Michael D Bond University of Texas at Austin Graham Z Baker Tufts MIT Lincoln Laboratory We dont make a lot of the bug detectors you use We make a lot of the bug detectors you use ID: 229095
Download Presentation The PPT/PDF document "Breadcrumbs: Efficient Context Sensitivi..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Breadcrumbs: Efficient Context Sensitivity for Dynamic Bug Detection Analyses
Michael D. BondUniversity of Texas at Austin
Graham Z. BakerTufts / MIT Lincoln Laboratory
We don't make a lot of the bug detectors you use. We make a lot of the bug detectors you use better.
Samuel Z.
Guyer
Tufts UniversitySlide2
Example: Dynamic data race detector
Thread A
Thread Bwrite x
unlock mlock mwrite
x
read
xSlide3
Example: dynamic data race detector
Thread A
Thread Bwrite x
unlock mlock mwrite
x
read
x
race!Slide4
Example: dynamic data race detector
Thread AThread B
write x
unlock mlock mwrite x
read
x
race!
T
@
A
T’
@
B
T’’
@
ASlide5
Example: dynamic data race detector
Thread AThread B
write x
unlock mlock mwrite x
read
x
race!
How is
this race
reported?
T
@
A
T’
@
B
T’’
@
ASlide6
Reporting a race
Thread AThread B
write x
unlock mlock mwrite x
read
x
T
@
A
T’
@
B
T’’
@
A
loc1
loc2
loc3
race!Slide7
Reporting a race
Thread AThread B
write x
read x
race!
T’
@
B
T’’
@
A
write
x
unlock
m
lock
m
T
@
A
loc1
loc2
loc3
AbstractDataTreeNode.indexOfChild
():426
AbstractDataTreeNode.storeStrings():536Slide8
Reporting a race
Thread AThread B
write x
read x
race!
T’
@
B
T’’
@
A
write
x
unlock
m
lock
m
T
@
A
loc1
loc2
loc3
AbstractDataTreeNode.indexOfChild
():426
AbstractDataTreeNode.storeStrings():536
Problem
: not much informationSlide9
Full stack traces
Thread A
Thread B
write xread x
race!
T’
@
B
T’’
@
A
write
x
unlock
m
lock
m
T
@
A
loc1
loc2
loc3
AbstractDataTreeNode.indexOfChild():426
AbstractDataTreeNode.childAtOrNull():212
DeltaDataTree.lookup():666
ElementTree.includes():528
Workspace.getResourceInfo():1135
Resource.getResourceInfo():973
Project.hasNature():479
JavaProject.hasJavaNature():224
JavaProject.computeExpandedClasspath():430
JavaProject.getExpandedClasspath():1444
...
EclipseStarter.run():376
...
AbstractDataTreeNode.storeStrings():536
DataTreeNode.storeStrings():343
AbstractDataTreeNode.storeStrings():541
DataTreeNode.storeStrings():343
...
ElementTree.shareStrings():706
SaveManager.shareStrings():1154
...
StringPoolJob.shareStrings():124
...
Worker.run():76
...Slide10
Context sensitivity
Big impact on static analysisBetter informationBetter precisionCritical in modern software:
Intensive code reuse (e.g., frameworks)Many small methodsHighly dynamic behaviorWhat about dynamic analysis?Slide11
How hard is this?
Thread AThread B
write
xread x
race!
T’
@
B
T’’
@
A
write
x
unlock
m
lock
m
T
@
A
loc1
loc2
loc3
AbstractDataTreeNode.indexOfChild():426
AbstractDataTreeNode.childAtOrNull():212
DeltaDataTree.lookup():666
ElementTree.includes():528
Workspace.getResourceInfo():1135
Resource.getResourceInfo():973
Project.hasNature():479
JavaProject.hasJavaNature():224
JavaProject.computeExpandedClasspath():430
JavaProject.getExpandedClasspath():1444
...
EclipseStarter.run():376
...
AbstractDataTreeNode.storeStrings():536
DataTreeNode.storeStrings():343
AbstractDataTreeNode.storeStrings():541
DataTreeNode.storeStrings():343
...
ElementTree.shareStrings():706
SaveManager.shareStrings():1154
...
StringPoolJob.shareStrings():124
...
Worker.run():76
...Slide12
How hard is this?
Thread AThread B
write
xread x
race!
T’
@
B
T’’
@
A
write
x
unlock
m
lock
m
T
@
A
loc1
loc2
loc3
AbstractDataTreeNode.indexOfChild():426
AbstractDataTreeNode.childAtOrNull():212
DeltaDataTree.lookup():666
ElementTree.includes():528
Workspace.getResourceInfo():1135
Resource.getResourceInfo():973
Project.hasNature():479
JavaProject.hasJavaNature():224
JavaProject.computeExpandedClasspath():430
JavaProject.getExpandedClasspath():1444
...
EclipseStarter.run():376
...
AbstractDataTreeNode.storeStrings():536
DataTreeNode.storeStrings():343
AbstractDataTreeNode.storeStrings():541
DataTreeNode.storeStrings():343
...
ElementTree.shareStrings():706
SaveManager.shareStrings():1154
...
StringPoolJob.shareStrings():124
...
Worker.run():76
...
EASY
Race discovered hereSlide13
How hard is this?
Thread AThread B
write
xread x
race!
T’
@
B
T’’
@
A
write
x
unlock
m
lock
m
T
@
A
loc1
loc2
loc3
AbstractDataTreeNode.indexOfChild():426
AbstractDataTreeNode.childAtOrNull():212
DeltaDataTree.lookup():666
ElementTree.includes():528
Workspace.getResourceInfo():1135
Resource.getResourceInfo():973
Project.hasNature():479
JavaProject.hasJavaNature():224
JavaProject.computeExpandedClasspath():430
JavaProject.getExpandedClasspath():1444
...
EclipseStarter.run():376
...
AbstractDataTreeNode.storeStrings():536
DataTreeNode.storeStrings():343
AbstractDataTreeNode.storeStrings():541
DataTreeNode.storeStrings():343
...
ElementTree.shareStrings():706
SaveManager.shareStrings():1154
...
StringPoolJob.shareStrings():124
...
Worker.run():76
...
EASY
HARD
Previously recorded informationSlide14
Challenge
Many events might need context information e.g., race detector: every read and write (!)Existing approachesWalk the stack: up to 100X slowdown
Build calling context tree: 2-3X, plus spaceContext
ContextContext
Context
Context
Context
Context
Context
Context
Context
Context
BUGSlide15
Goal
Compact representation of calling contexts Fast correct execution
Print out stack trace when bug detected
E
fficient context sensitivity for
dynamic bug detectorsSlide16
Starting point
Represent a calling context in 1 word ⎯ PCC value
Computed online, low overhead ⎯ <5% BUT, no way to decode a PCC value
Probabilistic Calling ContextBond and McKinley OOPSLA 07
✓
✓
✘Slide17
With PCC: analysis is context sensitive
Thread AThread B
write x
unlock mlock mwrite x
read
x
race!
T
@
A
T’
@
B
T’’
@
A
pcc1
pcc2
pcc3
0xFE9A651B
0x59C2DF08Slide18
How PCC works
CallerCallee
m(
)k()
k
(
);
j
(
);
h
(
);
current
PCC
callsite
ID
p
’ =
f
(
p
,
c
)
new PCC
=
(
3
p
+
c
)
mod
2
32
…
…
…
At
each call site…Slide19
At
each call site…
CallerCallee
m()
k
(
)
k
(
);
j
(
);
h
(
);
current
PCC
callsiteID
p
’ =
f
(
p
,
c
)
new PCC
=
(
3
p
+
c
)
mod
2
32
…
…
…
p
= 0 in main()
…
…
p
=
f
(…
f
(
f
(
f
(0, c
0
), c
1
), c
2
)…,
c
n
)
How PCC worksSlide20
Breadcrumbs
Problem: decode PCC value Find a sequence of callsite
IDs such that p = f(…f( f( f(0, c0), c1), c2)…, cn)i.e.,
invert the hash functionSlide21
Breadcrumbs
Problem: decode PCC value pFind a sequence of
callsite IDs such that p = f(…f( f( f(0, c0), c1), c2)…, cn)
i.e., invert the hash functionKey: f is invertibleGiven p’ and
c
unique
p
such that
p
’
=
f
(p
,
c
)“Peel off” callsites until we reach 0 (main)
3 and 2
32 relatively primeSlide22
Decode stack trace bottom-up
PCC value = 0x5A93CF09
g():2Start at bottom
of call stackSlide23
Decode stack trace bottom-up
PCC value = 0x5A93CF09
g():2
PCC value = 0x089C3A02Use static call graph to determine callersand apply f
-1
f
-1
(
0x5A93CF09
,
g
():2
)Slide24
Decode stack trace bottom-up
PCC value = 0x5A93CF09
g():2d():9
PCC value = 0x0
PCC value = 0x089C3A02
PCC value = 0x59C2DF08
Continue until main() and
p
= 0
f
-1
(
0x5A93CF09
,
g
():2
)
f
-1
(
0x5A93CF09
,
d():9
)Slide25
Decode stack trace bottom-up
PCC value = 0x5A93CF09
g():2d():9
a():5
main():44
…
PCC value = 0x0
PCC value = 0x089C3A02
PCC value = 0x59C2DF08
Continue until main() and
p
= 0
f
-1
(
0x5A93CF09
,
g
():2
)
f
-1
(
0x5A93CF09
,
d():9
)
…Slide26
Problem
: blind search of call graph
e():5f():4
g():2…
d():9
a():5
main():44
…
PCC value = 0x0
…
…
b():3
…
…
PCC value = 0x5A93CF09
Statically possible contexts >> 2
64
c():8
h():3
j():8
Need more
informationSlide27
Idea: record per-callsite PCC values
e():5
f():4g():2
…
d():9
a():5
main():44
…
c():8
h():3
…
…
j():8
b():3
…
…
Add
hash table
at
each call site
0x089C3A02Slide28
Very easy search
e():5
f():4
g():2…
d():9
a():5
main():44
…
c():8
h():3
…
…
j():8
b():3
…
…
Which caller is the right one?
PCC value = 0x5A93CF09
PCC value = 0x0Slide29
Very easy search
e():5
f():4
g():2…
d():9
a():5
main():44
…
c():8
h():3
…
…
j():8
b():3
…
…
Invert
f
to find
p
PCC value = 0x5A93CF09
PCC value = 0x0
f
-1
(
0x5A93CF09
,
g
():2
)
0x089C3A02Slide30
Very easy search
e():5
f():4
g():2…
d():9
a():5
main():44
…
c():8
h():3
…
…
j():8
b():3
…
…
New
p
value will
be in caller’s
hash table
PCC value = 0x5A93CF09
PCC value = 0x0
✓
✘
f
-1
(
0x5A93CF09
,
g
():2
)
0x089C3A02Slide31
Very easy search
e():5
f():4
g():2…
d():9
a():5
main():44
…
c():8
h():3
…
…
j():8
b():3
…
…
And continue…
PCC value = 0x5A93CF09
PCC value = 0x0
0x59C2DF08
f
-1
(
0x5A93CF09
,
d():9
)
f
-1
(
0x5A93CF09
,
g
():2
)
0x089C3A02Slide32
Very easy search
e():5
f():4
g():2…
d():9
a():5
main():44
…
c():8
h():3
…
…
j():8
b():3
…
…
PCC value = 0x5A93CF09
PCC value = 0x0
✓
✘
0x59C2DF08
f
-1
(
0x5A93CF09
,
d():9
)
f
-1
(
0x5A93CF09
,
g
():2
)
0x089C3A02
And continue…Slide33
Very easy search
e():5
f():4
g():2…
d():9
a():5
main():44
…
c():8
h():3
…
…
j():8
b():3
…
…
PCC value = 0x5A93CF09
PCC value = 0x0
0x59C2DF08
f
-1
(
0x5A93CF09
,
d():9
)
f
-1
(
0x5A93CF09
,
g
():2
)
0x089C3A02
Not really searching at all
…Slide34
antlr
chart
eclipsefophsqldbjythonluindex
pmdxalanjbb
geomean
0
20
40
60
80
100
120
140
160
% overhead
With per-
callsite
sets
JikesRVM
DaCapo
benchmarks
#
set ops
528m
201m
857m
21m
158m
3,624m
217m
270m
738m
137m
PCC onlySlide35
Observation
e():5
f():4g():2
…d():9
a():5
main():44
…
c():8
h():3
…
…
j():8
b():3
…
…
A few
call sites account for a huge fraction of costSlide36
Idea: stop tracking hot call sites
e():5
f():4g():2
d():9
a():5
main():44
…
c():8
h():3
…
…
j():8
…
…
b():3
Throw out
hash table
and instrumentationSlide37
antlr
chart
eclipsefophsqldbjythonluindex
pmdxalanjbb
geomean
0
20
40
60
80
100
120
140
160
% overhead
t
= 100,000
t
= 100
t
= 10,000
No threshold
t
= 1,000
PCC only
Is it enough information?
Tunable
“
hotness” thresholdSlide38
Decoding: hybrid search
e():5
f():4
g():2…
d():9
a():5
main():44
…
c():8
h():3
…
…
j():8
…
…
b():3
Which caller is the right one?
PCC value = 0x5A93CF09Slide39
Decoding: hybrid search
e():5
f():4
g():2…
d():9
a():5
main():44
…
c():8
h():3
…
…
j():8
…
…
b():3
Which caller is the right one?
PCC value = 0x5A93CF09
✓
f
-1
(
0x5A93CF09
,
g
():2
)
0x089C3A02Slide40
Decoding: hybrid search
e():5
f():4
g():2…
d():9
a():5
main():44
…
c():8
h():3
…
…
j():8
…
…
b():3
No information: must explore both paths
PCC value = 0x5A93CF09
0x59C2DF08
f
-1
(
0x5A93CF09
,
d():9
)
f
-1
(
0x5A93CF09
,
g
():2
)
0x089C3A02Slide41
Heuristic search
(see paper)
e():5f():4
g():2…
d():9
a():5
main():44
…
c():8
h():3
…
…
j():8
…
…
b():3
Sometimes fails to decode a context
PCC value = 0x5A93CF09
0x59C2DF08
f
-1
(
0x5A93CF09
,
d():9
)
f
-1
(
0x5A93CF09
,
g
():2
)
0x089C3A02Slide42
antlr
chart
eclipsefophsqldbjython
luindexpmd
xalan
jbb
0
20
40
60
80
100
120
140
160
% overhead
100
%
100
%
100
%
100
%
100
%
47
%
47
%
47
%
82
%
95
%
100
%
100
%
100
%
100
%
100
%
89
%
95
%
95
%
97
%
97
%
Race detection
results
(go to
Pacer
talk tomorrow!)
t
= 100,000
t
= 100
t
= 10,000
No threshold
t
= 1,000
geomeanSlide43
Summary
Make any dynamic bug detector context sensitiveMore in the paper:Description of search algorithmWhat kinds of bug detectors will benefitResults for two real bug detectors
(both quantitative and qualitative)Available as patch to JikesRVMSlide44
Related work
Reconstruct contexts from PC and SP [
Mytkowicz et al. 2009] [Inoue and Nakatani 2009]Very low overhead, but little entropy in these valuesPath profiling approach [Sumner et al. 2010]Uses multiple integers to represent calling context exactlyBoth require offline training, pre-computed info
Challenge for complex, highly dynamic softwareSlide45
Thank You
Questions?Slide46
Goals
Represent calling context compactlyEasily take place of static program locations Fast correct execution
For deployed or field-testing environment Decode back into stack trace when neededCould expensive, but cost paid offlineSlide47
Calling context representation
Calling context stored in 1 word ⎯ PCC
valueEssentially a hash of sequence of call site IDs Computed online, low overhead <5%PCC values computed incrementally, at each call site BUT, no way to decode a PCC valueCan distinguish, but not identify calling contexts
✓
✓
✘
Started with
Probabilistic Calling Context
Bond and McKinley OOPSLA 07Slide48
Summary
Make any dynamic bug detector context sensitiveTunable overhead/precision tradeoffSweet spot: 10% to 20% overhead at threshold 1,000 to 10,000
ChallengesLong sequences of hot callsitesDeep recursionAvailable as patch to JikesRVMSlide49
antlr
chart
eclipsefophsqldbjythonluindex
pmdxalanjbb
geomean
0
20
40
60
80
100
120
140
160
% overhead
Tradeoff:
cost
vs
decoding
t
= 100,000
t
= 100
t
= 10,000
No threshold
t
= 1,000
PCC onlySlide50
100
%
100%100%
100%
100
%
antlr
chart
eclipse
fop
hsqldb
jython
luindex
pmd
xalan
jbb
geomean
0
20
40
60
80
100
120
140
160
% overhead
47
%
47
%
47
%
82
%
95
%
100
%
100
%
100
%
100
%
100
%
89
%
95
%
95
%
97
%
97
%