Detecting and Verifying Event-Driven Races in Mobile Apps
Concurrency bugs are notoriously difficult to debug, and the situation becomes even worse on mobile platforms due to their asynchronous programming model. Android, the dominant mobile platform, has been plagued by concurrency errors ever since its inception, and the majority of those errors are event-driven races, a new type of race caused by the nondeterministic order of events that access the same memory with at least one write access. Prior research has proposed several dynamic approaches to discover harmful event-driven races. However, due to their dynamic nature, these approaches suffer from coverage and false negative issues. Moreover, they produce false positives, cannot reproduce races, and cannot distinguish between benign and harmful races.
In this dissertation, we present an effective approach to systematically detect, verify and classify event-driven races for Android apps. The approach is composed of three sub-systems. The first is SIERRA, to the best of our knowledge the first static event-driven race detector. By employing novel action-sensitive pointer analysis, a static happens-before graph and symbolic-execution-based refinement, SIERRA can effectively find true races with high accuracy and acceptable performance. On our benchmark suite, the races SIERRA finds are a superset of those reported by a state-of-the-art dynamic detector (29.5 vs. 4 true races per app), which demonstrates the advantage of a sound static approach. The second is VALERA, a versatile yet lightweight record-and-replay tool that uses a novel sensor- and event-stream-driven approach to record and replay. VALERA's low overhead (about 1% for either record or replay) and precise schedule replay allow it to reproduce event-driven races for bug fixing. The third is ERVA, a race verification and classification approach that uses event dependency graphs, event flipping, and replay to filter out false positives; for true positives, ERVA further distinguishes benign races from harmful races by state comparison.
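The following toy model illustrates the flip-replay-compare idea described for ERVA; it is an example added here, not code from SIERRA, VALERA or ERVA. The event callbacks, the state dictionary and the happens-before set are constructed, and comparing final states after a flipped replay is an assumed stand-in for the state comparison the abstract mentions.

```python
from itertools import combinations

class TrackedState(dict):
    """Shared app state that records the keys each event reads and writes."""
    def __getitem__(self, key):
        self.reads.add(key)
        return super().__getitem__(key)
    def __setitem__(self, key, value):
        self.writes.add(key)
        super().__setitem__(key, value)

def run(schedule, initial):
    """Run events one at a time (single looper thread); return final state and access sets."""
    state, access = TrackedState(initial), {}
    for event in schedule:
        state.reads, state.writes = set(), set()
        event(state)
        access[event.__name__] = (state.reads, state.writes)
    return dict(state), access

def conflicts(a, b):
    """True if both events touch the same memory with at least one write."""
    (reads_a, writes_a), (reads_b, writes_b) = a, b
    return bool(writes_a & (reads_b | writes_b) or writes_b & reads_a)

def respects(schedule, happens_before):
    """True if every required (earlier, later) ordering holds in this schedule."""
    pos = {e.__name__: i for i, e in enumerate(schedule)}
    return all(pos[a] < pos[b] for a, b in happens_before)

def classify(schedule, initial, happens_before):
    """Flip each unordered conflicting pair, replay, and compare final states."""
    (base, access), report = run(schedule, initial), {}
    for i, j in combinations(range(len(schedule)), 2):
        a, b = schedule[i].__name__, schedule[j].__name__
        flipped = schedule[:i] + [schedule[j]] + schedule[i+1:j] + [schedule[i]] + schedule[j+1:]
        if not conflicts(access[a], access[b]) or not respects(flipped, happens_before):
            continue  # no shared access, or the flip would break a required ordering
        report[(a, b)] = "benign" if run(flipped, initial)[0] == base else "harmful"
    return report

# Constructed sample callbacks (hypothetical app); on_create is ordered before all others.
def on_create(s): s["data"] = None; s["dirty"] = False
def on_download_done(s): s["data"] = "rows"
def on_click(s): s["shown"] = s["data"]
def on_scroll(s): s["dirty"] = True
def on_resize(s): s["dirty"] = True
SCHEDULE = [on_create, on_download_done, on_click, on_scroll, on_resize]
HB = {("on_create", e.__name__) for e in SCHEDULE[1:]}
REPORT = classify(SCHEDULE, {}, HB)
```

In this model the download/click pair changes the final state when flipped, while the two writers of `dirty` conflict on the same key but leave the state unchanged in either order.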