Automatic analysis of DMA races using model checking and k-induction
Abstract
Modern multicore processors, such as the Cell Broadband Engine, achieve high performance by equipping accelerator cores with small “scratch-pad” memories. The price for increased performance is higher programming complexity – the programmer must manually orchestrate data movement using direct memory access (DMA) operations. Programming using asynchronous DMA operations is error-prone, and DMA races can lead to nondeterministic bugs which are hard to reproduce and fix. We present a method for DMA race analysis in C programs. Our method works by automatically instrumenting a program with assertions modeling the semantics of a memory flow controller. The instrumented program can then be analyzed using state-of-the-art software model checkers. We show that bounded model checking is effective for detecting DMA races in buggy programs. To enable automatic verification of the correctness of instrumented programs, we present a new formulation of k-induction geared towards software, as a proof rule operating on loops. Our techniques are implemented as a tool, Scratch, which we apply to a large set of programs supplied with the IBM Cell SDK, in which we discover a previously unknown bug. Our experimental results indicate that our k-induction method performs extremely well on this problem class. To our knowledge, this marks both the first application of k-induction to software verification, and the first example of software model checking in the context of heterogeneous multicore processors.
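The instrumentation the abstract describes tracks DMA transfers that are still in flight and asserts that neither a newly issued transfer nor an ordinary local-store access touches a range a pending DMA still owns, until a wait on the transfer's tag retires it. The following C model is an added illustration of that check and is not the paper's or the Scratch tool's code; the `dma_model_*` function names, the fixed-size pending table and the address values are constructed for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the state an instrumented program would carry:
 * every issued transfer is recorded until its tag is waited on. */
#define MAX_PENDING 8
enum { RACE_NONE = 0, RACE_DMA_DMA = 1, RACE_DMA_LS = 2 };

typedef struct { uintptr_t start; size_t size; unsigned tag; int live; } dma_t;
static dma_t pending[MAX_PENDING];

/* Half-open ranges [a, a+an) and [b, b+bn) share at least one byte. */
static int overlaps(uintptr_t a, size_t an, uintptr_t b, size_t bn) {
    return a < b + bn && b < a + an;
}

/* Index of a live transfer overlapping [ls, ls+size), or -1 if none. */
static int find_overlap(uintptr_t ls, size_t size) {
    for (int i = 0; i < MAX_PENDING; i++)
        if (pending[i].live && overlaps(ls, size, pending[i].start, pending[i].size))
            return i;
    return -1;
}

/* Models issuing a get/put on `tag` into local-store range [ls, ls+size):
 * a race if that range is already covered by an in-flight transfer. */
int dma_model_issue(uintptr_t ls, size_t size, unsigned tag) {
    if (find_overlap(ls, size) >= 0) return RACE_DMA_DMA;
    for (int i = 0; i < MAX_PENDING; i++)
        if (!pending[i].live) {
            pending[i] = (dma_t){ ls, size, tag, 1 };
            return RACE_NONE;
        }
    assert(0 && "pending-DMA table too small for this model");
    return RACE_NONE;
}

/* Models the program itself reading or writing local store directly. */
int dma_model_access(uintptr_t ls, size_t size) {
    return find_overlap(ls, size) >= 0 ? RACE_DMA_LS : RACE_NONE;
}

/* Models waiting for every transfer on `tag`; returns how many it retired. */
int dma_model_wait(unsigned tag) {
    int retired = 0;
    for (int i = 0; i < MAX_PENDING; i++)
        if (pending[i].live && pending[i].tag == tag) { pending[i].live = 0; retired++; }
    return retired;
}
```

In an instrumented program each of these calls would be wrapped in an assertion that the result is `RACE_NONE`, which is what a bounded model checker then tries to violate.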
Keywords
Model checking, k-induction, DMA, Multicore programming, Cell BE