Race Checking by Context Inference - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Race Checking by Context Inference
  • Tom Henzinger (UC Berkeley → EPFL)
  • Ranjit Jhala (UC Berkeley → ???)
  • Rupak Majumdar (UC Berkeley → UCLA)

2
Multithreaded Programs
[Figure: two threads accessing a shared variable x in shared memory]
  • OS, web servers, databases, embedded systems
  • Curse of interleaving
  • Non-deterministic scheduling
  • Exponentially many behaviors: errors are hard to detect and to reproduce
  • Testing exercises only a fraction of the possible behaviors

3
Data Races
[Figure: thread 1 executes lock(l); x = x+1; unlock(l) and thread 2 executes lock(l); x = x-5; unlock(l), both on the shared variable x]
  • A data race on x is a state where two threads can access x and one of the accesses is a write
  • Unpredictable, undesirable program behavior
  • There should be no races on shared variables
  • Synchronization: must hold the lock when accessing x

4
Previous Work
  • Infer some lock(s) that protect x
  • Check that the lock(s) are held when accessing x
  • Report an error if the lock(s) are not held

  • Dynamic LockSet: Dinning-Schonberg 90, Savage et al. 97, Cheng et al. 98, Choi et al. 02
  • Static LockSet: Sterling 93, Engler-Ashcraft 03
  • Type-based: Flanagan-Freund 00, Bacon et al. 00, Boyapati et al. 02
  • Object Usage Graph: von Praun-Gross 03
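As an added example (not code from the slides), the dynamic lockset scheme summarized above, in the form of Savage et al.'s Eraser state machine, run over a constructed access trace. The trace, the lock names and the `LocksetChecker` class are this example's own assumptions. The last variable, w, is written by two threads that are in fact serialized by a state variable rather than a lock (the idiom of the next slide); the lockset checker cannot see that and reports it, which is the false positive the rest of the talk sets out to avoid.

```python
# Added example: Eraser-style dynamic lockset checking (Savage et al. 97) over
# a constructed access trace. This is not the presentation's code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Access:
    thread: str
    var: str
    write: bool
    locks: frozenset      # locks held by `thread` at the moment of the access

class LocksetChecker:
    """Per-variable lockset refinement with Eraser's state machine:
    virgin -> exclusive (one thread) -> shared (read by a 2nd thread)
                                     -> shared_modified (written by a 2nd thread).
    C(v) is intersected with the locks held at each access once a second thread
    appears; an empty C(v) in state shared_modified is reported as a race."""

    def __init__(self):
        self.state = {}        # var -> current state name
        self.owner = {}        # var -> thread that first touched it
        self.candidates = {}   # var -> C(v); None means "all locks" (not yet refined)
        self.reports = []      # (var, thread, index of the offending access)

    def observe(self, idx, a):
        st = self.state.get(a.var, "virgin")
        if st == "virgin":                      # first access: initialization phase
            self.state[a.var] = "exclusive"
            self.owner[a.var] = a.thread
            self.candidates[a.var] = None
            return
        if st == "exclusive":
            if a.thread == self.owner[a.var]:   # still one thread: no refinement, no report
                return
            st = "shared_modified" if a.write else "shared"
        elif st == "shared" and a.write:
            st = "shared_modified"
        c = self.candidates[a.var]
        c = set(a.locks) if c is None else c & a.locks   # refine C(v)
        self.candidates[a.var] = c
        self.state[a.var] = st
        if st == "shared_modified" and not c:   # no lock consistently protects v
            self.reports.append((a.var, a.thread, idx))

L, M = "lock_l", "lock_m"
TRACE = [  # constructed trace: (thread, variable, is_write, locks held)
    Access("A", "x", True,  frozenset({L})),   # x: always under l -> no report
    Access("B", "x", True,  frozenset({L})),
    Access("A", "y", True,  frozenset({L})),   # y: A uses l, B uses m
    Access("B", "y", True,  frozenset({M})),   #    C(y) = {m} after this access
    Access("A", "y", True,  frozenset({L})),   #    C(y) = {} -> race reported here
    Access("A", "z", True,  frozenset({L})),   # z: unlocked read by B -> shared, C(z) = {}
    Access("B", "z", False, frozenset()),      #    (no report in state shared)
    Access("A", "z", True,  frozenset({L})),   #    write with empty C(z) -> race
    Access("A", "w", True,  frozenset()),      # w: serialized by a state variable, not a lock
    Access("B", "w", True,  frozenset()),      #    lockset cannot see that -> false positive
]

def run(trace=TRACE):
    chk = LocksetChecker()
    for i, a in enumerate(trace):
        chk.observe(i, a)
    return chk

if __name__ == "__main__":
    for var, thread, idx in run().reports:
        print(f"possible race on {var}: access #{idx} by {thread} with empty lockset")
```

The exclusive phase is what lets a thread initialize a variable without locks; the price is that the very first access by a second thread is checked only against the locks held at that moment, so a race can surface one access later than it first became possible (y above).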
5
Other Synchronization Idioms
  • Producer-Consumer
  • Interrupt-toggling
  • State-based:
        atomic { old = state; if (state == 0) state = 1; }
        → if (old == 0) { write x; state = 0; }
6
Previous Work: Model Checking
  • Godefroid 97, Holzmann, Havelund-Visser, Dwyer-Hatcliff, Avrunin-Clarke, Musuvathi-Dill-Engler 02
  • Handles any synchronization idiom
  • Fixed number of threads
  • State explosion
7
The Safety Verification Problem
[Figure: program state space with Initial states and Error states]
  • Q: From the initial states, is an error state reachable?
8
Idea 1: Predicate Abstraction   [Graf-Saidi 97]
[Figure: program state space with Initial and Error states, partitioned by the abstraction]
  • Abstraction: predicates on the program state
  • Signs: x > 0
  • Aliasing: predicates relating x and y
  • States satisfying the same predicates are equivalent
  • Merged into a single abstract state

9
Idea 1: Predicate Abstraction
[Figure: the finite abstract state space]
  • Search the finite abstract state space
  • Conservative
  • Abstraction safe ⇒ system safe
  • Too coarse ⇒ spurious counterexample

10
Idea 2: Counterexample-Guided Refinement   [Kurshan et al. 93, Clarke et al. 00, Ball-Rajamani 01]
[Figure: Abstract → Refine loop]
  • Add predicates to rule out the spurious trace
  • Repeat reachability
  • Until safe or a real trace is found

11
Idea 2: Counterexample-Guided Refinement (continued)
[Figure: the Abstract → Refine loop, ending in "safe"]
12
Brute Force Approach
  • Explore the (abstract) state space
  • State explosion! (too many interleavings)
  • Control combinations: m · n for two threads with m and n locations
  • 250,000 if 500 lines/thread, ignoring predicates
  • 3, 4, 5, …, k threads? Unbounded threads?

13
Take 1: Verify Threads in Isolation
[Figure: each thread checked on its own, each reported safe]
  • Make worst-case assumptions about the other threads
  • Doesn't work: a thread works correctly only under assumptions about its environment
  • In the worst case, the environment thread accesses the shared variables without holding a lock, so there is always a race

14
A Thread-Modular Approach
    while (1) {
      atomic { old = s; if (s == 0) s = 1; }
      if (old == 0) { write x; s = 0; }
    }
  • Summarize each thread
  • How it interacts with the others w.r.t. the property
  • Key idea: summary automaton over global predicates

15
Verify (Thread || Others' Summary)
[Figure: each thread composed with the summary of the other threads, each reported safe]
  • Control combinations: |Thread| × |Summary|
  • Small (if the summary is small)

16
Check that Summaries are Valid
[Figure: each thread's behavior checked against its own summary; both checks reported safe]
17
Thread-Modular Verification
[Figure: each thread is verified against the summary of the others and checked against its own summary; the whole system is reported safe]
  • Assume-Guarantee: Owicki-Gries 73, Chandy-Misra 81, Jones 83, Stark 85, Abadi-Lamport 93, Alur-Henzinger 96, McMillan 97, Flanagan-Qadeer 01
  • Q: Finding summaries?
18
Thread-Modular Abstraction Refinement
[Figure: Abstract → Summarize → Refine loop; the summaries are built from the abstract reachability tree, "not the reachable states"]
  • Get new predicates from the counterexample
19
Thread-Modular Abstraction Refinement
[Figure: the same Abstract → Summarize → Refine loop reaching a fixpoint, reported SAFE]
20
Technical Details
  • Summaries are built from the reachability tree
  • Nodes of the summary are nodes of the reachability tree
  • Transitions are obtained by taking adjacent thread-edges in the tree
  • Nodes are labelled with abstract states, with local variables quantified out
  • Transitions are labelled with the variables that get written
  • Minimized by stutter bisimulation

21
Unbounded Threads
  • System = Thread || Context
  • Semantics
  • Initial location counter = 1, elsewhere 0
  • Operations
  • 1. Pick an edge whose source location counter > 0
  • 2. Source location counter --, target location counter ++
  • Havoc the variables on the edge, assume the predicate on the target location
  • k-Counter Abstraction
  • Value > k abstracted to ∞
  • e.g. k = 1: possible counter values 0, 1, ∞

[Figure: example summary automaton; each summary location is labelled with a location counter (0, 1 or ∞) and an abstract state over the global predicates s = 0 and s = 1 (True, s = 0, s = 1, and conjunctions of them)]
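As an added example (not code from the slides), the following Python models the state-based idiom of slides 5 and 14 and checks it the two ways discussed: brute-force exploration of every interleaving for a fixed number of threads (slide 12), and the k-counter abstraction of this slide for unboundedly many identical threads. The encoding of a thread as `step`, the deliberately broken variant `step_broken` (test-and-set split into two non-atomic steps), and the race condition "two threads at the write location" are the example's own assumptions; the counter semantics (pick an edge with a source counter > 0, decrement the source, increment the target, saturate above k) follows the bullets above.

```python
# Added example (not the presentation's code): explicit-state exploration of
# the state-based idiom from slides 5 and 14, first by brute force for a fixed
# number of threads (slide 12), then under the k-counter abstraction (slide 21).
from collections import deque

INF = "inf"          # counter value standing for "more than k" threads
WRITE_X = "write_x"  # location at which a thread is about to write x

def step(loc, old, s):
    """One thread of
         atomic { old = state; if (state == 0) state = 1; }
         if (old == 0) { write x; state = 0; }
    as a transition relation on (location, local old, global state s).
    Returns the list of possible (loc', old', s') successors."""
    if loc == "tas":        # atomic test-and-set on s
        return [("test", s, 1 if s == 0 else s)]
    if loc == "test":       # if (old == 0) go write x, else retry
        return [(WRITE_X, old, s)] if old == 0 else [("tas", old, s)]
    if loc == WRITE_X:      # write x
        return [("release", old, s)]
    if loc == "release":    # state = 0
        return [("tas", old, 0)]
    raise ValueError(loc)

def step_broken(loc, old, s):
    """Same idiom with the test-and-set split into two non-atomic steps."""
    if loc == "tas":        # old = state
        return [("set", s, s)]
    if loc == "set":        # if (state == 0) state = 1
        return [("test", old, 1 if s == 0 else s)]
    return step(loc, old, s)

def explore_concrete(step_fn, n):
    """Brute force over all interleavings of n identical threads.
    A global state is ((loc, old) per thread, s).
    Returns (number of reachable states, a racy state or None)."""
    init = (tuple(("tas", 0) for _ in range(n)), 0)
    seen, work, race = {init}, deque([init]), None
    while work:
        locs, s = work.popleft()
        if race is None and sum(l == WRITE_X for l, _ in locs) >= 2:
            race = (locs, s)
        for i, (loc, old) in enumerate(locs):
            for loc2, old2, s2 in step_fn(loc, old, s):
                nxt = (locs[:i] + ((loc2, old2),) + locs[i + 1:], s2)
                if nxt not in seen:
                    seen.add(nxt)
                    work.append(nxt)
    return len(seen), race

def inc(c, k):
    """Counter + 1, saturating to INF above k."""
    return INF if c == INF or c + 1 > k else c + 1

def dec(c, k):
    """Counter - 1; INF - 1 may be exactly k or still INF (the abstraction is nondeterministic)."""
    return [k, INF] if c == INF else [c - 1]

def explore_counter(step_fn, k):
    """k-counter abstraction for unboundedly many identical threads.
    A global state is (s, {(loc, old): counter}) with counters in {1..k, INF}
    (zero counters are dropped). Initially INF threads sit at 'tas'.
    A race is a write_x counter that is >= 2 or INF."""
    init = (0, frozenset({(("tas", 0), INF)}))
    seen, work, race = {init}, deque([init]), None
    while work:
        s, counters = work.popleft()
        cmap = dict(counters)
        if race is None and any(c == INF or c >= 2
                                for (loc, _), c in cmap.items() if loc == WRITE_X):
            race = (s, cmap)
        for (loc, old), c in cmap.items():
            for loc2, old2, s2 in step_fn(loc, old, s):
                for c_src in dec(c, k):                 # move one thread along the edge
                    m = dict(cmap)
                    m[(loc, old)] = c_src
                    m[(loc2, old2)] = inc(m.get((loc2, old2), 0), k)
                    nxt = (s2, frozenset((key, v) for key, v in m.items() if v != 0))
                    if nxt not in seen:
                        seen.add(nxt)
                        work.append(nxt)
    return len(seen), race

if __name__ == "__main__":
    for n in (2, 3, 4):
        count, race = explore_concrete(step, n)
        print(f"{n} threads, atomic idiom: {count} states, race={race is not None}")
    print("2 threads, broken idiom: race =", explore_concrete(step_broken, 2)[1] is not None)
    print("unbounded threads (k=1), atomic: race =", explore_counter(step, 1)[1] is not None)
    print("unbounded threads (k=1), broken: race =", explore_counter(step_broken, 1)[1] is not None)
```

The growth of the concrete state count with n is the state explosion the brute-force slide warns about, while the counter-abstract state space does not depend on the number of threads at all. Because the local `old` is folded into the summary location (the slide's "quantify out local variables" is done by keeping it in the location key rather than in the global state), the abstraction is precise enough here to prove the atomic version race-free and still find the race in the split version; a coarser location key would have to be refined from the counterexample as slide 22 describes.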
22
More Technical Details
  • Global predicates on summary locations
  • Craig interpolation [POPL04]
  • Abstract counter parameter (k)
  • Counterexample-guided refinement
  • Complete for finite-state threads

23
Data Races in NesC Programs
  • PL for networked embedded systems [Gay et al. 03]
  • Interrupts fire events, which fire other events or post tasks, which run asynchronously
  • Race-freedom is important
  • Non-trivial synchronization idioms
  • Flow-based analysis
  • Compiled to C

24
NesC Race Checking Results
[Table: race-checking results on the pre-processed NesC programs]
25
Case Study: sense.nc
    atomic { old = state; if (state == 0) state = 1; }
    → if (old == 0) { write x; ... }
  • Interrupt 1 fires → old = state; if (state == 0) state = 1 → if (old == 0): about to write x
  • Interrupt 2 fires → state = 0
  • Interrupt 1 fires → old = state; if (state == 0) state = 1 → if (old == 0): about to write x
  • The interrupt 1 handler disables interrupt 2; BLAST finds this information and proves there are no races
26
Thank You!
  • http://www.eecs.berkeley.edu/blast
  • Acknowledgments Ranjit Jhala for the slides!