1 / 31

Scaling Model Checking of Dataraces Using Dynamic Information

Scaling Model Checking of Dataraces Using Dynamic Information. Ohad Shacham Tel Aviv University IBM Haifa Lab. Mooly Sagiv Tel Aviv University. Assaf Schuster Technion. Datarace. Happens when two threads access a memory location concurrently At least one access is a write

ringo
Download Presentation

Scaling Model Checking of Dataraces Using Dynamic Information

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Scaling Model Checking of Dataraces Using Dynamic Information Ohad Shacham Tel Aviv University IBM Haifa Lab Mooly Sagiv Tel Aviv University Assaf Schuster Technion

  2. Datarace • Happens when two threads access a memory location concurrently • At least one access is a write • Unpredictable results • Can indicate bugs • Hard to detect • Hard to reproduce

  3. Datarace example TicketPurchase(NumOfTickets) { if (NumOfTickets · FreeTickets) FreeTickets -= NumOfTickets else Print “Full”; }

  4. TicketPurchase(NumOfTickets) { if (NumOfTickets · FreeTickets) FreeTickets -= NumOfTickets else Print “Full”; } Datarace example {FreeTickets = 4} Thread I Thread II TicketPurchase(2) if (NumOfTickets · FreeTickets) TicketPurchase(4) if (NumOfTickets · FreeTickets) FreeTickets -= NumOfTickets FreeTickets -= NumOfTickets {FreeTickets = -2}

  5. Datarace example TicketPurchase(NumOfTickets) { Lock(lockFreeTickets) if (NumOfTickets · FreeTickets) FreeTickets -= NumOfTickets else Print “Full”; Unlock(lockFreeTickets) }

  6. Datarace detection • Static datarace detection tools • Racex [Engler and Ashcraft] • TVLA [Sagiv et. al.] • Dynamic datarace detection tools: • Lamport’s happens-before partial order (Djit) • Lock based techniques (Lockset)

  7. Difficulties in model checking dataraces • Infinite state space • Huge number of interleavings • Huge transition systems • Size problem

  8. Observation Programs maintaining a locking discipline are dataraces free

  9. Hybrid solution • Dynamically check a locking discipline • Produce witnesses for dataraces using a model checker • Explore suffixes of the trace

  10. Basic idea

  11. Algorithm flow Multithreaded program List of Warnings Lockset Find a1 Model Checker 1 2

  12. Lockset • Savage et. al. SOSP 1997 • Lockset invariant • multiple accesses to a specific memory location are guarded by a unique lock

  13. Lockset example Locks I Thread I Thread II Locks II C(X) {lockx, locky} Lock(lockx)  {lockx} X = 7 {lockx} Unlock(lockx) Lock(locky)  Z = Y {locky} Unlock(locky) Lock(locky)  Y = 2 {locky} Unlock(locky)  Lock(locky) {locky} Y = X 

  14. Lockset • Advantage • Predict dataraces which may occur in a different thread interleaving • Disadvantages • Spurious dataraces • Hard to use • Lack of trace

  15. Lockset strength Locks I Thread I Thread II Locks II C(X) {lockx, locky} Lock(lockx);  {lockx} X = 7; {lockx} Unlock(lockx); Lock(locky);  Z = Y; {locky} Unlock(locky); Lock(locky);  Y = 2; {locky} Unlock(locky);  Lock(locky); {locky} Y = X; 

  16. Our hybrid solution • Combine Lockset & Model Checking • Provide witnesses for dataraces • Rare dataraces • Dataraces in large programs Model CheckingProvide witnesses for rare DR + Locksetscale for large programs

  17. A witness for a datarace 1 2 a1 ma1 = ma2a1=Write Ç a2=Write a2

  18. Required data from Lockset Thread I Thread II X=7 Z=Y Y=2 Y=X

  19. Using Lockset data • Lockset provides for each warning only a single access event a2 • Find a prior access event a1 which can take part in a race with a2 a1 a2

  20. Using Lockset data X=7 X = 7 {lockx} Z=Y Z = Y {locky} Y=2 {locky} Y = 2 Y=X Y = X {locky} A Warning on X

  21. Prefix a1 a2

  22. Building a model a1 MODEL without t1

  23. Using a model checker Is a2 reachable by t2? 1 a1 a2

  24. Using a model checker a1 a2 a1

  25. Reduce the model checker cost • Reduction in the model size • Elimination of thread t1 • Providing a single new initial configuration • Heuristically reducing the number of steps that the model checker should carry out

  26. Example Locks I Thread I Thread II Locks II C(X) 1 {lockx, locky} Lock(lockx);  {lockx} X = 7; {lockx} Unlock(lockx); Lock(locky); Lock(locky);  Y = 2; Z = Y; {locky} 2 Unlock(locky); Unlock(locky); Lock(locky); Y = X; Lock(locky); X = 7; Y = 2; {locky} Unlock(locky);  Lock(locky); {locky} Y = X; 

  27. Prototype implementation • A prototype tool based on IBM tools • Lockset – The IBM Watson tool • Wolf – IBM Haifa’s software model checker

  28. Prototype implementation Multi-threaded program List of Warnings Lockset Find a1 Extend 1 Wolf 1 2

  29. Benchmark programs

  30. Experimental results

  31. Conclusion • Hybrid technique which combines dynamic datarace detector and a model checker • Provide witnesses for dataraces which occur only in rare interleavings • Helps the user in analyzing the datarace • No spurious dataraces

More Related