saturn for Software Understanding
  • A program analysis is a code search engine
  • Generic question: Do programmers ever do X?
    • Write an analysis to find out
    • Run it on lots of code
    • Classify the results
    • Write a paper . . .

Saturn Overview

  • Aliasing is used in very stylized ways, at least in C
    • Cursors into data structures
    • Parent/child pointers
    • And 7 other idioms

How is Aliasing Used in Systems Software? FSE 2006

  • Do programmers take the address of function ptrs?
    • Answer: Almost never.
    • Allows simpler analysis of function pointers

Saturn Overview

other things we ve thought about
Other Things We’ve Thought About
  • Shape analysis
    • We notice the lack of shape information
  • Interprocedural path-sensitivity
    • Needed for some common programming patterns
  • Proving correctness of Saturn analyses

Saturn Overview

related work
Related Work
  • Lots
    • All bug finding and verification tools of the last 10 years
  • Particularly, though
    • Systems using logic programming (bddbddb)
    • ESP
    • Metal
    • CQual
    • Blast

Saturn Overview

saturn stanford edu

Saturn Overview