Runtime Safety Analysis of Multithreaded Programs

1
Runtime Safety Analysis of Multithreaded Programs

• Koushik Sen
• University of Illinois at
• Urbana-Champaign, USA

Co-authors Grigore Rosu and Gul Agha
2
Talk Overview

• Motivation
• MultiPathExplorer
• Motivating example
• Instrumentation based on vector clocks
• Predict specification violations at runtime
• System architecture
• Further Applications
• Conclusion and Future Work

3
Increasing Software Reliability

• Current solutions
• Human review of code and testing
• Most used in practice
• Usually ad-hoc, intensive human support
• (Advanced) Static analysis
• Often scales up
• False positives and negatives, annotations
• (Traditional) Formal methods
• Model checking and theorem proving
• General, good confidence, do not always scale up

4
Runtime Verification

• Merge testing and temporal logic specification
• Specify safety properties in proper temporal
  logic.
• Monitor safety properties against a run of the
  program.
• Examples JPaX (NASA Ames), Upenn's Java MaC
  analyzes the observed run.
• Disadvantage Lack of coverage.

Run
Naïve Observer
5
Our Approach Smart Observer

• Ideas
• A single execution trace contains more
  information than appears at first sight
• Extract other possible runs from a single
  execution
• Analyze all these runs intelligently.
• A technique between model checking and testing.

Run
Smart Observer
6
Talk Overview

• Motivation
• MultiPathExplorer
• Motivating example
• Instrumentation based on vector clocks
• Predict specification violations at runtime
• System architecture
• Further Applications
• Conclusion and Future Work

7
MultiPathExplorer JMPaX (Java)

• Based on smart observers
• Smartness obtained by proper instrumentation
  vector clocks
• Possible global states generated dynamically ?
  form a lattice
• Analysis is performed on a level-by-level basis
  in the lattice of global states

8
Motivating Example Safe Landing
Safe Landing Land the air/space craft only after
approval from ground and only if, since then, the
radio signal has not been lost

• Three variables
• Landing indicating air/space craft is landing
• Approved indicating landing has been approved
• Radio indicating radio signal is live

?Landing ? ?Approved, ?Radio?
9
Code of a Landing Controller

• Two threaded program to control landing

• int landing 0, approved 0, radio 1
• void thread1()
• askLandingApproval()
• if (approved 1)
• print("Landing approved") landing1
  print("Landing started")
• else print("Landing not approved")
• void askLandingApproval()
• if (radio 1) approved 1 else
  approved 0
• void thread2()
• while (true) checkRadio()

10
Landing Safety Violation

• Suppose the plane has received approval for
  landing and just before it started landing the
  radio signal went off
• the plane must abort landing!
• A simple observer will most likely not detect the
  bug.
• JMPaX can construct a possible run in which radio
  goes off between approval and landing

approved 1
landing 1
11
Talk Overview

• Motivation
• MultiPathExplorer
• Motivating example
• Instrumentation based on vector clocks
• Predict specification violations at runtime
• System architecture
• Further Applications
• Conclusion and Future Work

12
Events in Multithreaded Programs

• Given n threads p1, p2, ..., pn,
• A multithreaded execution is a sequence of events
  e1 e2 er of type
• internal or,
• read of a shared variable or,
• write of a shared variable.
• eij represents the jth event generated by thread
  pi since the start of its execution.

13
Causality in Multithreaded Programs

• Define the partial order Á on the set of events
  as follows
• eik Á eil if k lt l
• e Á e' if there is some x 2 S such that e ltx e'
  and at least one of e, e is a write.
• e Á e'' if e Á e' and e' Á e''.

14
Vector Clocks and Relevant Events

• Consider a subset R of relevant events.
• (typically those writing specifications
  variables)
• R-relevant causality is a relation C µ Á
• C is a projection of Á on R R.
• We provide a technique based on vector clocks
  that correctly implements the relevant causality
  relation.

15
Vector Clock Algorithm

• Let Vi be an n-dimensional vector of natural
  numbers for each thread pi.
• Let Vxa and Vxw be vectors for each shared
  variable x.
• if eik is relevant, i.e., if eik 2 R, then
• Vii à Vii 1
• if eik is a read of a variable x then
• Vi à maxVi,Vxw
• Vxa à maxVxa,Vi
• if eik is a write of a variable x then
• Vxw à Vxa à Vi à maxVxa,Vi
• if eik is relevant then
• send message h eik, i, Vi i to observer.

16
Correspondence with Standard Vector Clocks
17
Implementing Causality by Vector Clocks

• Theorem If he, i, Vi and he', j, V' i are
  messages sent by our algorithm, then
• e C e' iff Vi V'i
• If i and j are not given, then
• e C e' iff V lt V

18
Example with Two Threads

• thread T1
• x
• ...
• y x 1

• thread T2
• z x 1
• ...
• x

(initially x -1)
19
Relevant Global State

• The program state after the events
  ek11,ek22,...,eknn is called a relevant global
  multithreaded state or simply a state.
• A state ?k1 k2 kn is called consistent if and
  only if it can be seen in some possible run of
  the system.

20
MultiThreaded Run

• e1e2 eR is a multithreaded run iff it
  generates a sequence of global states ?K0 ?K1
  ?KR such that
• each ?Kr is consistent and
• ?Kr after event er becomes ?Kr1.
• (consecutive states)

21
Computation Lattice

• We say ? À ?' when there is some run in which ?
  and ?' are consecutive states
• Consistent global states together with the
  transitive closure of À form a lattice
• Multithreaded runs are paths in the lattice

22
Example Revisited

• thread T1
• x
• ...
• y x 1

• thread T2
• z x 1
• ...
• x

23
Monitoring Safety Formula
(x gt 0) ! (y 0), (y gt z))s
24
Safety Violation in a Possible Run
(x gt 0) ! (y 0), (y gt z))s
25
Talk Overview

• Motivation
• MultiPathExplorer
• Motivating example
• Instrumentation based on vector clocks
• Predict specification violations at runtime
• System architecture
• Further Applications
• Conclusion and Future Work

26
Safety Against All Runs

• Number of possible runs can be exponential
• Traverse the state lattice level by level
• Avoids analyzing an exponential number of runs
• Maintain a queue of events
• Enqueue an event as soon as it arrives
• Construct a new level from the set of states in
  the previous level and the events in the queue
• Monitor safety formula against all states in a
  level using dynamic programming and intelligent
  merging.

27
Algorithm Pseudocode

• for each (e 2 Q)
• if exists s 2 CurrentLevel s.t. isNextState(s,e)
  then
• NextLevel à addToSet(NextLevel,createState(s,e))
  
• if isUnnecessary(s) then
• remove(s,CurrentLevel)
• if isEmpty(CurrentLevel) then
• monitorAll(NextLevel)
• CurrentLevel à NextLevel NextLevel Ã
• Q Ã removeUnnecessaryEvents(CurrentLevel,Q)

28
Complexity

• Time complexity is O(w.2m.n)
• w width of the lattice
• m size of the formula
• n length of the run
• Memory used is O(w.2m)
• w width of the lattice
• m number of temporal operators in the formula
• Further optimizations
• Consider bounded width w of queue Q

29
Reason for Efficiency
s00
s11
s12
s21
s32
s31
s41
30
JMPaX Architecture
31
Further Applications

• Security
• Security policies as safety requirements
• Predict safety violations efficiently!

?communicate(A,B,K) ? ? (sendKey(S,(A,B),K) ?
? requestKey(S,A,B))
32
Contributions

• Introduce vector clock algorithm in multithreaded
  systems to capture relevant causality.
• Efficiently Predict safety errors from successful
  runs.
• A modular implementation of the above ideas in a
  analysis tool, JMPaX.
• http//fsl.cs.uiuc.edu/jmpax/ for JMPaX prototype.

33
Future Work

• Evaluate JMPaX on real, large applications
• Develop predictive algorithms for other
  requirements specification logics
• Consider a superset of partial order to gain
  efficiency
• Find more scalable techniques that can fill the
  gap between model checking and testing
• Integrate with NASA Ames Java PathExplorer Tool
  (JPaX).