FiTx: Daily Development-friendly Bug Detection

FiTx is a framework for generating daily development-friendly bug checkers that focus on well-known bug patterns. It is based on the approach described in:

“Balancing Analysis Time and Bug Detection: Daily Development-friendly Bug Detection in Linux” Keita Suzuki, Kenta Ishiguro, Kenji Kono. USENIX Annual Technical Conference (ATC), 2024. https://www.usenix.org/conference/atc24/presentation/suzuki

Library Location: lib/Checker/FiTx/

Headers: include/Checker/FiTx/

Tool Location: tools/checker/lotus_fitx.cpp

Overview

FiTx balances the trade-off between analysis time and bug detection: it uses computationally lightweight analyses and limits scope to a single compilation unit (translation unit), so that checkers can run quickly during daily development while still finding many real bugs.

Design principles from the paper:

• Short analysis time: Path-insensitive, inter-procedural analysis on the CFG; bottom-up summary-based interprocedural analysis; no indirect function calls; static field offsets only (struct fields or constant array indices).

• Targeted bug detection: Typestate-based analysis for well-known patterns (double free, use-after-free, memory leak, refcount errors, double lock/unlock, etc.) that are findable with these lightweight techniques (“FiT analysis” / finger-traceable analysis).

FiTx is not intended to replace heavy-weight static analyzers; it acts as an early warning during build/integration so that developers get fast feedback, and more sophisticated tools can focus on harder bugs later.

Analysis Approach (from the paper)

FiT analysis (finger traceable):

• Scope: single compilation unit.

• Dataflow: inter-procedural, path-insensitive, field-sensitive.

• Alias: intra-procedural only; no interprocedural alias.

• Control flow: direct calls only (no indirect calls).

• Field offsets: compile-time only (struct fields, constant array indices).

Typestate analysis:

• Each bug is specified as a typestate property: a finite state machine (FSM) over variables.

• Transition rules consist of: hook instruction (e.g. call, store, load), operand constraints, and target operand. See paper Table 5 (Fun Arg, Fun Call, Store ANY/NULL/NON/Const, Use).

• The analysis traverses the CFG, merges states from predecessors (by priority, e.g. distance to bug state to suppress false positives), and applies transitions at each instruction.

Return-code aware state propagation (Section 4.3 of the paper):

• Function summaries record states per return code (e.g. 0 for success, negative for error).

• At a call site, if the return value is used in a branch (e.g. if (err)), only the states for the return codes that satisfy that branch are propagated. This reduces false positives from mixing success and error paths.

Bug-checking hooks (paper Table 6):

• IMMEDIATE: right after a transition (default).

• VAR_END: end of variable lifetime.

• BLOCK_END: end of basic block.

• FUNC_END: end of function.

• MODULE_END: end of analysis (e.g. for functions with no in-unit callers).

Components

Frontend (lib/Checker/FiTx/Frontend/):

• Framework.cpp / Framework.h – Main FiTx pass; defines typestate checkers and runs them (paper Section 4, 5).

• Analyzer.cpp – CFG-based typestate analysis: block-by-block state merge, transition application, return-code aware propagation from callee summaries (paper Section 4.2, 4.3).

• State.h, StateTransition.h – Typestate FSM: states, transitions, notification timing (IMMEDIATE, FUNCTION_END, END_OF_LIFE, MODULE_END).

Framework IR (lib/Checker/FiTx/Framework_IR/):

• Analyzer.cpp – Builds the framework IR from LLVM: calls, stores, loads, returns; collects possible return values per basic block for function summaries and return-code aware propagation (paper Section 4.3).

Core (lib/Checker/FiTx/Core/):

• BasicBlock.h, Function.h, Value.h – CFG and value representation with field-sensitive structure (static field offsets).

• Instructions/BranchInstruction.cpp – Branch/switch conditions; used to resolve return-code at call sites (e.g. if (err) vs if (!err)) for propagating the correct callee summary (paper Section 4.3).

• ValueTypeAlias.cpp – Intra-procedural alias for store/load (paper: intra-procedural alias only).

Detectors (lib/Checker/FiTx/Detector/):

• Each detector (e.g. DF_detector/, UAF_detector/, Leak_detector/, Ref_count_detector/) defines a typestate FSM for one bug pattern (paper Section 4.1, Table 5; Section 5: DF, DL/DUL, ML, UAF, Ref).

Bug Types

FiTx targets well-known patterns that are FiT-analysis findable (paper Table 2, Section 5):

• Double Free (DF) – Same memory freed twice.

• Use After Free (UAF) – Use of freed memory.

• Memory Leak (ML) – Allocated memory not freed.

• Reference counting errors (Ref) – Missing get/put or unbalanced refcount.

• Double Lock / Double Unlock (DL / DUL) – Lock/unlock API misuse.

The paper also discusses UBI (use before initialization), null pointer dereference, and out-of-bounds as FiT-findable patterns; the framework is extensible with new typestate definitions.

Understanding the code

Analysis flow

1. Framework IR (framework_ir/Analyzer.cpp): For each LLVM function, build a framework CFG (basic blocks, instructions as Call/Store/Load/Return). Collect possible return values per block (constants, call results) for building function summaries.

2. Main pass (frontend/Framework.cpp): For each typestate checker (StateManager), create an Analyzer and run analyze(). The analyzer iterates over all framework functions in the module.

3. Per-function analysis (frontend/Analyzer.cpp, analyzeFunction): Worklist over basic blocks. For each block: (a) createBasicBlockInfo merges states from all predecessors; (b) analyzePrevBlockBranch applies branch-dependent transitions (e.g. ptr==NULL on true path); (c) for each Call/Store/Load, apply the matching typestate transitions (Fun Arg, Store, Use, Alias); (d) if any state changed, re-queue the block; (e) at end of block, run bug-checking hooks (IMMEDIATE, END_OF_LIFE). After the worklist, analyzeReturnValue builds the function summary (return code → blocks), then report at FUNCTION_END and MODULE_END if applicable.

4. Call handling: On a call, first apply Fun Arg transitions (e.g. kfree(ptr)). If the callee is defined in this TU, analyze it (bottom-up), then copyFunctionValues or addPendingFunctionValues: if the return value is used in a branch (e.g. if (err)), only the callee states for the return codes that satisfy that branch are propagated (return-code aware propagation); otherwise merge states from all callee exit blocks.

Key data structures

• FunctionInformation (frontend/Function.h): Per-function summary: basic_block_info_ (per-block value states), return_info_ (return code → set of blocks), value_collection_ (related/parent values for propagation).

• BasicBlockInformation (frontend/BasicBlock.h): Per-block state: value_states_ (value → TransitionLogs), arg_value_states_ (for summary: arg index → (value, transitions)), pending_values_ (per successor block: pending arg states and return value for return-code aware propagation).

• TransitionLogs (frontend/State.h): History of (transition, instruction) for one value; LeastSignificantSource is used to filter reports (only report if the value reached the bug state from a “real” init).

• StateTransitionManager (frontend/State.h): Lookup transitions by trigger: Fun Arg (function name + arg index), Store (NULL/NON/ANY/CALL_FUNC), Use, Alias. Each detector registers its typestate transitions here.

Adding a new detector

1. Define states (init, intermediate, bug) and transitions in a define_states(StateManager&) (e.g. DFUtils.cpp).

2. Register Fun Arg / Store / Use / Alias transitions via TransitionManager.

3. Create a FrameworkPass subclass that overrides defineStates() and calls your define_states; add it to FrameworkPass::passes.

References

• Suzuki, K., Ishiguro, K., Kono, K. “Balancing Analysis Time and Bug Detection: Daily Development-friendly Bug Detection in Linux.” USENIX ATC 2024.

• FiTx prototype: https://github.com/sslab-keio/FiTx

See Also

• Checker Framework – Checker framework overview