Open access to the Proceedings of the 2018 USENIX Annual Technical Conference is sponsored by USENIX. Spindle: Informed Memory Access Monitoring Haojie Wang, Tsinghua University, Qatar Computing Research Institute; Jidong Zhai, Tsinghua University; Xiongchao Tang, Tsinghua University, Qatar Computing Research Institute; Bowen Yu, Tsinghua University; Xiaosong Ma, Qatar Computing Research Institute; Wenguang Chen, Tsinghua University https://www.usenix.org/conference/atc18/presentation/wang-haojie This paper is included in the Proceedings of the 2018 USENIX Annual Technical Conference (USENIX ATC ’18). July 11–13, 2018 • Boston, MA, USA ISBN 978-1-939133-02-1
Transcript
Open access to the Proceedings of the 2018 USENIX Annual Technical Conference
AbstractMemory monitoring is of critical use in understandingapplications and evaluating systems. Due to the dynamicnature in programs’ memory accesses, common practicetoday leaves large amounts of address examination anddata recording at runtime, at the cost of substantial per-formance overhead (and large storage time/space con-sumption if memory traces are collected).
Recognizing the memory access patterns available atcompile time and redundancy in runtime checks, we pro-pose a novel memory access monitoring and analysisframework, Spindle. Unlike methods delaying all checksto runtime or performing task-specific optimization atcompile time, Spindle performs common static analy-sis to identify predictable memory access patterns intoa compact program structure summary. Custom mem-ory monitoring tools can then be developed on top ofSpindle, leveraging the structural information extractedto dramatically reduce the amount of instrumentationthat incurs heavy runtime memory address examina-tion or recording. We implement Spindle in the popu-lar LLVM compiler, supporting both single-thread andmulti-threaded programs. Our evaluation demonstratedthe effectiveness of two Spindle-based tools, perform-ing memory bug detection and trace collection respec-tively, with a variety of programs. Results show thatthese tools are able to aggressively prune online mem-ory monitoring processing, fulfilling desired tasks withperformance overhead significantly reduced (2.54× onaverage for memory bug detection and over 200× on av-erage for access tracing, over state-of-the-art solutions).
1 IntroductionMemory access behavior is crucial to understand ap-
plications and evaluate systems. They are widely mon-∗Department of Computer Science and Technology, TsinghuaUniversity {wanghaoj15, txc13, yubw15}@mails.tsinghua.edu.cn,{zhaijidong, cwg}@mail.tsinghua.edu.cn†Qatar Computing Research Institute, HBKU {whaojie, txiongchao,xma}@qf.org.qa
itored in system and architecture research, for memorybug or race condition detection [21, 27, 31], informa-tion flow tracking [16, 30], large-scale system optimiza-tion [35, 36, 42], and memory system design [14, 17, 20].
Memory access monitoring and tracing need to obtainand check/record memory addresses visited by a pro-gram and this process is quite expensive. Even givencomplete source-level information, much of the relevantinformation regarding locations to be accessed at runtimeis not available at compile time. For example, it is com-mon that during static analysis, we see a heap object ac-cessed repeately in a loop, but does not have any of theparameters needed to perform our desired examinationor tracing: where the object is allocated, how large it is,or how many iterations there are in a particular executionof the loop. As a result, existing memory checking toolsmostly delay the checking/transcribing of such memoryaddresses to execution time, with associated instructionsinstrumented to perform task-specific processing. Suchruntime processing brings substantial performance over-head (typically bringing 2× or more application slow-down [5, 33] for online memory access checking andmuch higher for memory trace collection [6, 22, 26]).
However, there are important information not wellutilized at compile time. Even with actual locations,sizes, branch taken decisions, or loop iteration counts un-known, we still see patterns in memory accesses. In par-ticular, accesses to large objects are not isolated eventsthat have to be verified or recorded individually at run-time. Instead, they form groups with highly similar (of-ten identical) behaviors and relative displacement in lo-cations visited given plainly in the code. The processingtasks that are delayed to execution time often perform thesame checking or recording on individual members ofsuch large groups of highly homogeneous accesses. Inaddition, the memory access patterns recognizable dur-ing static analysis summarize common structural infor-mation useful to many memory checking/tracing tasks.
Based on these observations, we propose Spindle,
USENIX Association 2018 USENIX Annual Technical Conference 561
a new platform that facilitates hybrid static+dynamicanalysis for efficient memory monitoring. It leveragescommon static analysis to identify from the target pro-gram the source of redundancy in runtime memory ad-dress examination. By summarizing groups of mem-ory accesses with statically identified program struc-tures, such compact intermediate analysis results can bepassed to Spindle-based tools, to further perform task-specific analysis and code instrumentation. The reg-ular/predictable patterns contained in Spindle-distilledstructural information allow diverse types of memory ac-cess checking more efficiently: by computing rather thancollecting memory accesses whenever possible, evenwhen certain examination has to be conducted at runtime,it can be elevated from instruction to object granularity,with the amount of instrumentation dramatically pruned.
We implement Spindle on top of the open-sourceLLVM compiler infrastructure [10]. On top of it, we im-plement two proof-of-concept custom tools, a memorybug detector (S-Detector) and a memory trace collector(S-Tracer), that leverage the common structural informa-tion extracted by Spindle to optimize their specific mem-ory access monitoring tasks.
We evaluated Spindle and the aforementioned customtools with popular benchmarks (NPB, SPEC CPU2006,Graph500, and PARSEC) and open-source applicationscovering areas such as machine learning, key-value store,and text processing. Results show that S-Detector canreduce the amount of instrumentation by 64% on aver-age using Spindle static analysis results, allowing run-time overhead reduction of up to 30.25× (2.54× on av-erage) over the Google AddressSanitizer [33]. S-Tracer,meanwhile, reduces the trace collection time overheadby up to over 500× (228× on average) over the polularPIN tool [22], and cuts the trace storage space overheadby up to over 10000× (248× on average).
Spindle is publicly available at https://github.com/thu-pacman/Spindle.
2 Overview2.1 Spindle Framework
Spindle is designed as a hybrid memory monitoringframework. Its main module performs static analysis toextract program structures relevant to memory accesses.Such structural information allows Spindle to obtain reg-ular or predictable patterns in memory accesses. Differ-ent Spindle-based tools utilize these patterns in differentways, with the common goal of reducing the amount ofinstrumentation that leads to costly runtime check or in-formation collection.
Figure 1 gives the overall structure of Spindle, alongwith sample memory monitoring tools implemented ontop of it. To use Spindle-based tools, end-users onlyhave to compile their application source code with the
Sou
rce
Co
de
Instrumented Code 1
Spin
dle
Control Flow Analysis
Dependence Analysis
Inte
r-P
roce
du
ral
An
alys
is
Build Program Call Graph(PCG)
Intr
a-P
roce
du
ral
An
alys
is
Inter-procedural Analysis Algorithm
Dynamic Trace
Trac
es
Static Trace
Runtime Trace Collecting Lib
ExecuteRu
nti
me
S-Tr
acer Tracer Specific Analyzer
and Instrumentation
S-D
etec
tor
Bug Detector Specific Analyzer
and Instrumentation
Instrumented Code 2
Runtime Bug Detecting Lib
ExecuteRu
nti
me
Bug Report
OtherSpindleBasedTools
Memory Access Skeleton (MAS)
Figure 1: Spindle overview
Spindle-enhanced LLVM modules, whose output thengoes through tool-specific analysis and instrumentation.More specifically, the common static analysis performedby Spindle will generate a highly compact MemoryAccess Skeleton (MAS), describing the structured, pre-dictable memory access components.
Spindle tool developers write their own analyzer,which uses MAS to optimize their code instrumentation,aggressively pruning unnecessary or redundant runtimechecks or monitoring data collection. In general, suchtask-specific tools enable computing groups of memoryaddresses visited before or after program executions, toavoid examining individual memory accesses at runtime.As illustrated in Figure 1, each of such Spindle-basedtools (the memory bug detector S-Detector and memorytrace collector S-Tracer in this case) will generate its owninstrumented application code. As our results will show,for typical applications, the majority of memory accessesare computable given a small amount of runtime infor-mation, leading to dramatic reduction of instrumentationand runtime collection.
End-users then execute their tool-instrumented appli-cations, with again task-specific runtime libraries linked.The instrumented code conducts runtime processing toperform the desired form of memory access monitoring,such as bug or race condition detection, security check,or memory trace collection. The runtime libraries cap-ture dynamic information to fill in parameters (such asthe starting address of an array or the actual iterationcount of a loop) to instantiate the Spindle MAS and com-plete the memory monitoring tasks. In addition, all the“unpredictable” memory access components, identifiedby Spindle at compile time as input-dependent, are mon-itored/recorded in the traditional manner.
Spindle’s static analysis workflow to produce MAS isfurther divided into multiple stages, performing intra-procedural analysis, inter-procedural analysis, as wellas tool specific analysis and instrumentation. During
562 2018 USENIX Annual Technical Conference USENIX Association
the intra-procedural stage, Spindle analyzes the programcontrol flow graph and finds out the dependence amongmemory access instructions. The dependence check-ing is then expanded across functions in inter-proceduralanalysis.
One limitation of the current Spindle framework is thatit requires source level information of target programs.As this work is a proof-of-concept study, also consid-ering the current trend of open-source software adop-tion [9, 41], our evaluation uses applications with sourcecode available. Spindle can potentially work withoutsource code though: it starts with LLVM IR and cantherefore employ open-source tools such as Fcd [7] orMcSema [37] to translate binary codes into IR. In our fu-ture work we are however more interested in direct staticanalysis, performing tasks such as loop and dependencydetection on binaries.
2.2 Sample Input/Output: Memory TraceCollector
1 void BubbleSort(int *A, int N){2 for (int i = 0; i < N; ++i){3 for (int j = i+1; j < N; ++j){4 bool flag = (A[i] > A[j]);5 if (flag) {6 Swap(A, i, j);7 }}}}8
9 void Swap(int *S, int i, int j) {10 int tmp = S[i];11 S[i] = S[j];12 S[j] = tmp;13 }
Figure 3: Memory traces of the bubble sort program
We take S-Tracer, our Spindle-based trace collector, asan example to give a more concrete picture of Spindle’sworking. Suppose the application to be monitored is thebubble sort program listed in Figure 2. S-Tracer’s output,given in Figure 3, is a complete yet compressed memoryaccess trace, consisting of its MAS (coupled with corre-sponding dynamic parameters) and dynamic traces col-lected in the conventional manner.
In the static trace, we list out the structure of the pro-gram, including the control flow, the memory accessespattern and the call graph. There are information itemsthat cannot be determined during static analysis, such as
the base address of array A and its size N, which is alsothe final value of loop induction variables i and j , aswell as the value of flag, which is data-dependent anddetermines the control flow of this program. The “Instru-mented code 1” shown in Figure 1 records these missingvalues at executing time, which compose the dynamictrace shown on the right.
This new trace format, though slightly more com-plex than traditionally traces, is often orders of magni-tude smaller. A straightforward post-processor can eas-ily take S-Tracer traces and restore the traditional fulltraces. More practically, an S-Tracer trace driver per-forming similar decompression can be prepended to typ-ical memory trace consumers, to enable fast replay with-out involving large trace files or slow I/O.
3 Static Analysis3.1 Intra-procedural Analysis
During this first step, Spindle extracts a program’s per-function control structure to identify memory accesseswhose traces can be computed and hence can be (mostly)skipped in dynamic instrumentation.
3.1.1 Extracting Program Control StructureA program’s memory access patterns (or the lack
thereof) are closely associated to its control flows. Itis not surprising that it shares a similar structure withthe program’s control flow graph (CFG). Therefore wecall this graph M-CFG. Unlike traditional control flowgraphs, M-CFG records only instructions containingmemory references (rather than the entire basic block),program control structures (loops and branches), andfunction calls. For loops and branches, we need to recordrelated variables, such as loop boundaries and branchconditions.
Flag
Call Swap
End Loop 1
End Loop 0True
False
Load 1
M-CFG of BubbleSort
Loop 0
Loop 1
Load 2
Figure 4: The M-CFG for the function BubbleSort
With M-CFG, memory access instructions are embed-ded within program basic control structures, as illus-trated in Figure 4 for the aforementioned BubbleSortfunction (Figure 2). Here the M-CFG records a nestedloop containing two memory accesses and a branch witha function call. Subsection 3.1.2 discusses dependenceanalysis regarding memory access instructions and iden-tification of computable memory accesses, while Sec-tion 3.2 discusses as handling of function calls.
3.1.2 Building Memory Dependence TreesIn Spindle, we classify all memory accesses into either
computable or non-computable types. The computable
USENIX Association 2018 USENIX Annual Technical Conference 563
accesses can have traces computed based on the statictrace, with the help of little or no dynamic information;the non-computable ones, on the other hand, need to fallback to traditional instrumentation and runtime tracing.
For such classification, we build a memory depen-dence tree for each memory access instruction. It recordsdata dependence between a specific memory access in-struction and its related variables. The tree is rooted atthe memory address accessed, with non-leaf nodes de-noting operators between variables such as addition ormultiplication and leaf nodes denoting variables in theprogram. Edges hence intuitively denote dependence.
Below we list the types of leaf nodes in memory de-pendence trees:• Constant value: value determined at compile time• Base memory address: start address for continu-
ously allocated memory region (such as an array),with value acquired at compile time for global orstatic variables, and at runtime for dynamically al-located variables.• Function parameter: value determined at either
compile time or runtime (see Section 3.2)• Data-dependent variable: value dependent on data
not predictable at compile time – to be collected atruntime• Function return value: value collected at runtime• Loop induction variable: variable regularly updated
at each loop iteration, value determined at compiletime or runtime
Algorithm 1 Algorithm of building memory dependencetree1: input: A worklist WL[A]. Predefined Leaf types: Type2: output: memory dependence tree: T (A)3: Insert a root note r to T (A)4: while WL[A] 6= φ do5: Remove an item v1 from WL[A]6: if v1 /∈ Type then7: for v2 ∈UD(v1) do8: if v2 ∈ Type then9: Insert a leaf node v2
10: Insert an edge from v1 to v211: else12: Insert an operator node in v2 to T (A)13: Add all variables used in v2 to WL[A]14: else15: Insert a leaf node v1 to v1 to T (A)16: Insert an edge from r to v1 to T (A)17: return T (A)
The memory dependence tree is built by performinga backward data flow analysis at compile time. Specif-ically, for each memory access, we start from the vari-able storing this memory address and traverse its use-define data structure, which describes the relation be-tween the definition and use of each variable, to identifyall the variables and operators affecting it. This traversal
is an iterative process that stops when all the leaf nodesare categorized into one of the types listed above. Wegive the worklist algorithm (Algorithm 1) that performssuch backward data flow analysis with, where we repeat-edly variables storing memory addresses into the work-list WL(A) and iteratively find all the related variablesthrough the use-define structure UD(v), till the worklistbecomes empty.
Figure 5: Sample memory dependence treeFigure 5 shows a group of instructions (generated from
the source code in Figure 2) and the memory dependencetree corresponding to the variable %array.1 in the lastline. Here getelementptr is an instruction that cal-culates the address of an aggregate data structure (wherean addition operation is implied) and does not accessmemory. We omit certain arguments for this instructionfor simplicity. sext performs type casting. As to theleaf nodes, %A is an array base address, 4 is a constantvalue, and %i.0 is a loop induction variable.
Such a dependence tree allows us to approach the cen-tral task of Spindle: computable memory access iden-tification. This is done by analyzing the types of theleaf nodes in the memory dependence tree. Intuitively,a memory access is computable if the leaf nodes of itsdependence tree are either constants (trivial) or loop in-duction variables (computable by replicating computa-tion performed in the original program using initial plusfinal values, collected at compile time or runtime). TheM-CFG and the memory access dependence trees, pre-serving control flows, data dependencies, and operationsto facilitate such replication, can be viewed as a formof program pruning that only retains computation rele-vant to memory address calculation. By replacing eachmemory instruction of the M-CFG with its dependencetree, we obtain a single graph representing main mem-ory access patterns for a single function. Note that suchdependence analysis naturally handles aliases.
3.2 Inter-procedural AnalysisAt the end of the intra-procedural analysis, we have
a memory dependence tree for every memory accesswithin each function. Below we describe how Spindleanalyzes memory address dependence across functions.
The core idea here is to propagate function argumentsplus their dependence from the caller to the callee, andreplace all the function parameters of the dependencetrees in the callee with actual parameters. For this, we
564 2018 USENIX Annual Technical Conference USENIX Association
first build a program call graph (PCG), on which wesubsequently perform top-down inter-procedural analy-sis. Algorithm 2 gives the detailed process.
Algorithm 2 The algorithm of inter-procedural analysis1: input: The dependence trees for each procedure p2: input: The program call graph (PCG)3: Change← True4: /* Top-Down inter-procedural analysis */5: while (Change == True) do6: Change← False7: for all procedure p in Pre-Order over PCG do8: for all dependence trees d in p do9: if A leaf node l of d is a function’s parameter then
10: Replace l with its actual parameter11: Change← True
%array.1
%i.0
+
*
sext
%S
4
%array.1
%L0
+
*
sext
%S
4%A
%i.0
Figure 6: Transformation of dependence tree
Figure 6 illustrates the transformation a dependencetree in function Swap (Figure 2) undergoes during inter-procedural analysis. After intra-procedural analysis, thedependence tree for the load instruction Load3 of func-tion Swap has two leaf nodes that are function parame-ters, which cannot be analyzed then as the variables %Sand %i.0 are undetermined. Within inter-proceduralanalysis, these two nodes are replaced with their ac-tual parameters, a base address %A and a loop induc-tion variable %i.0 Now the dependence tree rooted at%array.1 is computable.
For function calls forming a loop in PCG, such as re-cursive calls, currently we do not perform parameter re-placement for any function in this loop during our inter-procedural analysis, as when these functions terminate istypically data-dependent.
3.3 Special Cases and ComplicationsIndex arrays If a memory dependence tree has data-dependent variables as its leaf nodes, normally we con-sider it non-computable. However, we still have chanceto extract regular patterns. Index array is an importantcase of such data-dependent variables, storing “links” toother data structures, as explained below.
1 for (j=0; j<i; j++){2 for (k=0; k<m; k++)3 sum += delta * z[colidx[k]]4 //colidx is index array to z5 r[k] = d6 }
Figure 7: NPB CG code with index array colidx
Figure 7 gives a simplified version of a code snippetfrom NPB CG [2], where the array z is repeatedly ac-cessed via the index array colidx, which cannot be de-termined at compile time. However, we find that in manyprograms (including here) the index array itself is notmodified across multiple iterations of accesses. There-fore, there is still significant room for finding repeatedaccess patterns and removing redundancy.
To this end, Spindle performs the following extra eval-uation during its static analysis. First, it compares thesize of index array and its total access count. If the latteris larger, we only need to record the content of the in-dex array and compute the memory accesses accordinglyrather than instrumenting them at runtime. Such evalua-tion needs to be repeated if the content of this index arrayis changed, of course. This is the case with the examplegiven in Figure 7, where the total memory access countfor the index array colidx is i*m and greater than thesize of colidx. Thus at runtime we only need to recordits content at the beginning of this nested loop and thebase address of array z. Combining such informationand memory dependence tree, we can compute all thememory access locations.Multi-threaded programs The discussion so far hasbeen focused on analyzing single-thread programs.However, Spindle’s methodology can also be easily ap-plied to multi-threaded applications. Spindle is thread-safe and we perform the same static analysis as forsingle-thread programs, except that we also mark thepoint where a new thread is created and record relevantparameter values. With parallel executions, during dy-namic memory monitoring (discussed in the next sec-tion), the current thread ID would be easily fetched alongwith information such as loop iteration count and branchtaken, which allows us to distinguish runtime informa-tion collected by different threads. Note that certain tech-niques need to be augmented to handle multi-threadedexecutions. E.g., the array index technique (Section 3.3)needs to be protected by additional check, as an arraycould be modified by another thread.
Again, with addresses or values that cannot be de-termined at compile time, such as shared objects orbranches affected by other threads, we fall back to run-time instrumentation. So typical SPMD codes will sharethe same static MAS, to be supplemented by per-threador even per-process runtime information, making Spin-dle even more appealing in efficiency and scalability. Ifsignificant amount of output is generated, such as withmemory trace collection, Spindle allows users to havethe option to look at a single-thread’s memory accessesor correlating accesses from all threads (though trace in-terleaving is a separate topic that requires further study.)
For example, with pthread, Spindle instrumentspthread create to record where a new thread is cre-
USENIX Association 2018 USENIX Annual Technical Conference 565
ated. During multi-threaded execution, the appropriatethread ID is recorded for each function. Thus we knowwhich thread the dynamic information collected by Spin-dle belongs to, therefore can apply per-thread static anal-ysis, similar to that in single-thread executions.
4 Spindle-based Runtime MonitoringThis section illustrates how Spindle’s static analysis
results can be used to reduce runtime instrumentation.We first describe common runtime information to be ob-tained through instrumentation, then present two samplesof Spindle-based tool design, for memory bug detectionand memory trace collection, respectively.
4.1 Runtime information collectionDuring program runs, Spindle’s static memory access
skeleton is supplemented by information not available atcompile time. Generally, three cases require instrumen-tation: control structures, input-dependent variables, andnon-computable memory accesses:Control structures Spindle needs to record the initialvalues of all the loop induction variables and the loopiteration count if they are unknown at compilation time.Moreover, for a loop with multiple exit points, we need toinstrument each exit point to track where the loop exits.Similarly, for conditional branches in MAS, we need torecord their taken statuses to track taken paths.Input dependent variables For input dependent vari-ables, runtime information is necessary but certain staticanalysis can indeed reduce runtime overhead. For in-stance, the address of a dynamically allocated memoryregion can be obtained at runtime by collecting actualvalues. An optimization in Spindle is that we do not in-strument every instruction that references input depen-dent variables, but only where they are defined, initial-ized, or updated. E.g., for a global variable needed bythe analysis, it leverages static analysis to only record itsinitial value at the beginning of the program, and thenagain upon its updates.Non-computable memory accesses For non-computable memory accesses (as mentioned inSubsection 3.1.2), we fall back to conventional dy-namic monitoring/instrumentation.
%array.1
%L0: 0,N,1
+
*
sext
%S
4%A
%i.0
void *BubbleSort(int *A, int N) {
for (int i = 0; i < N; ++i) {for (int j = i+1; j < N; ++j) {
bool flag = (A[i] > A[j]);
if (flag) {Swap(A, i, j);
}}}}
recordAddr(A, variable_id);
recordLoop(N, loop_id);
recordPath(flag, path_id);
Dependence tree for %array.1 Instrumented Bubblesort code segment
Figure 8: Sample runtime information collection
Figure 8 shows an example of runtime information
collection for the BubbleSort routine discussed ear-lier in Section 2.2. The left side gives the dependencetree of the variable %array.1 in function Swap, whereundetermined address %A and loop L0’s induction vari-able %N need to be collected at runtime. Note that L0’sinitial index value (0) and increment (1) can be deter-mined at compile time. The right side lists the instru-mented BubbleSort code. Here Spindle automati-cally instruments three memory accesses by inserting thehighlighted statements (for A, N, and the branch relatedflag, which falls out of the dependence tree shown).variable id, loop id, and path id are also auto-matically generated by Spindle for its runtime library tofind the appropriate static structures.
4.2 Spindle-based tool developingSpindle’s performs automatic code instrumentation for
runtime information collection, based on its static analy-sis. To build a memory monitoring tool on top of Spin-dle, users only need to supply additional codes using itsAPI to perform custom analysis, as to be illustrated be-low. Our two sample tools, S-Detector and S-Tracer,each takes under 500 lines of code to implement bothcompile-time analysis and runtime library.
4.2.1 Memory Bug Detector (S-Detector)Memory bugs, such as buffer overflow, use after free,
and use before initialization, may cause severe run-time errors or failures, especially with programming lan-guages like C and C++. There have been a series oftools, software- or hardware-based, developed to de-tect memory bugs at compile-time or runtime. Amongthem, Memchecker [39] uses hardware support for mem-ory access monitoring and debugging and is thereforefast (only 2.7% performance overhead for SPECCPU2000). Such special-purpose hardware is neverthelessnot yet adopted by general processors. ARCHER [43]relies on static analysis only, so is faced with the difficulttrade-off between accuracy (false positives) and sound-ness (false negatives), like other static tools. A recent,state-of-the-art tool is AddressSanitizer (ASan) [33], anindustrial-strength memory bug detection tool developedby Google and now built into the LLVM compiler. ASaninserts memory checking instructions (such as out-of-bound array accesses) into programs at compile time,then uses shadow memory [25] for fast runtime check-ing. Despite well implemented and highly tuned, ASanstill introduces 2–3× slowdown to SPEC programs.
In this work, we present S-Detector, a memory bug de-tector that leverages Spindle-gathered static informationto eliminate unnecessary instrumentation to facilitate ef-ficient online memory checking. Our proof-of-conceptimplementation of S-Detector can currently detect in-valid accesses (e.g., out-of-bound array access and use
566 2018 USENIX Annual Technical Conference USENIX Association
after free) and memory leaks (dynamically allocated ob-jects remaining unfreed upon program termination).
With Spindle’s MAS, S-Detector is aware of a pro-gram’s groups of memory accesses and therefore able toperform checking at a coarser granule. E.g., with dy-namically allocated arrays, even when neither the start-ing address (base) or size (bound) is known at compiletime, its accesses are given as relative to these two val-ues and can therefore be checked for out-of-bound bugsat compile time. With existing tools like ASan, however,such checks are delayed till runtime and repeated at ev-ery memory acesses.
Therefore, S-Detector performs aggressive memorycheck pruning by proactively conducting compile-timeaccess analysis and replacing instruction-level checksby object-level ones. Only for accesses labeled ”non-computable” by Spindle, S-Detector falls back to tradi-tional instrumentation. Below, we illustrate S-Detector’smemory check pruning with two sample scenarios, bothcontained in the same code snippet from SPEC CPU2006mcf (Figure 9).
1 while (pos - 1 && red_cost >2 (cost_t)new[pos/2-1].flow){3 new[pos-1].tail = new[pos/2-1].tail;4 new[pos-1].head = new[pos/2-1].head;5 // Three more accesses to struct members6 // of new[pos-1] and new[pos/2-1].7 pos = pos/2;8 new[pos-1].tail = tail;9 // Four more accesses to struct members
10 // of new[pos-1].11 }
Figure 9: Sample code from SPEC CPU 2006 mcf
In-structure accesses This sample code referencesan array of structures (new), issuing multiple ac-cesses to members of its elements. In this case,assisted with Spindle-extracted MAS, all access tar-gets can be represented as addr = struct base+ constant offset. Once S-Detector finds thatthe constant offset is valid for this struct, i.e.,offset<struct size, it only needs to determineif this structure element itself is valid at runtime, i.e.,the memory range [struct base, struct base+ struct size) is a valid range. This groupsthe per-member access checks to per-element checks(validating structure elements like new[pos-1] andnew[pox/2-1]) and significantly reduces the amountof instrumentation.In-loop accesses Given the while loop in the samesample code, Spindle records the following informationfor its loop induction variable pos: its initial and finalvalues (denoted here as pos init and pos final),as well as the operation used to update it across iterations(divided by 2 at Line 7). Based on the MAS, S-Detectorcan easily infer the offset range of array new’s access to
be within [pos end/2-1, pos init-1]. In addition,it records array new’s size in bytes (new size) and thesize of new’s elements (struct size). Aside fromquick checks to ensure that the object has been allocatedand not freed yet, S-Detector verifies that(pos init−1)∗struct size< new size (1)
andpos end/2−1≥ 0 (2)
Actually inequality (2) is guaranteed by the loop’s exitcondition, so S-Detector only needs to check (1). Evenwhen none of these four parameter values is available atcompile time, S-Detector only needs to perform a one-time, object-level check at runtime, for array object ac-cesses within this while loop.
Combining the structure- and loop-level pruningdescribed above, S-Detector can eliminate all per-instruction memory checks on accesses of the new ob-ject in the sample code, performing at most one singlerun-time check instead.
verse analysis and faithful benchmarking or simulationtests. However, their colletion is expensive, both in timeand space. Existing tools like PIN [22], Valgrind [26],and DynamoRIO [6] produce memory trace output ofdaunting sizes, due to the high frequency of memory ac-cesses in typical program executions. It is common forseveral seconds’ execution to generate hundreds of GBs,sometimes even over one TB, of memory traces usingany of the existing tools. Large memory trace size notonly introduces large overhead for underlying trace stor-age and various trace-based analysis tools, but also af-fects the performance of the original programs. For ex-ample, PIN introduces an average slowdown of 38× forSPEC INT programs to perform memory analysis [38].In addition, large traces bring back the I/O bottleneckduring replay time, slowing down trace-driven simula-tions. Such limitations make it less and less practical forexisting memory tracing tools to measure significant por-tions of modern data-intensive applications.
We present S-Tracer, a memory trace collection toolbased on Spindle. With the static information that pro-vided by Spindle, S-Tracer can generate highly com-pressed memory access traces with much lower runtimeoverhead than traditional tracing tools using dynamic in-strumentation. At runtime, S-Tracer couples the Spindle-extracted MAS with dynamically collected informationmentioned earlier in this section. The result would be apair of static and dynamic traces, as illustrated in Fig-ure 2 and Figure 3.
Our discussion below focuses on specific challengesdue to the limitation of using LLVM IR, where wepropose several techniques to generate approximate butfairly accurate traces.
USENIX Association 2018 USENIX Annual Technical Conference 567
Register spilling Since Spindle performs its static anal-ysis in the LLVM IR level, where local scalar variablesare usually represented as register variables, it is diffi-cult for our approach to capture the stack memory ac-cesses caused by register spilling in the final binary code.Considering the small footprint of register variables evenwith spilling, we implement typical register allocatorsused in the compiler backend for Spindle at the IR level,to calculate register spilling. Based on our experiments,our approach is able to achieve the similar statistical be-havior of stack accesses as by traditional tracing tools.Implicit memory accesses with function calls Func-tion calls can also generate stack memory operations, notexplicitly described in IR and hence not captured by ourintra- and inter-procedural analysis. There are two cat-egories of such accesses. For the caller, it has to writeinto stack the return address, the contents of registers tobe used, and function parameters (with x86 64, the first 6parameters are put in registers while the others in stack).For the callee, upon returning it has to read from stack thereturn address of the caller, the content of register EBP(for 32-bit systems) or RBP (for 64-bit systems), and thecontent of saved registers. To handle this, we again writea simple simulator to generate these memory accesses.Dynamically linked libraries Since Spindle performssource code analysis, for calls to functions in dynami-cally linked libraries, we cannot capture their memoryaccesses in the IR level and have to fall back again to tra-ditional dynamic instrumentation. As an optimization,we adopt a hybrid approach, by using dynamic instru-mentation to collect the relative memory traces withinsuch functions, along with their base stack addresseswithin the dynamic library. When a program calls sucha function, we can then calculate new memory accessesbased on the new base stack address.
5 EvaluationIn this section, we demonstrate the effectiveness of
Spindle with the aforementioned two sample tools builton top of its static analysis framework: S-Detector foronline memory bug detection and S-Tracer for full mem-ory access trace collection.
We compare S-Detector with the state-of-the-art mem-ory bug detector, ASan [33] by Google. In our exper-iments, S-Detector and ASan do the same checks: useafter free, heap buffer overflow, stack buffer overflow,global buffer overflow, and memory leaks. Note thatASan does support additional checks (use after return,use after scope, and initialization order bugs), whichneed to be explicitly enabled by certain compiler options.Our tests used the default compiler options and we per-formed extra verification to confirm that these additionalchecks were disabled in all of our ASan experiments.
For S-Tracer, we show that it produces orders of mag-
nitude smaller trace output, and thus lower overhead, byomitting redundant information. To validate its correct-ness, we also compare its decompressed trace with tracegenerated by PIN, a widely used dynamic tool.
5.1 Experiment SetupTest platform We evaluate Spindle on a server with In-tel Xeon E7-8890 v3 processors (running CentOS 7.1),128GB of DDR3 memory, and 1TB SATA-2 hard disk.For memory bug detection, the tests use mandatory op-tions to enable ASan and DrMem. For memory tracecollection, we record each memory access in a 16-byteentry, 8 bytes for memory address and another 8 bytesfor access type (read/write) and access size.Test programs Currently, Spindle fully supports Cand partially supports C++ and Fortran. For memorybug detection, we follow the practice of previouslypublished tools and use 11 C programs from SPEC CPU2006 [1]: 400.perlbench, 401.bzip2, 403.gcc,429.mcf, 433.milc, 445.gobmk, 456.hmmer,458.sjeng, 464.h264ref, 470.lbm, and482.sphinx3. The program 998.specrand isomitted as it has too few memory accesses. Using thesecommon test programs, we not only can compare thetools’ runtime overhead, but also their effectiveness ofcapturing known bugs.
For memory trace collection, we use the popular NPBparallel benchmark suite [2] as codes with mostly regularmemory accesses, plus SPEC 429.mcf as a memory-intensive, non-numerical program. We also sample frommodern data-intensive and irregular datacenter applica-tions: (1) the Breadth First Search (BFS) component ofthe Graph500 Benchmark [11], a representative graphapplication with input-dependent memory accesses, (2)a convolutional neural network for digit recognition(MNIST) [29], (3) kissdb, a key-value store [18],and (4) Fido, a lightweight, modular machine learn-ing library [8]. Finally, for multi-threaded applications,we test 3 programs from the PARSEC suite [4] cover-ing different application domains: streamcluster(stream processing), freqmine (data mining), andblackscholes (PDE solving), plus one MapRe-duce [23]-style program performing word count, de-noted as SC, FM, BS and WC respectively.
5.2 Spindle Compilation OverheadBefore we get to the tool use cases, we first assess
the extra overhead brought by Spindle’s static analysis.Table 1 summarizes this compilation overhead for eval-uated programs, as well as their original compilationtime and code size. In general, the Spindle compilationoverhead only composes a small fraction of the originalLLVM compilation cost (2% to 35%, average at 10%).We consider such one-time static analysis overhead neg-
568 2018 USENIX Annual Technical Conference USENIX Association
ligible, considering the significant savings in the muchlarger runtime checking/tracing cost.
5.3 S-Detector for Memory bug detectionS-Detector runtime overhead We compare S-Detectorwith two popular memory bug detection tools: Google’sAddressSanitizer (ASan) [33] and DynamoRIO [6]-based Dr. Memory (DrMem) [5]. To examine the bene-fits of instrumentation pruning based on Spindle’s staticanalysis, we test two versions of S-Detector: SD-All, abaseline version that instruments all memory accesses,and SD-Opt, after check pruning.
On bug detection results, S-Detector captures most ofthe common SPEC bugs reported by DrMem and ASan,plus additional memory leaks (dynamically allocated ob-jects not freed by program termination) that are verifiedby our manual code examination.
Figure 10 shows the runtime overhead of ASan, SD-All and SD-Opt, in percentage of the original programexecution time. As DrMem is much heavier than oth-ers (for most programs over 10× slowdown), we omit itsresults from the figure for clarity. ASan is an industrial-strength tool, whose streamlined implementation deliv-ers lower overhead than SD-All (geometric mean of over-head at 66% by the former vs. 184% by the latter),both with similar amount of instrumentation. SD-Opt,however, overcomes its slower checking implementationand brings down runtime overhead to geometric meanof 26%. Except for two out of 11 cases (bzip2 andh264ref), SD-Opt reduces overhead from ASan, by upto 30.25× (sphinx3). We give more detailed discus-sion of these special cases later.Spindle-enabled instrumentation pruning To take acloser look, we examine the amount of checks avoidedby Spindle’s static analysis. Figure 11 gives the percent-age of eliminated memory checks, from SD-All to SD-Opt. On average, Spindle enables S-Detector to cut run-time memory checks by 64%, lowering its performanceoverhead consequently. The check and overhead reduc-tion level depends on several factors, such as the amountof irregular/unpredictable memory accesses (Amdahl’sLaw), the overall intensiveness of memory accesses, and
400.perlbench
401.bzip2
403.gcc
429.mcf
433.milc
445.gobmk
456.hmmer
458.sjeng
464.h264ref
470.lbm
482.sphinx3
GEOMEAN0%
50%
100%
150%
200%
250%
300%
Perf
orm
ance
Overh
ead SD-All ASan SD-Opt
Figure 10: Overhead comparison (bars over 300% truncated)
control flow behavior. Below we give more detailed re-sults and analysis via several case studies.
400.perlbench
401.bzip2
403.gcc
429.mcf
433.milc
445.gobmk
456.hmmer
458.sjeng
464.h264ref
470.lbm
482.sphinx3
AVERAGE0%
20%
40%
60%
80%
100%
Avoid
ed C
heck
s
Figure 11: Reduction in runtime memory checks
lbm, hmmer, milc: These are the best cases amongtested. Function-level profiling shows that the vast ma-jority of their execution time and most of their memoryaccesses are spent within loops, where Spindle analy-sis allows S-Detector to apply the loop-level check pre-sented in Section 4.2.1, replacing the per-access checksperformed by ASan and DrMem. As a result, these threeprograms have 99%, 97%, and 91% of memory checksremoved by S-Detector, respectively. Such instrumenta-tion pruning then lowers S-Detector’s runtime overhead,e.g., to 5% for hmmer, vs. ASan’s 107%.gcc: this compiler program is inherently input-dependent and as a result, has the lowest reduction by S-Detector in memory checks (19%). Interestingly, thoughits execution does spend most time within Spindle-identified loop structures, most of its loops are foundto run only a few iterations, limiting the benefit of S-Detector’s loop-level static checks. However, in this caseeven SD-All is faster than ASan. Follow-up measure-ments reveal that S-Detector’s shadow memory imple-mentation, though less efficient in general, offers betterspatial locality than ASan’s. With gcc accessed mem-ory areas being particularly spread out, ASan’s runtimecheck harms its locality, bringing the LLC miss rate fromthe original 1.3% to 5.9%, while S-Detector retains theoriginal caching performance.bzip2: this compression/decompression program isalso input-dependent. Profiling reveals a performancehot-spot in sorting, with many branches whose taken sta-tus relies on input data. Even with 32% of runtime mem-ory checks pruned, the less efficient instrumentation of
USENIX Association 2018 USENIX Annual Technical Conference 569
S-Detector brought overall higher overhead than ASan,158% vs. 62%.
Despite such worst cases, the overall strong perfor-mance of S-Detector indicates that its Spindle-basedstatic analysis, if adopted by highly-tuned, mature toolslike ASan, may lead to even lower runtime overhead.
5.4 S-Tracer for Memory Trace CollectionResult Trace Verification Next, we evaluate S-Tracer,comparing it with the widely used PIN tool [22] formemory tracing. We first validate the correctness of itsmemory trace generation. Note that Spindle is based oncompile-time instrumentation while traditional tools likePIN use runtime instrumentation. The two systems runapplication programs within different frameworks, eachwith different components (such as dynamic libraries),which may in turn alter the absolute locations of mem-ory objects. Therefore, one would not expect them togenerate identical trace sequences.
Recognizing such limitations, we first check the out-put trace size. We compare the size of PIN’s trace withfull traces recovered from Spindle’s output, in the sameformat. The Spindle recovered trace has the similar vol-ume to PIN’s, with relative difference between 0.5% and6% (median at 3.2%). Additional examination revealsthat such discrepancies stem from the aforementionedinaccuracy caused by Spindle’s approximation of stackaccesses and register spilling. Though amounting for upto a few percent of the overall trace entries, affected ac-cesses are typically localized to a very small footprintand hardly impact the overall memory access behavior.
We then validate the Spindle-generated heap mem-ory access sequence. We examine trace fidelity by per-forming more detailed trace alignment and checking dif-ference in heap access sequences. For each access onheap, we break it into a pair: (object, offset), sincefor each execution the dynamically allocated object’sbase is different but the offset remains constant. Weuse Linux diff tool to compare S-Detector’s heaptrace and PIN’s and find that overall, S-Tracer generatesheap traces close to PIN’s (relative difference ratio be-tween 0.0% and 4.7%, median at 1.5%).
In the worst case, S-Tracer could generate an over-all 5.9% difference in total trace size and 4.7% differ-ence ratio on heap accesses, mostly attributed to stackaccesses (more influenced by register allocation) and reg-ister spilling. Below we test this worst case, BFS, usinga cache simulator, to (1) demonstrate a use case of ourfast and large-capacity memory tracing and (2) provide avalidation for trace fidelity. The test uses a simple trace-driven tool that simulates an 8-way set-associative cachewith 64-byte cache line, and two replacement algorithms(LRU and FIFO). We validate simulation results usingS-Tracer traces against that using PIN’s, at varied cache
sizes (including typical L2 and LLC sizes). Figure 12shows that S-Tracer output achieves almost identical out-come as the PIN trace in miss ratio, across different com-binations of cache size and replacement strategies.
0
5
10
15
20
25
F32KF256K
F1MF4M
L32KL256K
L1ML4M
Mis
s R
ate
(%) PIN
S-Tracer
Figure 12: The cache miss rate of BFS in a trace-drivensimulator. F means FIFO algorithm, L means LRU algo-rithm. The size means the cache size we simulate.
Trace Size Reduction Next we assess S-Tracer’s gainin tracing time/space efficiency. Figure 13 shows a com-parison of the trace size generated by S-Tracer and PIN,in log scale, for 13 single-thread and 4 multi-threadedprograms. Truncated bars are from programs whose PINtraces exceed our 1TB storage capacity (BT, EP, LU, SPof Class A). For S-Tracer, the trace size includes both thestatic and dynamic components.
0.01
0.1
1
10
100
1000
BT CG EP FT IS LU MG SP BFSMCF
MNIST
kissdb
FidoFM SC BS W
C
Tra
ce
Siz
e (
GB
)
single-thread multi-threaded
PIN S-Tracer
Figure 13: Trace size comparison
As expected, S-Tracer achieves orders of magnitudereduction in trace size from the PIN baseline. For pro-grams dominated by regular memory accesses, like mostof the programs in NPB benchmark, MNIST, kissdb,streamcluster, and wordcount, it reduces tracesize by more than 100×. For the four NPB benchmarkswhere PIN exceeds the 1TB storage space, S-Tracer gen-erates traces sized at 85MB-1.71GB. Even for the lessregular programs, such as BFS and freqmine, Spin-dle brings considerable trace size reduction. In the worstcase (IS, integer sorting), a 6.93× reduction is achieved.
We also evaluated compressing PIN’s trace with anaive alternative, gzip, which ended up producing or-ders of magnitude larger traces than S-Tracer does. Be-sides, generating then compressing traces is much moreexpensive than Spindle-based approach, online or offline.Runtime Tracing Overhead Reduction To evaluate theruntime overhead of trace collection, Figure 14 shows theslowdown factor (left axis, in log scale), calculated bydividing the execution time with tracing by the originaltime, for S-Tracer and PIN.
As expected, the online overhead difference is dra-matic. In the 13 programs that PIN can complete trac-ing (full trace size under 1TB disk space), the averageslowdown is 502× (and up to over 2000×), while S-
570 2018 USENIX Annual Technical Conference USENIX Association
1
10
100
1000
BT CG EP FT IS LU MG SP BFSMCF
MNIST
kissdb
FidoFM SC BS W
C 1
10
100
Slo
wd
ow
n F
acto
r
Sp
ee
du
p t
o P
IN
single-thread multi-threaded
PIN S-Tracer SpeedUp
Figure 14: Application slowdown by S-Tracer and PINwith I/O (left) and S-Tracer speedup over PIN (right)
Tracer brings that of 6.5× on average (and up to 35.2×),making full trace collection/storage much more afford-able. Across the applications, S-Tracer reduces slow-down from PIN by a factor of 61× on average.
Though we do not have space to show the no-I/O re-sults, the savings there are still significant. For the 17test programs, PIN introduces an average slowdown of70.1× (and up to 384×), while S-Tracer brings that of4.5× on average (and up to 33×). Across the applica-tions, S-Tracer reduces slowdown from PIN by a factorof 17.9× on average. The reason is that Spindle allows S-Tracer to perform far less dynamic instrumentation, andan application’s relative time overhead is highly corre-lated to its dynamic trace generation rate.
6 Related WorkUsing Static Analysis to Assist Runtime CheckingThis group of work is closest to Spindle in approach. Inparticular, GreenArray [24] is an LLVM-based tool thatanalyzes the value range of index variables as well as theboundary of memory regions at compile time, to elimi-nate unnecessary runtime memory check. Spindle is dif-ferent in that (1) its static analysis performs much morethan inferring variables’ value range, allowing completecomputation of their value by iteration and full trace col-lection, and (2) the static skeleton it produces enablesmore types of and much more aggressive pruning in run-time checking, judging by reported GreenArray perfor-mance relative to AddressSanitizer.
Abstract Execution (AE) [19] produces a target-event-specific program slice, to be coupled by a “schema com-piler” with runtime collected information and executedagain for analysis or trace collection. Spindle, instead,records static trace at compile time, which is directly uti-lized during the target programs (production) execution.
On utilizing static information to assist trace col-lection, Cypress [44] uses hybrid static-dynamic anal-ysis for parallel programs’ communication trace com-pression. There are also techniques that performstatic binary rewriting/instrumentation [32] or regular-expression-based memory access pattern constructionfor memory layout transformation [15]. However, noneof these approaches is able to gather enough static struc-trual information to enable versatile runtime monitor-
ing/tracing as Spindle does.Also, logical connectives proposed for relational anal-
yses between input and output memory states [13] maybe used by Spindle to further reduce instrumentation.Monitoring/Tracing overhead reduction Prior workhas explored reducing monitoring or tracing overhead inother ways. MemTrace [28] performs lightweight mem-ory tracing of unmodified binary applications by trans-lating 32-bit codes to 64-bit codes, which is fast but lim-its its application to running 32-bit programs on 64-bitmachines. Among sampling-based methods, Vetter [40]evaluates techniques for analyzing communication activ-ity in large-scale distributed applications. RACEZ [34]uses hardware performance monitoring units to sam-ple memory accesses at runtime, and then uses the col-lected memory access trace for offline data-race detec-tion. However, such low-overhead methods lose impor-tant information, such as temporal order of operations, ormiss detection targets.
Finally, Bao et al. [3, 12] adopt a DIMM-snoopinghardware mechanism to collect virtual memory referencetraces. This hardware solution indeed minimizes collec-tion overhead, but is rather costly and only catches mem-ory accesses missed by on-chip caches.
7 Conclusion and Future WorkThis paper presents Spindle, a versatile memory mon-
itoring framework that performs detailed static analysisto extract program structures, allowing different types ofstatic and dynamic techniques to compute rather than col-lect memory accesses whenever possible. Our develop-ment and experiments confirm that there are abundantredundancy and regularity in memory accesses, evenfor applications perceived as more irregular and data-dependent. By identifying predictable memory accessbehaviors at compile time and supplementing staticallyobtained memory access skeletons with runtime infor-mation, we can dramatically reduce the amount of onlinechecking (for purposes like bug or race detection) or datacollection (for purposes like memory access pattern anal-ysis or memory tracing).
AcknowledgmentWe thank all reviewers for their insightful comments
and our shepherd Samira Khan for her timely guidance.We also thank colleagues from both the Tsinghua Uni-versity PACMAN group and the QCRI Distributed Sys-tems group, for their valuable feedback and suggestions.This work is supported in part by the National KeyR&D Program of China (Grant No. 2017YFA0604500),National Natural Science Foundation of China (GrantNo. 61722208, 61472201), Tsinghua University Initia-tive Scientific Research Program (20151080407). JidongZhai is the corresponding author of this paper.
USENIX Association 2018 USENIX Annual Technical Conference 571
References
[1] SPEC CPU 2006. https://www.spec.org/cpu2006/.
[2] D. Bailey, T. Harris, W. Saphir, R. V. D. Wijngaart,A. Woo, and M. Yarrow. The NAS Parallel Benchmarks2.0. NAS Systems Division, NASA Ames Research Cen-ter, Moffett Field, CA, 1995.
[3] Yungang Bao, Mingyu Chen, Yuan Ruan, Li Liu, Jian-ping Fan, Qingbo Yuan, Bo Song, and Jianwei Xu.Hmtt: A platform independent full-system memory tracemonitoring system. In Proceedings of the 2008 ACMSIGMETRICS International Conference on Measurementand Modeling of Computer Systems, SIGMETRICS ’08,pages 229–240. ACM, 2008.
[4] The PARSEC benchmark. http://parsec.cs.princeton.edu/.
[5] Derek Bruening and Qin Zhao. Practical memory check-ing with dr. memory. In Proceedings of the IEEE/ACMInternational Symposium on Code Generation and Opti-mization, pages 213–223, Los Alamitos, CA, USA, 2011.
[6] Derek L Bruening. Efficient, transparent, and compre-hensive runtime code manipulation. PhD thesis, Mas-sachusetts Institute of Technology, 2004.
[7] The fcd tool. https://github.com/zneak/fcd/.
[8] The fido library. http://fidoproject.github.io/.
[9] Brian Fitzgerald, Jay P Kesan, Barbara Russo, MahaShaikh, and Giancarlo Succi. Adopting Open Source Soft-ware. MIT Press, 2011.
[10] The LLVM Compiler Framework. http://llvm.org.
[11] Graph500. http://www.graph500.org/.
[12] Yongbing Huang, Licheng Chen, Zehan Cui, Yuan Ruan,Yungang Bao, Mingyu Chen, and Ninghui Sun. Hmtt:A hybrid hardware/software tracing system for bridgingthe dram access trace’s semantic gap. ACM Trans. Archit.Code Optim., 11(1):7:1–7:25, 2014.
[13] Hugo Illous, Matthieu Lemerre, and Xavier Rival. A re-lational shape abstract domain. In NASA Formal MethodsSymposium, pages 212–229. Springer, 2017.
[14] Ravi Iyer, Li Zhao, Fei Guo, Ramesh Illikkal, SrihariMakineni, Don Newell, Yan Solihin, Lisa Hsu, and SteveReinhardt. Qos policies and architecture for cache/mem-ory in cmp platforms. In SIGMETRICS’07, pages 25–36.ACM, 2007.
[15] Jinseong Jeon, Keoncheol Shin, and Hwansoo Han. Lay-out transformations for heap objects using static accesspatterns. In Proceedings of the 16th International Confer-ence on Compiler Construction, CC’07, pages 187–201,2007.
[16] Vasileios P Kemerlis, Georgios Portokalidis, KangkookJee, and Angelos D Keromytis. libdft: Practical dynamicdata flow tracking for commodity systems. In ACM SIG-PLAN Notices, volume 47, pages 121–132. ACM, 2012.
[17] Y. Kim, M. Papamichael, O. Mutlu, and M. Harchol-Balter. Thread cluster memory scheduling: Exploitingdifferences in memory access behavior. In Micro, pages65–76, 2010.
[18] The kissdb program. https://github.com/adamierymenko/kissdb.git.
[19] J. R. Larus. Abstract execution: A technique for effi-ciently tracing programs. Software Practice Experience,20(12):1241–1258, November 1990.
[20] Lei Liu, Zehan Cui, Mingjie Xing, Yungang Bao, MingyuChen, and Chengyong Wu. A software memory partitionapproach for eliminating bank-level interference in mul-ticore systems. In PACT’12, pages 367–376. ACM, 2012.
[21] Shan Lu, Joseph Tucek, Feng Qin, and Yuanyuan Zhou.Avio: Detecting atomicity violations via access interleav-ing invariants. In Proceedings of the 12th InternationalConference on Architectural Support for ProgrammingLanguages and Operating Systems, ASPLOS, pages 37–48. ACM, 2006.
[22] Chi-Keung Luk, Robert Cohn, Robert Muth, HarishPatil, Artur Klauser, Geoff Lowney, Steven Wallace, Vi-jay Janapa Reddi, and Kim Hazelwood. Pin: Buildingcustomized program analysis tools with dynamic instru-mentation. In Proceedings of the 2005 ACM SIGPLANConference on Programming Language Design and Im-plementation, PLDI ’05, pages 190–200. ACM, 2005.
[23] The mapreduce program. https://github.com/sysprog21/mapreduce.git.
[24] Henrique Nazare, Izabela Maffra, Willer Santos,Leonardo Barbosa, Laure Gonnord, and Fernando MagnoQuintao Pereira. Validation of memory accesses throughsymbolic analyses. In ACM SIGPLAN Notices, vol-ume 49, pages 791–809. ACM, 2014.
[25] Nicholas Nethercote and Julian Seward. How to shadowevery byte of memory used by a program. In Proceed-ings of the 3rd International Conference on Virtual Exe-cution Environments, VEE ’07, pages 65–74, New York,NY, USA, 2007. ACM.
[26] Nicholas Nethercote and Julian Seward. Valgrind: Aframework for heavyweight dynamic binary instrumenta-tion. In Proceedings of the 28th ACM SIGPLAN Confer-ence on Programming Language Design and Implemen-tation, PLDI ’07, pages 89–100. ACM, 2007.
572 2018 USENIX Annual Technical Conference USENIX Association
[27] Soyeon Park, Shan Lu, and Yuanyuan Zhou. Ctrig-ger: Exposing atomicity violation bugs from their hidingplaces. In ASPLOS, pages 25–36. ACM, 2009.
[28] Mathias Payer, Enrico Kravina, and Thomas R Gross.Lightweight memory tracing. In USENIX Annual Tech-nical Conference, pages 115–126, 2013.
[29] The CNN program. https://github.com/preimmortal/CNN.git.
[30] Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim,Yuanyuan Zhou, and Youfeng Wu. Lift: A low-overheadpractical information flow tracking system for detectingsecurity attacks. In ACM Sigplan Notices, pages 245–258. ACM, 2009.
[31] Paruj Ratanaworabhan, Martin Burtscher, DarkoKirovski, Benjamin Zorn, Rahul Nagpal, and KarthikPattabiraman. Detecting and tolerating asymmetric races.In Proceedings of the 14th ACM SIGPLAN Symposiumon Principles and Practice of Parallel Programming,PPoPP ’09, pages 173–184. ACM, 2009.
[32] Amitabha Roy, Steven Hand, and Tim Harris. Hybridbinary rewriting for memory access instrumentation. InProceedings of the 7th ACM SIGPLAN/SIGOPS Inter-national Conference on Virtual Execution Environments,VEE ’11, pages 227–238. ACM, 2011.
[33] Konstantin Serebryany, Derek Bruening, AlexanderPotapenko, and Dmitriy Vyukov. Addresssanitizer: Afast address sanity checker. In USENIX Annual Techni-cal Conference, pages 309–318, 2012.
[34] Tianwei Sheng, Neil Vachharajani, Stephane Eranian, andRobert Hundt. Racez: A lightweight and non-invasiverace detection tool for production applications. In ICSE,pages 401–410, 2011.
[36] Allan Snavely, Laura Carrington, Nicole Wolter, JesusLabarta, Rosa Badia, and Avi Purkayastha. A frameworkfor performance modeling and prediction. In SC, pages1–17, 2002.
[37] The McSema tool. https://github.com/trailofbits/mcsema/.
[38] Gang-Ryung Uh, Robert Cohn, Bharadwaj Yadavalli,Ramesh Peri, and Ravi Ayyagari. Analyzing dynamicbinary instrumentation overhead. In WBIA Workshop atASPLOS, 2006.
[39] Guru Venkataramani, Brandyn Roemer, Yan Solihin,and Milos Prvulovic. Memtracker: Efficient and pro-grammable support for memory access monitoring anddebugging. In High Performance Computer Architecture,2007. HPCA 2007. IEEE 13th International Symposiumon, pages 273–284. IEEE, 2007.
[40] Jeffrey Vetter. Dynamic statistical profiling of commu-nication activity in distributed applications. In Proceed-ings of the 2002 ACM SIGMETRICS International Con-ference on Measurement and Modeling of Computer Sys-tems, SIGMETRICS ’02, pages 240–250. ACM, 2002.
[41] Georg Von Krogh and Eric Von Hippel. The promise ofresearch on open source software. Management science,52(7):975–983, 2006.
[42] Shasha Wen, Milind Chabbi, and Xu Liu. Redspy: Ex-ploring value locality in software. In ASPLOS, pages 47–61. ACM, 2017.
[43] Yichen Xie, Andy Chou, and Dawson Engler. Archer:using symbolic, path-sensitive analysis to detect mem-ory access errors. ACM SIGSOFT Software EngineeringNotes, 28(5):327–336, 2003.
[44] Jidong Zhai, Jianfei Hu, Xiongchao Tang, Xiaosong Ma,and Wenguang Chen. Cypress: Combining static and dy-namic analysis for top-down communication trace com-pression. In Proceedings of the International Conferencefor High Performance Computing, Networking, Storageand Analysis, SC’14, pages 143–153, 2014.
USENIX Association 2018 USENIX Annual Technical Conference 573
![Page 1: Spindle: Informed Memory Access Monitoring · itored in system and architecture research, for memory bug or race condition detection [21, 27, 31], informa-tion flow tracking [16,](https://reader035.documents.pub/reader035/viewer/2022070717/5edcf827ad6a402d6667e134/html5/thumbnails/1.jpg)
![Page 2: Spindle: Informed Memory Access Monitoring · itored in system and architecture research, for memory bug or race condition detection [21, 27, 31], informa-tion flow tracking [16,](https://reader035.documents.pub/reader035/viewer/2022070717/5edcf827ad6a402d6667e134/html5/thumbnails/2.jpg)
![Page 3: Spindle: Informed Memory Access Monitoring · itored in system and architecture research, for memory bug or race condition detection [21, 27, 31], informa-tion flow tracking [16,](https://reader035.documents.pub/reader035/viewer/2022070717/5edcf827ad6a402d6667e134/html5/thumbnails/3.jpg)
![Page 4: Spindle: Informed Memory Access Monitoring · itored in system and architecture research, for memory bug or race condition detection [21, 27, 31], informa-tion flow tracking [16,](https://reader035.documents.pub/reader035/viewer/2022070717/5edcf827ad6a402d6667e134/html5/thumbnails/4.jpg)
![Page 5: Spindle: Informed Memory Access Monitoring · itored in system and architecture research, for memory bug or race condition detection [21, 27, 31], informa-tion flow tracking [16,](https://reader035.documents.pub/reader035/viewer/2022070717/5edcf827ad6a402d6667e134/html5/thumbnails/5.jpg)
![Page 6: Spindle: Informed Memory Access Monitoring · itored in system and architecture research, for memory bug or race condition detection [21, 27, 31], informa-tion flow tracking [16,](https://reader035.documents.pub/reader035/viewer/2022070717/5edcf827ad6a402d6667e134/html5/thumbnails/6.jpg)
![Page 7: Spindle: Informed Memory Access Monitoring · itored in system and architecture research, for memory bug or race condition detection [21, 27, 31], informa-tion flow tracking [16,](https://reader035.documents.pub/reader035/viewer/2022070717/5edcf827ad6a402d6667e134/html5/thumbnails/7.jpg)
![Page 8: Spindle: Informed Memory Access Monitoring · itored in system and architecture research, for memory bug or race condition detection [21, 27, 31], informa-tion flow tracking [16,](https://reader035.documents.pub/reader035/viewer/2022070717/5edcf827ad6a402d6667e134/html5/thumbnails/8.jpg)
![Page 9: Spindle: Informed Memory Access Monitoring · itored in system and architecture research, for memory bug or race condition detection [21, 27, 31], informa-tion flow tracking [16,](https://reader035.documents.pub/reader035/viewer/2022070717/5edcf827ad6a402d6667e134/html5/thumbnails/9.jpg)
![Page 10: Spindle: Informed Memory Access Monitoring · itored in system and architecture research, for memory bug or race condition detection [21, 27, 31], informa-tion flow tracking [16,](https://reader035.documents.pub/reader035/viewer/2022070717/5edcf827ad6a402d6667e134/html5/thumbnails/10.jpg)
![Page 11: Spindle: Informed Memory Access Monitoring · itored in system and architecture research, for memory bug or race condition detection [21, 27, 31], informa-tion flow tracking [16,](https://reader035.documents.pub/reader035/viewer/2022070717/5edcf827ad6a402d6667e134/html5/thumbnails/11.jpg)
![Page 12: Spindle: Informed Memory Access Monitoring · itored in system and architecture research, for memory bug or race condition detection [21, 27, 31], informa-tion flow tracking [16,](https://reader035.documents.pub/reader035/viewer/2022070717/5edcf827ad6a402d6667e134/html5/thumbnails/12.jpg)
![Page 13: Spindle: Informed Memory Access Monitoring · itored in system and architecture research, for memory bug or race condition detection [21, 27, 31], informa-tion flow tracking [16,](https://reader035.documents.pub/reader035/viewer/2022070717/5edcf827ad6a402d6667e134/html5/thumbnails/13.jpg)
![Page 14: Spindle: Informed Memory Access Monitoring · itored in system and architecture research, for memory bug or race condition detection [21, 27, 31], informa-tion flow tracking [16,](https://reader035.documents.pub/reader035/viewer/2022070717/5edcf827ad6a402d6667e134/html5/thumbnails/14.jpg)
