Efficient Model Checking of Data Races withAutomatically-extracted Distance-based Fitness Functions

João Paulo, Elton Alves, Marcelo Damorim, Fernando Castor

“The biggest sea change in software development since the OO revolution is knocking at the door, and its name is Concurrency”.

Herb Sutter

Concurrent Programming

• Is too hard!– Error prone

• It’s difficult to debug and find errors• Most programmers thinks that know how to

do it, but they don’t • NonDeterminism, Deadlocks, Data Races…

Race Conditionpublic class Ref { int i; void inc() { int t = i + 1; i = t; } public static void main(String args[]){ final Ref ref = new Ref(); new Thread(new Runnable(){ public void run(){ ref.inc(); } }).start(); new Thread(new Runnable(){ public void run(){ref.inc(); } }).start(); assert ref.i == 2; }}

A race condition occurs if

• two threads access a shared variable at the same time without synchronization

• at least one of those accesses is a write

public class Ref {

int i;void inc() { synchronized (this) { int t = i + 1; i = t; }}public static void main(String args[]) {

final Ref ref = new Ref();new Thread(new Runnable() {

public void run() { ref.inc();}}).start();new Thread(new Runnable() {

public void run() { ref.inc();}}).start(); assert ref.i == 2; }}

• Field Guarded by Lock

• Lock acquired before the thread enter in block

• Ensure race freedom

Guarantees the mutual exclusion

So, we need (an easy) way to discover these kind error

And there’s some tools to help us…

Program Model Checking

• It performs model checking directly into the code

• Rigorous method that exhaustively explores all possible SUT behaviors

• Is it a test?

Model Checking

Fonte: http://babelfish.arc.nasa.gov/trac/jpf/wiki/intro/testing_vs_model_checking

Java PathFinder(JPF)

• An explicit state software model checker – Focus is on finding bugs in Java programs– Developed by NASA since 1999– Turned Open Source in 2005

• State Explosion problem

State Explosion

# thread #Atomic Section

Scheduling

2 2 6

2 8 12.870

2 16 601.080.390

How JPF Works

• Backtracking• State Matching• Partial Order Reduction• Listener

How do we Detect Potencial Races?

• Using a customized JPF listener• For each PUTFIELD or GETFIELD– Get Object Reference• Get the accessed Field

– Get Current Thread» Get Current Instruction

• Get the set of Acquireds Locks

How do we Detect Potencial Races?[2]

• So, we have a report like this:

Account-Listener-Result.txt

How do we Detect Potencial Races?[3]

• which can be simplified for this

Account-compacted.txt

How good is our solution?

• Running Subject account , input 6• JPF go through 27.670 states• The solution converges in just 67 states• = 0,002 < 1 % of search State

Account-6-output.txt

But we have some false positives…

And we don´t want them.

Our Research Idea

• Guide Model Checking• Attempt to Avoid State explosion• Uses heuristics to classifies a given a state– Interesting State has value 0– Boring State has value Integer.Max

• Uses distance based fitness function

Our work-in-progress

• Find a heuristic function to guide the Model Checking

• Evaluate the function• This is harder than we thought

Our work-in-progress[2]CallTrace cg; /* computed on-the-fly */AccessPair[] goals; /* computed on-the-fly */MethodInfo driver; /* test driver */

int eval(State jpfState) { ThreadInfo[] tis = jpfState.threadInfos(); TraceInfo ti = cg.getTrace(); for(int i=0; i<tis.length; i++) {

MethodInfo ma = tis[j].getCurrentMethod(); foreach p:Pair in goals { int d = dist(ti, p.mx) * dist(ti, p.my); if (d < min) min = d; } } return min;}

int dist(TraceInfo tSource, MethodInfo mDest) { int result = shortestPath(cg, tSource, mDest); if (result == -1) { // mDest not reachable from mSource return shortestPathFromDriver(cg, driver, mSource, mDest); }}

If we are not so good to do it…

• The research goal could moves to compare the ‘potencial data race’ finded with other approaches

Thanks