/ 23 Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information Slides taken from Shin Hong’s MS Thesis Defense 2016-01-041Concurrency.

Slides:



Advertisements
Similar presentations
Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Advertisements

Advanced programming tools at Microsoft
An Case for an Interleaving Constrained Shared-Memory Multi-Processor Jie Yu and Satish Narayanasamy University of Michigan.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
CS492B Analysis of Concurrent Programs Lock Basics Jaehyuk Huh Computer Science, KAIST.
Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
CSCC69: Operating Systems
Parallel Processing (CS526) Spring 2012(Week 6).  A parallel algorithm is a group of partitioned tasks that work with each other to solve a large problem.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
Department of Software Engineering Faculty of Mathematics and Physics CHARLES UNIVERSITY IN PRAGUE Czech Republic Extracting Zing Models from C Source.
Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
S. Narayanasamy, Z. Wang, J. Tigani, A. Edwards, B. Calder UCSD and Microsoft PLDI 2007.
Today From threads to file systems
Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.
Mayur Naik Alex Aiken John Whaley Stanford University Effective Static Race Detection for Java.
Threads 1 CS502 Spring 2006 Threads CS-502 Spring 2006.
CS533 Concepts of Operating Systems Class 3 Monitors.
1 Sharing Objects – Ch. 3 Visibility What is the source of the issue? Volatile Dekker’s algorithm Publication and Escape Thread Confinement Immutability.
1 A Modular Checker for Multithreaded Programs Cormac Flanagan HP Systems Research Center Joint work with Shaz Qadeer Sanjit A. Seshia.
A. Frank - P. Weisberg Operating Systems Introduction to Cooperating Processes.
/* iComment: Bugs or Bad Comments? */
/ PSWLAB Eraser: A Dynamic Data Race Detector for Multithreaded Programs By Stefan Savage et al 5 th Mar 2008 presented by Hong,Shin Eraser:
CS252: Systems Programming Ninghui Li Final Exam Review.
Advances in Language Design
OSE 2013 – synchronization (lec3) 1 Operating Systems Engineering Locking & Synchronization [chapter #4] By Dan Tsafrir,
Synchronization (Barriers) Parallel Processing (CS453)
Model-based Kernel Testing for Concurrency Bugs through Counter Example Replay Moonzoo Kim, Shin Hong, Changki Hong Provable Software Lab. CS Dept. KAIST,
Lecture 2 Foundations and Definitions Processes/Threads.
Operating Systems Lecture 7 OS Potpourri Adapted from Operating Systems Lecture Notes, Copyright 1997 Martin C. Rinard. Zhiqing Liu School of Software.
Analysis of Concurrent Software Models Using Partial Order Views Qiang Sun, Yuting Chen,
CS 346 – Chapter 4 Threads –How they differ from processes –Definition, purpose Threads of the same process share: code, data, open files –Types –Support.
1 Announcements The fixing the bug part of Lab 4’s assignment 2 is now considered extra credit. Comments for the code should be on the parts you wrote.
4061 Session 21 (4/3). Today Thread Synchronization –Condition Variables –Monitors –Read-Write Locks.
Lecture 8 Page 1 CS 111 Online Other Important Synchronization Primitives Semaphores Mutexes Monitors.
Random Testing of Concurrent Programs Prof. Moonzoo Kim Computer Science, KAIST CS492B Analysis of Concurrent Programs.
1 Interprocess Communication (IPC) - Outline Problem: Race condition Solution: Mutual exclusion –Disabling interrupts; –Lock variables; –Strict alternation.
Dataflow Analysis for Concurrent Programs using Datarace Detection Ravi Chugh, Jan W. Voung, Ranjit Jhala, Sorin Lerner LBA Reading Group Michelle Goodstein.
1 Computer Systems II Introduction to Processes. 2 First Two Major Computer System Evolution Steps Led to the idea of multiprogramming (multiple concurrent.
CS399 New Beginnings Jonathan Walpole. 2 Concurrent Programming & Synchronization Primitives.
ICFEM 2002, Shanghai Reasoning about Hardware and Software Memory Models Abhik Roychoudhury School of Computing National University of Singapore.
CS510 Concurrent Systems Jonathan Walpole. RCU Usage in Linux.
Deadlock Bug Detection Techniques Prof. Moonzoo Kim CS KAIST CS492B Analysis of Concurrent Programs 1.
CSE 153 Design of Operating Systems Winter 2015 Midterm Review.
Fall 2008Programming Development Techniques 1 Topic 20 Concurrency Section 3.4.
Specifying Multithreaded Java semantics for Program Verification Abhik Roychoudhury National University of Singapore (Joint work with Tulika Mitra)
Eraser: A dynamic Data Race Detector for Multithreaded Programs Stefan Savage, Michael Burrows, Greg Nelson, Patrick Sobalvarro, Thomas Anderson Presenter:
CS510 Concurrent Systems Jonathan Walpole. Introduction to Concurrency.
Introduction to Computer Programming Concepts M. Uyguroğlu R. Uyguroğlu.
Outline Other synchronization primitives
Threads Cannot Be Implemented As a Library
Other Important Synchronization Primitives
Effective Data-Race Detection for the Kernel
Atomicity CS 2110 – Fall 2017.
Amir Kamil and Katherine Yelick
Concurrency Specification
Threads and Memory Models Hal Perkins Autumn 2011
Threading And Parallel Programming Constructs
Threads and Memory Models Hal Perkins Autumn 2009
Threads Chapter 4.
Kernel Synchronization II
Amir Kamil and Katherine Yelick
CSE 153 Design of Operating Systems Winter 19
Foundations and Definitions
Automatically Diagnosing and Repairing Error Handling Bugs in C
CSE 153 Design of Operating Systems Winter 2019
In Today’s Class.. General Kernel Responsibilities Kernel Organization
Presentation transcript:

/ 23 Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information Slides taken from Shin Hong’s MS Thesis Defense Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information Moonzoo Kim CS Dept. KAIST

/ 23 Approach Verification techniques Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 2 Model Checking Testing Lock-based static analysis Pattern- based analysis Precision Scalability Related works - Lock-based static analysis techniques : RacerX, RELAY  Lock discipline, Partial order among locks - Pattern-based bug detection : MetaL, FindBugs  Low precision (Too many false alarms)

/ 23 Goal Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 3 Linux file system code Reported bug survey Common bug patterns Concurrency bug detection technique Level of Abstraction Linux file system verification Concurrency Bug Classification Concurrency Bug Patterns Semantic Augmented Concurrency Bug Patterns Change Log & Code Review Change Log & Code Review Code-based automatic concurrency bug detection for large size system software Idea: Automatically detect common concurrency bugs using both syntactic and semantics code pattern matching

/ 23 Concurrency Bug Classification (1/3) We survey previous concurrency bugs from Linux file systems –Search Linux Change Log ~ –Keyword: concurrency, data race, deadlock, livelock, file system, ext, etc. –In almost 300 documents, we found 40 bug reports (patches) related to both file system and concurrency bugs. We construct concurrency bug classification to analyze the bug reports. –5 different aspects Symptom: –Data race (machine exception), Data race (Faulty state), Deadlock, Livelock. Fault : –Design decision violations, Incorrect use of synch. idioms, Program logic error Resolution: –{Insert, Remove, Change, Reorder} £ {Sync. operation, Data operation, Control operation} Related synchronization mechanism: –Instruction, Barrier, Thread operations, Conditional variable, Lock, Complex lock, Semaphore Synchronization granularity: –Kernel-level, File system-level, File-level, Inode-level –27 bugs are classified Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 4

/ 23 Example of Concurrency Bug Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 5 Bug08 (Reported in Linux Change Log /fs/ext3/balloc.c) - Symptom: Data race (Faulty state) - Fault: Incorrect use of synchronization idioms In ext3_discard_reservation(), it incorrectly use test and test-and-set idiom by missing the second testing. This may cause race condition, so that rsv_window_remove() can be invoked twice for the same object. - Resolution: Insert control operations - Related synchronization mechanism : Binary lock - Lock granularity: File system Example ext3_discard_reservation(inode * inode) { if (!rsv_is_empty(&rsv->rsv_window)) { spin_lock(rsv_lock) ; rsv_window_remove(inode->i_sb,rsv) ; spin_unlock(rsv_lock) ; } /* Linux kernel */ ext3_discard_reservation(inode * inode) { if (!rsv_is_empty(&rsv->rsv_window)) { spin_lock(rsv_lock) ; if (!rsv_is_empty(&rsv->rsv_window)) rsv_window_remove(inode->i_sb,rsv) ; spin_unlock(rsv_lock) ; } /* Linux kernel */

/ 23 Concurrency Bug Classification Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 6 Symptom \ Fault Design decision violation Incorrect use of synchronization idioms Program logic error Data race resulting machine exception Bug1,Bug5,Bug9,Bug13, Bug18,Bug20,Bug23 Bug16 Data race resulting faulty states Bug2,Bug7,Bug22, Bug25Bug8,Bug12,Bug26, Bug27Bug3,Bug15,Bug17, Bug19 DeadlockBug11,Bug24Bug10,Bug14,Bug21 LivelockBug4,Bug6 Sync. granularity \ Sync. primitives InstructionBarrier Thread operation Binary Lock Complex Lock Semaphore Kernel levelBug4Bug12 Bug1,Bug2,Bug3, Bug5,Bug10,Bug11 Bug19Bug6 File System levelBug17Bug8,Bug9,Bug22Bug14 File levelBug15, Bug16Bug20Bug13Bug7 Inode levelBug26 Bug18,Bug23,Bug25, Bug26,Bug27 Bug21,Bug24 13 bugs among 27 bugs in the concurrency bug classifications cannot be detected by conventional lock-based concurrency bug detection techniques.

/ 23 Concurrency Bug Patterns Based on the bug analysis result by the classification, we define the 10 concurrency bug patterns in order to detect unrevealed bugs automatically by code pattern matching Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 7 Race conditionDeadlockLivelock Barrier No Memory Barrier After Object Initializations Busy-waiting on atomic variable without memory barrier Instruction Use atomic instructions in Non- atomic ways Thread operation Unsynchronized Data Passing to Child Thread Waiting Already Finished Thread Conditional variable Waiting with Lock Held Lock Misused Test and Test-and-Set Unlock before I/O Operations Releasing and Re-taking Outer Lock Complex lock Unintended Big Kernel Lock Releasing

/ 23 Misused Test and Test-and-Set Bug Pattern Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 8 int data; /*shared data*/ int func(){ if (test(data)) { /*test*/ lock () ; if (test(data)) { /*test*/ data = newvalue ; } unlock () ; } /* Correct Code */ int data; /*shared data*/ int func(){ if (test(data)) { /*test*/ lock () ; data = newvalue ; } unlock () ; } /* Incorrect Code */ test(data) might be false

/ 23 Concurrency Bug Patterns (3/3) Bug detection result by pattern matching –Misused Test and Test and Set pattern: We analyze 9 file systems with VFS layer in Linux suspected bugs are revealed as false positive by manual review & discussion with maintainers Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 9 Ext2Ext3Ext4NFSReiserFSProcSysfsUDFBtrFSTotal # of suspected bugs # of files LOC 28K104K25K56K27K18K37K9K82K386K Time(sec) /* In Linux kernel /fs/ nfs/nfs4state.c */ void nfs_free_seqid(nfs_seqid *seqid) { if (!list_empty(&seqid->list)) { sequence = seqid->sequence->sequence ; spin_lock(&sequence->lock); list_del(&seqid->list) ; spin_unlock(&clp->cl_lock); rpc_wake_up(&sequence->wait) ; } - Ex. A suspected bug detected from NFS

/ 23 Semantics Augmented Pattern Matching We improve the bug pattern matching using semantic information to refine the bug detection results Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 10 Program behavior (reachable states) Safe states (no error) State space Bug pattern # 1 Bug pattern # 2 with semantics Bug pattern # 1 with semantics There are the following main sources of false positives: –No parallel thread to be scheduled –Synchronized by other locks –Shared variable initializations without holding locks Thread sensitive analysis Lock analysis Simple points-to analysis

/ 23 COBET Framework We build a COncurrency Bug pattErn maTching framework (COBET) to support programming template for effective bug pattern detector generation upon EDG C/C++ parser COBET: Pattern-driven Concurrency Bug Detection Framework 11 AST generator Path analysis Semantic analysis engine Alias analysis Config. Thread starting functions Lock spec. Target C src code Memory alloc. spec. Lock analysis Bug 1 description Bug pattern detector 1 COBET synthesizer Bug 2 description Bug pattern detector 2 Semantic condition checker Syntactic pattern matcher Phase I: Bug pattern description and pattern detector construction Phase II: Code pattern matching with semantic code checking

/ 23 COBET Synthesizer Pattern description language (PDL) Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 12 Grammar of COBET PDL 1a:pattern1 { 2a: fun $f1{ 3a: if $cond { 4a: lock $l; 5a: \{if $cond { }} 6a: unlock $l; 7a:}}} 1b:pattern 2 { 2b: fun $f2 { 3b: write $w; 4b: }} Example of incorrect test-test-set bug pattern

/ 23 Thread Sensitive Analysis (1/2) Most concurrency errors are interleaved executions of two or more threads. We extend each bug pattern to specify multiple disconnected code patterns which are necessary for bug occurrence. The extended bug pattern matching inputs thread starting functions (system call handlers), thread-spawning operation, and interrupt-handler registering operations to notice execution starting points Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 13 Code pattern match#1 Code pattern match #2 Error execution

/ 23 Thread Sensitive Analysis (2/2) Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 14 Code pattern #1 if (expr) { lock(m) ; /* no if(expr) here */... unlock(m) ; Code pattern #2 write(x) ; Ex. Extended Misused Test and Test-and-Set bug pattern proc_get_sb() {... ei = PROC_I(sb->s_root->d_inode); if (!ei->pid) { rcu_read_lock(); ei->pid=get_pid(find_pid_ns(1,ns)); rcu_read_unlock(); }... proc_alloc_inode() { … ei = kmem_cache_alloc(...) ; if (!ei) return NULL ; ei->pid = NULL ; proc_get_sb() { … if (!ei->pid) ei->pid = find_get_pid(1) ; Ex. A suspected bug of Misused Test and Test-and-Set from Proc file system Code pattern#2 Match-2 Code pattern#2 Match-1 Code pattern #1 Match-1 Condition: expr may read x

/ 23 Lock Analysis (1/3) Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 15 Code pattern match#1 Code pattern match #2 Lock analysis We applied lock analysis to compute the set of locks held when a code pattern match is executed. –Inter-procedural, flow-sensitive, path-insensitive analysis (similar to RacerX). –The specification of lock acquiring(releasing) operations are given by users. Lock(A) Lock(C) Lock(A) LS = {A} LS = {A,B} Conflict! No concurrent execution is possible due to lock A. Lock(B) Unlock(C)

/ 23 Lock Analysis (2/3) Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 16 proc_alloc_inode() { … ei = kmem_cache_alloc(… ; if (!ei) return NULL ; ei->pid = NULL ; proc_get_sb() { … if (!ei->pid) ei->pid = find_get_pid(1) ; Lockset: {lock_kernel} sys_mount() do_mount() do_new_mount() do_kern_mount() vfs_kern_mount() proc_get_sb() { … ei=PROC_I(sb->s_root->d_inode); if (!ei->pid) { rcu_read_lock(); ei->pid=get_pid(find_pid_ns(1,… rcu_read_unlock(); } … sys_mount() do_mount() do_new_mount() do_kern_mount() vfs_kern_mount() compat_sys_futimesat() __user_walk_fd() do_utimes() Lockset: {lock_kernel} Lockset: {inode.i_mutexl} acquire lock_kernel() acquire inode.i_mutex real_lookup() Code pattern # 1 Match-1 Code pattern # 2 Match-1 Code pattern # 2 Match-2 Conflict

/ 23 Lock Analysis (3/3) COBET uses an inter-procedural lock analysis –Transfer the lockset of a call site to the caller function analysis To avoid redundant inter-procedural lock analysis, COBET semantic engine uses a cache that record analysis result for functions Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 17

/ 23 Points-to Analysis Non-shared variables are free from concurrency errors. A newly allocated heap variable is non-shared until it is linked to a global data structure. These variables are initialized without any synchronization during non-shared period. This type code would result false positives in the bug pattern matching for the lack of alias- sensitive analysis Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information 18 Match 2-2 0: proc_alloc_inode() { 1:... 2: ei = kmem_cache_alloc(... 3: if (!ei) return NULL ; 4: ei->pid = NULL ;... Match 1-1 0: proc_get_sb() { 1:... 2: ei = PROC_I(sb->s_root->d_inode); 3: if (!ei->pid) { 4: rcu_read_lock(); 5: ei->pid = get_pid(...; 6: rcu_read_unlock(); 7: } 8:... Non-shared: { ei } Non-shared: {} Non-shared: { ei } No other thread can access ei->pid.

/ 23 Experiment Result (1/3) We reviewed Linux Change Logs on file systems from 2.6 to and defined the four bug patterns based on actual bug history. Effectiveness –We applied the four bug pattern detectors to seven Linux file systems in kernel –We detected the four new bugs confirmed by Linux maintainers COBET: Pattern-driven Concurrency Bug Detection Framework 19

/ 23 Experiment Result (2/3) Efficiency –We measured the false alarm reduction rate through the semantic analyses and time cost –The false alarms are reduced as additional analysis techniques are employed, and the time costs were not burdensome (8.34 sec for analyzing 193KLOC) COBET: Pattern-driven Concurrency Bug Detection Framework 20

/ 23 Experiment Result (3/3) Applicability –We applied the four bug detectors to Linux device drivers and network modules COBET: Pattern-driven Concurrency Bug Detection Framework 21

/ 23 Conclusion COBET framework –Pattern-based concurrency bug detection framework –Able to define and match various bug patterns. –Utilizes composite patterns with semantic conditions to improve accuracy Empirical result –Defined four concurrency bug patterns with various synchronization mechanisms –Implement the four bug pattern detectors through COBET –Detect ten fresh and real bugs in Linux COBET: Pattern-driven Concurrency Bug Detection Framework 22

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.