Presentation is loading. Please wait.

Presentation is loading. Please wait.

On-Demand Dynamic Software Analysis Joseph L. Greathouse Ph.D. Candidate Advanced Computer Architecture Laboratory University of Michigan December 12,

Published byEustacia Hill Modified over 9 years ago

Similar presentations

Presentation on theme: "On-Demand Dynamic Software Analysis Joseph L. Greathouse Ph.D. Candidate Advanced Computer Architecture Laboratory University of Michigan December 12,"— Presentation transcript:

1 On-Demand Dynamic Software Analysis Joseph L. Greathouse Ph.D. Candidate Advanced Computer Architecture Laboratory University of Michigan December 12, 2011

2 NIST: SW errors cost U.S. ~$60 billion/year as of 2002 FBI CCS: Security Issues $67 billion/year as of 2005  >⅓ from viruses, network intrusion, etc. Software Errors Abound 2 Cataloged Software Vulnerabilities

3 In spite of proposed solutions Hardware Plays a Role 3 Hardware Data Race Recording Deterministic Execution/Replay Atomicity Violation Detectors Bug-Free Memory Models Bulk Memory Commits TRANSACTIONAL MEMORY IBM BG/Q AMD ASF ?

4 Example of a Modern Bug 4 Thread 2 mylen=large Thread 1 mylen=small ptr ∅ Nov. 2010 OpenSSL Security Flaw if(ptr == NULL) { len=thread_local->mylen; ptr=malloc(len); memcpy(ptr, data, len); }

5 Example of a Modern Bug 5 if(ptr==NULL) memcpy(ptr, data2, len2) ptr LEAKED TIME Thread 2 mylen=large Thread 1 mylen=small ∅ len2=thread_local->mylen; ptr=malloc(len2); len1=thread_local->mylen; ptr=malloc(len1); memcpy(ptr, data1, len1)

6 Dynamic Software Analysis Analyze the program as it runs + System state, find errors on any executed path – LARGE runtime overheads, only test one path 6 Developer Instrumented Program In-House Test Machine(s) LONG run time Analysis Results Analysis Instrumentation Program

7 Taint Analysis (e.g.TaintCheck) Dynamic Bounds Checking Data Race Detection (e.g. Inspector XE) Memory Checking (e.g. MemCheck) Runtime Overheads: How Large? 7 2-200x 10-80x 5-50x 2-300x Symbolic Execution 10-200x

8 Could use Hardware Data Race Detection: HARD, CORD, etc. Taint Analysis: Raksha, FlexiTaint, etc. Bounds Checking: HardBound – None Currently Exist; Bugs Are Here Now – Single-Use Specialization – Won’t be built due to HW, power, verification costs – Unchangeable algorithms locked in HW 8

9 Goals of this Talk Accelerate SW Analyses Using Existing HW Run Tests On Demand: Only When Needed Explore Future Generic HW Additions 9

10 Outline Problem Statement Background Information  Demand-Driven Dynamic Dataflow Analysis Proposed Solutions  Demand-Driven Data Race Detection  Unlimited Hardware Watchpoints 10

11 a += y z = y * 75 y = x * 1024 w = x + 42 Check w Example Dynamic Dataflow Analysis 11 validate(x) x = read_input() Clear a += y z = y * 75 y = x * 1024 x = read_input() Propagate Associate Input Check a Check z Data Meta-data

12 Demand-Driven Dataflow Analysis 12 Only Analyze Shadowed Data Native Application Native Application Instrumented Application Instrumented Application Instrumented Application Meta-Data Detection Non- Shadowed Data Shadowed Data No meta-data

13 Finding Meta-Data 13 No additional overhead when no meta-data  Needs hardware support Take a fault when touching shadowed data Solution: Virtual Memory Watchpoints V→P FAULT

14 Results by Ho et al. From “Practical Taint-Based Protection using Demand Emulation” 14

15 Outline Problem Statement Background Information  Demand-Driven Dynamic Dataflow Analysis Proposed Solutions  Demand-Driven Data Race Detection  Unlimited Hardware Watchpoints 15

16 Software Data Race Detection Add checks around every memory access Find inter-thread sharing events Synchronization between write-shared accesses?  No? Data race. 16

17 Thread 2 mylen=large Thread 1 mylen=small if(ptr==NULL) len1=thread_local->mylen; ptr=malloc(len1); memcpy(ptr, data1, len1) len2=thread_local->mylen; ptr=malloc(len2); memcpy(ptr, data2, len2) Data Race Detection 17 Shared? Synchronized? TIME

18 SW Race Detection is Slow 18 PhoenixPARSEC

19 Inter-thread Sharing is What’s Important “ Data races... are failures in programs that access and update shared data in critical sections” – Netzer & Miller, 1992 19 if(ptr==NULL) len1=thread_local->mylen; ptr=malloc(len1); memcpy(ptr, data1, len1) len2=thread_local->mylen; ptr=malloc(len2); memcpy(ptr, data2, len2) Thread-local data NO SHARING Shared data NO INTER-THREAD SHARING EVENTS TIME

20 Very Little Inter-Thread Sharing 20 PhoenixPARSEC

21 Use Demand-Driven Analysis! 21 Multi-threaded Application Multi-threaded Application Software Race Detector Local Access Inter-thread sharing Inter-thread Sharing Monitor

22 Finding Inter-thread Sharing Virtual Memory Watchpoints? –~100% of accesses cause page faults Granularity Gap Per-process not per-thread Must go through the kernel on faults Syscalls for setting/removing meta-data 22 FAULT Inter-Thread Sharing

23 Hardware Sharing Detector HITM in Cache: W→R Data Sharing Hardware Performance Counters 23 Read Y S S I I S S I I HITM Core 1Core 2 Write Y=5 M M Y=5 Pipeline Cache 0 0 0 0 0 0 0 0 Perf. Ctrs 1 1 1 1 FAULT - - - - - - - - PEBS Armed Debug Store EFLAGS EIP RegVals MemInfo Precise Fault

24 Potential Accuracy & Perf. Problems Limitations of Performance Counters  HITM only finds W→R Data Sharing  Hardware prefetcher events aren’t counted Limitations of Cache Events  SMT sharing can’t be counted  Cache eviction causes missed events  False sharing, etc… PEBS events still go through the kernel 24

25 On-Demand Analysis on Real HW 25 Execute Instruction SW Race Detection Enable Analysis Disable Analysis HITM Interrupt? HITM Interrupt? Sharing Recently? Analysis Enabled? NO YES > 97% < 3%

26 Performance Difference 26 PhoenixPARSEC

27 Performance Increases 27 PhoenixPARSEC 51x

28 Demand-Driven Analysis Accuracy 28 1/1 2/4 3/3 4/4 3/3 4/4 2/4 4/4 2/4 Accuracy vs. Continuous Analysis: 97%

29 Outline Problem Statement Background Information  Demand-Driven Dynamic Dataflow Analysis Proposed Solutions  Demand-Driven Data Race Detection  Unlimited Hardware Watchpoints 29

30 Watchpoints Globally Useful Byte/Word Accurate and Per-Thread 30

31 Watchpoint-Based Software Analyses Taint Analysis Data Race Detection Deterministic Execution Canary-Based Bounds Checking Speculative Program Optimization Hybrid Transactional Memory 31

32 Challenges Some analyses require watchpoint ranges  Better stored as base + length Some need large # of small watchpoints  Better stored as bitmaps Need a large number 32

33 The Best of Both Worlds Store Watchpoints in Main Memory Cache watchpoints on-chip 33

34 Demand-Driven Taint Analysis 34

35 Watchpoint-Based Data Race Detection 35 PhoenixPARSEC

36 Watchpoint Deterministic Execution 36 PhoenixSPEC OMP2001

37 BACKUP SLIDES 37

Download ppt "On-Demand Dynamic Software Analysis Joseph L. Greathouse Ph.D. Candidate Advanced Computer Architecture Laboratory University of Michigan December 12,"

Similar presentations

Transactional Memory Parag Dixit Bruno Vavala Computer Architecture Course, 2012.

Transactional Memory Parag Dixit Bruno Vavala Computer Architecture Course, 2012.
Exploring P4 Trace Cache Features Ed Carpenter Marsha Robinson Jana Wooten.

Exploring P4 Trace Cache Features Ed Carpenter Marsha Robinson Jana Wooten.
Thread Criticality Predictors for Dynamic Performance, Power, and Resource Management in Chip Multiprocessors Abhishek Bhattacharjee Margaret Martonosi.

Thread Criticality Predictors for Dynamic Performance, Power, and Resource Management in Chip Multiprocessors Abhishek Bhattacharjee Margaret Martonosi.
5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.

5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.
Recording Inter-Thread Data Dependencies for Deterministic Replay Tarun GoyalKevin WaughArvind Gopalakrishnan.

Recording Inter-Thread Data Dependencies for Deterministic Replay Tarun GoyalKevin WaughArvind Gopalakrishnan.
Thread-Level Transactional Memory Decoupling Interface and Implementation UW Computer Architecture Affiliates Conference Kevin Moore October 21, 2004.

Thread-Level Transactional Memory Decoupling Interface and Implementation UW Computer Architecture Affiliates Conference Kevin Moore October 21, 2004.
Concurrency.

Concurrency.
S. Narayanasamy, Z. Wang, J. Tigani, A. Edwards, B. Calder UCSD and Microsoft PLDI 2007.

S. Narayanasamy, Z. Wang, J. Tigani, A. Edwards, B. Calder UCSD and Microsoft PLDI 2007.
Continuously Recording Program Execution for Deterministic Replay Debugging.

Continuously Recording Program Execution for Deterministic Replay Debugging.
[ 1 ] Agenda Overview of transactional memory (now) Two talks on challenges of transactional memory Rebuttals/panel discussion.

[ 1 ] Agenda Overview of transactional memory (now) Two talks on challenges of transactional memory Rebuttals/panel discussion.
What Great Research ?s Can RAMP Help Answer? What Are RAMP’s Grand Challenges ?

What Great Research ?s Can RAMP Help Answer? What Are RAMP’s Grand Challenges ?
Yuanyuan ZhouUIUC-CS Architectural Support for Software Bug Detection Yuanyuan (YY) Zhou and Josep Torrellas University of Illinois at Urbana-Champaign.

Yuanyuan ZhouUIUC-CS Architectural Support for Software Bug Detection Yuanyuan (YY) Zhou and Josep Torrellas University of Illinois at Urbana-Champaign.
Unbounded Transactional Memory Paper by Ananian et al. of MIT CSAIL Presented by Daniel.

Unbounded Transactional Memory Paper by Ananian et al. of MIT CSAIL Presented by Daniel.
1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.

1 RAKSHA: A FLEXIBLE ARCHITECTURE FOR SOFTWARE SECURITY Computer Systems Laboratory Stanford University Hari Kannan, Michael Dalton, Christos Kozyrakis.
MSWAT: Low-Cost Hardware Fault Detection and Diagnosis for Multicore Systems Siva Kumar Sastry Hari, Man-Lap (Alex) Li, Pradeep Ramachandran, Byn Choi,

MSWAT: Low-Cost Hardware Fault Detection and Diagnosis for Multicore Systems Siva Kumar Sastry Hari, Man-Lap (Alex) Li, Pradeep Ramachandran, Byn Choi,
RCDC SLIDES README Font Issues – To ensure that the RCDC logo appears correctly on all computers, it is represented with images in this presentation. This.

RCDC SLIDES README Font Issues – To ensure that the RCDC logo appears correctly on all computers, it is represented with images in this presentation. This.
Qin Zhao (MIT) Derek Bruening (VMware) Saman Amarasinghe (MIT) Umbra: Efficient and Scalable Memory Shadowing CGO 2010, Toronto, Canada April 26, 2010.

Qin Zhao (MIT) Derek Bruening (VMware) Saman Amarasinghe (MIT) Umbra: Efficient and Scalable Memory Shadowing CGO 2010, Toronto, Canada April 26, 2010.
Rapid Identification of Architectural Bottlenecks via Precise Event Counting John Demme, Simha Sethumadhavan Columbia University

Rapid Identification of Architectural Bottlenecks via Precise Event Counting John Demme, Simha Sethumadhavan Columbia University
Rahul Sharma (Stanford) Michael Bauer (NVIDIA Research) Alex Aiken (Stanford) Verification of Producer-Consumer Synchronization in GPU Programs June 15,

Rahul Sharma (Stanford) Michael Bauer (NVIDIA Research) Alex Aiken (Stanford) Verification of Producer-Consumer Synchronization in GPU Programs June 15,
15-740/18-740 Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

Similar presentations

Ads by Google