Goblint_lib.RaceAnalysis
Data race analysis (race
).
Data race analysis with tries for offsets and type-based memory locations for open code.
Accesses are to memory locations (memos) which consist of a root and offset. Root can be:
Accesses are (now) collected to sets for each corresponding memo, after points-to sets are resolved, during postsolving.
Race checking is performed per-memo, except must additionally account for accesses to other memos (see diagram below):
s.f
can race with access to a prefix like s
, which writes an entire struct at once;s.f
can race with type-based access like (struct S).f
;(struct S).f
can race with type-based access to a suffix like (int)
.(struct T).s.f
can race with type-based access like (struct S)
, which is a combination of the above.These are accounted for lazily (unlike in the past).
Prefixes (a.k.a. inner distribution) are handled using a trie data structure enriched with lattice properties. Race checking starts at the root and passes accesses to ancestor nodes down to children.
Type suffixes (a.k.a. outer distribution) are handled by computing successive immediate type suffixes transitively and accessing corresponding offsets from corresponding root tries in the global invariant.
Type suffix prefixes (for the combination of the two) are handled by passing type suffix accesses down when traversing the prefix trie.
Race checking happens at each trie node with the above three access sets at hand using Access.group_may_race
. All necessary combinations between the four classes are handled, but unnecessary repeated work is carefully avoided. E.g. accesses which are pairwise checked at some prefix are not re-checked pairwise at a node. Thus, races (with prefixes or type suffixes) are reported for most precise memos with actual accesses: at the longest prefix and longest type suffix.
Additionally, accesses between prefix and type suffix intersecting at a node are checked. These races are reported at the unique memo at the intersection of the prefix and the type suffix. This requires an implementation hack to still eagerly do outer distribution, but only of empty access sets. It ensures that corresponding trie nodes exist for traversal later.
Given C declarations:
struct S {
int f;
};
struct T {
struct S s;
};
struct T t;
Example structure of related memos for race checking:
(int) (S) (T) \ / \ / \ f s t \ / \ / f s \ / f
where:
(int)
is a type-based memo root for the primitive int
type;(S)
and (T)
are short for (struct S)
and (struct T)
, which are type-based memo roots;/
, so access paths run diagonally from top-right to bottom-left;\
.All same-node races:
t.s.f
and t.s.f
is checked/reported at t.s.f
.t.s
and t.s
is checked/reported at t.s
.t
and t
is checked/reported at t
.(T).s.f
and (T).s.f
is checked/reported at (T).s.f
.(T).s
and (T).s
is checked/reported at (T).s
.(T)
and (T)
is checked/reported at (T)
.(S).f
and (S).f
is checked/reported at (S).f
.(S)
and (S)
is checked/reported at (S)
.(int)
and (int)
is checked/reported at (int)
.All prefix races:
t.s.f
and t.s
is checked/reported at t.s.f
.t.s.f
and t
is checked/reported at t.s.f
.t.s
and t
is checked/reported at t.s
.(T).s.f
and (T).s
is checked/reported at (T).s.f
.(T).s.f
and (T)
is checked/reported at (T).s.f
.(T).s
and (T)
is checked/reported at (T).s
.(S).f
and (S)
is checked/reported at (S).f
.All type suffix races:
t.s.f
and (T).s.f
is checked/reported at t.s.f
.t.s.f
and (S).f
is checked/reported at t.s.f
.t.s.f
and (int)
is checked/reported at t.s.f
.(T).s.f
and (S).f
is checked/reported at (T).s.f
.(T).s.f
and (int)
is checked/reported at (T).s.f
.(S).f
and (int)
is checked/reported at (S).f
.t.s
and (T).s
is checked/reported at t.s
.t.s
and (S)
is checked/reported at t.s
.(T).s
and (S)
is checked/reported at (T).s
.t
and (T)
is checked/reported at t
.All type suffix prefix races:
t.s.f
and (T).s
is checked/reported at t.s.f
.t.s.f
and (T)
is checked/reported at t.s.f
.t.s.f
and (S)
is checked/reported at t.s.f
.(T).s.f
and (S)
is checked/reported at (T).s.f
.t.s
and (T)
is checked/reported at t.s
.All prefix-type suffix races:
t.s
and (T).s.f
is checked/reported at t.s.f
.t.s
and (S).f
is checked/reported at t.s.f
.t.s
and (int)
is checked/reported at t.s.f
.t
and (T).s.f
is checked/reported at t.s.f
.t
and (S).f
is checked/reported at t.s.f
.t
and (int)
is checked/reported at t.s.f
.t
and (T).s
is checked/reported at t.s
.t
and (S)
is checked/reported at t.s
.(T).s
and (S).f
is checked/reported at (T).s.f
.(T).s
and (int)
is checked/reported at (T).s.f
.(T)
and (S).f
is checked/reported at (T).s.f
.(T)
and (int)
is checked/reported at (T).s.f
.(T)
and (S)
is checked/reported at (T).s
.(S)
and (int)
is checked/reported at (S).f
.module Spec : sig ... end
Data race analyzer without base --- this is the new standard