Post on 18-Dec-2015
transcript
Scaling Model Checking of Dataraces Using Dynamic Information
Ohad Shacham (Tel Aviv University, IBM Haifa Lab)
Mooly Sagiv (Tel Aviv University)
Assaf Schuster (Technion)
Datarace
A datarace happens when two threads access a memory location concurrently and at least one access is a write.
Consequences: unpredictable results; can indicate bugs; hard to detect; hard to reproduce.
Datarace example

    TicketPurchase(NumOfTickets) {
        if (NumOfTickets <= FreeTickets)
            FreeTickets -= NumOfTickets
        else
            Print "Full";
    }
Datarace example: an interleaving of two calls, starting from {FreeTickets = 4}

    Thread I                              Thread II
    TicketPurchase(2)
    if (NumOfTickets <= FreeTickets)
                                          TicketPurchase(4)
                                          if (NumOfTickets <= FreeTickets)
    FreeTickets -= NumOfTickets
                                          FreeTickets -= NumOfTickets

Result: {FreeTickets = -2}
Datarace example (with locking)

    TicketPurchase(NumOfTickets) {
        Lock(lockFreeTickets)
        if (NumOfTickets <= FreeTickets)
            FreeTickets -= NumOfTickets
        else
            Print "Full";
        Unlock(lockFreeTickets)
    }
Datarace detection
Static datarace detection tools: RacerX [Engler and Ashcraft], TVLA [Sagiv et al.]
Dynamic datarace detection tools: Lamport's happens-before partial order (Djit); lock based techniques (Lockset)
Difficulties in model checking dataraces: infinite state space; huge number of interleavings; huge transition systems (the size problem).
Hybrid solution
Dynamically check a locking discipline.
Produce witnesses for dataraces using a model checker that explores suffixes of the trace.
Lockset
Savage et al., SOSP 1997.
Lockset invariant: multiple accesses to a specific memory location are guarded by a unique lock.
Lockset example

    Thread I:  Lock(lockx); X = 7; Unlock(lockx); Lock(locky); Z = Y; Unlock(locky)
    Thread II: Lock(locky); Y = 2; Unlock(locky); Lock(locky); Y = X

    Locks I:  {lockx} while X = 7 runs; {locky} while Z = Y runs
    Locks II: {locky} while Y = 2 runs; {locky} while Y = X runs
    C(X):     {lockx, locky} initially -> {lockx} after X = 7 -> {} after Y = X
Lockset
Advantage: predicts dataraces which may occur in a different thread interleaving.
Disadvantages: spurious dataraces; hard to use; lack of trace.
Lockset strength
The same example as above:

    Thread I:  Lock(lockx); X = 7; Unlock(lockx); Lock(locky); Z = Y; Unlock(locky);
    Thread II: Lock(locky); Y = 2; Unlock(locky); Lock(locky); Y = X;

    Locks I:  {lockx} while X = 7 runs; {locky} while Z = Y runs
    Locks II: {locky} while Y = 2 runs; {locky} while Y = X runs
    C(X):     {lockx, locky} initially -> {lockx} after X = 7 -> {} after Y = X
Our hybrid solution
Combine Lockset and model checking to provide witnesses for dataraces: rare dataraces, and dataraces in large programs.
Model checking provides witnesses for rare dataraces; Lockset scales to large programs.
Lockset provides for each warning only a single access event a2. Find a prior access event a1 which can take part in a race with a2.
Using Lockset data

    Access   Locks held
    X = 7    {lockx}
    Z = Y    {locky}
    Y = 2    {locky}
    Y = X    {locky}

A warning on X.
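The Lockset run above and the a1 lookup of the hybrid solution, as an added Python example (not code from the talk or from the IBM tools): it replays a constructed trace of the slides' two-thread example, intersects C(v) with the locks held at each access, reports the warning on X at Y = X, and then picks the prior access a1 from the other thread. The interleaving of the trace and the criterion for "can take part in a race" (different thread, at least one write, no lock in common) are assumptions made here.

```python
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Event = Tuple[str, str, str]                   # (thread, op, operand); op: lock/unlock/read/write
Access = Tuple[int, str, str, FrozenSet[str]]  # (trace index, thread, op, locks held)

# Constructed trace of the slides' example (one possible interleaving, not the talk's own data):
# Thread I:  Lock(lockx); X = 7; Unlock(lockx); Lock(locky); Z = Y; Unlock(locky)
# Thread II: Lock(locky); Y = 2; Unlock(locky); Lock(locky); Y = X; Unlock(locky)
TRACE: List[Event] = [
    ("I", "lock", "lockx"), ("I", "write", "X"), ("I", "unlock", "lockx"),
    ("II", "lock", "locky"), ("II", "write", "Y"), ("II", "unlock", "locky"),
    ("I", "lock", "locky"), ("I", "read", "Y"), ("I", "write", "Z"), ("I", "unlock", "locky"),
    ("II", "lock", "locky"), ("II", "read", "X"), ("II", "write", "Y"), ("II", "unlock", "locky"),
]
ALL_LOCKS: Set[str] = {"lockx", "locky"}

def run_lockset(trace: List[Event]):
    """Eraser-style Lockset: C(v) starts as all locks and is intersected with the locks the
    accessing thread holds at each access to v; the first access that empties C(v) is a warning
    (the a2 of the slides). Each access is recorded with its locks so a1 can be looked up."""
    held: Dict[str, Set[str]] = {}
    cand: Dict[str, Set[str]] = {}
    history: Dict[str, List[Access]] = {}
    warnings: List[Tuple[str, int]] = []
    for i, (thread, op, operand) in enumerate(trace):
        locks = held.setdefault(thread, set())
        if op == "lock":
            locks.add(operand)
        elif op == "unlock":
            locks.discard(operand)
        else:  # read or write of a shared location
            history.setdefault(operand, []).append((i, thread, op, frozenset(locks)))
            cand[operand] = cand.get(operand, set(ALL_LOCKS)) & locks
            if not cand[operand] and all(w[0] != operand for w in warnings):
                warnings.append((operand, i))
    return cand, history, warnings

def prior_access(history: Dict[str, List[Access]], loc: str, a2_index: int) -> Optional[Access]:
    """Hybrid step: Lockset gives only a2; pick the latest earlier access a1 to the same location
    from another thread that can race with a2 (assumed: at least one write, no common lock)."""
    a2 = next(a for a in history[loc] if a[0] == a2_index)
    for a1 in reversed(history[loc]):
        if a1[0] < a2_index and a1[1] != a2[1] and "write" in (a1[2], a2[2]) and not (a1[3] & a2[3]):
            return a1
    return None

if __name__ == "__main__":
    cand, history, warnings = run_lockset(TRACE)
    print(warnings, [prior_access(history, loc, i) for loc, i in warnings])
```

The pair (a1, a2) is what the model checker of the hybrid solution is given as the race to witness, starting from the suffix of the trace that begins at a1.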
Reduce the model checker cost
Reduction in the model size: elimination of thread t1.
Providing a single new initial configuration.
Heuristically reducing the number of steps that the model checker should carry out.
Example

    Thread I:  Lock(lockx); X = 7; Unlock(lockx); Lock(locky); Z = Y; Unlock(locky);
    Thread II: Lock(locky); Y = 2; Unlock(locky); Lock(locky); Y = X;

    Locks I:  {lockx} while X = 7 runs; {locky} while Z = Y runs
    Locks II: {locky} while Y = 2 runs; {locky} while Y = X runs
    C(X):     {lockx, locky} initially -> {lockx} after X = 7 -> {} after Y = X

    1: X = 7;
    2: Lock(locky); Y = 2; Unlock(locky); Lock(locky); Y = X;
Prototype implementation
A prototype tool based on IBM tools:
Lockset: the IBM Watson tool. Wolf: IBM Haifa's software model checker.
Benchmark programs

    Program      Description                               Lines
    tsp          traveling salesman from ETH                 706
    our_tsp      Enhanced traveling salesman                 708
    mtrt         Multithreaded raytracer from SPECjvm98     3751
    Hedc         Web Crawler Kernel from ETH               29948
    SortArray    Parallel sort                               362
    PrimeFinder  Finds prime numbers in a given interval     129
    Elevsim      Elevator simulator                          150
    DQueries     Shared DB simulator                         166
Experimental results (Time in sec, Memory in MB)

    Program      2 threads          3 threads          4 threads
                 Time     Memory    Time     Memory    Time     Memory
    our_tsp      35069 / 353 / Mem Out / Mem Out  (cell boundaries not recoverable from the source)
    SortArray    569.31231334.93 / 396 / Mem Out  (cell boundaries not recoverable from the source)
    PrimeFinder  888.7    116       2645.5   143       4547.1   168
    ElevSim      33.0     22        867.9    23        3147.9   48
    DQueries     140.1    60        201.8    89        585.97136  (last two cells fused in the source)
    Hedc         2.66117.3312917  (cell boundaries not recoverable from the source)
    tsp          35243 / 377 / Mem Out / Mem Out  (cell boundaries not recoverable from the source)