Abstract
Instruction reordering and interleavings in program execution under relaxed memory semantics result in non-intuitive behaviors, making it difficult to provide assurances about program correctness. Studies have shown that up to 90% of the concurrency bugs reported by state-of-the-art static analyzers are false alarms. As a result, filtering false alarms and detecting real concurrency bugs is a challenging problem. Unsurprisingly, this problem has attracted the interest of the research community over the past few decades. Nonetheless, many of the existing techniques rely on analyzing source code, rarely consider the effects introduced by compilers, and assume a sequentially consistent memory model. In a practical setting, however, developers often do not have access to the source code, and even commodity architectures such as x86 and ARM are not sequentially consistent.
In this work, we present Bird, a prototype tool, to dynamically detect harmful data races in x86 binaries under relaxed memory models, TSO and PSO. Bird employs source-DPOR to explore all distinct feasible interleavings for a multithreaded application. Our evaluation of Bird on 42 publicly available benchmarks and its comparison with the state-of-the-art tools indicate Bird’s potential in effectively detecting data races in software binaries.
- [1] ETAPS 2019. COMP 2019—8th International Competition on Software Verification. Retrieved February 19, 2022 from https://sv-comp.sosy-lab.org/2019/.Google Scholar
- [2] . 2006. Types for safe locking: Static race detection for Java. ACM Transactions on Programming Languages and Systems 28, 2 (2006), 207–255.Google ScholarDigital Library
- [3] . 2014. Optimal dynamic partial order reduction. ACM SIGPLAN Notices 49, 1 (2014), 373–384.Google ScholarDigital Library
- [4] . 2017. Stateless model checking for TSO and PSO. Acta Informatica 54, 8 (2017), 789–818.Google ScholarDigital Library
- [5] . 2017. Source sets: A foundation for optimal dynamic partial order reduction. Journal of the ACM 64, 4 (Aug. 2017), Article 25, 49 pages. Google ScholarDigital Library
- [6] . 2017. Source sets: A foundation for optimal dynamic partial order reduction. Journal of the ACM 64, 4 (2017), 25.Google ScholarDigital Library
- [7] . 2019. Verification of programs under the release-acquire semantics. In Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’19). ACM, New York, NY, 1117–1132. Google ScholarDigital Library
- [8] . 2017. Context-sensitive dynamic partial order reduction. In Computer Aided Verification, and (Eds.). Springer International, Cham, Switzerland, 526–543.Google Scholar
- [9] . 2013. Software verification for weak memory via program transformation. In Proceedings of the European Symposium on Programming. 512–532.Google ScholarDigital Library
- [10] . 2011. Litmus: Running tests against hardware. In Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems. 41–44.Google ScholarCross Ref
- [11] . 2016. BinGold: Towards robust binary analysis by extracting the semantics of binary code as semantic flow graphs (SFGs). Digital Investigation 18 (2016), S11–S22.Google ScholarDigital Library
- [12] . 2018. Practical Binary Analysis: Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly. No Starch Press.Google Scholar
- [13] . 2016. ARCHER: Effectively spotting data races in large OpenMP applications. In Proceedings of the 2016 IEEE International Parallel and Distributed Processing Symposium (IPDPS’16). IEEE, Los Alamitos, CA, 53–62.Google ScholarCross Ref
- [14] . 2006. Unraveling data race detection in the Intel thread checker. In Proceedings of the 1st Workshop on Software Tools for MultiCore Systems (STMCS’06).Google Scholar
- [15] . 2011. Mathematizing C++ concurrency. In Proceedings of the 38th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL’11). ACM, New York, NY, 55–66. Google ScholarDigital Library
- [16] . 2016. Stateless model checking with data-race preemption points. ACM SIGPLAN Notices 51, 10 (
Oct. 2016), 477–493. Google ScholarDigital Library - [17] . 2011. Sound and complete monitoring of sequential consistency for relaxed memory models. In Tools and Algorithms for the Construction and Analysis of Systems, and (Eds.). Springer, Berlin, Germany, 11–25.Google ScholarCross Ref
- [18] . 2004. Finding stale-value errors in concurrent programs. Concurrency and Computation: Practice and Experience 16, 12 (2004), 1161–1172.Google ScholarDigital Library
- [19] . 1991. Race Frontier: Reproducing data races in parallel-program debugging. ACM SIGPLAN Notices 26, 7 (1991), 145–154.Google ScholarDigital Library
- [20] . 2008. Dataflow analysis for concurrent programs using datarace detection. In Proceedings of the 29th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’08). ACM, New York, NY, 316–326. Google ScholarDigital Library
- [21] . 2003. Framework for testing multi-threaded Java programs. Concurrency and Computation: Practice and Experience 15, 3–5 (2003), 485–499.Google ScholarCross Ref
- [22] . 2012. IFRit: Interference-free regions for dynamic data-race detection. ACM SIGPLAN Notices 47 (2012), 467–484.Google Scholar
- [23] . 2017. BARRACUDA: Binary-level analysis of runtime RAces in CUDA programs. In Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’17). ACM, New York, NY, 126–140. Google ScholarDigital Library
- [24] . 2007. Goldilocks: A race and transaction-aware Java runtime. ACM SIGPLAN Notices 42 (2007), 245–255.Google Scholar
- [25] . 2014. TSO-CC: Consistency directed cache coherence for TSO. In Proceedings of the 2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA’14). 165–176. Google ScholarCross Ref
- [26] . 2009. FastTrack: Efficient and precise dynamic race detection. ACM SIGPLAN Notices 44 (2009), 121–133.Google Scholar
- [27] . 2005. Dynamic partial-order reduction for model checking software. ACM SIGPLAN Notices 40, 1 (
Jan. 2005), 110–121. Google ScholarDigital Library - [28] . 1990. Using partial orders to improve automatic verification methods. In Proceedings of the International Conference on Computer Aided Verification. 176–185.Google Scholar
- [29] . 2008. Concurrency at Microsoft: An exploratory survey. In Proceedings of the CAV Workshop on Exploiting Concurrency Efficiently and Correctly.Google Scholar
- [30] . 1996. Partial-Order Methods for the Verification of Concurrent Systems: An Approach to the State-Explosion Problem, Vol. 1032. Springer, Heidelberg, Germany.Google ScholarCross Ref
- [31] . 2003. Type-safe multithreading in cyclone. ACM SIGPLAN Notices 38 (2003), 13–25.Google Scholar
- [32] . 2011. Malware classification using instruction frequencies. In Proceedings of the 2011 ACM Symposium on Research in Applied Computation. 298–300.Google ScholarDigital Library
- [33] . n.d. DataRaceBenchmark: Concurrency Benchmarks. Retrieved February 19, 2022 from https://github.com/marchartung/DataRaceBenchmark/; https://github.com/marchartung/DataRaceBenchmark/find/master.Google Scholar
- [34] . 2019. Pinpoint data races via testing and classification. In Proceedings of the 2019 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW’19). IEEE, Los Alamitos, CA, 386–393.Google ScholarCross Ref
- [35] . 2014. Maximal sound predictive race detection with control flow abstraction. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’14). ACM, New York, NY, 337–348. Google ScholarDigital Library
- [36] . 2011. Persuasive prediction of concurrency access anomalies. In Proceedings of the 2011 International Symposium on Software Testing and Analysis. ACM, New York, NY, 144–154.Google ScholarDigital Library
- [37] . 2016. Maximal causality reduction for TSO and PSO. ACM SIGPLAN Notices 51, 10 (2016), 447–461.Google ScholarDigital Library
- [38] . 2019. Rapid identification of shared memory in multithreaded embedded systems with static scheduling. In Proceedings of the 48th International Conference on Parallel Processing: Workshops (ICPP’19). ACM, New York, NY, Article
15 , 8 pages. Google ScholarDigital Library - [39] . 2019. Razzer: Finding kernel race bugs through fuzzing. In Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP’19). IEEE, Los Alamitos, CA, 754–768.Google ScholarCross Ref
- [40] . 2006. Symbolic model checking of concurrent programs using partial orders and on-the-fly transactions. In Computer Aided Verification, and (Eds.). Springer, Berlin, Germany, 286–299.Google Scholar
- [41] . 2009. Static data race detection for concurrent programs with asynchronous calls. In Proceedings of the 7th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC/FSE’09). ACM, New York, NY, 13–22. Google ScholarDigital Library
- [42] . 2007. Fast and accurate static data-race detection for concurrent programs. In Proceedings of the International Conference on Computer Aided Verification. 226–239.Google ScholarCross Ref
- [43] . 2012. Data races vs. data race bugs: Telling the difference with portend. ACM SIGPLAN Notices 47, 4 (2012), 185–198.Google ScholarDigital Library
- [44] . 2009. Precise data race detection in a relaxed memory model using heuristic-based model checking. In Proceedings of the 2009 IEEE/ACM International Conference on Automated Software Engineering. 495–499.Google ScholarDigital Library
- [45] . 2018. Effective stateless model checking for C/C++ concurrency. Proceedings of the ACM on Programming Languages 2, POPL (2018), Article 17, 32 pages. Google ScholarDigital Library
- [46] . 2019. Model checking for weakly consistent libraries. In Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’19). ACM, New York, NY, 96–110. Google ScholarDigital Library
- [47] . 2020. HMC: Model checking for hardware memory models. In Proceedings of the 25th International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS’20). ACM, New York, NY, 1157–1171. Google ScholarDigital Library
- [48] . 2020. Testing concurrency on the JVM with Lincheck. In Proceedings of the 25th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming (PPoPP’20). ACM, New York, NY, 423–424. Google ScholarDigital Library
- [49] . 2016. Taming release-acquire consistency. ACM SIGPLAN Notices 51, 1 (
Jan. 2016), 649–662. Google ScholarDigital Library - [50] . 2019. Robustness against release/acquire semantics. In Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’19). ACM, New York, NY, 126–141. Google ScholarDigital Library
- [51] . 2019. Time, clocks, and the ordering of events in a distributed system. In Concurrency: The Works of Leslie Lamport, Dahlia Malkhi (Ed). ACM Books, New York, NY, 179–196.Google Scholar
- [52] . 2017. Dynamic race detection for C++ 11. ACM SIGPLAN Notices 52, 1 (2017), 443–457.Google ScholarDigital Library
- [53] . 2017. Dynamic race detection for C++11. In Proceedings of the 44th ACM SIGPLAN Symposium on Principles of Programming Languages (POPL’17). ACM, New York, NY, 443–457. Google ScholarDigital Library
- [54] . 2005. Pin: Building customized program analysis tools with dynamic instrumentation. ACM SIGPLAN Notices 40 (2005), 190–200.Google Scholar
- [55] . 2021. C11Tester: A race detector for C/C++ atomics. In Proceedings of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. 630–646.Google ScholarDigital Library
- [56] . 1987. Trace theory. In Proceedings of an Advanced Course on Petri Nets: Central Models and Their Properties, Advances in Petri Nets 1986—Part II. Springer-Verlag, Berlin, Germany, 279–324. http://dl.acm.org/citation.cfm?id=647422.725772.Google ScholarCross Ref
- [57] . 1993. Partial order backtracking. Journal of Artificial Intelligence Research 1 (1993), 17–24.Google Scholar
- [58] . n.d. SCTBench: C/C++ Pthread Benchmarks. Retrieved February 19, 2022 from https://github.com/mc-imperial/sctbench.Google Scholar
- [59] . 2010. AtomTracker: A comprehensive approach to atomic region inference and violation detection. In Proceedings of the 2010 43rd Annual IEEE/ACM International Symposium on Microarchitecture. IEEE, Los Alamitos, CA, 287–297.Google ScholarDigital Library
- [60] . 2006. Effective static race detection for Java. In Proceedings of the 27th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’06). ACM, New York, NY, 308–319. Google ScholarDigital Library
- [61] . 2007. Automatically classifying benign and harmful data races using replay analysis. ACM SIGPLAN Notices 42 (2007), 22–31.Google Scholar
- [62] . 2013. CDSchecker: Checking concurrent data structures written with C/C++ atomics. In Proceedings of the 2013 ACM SIGPLAN International Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA’13). ACM, New York, NY, 131–150. Google ScholarDigital Library
- [63] . 2003. Hybrid dynamic data race detection. In Proceedings of the 9th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming (PPoPP’03). ACM, New York, NY, 167–178. Google ScholarDigital Library
- [64] . 2010. Falcon: Fault localization in concurrent programs. In Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering—Volume 1. ACM, New York, NY, 245–254.Google ScholarDigital Library
- [65] . 2019. Fast, sound, and effectively complete dynamic race prediction. Proceedings of the ACM on Programming Languages 4, POPL (2019), 1–29.Google ScholarDigital Library
- [66] . 2018. Partial-Order Reduction. Springer International, Cham, Switzerland, 173–190. Google ScholarCross Ref
- [67] . 2001. Relaxed visibility enhances partial order reduction. Formal Methods in System Design 19, 3 (2001), 275–289.Google ScholarDigital Library
- [68] . 2008. McBoost: Boosting scalability in malware collection and analysis using statistical classification of executables. In Proceedings of the 2008 Annual Computer Security Applications Conference (ACSAC’08). IEEE, Los Alamitos, CA, 301–310.Google ScholarDigital Library
- [69] . 2020. Resettable encoded vector clock for causality analysis with an application to dynamic race detection. IEEE Transactions on Parallel and Distributed Systems 32, 4 (2020), 772–785.Google ScholarDigital Library
- [70] . 2017. Simplifying ARM concurrency: Multicopy-atomic axiomatic and operational models for ARMv8. Proceedings of the ACM on Programming Languages 2, POPL (Dec. 2017), Article 19, 29 pages. Google ScholarDigital Library
- [71] . 2020. SmartTrack: Efficient predictive race detection. In Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’20). ACM, New York, NY, 747–762. Google ScholarDigital Library
- [72] . 2014. How developers use data race detection tools. In Proceedings of the 5th Workshop on Evaluation and Usability of Programming Languages and Tools. 43–51.Google ScholarDigital Library
- [73] . 2010. Idea: Opcode-sequence-based malware detection. In Proceedings of the International Symposium on Engineering Secure Software and Systems. 35–43.Google ScholarDigital Library
- [74] . 1997. Eraser: A dynamic data race detector for multithreaded programs. ACM Transactions on Computer Systems 15, 4 (
Nov. 1997), 391–411. Google ScholarDigital Library - [75] . 2005. Scaling model checking of dataraces using dynamic information. In Proceedings of the 10th ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming (PPoPP’05). ACM, New York, NY, 107–118. Google ScholarDigital Library
- [76] . n.d. Thread-modular analysis of release-acquire concurrency. arXiv preprint arXiv:2107.02346 [accepted in SAS’21] (n.d.).Google Scholar
- [77] . 2011. RACEZ: A lightweight and non-invasive race detection tool for production applications. In Proceedings of the 2011 33rd International Conference on Software Engineering (ICSE’11). IEEE, Los Alamitos, CA, 401–410.Google ScholarDigital Library
- [78] . 2016. SOK: (State of) the art of war: Offensive techniques in binary analysis. In Proceedings of the 2016 IEEE Symposium on Security and Privacy (SP’16). IEEE, Los Alamitos, CA, 138–157.Google ScholarCross Ref
- [79] . 2012. Sound predictive race detection in polynomial time. ACM SIGPLAN Notices 47 (2012), 387–400.Google Scholar
- [80] . 1993. WARLOCK—A static data race analysis tool. In Proceedings of the USENIX Winter 1993 Conference. 97–106.Google Scholar
- [81] . 2015. Verifying read-copy-update in a logic for weak memory. ACM SIGPLAN Notices 50, 6 (2015), 110–120.Google ScholarDigital Library
- [82] . 2014. Enforcing forward-edge control-flow integrity in GCC and LLVM. In Proceedings of the 23rd USENIX Security Symposium (USENIX’14). 941–955.Google Scholar
- [83] . 2017. TriCheck: Memory model verification at the trisection of software, hardware, and ISA. ACM SIGPLAN Notices 52, 4 (
April 2017), 119–133. Google ScholarDigital Library - [84] . 1996. The state explosion problem. In Advanced Course on Petri Nets. Springer, 429–528.Google Scholar
- [85] . 2011. Detecting and surviving data races using complementary schedules. In Proceedings of the 23rd ACM Symposium on Operating Systems Principles. 369–384.Google ScholarDigital Library
- [86] . 2007. RELAY: Static race detection on millions of lines of code. In Proceedings of the the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering (ESEC-FSE’07). ACM, New York, NY, 205–214. Google ScholarDigital Library
- [87] . 2008. Peephole partial order reduction. In Tools and Algorithms for the Construction and Analysis of Systems, and (Eds.). Springer, Berlin, Germany, 382–396.Google ScholarCross Ref
- [88] . 2013. Parallelizing data race detection. ACM SIGPLAN Notices 48, 4 (
March 2013), 27–38. Google ScholarDigital Library - [89] . 2012. Binary Analysis for Code Reconstruction of Control Software. Diploma Thesis. Hamburg University of Technology.Google Scholar
- [90] . 2018. VerifiedFT: A verified, high-performance precise dynamic race detector. In Proceedings of the 23rd ACM SIGPLAN Symposium on Principles and Practice of Parallel Programming. ACM, New York, NY, 354–367.Google ScholarDigital Library
- [91] . 2008. Inspect: A Runtime Model Checker for Multithreaded C Programs. Technical Report UUCS-08-004. University of Utah.Google Scholar
- [92] . 2008. Efficient stateful dynamic partial order reduction. In Model Checking Software, , , and (Eds.). Springer, Berlin, Germany.Google Scholar
- [93] . 2012. Maple: A coverage-driven testing tool for multithreaded programs. ACM SIGPLAN Notices 47 (2012), 485–502.Google Scholar
- [94] . 2005. RaceTrack: Efficient detection of data race conditions via adaptive tracking. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP’05). ACM, New York, NY, 221–234. Google ScholarDigital Library
- [95] . n.d. DPthread—Deterministic Pthread Benchmarks. Retrieved February 19, 2022 from https://github.com/heechul/dpthread.Google Scholar
- [96] . 2015. Dynamic partial order reduction for relaxed memory models. ACM SIGPLAN Notices 50 (2015), 250–259.Google Scholar
- [97] . 2017. ProRace: Practical data race detection for production use. ACM SIGPLAN Notices 52, 4 (2017), 149–162.Google ScholarDigital Library
Index Terms
- BiRD: Race Detection in Software Binaries under Relaxed Memory Models
Recommendations
Verification of STM on relaxed memory models
Software transactional memories (STM) are described in the literature with assumptions of sequentially consistent program execution and atomicity of high level operations like read, write, and abort. However, in a realistic setting, processors use ...
Testing concurrent programs on relaxed memory models
ISSTA '11: Proceedings of the 2011 International Symposium on Software Testing and AnalysisHigh-performance concurrent libraries, such as lock-free data structures and custom synchronization primitives, are notoriously difficult to write correctly. Such code is often implemented without locks, instead using plain loads and stores and low-...
Verifying dynamic race detection
CPP 2017: Proceedings of the 6th ACM SIGPLAN Conference on Certified Programs and ProofsWriting race-free concurrent code is notoriously difficult, and data races can result in bugs that are difficult to isolate and reproduce. Dynamic race detection can catch data races that cannot (easily) be detected statically. One approach to dynamic ...
Comments