Breadcrumbs: Efficient Context Sensitivity for Dynamic Bug Detection Analyses Michael D. Bond University of Texas at Austin Graham Z. Baker Tufts / MIT.

Slides:



Advertisements
Similar presentations
Michael Bond (Ohio State) Milind Kulkarni (Purdue)
Advertisements

Efficient, Context-Sensitive Dynamic Analysis via Calling Context Uptrees Jipeng Huang, Michael D. Bond Ohio State University.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
Building a Better Backtrace: Techniques for Postmortem Program Analysis Ben Liblit & Alex Aiken.
Building a Better Backtrace: Techniques for Postmortem Program Analysis Ben Liblit & Alex Aiken.
Resurrector: A Tunable Object Lifetime Profiling Technique Guoqing Xu University of California, Irvine OOPSLA’13 Conference Talk 1.
Probabilistic Calling Context Michael D. Bond Kathryn S. McKinley University of Texas at Austin.
CORK: DYNAMIC MEMORY LEAK DETECTION FOR GARBAGE- COLLECTED LANGUAGES A TRADEOFF BETWEEN EFFICIENCY AND ACCURATE, USEFUL RESULTS.
Asynchronous Assertions Eddie Aftandilian and Sam Guyer Tufts University Martin Vechev ETH Zurich and IBM Research Eran Yahav Technion.
Pipelined Profiling and Analysis on Multi-core Systems Qin Zhao Ioana Cutcutache Weng-Fai Wong PiPA.
SOS: Saving Time in Dynamic Race Detection with Stationary Analysis Du Li, Witawas Srisa-an, Matthew B. Dwyer.
Free-Me: A Static Analysis for Individual Object Reclamation Samuel Z. Guyer Tufts University Kathryn S. McKinley University of Texas at Austin Daniel.
Online Performance Auditing Using Hot Optimizations Without Getting Burned Jeremy Lau (UCSD, IBM) Matthew Arnold (IBM) Michael Hind (IBM) Brad Calder (UCSD)
The Ant and The Grasshopper Fast and Accurate Pointer Analysis for Millions of Lines of Code Ben Hardekopf and Calvin Lin PLDI 2007 (Best Paper & Best.
Eliminating Stack Overflow by Abstract Interpretation John Regehr Alastair Reid Kirk Webb University of Utah.
Capriccio: Scalable Threads for Internet Services ( by Behren, Condit, Zhou, Necula, Brewer ) Presented by Alex Sherman and Sarita Bafna.
Recap from last time We were trying to do Common Subexpression Elimination Compute expressions that are available at each program point.
Feedback: Keep, Quit, Start
Memory Allocation. Three kinds of memory Fixed memory Stack memory Heap memory.
Interprocedural analyses and optimizations. Costs of procedure calls Up until now, we treated calls conservatively: –make the flow function for call nodes.
Previous finals up on the web page use them as practice problems look at them early.
From last time: Inlining pros and cons Pros –eliminate overhead of call/return sequence –eliminate overhead of passing args & returning results –can optimize.
Schedule Midterm out tomorrow, due by next Monday Final during finals week Project updates next week.
Bell: Bit-Encoding Online Memory Leak Detection Michael D. Bond Kathryn S. McKinley University of Texas at Austin.
Taking Off The Gloves With Reference Counting Immix
Impact Analysis of Database Schema Changes Andy Maule, Wolfgang Emmerich and David S. Rosenblum London Software Systems Dept. of Computer Science, University.
Introduction to Profile Hidden Markov Models
File Organization Techniques
An Introduction to MBT  what, why and when 张 坚
Michael Bond Varun Srivastava Kathryn McKinley Vitaly Shmatikov University of Texas at Austin.
15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.
Understanding Parallelism-Inhibiting Dependences in Sequential Java Programs Atanas (Nasko) Rountev Kevin Van Valkenburgh Dacong Yan P. Sadayappan Ohio.
Bug Localization with Machine Learning Techniques Wujie Zheng
P ath & E dge P rofiling Michael Bond, UT Austin Kathryn McKinley, UT Austin Continuous Presented by: Yingyi Bu.
Buffered dynamic run-time profiling of arbitrary data for Virtual Machines which employ interpreter and Just-In-Time (JIT) compiler Compiler workshop ’08.
1 Fast and Efficient Partial Code Reordering Xianglong Huang (UT Austin, Adverplex) Stephen M. Blackburn (Intel) David Grove (IBM) Kathryn McKinley (UT.
Dynamic Analysis of Multithreaded Java Programs Dr. Abhik Roychoudhury National University of Singapore.
Compactly Representing Parallel Program Executions Ankit Goel Abhik Roychoudhury Tulika Mitra National University of Singapore.
Dynamic Object Sampling for Pretenuring Maria Jump Department of Computer Sciences The University of Texas at Austin Stephen M. Blackburn.
Free-Me: A Static Analysis for Automatic Individual Object Reclamation Samuel Z. Guyer, Kathryn McKinley, Daniel Frampton Presented by: Dimitris Prountzos.
Efficient Deterministic Replay of Multithreaded Executions in a Managed Language Virtual Machine Michael Bond Milind Kulkarni Man Cao Meisam Fathi Salmi.
Targeted Path Profiling : Lower Overhead Path Profiling for Staged Dynamic Optimization Systems Rahul Joshi, UIUC Michael Bond*, UT Austin Craig Zilles,
CS 3500 L Performance l Code Complete 2 – Chapters 25/26 and Chapter 7 of K&P l Compare today to 44 years ago – The Burroughs B1700 – circa 1974.
Navigation Timing Studies of the ATLAS High-Level Trigger Andrew Lowe Royal Holloway, University of London.
CS201: Data Structures and Discrete Mathematics I Hash Table.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University July 21, 2008WODA.
Drinking from Both Glasses: Adaptively Combining Pessimistic and Optimistic Synchronization for Efficient Parallel Runtime Support Man Cao Minjia Zhang.
Michael Bond Katherine Coons Kathryn McKinley University of Texas at Austin.
Pointer Analysis Survey. Rupesh Nasre. Aug 24, 2007.
Targeted Path Profiling : Lower Overhead Path Profiling for Staged Dynamic Optimization Systems Rahul Joshi, UIUC Michael Bond*, UT Austin Craig Zilles,
Thread basics. A computer process Every time a program is executed a process is created It is managed via a data structure that keeps all things memory.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University 1 Extracting Sequence.
Tracking Bad Apples: Reporting the Origin of Null & Undefined Value Errors Michael D. Bond UT Austin Nicholas Nethercote National ICT Australia Stephen.
GC Assertions: Using the Garbage Collector To Check Heap Properties Samuel Z. Guyer Tufts University Edward Aftandilian Tufts University.
CSC 143T 1 CSC 143 Highlights of Tables and Hashing [Chapter 11 p (Tables)] [Chapter 12 p (Hashing)]
Pick Your Contexts Well: Understanding Object-Sensitivity The Making of a Precise and Scalable Pointer Analysis Yannis Smaragdakis University of Massachusetts,
Making k-Object-Sensitive Pointer Analysis More Precise with Still k-Limiting Tian Tan, Yue Li and Jingling Xue SAS 2016 September,
Optimistic Hybrid Analysis
Auburn University
Testing and Debugging PPT By :Dr. R. Mall.
Cork: Dynamic Memory Leak Detection with Garbage Collection
Yuan Yu(MSR) Tom Rodeheffer(MSR) Wei Chen(UC Berkeley) SOSP 2005
Parametric Trace Slicing and Monitoring
SWE-795 Presentation 01 11/16/2018 Asking and Answering Questions during a Programming Change Task Jonathan Sillito, Member, IEEE Computer Society, Gail.
Efficient, Context-Sensitive Detection of Real-World Semantic Attacks
Jipeng Huang, Michael D. Bond Ohio State University
Inlining and Devirtualization Hal Perkins Autumn 2011
Inlining and Devirtualization Hal Perkins Autumn 2009
Dongyun Jin, Patrick Meredith, Dennis Griffith, Grigore Rosu
Trace-based Just-in-Time Type Specialization for Dynamic Languages
Presentation transcript:

Breadcrumbs: Efficient Context Sensitivity for Dynamic Bug Detection Analyses Michael D. Bond University of Texas at Austin Graham Z. Baker Tufts / MIT Lincoln Laboratory We don't make a lot of the bug detectors you use. We make a lot of the bug detectors you use better. Samuel Z. Guyer Tufts University

Example: Dynamic data race detector Thread AThread B write x unlock m lock m write x read x

Example: dynamic data race detector Thread AThread B write x unlock m lock m write x read x race!

Example: dynamic data race detector Thread AThread B write x unlock m lock m write x read x race! B A

Example: dynamic data race detector Thread AThread B write x unlock m lock m write x read x race! How is this race reported? B A

Reporting a race Thread AThread B write x unlock m lock m write x read x B A loc1 loc2 loc3 race!

Reporting a race Thread AThread B write x read x race! B A write x unlock m lock m loc1 loc2 loc3 AbstractDataTreeNode.indexOfChild():426 AbstractDataTreeNode.storeStrings():536

Reporting a race Thread AThread B write x read x race! B A write x unlock m lock m loc1 loc2 loc3 AbstractDataTreeNode.indexOfChild():426 AbstractDataTreeNode.storeStrings():536 Problem : not much information

Full stack traces Thread AThread B write x read x race! B A write x unlock m lock m loc1 loc2 loc3 AbstractDataTreeNode.indexOfChild():426 AbstractDataTreeNode.childAtOrNull():212 DeltaDataTree.lookup():666 ElementTree.includes():528 Workspace.getResourceInfo():1135 Resource.getResourceInfo():973 Project.hasNature():479 JavaProject.hasJavaNature():224 JavaProject.computeExpandedClasspath():430 JavaProject.getExpandedClasspath(): EclipseStarter.run(): AbstractDataTreeNode.storeStrings():536 DataTreeNode.storeStrings():343 AbstractDataTreeNode.storeStrings():541 DataTreeNode.storeStrings(): ElementTree.shareStrings():706 SaveManager.shareStrings(): StringPoolJob.shareStrings(): Worker.run():76...

Context sensitivity  Big impact on static analysis  Better information  Better precision  Critical in modern software:  Intensive code reuse (e.g., frameworks)  Many small methods  Highly dynamic behavior What about dynamic analysis?

How hard is this? Thread AThread B write x read x race! B A write x unlock m lock m loc1 loc2 loc3 AbstractDataTreeNode.indexOfChild():426 AbstractDataTreeNode.childAtOrNull():212 DeltaDataTree.lookup():666 ElementTree.includes():528 Workspace.getResourceInfo():1135 Resource.getResourceInfo():973 Project.hasNature():479 JavaProject.hasJavaNature():224 JavaProject.computeExpandedClasspath():430 JavaProject.getExpandedClasspath(): EclipseStarter.run(): AbstractDataTreeNode.storeStrings():536 DataTreeNode.storeStrings():343 AbstractDataTreeNode.storeStrings():541 DataTreeNode.storeStrings(): ElementTree.shareStrings():706 SaveManager.shareStrings(): StringPoolJob.shareStrings(): Worker.run():76...

How hard is this? Thread AThread B write x read x race! B A write x unlock m lock m loc1 loc2 loc3 AbstractDataTreeNode.indexOfChild():426 AbstractDataTreeNode.childAtOrNull():212 DeltaDataTree.lookup():666 ElementTree.includes():528 Workspace.getResourceInfo():1135 Resource.getResourceInfo():973 Project.hasNature():479 JavaProject.hasJavaNature():224 JavaProject.computeExpandedClasspath():430 JavaProject.getExpandedClasspath(): EclipseStarter.run(): AbstractDataTreeNode.storeStrings():536 DataTreeNode.storeStrings():343 AbstractDataTreeNode.storeStrings():541 DataTreeNode.storeStrings(): ElementTree.shareStrings():706 SaveManager.shareStrings(): StringPoolJob.shareStrings(): Worker.run():76... EASY Race discovered here

How hard is this? Thread AThread B write x read x race! B A write x unlock m lock m loc1 loc2 loc3 AbstractDataTreeNode.indexOfChild():426 AbstractDataTreeNode.childAtOrNull():212 DeltaDataTree.lookup():666 ElementTree.includes():528 Workspace.getResourceInfo():1135 Resource.getResourceInfo():973 Project.hasNature():479 JavaProject.hasJavaNature():224 JavaProject.computeExpandedClasspath():430 JavaProject.getExpandedClasspath(): EclipseStarter.run(): AbstractDataTreeNode.storeStrings():536 DataTreeNode.storeStrings():343 AbstractDataTreeNode.storeStrings():541 DataTreeNode.storeStrings(): ElementTree.shareStrings():706 SaveManager.shareStrings(): StringPoolJob.shareStrings(): Worker.run():76... EASY HARD Previously recorded information

Challenge  Many events might need context information e.g., race detector: every read and write (!)  Existing approaches  Walk the stack: up to 100X slowdown  Build calling context tree: 2-3X, plus space Context BUG

Goal Compact representation of calling contexts Fast correct execution Print out stack trace when bug detected Efficient context sensitivity for dynamic bug detectors

Starting point Represent a calling context in 1 word PCC value Computed online, low overhead <5% BUT, no way to decode a PCC value Probabilistic Calling Context Bond and McKinley OOPSLA 07 ✓ ✓ ✘

With PCC: analysis is context sensitive Thread AThread B write x unlock m lock m write x read x race! B A pcc1 pcc2 pcc3 0xFE9A651B 0x59C2DF08

How PCC works Caller Callee m() k() k(); j(); h(); current PCC callsite ID p’ = f (p, c) p’ = f (p, c) new PCC = ( 3 p + c) mod 2 32 … …… At each call site…

Caller Callee m() k() k(); j(); h(); current PCC callsiteID p’ = f (p, c) p’ = f (p, c) new PCC = ( 3 p + c) mod 2 32 … …… p = 0 in main() … p = f(…f( f( f(0, c 0 ), c 1 ), c 2 )…, c n ) p = 0 in main() … p = f(…f( f( f(0, c 0 ), c 1 ), c 2 )…, c n ) How PCC works

Breadcrumbs  Problem: decode PCC value Find a sequence of callsite IDs such that p = f(…f( f( f(0, c 0 ), c 1 ), c 2 )…, c n ) i.e., invert the hash function

Breadcrumbs  Problem: decode PCC value p Find a sequence of callsite IDs such that p = f(…f( f( f(0, c 0 ), c 1 ), c 2 )…, c n ) i.e., invert the hash function  Key: f is invertible  Given p’ and c unique p such that p’ = f(p, c)  “Peel off” callsites until we reach 0 (main) 3 and 2 32 relatively prime

Decode stack trace bottom-up PCC value = 0x5A93CF09

Decode stack trace bottom-up PCC value = 0x5A93CF09 PCC value = 0x089C3A02 f -1 ( 0x5A93CF09, g():2)

Decode stack trace bottom-up PCC value = 0x5A93CF09 PCC value = 0x0 PCC value = 0x089C3A02 PCC value = 0x59C2DF08 f -1 ( 0x5A93CF09, g():2) f -1 ( 0x5A93CF09, d():9)

Decode stack trace bottom-up PCC value = 0x5A93CF09 … PCC value = 0x0 PCC value = 0x089C3A02 PCC value = 0x59C2DF08 f -1 ( 0x5A93CF09, g():2) f -1 ( 0x5A93CF09, d():9) …

Problem: blind search of call graph … … PCC value = 0x0 … … … … PCC value = 0x5A93CF09 Need more information

Idea: record per-callsite PCC values … … … … … … 0x089C3A02

Very easy search … … … … … … PCC value = 0x5A93CF09 PCC value = 0x0

Very easy search … … … … … … PCC value = 0x5A93CF09 PCC value = 0x0 f -1 ( 0x5A93CF09, g():2) 0x089C3A02

Very easy search … … … … … … PCC value = 0x5A93CF09 PCC value = 0x0 ✓ ✘ f -1 ( 0x5A93CF09, g():2) 0x089C3A02

Very easy search … … … … … … PCC value = 0x5A93CF09 PCC value = 0x0 0x59C2DF08 f -1 ( 0x5A93CF09, d():9) f -1 ( 0x5A93CF09, g():2) 0x089C3A02

Very easy search … … … … … … PCC value = 0x5A93CF09 PCC value = 0x0 ✓ ✘ 0x59C2DF08 f -1 ( 0x5A93CF09, d():9) f -1 ( 0x5A93CF09, g():2) 0x089C3A02

Very easy search … … … … … … PCC value = 0x5A93CF09 PCC value = 0x0 0x59C2DF08 f -1 ( 0x5A93CF09, d():9) f -1 ( 0x5A93CF09, g():2) 0x089C3A02 …

antlr chart eclipse fop hsqldb jython luindex pmd xalan jbb geomean % overhead With per-callsite sets JikesRVM DaCapo benchmarks # set ops 528m 201m 857m 21m 158m 3,624m 217m 270m 738m 137m PCC only

Observation … … … … … …

Idea: stop tracking hot call sites … … … … …

antlr chart eclipse fop hsqldb jython luindex pmd xalan jbb geomean % overhead t = 100,000 t = 100 t = 10,000 No threshold t = 1,000 PCC only Is it enough information? Tunable “hotness” threshold

Decoding: hybrid search … … … … … … PCC value = 0x5A93CF09

Decoding: hybrid search … … … … … … PCC value = 0x5A93CF09 ✓ f -1 ( 0x5A93CF09, g():2) 0x089C3A02

Decoding: hybrid search … … … … … … PCC value = 0x5A93CF09 0x59C2DF08 f -1 ( 0x5A93CF09, d():9) f -1 ( 0x5A93CF09, g():2) 0x089C3A02

Heuristic search (see paper) … … … … … … PCC value = 0x5A93CF09 0x59C2DF08 f -1 ( 0x5A93CF09, d():9) f -1 ( 0x5A93CF09, g():2) 0x089C3A02

antlr chart eclipse fop hsqldb jython luindex pmd xalan jbb % overhead 100 % 47 % 82 % 95 % 100 % 89 % 95 % 97 % Race detection results (go to Pacer talk tomorrow!) t = 100,000 t = 100 t = 10,000 No threshold t = 1,000 geomean

Summary  Make any dynamic bug detector context sensitive  More in the paper:  Description of search algorithm  What kinds of bug detectors will benefit  Results for two real bug detectors (both quantitative and qualitative)  Available as patch to JikesRVM

Related work  Reconstruct contexts from PC and SP [Mytkowicz et al. 2009] [Inoue and Nakatani 2009] Very low overhead, but little entropy in these values  Path profiling approach [Sumner et al. 2010] Uses multiple integers to represent calling context exactly  Both require offline training, pre-computed info Challenge for complex, highly dynamic software

Thank You Questions?

Goals Represent calling context compactly Easily take place of static program locations Fast correct execution For deployed or field-testing environment Decode back into stack trace when needed Could expensive, but cost paid offline

Calling context representation Calling context stored in 1 word PCC value Essentially a hash of sequence of call site IDs Computed online, low overhead <5% PCC values computed incrementally, at each call site BUT, no way to decode a PCC value Can distinguish, but not identify calling contexts ✓ ✓ ✘ Started with Probabilistic Calling Context Bond and McKinley OOPSLA 07

Summary  Make any dynamic bug detector context sensitive  Tunable overhead/precision tradeoff Sweet spot: 10% to 20% overhead at threshold 1,000 to 10,000  Challenges  Long sequences of hot callsites  Deep recursion  Available as patch to JikesRVM

antlr chart eclipse fop hsqldb jython luindex pmd xalan jbb geomean % overhead Tradeoff: cost vs decoding t = 100,000 t = 100 t = 10,000 No threshold t = 1,000 PCC only

100 % antlr chart eclipse fop hsqldb jython luindex pmd xalan jbb geomean % overhead 47 % 82 % 95 % 100 % 89 % 95 % 97 %