Scaling Model Checking of Dataraces Using Dynamic Information Ohad Shacham Tel Aviv University IBM Haifa Lab Mooly Sagiv Tel Aviv University Assaf Schuster.

Scaling Model Checking of Dataraces Using

Dynamic Information

Ohad ShachamTel Aviv University

IBM Haifa Lab

Mooly SagivTel Aviv University

Assaf SchusterTechnion

Datarace Happens when two threads access a

memory location concurrently At least one access is a write

Unpredictable results Can indicate bugs Hard to detect Hard to reproduce

Datarace example

TicketPurchase(NumOfTickets){ if (NumOfTickets · FreeTickets) FreeTickets -= NumOfTickets else

Print “Full”; }

Datarace example

Thread I Thread II

TicketPurchase(2)

if (NumOfTickets · FreeTickets)

TicketPurchase(4)

if (NumOfTickets · FreeTickets)

FreeTickets -= NumOfTickets

FreeTickets -= NumOfTickets

{FreeTickets = -2}

{FreeTickets = 4}

TicketPurchase(NumOfTickets){ if (NumOfTickets · FreeTickets) FreeTickets -= NumOfTickets else

Print “Full”; }

Datarace example

TicketPurchase(NumOfTickets){ Lock(lockFreeTickets) if (NumOfTickets · FreeTickets) FreeTickets -= NumOfTickets else

Print “Full”; Unlock(lockFreeTickets) }

Datarace detection

Static datarace detection tools Racex [Engler and Ashcraft] TVLA [Sagiv et. al.]

Dynamic datarace detection tools: Lamport’s happens-before partial

order (Djit) Lock based techniques (Lockset)

Difficulties in model checking dataraces Infinite state space Huge number of interleavings Huge transition systems Size problem

Observation

Programs maintaining a locking discipline are dataraces free

Hybrid solution

Dynamically check a locking discipline

Produce witnesses for dataraces using a model checker Explore suffixes of the trace

Basic idea

Algorithm flow

Lockset

Multithreaded program

List of Warnings

Find a1

1 2

Model Checker

Lockset

Savage et. al. SOSP 1997 Lockset invariant

multiple accesses to a specific memory location are guarded by a unique lock

Lockset example

Lock(lockx)X = 7Unlock(lockx)Lock(locky)Z = Y

Lock(locky)Y = 2Unlock(locky)Lock(locky)Y = X

{lockx}

{locky}

{locky}

Thread I Thread II C(X)

{lockx, locky}{lockx}

{locky}

Unlock(locky)

Locks I Locks II

Lockset

Advantage Predict dataraces which may occur in

a different thread interleaving Disadvantages

Spurious dataraces Hard to use

Lack of trace

Lockset strength

Lock(lockx);X = 7;Unlock(lockx);Lock(locky);Z = Y;

Lock(locky);Y = 2;Unlock(locky);Lock(locky);Y = X;

{lockx}

{locky}

{locky}

Thread I Thread II C(X)

{lockx, locky}{lockx}

{locky}

Unlock(locky);

Locks I Locks II

Our hybrid solution

Combine Lockset & Model Checking Provide witnesses for dataraces

Rare dataraces Dataraces in large programs

Model CheckingProvide witnesses for rare DR

Locksetscale for large programs+

A witness for a datarace

a1

a2

1

2

ma1 = ma2 a1=Write Ç a2=Write

Required data from Lockset

X=7

Y=2

Z=Y

Y=X

Thread I Thread II

Lockset provides for each warning only a single access event a2

Find a prior access event a1 which can take part in a race with a2

a1

a2

Using Lockset data

Using Lockset data

X = 7

Z = Y

Y = 2

Y = X

A Warning on X

X=7

Z=Y

Y=2

Y=X

{lockx}

{locky}

{locky}

{locky}

Prefix

a1

a2

MODEL without t1

Building a model

a1

Using a model checker

a1

1

a2

Is a2 reachable by t2 ?

Using a model checker

a2

a1

a1

Reduce the model checker cost

Reduction in the model size Elimination of thread t1

Providing a single new initial configuration

Heuristically reducing the number of steps that the model checker should carry out

Example

Lock(lockx);X = 7;Unlock(lockx);Lock(locky);Z = Y;

Lock(locky);Y = 2;Unlock(locky);Lock(locky);Y = X;

{lockx}

{locky}

{locky}

Thread I Thread II C(X)

{lockx, locky}{lockx}

{locky}

Unlock(locky);

Lock(locky);Y = 2;Unlock(locky);Lock(locky);Y = X;

1

2

X = 7;

Locks I Locks II

Prototype implementation

A prototype tool based on IBM tools

Lockset – The IBM Watson tool Wolf – IBM Haifa’s software model

checker

Prototype implementation

Lockset

Multi-threaded program

List of Warnings

Find a1 Extend 1 Wolf

1 2

Benchmark programsProgramDescriptionLines

Tsptraveling salesman from ETH

706

Our_tspEnhanced traveling salesman

708

mtrtMultithreaded raytracer from specjvm98

3751

HedcWeb Crawler Kernel from ETH

29948

SortArrayParallel sort362

PrimeFinderFinds prime numbers in a given interval

129

ElevsimElevator simulator150

DQueriesShared DB simulator166

Experimental results

Program2 threads3 threads4 threadsTime (sec)

Memory (MB)

Time (sec)

Memory (MB)

Time (sec)

Memory (MB)

our_tsp35069

353 Mem Out Mem Out

SortArray569.31231334.93

396 Mem Out

PrimeFinder888.71162645.51434547.1168

ElevSim33.022867.9233147.948

DQueries140.160201.889585.97136

Hedc2.66117.3312917

tsp35243

377 Mem

Out Mem Out

Conclusion

Hybrid technique which combines dynamic datarace detector and a model checker

Provide witnesses for dataraces which occur only in rare interleavings

Helps the user in analyzing the datarace

No spurious dataraces