/ PSWLAB RacerX: Effective, Static Detection of Race Conditions and Deadlocks by Dawson Engler & Ken Ashcraft (published in SOSP03) Hong,Shin.

Slides:



Advertisements
Similar presentations
Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Advertisements

School of EECS, Peking University “Advanced Compiler Techniques” (Fall 2011) SSA Guo, Yao.
P3 / 2004 Register Allocation. Kostis Sagonas 2 Spring 2004 Outline What is register allocation Webs Interference Graphs Graph coloring Spilling Live-Range.
Synchronization. How to synchronize processes? – Need to protect access to shared data to avoid problems like race conditions – Typical example: Updating.
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
1 CS 201 Compiler Construction Lecture 3 Data Flow Analysis.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov SPIN Search Algorithm.
/ PSWLAB Concurrent Bug Patterns and How to Test Them by Eitan Farchi, Yarden Nir, Shmuel Ur published in the proceedings of IPDPS’03 (PADTAD2003)
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Taming Win32 Threads with Static Analysis Jason Yang Program Analysis Group Center for Software Excellence (CSE) Microsoft Corporation.
Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
API Design CPSC 315 – Programming Studio Fall 2008 Follows Kernighan and Pike, The Practice of Programming and Joshua Bloch’s Library-Centric Software.
Mayur Naik Alex Aiken John Whaley Stanford University Effective Static Race Detection for Java.
Improving code generation. Better code generation requires greater context Over expressions: optimal ordering of subtrees Over basic blocks: Common subexpression.
RacerX: effective, static detection of race conditions and deadlocks Dawson Engler and Ken Ashcraft Stanford University.
1 RELAY: Static Race Detection on Millions of Lines of Code Jan Voung, Ranjit Jhala, and Sorin Lerner UC San Diego speaker.
Synchronization in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Improving Code Generation Honors Compilers April 16 th 2002.
Pointer analysis. Pointer Analysis Outline: –What is pointer analysis –Intraprocedural pointer analysis –Interprocedural pointer analysis Andersen and.
Software Testing and QA Theory and Practice (Chapter 4: Control Flow Testing) © Naik & Tripathy 1 Software Testing and Quality Assurance Theory and Practice.
/ PSWLAB Eraser: A Dynamic Data Race Detector for Multithreaded Programs By Stefan Savage et al 5 th Mar 2008 presented by Hong,Shin Eraser:
DETECTION OF POTENTIAL DEADLOCKS AND DATARACES ROZA GHAMARI Bogazici UniversityMarch 2009.
Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.
Software Testing Sudipto Ghosh CS 406 Fall 99 November 9, 1999.
1 ECE 453 – CS 447 – SE 465 Software Testing & Quality Assurance Instructor Kostas Kontogiannis.
P ARALLEL P ROCESSING I NSTITUTE · F UDAN U NIVERSITY 1.
Automated Whitebox Fuzz Testing (NDSS 2008) Presented by: Edmund Warner University of Central Florida April 7, 2011 David Molnar UC Berkeley
/ PSWLAB Type-Based Race Detection for J AVA by Cormac Flanagan, Stephen N. Freund 22 nd Feb 2008 presented by Hong,Shin Type-Based.
Use of Coverity & Valgrind in Geant4 Gabriele Cosmo.
Static Code Checking: Security and Concurrency Ben Watson The George Washington University CS 297 Security and Programming Languages June 9, 2005.
Operating Systems ECE344 Ashvin Goel ECE University of Toronto Mutual Exclusion.
Kernel Locking Techniques by Robert Love presented by Scott Price.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University IWPSE 2003 Program.
MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 6 Deadlocks Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall, Inc. All.
Dataflow Analysis for Concurrent Programs using Datarace Detection Ravi Chugh, Jan W. Voung, Ranjit Jhala, Sorin Lerner LBA Reading Group Michelle Goodstein.
Dr. Kalpakis CMSC 421, Operating Systems Deadlocks.
/ 23 Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information Slides taken from Shin Hong’s MS Thesis Defense Concurrency.
CS533 – Spring Jeanie M. Schwenk Experiences and Processes and Monitors with Mesa What is Mesa? “Mesa is a strongly typed, block structured programming.
Effective Static Deadlock Detection Mayur Naik* Chang-Seo Park +, Koushik Sen +, David Gay* *Intel Research, Berkeley + UC Berkeley.
How to execute Program structure Variables name, keywords, binding, scope, lifetime Data types – type system – primitives, strings, arrays, hashes – pointers/references.
CSE 153 Design of Operating Systems Winter 2015 Midterm Review.
CS412/413 Introduction to Compilers Radu Rugina Lecture 18: Control Flow Graphs 29 Feb 02.
1 Control Flow Graphs. 2 Optimizations Code transformations to improve program –Mainly: improve execution time –Also: reduce program size Can be done.
/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.
/ PSWLAB Evidence-Based Analysis and Inferring Preconditions for Bug Detection By D. Brand, M. Buss, V. C. Sreedhar published in ICSM 2007.
Eraser: A dynamic Data Race Detector for Multithreaded Programs Stefan Savage, Michael Burrows, Greg Nelson, Patrick Sobalvarro, Thomas Anderson Presenter:
Mutual Exclusion -- Addendum. Mutual Exclusion in Critical Sections.
Chapter 9: Value-Returning Functions
Control Flow Testing Handouts
Handouts Software Testing and Quality Assurance Theory and Practice Chapter 4 Control Flow Testing
Compositional Pointer and Escape Analysis for Java Programs
ITEC 202 Operating Systems
Multiple Granularity Granularity is the size of data item  allowed to lock. Multiple Granularity is the hierarchically breaking up the database into portions.
Outline of the Chapter Basic Idea Outline of Control Flow Testing
Amir Kamil and Katherine Yelick
Predictive Performance
Paul Ammann & Jeff Offutt
Test Case Test case Describes an input Description and an expected output Description. Test case ID Section 1: Before execution Section 2: After execution.
Amir Kamil and Katherine Yelick
CSE 153 Design of Operating Systems Winter 19
Foundations and Definitions
Automatically Diagnosing and Repairing Error Handling Bugs in C
CSE 153 Design of Operating Systems Winter 2019
Pointer analysis John Rollinson & Kaiyuan Li
Presentation transcript:

/ PSWLAB RacerX: Effective, Static Detection of Race Conditions and Deadlocks by Dawson Engler & Ken Ashcraft (published in SOSP03) Hong,Shin RacerX: Effective, Static Detection of Race Conditions and Deadlocks

/ PSWLAB Contents Introduction Overview Lockset Analysis Deadlock Checking Datarace Checking Conclusion RacerX: Effective, Static Detection of Race Conditions and Deadlocks 2

/ PSWLAB Introduction 1/2 Finding data races and deadlocks is difficult. There have been many approaches to detect these errors. –Dynamic detecting tool (e.g. Erase) These tools can only find errors on executed paths. –Model checking Model checking is not scalable (state explosion problem) –Static tool Many static tools make heavy use of annotations to inject knowledge into the analysis RacerX: Effective, Static Detection of Race Conditions and Deadlocks 3

/ PSWLAB Introduction 2/2 Approach –Do not need annotations except for an indication as to what functions are used to acquire and release locks. –Minimize the impact of false positives(false alarms) –Must scale to large industrial program both in speed and in its ability to report complex errors.  A static tool that uses flow-sensitive, interprocedural analysis to detect both race conditions and deadlock  It aggressively infer checking informations (e.g. which locks protect which operations, which code contexts are multithreaded, which shared accesses are dangerous)  The tool sorts errors from most to least severe RacerX: Effective, Static Detection of Race Conditions and Deadlocks 4

/ PSWLAB Overview 1/3 At a high level, checking a system with RacerX involves five phases: (1) Retargeting a system to system-specific locking function (2) Extracting a control flow graph from the system (3) Analysis (4) Ranking errors (5) Inspection RacerX: Effective, Static Detection of Race Conditions and Deadlocks 5

/ PSWLAB Overview 2/3 (1)Retargeting a system to system-specific locking function –Users supply a table specifying the functions used to acquire/release locks, and disable/enable interrupts. –Users may optionally specify a function is single-threaded, multi- threaded, or interrupt handler (2) Extracting a control flow graph from the system –The tool extracts a CFG from the system and stores it in a file. –The CFG contains all function calls, uses of global variables, uses of parameter pointer variables, and optionally uses of all local variables, concurrency operations. –The CFG includes the symbolic information for these objects, such as their names, types, whether an access is read or write, whether a variable is a parameter or not, whether a function or variable is static or not, the line number, etc RacerX: Effective, Static Detection of Race Conditions and Deadlocks 6

/ PSWLAB Overview 3/3 (3) Analysis –The tool reads the emitted CFG and constructs a linked whole system CFG. And traverse the whole system CFG checking for deadlocks or data races. –The traversal is depth-first, flow-sensitive, and interprocedural and it tracks the set of locks held at any point. –At each program statement, the race checker or deadlock checker are passed the current statement, the current lockset, etc. (4) Ranking errors –Compute ranking information for error messages –Ranking sorts error messages based on two features: the likelihood of being false positive, and the difficulty of inspection (5) Inspection –Present the ranked error messages to users RacerX: Effective, Static Detection of Race Conditions and Deadlocks 7

/ PSWLAB Lockset Analysis 1/5 The tool compute locksets at all program points using a top- down, flow-sensitive, context-sensitive, interprocedural analysis. –Top-down: it starts the root of each call graph and does a DFS traversal down the CFG. –Flow-sensitive: the analysis effects of each path rather than conflate paths at join points. –Context-sensitive: analyzes the lockset at each actual callsite. In the DFS traversal over the CFG, the tool (1) adds and removes locks as needed, and (2) calls the race and deadlock checkers on each statement RacerX: Effective, Static Detection of Race Conditions and Deadlocks 8

/ PSWLAB Lockset Analysis 2/5 Caching –Statement cache: The tool caches the locksets that have reached each statement in CFG. –Summary cache: The tool caches the effect of each function by recording for each lockset l that entered function f, the set of locksets (l 1, …, l n ) that was produced. –Caching works because the analysis is deterministic – two executions that both start from the same statement with the same lockset will always produce the same result. –Since the analysis is flow-sensitive, a function could produce an exponential number of locksets. However, in practice, their effect are more modest RacerX: Effective, Static Detection of Race Conditions and Deadlocks 9

/ PSWLAB Lockset Analysis 3/5 Pseudo-code for interprocedural lockset algorithm (1/2) RacerX: Effective, Static Detection of Race Conditions and Deadlocks 10 void traverse_cfg(set of nodes roots) foreach r in roots traverse_fn(r, {}) ; end set of locksets traverse_fn(fn, ls) foreach edge x in fn->cache if (x->entry_lockset == ls) return x->exit_locksets ; if (fn->on_stack_p) return {} ; fn->on_stack_p = 1 ; x = new edge ; x->entry_lockset = lockset ; x->exit_locksets=traverse_stmts(fn->entry,ls,ls); fn->on_stack_p = 0 ; fn->cache = fn->cache union x ; return x->exit_locksets ; end Check summary cache a Break recursive call Cache update

/ PSWLAB Lockset Analysis 4/5 set of locksets traverse_stmts(s, entry_ls, ls) if ((entry_ls, ls) in s->cache) return {} s->cache = s->cache union (entry_ls, ls) ; if (s is end-of-path) return ls ; if (s is lock acquire operation) ls = add_lock(ls, s) ; if (s is lock release operation) ls = remove_lock(ls, s) ; if (s is not resolved call) worklist = {ls} else worklist = traverse_fn(s->fn, ls) ; summ = {} ; foreach l in worklist foreach k in s->succ summ = summ union traverse_stmts(k,entry_ls, l) ; return sum ; end RacerX: Effective, Static Detection of Race Conditions and Deadlocks 11 Pseudo-code for interprocedural lockset algorithm (2/2) Check statement cache Cache update Lockset update DFS traversal

/ PSWLAB Lockset Analysis 5/5 Limitations –Do not do alias analysis. The tool represent local and parameter pointer variables by their type and name rather than their variable name. (e.g. a parameter foo that is a pointer to a structure of type bar will be named “ local:struct bar ”) –Do only simple function pointer resolution Record all functions ever assigned to a function pointer of a given type. And each call site, assume that all of the function could be invoked RacerX: Effective, Static Detection of Race Conditions and Deadlocks 12

/ PSWLAB Deadlock Checking 1/9 (1) Computing locking cycles (2) Ranking (3) Increasing analysis accuracy (4) Handling lockset mistakes (5) Experience result RacerX: Effective, Static Detection of Race Conditions and Deadlocks 13

/ PSWLAB Deadlock Checking 2/9 Computing locking cycles (1)Constraint extraction At every lock acquisition, emit the lock ordering constraints produced by the current lock acquisition. (e.g. if the current lockset is {l 1, l 2 } and the current ly acquired lock is l 3, then emit l 1  l 3, and l 2  l 3 ) (2) Constraint solving Reads in the emitted locking constraints and computes the transitive closure of all dependencies. It records the shortest path between any cyclic lock depdendencies RacerX: Effective, Static Detection of Race Conditions and Deadlocks 14

/ PSWLAB Deadlock Checking 3/9 Ranking Rank error messages based on three criteria: (1) The number of threads involved. - Errors with fewer threads are preferred to one with many threads. (2) Whether the lock involved are local or global - Global lock errors are preferred over local one. (3) The depth of the call chain - Short call chains are better than longer ones. Use these ranking criteria hierarchically to sort error message: (1) > (2) > (3) RacerX: Effective, Static Detection of Race Conditions and Deadlocks 15

/ PSWLAB Deadlock Checking 4/ RacerX: Effective, Static Detection of Race Conditions and Deadlocks 16 Example: Error message of simple deadlock between two global locks

/ PSWLAB Deadlock Checking 5/9 Increasing analysis accuracy (1/2) There are two significant sources of false lock dependencies: (1) Semaphores used to enforce scheduling dependency - A semaphore may be used to implement scheduling dependencies. - Signal-wait semaphores have two behavior patterns: they are almost never paired, more lock than unlock - Statistical approach: (1) Calculate how often true locks satisfies these two behaviors by counting the number of lock acquisitions, lock releases, and unlock errors. (2) And discard semaphores below some probability threshold RacerX: Effective, Static Detection of Race Conditions and Deadlocks 17

/ PSWLAB Deadlock Checking 6/9 Increasing analysis accuracy (2/2) (2) “Release-on-block” locks Many operating systems such as FreeBSD and Linux use global, coarse- grained locks(e.g. big kernel lock) that have “release-on-block” semantics RacerX: Effective, Static Detection of Race Conditions and Deadlocks 18 lock_kernel() ;down(sem) ; down(sem) ;lock_kernel(); lock_kernel() ; down(sem) ; lock_kernel() ; /* No deadlock */ down(sem) { … while( down(sem) would block ) { unlock_kernel() ; schedule() ; lock_kernel() ; } … }

/ PSWLAB Deadlock Checking 7/9 Handling lockset mistakes The most of deadlock false positives are caused by invalid locksets. And almost all invalid locksets arise from a data-dependent lock release, or correlated branches. e.g. void foo(int x) { if (x) lock(l) ; … if (x) unlock(l) ; } Without path-sensitive analysis, the tool will believe there are four paths through foo.  Use simple and novel propagation techniques to minimize the propagation of invalid locksets RacerX: Effective, Static Detection of Race Conditions and Deadlocks 19

/ PSWLAB Deadlock Checking 8/9 Cutting off lock-error paths - Cut off the lockset on paths that contains a locking error. Downward-only lockset propagation - A significant source of false positives occur when it falsely believe that a lock is held on function exit when it is actually not. - Propagate locksets downward from caller to callee but never upward. - Cause false negatives for wrapper functions. Selecting the right summary - Majority summary selection: Rather than following all locksets a function call with generates, we take the one produced by the largest number of exit point within the function. - Minimum-size summary selection Unlockset analysis - At program statement s, remove any lock l in the current lockset if there exists no successor statement s’ reachable from s that contains an unlock operation of l RacerX: Effective, Static Detection of Race Conditions and Deadlocks 20

/ PSWLAB Deadlock Checking 9/ RacerX: Effective, Static Detection of Race Conditions and Deadlocks 21 Ex. Deadlock: acquired lock is released and then reacquired by the same thread. Experience result scsiLock handleArrayLock

/ PSWLAB Data Race Checking 1/6 Dataracer checker is called by the lockset analysis on each statement. The checker can be run in three modes: (1)Simple checking - only flags global accesses that occur without any lock held. (2) Simple statistical - infer which non-global variables and functions must be protected by some lock. (3) Precise statistical - infer which specified lock protects an access and flag when an access occurs when the lockset does not contain the lock RacerX: Effective, Static Detection of Race Conditions and Deadlocks 22

/ PSWLAB Data Race Checking 2/6 The tool uses a set of heuristics to rank data race errors by a scoring function. Heuristics are to answer following questions: - Is the lockset valid? - Is code multithreaded? - Does x need to be protected? - Does x need to be protected by L? RacerX: Effective, Static Detection of Race Conditions and Deadlocks 23

/ PSWLAB Data Race Checking 3/6 -Is code multithreaded? Two methods of determining a code is multithreaded: (1) Multithreading inference –Any concurrency operation (e.g. lock acquire/release, atomic operations) implies that the programmer believes the surrounding code is multithreaded. –The tool marks a function as multithreaded if concurrency operations occur anywhere within its body, or anywhere above it in a call chain. (2) Programmer written automatic annotator –Users can mark a function as single threaded, a function that should be ignored, multithreaded, interrupt handler RacerX: Effective, Static Detection of Race Conditions and Deadlocks 24

/ PSWLAB Data Race Checking 4/6 -Does x need to be protected? There are three approaches to answer this question: (1)Eliminating accesses unlikely to be dangerous, - Avoid flagging data races on variables that are private to a thread. - Demote errors where data appears to be written only during initialization and only read afterwards. (2) Promoting accesses that have a good chance of being unsafe - Favor errors that write data over errors that read data - Flag unprotected variables that cannot be read or written atomically (e.g. 64-bit variables on 32-bit machine) (3)Inferring which variables programmers believe must not be accessed without a lock. - Count how many times each variable is accessed with a lock held and versus not. - Variables the programmer believes should be protected will have a relatively high number of locked accesses and few unlocked accesses RacerX: Effective, Static Detection of Race Conditions and Deadlocks 25

/ PSWLAB Data Race Checking 5/6 -Does x need to be protected by L? The tool infers whether a given lock protects a variable (or a function) using statistical approaches. For each variable (or function) (1) the number of accesses to a variable(function) (2) the number of times these accesses held a specific lock And then pick a single best lock out of all the candidates and then do an interprocedural checking with this information RacerX: Effective, Static Detection of Race Conditions and Deadlocks 26

/ PSWLAB Data Race Checking 6/6 Experience result RacerX: Effective, Static Detection of Race Conditions and Deadlocks 27 Ex. Datarace error

/ PSWLAB Conclusion RacerX is a static tool that uses flow-sensitive, interprocedural analysis to detect both data races and deadlocks. RacerX found errors in large commercial codes such as FreeBSD, and Linux RacerX: Effective, Static Detection of Race Conditions and Deadlocks 28

/ PSWLAB Further Work Chord, b y Mayur Naik and Alex Aiken, POPL07 Static race detection system for Java. Flow-insensitive, context-sensitive static analysis tool RacerX: Effective, Static Detection of Race Conditions and Deadlocks 29

/ PSWLAB Reference [1] RacerX: Effective, Static Detection of Race Conditions and Deadlocks, Dawson Engler & Ken Ashcraft, SOSP RacerX: Effective, Static Detection of Race Conditions and Deadlocks 30

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.