Generating Data Race Witnesses by an SMT-Based Analysis

DOI: 10.1007/978-3-642-20398-5_23
Source: DBLP

ABSTRACT Data race is one of the most dangerous errors in multithreaded programming, and despite intensive studies, it remains a notorious
cause of failures in concurrent systems. Detecting data races is already a hard problem, and yet it is even harder for a programmer
to decide whether or how a reported data race can appear in the actual program execution. In this paper we propose an algorithm for generating debugging
aid information called witnesses, which are concrete thread schedules that can deterministically trigger the data races. More specifically, given a concrete
execution trace, e.g. non-erroneous one which may have triggered a warning in Eraser-style data race detectors, we use a symbolic
analysis based on SMT solvers to search for a data race witness among alternative interleavings of events of that trace. Our
symbolic analysis precisely encodes the sequential consistency semantics using a scalable predictive model to ensure that
the reported witness is always feasible.

KeywordsData Race–Debug–SMT–Concurrent Programs

  • [Show abstract] [Hide abstract]
    ABSTRACT: We propose null-pointer dereferences as a target for finding bugs in concurrent programs using testing. A null-pointer dereference prediction engine observes an execution of a concurrent program under test and predicts alternate interleavings that are likely to cause null-pointer dereferences. Though accurate scalable prediction is intractable, we provide a carefully chosen novel set of techniques to achieve reasonably accurate and scalable prediction. We use an abstraction to the shared-communication level, take advantage of a static lock-set based pruning, and finally, employ precise and relaxed constraint solving techniques that use an SMT solver to predict schedules. We realize our techniques in a tool, ExceptioNULL, and evaluate it over 13 benchmark programs and find scores of null-pointer dereferences by using only a single test run as the prediction seed for each benchmark.
    Proceedings of the ACM SIGSOFT 20th International Symposium on the Foundations of Software Engineering; 11/2012
  • [Show abstract] [Hide abstract]
    ABSTRACT: In our recent work, we addressed the problem of detecting serializability violations in a concurrent program using predictive analysis, where we used a graph-based method to derive a predictive model from a given test execution. The exploration of the predictive model to check alternate interleavings of events in the execution was performed explicitly, based on stateless model checking using dynamic partial order reduction (DPOR). Although this was effective on some benchmarks, the explicit enumeration was too expensive on other examples. This motivated us to examine alternatives based on symbolic exploration using SMT solvers. In this paper, we propose an SMT-based encoding for detecting serializability violations in our predictive model. SMT-based encodings for detecting simpler atomicity violations (with two threads and a single variable) have been used before, but to our knowledge, our work is the first to use them for serializability violations with any number of threads and variables. We also describe details of our DPOR-based explicit search and pruning, and present an experimental evaluation comparing the two search techniques. This provides some insight into the characteristics of the instances when one of these is superior to the other. These characteristics can then be used to predict the preferred technique for a given instance.
    Proceedings of the 7th international Haifa Verification conference on Hardware and Software: verification and testing; 12/2011
  • [Show abstract] [Hide abstract]
    ABSTRACT: Detection of data races in Java programs remains a difficult problem. The best static techniques produce many false positives, and also the best dynamic techniques leave room for improvement. We present a new technique called race directed scheduling that for a given race candidate searches for an input and a schedule that lead to the race. The search iterates a combination of concolic execution and schedule improvement, and turns out to find useful inputs and schedules efficiently. We use an existing technique to produce a manageable number of race candidates. Our experiments on 23 Java programs found 72 real races that were missed by the best existing dynamic techniques. Among those 72 races, 31 races were found with schedules that have between 1 million and 108 million events, which suggests that they are rare and hard-to-find races.
    Proceedings of the 19th ACM SIGPLAN symposium on Principles and practice of parallel programming; 02/2014


1 Download
Available from