TMPA-2017: Predicate Abstraction Based Configurable Method for Data Race Detection in Linux Kernel
0 likes857 views
The document discusses a method developed by the Institute for System Programming of the Russian Academy of Sciences for detecting data race conditions in the Linux kernel, identifying concurrency bugs as a significant source of errors. It outlines a lightweight core algorithm that uses predicate abstraction and techniques like reachability analysis to analyze synchronization primitives and shared data access across threads. The study emphasizes the tool's capability for precise warnings, adaptable to various tasks, and its application in identifying real race conditions in industry projects.
![11
Reachability analysis
based on predicate abstraction
{},[]
{},[]
{lock}, []
{}, []
{lock},[]
{}, []
{}, []
{}, []
{lock}, []
{lock}, []
{lock}, []
{}, []
{}, []
{}, []
int global;
int func(int var) {
if (var) {
lock();
}
global++;
if (var) {
unlock();
}
}
{}, []](https://image.slidesharecdn.com/1725-170323100802/85/TMPA-2017-Predicate-Abstraction-Based-Configurable-Method-for-Data-Race-Detection-in-Linux-Kernel-11-320.jpg)
![12
Reachability analysis
based on predicate abstraction
{}
{}
{lock}, [var != 0]
{}, [var == 0]
{lock}
{}, [var != 0]
{}, [var == 0]
{}
{lock}, [var != 0]
{lock}, [var != 0]
{lock}, [var != 0]
{}, [var == 0]
{}, [var == 0]
{}, [var != 0]
int global;
int func(int var) {
if (var) {
lock();
}
global++;
if (var) {
unlock();
}
}](https://image.slidesharecdn.com/1725-170323100802/85/TMPA-2017-Predicate-Abstraction-Based-Configurable-Method-for-Data-Race-Detection-in-Linux-Kernel-12-320.jpg)
![14
Example of False Alarm
adm8211_start(dev)
adm8211_init_rings(dev)
request_irq(adm8211_interrupt)
dev->priv->tx_buffers[entry]->skb
adm8211_interrupt(dev)
dev->priv->tx_buffers[entry]->skb](https://image.slidesharecdn.com/1725-170323100802/85/TMPA-2017-Predicate-Abstraction-Based-Configurable-Method-for-Data-Race-Detection-in-Linux-Kernel-14-320.jpg)
![15
Example of False Alarm
adm8211_start(dev)
adm8211_interrupt(dev)request_irq(adm8211_interrupt)
dev->priv->tx_buffers[entry]->skb
dev->priv->tx_buffers[entry]->skb](https://image.slidesharecdn.com/1725-170323100802/85/TMPA-2017-Predicate-Abstraction-Based-Configurable-Method-for-Data-Race-Detection-in-Linux-Kernel-15-320.jpg)
![18
Анализ разделяемых данных
struct my_struct {
int *b;
} *А;
int func() {
int *a;
a = malloc();
If
(undef_value) {
A->b = a;
}
*a = 1;
}
Доступ к разделяемым данным – потенциальная
гонка
{}
{a → local}
{a → local}
{a → shared}
{a → shared}
[undef_value !
= 0]
[undef_value
== 0]](https://image.slidesharecdn.com/1725-170323100802/85/TMPA-2017-Predicate-Abstraction-Based-Configurable-Method-for-Data-Race-Detection-in-Linux-Kernel-18-320.jpg)
TMPA-2017: Predicate Abstraction Based Configurable Method for Data Race Detection in Linux Kernel
- 1. Institute for System Programming of the Russian Academy of Sciences Predicate Abstraction Based Configurable Method for Data Race Detection in Linux Kernel Pavel Andrianov, Vadim Mutilin, Alexey Khoroshilov
- 2. 2 int global; Race Condition Thread 1 { ... global = 1; ... } Thread 2 { ... global = 2; ... } A situation, in which simultaneous accesses to the same memory location take place from several threads, one of the accesses is write
- 3. 3 Real Data Race drivers/net/wireless/marvell/libertas/libertas.ko disconnect: … kfree_skb(priv->currenttxskb); priv->currenttxskb = NULL; priv->tx_pending_len = 0; ... transmit: spin_lock(&priv->driver_lock, flags) if (priv->currenttxskb == NULL) return; … priv->currenttxskb->protocol = eth_type_trans(priv->currenttxskb, priv->dev); netif_rx(priv->currenttxskb); … spin_unlock(&priv->driver_lock, flags)
- 4. 4 Commit
- 5. 5 Motivation ● Concurrency bugs make up 20% of all across the file systems (A Study of Linux File System Evolution, FAST'13) ● Data race conditions make up 17% of all errors in the Linux kernel (Analysis of typical faults in Linux operating system drivers, Proceedings ISP RAN)
- 6. 6 Other Tools Fast and imprecise Precise, but slow Example: RELAY Example: Threader Difficult to adjust a tool to a particular task Adjustable analysis?
- 7. 7 Lockset Algorithm Potential data race is a situation, when accesses to the same shared data occur with disjoint sets of locks from two parallel threads, one access is write.
- 8. 8 Potential Race Condition … *a = 1; ... … mutex_lock(); *a = 1; mutex_unlock(); ... ● A disjoint set of synchronization primitives ● The same shared data ● Accesses from different threads, which can be executed simultaneously ● Real (reachable) paths
- 9. 9 Lightweight core algorithm Method overview A set of warnings Lockset algorithm Shared analysis Heavyweight extensions CEGAR Thread analysis Precise warnings Imprecise warnings
- 10. 10 Counter Example Guided Abstraction Refinement Error? Safe Counterexample Feasible? Abstraction Refinement Unsafe No Yes YesNo Solver Analysis Interpolation
- 11. 11 Reachability analysis based on predicate abstraction {},[] {},[] {lock}, [] {}, [] {lock},[] {}, [] {}, [] {}, [] {lock}, [] {lock}, [] {lock}, [] {}, [] {}, [] {}, [] int global; int func(int var) { if (var) { lock(); } global++; if (var) { unlock(); } } {}, []
- 12. 12 Reachability analysis based on predicate abstraction {} {} {lock}, [var != 0] {}, [var == 0] {lock} {}, [var != 0] {}, [var == 0] {} {lock}, [var != 0] {lock}, [var != 0] {lock}, [var != 0] {}, [var == 0] {}, [var == 0] {}, [var != 0] int global; int func(int var) { if (var) { lock(); } global++; if (var) { unlock(); } }
- 13. 13 Two Ways of Refinement Analysis Refinement Analysis Refinement
- 14. 14 Example of False Alarm adm8211_start(dev) adm8211_init_rings(dev) request_irq(adm8211_interrupt) dev->priv->tx_buffers[entry]->skb adm8211_interrupt(dev) dev->priv->tx_buffers[entry]->skb
- 15. 15 Example of False Alarm adm8211_start(dev) adm8211_interrupt(dev)request_irq(adm8211_interrupt) dev->priv->tx_buffers[entry]->skb dev->priv->tx_buffers[entry]->skb
- 16. 16 Example of Linux Driver module_init() catc_probe() catc_open() module_exit() usb_register_driver() register_netdev() catc_close() catc_disconnect() unregister_netdev() usb_deregister() usb_driver net_device
- 17. 17 Example of Model entry_point usb_driver handlers usb_register_driver usb_deregister() net_device handlers register_netdev() unregister_netdev()
- 18. 18 Анализ разделяемых данных struct my_struct { int *b; } *А; int func() { int *a; a = malloc(); If (undef_value) { A->b = a; } *a = 1; } Доступ к разделяемым данным – потенциальная гонка {} {a → local} {a → local} {a → shared} {a → shared} [undef_value ! = 0] [undef_value == 0]
- 19. 19 Анализ примитивов синхронизации int global; int func(int var) { if (var) { lock(); } global++; if (var) { unlock(); } } {} {} {lock} {} {lock} {} {lock} {} {lock} {lock} {} {} {} {}
- 20. 20 Thread Analysis int global; Int start() { global = 0; pthread_create(&thread, .., worker, ..); pthread_join(&thread); result = global; } {1.1} {1.1} {1.1, 2.1}{1.1} {1.1, 2.1}{1.1, 2.0} {1.1, 2.1}{1.1} {1.1} int worker() { global++; }
- 22. 22 Results Unsafes Unknowns Safes Time, h Memory, Gb + Threads, + Refinement 5 61 51 3.2 8.1 - Threads, + Refinement 6 67 44 4.1 4.0 + Threads, - Refinement 27 57 49 2.3 8.2 - Threads, - Refinement 186 54 43 2.1 3.5 113 modules of OS Linux 4.5-rc1 subsystem drivers/net/wireless/
- 23. 23 2219 warnings at drivers/ ● 2219 warnings = 270 unsafe drivers ● 55% - imprecision of environment model ● 10% - simple memory model ● 10% - operations with lists ● 10% - other inaccuracies in our analysis ● 15% - true races ● 290 true warnings = 32 bugs
- 24. 24 Conclusion ● Flexible adjustment of the balance between resources and accuracy ● Applicable to industry projects ● Real race conditions are found