Generating Data Race Witnesses by an SMT-Based Analysis

DOI: 10.1007/978-3-642-20398-5_23
Source: DBLP

ABSTRACT Data race is one of the most dangerous errors in multithreaded programming, and despite intensive studies, it remains a notorious
cause of failures in concurrent systems. Detecting data races is already a hard problem, and yet it is even harder for a programmer
to decide whether or how a reported data race can appear in the actual program execution. In this paper we propose an algorithm for generating debugging
aid information called witnesses, which are concrete thread schedules that can deterministically trigger the data races. More specifically, given a concrete
execution trace, e.g. non-erroneous one which may have triggered a warning in Eraser-style data race detectors, we use a symbolic
analysis based on SMT solvers to search for a data race witness among alternative interleavings of events of that trace. Our
symbolic analysis precisely encodes the sequential consistency semantics using a scalable predictive model to ensure that
the reported witness is always feasible.

KeywordsData Race–Debug–SMT–Concurrent Programs

  • [Show abstract] [Hide abstract]
    ABSTRACT: Testing concurrent programs is a challenging problem due to interleaving explosion: even for a fixed set of inputs, there is a huge number of concurrent runs that need to be tested to account for scheduler behavior. Testing all possible schedules is not practical. Consequently, most effective testing algorithms only test a select subset of runs. For example, limiting testing to runs that contain data races or atomicity violations has been shown to capture a large proportion of concurrency bugs. In this paper we present a general approach to concurrent program testing that is based on techniques from artificial intelligence (AI) automated planning. We propose a framework for predicting concurrent program runs that violate a collection of generic correctness specifications for concurrent programs, namely runs that contain data races, atomicity violations, or null-pointer dereferences. Our prediction is based on observing an arbitrary run of the program, and using information collected from this run to model the behavior of the program, and to predict new runs that contain bugs with one of the above noted violation patterns. We characterize the problem of predicting such new runs as an AI sequential planning problem with the temporally extended goal of achieving a particular violation pattern. In contrast to many state-of-the-art approaches, in our approach feasibility of the predicted runs is guaranteed and, therefore, all generated runs are fully usable for testing. Moreover, our planning-based approach has the merit that it can easily accommodate a variety of violation patterns which serve as the selection criteria for guiding search in the state space of concurrent runs. This is achieved by simply modifying the planning goal. We have implemented our approach using state-of-the-art AI planning techniques and tested it within the Penelope concurrent program testing framework [35]. Nevertheless, the approach is general and is amenable to a variety of program testing frameworks. Our experiments with a benchmark suite showed that our approach is very fast and highly effective, finding all known bugs.
    International Journal on Software Tools for Technology Transfer 01/2014;
  • [Show abstract] [Hide abstract]
    ABSTRACT: Detection of data races in Java programs remains a difficult problem. The best static techniques produce many false positives, and also the best dynamic techniques leave room for improvement. We present a new technique called race directed scheduling that for a given race candidate searches for an input and a schedule that lead to the race. The search iterates a combination of concolic execution and schedule improvement, and turns out to find useful inputs and schedules efficiently. We use an existing technique to produce a manageable number of race candidates. Our experiments on 23 Java programs found 72 real races that were missed by the best existing dynamic techniques. Among those 72 races, 31 races were found with schedules that have between 1 million and 108 million events, which suggests that they are rare and hard-to-find races.
    Proceedings of the 19th ACM SIGPLAN symposium on Principles and practice of parallel programming; 02/2014
  • [Show abstract] [Hide abstract]
    ABSTRACT: We propose null-pointer dereferences as a target for finding bugs in concurrent programs using testing. A null-pointer dereference prediction engine observes an execution of a concurrent program under test and predicts alternate interleavings that are likely to cause null-pointer dereferences. Though accurate scalable prediction is intractable, we provide a carefully chosen novel set of techniques to achieve reasonably accurate and scalable prediction. We use an abstraction to the shared-communication level, take advantage of a static lock-set based pruning, and finally, employ precise and relaxed constraint solving techniques that use an SMT solver to predict schedules. We realize our techniques in a tool, ExceptioNULL, and evaluate it over 13 benchmark programs and find scores of null-pointer dereferences by using only a single test run as the prediction seed for each benchmark.
    Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering; 11/2012


Available from