Efficient, Software-Only Data Race Exceptions Swarnendu Biswasy Minjia Zhangy Michael D. Bondy Brandon Luciax y Ohio State University x Carnegie Mellon University {biswass,zhanminj,mikebond}@cse.ohio-state.edu, [email protected] Ohio State CSE Technical Report #OSU-CISRC-3/15-TR04, March 2015 Abstract should provide strong data race semantics that programming Data races complicate programming language semantics, languages can rely on, and (2) developers require efficient and a data race is often a bug. Existing techniques detect data tools for detecting data races. races and define their semantics by detecting conflicts be- The risk presented by data races strongly suggests that tween synchronization-free regions (SFRs). However, such programming languages should provide strong semantic techniques either modify hardware or slow programs dra- guarantees for executions with data races, but doing so ef- matically, preventing always-on use today. ficiently is complex and challenging. As a testament to that This paper describes Valor, a sound, precise, software- complexity, modern languages such as Java and C++ sup- DRF0 only region conflict detection analysis that achieves high port variants of , providing few or no guarantees for performance by eliminating costly analysis on each read op- executions with data races [2, 3, 9, 10, 42, 66] (Section 2). eration that prior approaches require. Valor instead logs a These languages remain useful by providing strong seman- region’s reads and lazily detects conflicts for logged reads tics with a guarantee of not only SC but also serializabil- when the region ends. We have also developed FastRCD, a ity of synchronization-free regions in the absence of data conflict detector that leverages the epoch optimization strat- races [3, 11, 42, 43, 53]. Modern languages should provide with egy of the FastTrack data race detector. similarly strong semantics for executions data races. We evaluate Valor, FastRCD, and FastTrack, showing A promising approach to data race semantics is to detect halt that Valor dramatically outperforms FastRCD and Fast- problematic data races and the execution with an excep- Track. Valor is the first region conflict detector to provide tion [21, 42, 45]. Exceptional semantics for data races sim- strong semantic guarantees for data races with under 2X plify programming language specifications by limiting the slowdown. We also show that Valor is an effective data effects of executions that exhibit data races. A prerequisite race detector, providing an appealing cost–coverage tradeoff to treating data races as exceptions is having a mechanism compared with FastTrack. Overall, Valor advances the state that dynamically detects problematic races with no false pos- of the art in always-on support for strong behavioral guaran- itives and is efficient enough for always-on use. tees for data races, and in sound, precise race detection. Such an efficient, precise data race detector is also valu- able for finding and fixing data races, both before and after 1. Introduction deployment. During development, high overheads are prob- Data races are a fundamental barrier to providing well- lematic, wasting limited resources. Developers shy away defined programming language specifications and to writ- from using intrusive tools that do not allow them to test re- ing correct shared-memory, multithreaded programs. A data alistic program executions [44]. Moreover, the manifestation race occurs when two accesses to the same memory loca- of a data race is dependent on an execution’s inputs, environ- tion are conflicting—executed by different threads and at ments, and thread interleavings. A data race may not occur in least one is a write—and concurrent—not ordered by syn- hours of program execution [69], sometimes requiring weeks chronization operations [4]. to reproduce, diagnose, and fix if it is contingent on specific Data races can cause programs to exhibit confusing and environmental conditions [29, 40, 62]. Detecting such data incorrect behavior. They can lead to sequential consistency races requires analyzing production executions, making per- (SC), atomicity, and order violations [40, 53] that may cor- formance a key constraint. rupt data, cause a crash, or prevent forward progress [25, 34, Thus, providing strong semantic guarantees and detecting 51]. The Northeastern electricity blackout of 2003 [62] is a data races each require precise, efficient techniques. Design- testament to the danger posed by data races. ing such precise, efficient mechanisms is the central problem The complexity and risk associated with data races pro- we explore in this work. vide the two main motivations for this work: (1) systems 1 Existing approaches. Existing sound and precise dynamic Both FastRCD and Valor report region conflicts when data race detectors slow program executions by an order of an access in one thread conflicts with an access that was magnitude or more in order to determine which conflicting executed by another thread in an ongoing region—which accesses are concurrent according to the happens-before re- is a sufficient condition for detecting every data race that lation [21, 24, 36, 54] (Section 2). Other prior techniques could violate region serializability. We show that FastRCD avoid detecting happens-before races soundly (no false nega- and Valor are still precise even if regions are bounded only tives), instead detecting conflicts only between operations in at synchronization release operations. FastRCD and Valor concurrent synchronization-free regions (SFRs) [20, 42, 45]. thus detect conflicts between release-free regions (RFRs) by Every SFR conflict corresponds to a data race, but not ev- default, which we show helps to amortize per-region costs. ery data race corresponds to an SFR conflict. Detecting SFR We have implemented FastRCD and Valor, as well as conflicts provides the useful property that an execution with the state-of-the-art FastTrack analysis [24], in a high-perfor- no region conflicts corresponds to a serialization of SFRs. mance Java virtual machine. We evaluate and compare the This guarantee extends to executions with data races the performance, characteristics, and race detection coverage of strong property that DRF0 already provides for data-race- these three analyses on a variety of large, multithreaded Java free executions [2, 3, 11, 43]. Unfortunately, existing region benchmarks. Valor incurs the lowest overheads of any sound, conflict detectors are impractical, relying on custom hard- precise, software conflict detection system that we are aware ware or slowing programs substantially [20, 42, 45]. of, adding only 96% average overhead. By contrast, our implementation of FastTrack adds 342% Our Approach average overhead over baseline execution, which is compa- This work aims to provide a practical, efficient, software- rable to the 8.5X slowdown (750% overhead) reported by only region conflict detector that is useful for giving data prior work [24]—particularly in light of implementation dif- races clear semantics and for reporting real data races. Our ferences (Section 7.2). FastRCD incurs most but not all of key insight is that tracking the last readers of each shared FastTrack’s costs, adding 283% overhead on average. Valor variable is not necessary for sound and precise region con- is not only substantially faster than existing approaches that flict detection. As a result of this insight, we introduce a provide strong semantic guarantees, but its <2X slowdown novel sound and precise region conflict detection analysis is fast enough for pervasive use during development and called Valor. Valor records the last region to write each testing, including end-user alpha and beta tests, and poten- shared variable, but it does not record the last region(s) to tially in some production systems. Valor thus represents a read each variable. Instead, it logs information about each significant advancement of the state of the art: the first ap- read in thread-local logs, so each thread can later validate its proach with under 100% time overhead that provides useful, logged reads to ensure that no conflicting writes occurred in strong semantic guarantees to existing languages for execu- the meantime. Valor thus detects write–write and write–read tions both with and without races on commodity systems. conflicts eagerly (i.e., at the second conflicting access), but it detects read–write conflicts lazily. We note that some soft- 2. Background and Motivation ware transactional memory (STM) systems make use of sim- Detecting data races soundly and precisely enables provid- ilar insights about eager and lazy conflict detection, but their ing strong execution guarantees, but sound1 and precise dy- mechanisms are imprecise, and they do not target providing namic analysis adds high run-time overhead [24]. Detecting execution guarantees or detecting data races (Section 8.3). conflicts between synchronization-free regions (SFRs) pro- Alongside Valor, we also developed FastRCD, which is vides strong execution guarantees, but existing approaches an adaptation of the efficient FastTrack happens-before de- rely on custom hardware [42, 45] or add high overhead [20]. tector [24] for region conflict detection. FastRCD does not Providing a strong execution model. track the happens-before relation, but it tracks the regions Modern programming that last wrote and read each shared variable. As such, Fast- languages (Java and C++) have memory models that are data-race-free-0 RCD provides somewhat lower overhead than FastTrack but variants of the