Author ORCID Identifier

https://orcid.org/0009-0007-0633-422X

Date of Award

Spring 5-2026

Document Type

Thesis (Master's)

Department or Program

Computer Science

First Advisor

Christophe Hauser

Second Advisor

Sergey Bratus

Third Advisor

Siddhartha Jayanti

Abstract

Concurrent programs introduce a class of bugs that depend jointly on both program inputs and thread schedules. Exposing these bugs requires simultaneously reasoning about which code paths are reachable and which thread interleavings are possible. At the same time, many existing tools handle the problem insufficiently. Race detectors observe only the interleavings that the OS happens to produce. Fuzzers explore inputs without controlling schedules. Tools that address both dimensions together exist, but are built on interpretation-based symbolic executors that incur considerable overhead.

We present WeaveCC, a practical concurrency testing tool for C/C++ programs that jointly explores inputs and thread schedules. We implement WeaveCC on top of SymCC, a compiler-based concolic execution engine that instruments programs at the LLVM IR level and executes them at near-native speed. In particular, WeaveCC combines SymCC’s input exploration with a deterministic preemption-bounded scheduler, a happens-before race detector, and a record-and-replay mechanism that enables deterministic bug reproduction. We further introduce a symbolic-aware scheduling heuristic that prioritizes thread interleavings involving accesses to symbolically tracked shared memory.

To evaluate WeaveCC, we introduce WeaveBench, a benchmark suite of 12 C programs (8 buggy, 4 safe) in which each buggy program is designed to require joint reasoning over both inputs and schedules. Experiments show that neither input-only nor schedule-only exploration is sufficient to expose the target bugs, whereas WeaveCC's joint exploration finds all eight, most within seconds. Against AFL++ with ThreadSanitizer, WeaveCC finds the bug in all eight vulnerable programs, while AFL++ misses it in seven of eight and detects the remaining bug unreliably. All bug-triggering executions are deterministically reproducible via WeaveCC's record-and-replay system.
