Abstract
Stateless model checking is a powerful technique for testing concurrent programs, but suffers from exponential state space explosion when the test input parameters are too large. Several reduction techniques can mitigate this explosion, but even after pruning equivalent interleavings, the state space size is often intractable. Most prior tools are limited to preempting only on synchronization APIs, which reduces the space further, but can miss unsynchronized thread communication bugs. Data race detection, another concurrency testing approach, focuses on suspicious memory access pairs during a single test execution. It avoids concerns of state space size, but may report races that do not lead to observable failures, which jeopardizes a user’s willingness to use the analysis.
We present Quicksand, a new stateless model checking framework which manages the exploration of many state spaces using different preemption points. It uses state space estimation to prioritize jobs most likely to complete in a fixed CPU budget, and it incorporates data-race analysis to add new preemption points on the fly. Preempting threads during a data race’s instructions can automatically classify the race as buggy or benign, and uncovers new bugs not reachable by prior model checkers. It also enables full verification of all possible schedules when every data race is verified as benign within the CPU budget. In our evaluation, Quicksand found 1.25x as many bugs and verified 4.3x as many tests compared to prior model checking approaches.
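To make the workflow in the abstract concrete, here is an added example (not code from the paper or from the Quicksand tool) of a toy stateless model checker in Python: it first explores a two-thread program with preemption only at thread boundaries, runs a simplified race detector that assumes no synchronization exists between threads (happens-before is program order only), then re-explores with a preemption point at every racing instruction and labels each race buggy or benign by whether some schedule violates the test's assertion. The step representation, `explore`, `find_races`, `classify` and the two sample programs are all constructed for this illustration.

```python
import copy
# Toy program model (constructed for this example): a thread is a list of steps,
# each (kind, var, fn) with kind "load" or "store" and fn mutating (mem, regs).
# No locks exist, so happens-before is program order only and every cross-thread
# conflicting access pair is a data race (a simplification of a real detector).
def load(var):
    return ("load", var, lambda mem, regs: regs.__setitem__("r", mem[var]))

def store(var, value):
    return ("store", var, lambda mem, regs: mem.__setitem__(var, value(regs)))

def explore(threads, init, preempt, check):
    """Enumerate every schedule that switches threads only before a (thread, pc) step in
    `preempt` or when the running thread finishes; return the schedules failing `check`."""
    failures = []
    def run(mem, regs, pcs, sched, cur):
        runnable = [t for t in range(len(threads)) if pcs[t] < len(threads[t])]
        if not runnable:
            if not check(mem):
                failures.append(sched)
            return
        # With no preemption point at its next step, the running thread keeps the CPU.
        forced = cur in runnable and (cur, pcs[cur]) not in preempt
        for t in ([cur] if forced else runnable):
            mem2, regs2, pcs2 = copy.deepcopy(mem), copy.deepcopy(regs), list(pcs)
            threads[t][pcs2[t]][2](mem2, regs2[t])  # execute one step atomically
            pcs2[t] += 1
            run(mem2, regs2, pcs2, sched + [t], t)
    run(dict(init), [{} for _ in threads], [0] * len(threads), [], None)
    return failures

def find_races(threads):
    """Same-variable access pairs from different threads where at least one is a store."""
    acc = [(t, pc, k, v) for t, th in enumerate(threads) for pc, (k, v, _) in enumerate(th)]
    return {((t1, p1), (t2, p2)) for t1, p1, k1, v1 in acc for t2, p2, k2, v2 in acc
            if t1 < t2 and v1 == v2 and "store" in (k1, k2)}

def classify(threads, init, check):
    """Sync-only exploration first, then re-explore preempting at every racing access."""
    sync_only = explore(threads, init, set(), check)
    races = find_races(threads)
    with_races = explore(threads, init, {a for pair in races for a in pair}, check)
    return len(sync_only), len(races), len(with_races), "buggy" if with_races else "benign"

# Constructed programs: a lost-update counter and an idempotent flag write.
LOST_UPDATE = [[load("count"), store("count", lambda r: r["r"] + 1)] for _ in range(2)]
IDEMPOTENT = [[store("flag", lambda r: 1)] for _ in range(2)]
```

`classify(LOST_UPDATE, {"count": 0}, lambda m: m["count"] == 2)` returns `(0, 3, 4, "buggy")`: the sync-only pass misses the lost update entirely, while race preemption points expose four failing schedules; `classify(IDEMPOTENT, {"flag": 0}, lambda m: m["flag"] == 1)` returns `(0, 1, 0, "benign")` because no schedule violates the assertion even with the race preempted.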