TMPA-2017: Predicate Abstraction Based Configurable Method for Data Race Detection in Linux Kernel
Slide 1
Institute for System Programming of the Russian Academy of Sciences
Predicate Abstraction Based Configurable Method for Data Race Detection in Linux Kernel
Pavel Andrianov, Vadim Mutilin, Alexey Khoroshilov
Slide 2
Race Condition

int global;

Thread 1            Thread 2
{                   {
  ...                 ...
  global = 1;         global = 2;
  ...                 ...
}                   }

A situation in which several threads access the same memory location concurrently and at least one of the accesses is a write.
Slide 3
Real Data Race: drivers/net/wireless/marvell/libertas/libertas.ko

disconnect:
  …
  kfree_skb(priv->currenttxskb);
  priv->currenttxskb = NULL;
  priv->tx_pending_len = 0;
  ...

transmit:
  spin_lock(&priv->driver_lock, flags)
  if (priv->currenttxskb == NULL)
      return;
  …
  priv->currenttxskb->protocol = eth_type_trans(priv->currenttxskb, priv->dev);
  netif_rx(priv->currenttxskb);
  …
  spin_unlock(&priv->driver_lock, flags)

The transmit path checks and dereferences priv->currenttxskb under priv->driver_lock (the two-argument spin_lock/spin_unlock with flags is the slide's shorthand for the irqsave/irqrestore variants), but the disconnect path frees the skb and clears the pointer without taking the lock. The NULL check in transmit can therefore succeed immediately before disconnect frees the skb, and the following dereferences operate on freed memory.
Slide 4
Commit
Slide 5
Motivation
● Concurrency bugs make up 20% of all bugs found across the Linux file systems studied (A Study of Linux File System Evolution, FAST'13)
● Data races make up 17% of all errors in the Linux kernel (Analysis of typical faults in Linux operating system drivers, Proceedings of ISP RAS)
Slide 6
Other Tools
● Fast but imprecise (example: RELAY)
● Precise but slow (example: Threader)
It is difficult to adjust a tool to a particular task.
Adjustable analysis?
Slide 7
Lockset Algorithm
A potential data race is a situation in which two accesses to the same shared data, from two threads that run in parallel, are performed with disjoint sets of held locks, and at least one of the accesses is a write.
Slide 8
Potential Race Condition

…                     …
*a = 1;               mutex_lock();
...                   *a = 1;
                      mutex_unlock();
                      ...

Conditions for a potential race:
● disjoint sets of synchronization primitives held at the two accesses
● the same shared data
● accesses from different threads that can be executed simultaneously
● real (reachable) paths
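The lockset criterion from slides 7 and 8, as an added example (this is not the authors' tool; the analyzer in the talk is built on CPAchecker, and this toy works on hand-written access records, not on C code). Each record is constructed here: the thread or entry point the access runs in, the location, whether it writes, and the locks held. The thread names, `site` strings and the `LIBERTAS_SKETCH` model of slide 3 are assumptions made for the example. Note what the criterion does not check: whether the two threads can actually be live at the same time; that is left to the thread analysis later in the talk.

```python
"""Lockset-style potential data race detection (added example).

Two accesses are flagged as a potential race when they come from different
threads, touch the same location, at least one is a write, and the sets of
locks held at the two accesses are disjoint.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Access:
    thread: str          # thread or kernel entry point executing the access
    location: str        # abstract name of the shared memory location
    is_write: bool
    locks: frozenset     # locks held when the access happens
    site: str            # source position, for the report only (assumed)


def is_potential_race(x: Access, y: Access) -> bool:
    """Lockset criterion from the slides: different threads, same data,
    at least one write, disjoint locksets."""
    return (x.thread != y.thread
            and x.location == y.location
            and (x.is_write or y.is_write)
            and not (x.locks & y.locks))


def find_potential_races(accesses):
    """Every unordered pair of accesses that satisfies the criterion."""
    return [(x, y) for x, y in combinations(accesses, 2) if is_potential_race(x, y)]


# Constructed sample modelled on the "Potential Race Condition" slide:
# thread A writes *a with no lock held, thread B writes *a under a mutex.
SLIDE_EXAMPLE = [
    Access("A", "*a", True, frozenset(), "A:1"),
    Access("B", "*a", True, frozenset({"mutex"}), "B:2"),
]

# Constructed contrasts: both writers hold the same mutex, or both accesses
# are reads; neither pair is a potential race.
BOTH_LOCKED = [
    Access("A", "*a", True, frozenset({"mutex"}), "A:1"),
    Access("B", "*a", True, frozenset({"mutex"}), "B:2"),
]
BOTH_READS = [
    Access("A", "*a", False, frozenset(), "A:1"),
    Access("B", "*a", False, frozenset(), "B:2"),
]

# Constructed sketch of the libertas case from slide 3: disconnect writes
# priv->currenttxskb with no lock, transmit reads it under driver_lock.
LIBERTAS_SKETCH = [
    Access("disconnect", "priv->currenttxskb", True, frozenset(), "disconnect"),
    Access("transmit", "priv->currenttxskb", False,
           frozenset({"priv->driver_lock"}), "transmit"),
]


def report(accesses):
    """Human-readable lines for each potential race."""
    return [f"potential race on {x.location}: {x.site} locks={set(x.locks) or '{}'} "
            f"vs {y.site} locks={set(y.locks) or '{}'}"
            for x, y in find_potential_races(accesses)]


if __name__ == "__main__":
    for name, sample in [("slide", SLIDE_EXAMPLE), ("both locked", BOTH_LOCKED),
                         ("both reads", BOTH_READS), ("libertas", LIBERTAS_SKETCH)]:
        print(name, report(sample) or ["no potential race"])
```

The criterion is deliberately cheap: it compares locksets pairwise and never asks whether the paths are reachable or whether the two threads overlap in time, which is exactly why the lightweight core produces imprecise warnings that the heavyweight extensions then filter.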
Slide 9
Method overview
Lightweight core algorithm: shared analysis + lockset algorithm → a set of warnings (imprecise warnings)
Heavyweight extensions: CEGAR + thread analysis → precise warnings
Slide 10
Counter Example Guided Abstraction Refinement
Analysis → Error?
  No → Safe
  Yes → Counterexample → Solver: Feasible?
    Yes → Unsafe
    No → Interpolation → Abstraction Refinement → Analysis (repeat)
Slide 11
Reachability analysis based on predicate abstraction (no predicates tracked)

int global;
int func(int var) {
  if (var) {
    lock();
  }
  global++;
  if (var) {
    unlock();
  }
}

Abstract states (lockset, tracked predicates) along the program:
  entry:              {}, []
  after lock():       {lock}, []
  before global++:    {}, []  and  {lock}, []   (the branches merge; nothing records which one was taken)
  after unlock():     {}, []   (also reached from {}, [] when the abstraction enters the then-branch without holding the lock)
  exit:               {}, []  and  {lock}, []   (the lock appears to leak on the path that skips the second if)
Slide 12
Reachability analysis based on predicate abstraction (tracking var)

int global;
int func(int var) {
  if (var) {
    lock();
  }
  global++;
  if (var) {
    unlock();
  }
}

Abstract states with the predicate var != 0 / var == 0 tracked:
  entry:              {}
  after if (var):     {lock}, [var != 0]  (then-branch)   and   {}, [var == 0]  (else-branch)
  before global++:    {lock}, [var != 0]  and  {}, [var == 0]
  after second if:    {}, [var != 0]  (unlock() executed)   and   {}, [var == 0]  (branch skipped)
  exit:               {}, [var != 0]  and  {}, [var == 0]
The infeasible combinations (lock held on the var == 0 path, unlock() without the lock on the var != 0 path) are no longer explored.
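The two reachability slides and the CEGAR loop of slide 10, as one added example (not the CPAchecker implementation the talk is based on). The `func(var)` from the slide is encoded as a small control-flow graph; an abstract state is the set of held locks plus the values of whatever predicates the current precision tracks. With an empty precision the abstraction forgets both `if (var)` conditions, so four paths are explored and the lock appears to leak to the exit. The refinement is a stand-in for interpolation: it takes an infeasible path and adds the predicate whose contradictory assumptions make it infeasible to the precision, after which only the two real paths remain. The node numbering, the edge encoding and the "assume" feasibility check are assumptions of this toy, not the tool's data structures.

```python
"""Reachability with lock tracking and predicate abstraction, refined
CEGAR-style (added example, not the CPAchecker implementation).
"""

# Edges: (src, dst, kind, payload). kind is "assume", "lock", "unlock" or "access".
FUNC_CFG = [
    (0, 1, "assume", ("var", True)),    # if (var)   taken
    (0, 2, "assume", ("var", False)),   # if (var)   not taken
    (1, 2, "lock", "lock"),             # lock();
    (2, 3, "access", "global++"),       # global++;
    (3, 4, "assume", ("var", True)),    # if (var)   taken
    (3, 5, "assume", ("var", False)),   # if (var)   not taken
    (4, 5, "unlock", "lock"),           # unlock();
]
ENTRY, EXIT = 0, 5


def explore(cfg, precision):
    """Enumerate abstract paths from ENTRY to EXIT (the CFG is acyclic).

    Returns (states, paths): states maps node -> set of (locks, preds)
    reached there; paths is the list of complete edge sequences. An
    `assume` edge on a tracked predicate that contradicts the value already
    recorded is infeasible in the abstraction and is cut off.
    """
    states = {}
    paths = []
    stack = [(ENTRY, frozenset(), frozenset(), [])]
    while stack:
        node, locks, preds, path = stack.pop()
        states.setdefault(node, set()).add((locks, preds))
        if node == EXIT:
            paths.append(path)
            continue
        for edge in cfg:
            src, dst, kind, payload = edge
            if src != node:
                continue
            nlocks, npreds = locks, preds
            if kind == "assume":
                name, value = payload
                if name in precision:
                    if (name, not value) in preds:
                        continue                   # pruned as infeasible
                    npreds = preds | {(name, value)}
                # untracked predicate: the abstraction keeps both branches
            elif kind == "lock":
                nlocks = locks | {payload}
            elif kind == "unlock":
                nlocks = locks - {payload}
            stack.append((dst, nlocks, npreds, path + [edge]))
    return states, paths


def feasible(path):
    """Concrete check: a path assuming both `var` and `!var` cannot execute,
    since var is not modified inside func (stands in for the SMT solver)."""
    assumed = {payload for _, _, kind, payload in path if kind == "assume"}
    return not any((name, not value) in assumed for name, value in assumed)


def refine(path):
    """Toy interpolation: the predicates whose contradictory assumptions
    make the path infeasible are added to the precision."""
    assumed = {payload for _, _, kind, payload in path if kind == "assume"}
    return {name for name, value in assumed if (name, not value) in assumed}


def cegar(cfg, max_rounds=10):
    """Analysis / counterexample check / refinement loop from the CEGAR slide."""
    precision = set()
    for _ in range(max_rounds):
        states, paths = explore(cfg, precision)
        spurious = [p for p in paths if not feasible(p)]
        if not spurious:
            return precision, states, paths
        precision |= refine(spurious[0])
    raise RuntimeError("refinement did not converge")


def locksets_at(states, node):
    """Locksets the abstraction considers possible at a CFG node."""
    return {locks for locks, _ in states.get(node, ())}


if __name__ == "__main__":
    coarse_states, coarse_paths = explore(FUNC_CFG, set())
    print("no predicates: paths =", len(coarse_paths),
          "locksets at exit =", locksets_at(coarse_states, EXIT))
    precision, states, paths = cegar(FUNC_CFG)
    print("refined precision =", precision, "paths =", len(paths),
          "locksets at exit =", locksets_at(states, EXIT))
```

Before refinement the exit is reached with the lock still held; after refinement the exit states are lock-free, while `global++` is still reached both with and without the lock, now tied to `var != 0` and `var == 0` respectively. That remaining unlocked access is real, which is the point of the configurable trade-off: refinement removes the spurious states, not the genuine ones.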
Slide 13
Two Ways of Refinement
(diagram: two variants of the Analysis → Refinement → Analysis loop)
Slide 14
Example of False Alarm

adm8211_start(dev)
  adm8211_init_rings(dev)
    dev->priv->tx_buffers[entry]->skb
  request_irq(adm8211_interrupt)

adm8211_interrupt(dev)
  dev->priv->tx_buffers[entry]->skb

Both adm8211_init_rings() and adm8211_interrupt() touch dev->priv->tx_buffers[entry]->skb without a common lock, so the lockset algorithm reports the pair.
Slide 15
Example of False Alarm

adm8211_start(dev)
  adm8211_init_rings(dev)
    dev->priv->tx_buffers[entry]->skb
  request_irq(adm8211_interrupt)  →  adm8211_interrupt(dev)
                                       dev->priv->tx_buffers[entry]->skb

The pair is a false alarm: the interrupt handler is registered by request_irq(), which adm8211_start() calls only after adm8211_init_rings() has returned, so the two accesses cannot execute in parallel. Seeing this requires the environment model to start the handler at the registration call rather than at module entry.
Slide 16
Example of Linux Driver (catc)

module_init()        → usb_register_driver()
  catc_probe()       → register_netdev()
    catc_open()
    catc_close()
  catc_disconnect()  → unregister_netdev()
module_exit()        → usb_deregister()

usb_driver handlers: catc_probe(), catc_disconnect()
net_device handlers: catc_open(), catc_close()
Slide 17
Example of Model

entry_point
  usb_register_driver()
    usb_driver handlers (may run from here on)
      register_netdev()
        net_device handlers (may run from here on)
      unregister_netdev()
  usb_deregister()
Slide 18
Shared Data Analysis

struct my_struct {
  int *b;
} *A;

int func() {
  int *a;                  // {}
  a = malloc();            // {a → local}
  if (undef_value) {       // [undef_value != 0] / [undef_value == 0]
    A->b = a;              // {a → shared}: a escapes through the global A
  }
  *a = 1;                  // {a → shared} if undef_value != 0, {a → local} if undef_value == 0
}

An access to shared data is a potential race.
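The shared-data analysis of this slide, as an added example (a toy written for this page, not the authors' implementation). It runs the slide's `func()` over a constructed mini-IR and tracks, per path, whether each pointer variable refers to thread-local memory (a fresh allocation) or to memory reachable from a global; storing the pointer into `A->b` flips it to shared. Unknown pointers are treated as shared, which is the conservative default. The IR statement names (`alloc`, `store_global`, `write`, `if`) and the two contrast programs are assumptions of the example.

```python
"""Flow-sensitive shared-data analysis (added example, not the tool's code).

For every pointer variable the analysis records whether it can only point
to memory private to the current thread ("local") or to memory reachable
from a global ("shared"). Only accesses through shared pointers are handed
on to the lockset check.
"""
LOCAL, SHARED = "local", "shared"

# The slide's func(), as a constructed mini-IR:
#   a = malloc();  if (undef_value) { A->b = a; }  *a = 1;
SLIDE_PROGRAM = [
    ("alloc", "a"),
    ("if", "undef_value",
        [("store_global", "A->b", "a")],        # then: a escapes via global A
        []),                                    # else: nothing
    ("write", "a", "*a = 1"),
]

# Constructed contrasts: a pointer that never escapes, and an unknown pointer.
ALWAYS_LOCAL = [("alloc", "a"), ("write", "a", "*a = 1")]
UNKNOWN_POINTER = [("write", "p", "*p = 1")]


def run(stmts, state, assumptions):
    """Abstractly execute `stmts` from `state`, splitting at every `if`.

    Returns one (state, assumptions, accesses) triple per path, where
    accesses is a list of (text, classification, assumptions-on-that-path).
    """
    paths = [(dict(state), list(assumptions), [])]
    for stmt in stmts:
        kind = stmt[0]
        next_paths = []
        for st, asm, acc in paths:
            if kind == "alloc":
                next_paths.append(({**st, stmt[1]: LOCAL}, asm, acc))
            elif kind == "store_global":
                _, _target, var = stmt
                next_paths.append(({**st, var: SHARED}, asm, acc))
            elif kind in ("read", "write"):
                _, var, text = stmt
                cls = st.get(var, SHARED)           # unknown pointer: assume shared
                next_paths.append((st, asm, acc + [(text, cls, tuple(asm))]))
            elif kind == "if":
                _, cond, then_branch, else_branch = stmt
                for branch, taken in ((then_branch, True), (else_branch, False)):
                    for st2, asm2, acc2 in run(branch, st, asm + [(cond, taken)]):
                        next_paths.append((st2, asm2, acc + acc2))
            else:
                raise ValueError(f"unknown statement {kind}")
        paths = next_paths
    return paths


def shared_accesses(program):
    """Accesses that touch shared memory on some path, with the branch
    assumptions of that path; these are the candidates for a potential race."""
    return [(text, asm) for _, _, acc in run(program, {}, [])
            for text, cls, asm in acc if cls == SHARED]


if __name__ == "__main__":
    for name, prog in [("slide", SLIDE_PROGRAM), ("always local", ALWAYS_LOCAL),
                       ("unknown pointer", UNKNOWN_POINTER)]:
        print(name, shared_accesses(prog))
```

For the slide's program the write `*a = 1` is reported only on the path with `undef_value != 0`; on the other path `a` is still local and the access is dropped before any lockset comparison, which is how the shared analysis shrinks the set of accesses the lockset algorithm has to consider.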
Slide 19
Analysis of Synchronization Primitives

int global;
int func(int var) {
  if (var) {           // {}
    lock();            // {lock}
  }
  global++;            // {} and {lock}
  if (var) {           // {} and {lock}
    unlock();          // {}
  }
}                      // {} and {lock}

Tracking only the lockset, the analysis reaches global++ both with and without the lock, since nothing ties the lockset to the branch that was taken.
Slide 20
Thread Analysis

int global;

int start() {                                // {1.1}
  global = 0;                                // {1.1}
  pthread_create(&thread, .., worker, ..);   // {1.1, 2.1}
  pthread_join(&thread);                     // {1.1, 2.0}
  result = global;                           // {1.1}
}

int worker() {                               // {1.1, 2.1}
  global++;
}

State notation: thread id followed by a status flag (2.1 after pthread_create, 2.0 after pthread_join). Neither access to global in start() can run in parallel with the one in worker(): the write happens before the thread is created and the read after it has been joined.
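The thread analysis of this slide, as an added example written for this page (not the tool's code). The slide annotates each program point with the set of threads known to exist and their status; the example below encodes the same information as lifetime intervals on the main thread's timeline: a created thread is alive between its `pthread_create` and `pthread_join`, and an access of the main thread can overlap an access of that thread only while it is alive. Locks are ignored on purpose so the effect of the thread analysis alone is visible. The statement encoding, the thread name "worker" and the `MAIN_NO_JOIN` variant are assumptions of the example.

```python
"""Thread analysis: which accesses can really run in parallel (added example).

Statements of the main thread are numbered in program order. Every
pthread_create/pthread_join pair gives the created thread a lifetime
interval on that timeline. A main-thread access may run in parallel with
an access of a created thread only if its position lies strictly inside
that thread's lifetime; accesses of two created threads may run in
parallel only if their lifetimes overlap.
"""
import math
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Access:
    thread: str        # "main" or the name of a created thread
    index: int         # position in the main thread, or -1 for created threads
    location: str
    is_write: bool
    text: str


def analyse(main, bodies):
    """Collect lifetimes of created threads and all accesses.

    `main` is a list of ("access", location, is_write, text),
    ("create", name) or ("join", name); `bodies` maps a thread name to the
    list of ("access", ...) statements it executes.
    """
    lifetimes = {}
    accesses = []
    for i, stmt in enumerate(main):
        if stmt[0] == "create":
            lifetimes[stmt[1]] = [i, math.inf]       # open-ended until joined
        elif stmt[0] == "join":
            lifetimes[stmt[1]][1] = i
        elif stmt[0] == "access":
            accesses.append(Access("main", i, *stmt[1:]))
    for name, body in bodies.items():
        for stmt in body:
            if stmt[0] == "access":
                accesses.append(Access(name, -1, *stmt[1:]))
    return lifetimes, accesses


def may_run_in_parallel(x, y, lifetimes):
    """True if the thread analysis cannot order the two accesses."""
    if x.thread == y.thread:
        return False
    if x.thread == "main" or y.thread == "main":
        main_acc, other = (x, y) if x.thread == "main" else (y, x)
        created, joined = lifetimes[other.thread]
        return created < main_acc.index < joined
    (c1, j1), (c2, j2) = lifetimes[x.thread], lifetimes[y.thread]
    return c1 < j2 and c2 < j1                      # lifetimes overlap


def conflicting_pairs(main, bodies):
    """Access pairs on the same location, at least one write, that the
    thread analysis cannot rule out (locks deliberately ignored here)."""
    lifetimes, accesses = analyse(main, bodies)
    return [(x, y) for x, y in combinations(accesses, 2)
            if x.location == y.location and (x.is_write or y.is_write)
            and may_run_in_parallel(x, y, lifetimes)]


# Constructed model of the slide's start()/worker().
MAIN = [
    ("access", "global", True, "global = 0"),
    ("create", "worker"),
    ("join", "worker"),
    ("access", "global", False, "result = global"),
]
THREAD_BODIES = {"worker": [("access", "global", True, "global++")]}

# Constructed variant with the pthread_join removed: the read of `global`
# now overlaps the worker's lifetime and the pair must be reported.
MAIN_NO_JOIN = [stmt for stmt in MAIN if stmt[0] != "join"]


if __name__ == "__main__":
    print("with join:   ", [(x.text, y.text) for x, y in conflicting_pairs(MAIN, THREAD_BODIES)])
    print("without join:", [(x.text, y.text) for x, y in conflicting_pairs(MAIN_NO_JOIN, THREAD_BODIES)])
```

With the join in place no pair survives, even though both threads write `global` without any lock; removing the join makes `result = global` overlap the worker's lifetime and the pair is reported. This is the filter that turns the lockset algorithm's imprecise warnings into the precise ones in the results table.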
Slide 21
Method Overview
Slide 22
Results

Configuration              Unsafes   Unknowns   Safes   Time, h   Memory, GB
+ Threads, + Refinement        5        61        51      3.2        8.1
- Threads, + Refinement        6        67        44      4.1        4.0
+ Threads, - Refinement       27        57        49      2.3        8.2
- Threads, - Refinement      186        54        43      2.1        3.5

113 modules of Linux 4.5-rc1, subsystem drivers/net/wireless/
Slide 23
2219 warnings at drivers/
● 2219 warnings in 270 drivers reported as unsafe
● 55% - imprecision of the environment model
● 10% - simple memory model
● 10% - operations with lists
● 10% - other inaccuracies in our analysis
● 15% - true races
● 290 true warnings correspond to 32 bugs
Slide 24
Conclusion
● Flexible adjustment of the balance between resources and accuracy
● Applicable to industry projects
● Real race conditions are found
Slide 25
Thank you!
Questions?