1

Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan*

NEC Laboratories America, Princeton, NJ

* University of Utah, Salt Lake City, UT

Dynamic Model Checking with Property Driven Pruning to Detect Race Conditions

2

Motivation

Concurrent programs are hard to debug Too many possible thread interleavings

Even for a given input

Data races – a representative type of concurrency bugs e.g., among flaws in the Therac-25 radiation therapy machine e.g., related to the 2003 North America Blackout

What’s a data race? Multiple threads can simultaneously access a shared data variable At least one is a write

3

Related Work

Precisely detecting data races (or proving race-freedom) is hard Simultaneous reachability

Previous efforts Static checking (whole-program analysis)

[Flanagan et al 2002], [Engler & Ashcraft 2002], [Pratikakis et al 2006], [Voung et al 2007], [Kahlon et al 2007], …

Bogus warnings – too many of them!

Dynamic checking (on a particular execution trace) Eraser [Savage et. al. 1997], Valgrind [Nethercote & Seward 2003], … May miss real races; bogus warnings – may still appear

Classic model checking algorithms Full coverage, but requires model building (non-trivial) For example: pointers, rich data types, …

4

Related Work (2)

(Stateless) dynamic model checking e.g., Verisoft (Bell labs), CHESS (MSR), Inspect (U. of Utah) Do not store the program states, but rely on a Depth-First Search to

systematically explore all feasible thread schedules

Advantages Run in the real environment no bogus warnings Full coverage for terminating programs No missed data races

Disadvantages: The search is inefficient – too many thread interleavings

5

Related Work (3)

DPOR: Dynamic Partial Order Reduction [Flanagan & Godefroid, POPL 2005] Main idea: Remove redundant interleavings from each equivalence

class of interleavings, provided that the representative has been checked

Still not good enough! What if an entire equivalence class (of interleavings) is redundant

We need a property-specific reduction! Remove redundant interleavings within each equivalence class Remove redundant equivalence classes (w.r.t. the property)

6

Outline

Introduction and Related Work Motivating Example Set of Locksets Modeling Unobserved Branches Experiments Conclusions

Motivating Example

7

Error trace: b1-b7, a1-a4, a5, b8-b9, {a6,b10}

Where is the data race?Initial state: x=y=z=0

Motivating Example

8

Traces: a1-a4,a5-a8, a9-a11,b1-b7,b8-b11 a1-a4,a5-a8, b1-b7,a9-a11,b8-b11 a1-a4,a5-a8, b1-b7,b8-b11,a9-a11 a1-a4,…………………………………. ……Error: b1-b7, a1-a4, a5, b8-b9, {a6,b10}

How would DPOR find it? … … it would take awhile.

reduction

Motivating Example

9

Traces: a1-a4,a5-a8, a9-a11,b1-b7,b8-b11 a1-a4,a5-a8, b1-b7,a9-a11,b8-b11 a1-a4,a5-a8, b1-b7,b8-b11,a9-a11 a1-a4,………………………………….. ……Error: b1-b7, a1-a4, a5, b8-b9, {a6,b10}

In this search sub-space, a9-a11 and b1-b11 run concurrently

This sub-space does not have data race!!!

How can we do better than that? … … lockset analysis of the sub-tree

Lockset Analysis: is the sub-space race-free?

10

In this search sub-space, a9-a11 and b1-b11 run concurrently

For each variable access, compute the set of held locks (lockset)

This sub-space does not have data race!!!

Identifying the locksets is a thread-local computation scalable

This reduction is beyond DPOR, but fits seamlessly with dynamic model checking

Lockset Analysis: is the sub-space race-free?

11

ReceFreeSubSpace prune away redundant equivalence classes

12

Outline

Introduction and Related Work Motivating Example Set of Locksets Modeling Unobserved Branches Experiments Conclusions

Problem Statement

Given a trace and state Si, ask “whether all alternative traces with the same prefix (up to Si) are race free?”

13

Set of Locksets

14

Seg_i

Seg_j

For example, lsSet_x(seg_i) = { {f1}, {f2} } lsSet_x(seg_j) = { {f1,f2} }

Set of Locksets: it’s conservative!

15

Seg_i

Seg_j

RaceFreeSubSpace(S, si)

• If it reports a race may be a real race• if it reports race-free indeed race-free

• When the subspace is race-free, we prune away all the related equivalence classes (of interleavings)

•Independent from (and potentially more powerful than) POR

16

Outline

Introduction and Related Work Motivating Example Set of Locksets Modeling Unobserved Branches Experiments Conclusions

17

The Missing Link (unobserved branches)

In collecting lsSet_x(seg_i), we have to consider all feasible branches of (seg_i), which includes

• The observed path• Unobserved paths (not-yet-executed)

(we are talking about paths in a single thread)

Over-approximating Unobserved Branches

18

Our solution: 1.Use a priori static analysis to collect lock-info in all branches;2.Instrument the source code program

• For both branches of every if-else statement, add calls to the following functions

Over-approximating Unobserved Branches

19

The Unobserved BranchWhat do we know? 1. it accesses variable x, with lockset {B} U ( {C}\{} ) = {B,C} 2. at the end, the held locks are {B} U ( {C}\{} ) = {B,C}

Over-approximating Unobserved Branches

20

The Unobserved BranchWhat do we know? 1. it accesses variable x, with lockset {B} U ( {C}\{} ) = {B,C} 2. at the end, the held locks are {B} U ( {C}\{} ) = {B,C}

Over-approximating Unobserved Branches

21

Our solution: 1.Use a priori static analysis to collect lock-info in all branches;2.Instrument the source code program

• For both branches of every if—else statement, add calls to the following functions

22

Outline

Introduction and Related Work Motivating Example Set of Locksets Modeling Unobserved Branches Experiments Conclusions

23

Experiments

Compared the following methods DPOR (implemented in Inspect) DPOR + Property-Driven Pruning

Benchmark programs Real Linux applications written in C using POSIX thread library From public domain (sourceforge.net; freshmeat.org, etc.)

Fdrd2 Pfscan – file scanner Aget – a ftp client for concurrently downloading segments of a large file Bzip2smt – a multithreaded version of bzip

24

Experiments

25

Conclusions

We present a new pruning method for stateless model checking Using a trace-based lockset analysis The reduction (in thread interleavings) is property-specific, and is

therefore is beyond POR

Significance Our method scales much better to realistic programs No bogus warnings, complete coverage

Future work Extend the pruning method to handle more general safety properties

(deadlock and assertion)