1 / 17

DRACULA: Efficient Detectors of Data Races in Signal Handlers

Learn about DRACULA, a tool that detects data races in signal handlers using a watchpoint mechanism. Discover its idea, algorithm, scalability, evaluation, false positives, false negatives, and conclusion.

grisham
Download Presentation

DRACULA: Efficient Detectors of Data Races in Signal Handlers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DRACULA: Detector of Data Races in Signals Handlers T. Tahara et al. Tokyo Institute of Technology APSEC 2008 Gan Lin Nov. 07, 2011

  2. Contents • Background • DRACULA • Idea • Algorithm • Implementation • Scalability • Evaluation • False positives • False negatives • Conclusion TaGO08

  3. Background • Data Race • Occurred when a shared memory is accessed by multiple threads simultaneously, and at least one thread modifies the value of the memory. Thread_1 Thread_2 x = 10; Thread_1{x++;} Thread_2{x++;} mov x, %eax add $1 %eax st %eax, x mov x, %eax add $1 %eax st %eax, x 1 3 2 4 6 5 %eax = %eax = 10 %eax = 11 %eax = %eax = 10 %eax = 11 x = 10 x = 11 x = 11 TaGO08

  4. Background • Signal • A software interrupt that sent by the kernel or a process (using the kill system call) to notify a process that an event of some type has occurred in the system; • After receiving the signal, the normal execution flow of the process is preempted, the signal is handled instead; • The process can either ignore the signal, suspend, terminate, or catch the signal by executing a user-level function called a signal handler; • After handling the signal, the process continue. TaGO08

  5. Background x = n main sigalrm signal(SIGALRM, sigalrm); ualarm(10000, 10000); … read(x); receive SIGALRM; write(x+1); read(x); write(x+1); … read(x); write(x+1); x = n + 1 TaGO08

  6. DRACULA • Idea • Dynamically trace the accesses to global variables using watchpoint mechanism in /proc FS or debug registers: • Stops the debuggee when it attempts to access a global variable; • Deliberately send a signal to the debuggee and resume the debuggee; (invoke signal handler) • If there is another access to the same global variable watchpoint again stop the debuggee; • check the code address, whether the debuggee is stopped in a signal handler or not. TaGO08

  7. DRACULA 3 2 4 5 increase the chance of detecting data races TaGO08

  8. DRACULA • Algorithm • where the debuggee is stopped. • in signal handler • return from signal handler. • code that already checked. • code which examination are not complete. • restart the debuggee. TaGO08

  9. DRACULA R1(Read, PC1, SP1, a) W2(Write, PC2, SP2, b) W3(Write, PC3, SP3, a) R4(Read, PC4, SP4, b) V = a, b S = 2(SIGINT) main hanlder = 2 hanlder = 0 Report handler pc = sp = va = pc = PC4 sp = SP4 va = b pc = PC3 sp = SP3 va = a pc = PC2 sp = SP2 va = b pc = PC1 sp = SP1 va = a R1-W3 R1-W3 W2-R4 R1 W2 1 4 W3 R4 6 2 old_pc = NULL old_sp = NULL old_va = NULL old_pc = PC1 old_sp = SP1 old_va = a old_pc = PC2 old_sp = SP2 old_va = b 7 3 5 8 pc_sig_set = Ф pc_sig_set = (PC1, 2) pc_sig_set = (PC1, 2)(PC2, 2) 9 TaGO08

  10. DRACULA • Implementation • --early-stop: make DRACULA terminate after a first race is report. • rd.in: specifies the list of signals and global variables to be checked, and the maximum depth of nested signal handler. • On Solaris 10, /proc are used. (1,800 lines in C) • On Debian Linux, debug registers are used. (1,400 lines in C) TaGO08

  11. Scalability • Time complexity: O(P×V×S+S2) -> O(P×V) • Space complexity: O(V×S) TaGO08

  12. Evaluation • Environments • Solaris 10 (UltraSPARC-II 360MHz×2, 512MB RAM) • Debian Linux 4.0 (Intel Pentium M 1GHz, 512MB RAM) • Benchmark • Bash-3.0 (89,000 lines in C, 510 global variables) TaGO08

  13. Evaluation * # of the corresponding access positions in signal handlers Table 1. # of data races in Bash-3.0 reported by DRACULA on Solaris 10 & Debian Linux 4.0 TaGO08

  14. Evaluation * max data size of pc_sig_set at runtime Table 2. Execution speed of DRACULA’S detecting data races in Bash-3.0 TaGO08

  15. Evaluation • False positives • A variable can be atomically access without synchronization mechanisms. • Save and restore the value of global variable before and after the access to the global variable in signal handler. • Structures and arrays are used. • False negatives • Data races not in the execution path. • Data races on heap data. • Data races occurring a transaction consisting of multiple data access TaGO08

  16. Conclution • To detect data races in signal handlers, they present a new tools called DRACULA, that uses watchpoint facilities to simplify the detection process, it dynamically trace the accesses to global variables, and deliberately send signals to the process just before it access a global variable and which increase the occurrence rate of data races in signal handlers, thus make DRACULA efficient. TaGO08

  17. Thank you Q&A TaGO08

More Related