Ruixue Li,Bin Yu,Xu Lu,Lei Ke,Jiawei Chen,Zixuan Yuan,Jingxian Wang,Cong Tian,Yansong Dong

DOI: https://doi.org/10.1145/3691620.3695325

2024-01-01

Abstract:Interrupt-driven programs are widely used in safety-critical fields like aerospace and embedded systems. However, the unpredictable interleaving of Interrupt Service Routines (ISRs) can lead to concurrency bugs, particularly atomicity violations when ISRs preempt atomic sequences of instructions. To address this, we propose a dynamic approach for detecting atomicity violations in interrupt-driven programs. Extensive experiments demonstrate that our method is more precise and efficient than related approaches.

Jingwen Zhao,Yanxia Wu,Yun Feng,Jibin Dong,Changting Shi

DOI: https://doi.org/10.1002/smr.2725

2024-01-01

Abstract:Atomicity violation bugs are a frequent problem in concurrency. Because of the unpredictable nature of thread interleaving, most current methods are unable to differentiate between harmful and benign atomicity violations. This makes it challenging to determine the existence of an actual bug. This paper presents a method for detecting atomicity violation bugs in programs based on user interaction. First, UserTrack matches access interleaving patterns to identify all potential violations. We then verify the programmer's atomicity intent between two logical access operations on the same thread and filter out some candidates. Finally, a user interaction mechanism checks the paths that do not produce atomicity violations when threads are interleaved. Our method focuses on a small number of interesting states and interleavings, while allowing the programmer to impose constraints on thread interleavings and explore all executions that satisfy these constraints. We continuously gather information through user feedback results and detect atomicity violation bugs that truly go against the programmer's intent. We evaluated the method using benchmark tests, which demonstrated the effectiveness of UserTrack in detecting atomicity violations. This method verifies the atomicity intent between nonserializable interleaving and logical access operations, allows programmers to impose constraints on thread interleaving, and explores all executions that satisfy these constraints and continuously gain information through user feedback to identify atomicity violation bugs that truly violate the programmer's intent. image

Yuan Zhang,Lei Qu,Yifei Wu,Leihuan Wu,Tingting Yu,Rui Chen,Weiqiang Kong

DOI: https://doi.org/10.1145/3705311

IF: 3.685

2024-01-01

ACM Transactions on Software Engineering and Methodology

Abstract:Detecting atomicity violations effectively in interrupt-driven programs is difficult due to the asymmetric concurrency interleaving of interrupts. Current approaches face two main challenges: (1) A large number of false positives are generated by efficient static analysis techniques. (2) Loops with large or unknown bounds in these programs limit the scalability of the bounded verification techniques. To address these challenges, we present NIChecker, a new bounded verification tool designed to detect atomicity violations in interrupt-driven programs. The key ideas are: (1) Transforming an interrupt-driven program into a bounded sequential C program through lazy sequentialization technique. This sequential program accurately models interrupt masking and nested interrupt execution. (2) Combining a refined loop abstraction technique with our sequentialization to enhance the efficiency of detecting programs with intractable loops. (3) Integrating slicing and an interleaving path reduction technique known as preemption point reduction in NIChecker to shrink the explored state space. We prove the bounded correctness of our translation and discuss the impact of our optimizations. We evaluate NIChecker on 31 academic benchmark programs and 18 real-world interrupt-driven programs. Our results show that NIChecker achieves better precision, a lower false positive rate, and a significant verification speed-up than related state-of-the-art tools.

Xiang Du,Liangze Yin,Haining Feng,Wei Dong

DOI: https://doi.org/10.1109/apsec53868.2021.00033

2021-01-01

Abstract:Due to the non-deterministic occurring of interrupt service routines, vulnerabilities of interrupt-driven programs, such as data race and atomicity violation, are usually hard to discover. Static analysis is an effective method for vulnerability analysis of interrupt-driven programs. However, existing techniques usually produce a large number of false alarms, which limits the application of static analysis in practice. To achieve high precision in vulnerability analysis of interrupt-driven programs, this paper proposes a program verification enhanced precise analysis method. For each potential vulnerability detected by static analysis, we propose a vulnerability validation approach which employs program verification to further automatically verify its feasibility. We have implemented a prototype of our method on top of CBMC. Experimental results on both an academic benchmark and 24 real-world programs show that our method can successfully identify true vulnerabilities and achieve a high precise analysis.

Pengfei Wang,Jens Krinke,Xu Zhou,Kai Lu

DOI: https://doi.org/10.1002/cpe.5160

2019-01-01

Abstract:SummaryConcurrency bugs, such as atomicity‐violation bugs, are difficult to detect due to the uncertainty of thread‐scheduling. It is particularly difficult to conduct a thorough bug fix when an atomicity‐violation bug can be triggered by different buggy interleavings. This paper proposes a prediction‐based approach to comprehensively detect atomicity‐violation bugs. A bug fix can be incomplete when the developer cannot have all the buggy interleavings. Based on the candidate interleavings, this approach can predict unmanifested atomicity‐violation bugs from a non‐buggy execution and comprehensively display all the buggy interleavings for the same bug to assist a thorough fix. We use a monitored execution to record execution traces and predict potential buggy interleavings based on the candidate interleavings identified from the trace. Then, we use controlled executions to verify the predicted buggy interleavings by controlling the thread‐scheduling. We implemented a prototype tool called AVPredictor and evaluated it with real‐world tests. Experiments show that AVPredictor can effectively find all the known atomicity‐violation bugs as well as a previously unknown bug together with all the buggy interleavings for each bug. The runtime overhead is 13x for the monitored execution and 18x for the controlled execution.

Yu Wang,Junjing Shi,Linzhang Wang,Jianhua Zhao,Xuandong Li

DOI: https://doi.org/10.1145/2875913.2875943

2015-01-01

Abstract:Interrupt-driven programs are often embedded in safety-critical systems to perform hardware/resource dependent data operation tasks, such as data acquisition, processing, and transformation. The interrupt programs and tasks may happen in parallel which in a result causes indeterminist concurrent problems at runtime. Data race is one of the most popular problems challenging researchers and practitioners. Various static analysis, software testing approaches have been proposed to detect data races in source code, testing, and even production run. However, static analysis may report too many false positives due to the lack of execution information. Dynamic testing may miss some important races since it could not generate adequate test cases to test all possible execution scenarios. In this paper, we propose a hybrid approach to detect data races in interrupt-driven programs based on static analysis and dynamic simulation. We implemented a prototype tool and conducted a controlled experiment to demonstrate the applicability of our approach.

Mingxing Zhang,Yongwei Wu,Shan Lu,Shanxiang Qi,Jinglei Ren,Weimin Zheng

DOI: https://doi.org/10.1109/tse.2016.2531666

IF: 7.4

2016-01-01

IEEE Transactions on Software Engineering

Abstract:Concurrency bugs are notoriously difficult to eradicate during software testing because of their non-deterministic nature. Moreover, fixing concurrency bugs is time-consuming and error-prone. Thus, tolerating concurrency bugs during production runs is an attractive complementary approach to bug detection and testing. Unfortunately, existing bug-tolerating tools are usually either 1) constrained in types of bugs they can handle or 2) requiring roll-back mechanism, which can hitherto not be fully achieved efficiently without hardware supports. This paper presents a novel program invariant, called Anticipating Invariant (AI), which can help anticipate bugs before any irreversible changes are made. Benefiting from this ability of anticipating bugs beforehand, our software-only system is able to forestall the failures with a simple thread stalling technique, which does not rely on execution roll-back and hence has good performance Experiments with 35 real-world concurrency bugs demonstrate that AI is capable of detecting and tolerating most types of concurrency bugs, including both atomicity and order violations. Two new bugs have been detected and confirmed by the corresponding developers. Performance evaluation with 6 representative parallel programs shows that AI incurs negligible overhead (<1%) for many nontrivial desktop and server applications.

Yin Wang,Peng Liu,Terence Kelly,Stéphane Lafortune,Spyros A. Reveliotis,Charles Zhang

DOI: https://doi.org/10.1109/CDC.2012.6426112

2012-01-01

Abstract:Atomicity violations are among the most severe and prevalent defects in concurrent software. Numerous algorithms and tools have been developed to detect atomicity bugs, but few solutions exist to automatically fix such bugs. Some existing solutions add locks to enforce atomicity, which can introduce deadlocks into programs. Our recent work avoids deadlock bugs in concurrent programs by adding control logic synthesized using Discrete Event Systems theory. In this paper, we extend this control framework to address single-variable atomicity violation bugs. We use the same class of Petri net models as in our prior work to capture program semantics, and handle atomicity violations by control specifications in the form of linear inequalities. We propose two methodologies for synthesizing control logic that enforces these linear inequalities without causing deadlocks; the resulting control logic is embedded into the program's source code by program instrumentation. These results extend the scope of concurrency bugs in software systems that can be handled by techniques from control engineering. Case studies involving two real Java programs demonstrate our solution procedure.

WU Xueguang,WEN Yanjun,WANG Ji,FU Xiutao,QI Yanxia,GU Bin

DOI: https://doi.org/10.3778/j.issn.1673-9418.2011.12.003

2011-01-01

Abstract:In C programs with multiple interruptions, the interleaving of interruptions may cause some unexpected interleaving executions and even wrong execution results. A kind of frequently occurred error is that the atomicity of programs is violated because of data race. To solve this problem, this paper introduces the abstract execution semantics for C programs under multiple interruptions, gives an atomicity definition based on the access of shared variables, presents the data race and atomicity checking algorithms based on the atomicity definition, and adopts function abstraction technique to reduce the traversed state space. At last, it designs and implements a prototype checker named MIDAC (multiple interruption C program data race and atomicity checker), and the experimental results demonstrate its effectiveness on several practical programs.

Qingkai Shi,Jeff Huang,Zhenyu Chen,Baowen Xu

DOI: https://doi.org/10.1109/tse.2015.2477820

IF: 7.4

2016-01-01

IEEE Transactions on Software Engineering

Abstract:Atomicity is a fundamental property to guarantee the isolation of a work unit (i.e., a sequence of related events in a thread) from concurrent threads. However, ensuring atomicity is often very challenging due to complex thread interactions. We present an approach to help developers verify whether such work units, which have triggered bugs due to certain violations of atomicity, are sufficiently synchronized or not by locks introduced for fixing the bugs. A key feature of our approach is that it combines the fortes of both bug-driven and change-aware techniques, which enables it to effectively verify synchronizations by testing only a minimal set of suspicious atomicity violations without any knowledge on the to-be-isolated work units, thus being more efficient and practical than other approaches. Besides, unlike existing approaches, our approach effectively utilizes all the inferred execution traces even they may not be completely feasible, such that the verification algorithm can converge much faster. We demonstrate via extensive evaluation that our approach is much more effective and efficient than the state-of-the-arts. Besides, we show that although there have existed sound automatic fixing techniques for atomicity violations, our approach is still necessary and useful for quality assurance of concurrent programs, because the assumption behind our approach is much weaker. We have also investigated one of the largest bug databases and found that insufficient synchronizations are common and difficult to be found in software development.

Minxue Pan,Shouyu Chen,Yu Pei,Tian Zhang,Xuandong Li

DOI: https://doi.org/10.1109/icse.2019.00037

2019-01-01

Abstract:The widespread real-time and embedded systems are mostly interrupt-driven because their heavy interaction with the environment is often initiated by interrupts. With the interrupt arrival being unpredictable and the interrupt handling being preemptive, a large number of possible system behaviours are generated, which makes the correctness assurance of such systems difficult and costly. Model checking is considered to be one of the effective methods for exhausting behavioural state space for correctness. However, existing modelling approaches for interrupt-driven systems are based on either calculus or automata theory, and have a steep learning curve. To address this problem, we propose a new modelling language called interrupt sequence diagram (ISD). By extending the popular UML sequence diagram notations, the ISD supports the modelling of interrupts' essential features visually and concisely. We also propose an automata-based semantics for ISD, based on which ISD can be transformed to a subset of hybrid automata so as to leverage the abundant off-the-shelf checkers. Experiments on examples from both real-world and existing literature were conducted, and the results demonstrate our approach's usability and effectiveness.

Yu Wang,Fengjuan Gao,Linzhang Wang,Tingting Yu,Ke Wang,Jianhua Zhao,Xuandong Li

2023-05-29

Abstract:Interrupt-driven programs are widely deployed in safety-critical embedded systems to perform hardware and resource dependent data operation tasks. The frequent use of interrupts in these systems can cause race conditions to occur due to interactions between application tasks and interrupt handlers (or two interrupt handlers). Numerous program analysis and testing techniques have been proposed to detect races in multithreaded programs. Little work, however, has addressed race condition problems related to hardware interrupts. In this paper, we present SDRacer, an automated framework that can detect, validate and repair race conditions in interrupt-driven embedded software. It uses a combination of static analysis and symbolic execution to generate input data for exercising the potential races. It then employs virtual platforms to dynamically validate these races by forcing the interrupts to occur at the potential racing points. Finally, it provides repair candidates to eliminate the detected races. We evaluate SDRacer on nine real-world embedded programs written in C language. The results show that SDRacer can precisely detect and successfully fix race conditions.

Software Engineering

Changming Liu,Deqing Zou,Peng Luo,Bin B. Zhu,Hai Jin

DOI: https://doi.org/10.1145/3274694.3274718

2018-01-01

Abstract:With a growing demand of concurrent software to exploit multi-core hardware capability, concurrency vulnerabilities have become an inevitable threat to the security of today's IT industry. Existing concurrent program detection schemes focus mainly on detecting concurrency errors such as data races, atomicity violation, etc., with little attention paid to detect concurrency vulnerabilities that may be exploited to infringe security. In this paper, we propose a heuristic framework that combines both static analysis and fuzz testing to detect targeted concurrency vulnerabilities such as concurrency buffer overflow, double free, and use-after-free. The static analysis locates sensitive concurrent operations in a concurrent program, categorizes each finding into a potential type of concurrency vulnerability, and determines the execution order of the sensitive operations in each finding that would trigger the suspected concurrency vulnerability. The results are then plugged into the fuzzer with the execution order fixed by the static analysis in order to trigger the suspected concurrency vulnerabilities. In order to introduce more variance which increases possibility that the concurrency errors can be triggered, we also propose manipulation of thread scheduling priority to enable a fuzzer such as AFL to effectively explore thread interleavings in testing a concurrent program. To the best of our knowledge, this is the first fuzzer that is capable of effectively exploring concurrency errors. In evaluating the proposed heuristic framework with a benchmark suit of six real-world concurrent C programs, the framework detected two concurrency vulnerabilities for the proposed concurrency vulnerability detection, both being confirmed to be true positives, and produced three new crashes for the proposed interleaving exploring fuzzer that existing fuzzers could not produce. These results demonstrate the power and effectiveness of the proposed heuristic framework in detecting concurrency errors and vulnerabilities.

Jie Su,Zuchao Yang,Hengrui Xing,Jiyu Yang,Cong Tian,Zhenhua Duan

DOI: https://doi.org/10.1007/978-3-031-30820-8_38

2023-01-01

Abstract:PIChecker is a tool for verifying reachability properties of concurrent C programs. It moderates the trace-space explosion problem, aggravated by thread alternation, through utilizing the PC-DPOR and C-Intp techniques. The PC-DPOR technique constructs a constrained dependency graph to refine dependencies between transitions. With this basis, the inherent imprecision of the dependence over-approximation can be overcome. Thereby, many redundant equivalent traces are prevented from being explored. On the other hand, the C-Intp technique performs conditional interpolation to confine the reachable regions of states, so that infeasible conditional branches which occur more frequently in concurrent verification tasks could be pruned automatically. We have implemented the above techniques on top of the open-source program analysis framework CPAchecker

Jingwen Zhao,Yanxia Wu,Jibin Dong

DOI: https://doi.org/10.1007/s11227-024-06189-4

IF: 3.3

2024-01-01

The Journal of Supercomputing

Abstract:Interrupt-driven programs are widely used in embedded systems with high security requirements. However, uncertain interleaving execution of tasks and interrupts may cause concurrency bugs, with data races being a significant factor in threatening security. Most of the previous research has focused on detecting data races in multi-threaded programs. And existing static analysis methods for interrupt-related data race detection often produce many false positives. This paper presents IntRace, an accurate and efficient static detection technique for interrupt data race. IntRace eliminates false data race by analyzing potential concurrency relationships and path reachability. It first identifies all race candidate pairs using access interleaving pattern matching. Then for each pair of operational accesses, IntRace analyzes potential concurrency relationships, including the special case of interrupt nesting, and uses this information to filter out access pairs that cannot concurrently access the same location. Finally, it checks the feasibility of events in the access pairs by constructing path constraints, which effectively eliminating infeasible paths in concurrent contexts. In addition, IntRace was evaluated on benchmark tests and 9 real embedded programs. The experimental results show that IntRace reduces the false positive rate by 73.2

Haining Feng,Liangze Yin,Wenfeng Lin,Xudong Zhao,Wei Dong

DOI: https://doi.org/10.1109/qrs-c51114.2020.00084

2020-01-01

Abstract:Interrupt-driven programs are widely used in aerospace, medical equipment, and other embedded systems that require extreme safety and stability. However, uncertain interrupt interleaving executions may cause serious data race problems. Static analysis is an important technology to detect data race problems. Existing methods are either too conservative to have low accuracy, or bring lots of false alarms, there still need a more effective solution. The program verification tool CBMC has an excellent performance in the analysis and verification of C multi-threaded modeling, but it doesn't support interrupt-driven programs. In this paper, we proposed a method based on CBMC to detect data race in interrupt-driven programs. Our method achieved accurate analysis of interrupt-driven programs by performing analysis toward interrupt preemption and synchronization semantics, and further validation of the program can be supported. Experiments results on related benchmarks demonstrate our approach's usability and effectiveness.

Xueguang Wu,Yanjun Wen,Liqian Chen,Wei Dong,Ji Wang

DOI: https://doi.org/10.1109/SERE-C.2013.33

2013-01-01

Abstract:In Cyber-Physical Systems with interrupt mechanism, interrupts may cause unexpected interleaving executions and even wrong execution results. A kind of frequently occurred errors are caused by data race. We present an approach under the framework of bounded model checking (BMC) to detect data race for interrupt driven programs. The key idea is to automatically serialize a concurrent interrupt driven program as a non-deterministic sequential program, whose possible execution set includes all the possible executions of the interrupt driven program. Moreover, our approach checks data race in the sequential program and collects all the path condition of the data race location. On this basis, we leverage bounded model checking to convert all the path conditions into SMT formulae. Furthermore, our analysis uses a decision procedure to determine whether the formula is satisfiable, from which the analysis eliminates false alarms which can't occur in real concurrent executions. A prototype based on CBMC is implemented and preliminary experimental results are encouraging.

Xinyu Feng,Zhong Shao,Yu Guo,Yuan Dong

DOI: https://doi.org/10.1007/s10817-009-9118-9

2009-01-01

Journal of Automated Reasoning

Abstract:Hardware interrupts are widely used in the world’s critical software systems to support preemptive threads, device drivers, operating system kernels, and hypervisors. Handling interrupts properly is an essential component of low-level system programming. Unfortunately, interrupts are also extremely hard to reason about: they dramatically alter the program control flow and complicate the invariants in low-level concurrent code (e.g., implementation of synchronization primitives). Existing formal verification techniques—including Hoare logic, typed assembly language, concurrent separation logic, and the assume-guarantee method—have consistently ignored the issues of interrupts; this severely limits the applicability and power of today’s program verification systems. In this paper we present a novel Hoare-logic-like framework for certifying low-level system programs involving both hardware interrupts and preemptive threads. We show that enabling and disabling interrupts can be formalized precisely using simple ownership-transfer semantics, and the same technique also extends to the concurrent setting. By carefully reasoning about the interaction among interrupt handlers, context switching, and synchronization libraries, we are able to—for the first time—successfully certify a preemptive thread implementation and a large number of common synchronization primitives. Our work provides a foundation for reasoning about interrupt-based kernel programs and makes an important advance toward building fully certified operating system kernels and hypervisors.

Qichang Chen,Zhanfang Chen,Zhuang Liu,Xin Feng,Zhengang Jiang,Liqiang Wang,Hongyi Ma,Ping Guo

DOI: https://doi.org/10.4028/www.scientific.net/amr.765-767.1576

2013-01-01

Abstract:The reality of multi-core hardware has made concurrent programs pervasive. Unfortunately, writing correct concurrent programs is difficult. Atomicity violation, which is caused by concurrent executions unexpectedly violating the atomicity of a certain code region, is one of the most common concurrency errors. However, atomicity violation bugs are hard to find using traditional testing and debugging techniques. In this paper, we investigate an approach based on machine learning techniques (specifically decision tree and support vector machine (SVM)) for classifying the benign atomicity violations from the harmful ones. A benign atomicity violation is known not to affect the program's correctness even it happens. We formulate our problem as a supervised-learning problem and apply these two machine learning techniques to classify the atomicity violation report. Our experimental evaluation shows that the proposed method is effective in identifying the benign atomicity violation warnings.

Jia-Ju Bai,Julia Lawall,Shi-Min Hu

DOI: https://doi.org/10.1145/3381990

2018-01-01

ACM Transactions on Computer Systems

Abstract:Atomic context is an execution state of the Linux kernel in which kernel code monopolizes a CPU core. In this state, the Linux kernel may only perform operations that cannot sleep, as otherwise a system hang or crash may occur. We refer to this kind of concurrency bug as a sleep-in-atomic-context (SAC) bug. In practice, SAC bugs are hard to find, as they do not cause problems in all executions. In this article, we propose a practical static approach named DSAC to effectively detect SAC bugs in the Linux kernel. DSAC uses three key techniques: (1) a summary-based analysis to identify the code that may be executed in atomic context, (2) a connection-based alias analysis to identify the set of functions referenced by a function pointer, and (3) a path-check method to filter out repeated reports and false bugs. We evaluate DSAC on Linux 4.17 and find 1,159 SAC bugs. We manually check all the bugs and find that 1,068 bugs are real. We have randomly selected 300 of the real bugs and sent them to kernel developers. 220 of these bugs have been confirmed, and 51 of our patches fixing 115 bugs have been applied.