Dynamic Model Checking with Property Driven Pruning to Detect Race Conditions
Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan*
NEC Laboratories America, Princeton, NJ
* University of Utah, Salt Lake City, UT
Motivation
Concurrent programs are hard to debug: there are too many possible thread interleavings, even for a given input.
Data races are a representative type of concurrency bug, e.g., among the flaws in the Therac-25 radiation therapy machine, and related to the 2003 North America blackout.
What is a data race? Multiple threads can simultaneously access a shared data variable, and at least one of the accesses is a write.
Related Work
Precisely detecting data races (or proving race-freedom) is hard: it amounts to a simultaneous reachability problem.
Previous efforts Static checking (whole-program analysis)
[Flanagan et al 2002], [Engler & Ashcraft 2002], [Pratikakis et al 2006], [Voung et al 2007], [Kahlon et al 2007], …
Bogus warnings – too many of them!
Dynamic checking (on a particular execution trace): Eraser [Savage et al. 1997], Valgrind [Nethercote & Seward 2003], …
May miss real races; bogus warnings may still appear.
Classic model checking algorithms: full coverage, but they require model building, which is non-trivial (for example: pointers, rich data types, …).
Related Work (2)
(Stateless) dynamic model checking, e.g., VeriSoft (Bell Labs), CHESS (MSR), Inspect (U. of Utah)
Do not store the program states, but rely on a depth-first search to systematically explore all feasible thread schedules.
Advantages: runs in the real environment, so no bogus warnings; full coverage for terminating programs, so no missed data races.
Disadvantages: The search is inefficient – too many thread interleavings
Related Work (3)
DPOR: Dynamic Partial Order Reduction [Flanagan & Godefroid, POPL 2005]
Main idea: remove redundant interleavings from each equivalence class of interleavings, provided that the representative has been checked.
Still not good enough! What if an entire equivalence class (of interleavings) is redundant?
We need a property-specific reduction: remove redundant interleavings within each equivalence class, and also remove redundant equivalence classes (w.r.t. the property).
Outline
Introduction and Related Work
Motivating Example
Set of Locksets
Modeling Unobserved Branches
Experiments
Conclusions
Motivating Example
Initial state: x = y = z = 0
Error trace: b1-b7, a1-a4, a5, b8-b9, {a6, b10}
Where is the data race?
Traces explored by DPOR:
a1-a4, a5-a8, a9-a11, b1-b7, b8-b11
a1-a4, a5-a8, b1-b7, a9-a11, b8-b11
a1-a4, a5-a8, b1-b7, b8-b11, a9-a11
a1-a4, …
…
Error: b1-b7, a1-a4, a5, b8-b9, {a6, b10}
How would DPOR find it? … it would take a while.
In this search sub-space, a9-a11 and b1-b11 run concurrently
This sub-space does not have data race!!!
How can we do better than that? … by a lockset analysis of the sub-tree.
Lockset Analysis: is the sub-space race-free?
For each variable access, compute the set of held locks (lockset)
Identifying the locksets is a thread-local computation, so it scales.
This reduction is beyond DPOR, but fits seamlessly with dynamic model checking.
RaceFreeSubSpace: prune away redundant equivalence classes
Problem Statement
Given a trace and a state Si along it, ask whether all alternative traces that share the same prefix (up to Si) are race free.
Set of Locksets
Two segments, Seg_i and Seg_j, run concurrently in the sub-space; lsSet_x(seg) is the set of locksets under which the segment accesses variable x.
For example, lsSet_x(seg_i) = { {f1}, {f2} } and lsSet_x(seg_j) = { {f1, f2} }.
Set of Locksets: it’s conservative!
RaceFreeSubSpace(S, si)
• If it reports a race, it may be a real race
• If it reports race-free, the sub-space is indeed race-free
• When the sub-space is race-free, we prune away all the related equivalence classes (of interleavings)
• Independent from (and potentially more powerful than) POR
The Missing Link (unobserved branches)
In collecting lsSet_x(seg_i), we have to consider all feasible branches of seg_i, which include
• the observed path
• unobserved paths (not yet executed)
(These are paths within a single thread.)
Over-approximating Unobserved Branches
Our solution:
1. Use an a priori static analysis to collect lock information for all branches;
2. Instrument the source program: for both branches of every if-else statement, add calls to the following functions.
The unobserved branch: what do we know?
1. It accesses variable x, with lockset {B} ∪ ({C} \ {}) = {B, C}
2. At the end, the held locks are {B} ∪ ({C} \ {}) = {B, C}
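The set-of-locksets computation and the RaceFreeSubSpace check from the Set of Locksets slides, together with the unobserved-branch over-approximation from the slides above, as an added example in Python. This is not the authors' code or part of the Inspect tool: the thread-local event encoding, the lock and variable names, and the (acquired, released, accessed) tuple standing in for the static branch summary are constructed here, and recording an unobserved branch's accesses as writes is an assumption of this example.

```python
"""Added example (not the authors' Inspect implementation): a small model of
the set-of-locksets analysis and the RaceFreeSubSpace check on the slides.

Thread-local event encoding (constructed for this example):
  ("lock", L) / ("unlock", L)     acquire / release lock L
  ("read", x) / ("write", x)      access shared variable x
  ("branch", observed, summary)   an if-else: `observed` lists the events of
                                  the branch that ran; `summary` =
                                  (acquired, released, accessed) stands for
                                  the a priori static lock-info of the other
"""
from collections import defaultdict
from itertools import product


def unobserved_branch_lockset(held, acquired, released):
    """Lockset credited to accesses in an unobserved branch, using the
    slide's formula held U (acquired \\ released), e.g. {B} U ({C} \\ {})."""
    return frozenset(held) | (frozenset(acquired) - frozenset(released))


def analyze_segment(events, states=None, ls_set=None):
    """Thread-local computation of lsSet_x for one segment.

    `states` is the set of lock sets the thread may hold on entry.  It is a
    set of locksets, not one lockset, because an earlier if-else may have
    left the thread in either branch's exit state; that is what makes
    lsSet_x a *set* of locksets.  Returns (ls_set, exit_states), where
    ls_set[x] is a set of (lockset, kind) pairs and kind is "r" or "w".
    """
    states = {frozenset()} if states is None else set(states)
    ls_set = defaultdict(set) if ls_set is None else ls_set
    for ev in events:
        kind = ev[0]
        if kind == "lock":
            states = {s | {ev[1]} for s in states}
        elif kind == "unlock":
            states = {s - {ev[1]} for s in states}
        elif kind in ("read", "write"):
            for s in states:
                ls_set[ev[1]].add((s, kind[0]))
        elif kind == "branch":
            _, observed, (acquired, released, accessed) = ev
            # Observed path: its events are known exactly.
            _, exit_states = analyze_segment(observed, states, ls_set)
            # Unobserved path: over-approximate from the static summary.
            # Assumption: the summary does not say read vs. write, so its
            # accesses are recorded as writes (the conservative choice).
            for s in states:
                ls = unobserved_branch_lockset(s, acquired, released)
                for x in accessed:
                    ls_set[x].add((ls, "w"))
                exit_states.add(ls)
            states = exit_states
        else:
            raise ValueError(f"unknown event {ev!r}")
    return ls_set, states


def race_free_subspace(ls_set_i, ls_set_j):
    """RaceFreeSubSpace for two concurrently running segments: two accesses
    to the same variable, at least one a write, with disjoint locksets form a
    potential race.  [] means race-free; a non-empty list may be a false alarm."""
    races = []
    for x in sorted(set(ls_set_i) & set(ls_set_j)):
        for (ls1, k1), (ls2, k2) in product(ls_set_i[x], ls_set_j[x]):
            if "w" in (k1, k2) and not (ls1 & ls2):
                races.append((x, ls1, ls2))
    return races


def locksets_of(ls_set, x):
    """Project to the plain set of locksets lsSet_x as written on the slides."""
    return {ls for ls, _ in ls_set[x]}


def example_race_free():
    """Slide example: lsSet_x(seg_i) = {{f1},{f2}}, lsSet_x(seg_j) = {{f1,f2}}.
    seg_i's unobserved branch contributes {} U ({f2} \\ {}) = {f2}."""
    seg_i = [("branch",
              [("lock", "f1"), ("write", "x"), ("unlock", "f1")],  # observed
              ({"f2"}, set(), {"x"}))]                             # summary
    seg_j = [("lock", "f1"), ("lock", "f2"), ("read", "x"), ("write", "x"),
             ("unlock", "f2"), ("unlock", "f1")]
    ls_i, _ = analyze_segment(seg_i)
    ls_j, _ = analyze_segment(seg_j)
    return locksets_of(ls_i, "x"), locksets_of(ls_j, "x"), race_free_subspace(ls_i, ls_j)


def example_racy():
    """seg_k's unobserved branch writes y under f2 while seg_m writes y under
    f1, so the sub-space cannot be pruned; z is only read, so its unlocked
    accesses are not reported."""
    seg_k = [("read", "z"),
             ("branch", [("lock", "f1"), ("write", "y"), ("unlock", "f1")],
              ({"f2"}, set(), {"y"}))]
    seg_m = [("read", "z"), ("lock", "f1"), ("write", "y"), ("unlock", "f1")]
    ls_k, _ = analyze_segment(seg_k)
    ls_m, _ = analyze_segment(seg_m)
    return race_free_subspace(ls_k, ls_m)


if __name__ == "__main__":
    print(example_race_free())
    print(example_racy())
```

The check only answers race-free when every pair of accesses to a shared variable holds a common lock, so the pruning decision stays on the sound side described on the slides: an empty result lets the search skip the whole sub-space, a non-empty one leaves it to the dynamic model checker to explore. The branch case shows why a set of locksets is needed: after an if-else the thread may be in either branch's exit state, and later accesses are recorded under each of them.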
Experiments
Compared the following methods: DPOR (as implemented in Inspect), and DPOR + Property-Driven Pruning.
Benchmark programs: real Linux applications written in C using the POSIX thread library, taken from the public domain (sourceforge.net, freshmeat.org, etc.):
Fdrd2
Pfscan – a file scanner
Aget – an ftp client for concurrently downloading segments of a large file
Bzip2smt – a multithreaded version of bzip2
Conclusions
We present a new pruning method for stateless model checking, based on a trace-based lockset analysis. The reduction (in thread interleavings) is property-specific and therefore goes beyond POR.
Significance: our method scales much better to realistic programs, with no bogus warnings and complete coverage.
Future work: extend the pruning method to handle more general safety properties (deadlocks and assertion violations).