Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz.

Slides:

Advertisements

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Advertisements

Types for Atomicity Authors: Cormac Flanagan, UC Santa Cruz Stephen Freund, Marina Lifshin, Williams College Shaz Qadeer, Microsoft Research Presentation.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

Concurrency 101 Shared state. Part 1: General Concepts 2.

Locks (Java 1.5) Only one thread can hold a lock at once –Other threads that try to acquire it block (or become suspended) until lock becomes available.

/ PSWLAB Concurrent Bug Patterns and How to Test Them by Eitan Farchi, Yarden Nir, Shmuel Ur published in the proceedings of IPDPS’03 (PADTAD2003)

1 Beyond Reduction Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } if (m == 0) { m = 1; return true; } else.

Part IV: Exploiting Purity for Atomicity. Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } CAS(m,0,1) (fails) (succeeds)

Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)

CS294-32: Dynamic Data Race Detection Koushik Sen UC Berkeley.

Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.

C. Flanagan1Types for Atomicity Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.

/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.

CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.

Atomicity Violation Detection Prof. Moonzoo Kim CS492B Analysis of Concurrent Programs.

Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

ADVERSARIAL MEMORY FOR DETECTING DESTRUCTIVE RACES Cormac Flanagan & Stephen Freund UC Santa Cruz Williams College PLDI 2010 Slides by Michelle Goodstein.

“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.

Atomicity: A powerful concept for analyzing concurrent software Shaz Qadeer Microsoft Research.

C. FlanaganTypes for Race Freedom1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.

CS533 Concepts of Operating Systems Class 3 Data Races and the Case Against Threads.

C. FlanaganAtomicity for Reliable Concurrent Software - PLDI'05 Tutorial1 Atomicity for Reliable Concurrent Software Part 3a: Types for Race-Freedom and.

C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.

Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac.

C. FlanaganDynamic Analysis for Atomicity1. C. Flanagan2Dynamic Analysis for Atomicity Atomicity The method inc() is atomic if concurrent threads do not.

Race Checking by Context Inference Tom Henzinger Ranjit Jhala Rupak Majumdar UC Berkeley.

C. Flanagan1Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Atomicity for Reliable Concurrent Software Joint work with Stephen Freund Shaz.

Runtime Atomicity Analysis of Multi-threaded Programs Focus is on the paper: “Atomizer: A Dynamic Atomicity Checker for Multithreaded Programs” by C. Flanagan.

Types for Atomicity in Multithreaded Software Cormac Flanagan Systems Research Center HP Labs.

Synchronization in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

CS533 Concepts of Operating Systems Class 3 Monitors.

1 Sharing Objects – Ch. 3 Visibility What is the source of the issue? Volatile Dekker’s algorithm Publication and Escape Thread Confinement Immutability.

Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz.

Part II: Atomicity for Software Model Checking. Class Account { int balance; static int MIN = 0, MAX = 100; bool synchronized deposit(int n) { int t =

Cormac Flanagan UC Santa Cruz Velodrome: A Sound and Complete Dynamic Atomicity Checker for Multithreaded Programs Jaeheon Yi UC Santa Cruz Stephen Freund.

Synchronization CSCI 444/544 Operating Systems Fall 2008.

/ PSWLAB Eraser: A Dynamic Data Race Detector for Multithreaded Programs By Stefan Savage et al 5 th Mar 2008 presented by Hong,Shin Eraser:

Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.

C. FlanaganType Systems for Multithreaded Software1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research.

Accelerating Precise Race Detection Using Commercially-Available Hardware Transactional Memory Support Serdar Tasiran Koc University, Istanbul, Turkey.

Threading and Concurrency Issues ● Creating Threads ● In Java ● Subclassing Thread ● Implementing Runnable ● Synchronization ● Immutable ● Synchronized.

/ PSWLAB Type-Based Race Detection for J AVA by Cormac Flanagan, Stephen N. Freund 22 nd Feb 2008 presented by Hong,Shin Type-Based.

Reduction: A powerful technique for analyzing concurrent software Shaz Qadeer Microsoft Research Collaborators: Cormac Flanagan, UC Santa Cruz Stephen.

COMP 111 Threads and concurrency Sept 28, Tufts University Computer Science2 Who is this guy? I am not Prof. Couch Obvious? Sam Guyer New assistant.

Internet Software Development Controlling Threads Paul J Krause.

Aritra Sengupta, Swarnendu Biswas, Minjia Zhang, Michael D. Bond and Milind Kulkarni ASPLOS 2015, ISTANBUL, TURKEY Hybrid Static-Dynamic Analysis for Statically.

Shared Memory Consistency Models. SMP systems support shared memory abstraction: all processors see the whole memory and can perform memory operations.

Motivation  Parallel programming is difficult  Culprit: Non-determinism Interleaving of parallel threads But required to harness parallelism  Sequential.

COSC 3407: Operating Systems Lecture 9: Readers-Writers and Language Support for Synchronization.

Detecting Atomicity Violations via Access Interleaving Invariants

Effective Static Deadlock Detection Mayur Naik (Intel Research) Chang-Seo Park and Koushik Sen (UC Berkeley) David Gay (Intel Research)

November 2005Scott Stoller, Stony Brook University1 Checking Atomicity in Concurrent Java Programs Scott D. Stoller Joint work with Rahul Agarwal, Amit.

/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.

Aritra Sengupta, Man Cao, Michael D. Bond and Milind Kulkarni PPPJ 2015, Melbourne, Florida, USA Toward Efficient Strong Memory Model Support for the Java.

Specifying Multithreaded Java semantics for Program Verification Abhik Roychoudhury National University of Singapore (Joint work with Tulika Mitra)

Eraser: A dynamic Data Race Detector for Multithreaded Programs Stefan Savage, Michael Burrows, Greg Nelson, Patrick Sobalvarro, Thomas Anderson Presenter:

Using Escape Analysis in Dynamic Data Race Detection Emma Harrington `15 Williams College

Healing Data Races On-The-Fly

Speculative Lock Elision

Specifying Multithreaded Java semantics for Program Verification

Threads and Memory Models Hal Perkins Autumn 2011

Changing thread semantics

Atomicity in Multithreaded Software

Threads and Memory Models Hal Perkins Autumn 2009

Concurrency Control WXES 2103 Database.

CSE 332: Concurrency and Locks

Eraser: A dynamic data race detector for multithreaded programs

Presentation transcript:

Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz

2 class Account { private int balance = 0; public read() { int r; synchronized(this) { r = balance; } return r; } Race-Free Bank Account public void deposit(int n) { int r = read(); synchronized(this) { balance = r + n; }  Race-freedom is not sufficient other threads can update balance

3 class Account { private int balance = 0; public read() { int r; synchronized(this) { r = balance; } return r; } Fixed Bank Account public void deposit(int n) { synchronized(this) { int r = balance; balance = r + n; }

4 class Account { private int balance = 0; public read() { return balance; } Optimized Bank Account public void deposit(int n) { synchronized(this) { int r = balance; balance = r + n; }  Race-freedom is not necessary

5 Race-Freedom  Race-freedom is neither necessary nor sufficient to ensure the absence of errors due to unexpected interactions between threads  Is there a more fundamental semantic correctness property?

6 Sequential Program Execution void deposit() {.... } precond. postcond. deposit()

7 Multithreaded Program Execution void deposit() {.... }

8 Multithreaded Program Execution void deposit() {.... }

9 Multithreaded Program Execution  Atomicity –maximal non-interference property –enables sequential reasoning –matches existing methodology

10 Definition of Atomicity  deposit is atomic if for every non-serial execution, there is a serial execution with the same overall behavior (same final state)         acq(this)r=balbal=r+nrel(this)xyz         acq(this)r=balbal=r+nrel(this)xyz         acq(this)r=balbal=r+nrel(this)xyz  Serial execution of deposit  Non-serial executions of deposit public void deposit(int n) { synchronized(this) { int r = bal; bal = r + n; }

11 Atomizer: Dynamic Analysis  Lockset algorithm –from Eraser [Savage et al. 97] –identifies race conditions  Reduction [Lipton 75] –proof technique for verifying atomicity, using information about race conditions

12 Atomizer: Dynamic Analysis  Lockset algorithm –from Eraser [Savage et al. 97] –identifies race conditions  Reduction [Lipton 75] –proof technique for verifying atomicity, using information about race conditions

13 Atomizer: Dynamic Analysis  Lockset algorithm –from Eraser [Savage et al. 97] –identifies race conditions  Reduction [Lipton 75] –proof technique for verifying atomicity, using information about race conditions

14 Reduction [Lipton 75] acq(this) S 1 X S 2 j=bal S 3 Y S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0

15 Reduction [Lipton 75] X T 1 Y T 2 acq(this) T 3 j=bal S 4 bal=j+n S 5 rel(this) T 6 Z S 7 S0 S0 acq(this) S 1 X S 2 j=bal S 3 Y S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0

16 Commuting Actions 00 33 11 bc

17 Right Mover 00 33 22 00 33 11 bc cb b is right mover

18 Right Mover 00 33 22 00 33 11 ACQ(l,t)c c

19 Left Mover 00 33 22 00 33 11 bc cb c is left mover

20 Left Mover 00 33 22 00 33 11 bREL(l,t) b

21 Both Mover 00 33 22 00 33 11 bMEM(m,a,t) b m is always protected by the lockset L and at least one lock in L is held by t during the access

22 Non Mover 00 33 22 00 33 11 bMEM(m,a,t) b m is always protected by the lockset L and none of the locks in L is held by t during the access X

23  Reducible methods: (R|B)* [N] (L|B)* Performing Reduction Dynamically  R: right-mover –lock acquire  L: left-mover –lock release  B: both-mover –race-free field access  N: non-mover –access to "racy" fields InRightInLeft R|B L|N start atomic block Error L|B R|N acq(lock) j=bal bal=j+n rel(lock) R B B L

24 Reduction [Lipton 75] acq(this) S 1 X S 2 j=bal S 3 Y S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0 green thread holds lock  red thread does not hold lock  operation y does not access balance (assuming balance protected by lock)  operations commute

25 Reduction [Lipton 75] acq(this) S 1 X S 2 j=bal S 3 Y S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0 acq(this) S 1 X S 2 Y T 3 j=bal S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0 green thread holds lock after acquire  operation x does not modify lock  operations commute

26 Reduction [Lipton 75] acq(this) S 1 X S 2 j=bal S 3 Y S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0 acq(this) S 1 X S 2 Y T 3 j=bal S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0 X T 1 acq(this) S 2 Y T 3 j=bal S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0

27 Reduction [Lipton 75] acq(this) S 1 X S 2 j=bal S 3 Y S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0 acq(this) S 1 X S 2 Y T 3 j=bal S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0 X T 1 acq(this) S 2 Y T 3 j=bal S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0 X T 1 Y T 2 acq(this) T 3 j=bal S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0

28 Reduction [Lipton 75] X T 1 Y T 2 acq(this) T 3 j=bal S 4 bal=j+n S 5 rel(this) T 6 Z S 7 S0 S0 acq(this) S 1 X S 2 j=bal S 3 Y S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0 acq(this) S 1 X S 2 Y T 3 j=bal S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0 X T 1 acq(this) S 2 Y T 3 j=bal S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0 X T 1 Y T 2 acq(this) T 3 j=bal S 4 bal=j+n S 5 Z S 6 rel(this) S 7 S0 S0

29 class Account { private int balance = 0; atomic public read() { int r; synchronized(this) { r = balance; } return r; } Atomizer Goal atomic void deposit(int n) { synchronized(this) { int r = balance; balance = r + n; } Add two more event types: BEGIN and END

30 Atomizer Algorithm t.State = InRightt.State = InLeftWrong REL(l,t) MEM(m,a,t) and m is unprotected ACQ(l,t) t.State = OutsideAtomic REL(l,t) BEGIN END ACQ(l,t) MEM(m,a,t) and m is unprotected

31 Atomizer Review  Instrumented code calls Atomizer runtime –on field accesses, sync ops, etc  Lockset algorithm identifies races –used to classify ops as movers or non-movers  Atomizer checks reducibility of atomic blocks –warns about atomicity violations

32 Evaluation  12 benchmarks –scientific computing, web server, std libraries,... –200,000+ lines of code  Heuristics for atomicity –all synchronized blocks are atomic –all public methods are atomic, except main and run  Slowdown:1.5x - 40x

33 BenchmarkLines Base Time (s) Atomizer Slowdown elevator hedc29, tsp sor17, moldyn1, montecarlo3, raytracer1, mtrt11, jigsaw90, specJBB30, webl22, lib-java75,

34 Extensions  Redundant lock operations are both-movers –re-entrant acquire/release –operations on thread-local locks –operations on lock A, if lock B always acquired before A  Write-protected data

35 Write-Protected Data class Account { int bal; /*# atomic */ int read() { return bal; } /*# atomic */ void deposit(int n) { synchronized (this) { int j = bal; bal = j + n; } RBNLRBNL

36 Extensions Reduce Number of Warnings Total 341 Total 97

37 Evaluation  Warnings: 97 (down from 341)  Real errors (conservative): 7  False alarms due to: –simplistic heuristics for atomicity programmer should specify atomicity –false races –methods irreducible yet still "atomic" eg caching, lazy initialization  No warnings reported in more than 90% of exercised methods

38 java.lang.StringBuffer /**... used by the compiler to implement the binary string concatenation operator... String buffers are safe for use by multiple threads. The methods are synchronized so that all the operations on any particular instance behave as if they occur in some serial order that is consistent with the order of the method calls made by each of the individual threads involved. */ /*# atomic */ public class StringBuffer {... }

39 public class StringBuffer { private int count; public synchronized int length() { return count; } public synchronized void getChars(...) {... } /*# atomic */ public synchronized void append(StringBuffer sb){ int len = sb.length();... sb.getChars(...,len,...);... } java.lang.StringBuffer sb.length() acquires lock on sb, gets length, and releases lock use of stale len may yield StringIndexOutOfBoundsException inside getChars(...) other threads can change sb

40 public class StringBuffer { private int count; public synchronized int length() { return count; } public synchronized void getChars(...) {... } /*# atomic */ public synchronized void append(StringBuffer sb){ int len = sb.length();... sb.getChars(...,len,...);... } java.lang.StringBuffer StringBuffer.append is not atomic: Start: at StringBuffer.append(StringBuffer.java:701) at Thread1.run(Example.java:17) Commit: Lock Release at StringBuffer.length(StringBuffer.java:221) at StringBuffer.append(StringBuffer.java:702) at Thread1.run(Example.java:17) Error: Lock Acquire at StringBuffer.getChars(StringBuffer.java:245) at StringBuffer.append(StringBuffer.java:710) at Thread1.run(Example.java:17)

41 Related Work  Reduction –[Lipton 75, Lamport-Schneider 89,...] –type systems [Flanagan-Qadeer 03], model checking [Stoller-Cohen 03, Flanagan-Qadeer 03], procedure summaries [Qadeer et al 04]  Other atomicity checkers –[Wang-Stoller 03], Bogor model checker [Hatcliff et al 03]  Race detection / prevention –dynamic [Savage et al 97, O'Callahan-Choi 01, von Praun-Gross 01] –Warlock [Sterling 93], SPMD [Aiken-Gay 98] –type systems [Abadi-Flanagan 99, Flanagan-Freund 00, Boyapati-Rinard 01] –Guava [Bacon et al 01]  View consistency [Artho-Biere-Havelund 03, von Praun-Gross 03]

42 atomic Multithreaded Program Execution run() b() d() a()

43 Multithreaded Program Execution run() b() d() a() atomic

44 Conclusions And Future Directions  Atomicity –maximal non-interference property –enables sequential reasoning –matches practice  Atomizer extends race detection techniques –catches "higher-level" concurrency errors –some benign races do not break atomicity  Atomicity for distributed systems?