Debugging Concurrent Software by Context-Bounded Analysis Shaz Qadeer Microsoft Research Joint work with: Jakob Rehof, Microsoft Research Dinghao Wu, Princeton University

Concurrent software Operating systems, device drivers Databases, web servers, browsers, GUIs,... Modern languages: C#, Java Processor 1 Processor 2                         Thread 1 Thread 2 Thread 3 Thread 4

Concurrency is increasingly important Single-chip multiprocessors are an architectural inflexion point –Software running on these chips will be even more concurrent Embedded systems –Airplanes, cars, PDAs, cellphones Web services

Reliable concurrent software? Correctness Problem –does program behave correctly for all inputs and all interleavings? Bugs due to concurrency are insidious –nondeterministic, timing dependent –difficult to detect, reproduce, eliminate –coverage from testing very poor

Analysis of concurrent programs is difficult (1) Finite-data single-procedure program –n lines –m states for global data variables 1 thread –n * m states K threads –(n) K * m states

Analysis of concurrent programs is difficult (2) Finite-data program with procedures –n lines –m states for global data variables 1 thread –Infinite number of states –Can still decide assertions in O(n * m 3 ) –SLAM, ESP, BLAST implement this algorithm K  2 threads –Undecidable! (Ramalingam 00)

Context-bounded verification of concurrent software           Context Context switch Analyze all executions with small number of context switches !

Many subtle concurrency errors are manifested in executions with a small number of contexts Context-bounded analysis can be performed efficiently Why context-bounded analysis?

KISS: A static checker for concurrent software An implementation of context-bounded analysis –Technique to use any sequential checker to perform context-bounded concurrency analysis Has found a number of concurrency errors in NT device drivers

Sequential program Q KISS Sequential Checker Concurrent program P  No error found Error in Q indicates error in P KISS: A static checker for concurrent software

Sequential program Q KISS Concurrent program P KISS: A static checker for concurrent software  No error found Error in Q indicates error in P SDV

Sequential program Q KISS Concurrent program P KISS: A static checker for concurrent software  No error found Error in Q indicates error in P PREfix

Sequential program Q KISS Concurrent program P KISS: A static checker for concurrent software  No error found Error in Q indicates error in P ESP

Inside a static checker for sequential programs int x, y, z; void foo ( ) { if (x > y) { y = x; } if (y > z) { z = y; } assert (x ≤ z); } Symbolically analyze all paths Check the assertion for each path Interprocedural analysis – e.g., PREfix, ESP, SLAM, BLAST

KISS strategy Q encodes executions of P with small number of context switches –instrumentation introduces lots of extra paths to mimic context switches Leverage all-path analysis of sequential checkers Sequential program Q KISS Concurrent program P  SDV

PnpStop( ) { int t; de->stopping = T; t = AtomicDecr(& de->count); if (t == 0) SetEvent(& de->stopEvent); WaitEvent(& de->stopEvent); } DispatchRoutine( ) { int t; if (! de->stopping) { AtomicIncr(& de->count); // do useful work // … t = AtomicDecr(& de->count); if (t == 0) SetEvent(& de->stopEvent); }

DispatchRoutine( ) { int t; if (! de->stopping) { AtomicIncr(& de->count); // do useful work // … t = AtomicDecr(& de->count); if (t == 0) SetEvent(& de->stopEvent); } PnpStop( ) { int t; if ($) return; de->stopping = T; if ($) return; t = AtomicDecr(& de->count); if ($) return; if (t == 0) SetEvent(& de->stopEvent); if ($) return; WaitEvent(& de->stopEvent); }

PnpStop( ) { int t; if ($) return; de->stopping = T; if ($) return; t = AtomicDecr(& de->count); if ($) return; if (t == 0) SetEvent(& de->stopEvent); if ($) return; WaitEvent(& de->stopEvent); } DispatchRoutine( ) { int t; CODE; if (! de->stopping) { CODE; AtomicIncr(& de->count); // do useful work // … CODE; t = AtomicDecr(& de->count); CODE; if (t == 0) SetEvent(& de->stopEvent); CODE; } if ( !done ) { if ($) { done = T; PnpStop( ); } } CODE  bool done = F;

PnpStop( ) { int t; if ($) return; de->stopping = T; if ($) return; t = AtomicDecr(& de->count); if ($) return; if (t == 0) SetEvent(& de->stopEvent); if ($) return; WaitEvent(& de->stopEvent); } DispatchRoutine( ) { int t; CODE; if (! de->stopping) { CODE; AtomicIncr(& de->count); // do useful work // … CODE; t = AtomicDecr(& de->count); CODE; if (t == 0) SetEvent(& de->stopEvent); CODE; } if ( !done ) { if ($) { done = T; PnpStop( ); } } CODE  bool done = F; main( ) { DispatchRoutine( ); }

PnpStop( ) { int t; CODE; de->stopping = T; CODE; t = AtomicDecr(& de->count); CODE; if (t == 0) SetEvent(& de->stopEvent); CODE; WaitEvent(& de->stopEvent); CODE; } DispatchRoutine( ) { int t; if ($) return; if (! de->stopping) { if ($) return; AtomicIncr(& de->count); // do useful work // … if ($) return; t = AtomicDecr(& de->count); if ($) return; if (t == 0) SetEvent(& de->stopEvent); } if ( !done ) { if ($) { done = T; PnpStop( ); } } CODE  bool done = F; main( ) { PnpStop( ); }

KISS features KISS trades off soundness for scalability Cost of analyzing a concurrent program P = cost of analyzing a sequential program Q –Size of Q asymptotically same as size of P Unsoundness is precisely quantifiable –for 2-thread program, explores all executions with up to two context switches –for n-thread program, explores up to 2n-2 context switches Allows any sequential checker to analyze concurrency

Experimental Evaluation of KISS

Driver Stopping Error in Bluetooth Driver (1 KLOC) DispatchRoutine() { int t; if (! de->stopping) { AtomicIncr(& de->count); assert ! driverStopped; // do useful work // … t = AtomicDecr(& de->count); if (t == 0) SetEvent(& de->stopEvent); } PnpStop() { int t; de->stopping = T; t = AtomicDecr(& de->count); if (t == 0) SetEvent(& de->stopEvent); WaitEvent(& de->stopEvent); driverStopped = T; }

int t; if (! de->stopping) { int t; de->stopping = T; t = AtomicDecr(& de->count); if (t == 0) SetEvent(& de->stopEvent); WaitEvent(& de->stopEvent); driverStopped = T; AtomicIncr(& de->count); assert ! driverStopped; // do useful work // … t = AtomicDecr(& de->count); if (t == 0) SetEvent(& de->stopEvent); } Assertion fails!

DispatchRoutine(IRP *irp) { … irp->CancelRoutine = PacketCancelRoutine; Enqueue(irp); IoMarkIrpPending(irp); … } IoCancelIrp(IRP *irp) { IoAcquireCancelSpinLock(); if (irp->CancelRoutine) { (irp->CancelRoutine)(irp); } … } PacketCancelRoutine(IRP *irp) { … Dequeue(irp); IoCompleteRequest(irp); IoReleaseCancelSpinLock(); … } IRP Cancellation Error in Packet Driver (2.5 KLOC)

… irp->CancelRoutine = PacketCancelRoutine; Enqueue(irp); IoAcquireCancelSpinLock(); if (irp->CancelRoutine) { // inline PacketCancelRoutine(irp) … Dequeue(irp); IoCompleteRequest(irp); IoReleaseCancelSpinLock(); IoMarkIrpPending(irp); Error: An irp should not be marked pending after it has been completed !

Data-race Conditions in DDK Sample Drivers Device extension shared among threads Data-races on device extension fields 18 sample DDK drivers –Range KLOC –Total 70 KLOC Each field checked separately with resource limit of 20 minutes and 800MB Two threads: each calls nondeterministically chosen dispatch routine

DriverKLOC# Fields# Races Tracedrv0.530 Moufiltr Kbfiltr Imca1.151 Startio1.190 Toaster/toastmon1.481 Diskperf diag vdev Fakemodem Toaster/bus Serenum Toaster/func Mouclass Kbdclass Mouser Fdc Total: 30 races

ToastMon_DispatchPnp( DEVICE_OBJECT *obj, IRP *irp) { … IoAcquireRemoveLock(); … case IRP_MN_QUERY_STOP_DEVICE: // Race: write access deviceExt->DevicePnPState = StopPending; … break; … IoReleaseRemoveLock(); … } ToastMon_DispatchPower( DEVICE_OBJECT *obj, IRP *irp) { … // Race: read access if (deviceExt->DevicePnpState == Deleted) { … } … } DevicePnpState Field in Toaster/toastmon

Acknowledgments Tom Ball Byron Cook John Henry Doron Holan Vladimir Levin Jakob Lichtenberg Adrian Oney Sriram Rajamani Peter Wieland …

Keep It Simple and Sequential Context-bounded analysis by leveraging existing sequential checkers Validates the hypothesis that many concurrency errors require few context switches to show up

However… Hard limit on number of explored contexts –e.g., two context switches for concurrent program with two threads Case study: Concurrent transaction management code written in C# (Naik-Rehof 04) –Analyzed by the Zing model checker after automatically translating to the Zing input language –Found three bugs each requiring between three and four context switches

Is a tuning knob possible? Given a concurrent boolean program P and a positive integer c, does P go wrong by failing an assertion via an execution with at most c contexts? Given a concurrent boolean program P, does P go wrong by failing an assertion? Undecidable Decidable Given a concurrent boolean program P with unbounded fork-join parallelism and a positive integer c, does P go wrong by failing an assertion via an execution with at most c contexts? Decidable

          Context Context switch Problem: Unbounded computation possible within each context! Unbounded execution depth and reachable state space Different from bounded-depth model checking

Global store g, valuation to global variables Local store l, valuation to local variables Stack s, sequence of local stores State (g, s) Sequential boolean program

Example bool a = F; void main( ) { L1: a = T; L2: flip(a); L3: } void flip(bool x) { L4: a = !x; L5: } (F,  ) (F,  _, L3  ) (F,  _, L3   T, L5  ) (T,  _, L3   T, L4  ) (T,  _, L2  ) (F,  _, L1  ) (a,  x, pc  )

Global store g, valuation to global variables Local store l, valuation to local variables Stack s, sequence of local stores State (g, s) Sequential boolean program Transition relation: (g, s)  (g’, s’)

Reachability problem for sequential boolean program Given (g, s), is there s’ such that (g, s)  * (error,s’)?

Aggregate state Set of stacks ss Aggregate state (g, ss) = { (g,s) | s  ss } Reach(g, ss) = { (g’, s’) | exists s  ss such that (g, s)  * (g’, s’) }

Aggregate transition relation Observations: There is a unique smallest partition of Reach(g, ss) into aggregate states: (g’ 1, ss’ 1 )  …  (g’ n, ss’ n ) The number of elements in the partition is bounded by the number of global stores (g, ss)  (g’ 1, ss’ 1 ). (g, ss)  (g’ n, ss’ n )

Theorem (Buchi, Schwoon00) If ss is regular and (g, ss)  (g’, ss’), then ss’ is regular. If ss is given as a finite automaton A, then a finite automaton A’ for ss’ can be constructed from A in polynomial time.

Algorithm Solution: Compute automaton for ss’ such that (g, {s})  (error, ss’) and check if ss’ is nonempty. Problem: Given (g, s), is there s’ such that (g, s)  * (error,s’)?

Global store g, valuation to global variables Local store l, valuation to local variables Stack s, sequence of local stores State (g, s 1, s 2 ) Concurrent boolean program Transition relation: (g, s 1 )  (g’, s’ 1 ) in thread 1 (g, s 1, s 2 )  1 (g’, s’ 1, s 2 ) (g, s 2 )  (g’, s’ 2 ) in thread 2 (g, s 1, s 2 )  2 (g’, s 1, s’ 2 )

Reachability problem for concurrent boolean program Given (g, s 1, s 2 ), are there s’ 1 and s’ 2 such that (g, s 1, s 2 ) reaches (error, s’ 1, s’ 2 ) via an execution with at most c contexts?

Aggregate transition relation (g, ss 1 )  (g’, ss’ 1 ) in thread 1 (g, ss 1, ss 2 )  1 (g’, ss’ 1, ss 2 ) (g, ss 1, ss 2 )  2 (g’, ss 1, ss’ 2 ) (g, ss 2 )  (g’, ss’ 2 ) in thread 2 (g, ss 1, ss 2 ) = { (g, s 1, s 2 ) | s 1  ss 1, s 2  ss 2 }

Algorithm: 2 threads, c contexts   12   12   12 Depth c (g, {s 1 }, {s 2 }) Compute the set of reachable aggregate states. Report an error if (g, ss 1, ss 2 ) is reachable and g = error, ss 1 is nonempty, and ss 2 is nonempty.

Complexity: 2 threads, c contexts   12   12   12 Depth of tree = context bound c Branching factor bounded by G  2 (G = # of global stores) Number of edges bounded by (G  2) (c+1) Each edge computable in polynomial time Depth c (g, {s 1 }, {s 2 })

Context-bounded analysis of concurrent software Many subtle concurrency errors are manifested in executions with few context switches –Experience with KISS on Windows drivers –Experience with Zing on transaction manager Algorithms for context-bounded analysis are more efficient than those for unbounded analysis –Reducibility to sequential checking with KISS –Decidability of assertion checking for concurrent boolean programs

Applications of context-bounded analysis Coverage metric for testing concurrent software Analysis of computer protocols –networking –cache-coherence

Unbounded fork-join parallelism Fork operation: x = fork Join operation: join(x) Copy thread identifier from one variable to another

Algorithm: unbounded fork-join parallelism, c contexts At most c threads may perform a transition Reduce to previously solved problem with c threads and c contexts –Nondeterministically pick c forked threads for execution

start : {1, …, c}  boolean, initialized to i. (i == 1) end : {1, …, c}  boolean, initialized to i. false x = fork translates to if ($) { assume(count < c); count = count + 1; x = count; start[count] = true; } else { x = c + 1; } join(x) translates to assume(x  c); assume(end[x]); count : {1, …, c}, initialized to 1 c statically created threads thread i starts execution when start[i] is true thread i sets end[i] to true on termination