Finding driver bugs with DR. CHECKER [LWN.net]

By Jake Edge
September 7, 2017

Drivers are a consistent source of kernel bugs, at least partly due to less review, but also because drivers are typically harder for tools to analyze. A team from the University of California, Santa Barbara has set out to change that with a static-analysis tool called DR. CHECKER. In a paper [PDF] presented at the recent 26th USENIX Security Symposium, the team introduced the tool and the results of running it on nine production Linux kernels. Those results were rather encouraging: "it correctly identified 158 critical zero-day bugs with an overall precision of 78%".

Technique

The researchers, Aravind Machiry, Chad Spensky, Jake Corina, Nick Stephens, Christopher Kruegel, and Giovanni Vigna, added their analysis module to the LLVM compiler. It is a "soundy" analysis—a term derived from "soundiness"—which means that it is mostly based on fully accurate (or sound) reasoning about the program. In order to keep the analysis space tractable and to provide usable results without overwhelming numbers of false positives, various unsound assumptions and tradeoffs are made. The researchers tried to limit those, however:

We are able to overcome many of the inherent limitations of static analysis by scoping our analysis to only the most bug-prone parts of the kernel (i.e., the drivers), and by only sacrificing soundness in very few cases to ensure that our technique is both scalable and precise. DR. CHECKER is a fully-automated static analysis tool capable of performing general bug finding using both pointer and taint analyses that are flow-sensitive, context-sensitive, and field-sensitive on kernel drivers.

As part of the motivation for creating the tool, the team describes an integer overflow bug found in the Huawei Bastet driver. The driver uses a user-controlled field in a structure to calculate the size of a buffer to allocate, but the integer overflow allows an attacker to cause the buffer to be far too small, resulting in a buffer overrun. As described in the paper, the bug demonstrates the need for a tool like DR. CHECKER:

There are many notable quirks in this bug that make it prohibitively difficult for naïve static analysis techniques. First, the bug arises from tainted-data (i.e., argp) propagating through multiple usages into a dangerous function, which is only detectable by a flow-sensitive analysis. Second, the integer overflow occurs because of a specific field in the user-provided struct, not the entire buffer. Thus, any analysis that is not field sensitive would over-approximate this and incorrectly identify flow_p as the culprit. Finally, the memory corruption in a different function (i.e., adjust_traffic_flow_by_pkg), which means that that the analysis must be able to handle inter-procedural calls in a context-sensitive way to precisely report the origin of the tainted data. Thus, this bug is likely only possible to detect and report concisely with an analysis that is flow-, context-, and field-sensitive. Moreover, the fact that this bug exists in the driver of a popular mobile device, shows that it evaded both expert analysts and possibly existing bug-finding tools.

DR. CHECKER takes a modular approach to its analysis. There are two analysis clients that are invoked throughout the analysis pass through the code, which is called the "soundy driver traversal" (SDT). Those clients share global state and can benefit from each others' results. Once that pass is complete, the global state is used by various vulnerability detectors to find specific kinds of bugs and generate warnings.

In order to focus solely on the driver code, the tool makes the assumption that Linux API calls operate completely correctly, so that they lie outside the scope of the analysis. That means that only function calls within the driver need to be followed and tracked

The two clients implement a "points-to" analysis to determine where pointers are pointing in a field-sensitive way and a "taint" analysis to determine when values could have been provided by user space. The points-to client tracks dynamic allocation as well as static and automatic variables. It knows enough about the kernel API to recognize allocation functions; it can also recognize the effects of library calls like memcpy(). The taint analysis looks at the sources for tainted data, either as arguments to entry points (e.g. ioctl()) or via kernel functions that copy data from user space (e.g. copy_from_user()).

There are eight separate vulnerability detectors that are each briefly described in the paper. Almost all of them look for incorrect handling of tainted data in one way or another, so they are heavily reliant on the taint analysis results. The tests look at such things as improperly using tainted data (e.g. passing to risky functions like strcmp()), arithmetic on tainted data that could lead to an under or overflow, casts to differently sized types, dereferencing tainted pointers, accessing global variables without proper locking, and so on.

The paper goes into quite a bit of detail of the techniques used and is worth a read for those interested. There were some logistical hurdles to overcome in trying to identify the vendor drivers in multiple kernel source trees. Beyond that, finding the entry points into the drivers was tricky as well; different subsystems have different views of the offset for a driver's ioctl() function, for example.

Results

The researchers ran DR. CHECKER on the drivers in nine mobile devices from four different manufacturers. A total of 3.1 million lines of code was analyzed in 437 separate drivers. They also ran four other static-analysis tools: flawfinder, RATS, Cppcheck, and Sparse. Ultimately, those tools were found wanting for a variety of reasons, most often because of the number of false positives generated.

DR. CHECKER uses Clang to compile each of the driver source files into LLVM bitcode, which contains the compiler's intermediate representation. Compiling the drivers required some changes to Clang to support the GCC-specific constructs and compiler flags used by the normal kernel build. Those individual bitcode files are then combined using the llvm-link tool to create a single file to hand off to DR. CHECKER.

Some 5,000 warnings were generated, of which nearly 4,000 were verified as correct by the team. Of those, 158 were actual bugs that were reported upstream and fixed. So 78% of the reports were correct and 3% actually resulted in security fixes for the kernel. The paper noted that there are a number of improvements that could be made to reduce duplicated, but correct, warnings as well as false positives. It also points out that the code could likely be adapted for other code bases.

Overall, DR. CHECKER looks like a useful tool that could potentially be applied more widely. Vendors may wish to analyze their drivers and device makers could do the same for all of the drivers in their device. It would also seem like there may be some lurking bugs in mainline drivers that could be ferreted out using the tool.

[Thanks to Paul Wise for pointing us toward DR. CHECKER.]

Index entries for this article
Security	Static analysis

to post comments

Finding driver bugs with DR. CHECKER

Posted Sep 7, 2017 23:21 UTC (Thu) by jhoblitt (subscriber, #77733) [Link] (2 responses)

Speaking of lurking bugs... " using the tool.q"

Finding driver bugs with DR. CHECKER

Posted Sep 7, 2017 23:57 UTC (Thu) by jake (editor, #205) [Link] (1 responses)

> using the tool.q

ouch, fixed now ... a gentle reminder that typos should go to lwn@lwn.net ...

thanks!

jake

Finding driver bugs with DR. CHECKER

Posted Sep 8, 2017 10:35 UTC (Fri) by epa (subscriber, #39769) [Link]

How about a checkbox when submitting comments? The comment would be shown until the typo is fixed, at which point the editor would delete it.

Upstreaming

Posted Sep 8, 2017 7:15 UTC (Fri) by epa (subscriber, #39769) [Link]

Is this tool actively maintained and with current users among kernel developers, or is it more of a one-off where the paper is published and then the researchers move on to a new problem? I note that it uses a moderately old version of LLVM with some patches for gcc compatibility -- are those patches being incorporated upstream?

Culture-relativity

Posted Sep 8, 2017 11:12 UTC (Fri) by NAR (subscriber, #1313) [Link] (9 responses)

Funnily the Dr. prefix in Hungarian is used by medical doctors, similar to the MD suffix in (US?) English, so this tool's name sounds like the name of someone who cures people - in this case the tool cures software :-)

Culture-relativity

Posted Sep 8, 2017 11:46 UTC (Fri) by cjwatson (subscriber, #7322) [Link] (3 responses)

That's used in at least UK English too. An "MD" postnominal suffix might be used if somebody really wants to make it absolutely clear what their doctorate is in, but that would be a pretty formal use. You'd pretty much always use prenominal "Dr." if you're addressing somebody, for instance.

I believe that US English has different cultural norms and a wider range of practitioners are entitled to use prenominal "Dr.", so it's more common to use "MD" to disambiguate, but people would still know what "Dr." means.

(This is leaving aside weird historical quirks like the way that consultant surgeons in the UK go by Mr./Ms./etc. rather than Dr. even though they may well have an MD ...)

Culture-relativity

Posted Sep 10, 2017 15:28 UTC (Sun) by marcH (subscriber, #57642) [Link] (2 responses)

> I believe that US English has different cultural norms and a wider range of practitioners are entitled to use prenominal "Dr.",...

Sounds like Germany; probably came with German migrants. It feels much rarer in the US though.

(from another sub-thread)
> In Germany the medical doctorate (“Dr. med.”) is lightweight compared to a “real” research doctorate like the ones you would obtain in physics, chemistry, or mathematics – to a point where in international comparisons it is considered mostly equivalent to a master's degree in science.

Same in France, with the difference that "docteur" refers to a medical doctor 99.99% of the time. Other docteurs never use their title outside work (and not much even there) so the "medical" adjective is not needed and never used. To resolve the 0.01% ambiguity, French has instead a... shorter, single word for Medical Doctor: "médecin"!? Go figure.

Culture-relativity

Posted Sep 10, 2017 23:51 UTC (Sun) by anselm (subscriber, #2796) [Link] (1 responses)

Same in France, with the difference that "docteur" refers to a medical doctor 99.99% of the time. Other docteurs never use their title outside work (and not much even there) so the "medical" adjective is not needed and never used. To resolve the 0.01% ambiguity, French has instead a... shorter, single word for Medical Doctor: "médecin"!? Go figure.

In Germany, not all practicing physicians actually have medical doctorates (it's not required; what is required to be allowed to see patients is an official government-controlled exam). In everyday usage, however, even the non-doctors are still often addressed by their patients as “Herr Doktor” or “Frau Doktor” as a courtesy, simply because the notion that “physician = doctorate” is pretty deeply ingrained in the population.

Incidentally somebody mentioned that in the UK, physicians go by “Doctor XYZ” except that when they qualify as surgeons they revert to “Mr. /Mrs./… XYZ”. This is because way back when, medicine and surgery were completely different disciplines. Actual physicians weren't keen on the bloody business of surgery, while surgery, especially wartime surgery, was usually undertaken by barbers (presumably because they had sharp knives to hand). Physicians, who in spite of the limited scope of pre-scientific medicine were usually university-trained professionals, used to look down on surgeons, who were mere tradesmen – glorified barbers – who had gone through an apprenticeship.

Culture-relativity

Posted Sep 14, 2017 8:30 UTC (Thu) by Wol (subscriber, #4433) [Link]

And most modern medical doctors aren't actually legally entitled to use the "Dr."

There was a major fuss some years back at the East Kent Hospital in Canterbury. The administrators tried to pass an edict saying "you can only call yourself Doctor if you're a medical doctor". It very rapidly got dropped - the Ph.D's on staff said "hang on a sec, we have a *legal* entitlement* to use 'Dr', medical people don't. You try and stop us using it, we'll get the courts to stop the medical people from using it".

And one of my friends, when she was a student doctor, commented on the confusion caused by one of her fellow students, who was a Ph.D.

It dates back, as the previous comment says, to when Physicians *were* doctorally qualified. Today's medical doctors aren't Doctors, they're Apothecaries (chemists, ie pharmacists). Because they dispensed medicine, and provided medical advice to the majority of people who couldn't afford a Doctor's advice, they rose in status and acquired the honorific "doctor". One of my doctor friends joked about how doctors have an apprenticeship and are "tradespeople" not "professionals".

Cheers,
Wol

Culture-relativity

Posted Sep 8, 2017 12:02 UTC (Fri) by tialaramex (subscriber, #21167) [Link] (2 responses)

Dr is a prefix meaning "Doctor" in English too. In British English it would be usual for a medical doctor to use just use the prefix "Doctor" or "Dr" and not suffix MD, unless there was a context where everybody is a "doctor" and it was important to distinguish.

My general practitioner (the woman who examines me if I have an illness to decide if it needs treating and if so how) would usually style herself Dr Creagh not "Ms Creagh" or "Creagh MD" even though the practice she works in is on a University main campus and so lots of her patients have doctorate degrees in non-medical subjects.

Culture-relativity

Posted Sep 8, 2017 16:50 UTC (Fri) by mjg59 (subscriber, #23239) [Link] (1 responses)

MD in the British and Irish sense is an actual research doctorate and usually considered senior to a PhD. Most British medical doctors have a bachelor of medicine degree, not an MD.

Culture-relativity

Posted Sep 9, 2017 0:50 UTC (Sat) by anselm (subscriber, #2796) [Link]

This is funny because here in Germany the medical doctorate (“Dr. med.”) is lightweight compared to a “real” research doctorate like the ones you would obtain in physics, chemistry, or mathematics – to a point where in international comparisons it is considered mostly equivalent to a master's degree in science.

Culture-relativity

Posted Sep 8, 2017 12:24 UTC (Fri) by dezgeg (guest, #92243) [Link] (1 responses)

Windows used (or still does?) to ship with a crash-reporting program called Dr. Watson too.

Culture-relativity

Posted Sep 8, 2017 13:21 UTC (Fri) by cpitrat (subscriber, #116459) [Link]

Which is way better because it suggests both system health and helping investigations !

Flawfinder

Posted Sep 8, 2017 21:26 UTC (Fri) by david.a.wheeler (subscriber, #72896) [Link]

Author of flawfinder here.

You might expect me to object to the paper, but I think it's great. I'm glad there are more advanced tools being developed as OSS. Flawfinder and RATS, as noted in the paper, use a very simplistic lexical approach to finding vulnerabilities. That means they're simple, easy to install, and can handle code that can't build - all pluses. And I can confirm that flawfinder's messages were specifically designed to be useful to developers who were less familiar with how to develop secure software. But as the article notes, they're subject to a range of false positives because they're not following control flow or data flow.

The number of reports from flawfinder look huge, but I think it's important to put them in context. By default flawfinder reports practically everything, but sorts them the reports by expected risk... so most users simply start with the "most risky" items first. If you don't plan to look at the less risky ones, a simple option will stop reporting them. But fundamentally the approach taken by flawfinder and RATS will always have more false positive approaches than an in-depth approach that uses data flow and control flow information.

I do have questions. It's not clear to me how easy it would be to expand it beyond kernel drivers. They discuss it, but not enough to make it easy to estimate the time involved. Also, are they planning to maintain it? I'd like to see this as a live project, not something released and never improved upon. I hope they (or someone else) will do that!

Finding driver bugs with DR. CHECKER

Posted Sep 9, 2017 7:52 UTC (Sat) by pabs (subscriber, #43278) [Link]

If folks are interested in other tools for static analysis of C code, there are some other tools listed here:

https://anonscm.debian.org/cgit/collab-maint/check-all-th...
https://github.com/mcandre/linters#c

Finding driver bugs with DR. CHECKER

Posted Sep 10, 2017 18:29 UTC (Sun) by bmork (subscriber, #88411) [Link]

> the fact that this bug exists in the driver of a popular mobile device, shows that it evaded both expert analysts and possibly existing bug-finding tools.

In which reality is that?

Finding driver bugs with DR. CHECKER

Posted Sep 11, 2017 1:56 UTC (Mon) by dc123 (guest, #117760) [Link] (21 responses)

The very first sentence of the paper starts out like this:

"While kernel drivers have long been know to poses huge security risks..."

Sorry, could not be bothered to read the rest.

Finding driver bugs with DR. CHECKER

Posted Sep 11, 2017 12:13 UTC (Mon) by gregkh (subscriber, #8) [Link] (2 responses)

Why not? It's a provable statement, see the numbers that Google has provided as to where the kernel crashes they get all come from (hint, it's not the core kernel, nor in the upstream driver code...)

So this is a good thing to work to help solve, which is why we run so many different code checking tools, to ignore the state of out-of-tree driver quality is to not work to solve a real problem.

Finding driver bugs with DR. CHECKER

Posted Sep 12, 2017 2:19 UTC (Tue) by dc123 (guest, #117760) [Link] (1 responses)

I simply found it amusing that nobody bothered to proofread a paper about finding bugs :)

Finding driver bugs with DR. CHECKER

Posted Sep 12, 2017 14:10 UTC (Tue) by jerojasro (guest, #98169) [Link]

you know how it goes; you don't see the typos until it's printed.

Finding driver bugs with DR. CHECKER

Posted Sep 11, 2017 13:01 UTC (Mon) by excors (subscriber, #95769) [Link]

Perhaps it was a subtle reference to the similarity between error-finding tools for code and for English - a spellchecker will happily observe that "know" and "poses" are valid words, without noticing that the sentence makes no grammatical or logical sense, just as most bug-finding tools will detect simple erroneous code patterns but fail to do any higher-level analysis.

Or perhaps they just made some last-minute edits to the abstract and didn't proofread it properly.

Finding driver bugs with DR. CHECKER

Posted Sep 11, 2017 17:49 UTC (Mon) by smckay (guest, #103253) [Link] (16 responses)

That's a really poor filter. Insisting on perfect English means missing out on the work of a lot of smart people who happen not to speak English as a first language. I think it's more likely that you're just a jerk, though. Could you be a jerk more quietly?

Finding driver bugs with DR. CHECKER

Posted Sep 12, 2017 2:26 UTC (Tue) by dc123 (guest, #117760) [Link] (15 responses)

Sorry, my mistake. I just assumed, incorrectly, that graduate students at an American university were know to poses basic English.

Finding driver bugs with DR. CHECKER

Posted Sep 12, 2017 3:31 UTC (Tue) by BlueLightning (subscriber, #38978) [Link] (2 responses)

> Sorry, my mistake. I just assumed, incorrectly, that graduate students at an American university were know to poses basic English.

I think there may be a beam in your eye there.

Finding driver bugs with DR. CHECKER

Posted Sep 12, 2017 4:10 UTC (Tue) by bronson (subscriber, #4806) [Link] (1 responses)

Wow, that's true. One for each eye. ("know to poses")

If anyone hasn't seen the reference: https://en.wikipedia.org/wiki/The_Mote_and_the_Beam

Finding driver bugs with DR. CHECKER

Posted Sep 12, 2017 13:32 UTC (Tue) by epa (subscriber, #39769) [Link]

Whoosh!

Finding driver bugs with DR. CHECKER

Posted Sep 14, 2017 6:46 UTC (Thu) by kronat (guest, #117266) [Link]

In fact, they could have used grammarly.com, which correctly spots the typo.

Finding driver bugs with DR. CHECKER

Posted Sep 14, 2017 8:39 UTC (Thu) by Wol (subscriber, #4433) [Link] (10 responses)

> Sorry, my mistake. I just assumed, incorrectly, that graduate students at an American university were know to poses basic English.

Don't forget, native English speakers rarely realise that English is one of the HARDEST languages to learn as a second language. It's easy to learn to speak English. It's *hard* to learn to speak it well.

English will have four or five words, all subtly different! where other languages have just one. English has *three* present tenses whereas other languages have one. I'm sure other people can spot English speakers by their grammatical peculiarities in other languages, I sure as hell can spot foreigners - even those with near-perfect English - by their subtle grammatical oddities ...

(And yes, spelling. Words that are truly English are easy to spell. Problem is, a lot of "English" words are in fact foreign ... and retain (traces of) their foreign origin.)

Cheers,
Wol

Finding driver bugs with DR. CHECKER

Posted Sep 14, 2017 9:43 UTC (Thu) by renox (guest, #23785) [Link] (1 responses)

Hardest?
So is-it "le cailloux" or "la cailloux", "le pierre" or "la pierre", hmm?
Same with Spanish..

Finding driver bugs with DR. CHECKER

Posted Sep 14, 2017 12:04 UTC (Thu) by gevaerts (subscriber, #21521) [Link]

You're making it too easy! You started well, but you could so easily have added a few more -oux vs -ou cases instead of that stupid rock! :)

Finding driver bugs with DR. CHECKER

Posted Sep 14, 2017 12:11 UTC (Thu) by anselm (subscriber, #2796) [Link] (7 responses)

Don't forget, native English speakers rarely realise that English is one of the HARDEST languages to learn as a second language.

I'm not convinced. Try German, Russian, or Arabic.

English will have four or five words, all subtly different! where other languages have just one. English has *three* present tenses whereas other languages have one.

So what? English doesn't really have grammatical gender or inflection – for verbs, tacking on an “s” to get third-person singular verb forms is about as difficult as it gets (you very sensibly got rid of “thou hast” and “he hath” in common usage a good while ago), while nouns have only one singular and one plural form and no declensions because all the cases are formed using prepositions. Irregular verbs and nouns are fairly rare. English also doesn't have tones like Chinese or the more outlandish phonemes of some African languages, and it uses a reasonably straightforward writing system (26 easily distinguished letters, rather than, say, thousands of little pictures).

The main practical problems with English are its comparatively large vocabulary (as you said), the fact that the correspondence between written words and their pronuncation is sometimes very loose, and the challenge of getting one's prepositions straight in many idiomatic expressions. Usually, not being able to handle these perfectly may out you as a foreigner but not render you unintelligible, while with most English native speakers trying to speak German, you won't need to listen for subtle grammatical oddities to suss them out because when they confuse der, die, and das, which they inevitably will unless they are really very good, it will hit you right in the face.

The main reason (apart from network effects) why so many people speak English as a second language these days is that, compared to most other contenders, it is actually fairly simple to learn unless you want to be Shakespeare or Joyce. If you want a language that is really simple to learn as a second language, check out Esperanto.

Finding driver bugs with DR. CHECKER

Posted Sep 15, 2017 12:14 UTC (Fri) by jezuch (subscriber, #52988) [Link] (2 responses)

It's not the amount of different types of declination etc. that makes a language hard to learn; it's the number of *quirks*, and English is a very quirky language.

Finding driver bugs with DR. CHECKER

Posted Sep 15, 2017 13:39 UTC (Fri) by Wol (subscriber, #4433) [Link]

What's the plural of "index"?

(Stands back and watches the flame war ... :-)

Cheers,
Wol

Finding driver bugs with DR. CHECKER

Posted Sep 15, 2017 19:35 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

Pretty much every language has the same amount of quirks (except maybe for conlangs like Esperanto). It's just that inflected languages also have inflections in addition to quirks.

English is also easy to pick up, you can start with simple constructs and a couple hundred of words and you'll be able to write completely comprehensible texts. In an inflected language you'll have to master inflection first.

Personally, I attempted to learn Arabic and it was really slow going. Now I'm studying Mandarin and it's so much easier to master (module its writing system).

Finding driver bugs with DR. CHECKER

Posted Sep 15, 2017 13:41 UTC (Fri) by Wol (subscriber, #4433) [Link] (3 responses)

> So what? English doesn't really have grammatical gender or inflection – for verbs, tacking on an “s” to get third-person singular verb forms is about as difficult as it gets

I am, thou art, he is, we/you/they are.

Note that it is all the *common* verbs that tend to have weird forms!

Cheers,
Wol

Finding driver bugs with DR. CHECKER

Posted Sep 17, 2017 12:46 UTC (Sun) by mathstuf (subscriber, #69389) [Link] (1 responses)

Yes, the common verbs tend to be the oddballs in many languages. Now this is just a hunch, but my suspicion is that they are irregular because there are pressures to makes these words as short as possible due to their frequency of use and they end up getting so short that the normal rules don't apply anymore. If it were only uncommon verbs that we're irregular, I feel like they'd be pressured over time to be more regular. Examples include words or terms originally borrowed from other languages and then forced into the native patterns and even pronunciation.

Finding driver bugs with DR. CHECKER

Posted Sep 20, 2017 23:27 UTC (Wed) by nix (subscriber, #2304) [Link]

The other possibility is that they are irregular because they are very commonly used and thus are invariably learned very early by every speaker, and used so often by all interlocutors of all early speakers that there is little room for misinterpretation: everyone converges on the same behaviour. The root of all language change is innovations, often rooted in misinterpretations, by language learners, and (with a few exceptions such as present-day English and various creoles and trade tongues) that mostly means young children. Parts of language that are highly used around children will tend to smooth away the childrens' errors (many of which are regularizations of irregular forms: oh look pronouns are highly irregular).

For an example, look at English pronouns. They're inflected, they're fairly bizarre in all sorts of ways, and they are almost unchangeable. People have been trying to introduce a third-person gender-neutral pronoun less contorted than singular they for centuries. It has never caught on, and it likely never will, because pronouns are nearly universal among the community of English speakers, so there is little dialectical diversity to exploit in generating new pronouns, and all early speakers learn the same things (and, at the least, correctly learn their dialect's variation).

Finding driver bugs with DR. CHECKER

Posted Sep 17, 2017 14:26 UTC (Sun) by anselm (subscriber, #2796) [Link]

I am, thou art, he is, we/you/they are.

That's clutching at straws. In English, “to be” and “to have” are among the very few outliers, and nobody actually uses “thou art” anymore.

Compare that to German sein: ich bin, du bist, er/sie/es ist, wir sind, ihr seid, sie sind (present tense) and ich war, du warst, er/sie/es war, wir waren, ihr wart, sie waren (past tense). Oh, and there's a subjunctive mode, too: ich sei, du seist, er/sie/es sei, wir seien, ihr seiet, sie seien. Oops, actually there's two of them: ich wäre, du wärst, er/sie/es wäre, wir wären, ihr wäret, sie wären. And of course there are composite forms for present perfect, past perfect, and future I and II (although they work basically like the same forms in English – German and English are related, after all). But the past participle of sein that you need for these is the very obvious gewesen. Any questions?

Finding driver bugs with DR. CHECKER

Posted Sep 11, 2017 9:51 UTC (Mon) by mfuzzey (subscriber, #57966) [Link] (1 responses)

Has anyone run this on recent mainline kernels?

The paper only seems to mention various Android vendor kernels from mobile phones.

Finding driver bugs with DR. CHECKER

Posted Sep 19, 2017 7:45 UTC (Tue) by montjoie (subscriber, #110115) [Link]

I have tried to use it on linux-next.
Their build/setup is fragile and bad.
Requiring to build the kernel in j1 only for just generating a buildlog and after sed 's,gcc,llvm,' (and removing some flags) is bad.
The tool support only arm/arm64.
With some insistence (and ignoring segfaults and other errors), I finished to the last step.
And for the moment; I see nothing than false positive.