atomizer: a dynamic atomicity checker for multithreaded programs

/ 36Hong,Shin @ PSWLAB

Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs

By Cormac Flanagan, Stephen N. Freund24th April, 2008

Hong,Shin

23年 4月 20日

1Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs


Contents• Introduction• Multithreaded Programs– Formal definition of multithreaded program– The standard semantics of execution– The serialized semantics of execution– Atomicity requirements

• Dynamic Atomicity Checking– Reduction– Checking atomicity via reduction

• Inferring Protecting Locks

23年 4月 20日


2


Introduction 1/4

• A race condition occurs when two threads simultaneously access the same data variable, and at least one of the access is a write.

• In practice, race conditions are commonly avoided by protecting each data structure with a lock.

• Unfortunately, the absence of race condition is not sufficient to ensure the absence of errors due to unexpected interference between threads.

23年 4月 20日


3


Introduction 2/4

public final class StringBuffer { public synchronized int length() { … } public synchronized void getChars(int sBegin,int sEnd,char [] dst,int dBegin) { … } public synchronized void delete(int start, int end) { … }

public synchronized StringBuffer append(StringBuffer sb) { int len = sb.length() ;

... /* other threads may change sb.length()

e.g. other thread invokes sb.delete(…) */

sb.getChars(0, len, value, count) ;...

}}

23年 4月 20日


4

• Example: java.lang.StringBuffer


Introduction 3/4StringBuffer A contains “Hello”StringBuffer B contains “World”

<Thread 1> <Thread 2>Lock(A.lock) ;Lock(B.lock) ;int len = B.length() ; /* len = 5 */Unlock(B.lock) ;

Lock(B.lock) ;B.delete(4,5) /* B contains

“Worl”. B.length() = 4 */Unlock(B.lock) ;

Lock(B.lock) ;B.getChars(0, len, buf, 0) /* Error */

23年 4月 20日


5


Introduction 4/4• Atomicity

– The construction of reliable multithreaded software requires the development and application of more systematic methods for controlling the interference between concurrent threads.

– A code block is atomic if for every (arbitrarily interleaved) program execution, there is an equivalent execution with the same overall behavior(result state) where the atomic method is executed serially(the code block’s execution is not interleaved with actions of other threads).

• Atomizer– Dynamic analysis for detecting atomicity violations.– For each code block annotated as being atomic, our analysis

verifies that an execution of that code block is not affected by and does not interfere with other thread.

23年 4月 20日


6


Multithreaded Programs 1/9

• To provide a formal basis for reasoning about interference between threads, formalizing an execution semantics for multithreaded programs is necessary.

Threads– A multithreaded program consists of a number of

concurrently executing threads.

– Each thread has an associated thread identifier t 2 Tid .

23年 4月 20日


7



Global store

– The threads communicate through a global store ¾,

which is shared by all threads.

– The global store maps program variable x to value v.

– The global store records the state of each lock variable m

2 Lock.

if ¾(m) = t , then the lock m is held by thread t.

if ¾(m) = ? , then the lock is not held by any thread.

23年 4月 20日


8



Local store

– Each thread has its own local store ¼ containing data not manipulated by other threads(e.g. program counter of that thread)

State

– A state Σ = (¾, ¦ ) ¾ : a global store

¦ : a mapping from thread identifiers t to the local store ¦(t) of each thread.

– Program execution starts in an initial state

Σ0 =(¾0 , ¦0)

23年 4月 20日


9


Multithreaded Programs 4/9• We model the behavior of each thread in a

multithreaded program as the transition relation T :T µ Tid £ LocalStore £ Operation £ LocalStore

T ( t, ¼, a, ¼‘) holds

if the thread t can take a step from a state with local store ¼, performing the operation a 2 Operation on the global store, yielding a new local store ¼ ‘.

a 2 Operation ::=rd(x, v) | wr(x, v) read(write) a value v from a variable x

| acq(m) | rel(m) acquire(release) a lock m

| begin | end | ² beginning and end of an atomic block

² is an empty operation23年 4月 20日


10



Standard Semantics• The relation ¾ !a

t ¾‘ models the effect of an

operation a by thread t on the global store ¾.

23年 4月 20日


11



• The transition relation Σ ! Σ’ performs a single step of an arbitrarily chosen thread.

– A transition sequence Σ0 !* Σ’ models the arbitrary interleaving of the various threads of a multithreaded program, starting from the initial state Σ0.

• Standard semantics: Σ ! Σ’

T(t,¦(t),a,¼‘) ¾ !at ¾’

(¾, ¦) ! (¾‘ , ¦[t := ¼‘])

23年 4月 20日


12



Serialized Semantics• Assume the function A:LocalStore!N indicates the

number of atomic blocks that are currently active.A(¦0(t)) = 0 , for 8 t 2 Tid.

if T(t, ¼, begin, ¼‘) then A(¼‘)=A(¼)+1.if T(t, ¼, end, ¼‘) then A(¼)>0 and

A(¼‘)=A(¼)-1.if T(t, ¼, a, ¼‘) for a {begin, end} then A(¼‘)

= A(¼).

• The relation A(¦) holds at a state if any thread is inside an atomic block.

A(¦) =def 9t2Tid.(A(¦(t)) 0).23年 4月 20日


13



• The serialization transition relation does not interleave the execution of an atomic block with instructions of concurrent threads.

• Serialized semantics: Σ Σ‘

T(t, ¦(t), a, ¼‘) , ¾ !at ¾‘ , 8ut.A(¦(u))=0

(¾,¦ ) (¾‘, ¦[t:=¼‘])

23年 4月 20日


14



Atomicity requirement• For any program execution (¾0, ¦0) !* (¾, ¦)

where :A(¦), there should exist an equivalent serialized execution.(¾0,¦0) * (¾, ¦)

• Any execution of a correctly synchronized program should satisfy this requirement.

23年 4月 20日


15


Dynamic Atomicity Checking1/14• The standard semantics is instrumented to

detect atomicity requirement violation dynamically.

• Lipton’s theory of reduction forms the basis of this approach.– This theory is based on the notion of right-mover

and left-mover actions.

23年 4月 20日


16


Dynamic Atomicity Checking2/14• For any execution where the action b performed by one thread is

immediately followed by an action c of a concurrent threads,

the action b is a right-mover if the action b and c can be swapped without changing the resulting state.

• For any execution where the action c performed by one thread immediately follows an action b of a concurrent thread,

an action c is a left-mover if the action b and c can be swapped without changing the resulting state.

23年 4月 20日


17


Dynamic Atomicity Checking3/14• The lock acquire operation can be moved to the right

without changing the resulting state.– A concurrent thread can neither acquire nor release the lock

until the thread releases the lock.– Each lock acquire operation is a right-mover.

• The lock release operation can be moved to the left without changing the resulting state.– A concurrent thread can neither acquire nor release the lock

since the thread acquired the lock.– Each lock release operation is a left-mover.

23年 4月 20日


18


Dynamic Atomicity Checking4/14• For an access(read or write) to a variable that is

shared by multiple threads, (1) if the variable is protected by some lock that is held

whenever the variable is accessed,

- No other thread can access the variable between the lock acquire

and the release of the thread. - Each access to that variable as a both-mover (both right-mover and left-mover)

(2) if the variable is not consistently protected by some lock, - Each access to that variable as a non-mover.

23年 4月 20日


19


Dynamic Atomicity Checking5/14

<thread1> <thread2>

lock(m) ;read(x, 0) ;

lock(n) ; read(y,

3) ;write(x, 1) ;

write(y,0) ;

unlock(n) ;

unlock(m) ;

23年 4月 20日


20

<thread1> <thread2>


lock(n) ;write(x,1) ;

read(y, 3) ;

write(y,0) ;

unlock(m) ;

unlock(n) ;

Left

<thread1> <thread2>

lock(m) ;read(x, 0) ;write(x,1) ;unlock(m);

lock(n) ; read(y,

3) ;

write(y,0) ;

unlock(n) ;

/* shared variable */int x ; /* protected by lock m */int y ; /* protected by lock n */

Right



• A path through an atomic code block of a thread should contain a sequence of right-movers, followed by at most one non-mover and then a sequence of left-movers.

• This path can be reduced to an equivalent serial execution with the same resulting state, where the path is executed without any interleaved actions by other threads.

23年 4月 20日


21



23年 4月 20日


22

<thread1> <thread2>


lock(n) ;

read(y, 3) ;

write(z,0) ;

read(z, 0) ;write(x, 1) ;

write(y,0) ;

unlock(n) ;

unlock(m) ;

<thread1> <thread2>


lock(n) ;

read(y, 3) ;

write(z,0) ;

read(z, 0) ;

read(z,0) ;write(x, 1) ;

write(y,0) ;

unlock(n) ;

unlock(m) ;

<thread1> <thread2>


lock(n) ;

read(y, 3) ;

write(z,0) ;

read(z,0) ;

read(z, 0) ;write(x, 1) ;

write(y,0) ;

unlock(n) ;

unlock(m) ;

int x ; /* protected by lock m */ int y ; /* protected by lock n */int z ; /* not protected by any lock */

Left

Right


Dynamic Atomicity Checking8/14• Assume the programmer provides a partial function P that

maps protected shared variables to associated locks.P : Variable Lock

if P(x) is undefined, then x is not protected by any lock.• To record whether each thread is in the right-mover part

of an atomic block or in the left-mover part , the state space is extended to include an instrumentation store

Á : Tid ! {InRight, InLeft}Á0(t) = InRight for 8t2Tid

Each state is now a triple (¾, Á, ¦)

• If A(¦(t)) 0, then the thread t is inside an atomic block.

and Á(t) indicates whether the thread is in the right-mover or left-mover.

23年 4月 20日


23


Dynamic Atomicity Checking9/14• The relation Σ )a

t updates the instrumentation store

whenever thread t performs operation a.

23年 4月 20日


24



23年 4月 20日


25



23年 4月 20日


26



23年 4月 20日


27


Dynamic Atomicity Checking13/14Instrumented semantics: Σ ) Σ’ and Σ ) wrong

23年 4月 20日


28

• Theorem (Equivalence of Semantics)1. if (¾, Á, ¦) )* (¾‘, Á‘, ¦‘ ), then (¾,¦) !* (¾‘,¦‘ )2. if (¾, ¦) !* (¾‘, ¦‘ ) then 8Á either

(a) (¾,Á,¦) )* wrong(b) 9Á‘ such that (¾,Á,¦) )* (¾‘, Á‘, ¦‘ )

• Theorem (Instrumented Reduction)if (¾0, Á0, ¦0 ) )* (¾, Á, ¦) and :A(¦) then

(¾0 , ¦0 ) * (¾, ¦)



StringBuffer A contains “Hello”

StringBuffer B contains “World”

<Thread 1>

Lock(A.lock) ;Lock(B.lock) ;int len = B.length() ;Unlock(B.lock) ;Lock(B.lock) ;B.getChars(0, len, buf, 0)

23年 4月 20日


29

Atomic block beginsRight-moverRight-moverBoth-moverLeft-moverRight-mover /* Error */


Inferring Protecting Locks 1/3

• The previous semantics relies on the programmer to specify protecting locks for shared variables.

• The semantics is extended to infer protecting locks, using Eraser’s Lockset algorithm.

• The instrumentation store Á is extended to map each variable x to a set of candidate locks for x.

Á : (Tid ! {InRight, InLeft}) [ (Variable ! 2Lock)Á0(x) = Lock 8x 2 Variable

H(t,¾) = {m2Lock | ¾(m) = t }

23年 4月 20日


30


Inferring Protecting Locks 2/3

• The relation updates the extended instrumentation store whenever thread t performs operation a on the global store.

23年 4月 20日


31


Inferring Protecting Locks 3/3• Instrumented Semantics 2: and wrong

23年 4月 20日


32

• Theorem (Equivalence of Semantics 2)

• Theorem (Instrumented Reduction 2


Automated Data Race Detection using CBMC 1/2

• To check every path in a thread, it is necessary to consider the changing of value of a shared variable between releasing and acquiring its corresponding lock.(e.g. Unlock before I/O pattern)

23年 4月 20日


33

/* shared variables */ int A, int B ; Lock m ; Lock n ; <thread1> <thread2>lock(m) ; lock(m) A = 1 ; A = 0 ;unlock(m) ; unlock(m) ;lock(m) ; lock(n) ; if (A == 1 ) B = 1 ; else B = 0 ; unlock(n) ;unlock(m) ; B is not consistently

protected by any lock

Set

Unlock

Lock

Read


Automated Data Race Detection using CBMC 2/2

• But in checking the sequence of threads can not detect this data race error.

23年 4月 20日


34

/* shared variables */ int A, int B ; Lock m ; Lock n ;

<thread1>lock(m) ; A = 1 ;unlock(m) ;lock(m) ; if (A == 1 ) else B = 0 ; unlock(m) ;<thread2>lock(m) A = 0 ;

…

This branch never be

taken

Additional code that change the value of A should be inserted here

(1)Identify what variables are in this pattern in the program(2)Change the value of the shared variable between unlock

and lock


Further Work• Reduction: A Method of Proving Properties of Parallel

Programs, B. Wegbreit

• High-Level Data Race, C Artho, K Havelund, A Biere

23年 4月 20日


35


Reference[1] Atomizer: A Dynamic Atomicity Checker For Multithreaded

ProgramsCormac Flanagan, Stephen N. Freund, ACM SIGPLAN 2004

23年 4月 20日


36

atomizer: a dynamic atomicity checker for multithreaded programs

Documents