CS 294-32: Dynamic Partial Order Reduction
Koushik Sen, UC Berkeley
(lecture slides, 80 slides)

Exponential Blowup

Computation tree for a single thread vs. computation tree for two threads: every scheduler choice (a thread switch) and every conditional statement branches the tree.

  t1: if (x==100) a=1 else a=2
  t2: if (y==9) a=3 else a=4

Solution
• Not all paths in the tree matter for statement reachability
  • Many paths are equivalent to each other
  • Prune equivalent paths => Partial Order Reduction
• Generate inputs along with Partial Order Reduction

Equivalent Paths

Initially x = 0 and y = 0.
  t1: x=3
  t2: y=2
From the state x=0, y=0 the scheduler can run x=3 first or y=2 first; both orders reach the same state. Same partial order, different linear order => different path, but equivalent path.

Independent Transitions
• B and R are independent transitions from a state s if
  1. they commute: B ∘ R = R ∘ B
  2. neither enables nor disables the other
• Example: x = 3 and y = 2 are independent

Existing Approaches
• Static Partial Order Reduction
  • Valmari 91, Peled 93, Godefroid 96, the SPIN model checker by Holzmann, Verisoft
  • Limitation
    • Results in a large dependency relation
    • Pointers: whether two pointers point to the same location is determined conservatively (may point-to)
    • Results in an over-approximation of the dependency relation
    • Limited POR

Example: static partial-order reduction

  Global vars: lock m; int i1, i2; int x = 0; int n = 100; char[] a

  Thread 1:                        Thread 2:
    lock(m)                          lock(m)
    i1 := x++                        i2 := x++
    unlock(m)                        unlock(m)
    for ( ; i1 < n; i1 += 2)         for ( ; i2 < n; i2 += 2)
      a[i1] := 'b'                     a[i2] := 'r'

• Static analysis gives may-alias information
  • i1, i2 are thread-local and never alias (in practice)
  • x is protected by m
  • but a[i1] and a[i2] may alias (according to static analysis)
• Static POR gives O(n^2) explored states and transitions
  • but there are only two possible terminating states

Dynamic Partial-Order Reduction
• Static POR relies on static analysis
  • to yield approximate information about run-time behavior
  • pointers => coarse information => limited POR => path explosion
• Dynamic POR
  • while the model checker executes the program, it sees exactly which threads access which locations
  • it uses this to reduce the path space while model-checking

• Focus: the Race-Detection and Flipping Algorithm and Concolic Testing (jCUTE)
• The Race-Detection and Flipping Algorithm is a simplified form of DPOR
  • Proof of correctness in the presence of inputs and conditionals

Event
• (t, l, a)
  • thread t executes the statement labeled l, and the access type is a
  • a ∈ {w, r, l, u, ?}
• An execution path is a sequence of events

Sequential Relation
Let e = (t, l, a) and e' = (t', l', a'). Then e ⊑ e' iff
  1. e = e', or
  2. t = t' and e appears before e' in the path, or
  3. t ≠ t', t created the thread t', and e appears before e'' in the path, where e'' is the fork event on t creating the thread t', or
  4. there exists an event e'' in the path such that e ⊑ e'' and e'' ⊑ e'.

Example (t0 forks t1 at statement 2; the slide labels the resulting events e1 to e13 in path order):
  t0:                      t1:
    1: x=1                   8: lock(m)
    2: fork(8)               9: x=4
    3: y=2                  10: unlock(m)
    4: lock(m)              11: y=5
    5: x=3                  12: halt
    6: unlock(m)
    7: halt

Causal Relation (Happens-Before Relation)
Let e = (t, l, a) and e' = (t', l', a'). Then e ≼ e' iff
  1. e ⊑ e', or
  2. e appears before e' in the path, both access a shared memory location m, and one of the accesses is an update (write, lock acquire, release), or
  3. there exists an event e'' in the path such that e ≼ e'' and e'' ≼ e'.
• ≼ is a partial order relation
(Same t0/t1 example as above.)

Equivalent Paths
• Definition: two execution paths are equivalent if they are linearizations of the same partial order
• Proposition: exploring one linear order of each partial order is sufficient for statement reachability

Race Relation
• Not so strict a definition (see the paper for the strict definition)
• Let e = (t, l, a) and e' = (t', l', a'). Then e and e' are in the race relation, e ⋈ e', iff
  • e ≼ e'
  • not (e ⊑ e' or e' ⊑ e)
  • there exists no e1 such that e ≼ e1 and e1 ≼ e', where e1 is not equal to e or e'
• Example partial order over the path x := 1, y := 2, y := 3, x := 4
  1. Events in the race relation can be permuted by changing the schedule
  2. What happens if we have locks? (see the paper)

DPOR (Race-detection and flipping) Example

  Thread t1:        Thread t2:
    1: x := 1         1: y := 3
    2: y := 2         2: x := 4

Each state on the explored path carries a postponed set (initially {}). When an execution completes, each race (e, e') adds the thread of e to the postponed set of the state from which e ran; the algorithm then backtracks to the deepest state that has a postponed thread and an enabled thread not yet tried there, and schedules a different thread from that state.

Execution 1: x := 1, y := 2, y := 3, x := 4
  Partial order: x := 1 ≼ y := 2 ≼ y := 3 ≼ x := 4
  Race: y := 2 (t1) with y := 3 (t2). Postponed set of the state before y := 2 becomes {t1}.
  Backtrack here: from that state run t2 instead of t1.

Execution 2: x := 1, y := 3, x := 4, y := 2
  Races: x := 1 (t1) with x := 4 (t2), and y := 3 (t2) with y := 2 (t1).
  Postponed set of the initial state becomes {t1}; postponed set of the state before y := 3 becomes {t1, t2}.
  Cannot backtrack at the state before y := 3 (both threads postponed); backtrack at the initial state: run t2 first.

Execution 3: y := 3, x := 4, x := 1, y := 2
  Race: x := 4 (t2) with x := 1 (t1). Postponed set of the state before x := 4 becomes {t2}.
  Backtrack here: from that state run t1 instead of t2.

Execution 4: y := 3, x := 1, y := 2, x := 4
  Races: y := 3 with y := 2, and x := 1 with x := 4. Postponed sets become {t1, t2} at the initial state and at the state before x := 1.
  Cannot backtrack anywhere. Done after 4 executions.

DPOR (POPL 05) Example

Same program (t1: x := 1; y := 2 and t2: y := 3; x := 4). In the POPL 05 formulation each state is annotated with a persistent set; the executions explored are the same four:
  Execution 1: x := 1, y := 2, y := 3, x := 4
  Execution 2: x := 1, y := 3, x := 4, y := 2
  Execution 3: y := 3, x := 4, x := 1, y := 2
  Execution 4: y := 3, x := 1, y := 2, x := 4

DPOR Problem

  Thread t1:        Thread t2:
    1: x := 1         1: y := 1
    2: x := 2         2: x := 3

• DPOR (both approaches) explores all 6 execution paths => no reduction
• The example in the POPL 05 paper has an error
  • Think about it
• Need sleep sets to obtain reduction

Sleep Set Example
[diagram]

DPOR (Race-detection and flipping) Example with a delayed (sleep) set

Same program (t1: x := 1; y := 2 and t2: y := 3; x := 4). Each state now carries a delayed set as well as a postponed set: when the algorithm backtracks at a state and schedules a different thread, the thread already explored there becomes delayed, and it stays delayed in the following states as long as the executed statements are independent of its next statement. A race whose first event ran from a state where its thread is delayed (crossed out as "X Race" in the slides) needs no backtracking.

Execution 1: x := 1, y := 2, y := 3, x := 4
  Race: y := 2 with y := 3. Postponed set of the state before y := 2 becomes {t1}. Backtrack here.

Execution 2: x := 1, y := 3, x := 4, y := 2
  Races: x := 1 with x := 4 (postponed set of the initial state becomes {t1}), and y := 3 with y := 2 (X Race: t1 is delayed at the state before y := 3, nothing to backtrack here).
  Backtrack at the initial state: run t2 first.

Execution 3: y := 3, x := 4, x := 1, y := 2
  t1 stays delayed through y := 3 (independent of x := 1) and is released after x := 4.
  Race: x := 4 with x := 1 (X Race: t1 was delayed at the state before x := 4). Nothing to backtrack. Done after 3 executions: the schedule y := 3, x := 1, y := 2, x := 4 is never run, since it is a linearization of the same partial order as Execution 2.
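The race relation, the flipping algorithm, the "DPOR Problem" program and the delayed-set variant above, as one added example (not code from the slides or from jCUTE). Threads are numbered from 0 (t1 is 0, t2 is 1), a thread is a list of (variable, is_write) accesses, the default scheduler keeps running the current thread while it can, and sleep-set handling is the simplified one the slides show.

```python
"""Race-detection-and-flipping DPOR with an optional delayed (sleep) set.  Added
example, not jCUTE's code: a thread is a list of (variable, is_write) accesses,
a path a list of (th, access) events, races follow the slides' definition."""
from itertools import combinations

# Constructed from the slides.  t1: x:=1; y:=2   t2: y:=3; x:=4  (ids 0 and 1)
XY_PROGRAM = [[("x", True), ("y", True)], [("y", True), ("x", True)]]
# "DPOR Problem" slide.  t1: x:=1; x:=2   t2: y:=1; x:=3
PROBLEM_PROGRAM = [[("x", True), ("x", True)], [("y", True), ("x", True)]]


def dependent(a, b):
    """Accesses conflict when they touch the same variable and one writes."""
    return a[0] == b[0] and (a[1] or b[1])


def races(path):
    """Pairs (i, j) in race relation: e_i happens-before e_j, different
    threads (so not sequentially related), and no e_k strictly between."""
    n = len(path)
    hb = [[False] * n for _ in range(n)]          # hb[i][j]: e_i ≼ e_j
    for i, j in combinations(range(n), 2):        # same thread or conflicting
        hb[i][j] = path[i][0] == path[j][0] or dependent(path[i][1], path[j][1])
    for k in range(n):                            # transitive closure
        for i in range(k):
            if hb[i][k]:
                for j in range(k + 1, n):
                    hb[i][j] = hb[i][j] or hb[k][j]
    return [(i, j) for i, j in combinations(range(n), 2)
            if hb[i][j] and path[i][0] != path[j][0]
            and not any(hb[i][k] and hb[k][j] for k in range(i + 1, j))]


def explore(program, use_sleep=False):
    """Stateless DFS: run to completion, mark the state each race's first
    event ran from, backtrack to the deepest marked state with an untried
    thread and flip the schedule there.  Returns the explored executions."""
    nthreads = len(program)
    executions, states = [], []     # states[k] describes the state before event k
    while True:
        pc, path, k = [0] * nthreads, [], 0
        while True:
            enabled = [t for t in range(nthreads) if pc[t] < len(program[t])]
            if not enabled:
                break
            if k == len(states):                  # fresh state: extend the prefix
                asleep = set()
                if use_sleep and k > 0:           # delayed while independent of
                    asleep = {t for t in states[-1]["sleep"]        # what ran
                              if not dependent(program[t][pc[t]], path[-1][1])}
                cands = [t for t in enabled if t not in asleep]
                if not cands:                     # only redundant runs remain
                    path = None
                    break
                cur = path[-1][0] if path else None
                t = cur if cur in cands else min(cands)   # default scheduler
                states.append(dict(sched=t, explored={t}, enabled=enabled,
                                   sleep=asleep, raced=False))
            t = states[k]["sched"]
            path.append((t, program[t][pc[t]]))
            pc[t] += 1
            k += 1
        if path is not None:
            executions.append(path)
            for i, _ in races(path):
                states[i]["raced"] = True         # postpone e_i's thread here
        while states:                             # backtrack
            s = states[-1]
            cands = [t for t in s["enabled"]
                     if t not in s["explored"] and t not in s["sleep"]]
            if s["raced"] and cands:
                if use_sleep:                     # earlier choices go to sleep
                    s["sleep"] = s["sleep"] | s["explored"]
                s["sched"] = cands[0]
                s["explored"].add(cands[0])
                break
            states.pop()
        if not states:
            return executions
```

`explore(XY_PROGRAM)` yields the four executions of the slides in the same order, `explore(XY_PROGRAM, use_sleep=True)` three, and `PROBLEM_PROGRAM` gives six without the sleep set and three with it.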

jCUTE
• Key observation: concolic execution is ideal for testing concurrent programs with complex data inputs
  • Use symbolic execution to generate new inputs
  • Use concrete execution to perform partial order reduction
• Explore "interesting" thread schedules or total orders
  • Where to perform context switches?
    • Detect data races and lock races
  • How to perform context switches?
    • Hijack the scheduler using semaphores
    • Insert semaphores through instrumentation

jCUTE Example

  z = input();
  Thread t1:        Thread t2:
    1: x := 3         1: x := 2
                      2: if (2*z + 1 == x)
                      3:   ERROR;

Each state is annotated with the concrete state, the symbolic state, the path constraint and the postponed set. Initially the concrete state is x = 0, z = 17 and the symbolic state is x = 0, z = z0.

Execution 1: x := 3 (t1), x := 2 (t2), 2*z + 1 == x (t2)
  Concrete: x = 3, z = 17, then x = 2, z = 17. Symbolic: x = 3, z = z0, then x = 2, z = z0.
  The branch is false: path constraint 2*z0 + 1 != 2.
  Race: x := 3 (t1) with x := 2 (t2). Postponed set of the initial state becomes {t1}.
  Backtrack here: first solve 2*z0 + 1 = 2 for the other branch: no solution. Then flip the schedule at the initial state.

Execution 2: x := 2 (t2), 2*z + 1 == x (t2), x := 3 (t1)
  Concrete: x = 2, z = 17; the branch is false, path constraint 2*z0 + 1 != 2; then x = 3, z = 17.
  Race: the read of x in the conditional (t2) with x := 3 (t1). Postponed set of the state after x := 2 becomes {t2}; the initial state keeps {t1}.
  Backtrack here: solve 2*z0 + 1 = 2: no solution. Then flip the schedule at the state after x := 2.

Execution 3: x := 2 (t2), x := 3 (t1), 2*z + 1 == x (t2)
  Concrete: x = 2, then x = 3, z = 17; the branch is false, path constraint 2*z0 + 1 != 3.
  Races: x := 2 with x := 3, and x := 3 with the read of x. Postponed sets become {t1, t2} at the initial state and at the state after x := 2.
  Backtrack here: solve 2*z0 + 1 = 3. Solution: z = 1.

Execution 4: same schedule, new input z = 1
  Concrete: x = 0, z = 1; x := 2, x := 3; 2*z + 1 == x holds (2*1 + 1 = 3): ERROR reached. Path constraint 2*z0 + 1 = 3.
  Nothing to backtrack.

Race Detection: Dynamic Vector Clock Algorithm [FSE'03, TACAS'04]
• Vector clock V : Threads → Nat
• Vi is the vector clock of thread ti
• Vxa and Vxw are vector clocks for each shared variable x (accesses and writes)
• Algorithm, for event e_i^k of thread ti:
  1. if e_i^k is a shared memory access, then Vi[i] ← Vi[i] + 1
  2. if e_i^k is a read of a variable x, then Vi ← max{Vi, Vxw}; Vxa ← max{Vxa, Vi}
  3. if e_i^k is a write of a variable x, then Vxw ← Vxa ← Vi ← max{Vxa, Vi}
• Lemma: for any two events, e ≼ e' iff Ve ≤ Ve' (componentwise)
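The three steps above run online over a trace, as an added example that is not jCUTE's code. It also reports the pairs jCUTE's flipping needs: a conflicting access by another thread that immediately precedes the current one and that the current thread has not already learned of through some other path. Thread ids, the event encoding (thread, variable, is_write) and both traces are constructed.

```python
"""Dynamic vector clock algorithm of the slide, run online over a trace, with
the race check jCUTE's flipping needs: a conflicting access by another thread
that immediately precedes the current one.  Added example, not jCUTE's code;
threads are numbered 0..n-1, an event is (thread, variable, is_write), and the
traces below are constructed."""


def vmax(a, b):
    return [max(p, q) for p, q in zip(a, b)]


def leq(a, b):
    """Componentwise V ≤ V': by the lemma, V_e ≤ V_e' iff e happens-before e'."""
    return all(p <= q for p, q in zip(a, b))


def run(trace, nthreads):
    """Returns (clocks, races): clocks[k] is V_e for event k, races the pairs
    (i, k) of event indices found in race relation."""
    zero = [0] * nthreads
    V = [zero[:] for _ in range(nthreads)]         # V_i, one per thread
    Vxa, Vxw = {}, {}                              # per shared variable x
    last_write, reads_since = {}, {}               # immediate predecessors
    clocks, races = [], []
    for k, (i, x, is_write) in enumerate(trace):
        Vxa.setdefault(x, zero[:])
        Vxw.setdefault(x, zero[:])
        V[i][i] += 1                               # step 1: shared access
        # Conflicting accesses with no other conflicting access in between:
        # the last write, or, for a write, every read since that write.
        preds = [last_write[x]] if x in last_write else []
        if is_write and reads_since.get(x):
            preds = reads_since[x]
        for p in preds:
            # Race: another thread, and thread i has not yet learned of e_p
            # through any other path (its clock before merging is not ≥ V_e_p).
            if trace[p][0] != i and not leq(clocks[p], V[i]):
                races.append((p, k))
        if is_write:                               # step 3
            V[i] = vmax(Vxa[x], V[i])
            Vxw[x] = Vxa[x] = V[i][:]
            last_write[x], reads_since[x] = k, []
        else:                                      # step 2
            V[i] = vmax(V[i], Vxw[x])
            Vxa[x] = vmax(Vxa[x], V[i])
            reads_since.setdefault(x, []).append(k)
        clocks.append(V[i][:])
    return clocks, races


# t1: x:=1; y:=2   t2: y:=3; x:=4, run as x:=1, y:=2, y:=3, x:=4 (ids 0 and 1)
XY_EXEC1 = [(0, "x", True), (0, "y", True), (1, "y", True), (1, "x", True)]
# Three threads: a write, two unordered reads, then a write that races with the
# read of the other thread but not with the first write (the reads lie between).
RW_TRACE = [(0, "x", True), (1, "x", False), (2, "x", False), (1, "x", True)]
```

On XY_EXEC1 the only race is y := 2 with y := 3, matching the flipping example; on RW_TRACE the two reads get incomparable clocks, so neither happens-before the other.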

Race Flipping: Hijack the Thread Scheduler
• Ensure that only one thread is executing
• Create a tester thread (tsched)
• Associate a semaphore sem(t) with each thread t
• Before any shared memory access by t, release control to the tester thread:
    V(sem(tsched)); P(sem(t));
• The tester thread schedules a thread t:
    V(sem(t)); P(sem(tsched));
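The semaphore handoff above, as an added example that is not jCUTE's instrumentation: a tester thread drives two instrumented program threads through any chosen total order of their shared accesses. The Controller class, the two-thread program and the schedules are constructed; a schedule must give each thread exactly as many turns as it has shared accesses.

```python
"""Hijacking the thread scheduler with semaphores, as on the slide: one
semaphore per thread plus one for the tester thread, so exactly one thread
runs at a time and the tester chooses which.  Added example, not jCUTE's own
instrumentation; the two-thread program and the schedules are constructed."""
import threading


class Controller:
    """Shared between the tester thread and the instrumented program threads."""

    def __init__(self, nthreads):
        self.sched = threading.Semaphore(0)                            # sem(tsched)
        self.sems = [threading.Semaphore(0) for _ in range(nthreads)]  # sem(t)

    def before_access(self, t):
        """Instrumentation inserted before every shared memory access of t."""
        self.sched.release()       # V(sem(tsched)): hand control to the tester
        self.sems[t].acquire()     # P(sem(t)): block until the tester picks t

    def finished(self, t):
        """Last thing a program thread does: give the tester its turn back."""
        self.sched.release()


def run_under(schedule, nthreads, body):
    """Tester thread.  Runs body(t, ctl) in nthreads threads and forces the
    shared accesses to happen in the order given by schedule, a list holding
    the id of the thread that gets each access."""
    ctl = Controller(nthreads)
    workers = [threading.Thread(target=body, args=(t, ctl)) for t in range(nthreads)]
    for w in workers:
        w.start()
    for _ in workers:              # wait until every thread parked at its first access
        ctl.sched.acquire()
    for t in schedule:
        ctl.sems[t].release()      # V(sem(t)): let t perform one access
        ctl.sched.acquire()        # P(sem(tsched)): wait until it parks or finishes
    for w in workers:
        w.join()


# Constructed program from the DPOR slides: t1: x:=1; y:=2   t2: y:=3; x:=4
PROGRAM = [[("x", 1), ("y", 2)], [("y", 3), ("x", 4)]]


def execute(schedule):
    """Returns (final shared state, observed access order) for one schedule."""
    shared, log = {"x": 0, "y": 0}, []

    def body(t, ctl):
        for var, val in PROGRAM[t]:
            ctl.before_access(t)
            shared[var] = val      # the shared access itself
            log.append((t, var, val))
        ctl.finished(t)

    run_under(schedule, len(PROGRAM), body)
    return shared, log
```

Running `execute([0, 1, 1, 0])` reproduces Execution 2 of the flipping example (x := 1, y := 3, x := 4, y := 2) deterministically, ending with x = 4, y = 2.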

jCUTE
• jCUTE can test multi-threaded Java programs
• URL: http://osl.cs.uiuc.edu/~ksen/cute/
• Next-generation testing tool
  • Combines testing and model checking
• jCUTE supports generation of JUnit test cases
• The tools also support replay of a buggy execution

Sun Microsystems' JDK 1.4 Library
• The java.util package provides thread-safe data-structure classes
  • LinkedList, ArrayList, HashSet, TreeMap, etc.
• Widely used
• Found previously undocumented concurrency-related problems
  • Data races, infinite loops, uncaught exceptions, and deadlocks

  List l1 = Collections.synchronizedList(new LinkedList());
  List l2 = Collections.synchronizedList(new LinkedList());
  l1.add(null);
  l2.add(null);
  // Create two threads
  // let thread 1 run
  l1.clear();
  // let thread 2 run
  l2.containsAll(l1);

Sun Microsystems' JDK 1.4 Library: results

  Name          | Runtime (s) | # Paths | # Threads | % Branch Coverage | # Functions Tested | # Bugs Found (data races + deadlocks + infinite loops + exceptions)
  Vector        | 5519 | 20000 | 5 | 76.38 | 16 | 1+9+0+2
  ArrayList     | 6811 | 20000 | 5 | 75.00 | 16 | 3+9+0+3
  LinkedList    | 4401 | 11523 | 5 | 82.05 | 15 | 3+3+1+1
  LinkedHashSet | 7303 | 20000 | 5 | 67.39 | 20 | 3+9+0+2
  TreeSet       | 7333 | 20000 | 5 | 54.93 | 26 | 4+9+0+2
  HashSet       | 7449 | 20000 | 5 | 69.56 | 20 | 19+9+0+2

Honeywell's DEOS Real-Time Scheduling Kernel
• Operating system developed for use in small business aircraft
  • jCUTE found the subtle time-partitioning error in < 1 minute
• Java PathFinder from NASA Ames ran out of memory on the original program
  • Had to test a manually created abstraction
  • Took 11 minutes to discover the same error in the abstraction