Bo Zhou,Iulian Neamtiu,Rajiv Gupta

DOI: https://doi.org/10.1145/2745802.2745807

2015-01-01

Abstract:Concurrency bugs are difficult to find and fix. To help with finding and fixing concurrency bugs, prior research has mostly focused on static or dynamic analyses for finding specific classes of bugs. We present an approach whose focus is understanding the differences between concurrency and non-concurrency bugs, the differences among various concurrency bug classes, and predicting bug quantity, type, and location, from patches, bug reports and bug-fix metrics. First, we show that bug characteristics and bug-fixing processes vary significantly among different kinds of concurrency bugs and compared to non-concurrency bugs. Next, we build a quantitative predictor model to estimate concurrency bugs appearance in future releases. Then, we build a qualitative predictor that can predict the type of concurrency bug for a newly-filed bug report. Finally, we build a bug location predictor to indicate the likely source code location for newly-reported bugs. We validate the effectiveness of our approach on three popular projects, Mozilla, KDE, and Apache.

Hongliang Liang,Mingyue Li,Jianli Wang

DOI: https://doi.org/10.1145/3380786.3391401

2020-01-01

Abstract:A challenge faced by concurrency bug detection techniques is the lack of ground-truth corpora, i.e., a lot of true concurrency bugs, making it difficult to evaluate and verify these technologies and tools, e.g., to precisely measure their false negative and false positive rates. In this paper, we present DRInject, a novel dynamic debugging based technique for producing ground-truth corpora by automatically and quickly injecting lots of realistic data race bugs into program source code. Each data race bug is assured by injecting modifying code to a global variable in two concurrency threads. These bugs are realistic in that they are embedded deep with programs and are triggered by real inputs. We have injected over 600 data race bugs into 10 benchmark or real-world programs, including water-nsquared, X264 and libvips. Moreover, we evaluated four data race detectors using the produced buggy programs and found there are much improvement space for these tools. Preliminary experiments show that DRInject can inject data race bugs in large scale programs and evaluate detect tools with fundamental quantities like false negative and false positive rate, which forms the basis to generate large bug corpora for the future research in concurrency software.

Ziyi Lin,Darko Marinov,Hao Zhong,Yuting Chen,Jianjun Zhao

DOI: https://doi.org/10.1109/ase.2015.87

2015-01-01

Abstract:Researchers have proposed various approaches to detect concurrency bugs and improve multi-threaded programs, but performing evaluations of these approaches still remains a substantial challenge. We survey the existing evaluations and find out that they often use code or bugs not representative of real world. To improve representativeness, we have prepared JaConTeBe, a benchmark suite of 47 confirmed concurrency bugs from 8 popular open-source projects, supplemented with test cases for reproducing buggy behaviors. Running three approaches on JaConTeBe shows that our benchmark suite confirms some limitations of the three approaches. We submitted JaConTeBe to the SIR repository (a software-artifact repository for rigorous controlled experiments), and it was included as a part of SIR.

Manna Wu,Bo Zhou,Wei Shi

DOI: https://doi.org/10.1145/1643823.1643911

2009-01-01

Abstract:In this paper, we describe a new test framework for concurrent programs. Testing on concurrent programs remains difficult due to the non-deterministic nature of concurrent programs. Approaches are proposed to surmount this difficulty. However, few of them are really effective. A new self-adaptive test framework is proposed to alleviate this problem, since it is impossible to solve it completely. This framework which is based on the study of concurrent test points tests each concurrent program like a circuit, while concurrent test points like components of the circuit. The original reason of concurrent bugs stems from the resource sharing among multiple processes or threads. Therefore, a controller is introduced in the framework to increasingly intensify resource competition via test data controlling, aiming to trigger concurrent bugs' emerging sooner once they exist.

Shixiong Zhao,Rui Gu,Haoran Qiu,Tsz On Li,Yuexuan Wang,Heming Cui,Junfeng Yang

DOI: https://doi.org/10.1109/DSN.2018.00033

2018-01-01

Abstract:Just like bugs in single-threaded programs can lead to vulnerabilities, bugs in multithreaded programs can also lead to concurrency attacks. We studied 31 real-world concurrency attacks, including privilege escalations, hijacking code executions, and bypassing security checks. We found that compared to concurrency bugs' traditional consequences (e.g., program crashes), concurrency attacks' consequences are often implicit, extremely hard to be observed and diagnosed by program developers. Moreover, in addition to bug-inducing inputs, extra subtle inputs are often needed to trigger the attacks. These subtle features make existing tools ineffective to detect concurrency attacks. To tackle this problem, we present OWL, the first practical tool that models general concurrency attacks' implicit consequences and automatically detects them. We implemented OWL in Linux and successfully detected five new concurrency attacks, including three confirmed and fixed by developers, and two exploited from previously known and well-studied concurrency bugs. OWL has also detected seven known concurrency attacks. Our evaluation shows that OWL eliminates 94.1% of the reports generated by existing concurrency bug detectors as false positive, greatly reducing developers' efforts on diagnosis. All OWL source code, concurrency attack exploit scripts, and results are available on github.com/hku-systems/owl.

Xiao-Hong SU,Zhen YU,Tian-Tian WANG,Pei-Jun MA

DOI: https://doi.org/10.11897/SP.J.1016.2015.02215

2015-01-01

Abstract:The prevalent multi-core architecture today makes real concurrency come true.In order to benefit from the concurrency power of hardware,concurrent programming is becoming more and more popular.However,out of inherent concurrency and non-determinism,concurrent programs are more likely to suffer from concurrency bugs,which are hard to detect,debug and repair.In this paper,we point out the trend that software development is turning toward concurrent model from sequential model.We reveal three characteristics respectively for concurrent programs and concurrency bugs and explore three challenges confronted by concurrency bug analysis.We then divide concurrency bugs into four categories,i.e.deadlock,data race,atomicity violation and order violation and investigate relations among them.For each category of concurrency bugs, we make analyses,comparisons and summarizations on previous researches about how to quickly expose,in time detect and efficiently avoid them.At last,we look into the research priorities in future from the following five aspects:smart and quick concurrency bugs exposure,common and accurate concurrency bug detection,deterministic replay support,collaborative design involving software and hardware and new concurrent programming model.

Mingxing Zhang,Yongwei Wu,Shan Lu,Shanxiang Qi,Jinglei Ren,Weimin Zheng

DOI: https://doi.org/10.1109/tse.2016.2531666

IF: 7.4

2016-01-01

IEEE Transactions on Software Engineering

Abstract:Concurrency bugs are notoriously difficult to eradicate during software testing because of their non-deterministic nature. Moreover, fixing concurrency bugs is time-consuming and error-prone. Thus, tolerating concurrency bugs during production runs is an attractive complementary approach to bug detection and testing. Unfortunately, existing bug-tolerating tools are usually either 1) constrained in types of bugs they can handle or 2) requiring roll-back mechanism, which can hitherto not be fully achieved efficiently without hardware supports. This paper presents a novel program invariant, called Anticipating Invariant (AI), which can help anticipate bugs before any irreversible changes are made. Benefiting from this ability of anticipating bugs beforehand, our software-only system is able to forestall the failures with a simple thread stalling technique, which does not rely on execution roll-back and hence has good performance Experiments with 35 real-world concurrency bugs demonstrate that AI is capable of detecting and tolerating most types of concurrency bugs, including both atomicity and order violations. Two new bugs have been detected and confirmed by the corresponding developers. Performance evaluation with 6 representative parallel programs shows that AI incurs negligible overhead (<1%) for many nontrivial desktop and server applications.

Yan Hu,Jun Yan,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1007/s10586-016-0537-1

2016-01-01

Cluster Computing

Abstract:Concurrency bugs usually manifest under very rare conditions, and reproducing such bugs can be a challenging task. To reproduce concurrency bugs with a given input, one would have to explore the vast interleaving space, searching for erroneous schedules. The challenges are compounded in a big data environment. This paper explores the topic of concurrency bug reproduction using runtime data. We approach the concurrency testing and bug reproduction problem differently from existing literature, by emphasizing on the preemptable synchronization points. In our approach, a light-weight profiler is implemented to monitor program runs, and collect synchronization points where thread scheduler could intervene and make scheduling decisions. Traces containing important synchronization API calls and shared memory accesses are recorded and analyzed. Based on the preemptable synchronization points, we build a reduced preemption set (RPS) to narrow down the search space for erroneous schedules. We implement an optimized preemption-bounded schedule search algorithm and an RPS directed search algorithm, in order to reproduce concurrency bugs more efficiently. Those schedule exploration algorithms are integrated into our prototype, Profile directed Event driven Dynamic AnaLysis (PEDAL). The runtime data consisting of synchronization points is used as a source of feedback for PEDAL. To demonstrate utility, we evaluate the performance of PEDAL against those of two systematic concurrency testing tools. The findings demonstrate that PEDAL can detect concurrency bugs more quickly with given inputs, and consuming less memory. To prove its scalability in a big data environment, we use PEDAL to analyze several real concurrency bugs in large scale multithread programs, namely: Apache, and MySQL.

DongDong Deng,GuoLiang Jin,Marc de Kruijf,Ang Li,Ben Liblit,Shan Lu,ShanXiang Qi,JingLei Ren,Karthikeyan Sankaralingam,LinHai Song,YongWei Wu,MingXing Zhang,Wei Zhang,WeiMin Zheng

DOI: https://doi.org/10.1007/s11432-015-5315-9

2015-01-01

Science China Information Sciences

Abstract:Concurrency bugs are becoming widespread with the emerging ubiquity of multicore processors and multithreaded software. They manifest during production runs and lead to severe losses. Many effective concurrency-bug detection tools have been built. However, the dependability of multi-threaded software does not improve until these bugs are handled statically or dynamically. This article discusses our recent progresses on fixing, preventing, and recovering from concurrency bugs.

Zhendong Wu,Kai Lu,Xiaoping Wang,Xu Zhou

DOI: https://doi.org/10.1109/QSIC.2013.67

2013-01-01

Abstract:Many concurrency bugs are extremely difficult to be detected by random test due to huge input space and huge interleaving space. The multicore technology trend worsens this problem. We propose an innovative, collaborative approach called ColFinder to detect concurrency bugs effectively and efficiently. ColFinder uses static analysis to identify potential buggy statements. With respect to these statements, ColFinder uses program slicing to cut the original programs into smaller programs. Finally, it uses dynamic active test to verify whether the potential buggy statements will trigger real bugs. We implement a prototype of ColFinder, and evaluate it with several real-world programs. It significantly improves the probability of bug manifestation, from 0.75% to 89%. Additionally, ColFinder makes the time of bug manifestation obviously reduced by program slicing, with an average of 33%.

Wenwen Wang,Chenggang Wu,Pen-Chung Yew,Xiang Yuan,Zhenjiang Wang,Jianjun Li,Xiaobing Feng

DOI: https://doi.org/10.1145/2555243.2555276

2014-01-01

Abstract:Non-determinism in concurrent programs makes their debugging much more challenging than that in sequential programs. To mitigate such difficulties, we propose a new technique to automatically locate buggy shared memory accesses that triggered concurrency bugs. Compared to existing fault localization techniques that are based on empirical statistical approaches, this technique has two advantages. First, as long as enough successful runs of a concurrent program are collected, the proposed technique can locate buggy memory accesses to the shared data even with only one single failed run captured, as opposed to the need of capturing multiple failed runs in other statistical approaches. Second, the proposed technique is more precise because it considers memory accesses in those failed runs that terminate prematurely.

Ziyi Lin,Yilei Zhou,Hao Zhong,Yuting Chen,Haibo Yu,Jianjun Zhao

DOI: https://doi.org/10.1587/transinf.2016edp7388

2017-01-01

IEICE Transactions on Information and Systems

Abstract:When debugging bugs, programmers often prepare test cases to reproduce buggy behaviours. However, for concurrent programs, test cases alone are typically insufficient to reproduce buggy behaviours, due to the nondeterminism of multi-threaded executions. In literature, various approaches have been proposed to reproduce buggy behaviours for concurrency bugs deterministically, but to the best of our knowledge, they are still limited. In particular, we have recognized three debugging scenarios from programming practice, but existing approaches can handle only one of the scenarios. In this paper, we propose a novel approach, called SPDebugger, that provides finer-grained thread controlling over test cases, programs under test, and even third party library code, to reproduce the pre-designed thread execution schedule. The evaluation shows that SPDebugger handles more debugging scenarios than the state-of-the-art tool, called IMUnit, with similar human effort.

Zan Wang,Haichi Wang,Shuang Liu,Jun Sun,Haoyu Wang,Junjie Chen

DOI: https://doi.org/10.1109/ICECCS51672.2020.00025

2020-01-01

Abstract:Concurrency bugs are notoriously hard to identify and fix. A systematic way of avoiding concurrency bugs is to design and implement a locking policy that consistently guards all shared variables. Concurrency bugs thus can be viewed as the result of an illy-designed or poorly implemented locking policy. The trouble is that the locking policy is often not documented, which makes debugging concurrency bugs clueless. We argue that it is too late to debug concurrency bugs after programming is done and we instead detect and fix them while they are being implemented. In this work, we propose an approach named IFIX which flags potential concurrency bugs and recommends fixes while the bugs are introduced. The key idea is to automatically conjecture what the intended locking policy is based on static analysis and recommend fixes accordingly. The recommended fixes are present to the programmer promptly and the user feedback (i.e., whether the certain recommendation is selected) is used to refine the conjectured locking policy and consequently future fixes. IFIX is evaluated on 43 concurrent programs, and through a user study with 30 programmers. The experiment results and user feedback show that IFIX is efficient, accurate and user-friendly.

Dongwen Zhang,Penghao Qi,Yang Zhang

DOI: https://doi.org/10.1109/access.2021.3116027

IF: 3.9

2021-01-01

IEEE Access

Abstract:Go provides a new concurrency mechanism based on message-passing, which brings a series of new concurrency bugs. The existing tools are highly dependent on model-checking methods in which they take the source program as the input of model-checking tools to detect the potential concurrent bugs. However, these methods can only qualitatively obtain the concurrency of the program but not obtain the exact number of concurrency bugs in the program. Meanwhile, these approaches are not sensitive to dead codes, which are prone to false negatives. Furthermore, few works have been done on detecting WaitGroup-related bugs in Go concurrent programming, which may cause deadlock. To this end, this paper proposes a novel approach GoDetector to detect concurrent bugs. GoDetector uses a detecting algorithm and a pushdown automaton to verify the channel-related concurrent bugs and WaitGroup-related concurrent bugs separately. To support the evaluation of the tool, 30 benchmarks are collected from the existing tools. GoDetector reports 2 channel safety errors, 29 deadlocks, and 11 WaitGroup-related errors. Compared with the existing tool Godel, GoDetector has the capacity to report more concurrency bugs and fewer false positives. GoDetector also offers additional support for the detection of WaitGroup variables. The experimental results indicate that GoDetector is more efficient at detecting the concurrency in regards to accuracy and diversity.

Changming Liu,Deqing Zou,Peng Luo,Bin B. Zhu,Hai Jin

DOI: https://doi.org/10.1145/3274694.3274718

2018-01-01

Abstract:With a growing demand of concurrent software to exploit multi-core hardware capability, concurrency vulnerabilities have become an inevitable threat to the security of today's IT industry. Existing concurrent program detection schemes focus mainly on detecting concurrency errors such as data races, atomicity violation, etc., with little attention paid to detect concurrency vulnerabilities that may be exploited to infringe security. In this paper, we propose a heuristic framework that combines both static analysis and fuzz testing to detect targeted concurrency vulnerabilities such as concurrency buffer overflow, double free, and use-after-free. The static analysis locates sensitive concurrent operations in a concurrent program, categorizes each finding into a potential type of concurrency vulnerability, and determines the execution order of the sensitive operations in each finding that would trigger the suspected concurrency vulnerability. The results are then plugged into the fuzzer with the execution order fixed by the static analysis in order to trigger the suspected concurrency vulnerabilities. In order to introduce more variance which increases possibility that the concurrency errors can be triggered, we also propose manipulation of thread scheduling priority to enable a fuzzer such as AFL to effectively explore thread interleavings in testing a concurrent program. To the best of our knowledge, this is the first fuzzer that is capable of effectively exploring concurrency errors. In evaluating the proposed heuristic framework with a benchmark suit of six real-world concurrent C programs, the framework detected two concurrency vulnerabilities for the proposed concurrency vulnerability detection, both being confirmed to be true positives, and produced three new crashes for the proposed interleaving exploring fuzzer that existing fuzzers could not produce. These results demonstrate the power and effectiveness of the proposed heuristic framework in detecting concurrency errors and vulnerabilities.

Bo Liu,Zhengwei Qi,Bin Wang,Ruhui Ma

DOI: https://doi.org/10.1109/icsme.2014.42

2014-01-01

Abstract:Concurrent programs are known to be difficult to test and maintain. These programs often fail because of concurrency bugs caused by non-deterministic interleavings among shared memory accesses. Even though a concurrency bug can be detected, it is still hard to isolate the root cause of the bug, due to the challenge in understanding the complex thread interleavings or schedules. In this paper, we propose a practical and precise isolation technique for concurrent bugs called Pinso that seeks to exploit the non-deterministic nature of concurrency bugs and accurately find the root causes of program error, to further help developers maintain concurrent programs. Pinso profiles runtime inter-thread interleavings based on a set of summarized memory access patterns, and then, isolates suspicious interleaving patterns in the triaging phase. Using a filtration-oriented scheduler, Pinso effectively eliminates false positives that are irrelevant to the bug. We evaluate Pinso with 11 real-world concurrency bugs, including single- and multi-variable violation, from sever/desktop concurrent applications (MySQL, Apache, and several others). Experiments indicate that our tool accurately isolates the root causes of all the bugs.

ZHUChengcheng,DONG Lida

DOI: https://doi.org/10.3969/j.issn.1001-2400.2015.02.028

2015-01-01

Abstract:Due to the sharing of resources,the deadlocks often occur as concurrency bugs in multithreaded software.This paper utilizes the Petri net to model multithreaded software and use the mixed integer programming tool to test the concurrency bugs in it.Currently,multithreaded software using the mutex can be modeled and tested by the Gadara nets.Multithreaded software using semaphores can be modeled by S*PR nets,but there is no theory to support the mixed integer programming-based concurrency bugs test method for them.This paper defines a subclass of S*PR nets,i.e.,SEM-S*PR nets.The initial marking of resource places in it can be greater than 1 and branches can use resources symmetrically.Thus,it can model a class of multithreaded software using semaphores.By structural analysis,it can be proved that a SEM-S*PR net is live if and only if all its siphons are always marked during execution.This result ensures that the mixed integer programming techniques can also be applied for detecting concurrency bugs in multithreaded software modeled by SEM-S* PR nets.Finally,two concurrency bug test examples are introduced,and the results show the validity of this work.

Dennis Jeffrey,Yan Wang,Chen Tian,Rajiv Gupta

DOI: https://doi.org/10.1002/spe.1040

2011-01-01

Software Practice and Experience

Abstract:Memory-related program failures in multithreaded programs can be caused by a variety of bugs. Concurrency bugs can occur due to unexpected or incorrect thread interleavings during execution. Other kinds of memory bugs, such as buffer overflows and uninitialized reads, may also occur in multithreaded as well as single-threaded programs. Most prior techniques for isolating these bugs are specialized, addressing only one type of concurrency bug or certain types of other memory bugs. The memory corruption caused by these bugs can also undergo significant propagation during program execution. When a program failure finally occurs due to memory corruption, the true root cause of the failure may be effectively concealed as significant portions of memory may have become corrupted. We propose a general framework that can isolate the root cause of any failure in a multithreaded program that involves memory corruption and reveals at least a subset of this memory corruption. This includes three important types of concurrency bugs—data races, atomicity violations, and order violations—as well as other kinds of memory bugs. To account for propagation of memory corruption, our approach uses a dynamic technique called ‘execution suppression’ that iteratively reveals memory corruption in a failing execution to isolate the true root cause of the failure. Copyright © 2011 John Wiley & Sons, Ltd.

Jian Cao,Xin Yang,Yu Jiang,Han Liu,Weiliang Ying,Xian Zhang

DOI: https://doi.org/10.1145/3196398.3196451

2018-01-01

Abstract:Race detection is increasingly popular, both in the academic research and in industrial practice. However, there is no specialized and comprehensive dataset of the data race, making it difficult to achieve the purpose of effectively evaluating race detectors or developing efficient race detection algorithms. In this paper, we presented JBench, a dataset with a total number of 985 data races from real-world applications and academic artifacts. We pointed out the locations of data races, provided source code, provided running commands and standardized storage structure. We also analyzed all the data races and classified them from four aspects: variable type, code structure, method span and cause. Furthermore, we discussed usages of the dataset in two scenarios: optimize race detection techniques and extract concurrency patterns.

Zhe Wang,Chenggang Wu,Xiang Yuan,Zhenjiang Wang,Jianjun Li,Pen-Chung Yew,Jeff Huang,Xiaobing Feng,Yanyan Lan,Yunji Chen,Yuanming Lai,Yong Guan

DOI: https://doi.org/10.1109/icse.2015.94

IF: 7.4

2018-01-01

IEEE Transactions on Software Engineering

Abstract:Multi-threaded programs play an increasingly important role in current multi-core environments. Exposing concurrency bugs and debugging such multi-threaded programs have become quite challenging due to their inherent non-determinism. In order to eliminate such non-determinism, many approaches such as record-and-replay and other similar bug reproducing systems have been proposed. However, those approaches often suffer significant performance degradation because they require a large amount of recorded information and/or long analysis and replay time. In this paper, we propose an effective approach, ReCBuLC, to take advantage of the hardware clocks available on modern processors. The key idea is to reduce the recording overhead and analyzing events' global order by using time stamps recorded in each thread. Those timestamps are used to determine the global orders of shared accesses. To avoid the large overhead incurred in accessing system-wide global clock, we opt to use local per-core clocks that incur much less access overhead. We then propose techniques to resolve differences among local clocks and obtain an accurate global event order. By using per-core clocks, state-of-the-art bug reproducing systems such as PRES and CLAP can reduce the recording overheads by 1% ~ 85%, and the analysis time by 84.66% ~ 99.99%, respectively.