Presentation is loading. Please wait.

Presentation is loading. Please wait.

On-Demand Dynamic Software Analysis Joseph L. Greathouse Ph.D. Candidate Advanced Computer Architecture Laboratory University of Michigan November 29,

Published byDiana Rogers Modified over 9 years ago

Similar presentations

Presentation on theme: "On-Demand Dynamic Software Analysis Joseph L. Greathouse Ph.D. Candidate Advanced Computer Architecture Laboratory University of Michigan November 29,"— Presentation transcript:

1 On-Demand Dynamic Software Analysis Joseph L. Greathouse Ph.D. Candidate Advanced Computer Architecture Laboratory University of Michigan November 29, 2011

2 NIST: SW errors cost U.S. ~$60 billion/year as of 2002 FBI CCS: Security Issues $67 billion/year as of 2005  >⅓ from viruses, network intrusion, etc. Software Errors Abound 2 Cataloged Software Vulnerabilities

3 In spite of proposed solutions Hardware Plays a Role 3 Hardware Data Race Recording Deterministic Execution/Replay Atomicity Violation Detectors Bug-Free Memory Models Bulk Memory Commits TRANSACTIONAL MEMORY IBM BG/Q AMD ASF ?

4 Example of a Modern Bug 4 Thread 2 mylen=large Thread 1 mylen=small ptr ∅ Nov. 2010 OpenSSL Security Flaw if(ptr == NULL) { len=thread_local->mylen; ptr=malloc(len); memcpy(ptr, data, len); }

5 Example of a Modern Bug 5 if(ptr==NULL) memcpy(ptr, data2, len2) ptr LEAKED TIME Thread 2 mylen=large Thread 1 mylen=small ∅ len2=thread_local->mylen; ptr=malloc(len2); len1=thread_local->mylen; ptr=malloc(len1); memcpy(ptr, data1, len1)

6 Dynamic Software Analysis Analyze the program as it runs + System state, find errors on any executed path – LARGE runtime overheads, only test one path 6 Developer Instrumented Program In-House Test Machine(s) LONG run time Analysis Results Analysis Instrumentation Program

7 Taint Analysis (e.g.TaintCheck) Dynamic Bounds Checking Data Race Detection (e.g. Inspector XE) Memory Checking (e.g. MemCheck) Runtime Overheads: How Large? 7 2-200x 10-80x 5-50x 2-300x Symbolic Execution 10-200x

8 Could use Hardware Data Race Detection: HARD, CORD, etc. Taint Analysis: Raksha, FlexiTaint, etc. Bounds Checking: HardBound – None Currently Exist; Bugs Are Here Now – Single-Use Specialization – Won’t be built due to HW, power, verification costs – Unchangeable algorithms locked in HW 8

9 Goals of this Talk Accelerate SW Analyses Using Existing HW Run Tests On Demand: Only When Needed Explore Future Generic HW Additions 9

10 Outline Problem Statement Background Information  Demand-Driven Dynamic Dataflow Analysis Proposed Solutions  Demand-Driven Data Race Detection  Unlimited Hardware Watchpoints 10

11 Dynamic Dataflow Analysis Associate meta-data with program values Propagate/Clear meta-data while executing Check meta-data for safety & correctness Forms dataflows of meta/shadow information 11

12 a += y z = y * 75 y = x * 1024 w = x + 42 Check w Example: Taint Analysis 12 validate(x) x = read_input() Clear a += y z = y * 75 y = x * 1024 x = read_input() Propagate Associate Input Check a Check z Data Meta-data

13 Demand-Driven Dataflow Analysis 13 Only Analyze Shadowed Data Native Application Native Application Instrumented Application Instrumented Application Instrumented Application Meta-Data Detection Non- Shadowed Data Shadowed Data No meta-data

14 Finding Meta-Data 14 No additional overhead when no meta-data  Needs hardware support Take a fault when touching shadowed data Solution: Virtual Memory Watchpoints V→P FAULT

15 Results by Ho et al. From “Practical Taint-Based Protection using Demand Emulation” 15

16 Outline Problem Statement Background Information  Demand-Driven Dynamic Dataflow Analysis Proposed Solutions  Demand-Driven Data Race Detection  Unlimited Hardware Watchpoints 16

17 Software Data Race Detection Add checks around every memory access Find inter-thread sharing events Synchronization between write-shared accesses?  No? Data race. 17

18 Thread 2 mylen=large Thread 1 mylen=small if(ptr==NULL) len1=thread_local->mylen; ptr=malloc(len1); memcpy(ptr, data1, len1) len2=thread_local->mylen; ptr=malloc(len2); memcpy(ptr, data2, len2) Example of Data Race Detection 18 ptr write-shared? Interleaved Synchronization? TIME

19 SW Race Detection is Slow 19 PhoenixPARSEC

20 Inter-thread Sharing is What’s Important “ Data races... are failures in programs that access and update shared data in critical sections” – Netzer & Miller, 1992 20 if(ptr==NULL) len1=thread_local->mylen; ptr=malloc(len1); memcpy(ptr, data1, len1) len2=thread_local->mylen; ptr=malloc(len2); memcpy(ptr, data2, len2) Thread-local data NO SHARING Shared data NO INTER-THREAD SHARING EVENTS TIME

21 Very Little Inter-Thread Sharing 21 PhoenixPARSEC

22 Use Demand-Driven Analysis! 22 Multi-threaded Application Multi-threaded Application Software Race Detector Local Access Inter-thread sharing Inter-thread Sharing Monitor

23 Finding Inter-thread Sharing Virtual Memory Watchpoints? –~100% of accesses cause page faults Granularity Gap Per-process not per-thread Must go through the kernel on faults Syscalls for setting/removing meta-data 23 FAULT Inter-Thread Sharing

24 Hardware Sharing Detector Hardware Performance Counters Intel’s HITM event: W→R Data Sharing 24 S S M M S S I I HITM Pipeline Cache 0 0 0 0 0 0 0 0 Perf. Ctrs 1 1 2 2 1 1 FAULT Core 1Core 2 - - - - - - - - PEBS Armed Debug Store EFLAGS EIP RegVals MemInfo Precise Fault

25 Potential Accuracy & Perf. Problems Limitations of Performance Counters  HITM only finds W→R Data Sharing  Hardware prefetcher events aren’t counted Limitations of Cache Events  SMT sharing can’t be counted  Cache eviction causes missed events  False sharing, etc… PEBS events still go through the kernel 25

26 Demand-Driven Analysis on Real HW 26 Execute Instruction SW Race Detection Enable Analysis Disable Analysis HITM Interrupt? HITM Interrupt? Sharing Recently? Analysis Enabled? NO YES

27 Performance Increases 27 PhoenixPARSEC 51x

28 Demand-Driven Analysis Accuracy 28 1/1 2/4 3/3 4/4 3/3 4/4 2/4 4/4 2/4 Accuracy vs. Continuous Analysis: 97%

29 Outline Problem Statement Background Information  Demand-Driven Dynamic Dataflow Analysis Proposed Solutions  Demand-Driven Data Race Detection  Unlimited Hardware Watchpoints 29

30 Watchpoints Globally Useful Byte/Word Accurate and Per-Thread 30

31 Watchpoint-Based Software Analyses Taint analysis / Dynamic dataflow analysis Data Race Detection Deterministic Execution Canary-Based Bounds Checking Speculative Program Optimization Hybrid Transactional Memory 31

32 Challenges Some analyses require watchpoint ranges  Better stored as base + length Some need large # of small watchpoints  Better stored as bitmaps Need a large number 32

33 The Best of Both Worlds Store Watchpoints in Main Memory Cache watchpoints on-chip 33

34 Demand-Driven Taint Analysis 34

35 Watchpoint-Based Data Race Detection 35 PhoenixPARSEC

36 Watchpoint-Based Grace System 36 PhoenixSPEC OMP2001

37 BACKUP SLIDES 37

38 Performance Difference 38 PhoenixPARSEC

39 Accuracy on Real Hardware 39 kmeansfacesimferretfreqminevipsx264streamcluster W→W1/1 (100%) 0/1 (0%) --1/1 (100%) - R→W-0/1 (0%) 2/2 (100%) 1/1 (100%) 3/3 (100%) 1/1 (100%) W→R-2/2 (100%) 1/1 (100%) 2/2 (100%) 1/1 (100%) 3/3/ (100%) 1/1 (100%) Spider Monkey-0 Spider Monkey-1 Spider Monkey-2 NSPR-1Memcached-1Apache-1 W→W9/9 (100%) 1/1 (100%) 3/3 (100%) -1/1 (100%) R→W3/3 (100%) -1/1 (100%) 7/7 (100%) W→R8/8 (100%) 1/1 (100%) 2/2 (100%) 4/4 (100%) -2/2 (100%) kmeansfacesimferretfreqminevipsx264streamcluster W→W1/1 (100%) 0/1 (0%) --1/1 (100%) - R→W-0/1 (0%) 2/2 (100%) 1/1 (100%) 3/3 (100%) 1/1 (100%) W→R-2/2 (100%) 1/1 (100%) 2/2 (100%) 1/1 (100%) 3/3/ (100%) 1/1 (100%)

40 Width Test 40

Download ppt "On-Demand Dynamic Software Analysis Joseph L. Greathouse Ph.D. Candidate Advanced Computer Architecture Laboratory University of Michigan November 29,"

Similar presentations

Transactional Memory Parag Dixit Bruno Vavala Computer Architecture Course, 2012.

Transactional Memory Parag Dixit Bruno Vavala Computer Architecture Course, 2012.
1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.

1 Chao Wang, Yu Yang*, Aarti Gupta, and Ganesh Gopalakrishnan* NEC Laboratories America, Princeton, NJ * University of Utah, Salt Lake City, UT Dynamic.
Exploring P4 Trace Cache Features Ed Carpenter Marsha Robinson Jana Wooten.

Exploring P4 Trace Cache Features Ed Carpenter Marsha Robinson Jana Wooten.
Thread Criticality Predictors for Dynamic Performance, Power, and Resource Management in Chip Multiprocessors Abhishek Bhattacharjee Margaret Martonosi.

Thread Criticality Predictors for Dynamic Performance, Power, and Resource Management in Chip Multiprocessors Abhishek Bhattacharjee Margaret Martonosi.
5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.

5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.
Recording Inter-Thread Data Dependencies for Deterministic Replay Tarun GoyalKevin WaughArvind Gopalakrishnan.

Recording Inter-Thread Data Dependencies for Deterministic Replay Tarun GoyalKevin WaughArvind Gopalakrishnan.
Hybrid Transactional Memory Nir Shavit MIT and Tel-Aviv University Joint work with Alex Matveev (and describing the work of many in this summer school)

Hybrid Transactional Memory Nir Shavit MIT and Tel-Aviv University Joint work with Alex Matveev (and describing the work of many in this summer school)
Thread-Level Transactional Memory Decoupling Interface and Implementation UW Computer Architecture Affiliates Conference Kevin Moore October 21, 2004.

Thread-Level Transactional Memory Decoupling Interface and Implementation UW Computer Architecture Affiliates Conference Kevin Moore October 21, 2004.
An Case for an Interleaving Constrained Shared-Memory Multi- Processor CS6260 Biao xiong, Srikanth Bala.

An Case for an Interleaving Constrained Shared-Memory Multi- Processor CS6260 Biao xiong, Srikanth Bala.
Concurrency.

Concurrency.
S. Narayanasamy, Z. Wang, J. Tigani, A. Edwards, B. Calder UCSD and Microsoft PLDI 2007.

S. Narayanasamy, Z. Wang, J. Tigani, A. Edwards, B. Calder UCSD and Microsoft PLDI 2007.
Continuously Recording Program Execution for Deterministic Replay Debugging.

Continuously Recording Program Execution for Deterministic Replay Debugging.
[ 1 ] Agenda Overview of transactional memory (now) Two talks on challenges of transactional memory Rebuttals/panel discussion.

[ 1 ] Agenda Overview of transactional memory (now) Two talks on challenges of transactional memory Rebuttals/panel discussion.
Yuanyuan ZhouUIUC-CS Architectural Support for Software Bug Detection Yuanyuan (YY) Zhou and Josep Torrellas University of Illinois at Urbana-Champaign.

Yuanyuan ZhouUIUC-CS Architectural Support for Software Bug Detection Yuanyuan (YY) Zhou and Josep Torrellas University of Illinois at Urbana-Champaign.
Unbounded Transactional Memory Paper by Ananian et al. of MIT CSAIL Presented by Daniel.

Unbounded Transactional Memory Paper by Ananian et al. of MIT CSAIL Presented by Daniel.
RCDC SLIDES README Font Issues – To ensure that the RCDC logo appears correctly on all computers, it is represented with images in this presentation. This.

RCDC SLIDES README Font Issues – To ensure that the RCDC logo appears correctly on all computers, it is represented with images in this presentation. This.
Qin Zhao (MIT) Derek Bruening (VMware) Saman Amarasinghe (MIT) Umbra: Efficient and Scalable Memory Shadowing CGO 2010, Toronto, Canada April 26, 2010.

Qin Zhao (MIT) Derek Bruening (VMware) Saman Amarasinghe (MIT) Umbra: Efficient and Scalable Memory Shadowing CGO 2010, Toronto, Canada April 26, 2010.
Rapid Identification of Architectural Bottlenecks via Precise Event Counting John Demme, Simha Sethumadhavan Columbia University

Rapid Identification of Architectural Bottlenecks via Precise Event Counting John Demme, Simha Sethumadhavan Columbia University
Rahul Sharma (Stanford) Michael Bauer (NVIDIA Research) Alex Aiken (Stanford) Verification of Producer-Consumer Synchronization in GPU Programs June 15,

Rahul Sharma (Stanford) Michael Bauer (NVIDIA Research) Alex Aiken (Stanford) Verification of Producer-Consumer Synchronization in GPU Programs June 15,
15-740/18-740 Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

15-740/ Oct. 17, 2012 Stefan Muller.  Problem: Software is buggy!  More specific problem: Want to make sure software doesn’t have bad property.

Similar presentations

Ads by Google