Hi all,

I am a graduate student at the University of Wisconsin-Madison. My
advisor (Prof. Ben Liblit) and I have been working on performing
static analysis to find program points at which potential error-valued
pointers are dereferenced in Linux file system implementations.

We have applied our analysis to 52 Linux file systems, the virtual
file system and the memory management module (Linux 2.6.35.4
kernel). We have manually inspected these reports and filtered out
what we believe are false positives. We have identified 31 true bugs,
from which 13 are located or we think might be attributed to the Memory
Management module.


Attached are two files:

1) mm-short-reports.txt

Contains short reports that include program location at which the
dereference occurs, variable name and list of error codes the pointer
variable may contain.

2) mm-detailed-reports.txt

Contains more detailed reports that include a complete sample trace
and a slice. The complete sample trace illustrates how one error code
may reach the program point at which the variable is dereferenced. The
slice summarizes the complete sample trace by including only relevant
program points at which the error code is transferred from variable to
variable or returned by a function. Each report is separated by
"====". Each complete trace and slice is separated by a blank line.


Any feedback will be really appreciated. Should we submit these bug reports
somewhere else? Are these true bugs? If not, a brief explanation could help
us to improve our tool.

Please let us know if you have any questions.

Thank you,

Cindy

P.S. We have also reported bugs #5, #10, #11, #12, #13, #14 and #15 to VFS
maintainers as these bugs might be attributed to the virtual file system
instead. Similarly, we have reported bugs #21, #22 and #23 to the HFS Plus
maintainers.