This presentation explores an approach to automatically detect concurrency bugs in large-scale software systems using improved pattern matching techniques and semantic information. The goal is to identify common concurrency bug patterns and classify reported bugs for better bug detection. The presentation includes examples of concurrency bugs and introduces new bug patterns that can be used for automated bug detection.
Concurrency Bug Detection through Improved Pattern Matching Using Semantic Information
Slides taken from Shin Hong's MS Thesis Defense
Moonzoo Kim, CS Dept., KAIST
Approach
• Verification techniques
  [Figure: Model Checking, Testing, Lock-based static analysis and Pattern-based analysis plotted against Precision and Scalability axes]
• Related works
  - Lock-based static analysis techniques: RacerX, RELAY
    Lock discipline, partial order among locks
  - Pattern-based bug detection: MetaL, FindBugs
    Low precision (too many false alarms)
Goal
• Code-based automatic concurrency bug detection for large-size system software
  [Figure: Linux file system verification, arranged by level of abstraction. Linux file system code -> reported bug survey (change log & code review) -> concurrency bug classification -> common bug patterns -> concurrency bug patterns -> semantics-augmented concurrency bug patterns -> concurrency bug detection technique]
• Idea: Automatically detect common concurrency bugs using both syntactic and semantic code pattern matching
Concurrency Bug Classification (1/3)
• We survey previous concurrency bugs from Linux file systems
  • Search Linux Change Log 2.6.1 ~ 2.6.28
  • Keywords: concurrency, data race, deadlock, livelock, file system, ext, etc.
  • In almost 300 documents, we found 40 bug reports (patches) related to both file systems and concurrency bugs.
• We construct a concurrency bug classification to analyze the bug reports
  • 5 different aspects
    • Symptom: Data race (machine exception), Data race (faulty state), Deadlock, Livelock
    • Fault: Design decision violations, Incorrect use of synchronization idioms, Program logic error
    • Resolution: {Insert, Remove, Change, Reorder} × {Sync. operation, Data operation, Control operation}
    • Related synchronization mechanism: Instruction, Barrier, Thread operations, Conditional variable, Lock, Complex lock, Semaphore
    • Synchronization granularity: Kernel-level, File system-level, File-level, Inode-level
  • 27 bugs are classified
Example of Concurrency Bug
• Example Bug08 (reported in Linux Change Log 2.6.11.11, /fs/ext3/balloc.c)
  - Symptom: Data race (faulty state)
  - Fault: Incorrect use of synchronization idioms. ext3_discard_reservation() uses the test and test-and-set idiom incorrectly by omitting the second test. This allows a race in which rsv_window_remove() is invoked twice for the same object.
  - Resolution: Insert control operations
  - Related synchronization mechanism: Binary lock
  - Lock granularity: File system

  /* Linux kernel 2.11.10 (buggy: no re-test after taking the lock) */
  ext3_discard_reservation(inode * inode) {
      if (!rsv_is_empty(&rsv->rsv_window)) {
          spin_lock(rsv_lock);
          rsv_window_remove(inode->i_sb, rsv);
          spin_unlock(rsv_lock);
      }
  }

  /* Linux kernel 2.11.11 (fixed: re-test under the lock) */
  ext3_discard_reservation(inode * inode) {
      if (!rsv_is_empty(&rsv->rsv_window)) {
          spin_lock(rsv_lock);
          if (!rsv_is_empty(&rsv->rsv_window))
              rsv_window_remove(inode->i_sb, rsv);
          spin_unlock(rsv_lock);
      }
  }
Concurrency Bug Classification
• 13 of the 27 bugs in the concurrency bug classification cannot be detected by conventional lock-based concurrency bug detection techniques.
Concurrency Bug Patterns
• Based on the bug analysis result from the classification, we define 10 concurrency bug patterns in order to detect unrevealed bugs automatically by code pattern matching.
Misused Test and Test-and-Set Bug Pattern

  /* Correct code */
  int data; /* shared data */
  int func() {
      if (test(data)) {        /* test */
          lock();
          if (test(data)) {    /* test again, now under the lock */
              data = newvalue;
          }
          unlock();
      }
  }

  /* Incorrect code: by the time the lock is held, test(data) might be false */
  int data; /* shared data */
  int func() {
      if (test(data)) {        /* test */
          lock();
          data = newvalue;     /* no second test */
          unlock();
      }
  }
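The race behind Bug08 and the pattern above, as an added example that is not code from the slides or from the kernel: a constructed C model in which two threads step through ext3_discard_reservation() under a fixed interleaving, once without and once with the re-test under the lock. The model's names (rsv_model_t, run_interleaving, and the step enum) are assumptions of this example.

```c
#include <stdbool.h>

/* Constructed model (added example): two threads discard the same
 * reservation window.  Each thread is stepped by hand, so the harmful
 * interleaving is reproduced deterministically instead of depending on
 * real scheduling. */
typedef struct {
    bool window_present;   /* !rsv_is_empty(&rsv->rsv_window) */
    int  remove_calls;     /* number of rsv_window_remove() invocations */
    bool locked;           /* state of rsv_lock */
} rsv_model_t;

enum stmt { TEST_OUTSIDE, LOCK, TEST_INSIDE, REMOVE, UNLOCK, DONE };
typedef struct { enum stmt pc; } thread_t;

/* Execute one statement of the function for thread t.  With recheck == true
 * the window is tested again under the lock (the fixed version). */
static void step(rsv_model_t *r, thread_t *t, bool recheck)
{
    switch (t->pc) {
    case TEST_OUTSIDE: t->pc = r->window_present ? LOCK : DONE; break;
    case LOCK:
        if (r->locked) break;                 /* spin_lock: keep spinning */
        r->locked = true;
        t->pc = recheck ? TEST_INSIDE : REMOVE;
        break;
    case TEST_INSIDE:  t->pc = r->window_present ? REMOVE : UNLOCK; break;
    case REMOVE:       r->remove_calls++; r->window_present = false; t->pc = UNLOCK; break;
    case UNLOCK:       r->locked = false; t->pc = DONE; break;
    case DONE:         break;
    }
}

/* Interleaving: both threads pass the unlocked test before either takes
 * the lock; then A runs to completion, then B.  Returns how many times
 * the window was removed (correct behaviour is exactly once). */
static int run_interleaving(bool recheck)
{
    rsv_model_t r = { true, 0, false };
    thread_t a = { TEST_OUTSIDE }, b = { TEST_OUTSIDE };
    step(&r, &a, recheck);                    /* A: window present, go lock */
    step(&r, &b, recheck);                    /* B: still present, go lock */
    while (a.pc != DONE) step(&r, &a, recheck);
    while (b.pc != DONE) step(&r, &b, recheck);
    return r.remove_calls;
}

int removes_without_recheck(void) { return run_interleaving(false); }  /* 2 */
int removes_with_recheck(void)    { return run_interleaving(true);  }  /* 1 */
```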
Concurrency Bug Patterns (3/3)
• Bug detection result by pattern matching
  • Misused Test and Test-and-Set pattern:
    • We analyze 9 file systems with the VFS layer in Linux 2.6.30.4.
    • 142 suspected bugs are revealed as false positives by manual review and discussion with maintainers.
  - Ex. A suspected bug detected from NFS

  /* In Linux kernel 2.6.30.4 /fs/nfs/nfs4state.c */
  void nfs_free_seqid(nfs_seqid *seqid) {
      if (!list_empty(&seqid->list)) {
          sequence = seqid->sequence->sequence;
          spin_lock(&sequence->lock);
          list_del(&seqid->list);
          spin_unlock(&clp->cl_lock);
          rpc_wake_up(&sequence->wait);
      }
  }
Semantics Augmented Pattern Matching
• There are the following main sources of false positives:
  • No parallel thread to be scheduled
  • Synchronized by other locks
  • Shared variable initializations without holding locks
• We improve the bug pattern matching using semantic information to refine the bug detection results: thread-sensitive analysis, lock analysis, simple points-to analysis
  [Figure: state space diagram showing program behavior (reachable states), safe states (no error), bug pattern #1 and bug pattern #2, and bug pattern #1 / #2 with semantics]
COBET Framework
• We build a COncurrency Bug pattErn maTching framework (COBET) to support a programming template for effective bug pattern detector generation on top of the EDG C/C++ parser.
  [Figure: COBET architecture.
   Phase I: Bug pattern description and pattern detector construction. Bug 1 description and Bug 2 description feed the COBET synthesizer, which produces bug pattern detector 1 and bug pattern detector 2.
   Phase II: Code pattern matching with semantic code checking. Target C source code goes through the AST generator; the syntactic pattern matcher and the semantic condition checker use the semantic analysis engine (lock analysis, alias analysis, path analysis), configured with thread starting functions, lock spec. and memory alloc. spec.]
COBET: Pattern-driven Concurrency Bug Detection Framework
COBET Synthesizer
• Pattern description language (PDL)
  [Figure: grammar of COBET PDL]
  Example of the incorrect test-test-set bug pattern in PDL:

  pattern1 {
    fun $f1 {
      if $cond {
        lock $l;
        \{ if $cond { } }
        unlock $l;
  }}}

  pattern2 {
    fun $f2 {
      write $w;
  }}
Thread Sensitive Analysis (1/2)
• Most concurrency errors are interleaved executions of two or more threads.
• We extend each bug pattern to specify multiple disconnected code patterns which are necessary for a bug to occur.
• The extended bug pattern matching takes as input thread starting functions (system call handlers), thread-spawning operations, and interrupt-handler registering operations to identify execution starting points.
  [Figure: an error execution formed by interleaving code pattern match #1 and code pattern match #2]
Thread Sensitive Analysis (2/2)
• Ex. Extended Misused Test and Test-and-Set bug pattern
  • Code pattern #1:
      if (expr) {
          lock(m);
          /* no if (expr) here */
          ...
          unlock(m);
      }
  • Code pattern #2:
      write(x);
  • Condition: expr may read x
• Ex. A suspected bug of Misused Test and Test-and-Set from the Proc file system
  • Code pattern #1 Match-1:
      proc_get_sb() {
          ...
          ei = PROC_I(sb->s_root->d_inode);
          if (!ei->pid) {
              rcu_read_lock();
              ei->pid = get_pid(find_pid_ns(1, ns));
              rcu_read_unlock();
          }
          ...
  • Code pattern #2 Match-1:
      proc_get_sb() {
          ...
          if (!ei->pid)
              ei->pid = find_get_pid(1);
  • Code pattern #2 Match-2:
      proc_alloc_inode() {
          ...
          ei = kmem_cache_alloc(...);
          if (!ei) return NULL;
          ei->pid = NULL;
Lock Analysis (1/3)
• We apply lock analysis to compute the set of locks held when a code pattern match is executed.
  • Inter-procedural, flow-sensitive, path-insensitive analysis (similar to RacerX).
  • The specification of lock acquiring (releasing) operations is given by users.
  [Figure: one path acquires Lock(A) and Lock(B) and reaches a code pattern match with LS = {A, B}; the other acquires Lock(A), Lock(C) and then Unlock(C) and reaches a code pattern match with LS = {A}. Conflict! No concurrent execution of the two matches is possible due to lock A.]
Lock Analysis (2/3)
• Code pattern #1 Match-1 (proc_get_sb(): ei = PROC_I(sb->s_root->d_inode); if (!ei->pid) { rcu_read_lock(); ei->pid = get_pid(find_pid_ns(1, ...)); rcu_read_unlock(); })
    sys_mount()  acquire lock_kernel()
    -> do_mount() -> do_new_mount() -> do_kern_mount() -> vfs_kern_mount() -> proc_get_sb()
    Lockset: {lock_kernel}
• Code pattern #2 Match-1 (proc_get_sb(): if (!ei->pid) ei->pid = find_get_pid(1);)
    sys_mount()  acquire lock_kernel()
    -> do_mount() -> do_new_mount() -> do_kern_mount() -> vfs_kern_mount() -> proc_get_sb()
    Lockset: {lock_kernel}
• Code pattern #2 Match-2 (proc_alloc_inode(): ei = kmem_cache_alloc(...); if (!ei) return NULL; ei->pid = NULL;)
    compat_sys_futimesat()
    -> do_utimes() -> __user_walk_fd() -> real_lookup()  acquire inode.i_mutex
    -> proc_alloc_inode()
    Lockset: {inode.i_mutex}
• Conflict between the two {lock_kernel} locksets
Lock Analysis (3/3)
• COBET uses an inter-procedural lock analysis
  • The lockset held at a call site is carried across the call into the analysis of the function being called
  • To avoid redundant inter-procedural lock analysis, the COBET semantic engine uses a cache that records the analysis result for each function
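The lockset computation described in Lock Analysis (1/3) to (3/3), as an added example in C that is not COBET's own code: a constructed and simplified version of the two call chains on the previous slide, with locks represented as bits and the lockset held at a call site threaded into the callee. The function table, the ids, and names such as lockset_at and matches_may_run_concurrently are assumptions of this example.

```c
#include <stdbool.h>

/* Constructed toy of a flow-sensitive, path-insensitive, inter-procedural
 * lock analysis: each function is a straight-line list of operations, locks
 * are bits, and a lockset is one unsigned int.  The call chains are a
 * simplified version of the Lock Analysis (2/3) slide. */
enum { LOCK_KERNEL = 1u << 0, INODE_I_MUTEX = 1u << 1 };
enum optype { ACQ, REL, CALL };
typedef struct { enum optype kind; unsigned arg; } op_t;   /* arg: lock bit or callee id */
typedef struct { const char *name; op_t ops[3]; int nops; } func_t;

enum { SYS_MOUNT, DO_MOUNT, VFS_KERN_MOUNT, PROC_GET_SB,
       COMPAT_SYS_FUTIMESAT, REAL_LOOKUP, PROC_ALLOC_INODE, NFUNCS };

static const func_t funcs[NFUNCS] = {
    [SYS_MOUNT]       = { "sys_mount", {{ACQ, LOCK_KERNEL}, {CALL, DO_MOUNT}, {REL, LOCK_KERNEL}}, 3 },
    [DO_MOUNT]        = { "do_mount", {{CALL, VFS_KERN_MOUNT}}, 1 },
    [VFS_KERN_MOUNT]  = { "vfs_kern_mount", {{CALL, PROC_GET_SB}}, 1 },
    [PROC_GET_SB]     = { "proc_get_sb", {{0}}, 0 },           /* pattern match site */
    [COMPAT_SYS_FUTIMESAT] = { "compat_sys_futimesat", {{CALL, REAL_LOOKUP}}, 1 },
    [REAL_LOOKUP]     = { "real_lookup", {{ACQ, INODE_I_MUTEX}, {CALL, PROC_ALLOC_INODE}, {REL, INODE_I_MUTEX}}, 3 },
    [PROC_ALLOC_INODE]= { "proc_alloc_inode", {{0}}, 0 },      /* pattern match site */
};

/* Walk from fn with the locks currently held; at each call site the held
 * lockset is passed into the callee.  Returns true and sets *held_at_target
 * when target is reached from fn. */
bool lockset_at(int fn, int target, unsigned held, unsigned *held_at_target)
{
    if (fn == target) { *held_at_target = held; return true; }
    for (int i = 0; i < funcs[fn].nops; i++) {
        const op_t *op = &funcs[fn].ops[i];
        if (op->kind == ACQ) held |= op->arg;
        else if (op->kind == REL) held &= ~op->arg;
        else if (lockset_at((int)op->arg, target, held, held_at_target)) return true;
    }
    return false;
}

/* Two matches are reported only if no common lock serialises them. */
bool matches_may_run_concurrently(int entry1, int match1, int entry2, int match2)
{
    unsigned ls1 = 0, ls2 = 0;
    if (!lockset_at(entry1, match1, 0, &ls1) || !lockset_at(entry2, match2, 0, &ls2))
        return false;                        /* not reachable from a thread start */
    return (ls1 & ls2) == 0;
}
```

With these chains, the two proc_get_sb() matches share lock_kernel and are suppressed, while the proc_get_sb() / proc_alloc_inode() pair holds disjoint locksets and survives to the points-to analysis.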
Points-to Analysis
• Non-shared variables are free from concurrency errors.
• A newly allocated heap variable is non-shared until it is linked to a global data structure.
• Such variables are initialized without any synchronization during their non-shared period.
• This type of code would produce false positives in bug pattern matching for lack of an alias-sensitive analysis.

  Match 1-1
    proc_get_sb() {
        ...
        ei = PROC_I(sb->s_root->d_inode);     /* Non-shared: {} */
        if (!ei->pid) {
            rcu_read_lock();
            ei->pid = get_pid(...);
            rcu_read_unlock();
        }
        ...

  Match 2-2
    proc_alloc_inode() {
        ...
        ei = kmem_cache_alloc(...);           /* Non-shared: {ei} */
        if (!ei) return NULL;
        ei->pid = NULL;                       /* Non-shared: {ei}; no other thread can access ei->pid */
        ...
Experiment Result (1/3)
• We reviewed Linux Change Logs on file systems from 2.6 to 2.6.28 and defined the four bug patterns based on actual bug history.
• Effectiveness
  • We applied the four bug pattern detectors to seven Linux file systems in kernel 2.6.30.4
  • We detected the four new bugs confirmed by Linux maintainers
Experiment Result (2/3)
• Efficiency
  • We measured the false alarm reduction rate through the semantic analyses and the time cost
  • The false alarms are reduced as additional analysis techniques are employed, and the time costs were not burdensome (8.34 sec for analyzing 193 KLOC)
Experiment Result (3/3)
• Applicability
  • We applied the four bug detectors to Linux device drivers and network modules
  [Figure: detected bug of the "Misused Test and Test-and-Set" pattern]
Conclusion
• COBET framework
  • Pattern-based concurrency bug detection framework
  • Able to define and match various bug patterns
  • Utilizes composite patterns with semantic conditions to improve accuracy
• Empirical result
  • Defined four concurrency bug patterns with various synchronization mechanisms
  • Implemented the four bug pattern detectors through COBET
  • Detected ten fresh and real bugs in Linux