Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.

Published byTyra Roys Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic."— Presentation transcript:

1 1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic Model Checking with Property Driven Pruning to Detect Race Conditions

2 2 Motivation  Concurrent programs are hard to debug  Too many possible thread interleavings  Even for a given input  Data races – a representative type of concurrency bugs  e.g., among flaws in the Therac-25 radiation therapy machine  e.g., related to the 2003 North America Blackout  What’s a data race?  Multiple threads can simultaneously access a shared data variable  At least one is a write

3 3 Related Work  Precisely detecting data races (or proving race-freedom) is hard  Simultaneous reachability  Previous efforts  Static checking (whole-program analysis)  [Flanagan et al 2002], [Engler & Ashcraft 2002], [Pratikakis et al 2006], [Voung et al 2007], [Kahlon et al 2007], …  Bogus warnings – too many of them!  Dynamic checking (on a particular execution trace)  Eraser [Savage et. al. 1997], Valgrind [Nethercote & Seward 2003], …  May miss real races; bogus warnings – may still appear  Classic model checking algorithms  Full coverage, but requires model building (non-trivial)  For example: pointers, rich data types, …

4 4 Related Work (2)  (Stateless) dynamic model checking  e.g., Verisoft (Bell labs), CHESS (MSR), Inspect (U. of Utah)  Do not store the program states, but rely on a Depth-First Search to systematically explore all feasible thread schedules  Advantages  Run in the real environment  no bogus warnings  Full coverage for terminating programs  No missed data races  Disadvantages:  The search is inefficient – too many thread interleavings

5 5 Related Work (3)  DPOR: Dynamic Partial Order Reduction  [Flanagan & Godefroid, POPL 2005]  Main idea: Remove redundant interleavings from each equivalence class of interleavings, provided that the representative has been checked  Still not good enough!  What if an entire equivalence class (of interleavings) is redundant  We need a property-specific reduction!  Remove redundant interleavings within each equivalence class  Remove redundant equivalence classes (w.r.t. the property)

6 6 Outline Introduction and Related Work  Motivating Example  Set of Locksets  Modeling Unobserved Branches  Experiments  Conclusions

7 Motivating Example 7 Error trace: b1-b7, a1-a4, a5, b8-b9, {a6,b10} Where is the data race? Initial state: x=y=z=0

8 Motivating Example 8 Traces: a1-a4,a5-a8, a9-a11,b1-b7,b8-b11 a1-a4,a5-a8, b1-b7,a9-a11,b8-b11 a1-a4,a5-a8, b1-b7,b8-b11,a9-a11 a1-a4,…………………………………. …… Error: b1-b7, a1-a4, a5, b8-b9, {a6,b10} How would DPOR find it? … … it would take awhile. reduction

9 Motivating Example 9 Traces: a1-a4,a5-a8, a9-a11,b1-b7,b8-b11 a1-a4,a5-a8, b1-b7,a9-a11,b8-b11 a1-a4,a5-a8, b1-b7,b8-b11,a9-a11 a1-a4,………………………………….. …… Error: b1-b7, a1-a4, a5, b8-b9, {a6,b10} In this search sub-space, a9-a11 and b1-b11 run concurrently This sub-space does not have data race!!! How can we do better than that? … … lockset analysis of the sub-tree

10 Lockset Analysis: is the sub-space race-free? 10 In this search sub-space, a9-a11 and b1-b11 run concurrently For each variable access, compute the set of held locks (lockset) This sub-space does not have data race!!!

11 Identifying the locksets is a thread-local computation  scalable This reduction is beyond DPOR, but fits seamlessly with dynamic model checking Lockset Analysis: is the sub-space race-free? 11 ReceFreeSubSpace  prune away redundant equivalence classes

12 12 Outline Introduction and Related Work  Motivating Example  Set of Locksets  Modeling Unobserved Branches  Experiments  Conclusions

13 Problem Statement  Given a trace and state Si, ask “whether all alternative traces with the same prefix (up to Si) are race free?” 13

14 Set of Locksets 14 Seg_i Seg_j For example, lsSet_x(seg_i) = { {f1}, {f2} } lsSet_x(seg_j) = { {f1,f2} }

15 Set of Locksets: it’s conservative! 15 Seg_i Seg_j RaceFreeSubSpace(S, si) If it reports a race  may be a real race if it reports race-free  indeed race-free When the subspace is race-free, we prune away all the related equivalence classes (of interleavings) Independent from (and potentially more powerful than) POR

16 16 Outline Introduction and Related Work  Motivating Example  Set of Locksets  Modeling Unobserved Branches  Experiments  Conclusions

17 17 The Missing Link (unobserved branches) In collecting lsSet_x(seg_i), we have to consider all feasible branches of (seg_i), which includes The observed path Unobserved paths (not-yet-executed) (we are talking about paths in a single thread)

18 Over-approximating Unobserved Branches 18 Our solution: 1.Use a priori static analysis to collect lock-info in all branches; 2.Instrument the source code program For both branches of every if-else statement, add calls to the following functions

19 Over-approximating Unobserved Branches 19 The Unobserved Branch What do we know? 1. it accesses variable x, with lockset {B} U ( {C}\{} ) = {B,C} 2. at the end, the held locks are {B} U ( {C}\{} ) = {B,C}

20 Over-approximating Unobserved Branches 20 The Unobserved Branch What do we know? 1. it accesses variable x, with lockset {B} U ( {C}\{} ) = {B,C} 2. at the end, the held locks are {B} U ( {C}\{} ) = {B,C}

21 Over-approximating Unobserved Branches 21 Our solution: 1.Use a priori static analysis to collect lock-info in all branches; 2.Instrument the source code program For both branches of every if—else statement, add calls to the following functions

22 22 Outline Introduction and Related Work  Motivating Example  Set of Locksets  Modeling Unobserved Branches  Experiments  Conclusions

23 23 Experiments  Compared the following methods  DPOR (implemented in Inspect)  DPOR + Property-Driven Pruning  Benchmark programs  Real Linux applications written in C using POSIX thread library  From public domain (sourceforge.net; freshmeat.org, etc.)  Fdrd2  Pfscan – file scanner  Aget – a ftp client for concurrently downloading segments of a large file  Bzip2smt – a multithreaded version of bzip

24 24 Experiments

25 25 Conclusions  We present a new pruning method for stateless model checking  Using a trace-based lockset analysis  The reduction (in thread interleavings) is property-specific, and is therefore is beyond POR  Significance  Our method scales much better to realistic programs  No bogus warnings, complete coverage  Future work  Extend the pruning method to handle more general safety properties (deadlock and assertion)

Download ppt "1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic."

Similar presentations

CHESS : Systematic Testing of Concurrent Programs

CHESS : Systematic Testing of Concurrent Programs
POPL'05: Dynamic Partial-Order ReductionCormac Flanagan1 Dynamic Partial-Order Reduction for Model Checking Software Cormac Flanagan UC Santa Cruz Patrice.

POPL'05: Dynamic Partial-Order ReductionCormac Flanagan1 Dynamic Partial-Order Reduction for Model Checking Software Cormac Flanagan UC Santa Cruz Patrice.
Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.

Cristian Cadar, Peter Boonstoppel, Dawson Engler RWset: Attacking Path Explosion in Constraint-Based Test Generation TACAS 2008, Budapest, Hungary ETAPS.
Applications of Synchronization Coverage A.Bron,E.Farchi, Y.Magid,Y.Nir,S.Ur Tehila Mayzels 1.

Applications of Synchronization Coverage A.Bron,E.Farchi, Y.Magid,Y.Nir,S.Ur Tehila Mayzels 1.
The complexity of predicting atomicity violations Azadeh Farzan Univ of Toronto P. Madhusudan Univ of Illinois at Urbana Champaign.

The complexity of predicting atomicity violations Azadeh Farzan Univ of Toronto P. Madhusudan Univ of Illinois at Urbana Champaign.
Effective Static Deadlock Detection

Effective Static Deadlock Detection
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,

Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)

1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Testing Concurrent/Distributed Systems Review of Final CEN 5076 Class 14 – 12/05.

Testing Concurrent/Distributed Systems Review of Final CEN 5076 Class 14 – 12/05.
Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.

Annoucements  Next labs 9 and 10 are paired for everyone. So don’t miss the lab.  There is a review session for the quiz on Monday, November 4, at 8:00.
Eraser: A Dynamic Data Race Detector for Multithreaded Programs STEFAN SAVAGE, MICHAEL BURROWS, GREG NELSON, PATRICK SOBALVARRO and THOMAS ANDERSON.

Eraser: A Dynamic Data Race Detector for Multithreaded Programs STEFAN SAVAGE, MICHAEL BURROWS, GREG NELSON, PATRICK SOBALVARRO and THOMAS ANDERSON.
Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.

Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.

Hybrid Concolic Testing Rupak Majumdar Koushik Sen UC Los Angeles UC Berkeley.
Scaling Model Checking of Dataraces Using Dynamic Information Ohad Shacham Tel Aviv University IBM Haifa Lab Mooly Sagiv Tel Aviv University Assaf Schuster.

Scaling Model Checking of Dataraces Using Dynamic Information Ohad Shacham Tel Aviv University IBM Haifa Lab Mooly Sagiv Tel Aviv University Assaf Schuster.
Static Data Race detection for Concurrent Programs with Asynchronous Calls Presenter: M. Amin Alipour Software Design Laboratory

Static Data Race detection for Concurrent Programs with Asynchronous Calls Presenter: M. Amin Alipour Software Design Laboratory
(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)

(Quickly) Testing the Tester via Path Coverage Alex Groce Oregon State University (formerly NASA/JPL Laboratory for Reliable Software)
Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.

Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.

Similar presentations

Ads by Google