a true positives theorem for a static race detector
play

A True Positives Theorem for a Static Race Detector Nikos - PowerPoint PPT Presentation

Jun 17, 2023 •231 likes •688 views

A True Positives Theorem for a Static Race Detector Nikos Gorogiannis Peter OHearn Ilya Sergey Key Messages Unsound (and incomplete) static analyses can be principled , satisfying meaningful theorems that help to understand their

  1. A True Positives Theorem 
 for a Static Race Detector Nikos Gorogiannis Peter O’Hearn Ilya Sergey

  2. Key Messages Unsound (and incomplete) static analyses can be principled , satisfying meaningful theorems 
 that help to understand their behaviour and guide their design One can have an unsound but effective static analysis, 
 which has significant industrial impact, 
 and which is supported by a meaningful theorem . 2

  3. Context 1.We had a demonstrably-effective industrial analysis: 
 RacerD (OOPSLA'18); >3k fixes in Facebook Java codebase 2.No soundness theorem 3

  4. Static Analyses for Bug Detection

  5. Context 1. We had a demonstrably-effective industrial analysis: 
 RacerD (OOPSLA'18); >3k fixes in Facebook Java 2. No soundness theorem 3. Architecture: compositional abstract interpreter 4. No heuristic alarm filtering Just ad hoc? Our reaction: 
 Semantics/theory should understand/explain, not lecture. 5

  6. Conjecture True Positives Theorem: 
 Under certain assumptions, the static bug detector reports no false positives . 6

  7. Static Analyses 
 for Program Validation 7

  8. The Essence of Static Analysis “abstraction” α C e p program 
 property 
 execution of interest 8

  9. α e 1 p α e 2 9

  10. Static Analysis p 1 e 1 p 2 e 2 concreteSem ( c ) = e 3 e 6 e 4 p 3 e 5 p 4 10

  11. Static Analysis p 1 } “has bugs” e 1 p 2 e 2 } concreteSem ( c ) = e 3 e 6 e 4 p 3 e 5 “correct” p 4 11

  12. Verifier 
 or a 
 Bug Detector? 12

  13. Program Verifier true positive p 1 e 1 false positive p 2 e 2 e 3 e 6 e 4 true negative p 3 e 5 true negative p 4 13

  14. Sound Program Verifier true positive p 1 e 1 false positive p 2 e 2 e 3 e 6 e 4 true negative p 3 e 5 true negative p 4 14

  15. Sound Program Verifier true positive p 1 e 1 false positive p 2 e 2 e 3 e 6 e 4 true negative p 3 e 5 true negative p 4 abstract over-approximation < 15

  16. Sound Program Verifier true positive p 1 e 1 false positive p 2 e 2 e 3 e 6 e 4 true negative p 3 e 5 true negative p 4 abstract over-approximation < 16

  17. Sound Program Verifier true positive p 1 Developer : e 1 Go away, that never happens! false positive p 2 e 2 e 3 e 6 e 4 true negative p 3 e 5 true positive p 4 if (n == VERY_UNLIKELY_VALUE) { bug.explode(); } else { // do nothing } 17

  18. Unsound Program “Verifier” true positive p 1 e 1 false positive p 2 e 2 e 3 e 6 e 4 true negative p 3 e 5 false negative p 4 if (n == VERY_UNLIKELY_VALUE) { bug.explode(); } else { // do nothing } 18

  19. “Sound” Program Verifier true positive p 1 e 1 false positive p 2 e 2 e 3 e 6 e 6 e 4 true negative p 3 e 5 false negative p 4 19

  20. “Sound” Program Verifier true positive p 1 e 1 false positive p 2 e 2 e 3 e 6 e 4 true negative p 3 e 5 concrete under-approximation abstract over-approximation < 20

  21. Sound Static Verifiers • False negatives (bugs missed) are bad • False positives (non-bugs reported) are okay • Constructed as over-approximation ( of under-approximation ) • Soundness Theorem : 
 Under certain assumptions about the programs, the analyser has no false negatives . 21

  22. p 1 } “has bugs” e 1 p 2 e 2 } e 3 e 6 e 4 p 3 e 5 “correct” p 4 22

  23. Static Bug Finder true positive p 1 e 1 false positive p 2 e 2 e 3 e 6 e 4 true negative p 3 e 5 false negative p 4 23

  24. Unsound Static Bug Finder true positive p 1 e 1 false positive p 2 e 2 e 3 e 6 e 4 true negative p 3 e 5 false negative p 4 24

  25. Sound (but imprecise) Static Bug Finder true positive p 1 e 1 false negative p 2 e 2 e 3 e 6 e 4 true negative p 3 e 5 false negative p 4 abstract under-approximation < 25

  26. Loss of Precision in Static Bug Finders if (n != VERY_UNLIKELY_VALUE) { e 2 // bug happens here } else { e 3 // normal execution } Idea: over-approximate in concrete semantics! 26

  27. Sound (but Imprecise) Static Bug Finder true positive p 1 e 1 false negative p 2 e 2 Let’s merge these executions into Let’s consider these two equivalent! one that subsumes both! e 3 e 6 e 4 true negative p 3 e 5 false negative p 4 27

  28. if (*) { // bug happens here } else { true positive p 1 // normal execution } e 1 false negative true positive p 2 p 2 e 2 e 23 overApproxConcreteSem (c) = 1. e 3 e 6 e 4 true negative p 3 e 5 false negative p 4 28

  29. Sound Static Bug Finder if (*) { // bug happens here } else { true positive p 1 // normal execution } e 1 true positive p 2 e 23 overApproxConcreteSem (c) = 1. e 6 e 4 true negative p 3 e 5 false negative p 4 concrete over-approximation abstract under-approximation < 29

  30. Towards Sound Static Bug Finders (this work) • False negatives (bugs missed) are okay • False positives (non-bugs reported) are bad • Constructed as under-approximation of over-approximation • Soundness (True Positives) Theorem : 
 Under certain assumptions about the programs, the analyser has no false positives . 30

  31. A Recipe for True Positives Theorem Over-approximate semantic elements to make up for “difficult” dynamic execution aspects 
 1. Example: replace conditions and loops with their non-deterministic versions Pick abstraction α for over-approximated executions that provably identifies “buggy” behaviours: 
 2. ∀ e: execution, hasBug ( α ( e )) ⇒ execution e has a bug Design an abstract semantics asem , so it is complete wrt. α and over-approximated concrete semantics: 
 3. ∀ c : program, asem (c) = α ( overApproxConcreteSem (c)) Together, asem and hasBug provide a TP-sound static bug finder. 4. 31

  32. Case Study: RacerDX • A provably TP-Sound version of Facebook’s RacerD concurrency analyser 
 (Blackshear et al., OOPSLA’18) • Buggy executions: data races in lock-based concurrent programs • Syntactic assumptions : 
 Java programs with well-scoped locking ( synchronised ), no recursion, reflection, dynamic class loading; global variables are ignored. • Concrete over-approximation : 
 Loops and conditionals are non-deterministic. 32

  33. A True Race class Burble { class Bloop { public int f = 1; public void meps(Bloop b) { } synchronized ( this ) { System.out.println(b.f); } } public void reps(Bloop b) { b.f = 42; } public void beps(Bloop b) { b = new Bloop(); b.f = 239; } } 33

  34. A False Race class Burble { class Bloop { public int f = 1; public void meps(Bloop b) { } synchronized ( this ) { System.out.println(b.f); } } public void reps(Bloop b) { b.f = 42; Path prefix b is “ unstable ” ( “ wobbly ” ), 
 } as it’s reassigned, hence race is evaded. public void beps(Bloop b) { b = new Bloop(); b.f = 239; } } 34

  35. Complete Abstraction for Race Detection (W, L, A) class Burble { public void meps(Bloop b) { synchronized ( this ) { System.out.println(b.f); } “Wobbly” paths, Accesses/locks } touched during execution with formals/fields public void reps(Bloop b) { b.f = 42; Locking level } public void beps(Bloop b) { b = new Bloop(); • asem ( meps(b) ) = ({b.f}, 0, {R(b.f, 1)}) b.f = 239; } } • asem ( reps(b) ) = ({b.f}, 0, {W(b.f, 0)}) • asem ( beps(b) ) = ({b, b.f}, 0, {W(b, 0), W(b.f, 0)}) 35

  36. Analysing Summaries for Races class Burble { • asem ( meps(b) ) = ({b.f}, 0, {R(b.f, 1)}) public void meps(Bloop b) { synchronized ( this ) { System.out.println(b.f); • asem ( reps(b) ) = ({b.f}, 0, {W(b.f, 0)}) } } • asem ( beps(b) ) = ({b, b.f}, 0, {W(b, 0), W(b.f, 0)}) public void reps(Bloop b) { b.f = 42; } public void beps(Bloop b) { b = new Bloop(); meps(b) || reps(b) ⇒ Can race, b.f = 239; } } report a bug! 36

  37. Analysing Summaries for Races class Burble { • asem ( meps(b) ) = ({b.f}, 0, {R(b.f, 1)}) public void meps(Bloop b) { synchronized ( this ) { System.out.println(b.f); • asem ( reps(b) ) = ({b.f}, 0, {W(b.f, 0)}) } } • asem ( beps(b) ) = ({b, b.f}, 0, {W(b, 0), W(b.f, 0)}) public void reps(Bloop b) { b.f = 42; } public void beps(Bloop b) { b = new Bloop(); meps(b) || beps(b) ⇒ Maybe don’t race, b.f = 239; } } don’t report a bug 37

  38. Formal Result RacerDX enjoys the True Positives Theorem wrt . Data Race Detection (Details in the paper) 38

  39. Evaluation What is the price to pay for having the TP Theorem? (Reporting no bugs whatsoever is TP-Sound) 39

  40. RacerD vs RacerDX Target LOC D CPU DX CPU CPU ± % D Reps DX Reps Reps ± % D avrora 76k 103 102 0.4% 143 92 36% Chronicle-Map 45k 196 196 0.1% 2 2 0% jvm-tools 33k 106 109 -3.6% 30 26 13% RxJava 273k 76 69 9.2% 166 134 19% sun f ow 25k 44 44 -1.4% 97 42 57% xalan-j 175k 144 137 5.0% 326 295 10% (b) Evaluation results. CPU columns are in seconds; Reps are distinct reports; 40

  41. RacerD vs RacerDX Target LOC D CPU DX CPU CPU ± % D Reps DX Reps Reps ± % D avrora 76k 103 102 0.4% 143 92 36% Chronicle-Map 45k 196 196 0.1% 2 2 0% jvm-tools 33k 106 109 -3.6% 30 26 13% RxJava 273k 76 69 9.2% 166 134 19% sun f ow 25k 44 44 -1.4% 97 42 57% xalan-j 175k 144 137 5.0% 326 295 10% (b) Evaluation results. CPU columns are in seconds; Reps are distinct reports; 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A True Positives Theorem for a Static Race Detector Presentation by Julia Belyakova and Artem

A True Positives Theorem for a Static Race Detector Presentation by Julia Belyakova and Artem

A True Positives Theorem for a Static Race Detector Presentation by Julia Belyakova and Artem Pelenitsyn For CS 7580 (instructor: Jan Vitek), 10/30/2019 A subset of slides is taken from Ilya Sergeys web page Static Analyses for Program

1.11k views • 75 slides
Compositional Static Race Detection at Scale, without False Positives Ilya Sergey Joint work

Compositional Static Race Detection at Scale, without False Positives Ilya Sergey Joint work

Compositional Static Race Detection at Scale, without False Positives Ilya Sergey Joint work with Sam Blackshear, Peter OHearn, Nikos Gorogiannis Key Messages Static analyses for concurrency can be made scalable and precise . Unsound

827 views • 80 slides
# of true positives true positive rate = # of known positives (Proportion of actual positives

# of true positives true positive rate = # of known positives (Proportion of actual positives

True positive rate (Sensitivity) # of true positives true positive rate = # of known positives (Proportion of actual positives that are correctly identified) True negative rate (Specificity) # of true negatives true negative rate = # of known

475 views • 24 slides
# of true positives true positive rate = # of known positives (Proportion of actual positives

# of true positives true positive rate = # of known positives (Proportion of actual positives

True positive rate (Sensitivity) # of true positives true positive rate = # of known positives (Proportion of actual positives that are correctly identified) True negative rate (Specificity) # of true negatives true negative rate = # of known

402 views • 18 slides
Washington, DC As of April 8 Total Number Percent Positives All 1523 100 Race Unknown 536

Washington, DC As of April 8 Total Number Percent Positives All 1523 100 Race Unknown 536

2 Washington, DC As of April 8 Total Number Percent Positives All 1523 100 Race Unknown 536 35.2 White 253 16.6 Black/African American 542 35.6 Asian 20 1.3 American Indian/Alaska Native 6 .4 Native Hawaiian Pacific Islander

408 views • 13 slides
Looking Inside a Race Detector kavya @kavya719 data race detection data races when two+

Looking Inside a Race Detector kavya @kavya719 data race detection data races when two+

Looking Inside a Race Detector kavya @kavya719 data race detection data races when two+ threads concurrently access a shared memory location, at least one access is a write. data race // Shared variable R R R var count = 0 W R

691 views • 57 slides
Static Versioning of Global State for Race Condition Detection Steffen Keul Dept. of Programming

Static Versioning of Global State for Race Condition Detection Steffen Keul Dept. of Programming

Introduction Static State Versioning Version Computation Conclusion Static Versioning of Global State for Race Condition Detection Steffen Keul Dept. of Programming Languages and Compilers Institute of Software Technology University of

577 views • 28 slides
Static Analysis and Interactive Theorem Proving - A Match Made in Heaven ? Jael E. Kriener

Static Analysis and Interactive Theorem Proving - A Match Made in Heaven ? Jael E. Kriener

Introduction Static Analysis by Example Interactive Theorem Proving in Coq Bliss? - Not Quite Yet... Static Analysis and Interactive Theorem Proving - A Match Made in Heaven ? Jael E. Kriener University of Kent, Canterbury November 18, 2011

429 views • 25 slides
Static Data Race Detection for SPMD Programs via an Extended Polyhedral Representation Prasanth

Static Data Race Detection for SPMD Programs via an Extended Polyhedral Representation Prasanth

Static Data Race Detection for SPMD Programs via an Extended Polyhedral Representation Prasanth Chatarasi, Jun Shirako, Vivek Sarkar Habanero Extreme Scale Software Research Group Department of Computer Science Rice University 6th

657 views • 37 slides
PointsTo Static Use-After-Free Detector for C/C++ Presented by: Peter Goodman PointsTo detects

PointsTo Static Use-After-Free Detector for C/C++ Presented by: Peter Goodman PointsTo detects

PointsTo Static Use-After-Free Detector for C/C++ Presented by: Peter Goodman PointsTo detects use-after-free bugs Static, whole-program analyzer that finds use-after-free bugs in C/C++ code Implemented in C++ as an LLVM plugin that

591 views • 26 slides
Eraser: A Dynamic Data Race Detector for Multithreaded Programs Review Introduce tool to

Eraser: A Dynamic Data Race Detector for Multithreaded Programs Review Introduce tool to

Eraser: A Dynamic Data Race Detector for Multithreaded Programs Review Introduce tool to help eliminate data races Threads must use mutex locks Finds bugs during dynamic executions Checks shared variables on heap or global vars

275 views • 6 slides
ThreadSanitizer APIs for External Libraries Kuba Mracek, Apple ThreadSanitizer

ThreadSanitizer APIs for External Libraries Kuba Mracek, Apple ThreadSanitizer

ThreadSanitizer APIs for External Libraries Kuba Mracek, Apple ThreadSanitizer ThreadSanitizer Data race detector ThreadSanitizer Data race detector LLVM IR instrumentation: ThreadSanitizer Data race detector LLVM

706 views • 47 slides
Proof: The theorem is proven using this scheme: a. j. Definition of invertible. j. d.

Proof: The theorem is proven using this scheme: a. j. Definition of invertible. j. d.

2.3 Characterizations of Invertible Matrices Theorem 8 (The Invertible Matrix Theorem) Let A be a square n n matrix. The the following statements are equivalent (i.e., for a given A , they are either all true or all false). a. A is an invertible

223 views • 4 slides
Static Analysis of Race-Free Interrupt-Driven Programs Deepak DSouza Department of Computer

Static Analysis of Race-Free Interrupt-Driven Programs Deepak DSouza Department of Computer

Data Flow Analysis Concurrent Programs Race-Free Programs Sync-CFG Analysis Analysis Static Analysis of Race-Free Interrupt-Driven Programs Deepak DSouza Department of Computer Science and Automation Indian Institute of Science,

981 views • 47 slides
Detecting Data Races in Multi-Threaded Programs Eraser A Dynamic Data-Race Detector for

Detecting Data Races in Multi-Threaded Programs Eraser A Dynamic Data-Race Detector for

Detecting Data Races in Multi-Threaded Programs Eraser A Dynamic Data-Race Detector for Multi-Threaded Programs MultiRace An Efficient On-the-Fly Data-Race Detection Tool for Multi-Threaded C++ Programs John C. Linford Slide 1 / 31 Key

606 views • 31 slides
LLOV : A Fast Static Data-Race Checker for OpenMP Programs Utpal Bora PhD Student Computer

LLOV : A Fast Static Data-Race Checker for OpenMP Programs Utpal Bora PhD Student Computer

LLOV : A Fast Static Data-Race Checker for OpenMP Programs Utpal Bora PhD Student Computer Science and Engineering IIT Hyderabad, India February 23, 2020 Bora, Utpal (IITH) LLVM-Performance@CGO20 1 / 29 Table of Contents Motivation for

888 views • 60 slides
PUBLIC POLICY TOWARD ABUSE OF FIRM DOMINANCE Outline Public policy: false positives and

PUBLIC POLICY TOWARD ABUSE OF FIRM DOMINANCE Outline Public policy: false positives and

PUBLIC POLICY TOWARD ABUSE OF FIRM DOMINANCE Outline Public policy: false positives and false negatives Cases Outline Public policy: false positives and false negatives Cases Basic trade-off: Type I and Type II errors Errors

434 views • 21 slides
M onkey: O ptimal N avigable Key -Value Store Niv Dayan, Manos Athanassoulis, Stratos Idreos

M onkey: O ptimal N avigable Key -Value Store Niv Dayan, Manos Athanassoulis, Stratos Idreos

M onkey: O ptimal N avigable Key -Value Store Niv Dayan, Manos Athanassoulis, Stratos Idreos storage is cheaper inserts &amp; updates price workload per GB time storage is cheaper inserts &amp; updates price workload per GB time need

1.38k views • 123 slides
in the Range-Based Constraint Manager dm Balogh adam.balogh@ericsson.com Euro LLVM 2019

in the Range-Based Constraint Manager dm Balogh adam.balogh@ericsson.com Euro LLVM 2019

Multiplication and Division in the Range-Based Constraint Manager dm Balogh adam.balogh@ericsson.com Euro LLVM 2019 Brussels, Belgium Ericsson 2019-04-08 Ericsson Internal | 2018-02-21 Range-Based Constraint Manager Default in

187 views • 18 slides
Stemming VSM, session 10 CS6200: Information Retrieval Slides by: Jesse Anderton Stemming A

Stemming VSM, session 10 CS6200: Information Retrieval Slides by: Jesse Anderton Stemming A

Stemming VSM, session 10 CS6200: Information Retrieval Slides by: Jesse Anderton Stemming A stemming algorithm converts words to k i t a b a book their root forms (stems) in order to focus k i t a b i my book on their underlying

407 views • 9 slides
The European Commissions science and knowledge service Joint Research Centre Why machine

The European Commissions science and knowledge service Joint Research Centre Why machine

The European Commissions science and knowledge service Joint Research Centre Why machine learning may lead to unfairness Songl Tolan 1 , Marius Miron 1 , Emilia Gomez 1,2 , Carlos Castillo 2 1 European Commissions Joint Research Centre 2

663 views • 50 slides
CSI5180. MachineLearningfor BioinformaticsApplications Fundamentals of Machine Learning tasks

CSI5180. MachineLearningfor BioinformaticsApplications Fundamentals of Machine Learning tasks

CSI5180. MachineLearningfor BioinformaticsApplications Fundamentals of Machine Learning tasks and performance metrics by Marcel Turcotte Version November 6, 2019 Preamble Preamble 2/47 Preamble Fundamentals of Machine Learning tasks

823 views • 65 slides
Intrus ntrusion ion Det Detection, ection, Fi Fire rewalls, alls, an and d Intr ntrusion

Intrus ntrusion ion Det Detection, ection, Fi Fire rewalls, alls, an and d Intr ntrusion

Intrus ntrusion ion Det Detection, ection, Fi Fire rewalls, alls, an and d Intr ntrusion usion Pr Prevention ention Professor Patrick McDaniel ECE 590 03 (Guest lecture) Intrusion Detection Systems Authorized eavesdropper

607 views • 23 slides
Optimizing unit test execution in large software programs using dependency analysis Taesoo Kim,

Optimizing unit test execution in large software programs using dependency analysis Taesoo Kim,

Optimizing unit test execution in large software programs using dependency analysis Taesoo Kim, Ramesh Chandra and Nickolai Zeldovich MIT CSAIL Running unit tests takes too long Its our policy to make sure all tests pass at all times .

967 views • 51 slides

More recommend