
1 Dynamic Model Checking with Property Driven Pruning to Detect Race Conditions
Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan*
NEC Laboratories America, Princeton, NJ
* University of Utah, Salt Lake City, UT

2 Motivation
- Concurrent programs are hard to debug
  - Too many possible thread interleavings, even for a given input
- Data races: a representative type of concurrency bug
  - e.g., among the flaws in the Therac-25 radiation therapy machine
  - e.g., related to the 2003 North America blackout
- What is a data race?
  - Multiple threads can simultaneously access a shared data variable
  - At least one of the accesses is a write

3 Related Work
- Precisely detecting data races (or proving race-freedom) is hard: it is a simultaneous reachability problem
- Previous efforts
  - Static checking (whole-program analysis): [Flanagan et al 2002], [Engler & Ashcraft 2002], [Pratikakis et al 2006], [Voung et al 2007], [Kahlon et al 2007], ...
    - Bogus warnings, too many of them!
  - Dynamic checking (on a particular execution trace): Eraser [Savage et al. 1997], Valgrind [Nethercote & Seward 2003], ...
    - May miss real races; bogus warnings may still appear
  - Classic model checking algorithms
    - Full coverage, but requires model building (non-trivial), e.g., for pointers, rich data types, ...

4 Related Work (2)
- (Stateless) dynamic model checking, e.g., Verisoft (Bell Labs), CHESS (MSR), Inspect (U. of Utah)
  - Do not store the program states, but rely on a depth-first search to systematically explore all feasible thread schedules
- Advantages
  - Run in the real environment → no bogus warnings
  - Full coverage for terminating programs → no missed data races
- Disadvantages
  - The search is inefficient: too many thread interleavings

5 Related Work (3)
- DPOR: Dynamic Partial Order Reduction [Flanagan & Godefroid, POPL 2005]
  - Main idea: remove redundant interleavings from each equivalence class of interleavings, provided that the representative has been checked
- Still not good enough! What if an entire equivalence class (of interleavings) is redundant?
- We need a property-specific reduction!
  - Remove redundant interleavings within each equivalence class
  - Remove redundant equivalence classes (w.r.t. the property)

6 Outline
- Introduction and Related Work
- Motivating Example
- Set of Locksets
- Modeling Unobserved Branches
- Experiments
- Conclusions

7 Motivating Example
Initial state: x = y = z = 0
Error trace: b1-b7, a1-a4, a5, b8-b9, {a6,b10}
Where is the data race?

8 Motivating Example
Traces explored:
a1-a4, a5-a8, a9-a11, b1-b7, b8-b11
a1-a4, a5-a8, b1-b7, a9-a11, b8-b11
a1-a4, a5-a8, b1-b7, b8-b11, a9-a11
a1-a4, ...
......
Error: b1-b7, a1-a4, a5, b8-b9, {a6,b10}
How would DPOR find it? ... it would take a while.
[figure label: reduction]

9 Motivating Example
Traces explored:
a1-a4, a5-a8, a9-a11, b1-b7, b8-b11
a1-a4, a5-a8, b1-b7, a9-a11, b8-b11
a1-a4, a5-a8, b1-b7, b8-b11, a9-a11
a1-a4, ...
......
Error: b1-b7, a1-a4, a5, b8-b9, {a6,b10}
In this search sub-space, a9-a11 and b1-b11 run concurrently. This sub-space does not have a data race!!!
How can we do better than that? ... lockset analysis of the sub-tree

10 Lockset Analysis: is the sub-space race-free?
- In this search sub-space, a9-a11 and b1-b11 run concurrently
- For each variable access, compute the set of held locks (lockset)
- This sub-space does not have a data race!!!

11 Lockset Analysis: is the sub-space race-free?
- RaceFreeSubSpace → prune away redundant equivalence classes
- Identifying the locksets is a thread-local computation → scalable
- This reduction is beyond DPOR, but fits seamlessly with dynamic model checking


13 Problem Statement
Given a trace and a state s_i, ask: are all alternative traces with the same prefix (up to s_i) race-free?

14 Set of Locksets
[figure: Seg_i, Seg_j]
For example:
lsSet_x(seg_i) = { {f1}, {f2} }
lsSet_x(seg_j) = { {f1,f2} }

15 Set of Locksets: it's conservative!
[figure: Seg_i, Seg_j]
RaceFreeSubSpace(S, s_i):
- If it reports a race → may be a real race
- If it reports race-free → indeed race-free
When the subspace is race-free, we prune away all the related equivalence classes (of interleavings)
Independent from (and potentially more powerful than) POR


17 The Missing Link (unobserved branches)
In collecting lsSet_x(seg_i), we have to consider all feasible branches of seg_i, which include:
- the observed path
- unobserved paths (not yet executed)
(we are talking about paths within a single thread)

18 Over-approximating Unobserved Branches
Our solution:
1. Use an a priori static analysis to collect lock information in all branches;
2. Instrument the source program: for both branches of every if-else statement, add calls to the following functions

19 Over-approximating Unobserved Branches
The unobserved branch: what do we know?
1. It accesses variable x, with lockset {B} ∪ ({C} \ {}) = {B,C}
2. At the end, the held locks are {B} ∪ ({C} \ {}) = {B,C}
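The RaceFreeSubSpace check of slides 14 and 15, together with the unobserved-branch lockset formula of slide 19, as an added Python example; this is not the authors' Inspect code. It assumes each thread's remaining segment after s_i has already been summarised as a list of accesses (variable, is-write flag, held lockset), and the segment contents are constructed here to reproduce the slide 14 numbers.

```python
from itertools import product

# Constructed summaries (not the paper's code): after state s_i, each thread's remaining
# segment seg is a list of accesses (var, is_write, lockset), lockset = locks held there.
def lockset_sets(segment):
    """lsSet_x(seg) for every variable x, plus whether seg ever writes x."""
    out = {}
    for var, is_write, ls in segment:
        entry = out.setdefault(var, {"write": False, "ls": set()})
        entry["write"] |= is_write
        entry["ls"].add(frozenset(ls))
    return out

def possible_race(segments):
    """RaceFreeSubSpace check over all segment pairs. Returns None when the sub-space
    is provably race-free (safe to prune), else a witness (var, i, j, ls_i, ls_j).
    Conservative: None is definite; a witness may or may not be a real race."""
    summaries = [lockset_sets(seg) for seg in segments]
    for i in range(len(summaries)):
        for j in range(i + 1, len(summaries)):
            for var in sorted(summaries[i].keys() & summaries[j].keys()):
                a, b = summaries[i][var], summaries[j][var]
                if not (a["write"] or b["write"]):
                    continue  # read/read can never race
                for ls_i, ls_j in product(a["ls"], b["ls"]):
                    if not (ls_i & ls_j):  # no common lock protects this pair
                        return (var, i, j, ls_i, ls_j)
    return None

def unobserved_branch_lockset(held, acquired, released):
    """Slide 19's formula for an access inside a not-yet-executed branch:
    held U (acquired minus released), e.g. {B} U ({C} minus {}) = {B, C}.
    'acquired' and 'released' are what the a priori static analysis collected."""
    return frozenset(held) | (frozenset(acquired) - frozenset(released))

# Slide 14's example: seg_i accesses x under {f1} and {f2}, seg_j under {f1, f2}.
SEG_I = [("x", True, {"f1"}), ("x", False, {"f2"})]
SEG_J = [("x", True, {"f1", "f2"})]
# Constructed variant: seg_j also reads y in an unobserved branch entered with {B}
# that acquires C; a third segment writes y under {D} only, so y is unprotected.
SEG_J2 = SEG_J + [("y", False, unobserved_branch_lockset({"B"}, {"C"}, set()))]
SEG_K = [("y", True, {"D"})]

if __name__ == "__main__":
    print(possible_race([SEG_I, SEG_J]))          # None: prune this sub-space
    print(possible_race([SEG_I, SEG_J2, SEG_K]))  # witness on y between segments 1 and 2
```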




23 Experiments
- Compared the following methods
  - DPOR (implemented in Inspect)
  - DPOR + Property-Driven Pruning
- Benchmark programs
  - Real Linux applications written in C using the POSIX thread library
  - From the public domain (sourceforge.net, freshmeat.org, etc.)
  - Fdrd2
  - Pfscan: file scanner
  - Aget: an FTP client for concurrently downloading segments of a large file
  - Bzip2smt: a multithreaded version of bzip

24 Experiments

25 Conclusions
- We present a new pruning method for stateless model checking, using a trace-based lockset analysis
  - The reduction (in thread interleavings) is property-specific, and is therefore beyond POR
- Significance
  - Our method scales much better to realistic programs
  - No bogus warnings, complete coverage
- Future work
  - Extend the pruning method to handle more general safety properties (deadlock and assertion)