Marathon: Detecting Atomic-Set Serializability Violations with Conflict Graphs

William Sumner, Christian Hammer, Julian Dolby

Purdue, Utah State, IBM Watson

RV 2011 - September 2011 - San Francisco, CA

Thursday, September 29, 2011


Presentation at Runtime Verification 2011


Outline

Motivation: finding concurrency errors

Approach: atomic sets and serializability

Implementation: conflict graphs

Results

Related work and conclusions


Finding Concurrency Errors

Parallel hardware is ubiquitous, even phones

Software must exploit this concurrency

Concurrency allows new kinds of bugs

Multiple threads simultaneously access data

Bugs when simultaneous access is “incorrect”


Atomic Sets

    class Point {
        double x;
        double y;
    }

Fields x and y make up a logical point

Fields x and y denote an atomic set

Atomic Set Serializability

Concurrent operations see consistent points


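Units of Work

    class Point {
        double x;
        double y;

        // Unit of work: updates both fields of the atomic set.
        void move(int x, int y) {
            this.x += x;
            this.y += y;
        }

        // Unit of work: reads both fields of the atomic set.
        double mag() {
            return Math.sqrt(x * x + y * y);
        }
    }

[Figure: the move and mag units of work on separate threads, with their accesses to x and y]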


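Concurrency Errors

    class Point {
        double x;
        double y;

        // Unit of work: updates both fields of the atomic set.
        void move(int x, int y) {
            this.x += x;
            this.y += y;
        }

        // Unit of work: reads both fields of the atomic set.
        double mag() {
            return Math.sqrt(x * x + y * y);
        }
    }

[Figure: the move and mag units of work on separate threads, with their accesses to x and y]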


Concurrency Errors

Look for concurrency errors per atomic set

Improve accuracy:

Focus on related memory locations

Focus on conceptual units of work on them

Aid implementation:

Short-running units of work, small sets

Enables compact conflict graph structure


Inferring Atomic Sets

Must infer atomic sets

Make approach applicable to existing code

Minimize burden on developer or tester

Exploit object structure to infer atomic sets

Assume each object defines an atomic set

Heuristics to include “child” objects


“Child” Object Example

    class Point {
        double x;
        double y;
    }

    class Rectangle {
        Point ll;  // lower-left corner
        Point ur;  // upper-right corner

        // Reads fields of the Point fields directly.
        double area() {
            return (ur.x - ll.x) * (ur.y - ll.y);
        }
    }

Heuristic: direct access to a field of a field means the field is a child


Conflict Graph Implementation

A conflict graph records tasks, memory uses

A node in the graph is a unit of work

Edges capture memory dependence

write-read, read-write, write-write

The atomic sets model keeps the graph manageable

Individual units of work tend to be short

Old tasks can be garbage collected


Conflict Graph Examples

[Figure: two conflict graphs over the move and mag units of work and their accesses to x and y, with edges labelled WAR and RAW]
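
An added example, not taken from the slides or from Marathon itself: a minimal conflict graph checker in Python, run over two constructed access traces for the Point atomic set. The trace format, the function names and the unit names move#1 and mag#1 are assumptions; a cycle in the graph means the interleaving is not serializable for that atomic set.

```python
from collections import defaultdict

# Constructed traces: (unit of work, operation, location in the atomic set).
SERIAL = [("move#1", "R", "x"), ("move#1", "W", "x"), ("move#1", "R", "y"),
          ("move#1", "W", "y"), ("mag#1", "R", "x"), ("mag#1", "R", "y")]
INTERLEAVED = [("move#1", "R", "x"), ("move#1", "W", "x"), ("mag#1", "R", "x"),
               ("mag#1", "R", "y"), ("move#1", "R", "y"), ("move#1", "W", "y")]

def build_conflict_graph(trace):
    """Return {unit: {(successor, kind)}} with kind in RAW, WAR, WAW."""
    edges = defaultdict(set)
    last_writer = {}              # location -> unit that last wrote it
    readers = defaultdict(set)    # location -> units that read since that write
    for unit, op, loc in trace:
        edges[unit]               # every unit of work is a node, even without edges
        writer = last_writer.get(loc)
        if op == "R":
            if writer is not None and writer != unit:
                edges[writer].add((unit, "RAW"))      # write-read dependence
            readers[loc].add(unit)
        else:
            if writer is not None and writer != unit:
                edges[writer].add((unit, "WAW"))      # write-write dependence
            for reader in readers[loc] - {unit}:
                edges[reader].add((unit, "WAR"))      # read-write dependence
            last_writer[loc] = unit
            readers[loc].clear()
    return edges

def find_cycle(edges):
    """Return the units on one cycle, or None if the trace is serializable."""
    state = {}                    # unit -> "open" (on the DFS path) or "done"
    def visit(unit, path):
        state[unit] = "open"
        path.append(unit)
        for succ, _kind in sorted(edges[unit]):
            if state.get(succ) == "open":
                return path[path.index(succ):]
            if succ not in state:
                cycle = visit(succ, path)
                if cycle:
                    return cycle
        path.pop()
        state[unit] = "done"
        return None
    for unit in sorted(edges):
        if unit not in state:
            cycle = visit(unit, [])
            if cycle:
                return cycle
    return None
```

In the interleaved trace mag reads the new x and the old y, which yields a RAW edge from move to mag and a WAR edge from mag back to move.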


Evaluation

Assess quality of error reports

how many bugs?

false positives: not real bugs?

false negatives: missed known bugs?

Measure overhead

Suite of standard benchmarks and real codes


Evaluation

    benchmark    size   cycles  reports  FP  slowdown (memory)  slowdown (disk)
    ConTest      241    141     139      5   1.4                1.1
    Jigsaw       142K   1       1        0   3.9                3.9
    Jspider      56K    4       4        0   1.2                1.2
    Weblech      1874   2       2        0   1.0                1.0
    ArrayBQ      1576   2       7        0   26.6               14.1
    ArrayList    2266   79      60       0   48.9               19.6
    LinkedBQ     1620   1       1        0   20.1               16.9
    DelayQueue   1961   43      43       0   23.0               17.5
    Vector       2636   131     131      0   52.8               10.4


Related Work

Low-level data races: do not denote errors

Atomicity: full heap atomicity vs atomic sets

Serializability: relaxed criteria vs atomic sets

Velodrome[]: bug focus, fuller implementation

Prior atomic sets: patterns vs conflict graph


Conclusions

Efficient and sound concurrency bug finding

Overhead comparable or better than prior

Sound w.r.t. atomic set model

Atomic sets accurately model intent

Heuristics allow inference

Evaluated w.r.t. programmer intent

Few false positives and negatives

Future work: further refine heuristics


Evaluation

    resultBuf[i] = vector.getFreeBlockIndex();
    if (resultBuf[i] != -1) {
        vector.markAsAllocatedBlock(resultBuf[i]);
    }

False negative example

API of AllocationVector not encapsulated

Requires client to synchronize pair of calls
