Race conditions are a class of bugs in software where concurrent accesses to shared resources are not protected from each other. Consequences of race conditions include privilege escalation, denial of service, and memory corruption, which can potentially lead to arbitrary code execution. However, in large code bases the exact rules as to which fields should be accessed under which locks are not always clear. We propose a novel static technique that infers rules for how field accesses should be locked, and then checks the code against these rules. Traditional static analysers for detecting race conditions are based on lockset analysis. Instead, we propose an outlier-based technique enhanced with a context-sensitive mechanism that scales well. We have implemented this analysis in LLIF and evaluated it to find incorrectly protected field accesses in Linux v5.14.11. We thoroughly evaluate its ability to find race conditions and study the causes of false positive reports. In addition, we reported a subset of the issues and submitted patches. The maintainers confirmed 24 bugs.
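As an added illustration of the outlier idea (this is not the paper's LLIF implementation, and it omits the context-sensitive mechanism), the following script infers a "field must be accessed under lock X" rule by majority vote over constructed access records and flags the minority accesses as outliers; the field and lock names, the thresholds, and the context-insensitive vote are all assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    func: str          # function containing the access site
    field: str         # struct field being read or written
    locks: frozenset   # locks held at the access site


def infer_lock_rules(accesses, min_support=4, min_ratio=0.8):
    """Infer one protecting lock per field when a clear majority of its
    accesses hold that lock. Fields with too few samples get no rule
    (assumed thresholds; the paper's selection criteria are not reproduced)."""
    per_field = defaultdict(list)
    for a in accesses:
        per_field[a.field].append(a)
    rules = {}
    for field, accs in per_field.items():
        if len(accs) < min_support:
            continue
        counts = Counter(lock for a in accs for lock in a.locks)
        if not counts:
            continue
        lock, n = counts.most_common(1)[0]
        if n / len(accs) >= min_ratio:
            rules[field] = lock
    return rules


def find_outliers(accesses, rules):
    """Report accesses that violate an inferred rule: candidate races."""
    return [a for a in accesses
            if a.field in rules and rules[a.field] not in a.locks]


# Constructed sample: six accesses to ctx->state, five under ctx_lock and one
# lockless read, plus a field with too few accesses to infer anything.
SAMPLE = [
    Access("ctx_open", "ctx->state", frozenset({"ctx_lock"})),
    Access("ctx_close", "ctx->state", frozenset({"ctx_lock"})),
    Access("ctx_reset", "ctx->state", frozenset({"ctx_lock", "dev_lock"})),
    Access("ctx_poll", "ctx->state", frozenset({"ctx_lock"})),
    Access("ctx_ioctl", "ctx->state", frozenset({"ctx_lock"})),
    Access("dump_state", "ctx->state", frozenset()),          # outlier
    Access("dev_probe", "dev->stats", frozenset({"dev_lock"})),
    Access("dev_remove", "dev->stats", frozenset()),          # below min_support
]

if __name__ == "__main__":
    for a in find_outliers(SAMPLE, infer_lock_rules(SAMPLE)):
        print(f"{a.func}: {a.field} accessed without {infer_lock_rules(SAMPLE)[a.field]}")
```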