Execution Synthesis: A Technique for Automated Software Debugging (2010)
Venue: In Proceedings of Eurosys
Citations: 64 (0 self)
Citations
2868 | Time, clocks and ordering of events in distributed systems
- Lamport
- 1978
Citation context: ...s do (like DART [18] and Klee [6]), except that these test generators do not produce thread schedules. ESD saves the thread schedule of a synthesized execution in the form of happens-before relations [25] between specific program instructions. ESD can also save a strict schedule in the file, by recording the exact instructions on which the context was switched during synthesis, along with the switched...
1614 | Program slicing
- Weiser
- 2012
Citation context: ...e critical edge is followed; otherwise, the search would miss the goal. ESD identifies the critical edges by starting from the goal block and working backward, in a manner similar to backward slicing [37]. Starting from B, the algorithm finds at each step a predecessor node in the CFG. For each such node, if only one of its outgoing edges can lead to B, then that edge is marked as critical. The curren...
991 | Pin: building customized program analysis tools with dynamic instrumentation
- Luk
- 2005
Citation context: ...ecution file. Our current prototype can play back deadlocks involving mutexes and condition variables with negligible overhead. We are in the process of implementing playback for data races using PIN [28] for binary instrumentation; ESD can then control the interleaving of threads' memory accesses. 7. Evaluation In this section we evaluate ESD's effectiveness in reproducing real bugs in real systems (...
852 | LLVM: A compilation framework for lifelong program analysis & transformation
- Lattner, Adve
Citation context: ...states can be leveraged to reduce memory consumption; this is key to ESD's scalability. 6.2 Execution Synthesis and Playback For the execution synthesis phase, ESD compiles the program to LLVM bitcode [26], a low-level instruction set in static single assignment form. We chose LLVM because Klee operates on LLVM and because the associated compiler infrastructure provides rich static analysis facilities....
843 | DART: directed automated random testing
- Godefroid, Klarlund, et al.
- 2005
Citation context: ...the buggy behavior. ESD solves the constraints that accumulated along the path and computes all the inputs required for the program to execute that path, in a way similar to automated test generation [6, 18]. ESD relies on symbolic models of the filesystem [6] and the network stack to ensure all symbolic I/O stays consistent. Several programming constructs (such as recursion, system calls, and indirect c...
728 | Symbolic execution and program testing
- King
- 1976
Citation context: ...ment 12 or not, both alternatives are considered possible. For the second thread, a similar analysis finds four possible paths to statement 9. In the dynamic analysis phase, ESD symbolically executes [23] the program in search of a guaranteed-feasible path. The search space is restricted to the paths identified during the static analysis phase. In our example, ESD determines that only path 1→2→3→4→7→....
688 | Eraser: a dynamic data race detector for multithreaded programs
- Savage, Burrows, et al.
- 1997
Citation context: ...tes. In addition to synchronization primitives, ESD also introduces preemptions before instructions flagged as potential data races. ESD uses a dynamic data race detection algorithm similar to Eraser [34] and inserts preemption points wherever potentially harmful data races [30] are detected. Normally, dynamic data race detectors can miss races, because they only observe execution paths exercised by t...
557 | KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs
- Cadar, Dunbar, et al.
- 2008
Citation context: ...to by the program counter is executed and may cause corresponding updates to the state's stack and address space. We chose this representation for compatibility with the Klee symbolic execution engine [6], since the ESD prototype relies on (a modified version of) Klee. As new executions are forked, the corresponding execution states are added to a priority queue. At every step of the symbolic executio...
469 | ReVirt: Enabling intrusion analysis through virtual-machine logging and replay
- Dunlap, King, et al.
- 2002
Citation context: ...of reproducing bugs is by using whole-system replay: the application is run inside a specialized virtual machine, which captures all relevant details of an execution, enabling it to be replayed later [12, 13]. This approach works well for bugs that occur relatively frequently. However, concurrency bugs in production are rare occurrences, so the performance and space overhead of always-on recording of the ...
360 | Compilers: principles, techniques, and tools
- Aho
- 1986
Citation context: ...g branch condition and its desired value (true or false) are retrieved. For each variable x, y, ... in the branch condition, ESD finds the sets of instructions Dx, Dy, ... that are reaching definitions [1] of the variable. It then looks for combinations of instructions from Dx, Dy, ... that would give the branch condition the desired value, i.e., instructions for which there is a static guarantee that, ...
341 | RacerX: Effective, Static Detection of Race Conditions and Deadlocks
- Engler, Ashcraft
- 2003
Citation context: ...dern machines. Complementing Static Analysis Tools with ESD: We see a clear opportunity in using ESD to weed out false positives generated by static analysis tools, such as race and deadlock checkers [14]. Static analysis is powerful and typically complete, but these properties come at the price of soundness: static analyzers commonly produce large numbers of false positives, and selecting the true po...
311 | Automated whitebox fuzz testing
- Godefroid, Levin, et al.
Citation context: ...t case (ESD does not require existing test cases), ESD could run concretely the initialization phase and automatically switch from concrete to symbolic execution later in the execution of the program [8, 19], thus reducing execution synthesis time. 4. Thread Schedule Synthesis In the case of multi-threaded programs, ESD must also synthesize a schedule for interleaving the execution paths of the individua...
304 | Vigilante: End-to-end containment of Internet worm epidemics
- Costa, Crowcroft, et al.
- 2004
Citation context: ...loying symbolic execution. ESD builds upon techniques developed for these systems, most notably Klee [6]. In combining static analysis with symbolic execution, we were inspired by a series of systems [7, 10, 11] which compute inputs that take a program to a specified undesired state, such as the location of a crash. Unlike ESD, these systems are targeted at program states that can be deterministically reache...
248 | Learning from mistakes — a comprehensive study on real world concurrency bug characteristics (in ASPLOS)
- Lu, Park, et al.
- 2008
Citation context: ...volved in debugging leads to error-prone patches, with many concurrency bug fixes either introducing new bugs or, instead of fixing the underlying bug, merely decreasing its probability of occurrence [27]. Increasingly parallel hardware causes software to experience increasingly concurrent executions, making latent bugs more likely to manifest, yet no easier to fix. In this paper, we introduce executio...
209 | Debugging operating systems with time-traveling virtual machines
- King, Dunlap, et al.
- 2005
Citation context: ...y frequently. However, concurrency bugs in production are rare occurrences, so the performance and space overhead of always-on recording of the entire execution offers less payback. Reverse debugging [24] uses VMs to travel back and forth in an execution, which is useful in dealing with hard-to-reproduce bugs; this approach typically incurs prohibitive recording overhead for bugs that occur infrequentl...
154 | Finding and reproducing Heisenbugs in concurrent programs
- Musuvathi, Qadeer, et al.
- 2008
Citation context: ...hreads. For simplicity and clarity, we assume a sequential consistency model for memory shared among threads, an assumption present in most recent systems dealing with concurrency bugs (such as Chess [29]). An immediate consequence is that each machine instruction is assumed to execute atomically with respect to memory, which simplifies the exploration process. In the case of shared memory with relaxe...
127 | ODR: Output-deterministic Replay for Multicore Debugging
- Altekar, Stoica
- 2009
Citation context: ...esired execution, thus obviating the need for any runtime observations. Recent work looked at replaying concurrency bugs, such as data races, while aiming to minimize the amount of user-side recording [2, 33]. While similar in spirit to ESD, these tools still require recording all program inputs and the order of synchronization operations, thus adding overheads as high as 50%, which is hard to justify in ...
124 | Execution replay of multiprocessor virtual machines
- Dunlap, Lucchetti, et al.
- 2008
Citation context: ...of reproducing bugs is by using whole-system replay: the application is run inside a specialized virtual machine, which captures all relevant details of an execution, enabling it to be replayed later [12, 13]. This approach works well for bugs that occur relatively frequently. However, concurrency bugs in production are rare occurrences, so the performance and space overhead of always-on recording of the ...
119 | Race directed random testing of concurrent programs
- Sen
- 2008
Citation context: ...hout having to bound the number of context switches. We repeat, however, that Chess's goals are different from ESD's, so direct performance comparisons must be done carefully. Similarly to RaceFuzzer [35], ESD dynamically detects potential data races and performs context switches before memory accesses suspected to be in a race. However, ESD's approach is more precise, because it is targeted at a spec...
99 | A probe effect in concurrent programs
- Gait
- 1986
Citation context: ...d programmers do not have the means of directly controlling such events. Second, the probe effect (unintended alteration of program behavior through the introduction of instrumentation and breakpoints [15]) can make concurrency bugs "vanish" when hunted with a debugger. Third, variations in the OS and runtime environment (e.g., kernel or library version differences) may make it practically impossible to...
95 | Automatically classifying benign and harmful data races using replay analysis
- Narayanasamy, Wang, et al.
- 2007
82 | Bouncer: Securing software by blocking bad input
- Costa, Castro, et al.
- 2007
Citation context: ...loying symbolic execution. ESD builds upon techniques developed for these systems, most notably Klee [6]. In combining static analysis with symbolic execution, we were inspired by a series of systems [7, 10, 11] which compute inputs that take a program to a specified undesired state, such as the location of a crash. Unlike ESD, these systems are targeted at program states that can be deterministically reache...
77 | Decoupling dynamic program analysis from execution in virtual environments
- Chow, Garfinkel, et al.
- 2008
Citation context: ...D, these tools still require recording all program inputs and the order of synchronization operations, thus adding overheads as high as 50%, which is hard to justify in production systems. Aftersight [9] is an efficient way to observe and analyze the behavior of running programs on production workloads. Aftersight decouples analysis from normal execution by logging non-deterministic VM inputs and rep...
75 | RWset: attacking path explosion in constraint-based test generation
- Boonstoppel, Cadar, et al.
- 2008
Citation context: ... also identifies the need for getchar() to return 'm'. For the second thread, all four paths appear feasible for the time being. Symbolic execution suffers from the notorious "path explosion" problem [3]. Execution synthesis therefore incorporates a number of techniques to cope with the large number of paths that typically get explored during symbolic execution. The foremost of these techniques is th...
71 | R2: An application-level kernel for record and replay
- Guo, Wang, et al.
- 2008
Citation context: ...ad for bugs that occur infrequently. In contrast, ESD requires no tracing, so it presents unique advantages in dealing with rare events, such as concurrency bugs. Higher-level replay systems, like R2 [20], can record library interactions and replay them. These approaches typically incur lower overhead than whole-system replay. ESD's playback environment uses similar techniques, extending them with the ...
69 | Deadlock immunity: enabling systems to defend against deadlocks
- Jula, Tralamazza, et al.
- 2008
Citation context: ...subset of a program's threads that are involved in the deadlock. During schedule synthesis, ESD automatically detects mutex deadlocks by using a deadlock detector based on a resource allocation graph [22]. Deadlocks involving condition variables are more challenging to detect automatically: inferring whether a thread that is waiting on a condition variable will eventually be signaled by another thread...
63 | Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications
- Brumley, Poosankam, et al.
- 2008
Citation context: ...practical for production systems. Static analysis and symbolic execution were used to create vulnerability signatures [4] and to show that it is possible to automatically create exploits from patches [5]. ESD is similar to this work in that it aims to create inputs that execute the program toward a certain vulnerability. However, ESD addresses bugs more broadly than just input validation bugs and is ...
59 | A Randomized Dynamic Program Analysis Technique for Detecting Real Deadlocks
- Joshi, Park, et al.
- 2009
Citation context: ... Tools – Schedules: Even though program testing is different from debugging, we drew inspiration for schedule synthesis from tools that search for concurrency bugs, like Chess [29] and DeadlockFuzzer [21]. Still, there exist major differences. These tools exercise target programs in a special environment and, when a bug occurs, the tools are able to replay those bugs. In contrast, ESD reproduces bugs ...
49 | Creating vulnerability signatures using weakest preconditions
- Brumley, Wang, et al.
- 2007
Citation context: ...nd/or events; in ESD we go to the extreme of zero program tracing, in order to be practical for production systems. Static analysis and symbolic execution were used to create vulnerability signatures [4] and to show that it is possible to automatically create exploits from patches [5]. ESD is similar to this work in that it aims to create inputs that execute the program toward a certain vulnerability...
34 | Better bug reporting with better privacy
- Castro, Costa, et al.
- 2008
Citation context: ...loying symbolic execution. ESD builds upon techniques developed for these systems, most notably Klee [6]. In combining static analysis with symbolic execution, we were inspired by a series of systems [7, 10, 11] which compute inputs that take a program to a specified undesired state, such as the location of a crash. Unlike ESD, these systems are targeted at program states that can be deterministically reache...
29 | Concurrency at Microsoft – an exploratory survey
- Godefroid, Nagappan
- 2008
Citation context: ...manifestation in a debugger. Alas, this approach is often challenging, especially for concurrency bugs: in a recent survey, almost 75% of respondents considered reproducibility to be hard or very hard [17]. There are multiple reasons for this: First, complex sequences of low-probability events (e.g., a particular thread schedule) are required for a concurrency bug to manifest, and programmers do not ha...
13 | Do you have to reproduce the bug at the first replay attempt? – PRES: Probabilistic replay with execution sketching on multiprocessors
- Park, Xiong, et al.
- 2009
Citation context: ...esired execution, thus obviating the need for any runtime observations. Recent work looked at replaying concurrency bugs, such as data races, while aiming to minimize the amount of user-side recording [2, 33]. While similar in spirit to ESD, these tools still require recording all program inputs and the order of synchronization operations, thus adding overheads as high as 50%, which is hard to justify in ...
11 | Selective symbolic execution
- Chipounov, Georgescu, et al.
- 2009
Citation context: ...t case (ESD does not require existing test cases), ESD could run concretely the initialization phase and automatically switch from concrete to symbolic execution later in the execution of the program [8, 19], thus reducing execution synthesis time. 4. Thread Schedule Synthesis In the case of multi-threaded programs, ESD must also synthesize a schedule for interleaving the execution paths of the individua...
1 | Log Function Buffer Overflow Vulnerability
- Ghttpd
- 2010
Citation context: ...same time on the same socket, HawkNL deadlocks. Other bugs result in crashes. A security vulnerability in the ghttpd Web server is caused by a buffer overflow when processing the URL for GET requests [16]. The overflow occurs in the vsprintf function when the request is written to the log. A bug in the paste UNIX utility causes an invalid free for some inputs. The four bugs in the tac, mkdir, mknod, a...
1 | Ohloh SQLite code analysis
- Ohloh
- 2009
Citation context: ...d scales to real systems. For example, it takes less than three minutes to synthesize an execution for a deadlock bug in SQLite, an embedded database engine with over 100 thousand lines of C/C++ code [32] used in Firefox, Skype, Mac OS X, Symbian OS, and other popular software [36]. In this paper, we give an overview of ESD (§2), describe sequential path synthesis (§3), thread schedule synthesis (§4),...