scaling model checking of dataraces using dynamic information ohad shacham tel aviv university ibm...
TRANSCRIPT
Scaling Model Checking of Dataraces Using
Dynamic Information
Ohad ShachamTel Aviv University
IBM Haifa Lab
Mooly SagivTel Aviv University
Assaf SchusterTechnion
Datarace Happens when two threads access a
memory location concurrently At least one access is a write
Unpredictable results Can indicate bugs Hard to detect Hard to reproduce
Datarace example
TicketPurchase(NumOfTickets){ if (NumOfTickets · FreeTickets) FreeTickets -= NumOfTickets else
Print “Full”; }
Datarace example
Thread I Thread II
TicketPurchase(2)
if (NumOfTickets · FreeTickets)
TicketPurchase(4)
if (NumOfTickets · FreeTickets)
FreeTickets -= NumOfTickets
FreeTickets -= NumOfTickets
{FreeTickets = -2}
{FreeTickets = 4}
TicketPurchase(NumOfTickets){ if (NumOfTickets · FreeTickets) FreeTickets -= NumOfTickets else
Print “Full”; }
Datarace example
TicketPurchase(NumOfTickets){ Lock(lockFreeTickets) if (NumOfTickets · FreeTickets) FreeTickets -= NumOfTickets else
Print “Full”; Unlock(lockFreeTickets) }
Datarace detection
Static datarace detection tools Racex [Engler and Ashcraft] TVLA [Sagiv et. al.]
Dynamic datarace detection tools: Lamport’s happens-before partial
order (Djit) Lock based techniques (Lockset)
Difficulties in model checking dataraces Infinite state space Huge number of interleavings Huge transition systems Size problem
Observation
Programs maintaining a locking discipline are dataraces free
Hybrid solution
Dynamically check a locking discipline
Produce witnesses for dataraces using a model checker Explore suffixes of the trace
Basic idea
Algorithm flow
Lockset
Multithreaded program
List of Warnings
Find a1
1 2
Model Checker
Lockset
Savage et. al. SOSP 1997 Lockset invariant
multiple accesses to a specific memory location are guarded by a unique lock
Lockset example
Lock(lockx)X = 7Unlock(lockx)Lock(locky)Z = Y
Lock(locky)Y = 2Unlock(locky)Lock(locky)Y = X
{lockx}
{locky}
{locky}
Thread I Thread II C(X)
{lockx, locky}{lockx}
{locky}
Unlock(locky)
Locks I Locks II
Lockset
Advantage Predict dataraces which may occur in
a different thread interleaving Disadvantages
Spurious dataraces Hard to use
Lack of trace
Lockset strength
Lock(lockx);X = 7;Unlock(lockx);Lock(locky);Z = Y;
Lock(locky);Y = 2;Unlock(locky);Lock(locky);Y = X;
{lockx}
{locky}
{locky}
Thread I Thread II C(X)
{lockx, locky}{lockx}
{locky}
Unlock(locky);
Locks I Locks II
Our hybrid solution
Combine Lockset & Model Checking Provide witnesses for dataraces
Rare dataraces Dataraces in large programs
Model CheckingProvide witnesses for rare DR
Locksetscale for large programs+
A witness for a datarace
a1
a2
1
2
ma1 = ma2 a1=Write Ç a2=Write
Required data from Lockset
X=7
Y=2
Z=Y
Y=X
Thread I Thread II
Lockset provides for each warning only a single access event a2
Find a prior access event a1 which can take part in a race with a2
a1
a2
Using Lockset data
Using Lockset data
X = 7
Z = Y
Y = 2
Y = X
A Warning on X
X=7
Z=Y
Y=2
Y=X
{lockx}
{locky}
{locky}
{locky}
Prefix
a1
a2
MODEL without t1
Building a model
a1
Using a model checker
a1
1
a2
Is a2 reachable by t2 ?
Using a model checker
a2
a1
a1
Reduce the model checker cost
Reduction in the model size Elimination of thread t1
Providing a single new initial configuration
Heuristically reducing the number of steps that the model checker should carry out
Example
Lock(lockx);X = 7;Unlock(lockx);Lock(locky);Z = Y;
Lock(locky);Y = 2;Unlock(locky);Lock(locky);Y = X;
{lockx}
{locky}
{locky}
Thread I Thread II C(X)
{lockx, locky}{lockx}
{locky}
Unlock(locky);
Lock(locky);Y = 2;Unlock(locky);Lock(locky);Y = X;
1
2
X = 7;
Locks I Locks II
Prototype implementation
A prototype tool based on IBM tools
Lockset – The IBM Watson tool Wolf – IBM Haifa’s software model
checker
Prototype implementation
Lockset
Multi-threaded program
List of Warnings
Find a1 Extend 1 Wolf
1 2
Benchmark programsProgramDescriptionLines
Tsptraveling salesman from ETH
706
Our_tspEnhanced traveling salesman
708
mtrtMultithreaded raytracer from specjvm98
3751
HedcWeb Crawler Kernel from ETH
29948
SortArrayParallel sort362
PrimeFinderFinds prime numbers in a given interval
129
ElevsimElevator simulator150
DQueriesShared DB simulator166
Experimental results
Program2 threads3 threads4 threadsTime (sec)
Memory (MB)
Time (sec)
Memory (MB)
Time (sec)
Memory (MB)
our_tsp35069
353 Mem Out Mem Out
SortArray569.31231334.93
396 Mem Out
PrimeFinder888.71162645.51434547.1168
ElevSim33.022867.9233147.948
DQueries140.160201.889585.97136
Hedc2.66117.3312917
tsp35243
377 Mem
Out Mem Out
Conclusion
Hybrid technique which combines dynamic datarace detector and a model checker
Provide witnesses for dataraces which occur only in rare interleavings
Helps the user in analyzing the datarace
No spurious dataraces