Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)

Slides:



Advertisements
Similar presentations
Types for Atomicity Authors: Cormac Flanagan, UC Santa Cruz Stephen Freund, Marina Lifshin, Williams College Shaz Qadeer, Microsoft Research Presentation.
Advertisements

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
Part IV: Exploiting Purity for Atomicity. Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } CAS(m,0,1) (fails) (succeeds)
Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz.
Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.
C. Flanagan1Types for Atomicity Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
Atomicity Violation Detection Prof. Moonzoo Kim CS492B Analysis of Concurrent Programs.
Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.
Atomicity: A powerful concept for analyzing concurrent software Shaz Qadeer Microsoft Research.
C. FlanaganTypes for Race Freedom1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.
C. FlanaganAtomicity for Reliable Concurrent Software - PLDI'05 Tutorial1 Atomicity for Reliable Concurrent Software Part 3a: Types for Race-Freedom and.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac.
C. FlanaganDynamic Analysis for Atomicity1. C. Flanagan2Dynamic Analysis for Atomicity Atomicity The method inc() is atomic if concurrent threads do not.
Race Checking by Context Inference Tom Henzinger Ranjit Jhala Rupak Majumdar UC Berkeley.
C. Flanagan1Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Atomicity for Reliable Concurrent Software Joint work with Stephen Freund Shaz.
Runtime Atomicity Analysis of Multi-threaded Programs Focus is on the paper: “Atomizer: A Dynamic Atomicity Checker for Multithreaded Programs” by C. Flanagan.
Types for Atomicity in Multithreaded Software Cormac Flanagan Systems Research Center HP Labs.
Synchronization in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
1 A Modular Checker for Multithreaded Programs Cormac Flanagan HP Systems Research Center Joint work with Shaz Qadeer Sanjit A. Seshia.
Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz.
29-Jun-15 Java Concurrency. Definitions Parallel processes—two or more Threads are running simultaneously, on different cores (processors), in the same.
Part II: Atomicity for Software Model Checking. Class Account { int balance; static int MIN = 0, MAX = 100; bool synchronized deposit(int n) { int t =
Cormac Flanagan UC Santa Cruz Velodrome: A Sound and Complete Dynamic Atomicity Checker for Multithreaded Programs Jaeheon Yi UC Santa Cruz Stephen Freund.
Synchronization CSCI 444/544 Operating Systems Fall 2008.
/ PSWLAB Eraser: A Dynamic Data Race Detector for Multithreaded Programs By Stefan Savage et al 5 th Mar 2008 presented by Hong,Shin Eraser:
Taming Concurrency: A Program Verification Perspective Shaz Qadeer Microsoft Research.
C. FlanaganType Systems for Multithreaded Software1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research.
Object Oriented Programming Lecture 8: Introduction to laboratorial exercise – part II, Introduction to GUI frames in Netbeans, Introduction to threads.
Runtime Refinement Checking of Concurrent Data Structures (the VYRD project) Serdar Tasiran Koç University, Istanbul, Turkey Shaz Qadeer Microsoft Research,
Threading and Concurrency Issues ● Creating Threads ● In Java ● Subclassing Thread ● Implementing Runnable ● Synchronization ● Immutable ● Synchronized.
/ PSWLAB Type-Based Race Detection for J AVA by Cormac Flanagan, Stephen N. Freund 22 nd Feb 2008 presented by Hong,Shin Type-Based.
Threads CS 3250 Some of these slides contain material by Professor Chuck Allison.
Reduction: A powerful technique for analyzing concurrent software Shaz Qadeer Microsoft Research Collaborators: Cormac Flanagan, UC Santa Cruz Stephen.
Internet Software Development Controlling Threads Paul J Krause.
Shared Memory Consistency Models. SMP systems support shared memory abstraction: all processors see the whole memory and can perform memory operations.
Bugs (part 1) CPS210 Spring Papers  Bugs as Deviant Behavior: A General Approach to Inferring Errors in System Code  Dawson Engler  Eraser: A.
School of Computer Science & Information Technology G6DICP - Lecture 4 Variables, data types & decision making.
ICFEM 2002, Shanghai Reasoning about Hardware and Software Memory Models Abhik Roychoudhury School of Computing National University of Singapore.
Effective Static Deadlock Detection Mayur Naik* Chang-Seo Park +, Koushik Sen +, David Gay* *Intel Research, Berkeley + UC Berkeley.
Fall 2008Programming Development Techniques 1 Topic 20 Concurrency Section 3.4.
Effective Static Deadlock Detection Mayur Naik (Intel Research) Chang-Seo Park and Koushik Sen (UC Berkeley) David Gay (Intel Research)
Serialization Sets A Dynamic Dependence-Based Parallel Execution Model Matthew D. Allen Srinath Sridharan Gurindar S. Sohi University of Wisconsin-Madison.
/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.
Aritra Sengupta, Man Cao, Michael D. Bond and Milind Kulkarni PPPJ 2015, Melbourne, Florida, USA Toward Efficient Strong Memory Model Support for the Java.
Multithreaded Programming in Java David Meredith Aalborg University.
Agenda  Quick Review  Finish Introduction  Java Threads.
1 Announcements HW9: Java Concurrency Due Monday May 9 th Tests in HW Server coming up Check your grades in Rainbow Grades! Homework Server survey:
Language-Based Security: Overview of Types Deepak Garg Foundations of Security and Privacy October 27, 2009.
Detecting Data Races in Multi-Threaded Programs
Healing Data Races On-The-Fly
Multithreading / Concurrency
CS 3214 Computer Systems Lecture 21 Godmar Back.
CSE 332: Locks and Deadlocks
Lecture 8 Thread Safety.
Concurrency Specification
Threads and Memory Models Hal Perkins Autumn 2011
Atomicity in Multithreaded Software
Threads and Memory Models Hal Perkins Autumn 2009
Threads and Multithreading
Lecture 8 Thread Safety.
Multithreaded Programming in Java
String Class.
CSE 332: Concurrency and Locks
Presentation transcript:

Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)

Multithreaded Programs Operating systems Databases, web servers, browsers, GUIs,... Modern languages: Java, C# Processor 1 Processor 2                         Thread 1 Thread 2 Thread 3 Thread 4

Reliable Multithreaded Software ? Correctness Problem –does program behaves correctly for all inputs and all interleavings? –very hard to ensure with testing Bugs due to concurrency are insidious –non-deterministic, timing dependent –data corruption, crashes –difficult to detect, reproduce, eliminate Linux 2.4 log has 36 synchronization bug fixes

Multithreaded Program Execution Thread 1... int t1 = hits; hits = t   t2=hitshits=t2+1t1=hitshits=t1+1    hits=0 hits=2  t2=hits hits=t2+1 t1=hitshits=t1+1     hits=0 hits=1   t2=hitshits=t2+1t1=hits hits=t1+1     hits=0 hits=1  Thread 2... int t2 = hits; hits = t

Race Conditions A race condition occurs if two threads access a shared variable at the same time, and at least one of the accesses is a write Thread 1... int t1 = hits; hits = t Thread 2... int t2 = hits; hits = t

Preventing Race Conditions Using Locks Lock can be held by at most one thread Race conditions are prevented using locks –associate a lock with each shared variable –acquire lock before accessing variable Thread 1 synchronized(lock) { int t1 = hits; hits = t1 + 1 } Thread 2 synchronized(lock) { int t2 = hits; hits = t2 + 1 }          hits=0 hits=2 acq t1=hits hits=t1+1 rel acq t2=hits hits=t2+2 rel

Race detection Static: –Sterling 93, Aiken-Gay 98, Flanagan-Abadi 99, Flanagan-Freund 00, Boyapati-Rinard 01, von Praun-Gross 01, Boyapati-Lee-Rinard 02, Grossman 03 Dynamic: –Eraser (Savage et al. 97) –Choi et al. 02

int balance; Race-free bank account void deposit (int n) { synchronized (this) {; balance = balance + n; }

int balance; Bank account void deposit (int n) { synchronized (this) { balance = balance + n; } int read( ) { int r; synchronized (this) { r = balance; } return r; } void withdraw(int n) { int r = read( ); synchronized (this) { balance = r – n; } Race-freedom not sufficient! Thread 1 deposit(10); Thread 2 withdraw(10); balance = 10

int balance; Atomic bank account (I) void deposit (int n) { synchronized (this) { balance = balance + n; } int read( ) { int r; synchronized (this) { r = balance; } return r; } void withdraw(int n) { synchronized (this) { balance = balance – n; }

java.lang.StringBuffer (jdk 1.4) “String buffers are safe for use by multiple threads. The methods are synchronized so that all the operations on any particular instance behave as if they occur in some serial order that is consistent with the order of the method calls made by each of the individual threads involved.”

java.lang.StringBuffer is buggy! public final class StringBuffer { private int count; private char[ ] value;. public synchronized StringBuffer append (StringBuffer sb) { if (sb == null) sb = NULL; int len = sb.length( ); int newcount = count + len; if (newcount > value.length) expandCapacity(newcount); sb.getChars(0, len, value, count); // use of stale len count = newcount; return this; } public synchronized int length( ) { return count; } public synchronized void getChars(...) {... } }

int balance; Atomic bank account (II) void deposit (int n) { synchronized (this) { balance = balance + n; } int read( ) { return balance; } void withdraw(int n) { synchronized (this) { balance = balance – n; } Race-freedom not necessary!

Race-Freedom Race-freedom is neither necessary nor sufficient to ensure the absence of errors due to unexpected interactions between threads Is there a more fundamental semantic correctness property?

Atomicity A method is atomic if it seems to execute “in one step” even in presence of concurrently executing threads Common concept –“(strict) serializability” in databases –“linearizability” in concurrent objects –“thread-safe” multithreaded libraries “String buffers are safe for use by multiple threads. …” Fundamental semantic correctness property

Definition of Atomicity deposit is atomic if for every interleaved execution, there is a non-interleaved execution with the same behavior         acq(this)r=balbal=r+nrel(this)xyz         acq(this)r=balbal=r+nrel(this)xyz         acq(this)r=balbal=r+nrel(this)xyz  Non-interleaved execution of deposit  Interleaved executions of deposit

blue thread holds lock  red thread does not hold lock  operation y does not access balance  operations commute S0S0 S1S1 S2S2 S3S3 S4S4 S7S7 S6S6 S5S5 acq(this)r=balbal=r+nrel(this)xyz S0S0 T1T1 T2T2 T3T3 S4S4 S7S7 T6T6 S5S5 acq(this)r=balbal=r+nrel(this)xyz S0S0 T1T1 S2S2 T3T3 S4S4 S7S7 S6S6 S5S5 yr=balbal=r+nrel(this)xacq(this)z S0S0 T1T1 T2T2 T3T3 S4S4 S7S7 S6S6 S5S5 r=balbal=r+nrel(this)xyz Reduction (Lipton 76) S0S0 S1S1 S2S2 T3T3 S4S4 S7S7 S6S6 S5S5 acq(this)r=balbal=r+nrel(this)yz x blue thread holds lock after acquire  operation x does not modify lock  operations commute

Type System for Atomicity Assign to each statement an atomicity that characterizes the statement’s behavior –five atomicities: R, L, B, A, C –does the statement left or right commute with steps of other threads? –is the statement atomic?

 B : both right + left commutes –variable access holding lock  A : atomic action, non-commuting –access unprotected variable Five Atomicities R : right commutes –lock acquire S0S0 S1S1 S2S2 acq(this)x S0S0 T1T1 S2S2 x S7S7 T6T6 S5S5 rel(this)z S7S7 S6S6 S5S5 z  L : left commutes –lock release  C : compound, non-atomic statement S2S2 S3S3 S4S4 r=baly S2S2 T3T3 S4S4 y S2S2 T3T3 S4S4 x S2S2 S3S3 S4S4 x

Sequentially Composing Atomicities  Use atomicities to perform reduction  Lipton: any sequence R* ; A ; L* is atomic CCCCCC CCCAAA CCCLLL CARARR CARLBB CARLB; R ; B ; A ; L ; A A R R ; A ; L ; R ; A ; L ; A C A S0S0. S5S5 R* A L*xY... S0S0. S5S5 R* A L* x Y...

Atomicities for Conditionals If E has atomicity ae and S1 has atomicity a1 and S2 has atomicity a2 then if (E) S1 else S2 has atomicity ae ; (a1  a2) L A B R C

int balance; Bank account /*# atomicity A */ void deposit (int x) { acquire(this); int r = balance; balance = r + x; release(this); } /*# atomicity A */ int read( ) { int r; acquire(this); r = balance; release(this); return r; } /*# atomicity A */ void withdraw(int x) { int r = read( ); acquire(this); balance = r – x; release(this); } RBBLRBBL RBLBRBLB ARBLARBL AA A /*# guarded_by this */

int balance; Bank account /*# atomicity A */ void deposit (int x) { acquire(this); int r = balance; balance = r + x; release(this); } /*# atomicity A */ int read( ) { int r; acquire(this); r = balance; release(this); return r; } /*# atomicity A */ void withdraw(int x) { acquire(this); int r = balance; balance = r – x; release(this); } RBBLRBBL RBLBRBLB RBBLRBBL AAA /*# guarded_by this */

int balance; Bank account /*# atomicity A */ void deposit (int x) { acquire(this); int r = balance; balance = r + x; release(this); } /*# atomicity A */ int read( ) { return balance; } /*# atomicity A */ void withdraw(int x) { acquire(this); int r = balance; balance = r – x; release(this); } RBALRBAL RBALRBAL AA A /*# write_guarded_by this */

Conditional atomicity public class Vector … { public boolean synchronized removeElement(Object obj) { modCount++; int i = indexOf(obj); if (i >= 0) { removeElementAt(i); return true; } return false; } public int synchronized indexOf(Object elem) { … } public void synchronized removeElementAt(int index) { … } … }

Conditional atomicity public class Vector … { /*# atomicity A */ public boolean synchronized removeElement(Object obj) { modCount++; int i = indexOf(obj); if (i >= 0) { removeElementAt(i); return true; } return false; } /*# atomicity A */ public int synchronized indexOf(Object elem) { … } /*# atomicity A */ public void synchronized removeElementAt(int index) { … } … }

Conditional atomicity public class Vector … { /*# atomicity A */ public boolean synchronized removeElement(Object obj) { modCount++; A int i = indexOf(obj); if (i >= 0) { A removeElementAt(i); return true; } return false; } /*# atomicity A */ public int synchronized indexOf(Object elem) { … } /*# atomicity A */ public void synchronized removeElementAt(int index) { … } … } Unable to prove atomicity of removeElement !

Conditional atomicity public class Vector … { /*# atomicity A */ public boolean synchronized removeElement(Object obj) { modCount++; int i = indexOf(obj); if (i >= 0) { removeElementAt(i); return true; } return false; } /*# conditional_atomicity this ? B : A */ public int synchronized indexOf(Object elem) { … } /*# conditional_atomicity this ? B : A */ public void synchronized removeElementAt(int index) { … } … }

Conditional atomicity public class Vector … { /*# atomicity A */ public boolean synchronized removeElement(Object obj) { modCount++; B int i = indexOf(obj); if (i >= 0) { B removeElementAt(i); return true; } return false; } /*# conditional_atomicity this ? B : A */ public int synchronized indexOf(Object elem) { … } /*# conditional_atomicity this ? B : A */ public void synchronized removeElementAt(int index) { … } … }

Soundness Theorem Suppose an interleaved execution of a well-typed program reaches state S where no thread is executing an atomic method in S Then there is a non-interleaved execution of the program that also reaches S Details in TLDI 03 and PLDI 03

Atomicity Checker for Java Leverage Race Condition Checker to check that protecting lock is held when variables accessed Found several atomicity violations –java.lang.StringBuffer –java.lang.String –java.net.URL

Experience with Atomicity Checker Class Size (lines) Annotations per KLOC totalguardreq.atomicarrayesc. Inflater Deflater PrintWriter Vector URL StringBuffer String Total

Conclusions Programmers want conceptual atomicity of fine-grained computation

Conclusions Programmers want conceptual atomicity of fine-grained computation Notion of atomicity is useful –code documentation –simplifies formal (and informal) reasoning

“String buffers are safe for use by multiple threads. The methods are synchronized so that all the operations on any particular instance behave as if they occur in some serial order that is consistent with the order of the method calls made by each of the individual threads involved.” “String buffers are atomic”

Conclusions Programmers want conceptual atomicity of fine-grained computation Notion of atomicity is useful –code documentation –simplifies formal (and informal) reasoning Race-freedom is neither necessary nor sufficient for atomicity

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.