Mayur Naik Alex Aiken John Whaley Stanford University Effective Static Race Detection for Java.

Presentation transcript:

Effective Static Race Detection for Java
Mayur Naik, Alex Aiken, John Whaley
Stanford University

The Problem
A multi-threaded program contains a race if:
– Two threads can access a memory location
– At least one access is a write
– No ordering between the accesses
As a rule, races are bad
– And common …
– And hard to find …

Previous Work
A lot of previous work
– Dozens of papers in on-line citation indices
– Spanning decades
Two broad classes
– Dynamic
– Static

Dynamic Race Detectors
Three kinds
– happens-before (Lamport, 1978)
– lockset (Savage et al., 1997)
– hybrid (e.g., O’Callahan and Choi, 2003)
Drawbacks
– Unsound
– Cannot analyze open programs (e.g., libraries)
– Need sufficient input data for closed programs

Static Race Detectors
Three kinds
– Type systems (e.g., rccjava, LOCKSMITH)
– Dataflow analyses (e.g., RacerX)
– Model checkers (e.g., BLAST, KISS)
Drawback: all find relatively few bugs
– Precise techniques not applied to large programs
– Coarse techniques find a few bugs in > 1 MLOC

# Bugs Found Using Our Approach
387 bugs in mature Java programs comprising 1.5 MLOC
– Many fixed within a week by developers

Our Static Race Detection Algorithm
Successive sets of access pairs, each a filter of the one before:
– original pairs
– reachable pairs
– aliasing pairs
– escaping pairs
– unlocked pairs

Architecture of Chord
Stages: Reachable pairs, Aliasing pairs, Escaping pairs, Unlocked pairs
Analyses: Alias analysis, Call graph analysis, Thread-escape analysis, Lock analysis

Flow Insensitivity
Helps scalability
Hurts precision
Affects kinds of synchronization idioms we can handle
– Lexically-scoped, lock-based synchronization
– fork/join synchronization (42 annotations in 1.5 MLOC)
– wait/notify synchronization
Simplifies handling of open programs
Simplifies counterexample generation

Context Sensitivity
Precise alias analysis is crucial
– Central to call graph, thread-escape, and lock analyses
– Most alias analyses are too imprecise: CHA, context-insensitive analysis, k-CFA
What works: k-object-sensitive analysis
– Proposed by Milanova et al., 2003
– Our implementation leverages BDD-based context-sensitive program analysis
– k = 3 necessary in our experiments

Running Example

A.java:
    public class A {
        private int f;
        public A() { f = 0; }
        public int get() { return rd(); }
        // "sync" on the slide abbreviates synchronized
        public synchronized int inc() {
            int t = rd() + (new A()).wr(1);
            return wr(t);
        }
        private int rd() { return f; }
        private int wr(int x) { f = x; return x; }
    }

Harness (Note: Single-threaded):
    public class Harness {
        static public void main() {
            A a;
            a = new A();
            a.get();
            a.inc();
        }
    }

Computing Original Pairs
All pairs of accesses such that:
– Both access the same instance field or the same static field or array elements
– At least one is a write

Example: Original Pairs [slide repeats the running example code]

Computing Reachable Pairs
Step 1
– Access pairs with at least one write to same field
Step 2
– Consider access pair (e1, e2)
– To have a race, e1 must be reachable from a thread-spawning call site s1 without “switching” threads
– And s1 must be reachable from main
– And similarly for e2

Example: Reachable Pairs [slide repeats the running example code]

Example: Two Object-Sensitive Contexts [slide repeats the running example code]

Example: 1st Context [slide repeats the running example code]

Example: 2nd Context [slide repeats the running example code]

Example: Reachable Pairs [slide repeats the running example code]

Computing Aliasing Pairs
Steps 1-2
– Access pairs with at least one write to same field
– And both are reachable from some thread
Step 3
– To have a race, both must access the same memory location
– Use alias analysis

Example: Aliasing Pairs [slide repeats the running example code]

Computing Escaping Pairs
Steps 1-3
– Access pairs with at least one write to same field
– And both are reachable from some thread
– And both can access the same memory location
Step 4
– To have a race, the memory location must also be thread-shared
– Use thread-escape analysis

Example: Escaping Pairs [slide repeats the running example code]

Computing Unlocked Pairs
Steps 1-4
– Access pairs with at least one write to same field
– And both are reachable from some thread
– And both can access the same memory location
– And the memory location is thread-shared
Step 5
– Discard pairs where the memory location is guarded by a common lock in both accesses
– Needs must-alias analysis
– We use approximation of may-alias analysis, which is unsound

Example: Unlocked Pairs [slide repeats the running example code]

Example: Counterexample

field reference A.f (A.java:10) [Rd]
    A.get(A.java:4)
    Harness.main(Harness.java:4)
field reference A.f (A.java:12) [Wr]
    A.inc(A.java:7)
    Harness.main(Harness.java:5)

Harness.java:
       static public void main() {
           A a;
           a = new A();
    4:     a.get();
    5:     a.inc();
       }

A.java:
       public A() { f = 0; }
       public int get() {
    4:     return rd(); }
       public synchronized int inc() {
           int t = rd() + (new A()).wr(1);
    7:     return wr(t); }
       private int rd() {
    10:    return f; }
       private int wr(int x) {
    12:    f = x;
           return x; }
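The five filtering stages applied to the running example, as an added worked example (it is not from the slides and is not Chord's code). The access facts are written by hand rather than computed; the abstract object names h1 and h2, the treatment of the harness calls get() and inc() as the thread roots, and the intermediate pair counts are assumptions of this example. The one pair that survives is the one reported on the counterexample slide.

```python
from itertools import combinations_with_replacement
from typing import NamedTuple, Optional

class Access(NamedTuple):
    site: str             # statement touching A.f
    kind: str             # "Rd" or "Wr"
    field: str
    root: Optional[str]   # harness call it is reachable from; None = setup code only
    obj: str              # abstract object (allocation site) whose field is touched
    locks: frozenset      # abstract objects whose monitors are held at the access

# Constructed facts: h1 = "new A()" in Harness.main, h2 = "new A()" inside inc().
# inc() is synchronized on its receiver h1; get() holds no lock.
HELD = frozenset({"h1"})
ACCESSES = [
    Access("A.<init>", "Wr", "A.f", None, "h1", frozenset()),
    Access("A.<init>", "Wr", "A.f", "inc", "h2", HELD),
    Access("A.rd (A.java:10)", "Rd", "A.f", "get", "h1", frozenset()),
    Access("A.rd (A.java:10)", "Rd", "A.f", "inc", "h1", HELD),
    Access("A.wr (A.java:12)", "Wr", "A.f", "inc", "h1", HELD),
    Access("A.wr (A.java:12)", "Wr", "A.f", "inc", "h2", HELD),
]
THREAD_SHARED = {"h1"}    # h2 never leaves inc(), so it stays thread-local

def original(accesses):
    # Same field, at least one write; a statement may pair with itself.
    return [(a, b) for a, b in combinations_with_replacement(accesses, 2)
            if a.field == b.field and "Wr" in (a.kind, b.kind)]

def reachable(pairs):
    return [(a, b) for a, b in pairs if a.root and b.root]

def aliasing(pairs):
    return [(a, b) for a, b in pairs if a.obj == b.obj]

def escaping(pairs):
    return [(a, b) for a, b in pairs if a.obj in THREAD_SHARED]

def unlocked(pairs):
    # Equal abstract lock objects are treated as the same lock: the may-alias
    # approximation the slides call unsound (a must-alias fact is what is needed).
    return [(a, b) for a, b in pairs if not (a.locks & b.locks)]

def run_pipeline(accesses=ACCESSES):
    counts, pairs = {}, original(accesses)
    counts["original"] = len(pairs)
    for stage in (reachable, aliasing, escaping, unlocked):
        pairs = stage(pairs)
        counts[stage.__name__] = len(pairs)
    return counts, pairs
```

Calling run_pipeline() returns the number of pairs left after each stage and the surviving pair: the unguarded read in rd() reached through get() against the write in wr() reached through the synchronized inc().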

Benchmarks (columns: classes, KLOC, description)

vect1.1   JDK 1.1 java.util.Vector
htbl1.1   JDK 1.1 java.util.Hashtable
htbl1.4   JDK 1.4 java.util.Hashtable
vect1.4   JDK 1.4 java.util.Vector
tsp       Traveling Salesman Problem
hedc      Web crawler
ftp       Apache FTP server
pool      Apache object pooling library
jdbm      Transaction manager
jdbf      O/R mapping system
jtds      JDBC driver
derby     Apache RDBMS

Running Time and Annotation Counts (columns: time, root annot, local annot)

vect1.1   0m08s
htbl1.1   0m07s
htbl1.4   1m04s
vect1.4   1m02s
tsp       1m03s
hedc      1m10s
ftp       1m17s
pool      5m29s
jdbm      1m33s
jdbf      1m42s
jtds      3m23s
derby     26m03s

Pairs Retained After Each Stage (Log scale)

Classification of Unlocked Pairs (rows: harmful, benign, false, # bugs)
Benchmarks: vect1.1, htbl1.1, htbl1.4, vect1.4, tsp, hedc, ftp, pool, jdbm, jdbf, jtds, derby

Conclusions
A scalable and precise approach to static race detection
– Largest program analyzed: ~650 KLOC (derby)
– 48 false positives and 42 annotations in total in 1.5 MLOC
Handles common synchronization idioms, analyzes open programs, and generates counterexamples
An example where precise alias analysis is key
– Not just any alias analysis (k-object sensitivity)
– Good stress test for alias analysis

The End