C. Flanagan1Types for Atomicity Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.

Slides:

Advertisements

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Advertisements

Types for Atomicity Authors: Cormac Flanagan, UC Santa Cruz Stephen Freund, Marina Lifshin, Williams College Shaz Qadeer, Microsoft Research Presentation.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.

50.003: Elements of Software Construction Week 6 Thread Safety and Synchronization.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

Concurrency 101 Shared state. Part 1: General Concepts 2.

Part IV: Exploiting Purity for Atomicity. Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } CAS(m,0,1) (fails) (succeeds)

Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz.

Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)

Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.

/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.

CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.

Atomicity Violation Detection Prof. Moonzoo Kim CS492B Analysis of Concurrent Programs.

Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

ADVERSARIAL MEMORY FOR DETECTING DESTRUCTIVE RACES Cormac Flanagan & Stephen Freund UC Santa Cruz Williams College PLDI 2010 Slides by Michelle Goodstein.

Atomicity: A powerful concept for analyzing concurrent software Shaz Qadeer Microsoft Research.

C. FlanaganTypes for Race Freedom1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.

C. FlanaganAtomicity for Reliable Concurrent Software - PLDI'05 Tutorial1 Atomicity for Reliable Concurrent Software Part 3a: Types for Race-Freedom and.

C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.

ESC Java. Static Analysis Spectrum Power Cost Type checking Data-flow analysis Model checking Program verification AutomatedManual ESC.

Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac.

C. FlanaganDynamic Analysis for Atomicity1. C. Flanagan2Dynamic Analysis for Atomicity Atomicity The method inc() is atomic if concurrent threads do not.

C. Flanagan1Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Atomicity for Reliable Concurrent Software Joint work with Stephen Freund Shaz.

Runtime Atomicity Analysis of Multi-threaded Programs Focus is on the paper: “Atomizer: A Dynamic Atomicity Checker for Multithreaded Programs” by C. Flanagan.

Types for Atomicity in Multithreaded Software Cormac Flanagan Systems Research Center HP Labs.

Type Inference David Walker COS 441. Criticisms of Typed Languages Types overly constrain functions & data polymorphism makes typed constructs useful.

Type Inference David Walker CS 510, Fall Criticisms of Typed Languages Types overly constrain functions & data polymorphism makes typed constructs.

Synchronization in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.

1 Sharing Objects – Ch. 3 Visibility What is the source of the issue? Volatile Dekker’s algorithm Publication and Escape Thread Confinement Immutability.

1 A Modular Checker for Multithreaded Programs Cormac Flanagan HP Systems Research Center Joint work with Shaz Qadeer Sanjit A. Seshia.

Thread-Modular Verification Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund.

Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz.

29-Jun-15 Java Concurrency. Definitions Parallel processes—two or more Threads are running simultaneously, on different cores (processors), in the same.

CS510 Concurrent Systems Class 5 Threads Cannot Be Implemented As a Library.

Cormac Flanagan UC Santa Cruz Velodrome: A Sound and Complete Dynamic Atomicity Checker for Multithreaded Programs Jaeheon Yi UC Santa Cruz Stephen Freund.

/ PSWLAB Eraser: A Dynamic Data Race Detector for Multithreaded Programs By Stefan Savage et al 5 th Mar 2008 presented by Hong,Shin Eraser:

C. FlanaganType Systems for Multithreaded Software1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research.

Threading and Concurrency Issues ● Creating Threads ● In Java ● Subclassing Thread ● Implementing Runnable ● Synchronization ● Immutable ● Synchronized.

Computer Science and Engineering College of Engineering The Ohio State University Interfaces The credit for these slides goes to Professor Paul Sivilotti.

/ PSWLAB Type-Based Race Detection for J AVA by Cormac Flanagan, Stephen N. Freund 22 nd Feb 2008 presented by Hong,Shin Type-Based.

SPL/2010 Safety 1. SPL/2010 system designing for concurrent execution environments ● system: collection of objects and their interactions ● system properties:

Hello.java Program Output 1 public class Hello { 2 public static void main( String [] args ) 3 { 4 System.out.println( “Hello!" ); 5 } // end method main.

ABSTRACT The real world is concurrent. Several things may happen at the same time. Computer systems must increasingly contend with concurrent applications.

Reduction: A powerful technique for analyzing concurrent software Shaz Qadeer Microsoft Research Collaborators: Cormac Flanagan, UC Santa Cruz Stephen.

Internet Software Development Controlling Threads Paul J Krause.

Practical Reduction for Store Buffers Ernie Cohen, Microsoft Norbert Schirmer, DFKI.

COMPSCI 230 S2C 2015 Software Design and Construction Synchronization (cont.) Lecture 4 of Theme C.

CS399 New Beginnings Jonathan Walpole. 2 Concurrent Programming & Synchronization Primitives.

ICFEM 2002, Shanghai Reasoning about Hardware and Software Memory Models Abhik Roychoudhury School of Computing National University of Singapore.

/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.

Specifying Multithreaded Java semantics for Program Verification Abhik Roychoudhury National University of Singapore (Joint work with Tulika Mitra)

A Calculus of Atomic Actions Tayfun Elmas, Shaz Qadeer and Serdar Tasiran POPL ‘ – Seminar in Distributed Algorithms Cynthia Disenfeld 27/05/2013.

Simplifying Linearizability Proofs Using Reduction and Abstraction Serdar Tasiran Koc University, Istanbul, Turkey Tayfun Elmas, Ali Sezgin, Omer Subasi.

© 2011 Pearson Education, publishing as Addison-Wesley Chapter 1: Computer Systems Presentation slides for Java Software Solutions for AP* Computer Science.

A Calculus of Atomic Actions Serdar Tasiran Koc University, Istanbul, Turkey Tayfun ElmasShaz Qadeer Koc University Microsoft Research.

Multithreading / Concurrency

Specifying Multithreaded Java semantics for Program Verification

Concurrency Specification

Threads and Memory Models Hal Perkins Autumn 2011

Atomicity in Multithreaded Software

Over-Approximating Boolean Programs with Unbounded Thread Creation

Threads and Memory Models Hal Perkins Autumn 2009

Java Concurrency 17-Jan-19.

Java Concurrency.

CS333 Intro to Operating Systems

Java Concurrency.

Threads and Multithreading

Java Concurrency 29-May-19.

Presentation transcript:

C. Flanagan1Types for Atomicity Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent Software Types for Atomicity

C. Flanagan2Types for Atomicity Race Conditions class Ref { int i; void inc() { int t; t = i; i = t+1; } Ref x = new Ref(0); parallel { x.inc(); // two calls happen x.inc(); // in parallel } assert x.i == 2; A race condition occurs if two threads access a shared variable at the same time at least one of those accesses is a write

C. Flanagan3Types for Atomicity Lock-Based Synchronization class Ref { int i; // guarded by this void inc() { int t; synchronized (this) { t = i; i = t+1; } Ref x = new Ref(0); parallel { x.inc(); // two calls happen x.inc(); // in parallel } assert x.i == 2; Field guarded by a lock Lock acquired before accessing field Ensures race freedom

C. Flanagan4Types for Atomicity Limitations of Race-Freedom class Ref { int i; // guarded by this void inc() { int t; synchronized (this) { t = i; i = t+1; } Ref x = new Ref(0); parallel { x.inc(); // two calls happen x.inc(); // in parallel } assert x.i == 2; Ref.inc() race-free behaves correctly in a multithreaded context

C. Flanagan5Types for Atomicity Limitations of Race-Freedom class Ref { int i; void inc() { int t; synchronized (this) { t = i; } synchronized (this) { i = t+1; }... } Ref.inc() race-free behaves incorrectly in a multithreaded context Race freedom does not prevent errors due to unexpected interactions between threads

C. Flanagan6Types for Atomicity Limitations of Race-Freedom class Ref { int i; void inc() { int t; synchronized (this) { t = i; i = t+1; } synchronized void read() { return i; }... }

C. Flanagan7Types for Atomicity Limitations of Race-Freedom class Ref { int i; void inc() { int t; synchronized (this) { t = i; i = t+1; } void read() { return i; }... } Ref.read() has a race condition behaves correctly in a multithreaded context Race freedom is not necessary to prevent errors due to unexpected interactions between threads

C. Flanagan8Types for Atomicity Race-Freedom Race-freedom is neither necessary nor sufficient to ensure the absence of errors due to unexpected interactions between threads

C. Flanagan9Types for Atomicity Atomicity The method inc() is atomic if concurrent threads do not interfere with its behavior Guarantees that for every execution there is a serial execution with same behavior         acq(this)t=i i=t+1rel(this)xyz         acq(this) t=i i=t+1rel(this)xyz         acq(this) t=i i=t+1rel(this)xyz

C. Flanagan10Types for Atomicity Motivations for Atomicity 1.Stronger property than race freedom

C. Flanagan11Types for Atomicity Motivations for Atomicity 1.Stronger property than race freedom 2.Enables sequential reasoning

C. Flanagan12Types for Atomicity Sequential Program Execution void inc() {.... } precond. postcond. inc()

C. Flanagan13Types for Atomicity Multithreaded Execution void inc() {.... }

C. Flanagan14Types for Atomicity Multithreaded Execution void inc() {.... }

C. Flanagan15Types for Atomicity Multithreaded Execution Atomicity guarantees concurrent threads do not interfere with atomic method

C. Flanagan16Types for Atomicity Motivations for Atomicity 1.Stronger property than race freedom 2.Enables sequential reasoning 3.Simple, powerful correctness property

C. Flanagan17Types for Atomicity Model Checking of Software Models // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c  Model Checker filesystem model filesystem model Model Construction

C. Flanagan18Types for Atomicity Model Checking of Software // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c  Model Checker

C. Flanagan19Types for Atomicity Experience with Calvin Software Checker // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c expressed in terms of concrete state  Calvin theorem proving x

C. Flanagan20Types for Atomicity Experience with Calvin Software Checker // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c concrete state  Calvin theorem proving abstract state Abstraction Invariant ? x

C. Flanagan21Types for Atomicity Experience with Calvin Software Checker global_invariant (\forall int i; inodeLocks[i] == null ==> 0 <= inodeBlocknos[i] && inodeBlocknos[i] < Daisy.MAXBLOCK) */ requires 0 <= inodenum && inodenum < Daisy.MAXINODE; requires i != null requires DaisyLock.inodeLocks[inodenum] == \tid modifies i.blockno, i.size, i.used, i.inodenum ensures i.blockno == inodeBlocknos[inodenum] ensures i.size == inodeSizes[inodenum] ensures i.used == inodeUsed[inodenum] ensures i.inodenum == inodenum ensures 0 <= i.blockno && i.blockno < Daisy.MAXBLOCK static void readi(long inodenum, Inode i) { i.blockno = Petal.readLong(STARTINODEAREA + (inodenum * Daisy.INODESIZE)); i.size = Petal.readLong(STARTINODEAREA + (inodenum * Daisy.INODESIZE) + 8); i.used = Petal.read(STARTINODEAREA + (inodenum * Daisy.INODESIZE) + 16) == 1; i.inodenum = inodenum; // read the right bytes, put in inode }

C. Flanagan22Types for Atomicity The Need for Atomicity // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Sequential case: code inspection & testing mostly ok

C. Flanagan23Types for Atomicity The Need for Atomicity // filesystem.c atomic void create(..) {... } atomic void unlink(..) {... } // filesystem.c atomic void create(..) {... } atomic void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Sequential case: code inspection & testing ok  Atomicity Checker

C. Flanagan24Types for Atomicity Motivations for Atomicity 1.Stronger property than race freedom 2.Enables sequential reasoning 3.Simple, powerful correctness property

C. Flanagan25Types for Atomicity Atomicity Canonical property –(cmp. serializability, linearizability,...) Enables sequential reasoning –simplifies validation of multithreaded code Matches practice in existing code –most methods (80%+) are atomic –many interfaces described as “thread-safe” Can verify atomicity statically or dynamically –atomicity violations often indicate errors –leverages Lipton’s theory of reduction

C. Flanagan26Types for Atomicity Reduction [Lipton 75] acq(this)  Xt=i Y i=t+1Z rel(this)      acq(this)  X t=i Y i=t+1Z rel(this)         acq(this) X t=i Y i=t+1Z rel(this)        acq(this) X t=i Y i=t+1Z rel(this)      

C. Flanagan27Types for Atomicity Movers right-mover –lock acquire S0S0 S1S1 S2S2 acq(this)x S0S0 T1T1 S2S2 x

C. Flanagan28Types for Atomicity Movers right-mover –lock acquire left-mover –lock release S7S7 T6T6 S5S5 rel(this)z S7S7 S6S6 S5S5 z

C. Flanagan29Types for Atomicity Movers right-mover –lock acquire left-mover –lock acquire both-mover –race-free field access S2S2 S3S3 S4S4 r=baly S2S2 T3T3 S4S4 y S2S2 T3T3 S4S4 x S2S2 S3S3 S4S4 x

C. Flanagan30Types for Atomicity Movers right-mover –lock acquire left-mover –lock acquire both-mover –race-free field access non-mover (atomic) –access to "racy" fields S2S2 S3S3 S4S4 r=baly S1S1 x

C. FlanaganTypes for Atomicity31  composition rules: right; mover = rightright; left = atomic right; atomic = atomic atomic; atomic = cmpd Code Classification right:lock acquire left:lock release (both) mover:race-free variable access atomic:conflicting variable access acq(this) j=bal bal=j+n rel(this) right mover mover left atomic

C. FlanaganTypes for Atomicity32 acq(this) bal=j+n rel(this) right mover left Composing Atomicities atomic acq(this) j=bal rel(this) atomic compound void deposit(int n) { int j; synchronized(this) { j = bal; } synchronized(this) { bal = j + n; } }

C. Flanagan33Types for Atomicity Conditional Atomicity atomic void deposit(int n) { synchronized(this) { right int j = bal; mover bal = j + n; mover } left } atomic void depositTwice(int n) { synchronized(this) { deposit(n); atomic } X atomic

C. Flanagan34Types for Atomicity Conditional Atomicity atomic void deposit(int n) { synchronized(this) { right mover int j = bal; mover mover bal = j + n; mover mover } left mover } atomic void depositTwice(int n) { synchronized(this) { deposit(n); atomic } if this already held atomic mover

C. Flanagan35Types for Atomicity Conditional Atomicity (this ? mover : atomic) void deposit(int n) { synchronized(this) { right mover int j = bal; mover mover bal = j + n; mover mover } left mover } atomic void depositTwice(int n) { synchronized(this) { deposit(n); (this ? mover : atomic) }

C. Flanagan36Types for Atomicity Conditional Atomicity Details In conditional atomicity (x?b 1 :b 2 ), x must be a lock expression (ie, constant) Composition rules a ; (x?b 1 :b 2 ) = x ? (a;b 1 ) : (a;b 2 )

C. Flanagan37Types for Atomicity java.lang.StringBuffer /**... used by the compiler to implement the binary string concatenation operator... String buffers are safe for use by multiple threads. The methods are synchronized so that all the operations on any particular instance behave as if they occur in some serial order that is consistent with the order of the method calls made by each of the individual threads involved. */ public atomic class StringBuffer {... } FALSE

C. Flanagan38Types for Atomicity java.lang.StringBuffer is not Atomic! public atomic StringBuffer { private int count guarded_by this; public synchronized int length() { return count; } public synchronized void getChars(...) {... } public synchronized void append(StringBuffer sb){ int len = sb.length();... sb.getChars(...,len,...);... } AAAA C AAAA sb.length() acquires the lock on sb, gets the length, and releases lock use of stale len may yield StringIndexOutOfBoundsException inside getChars(...) other threads can change sb  append(...) is not atomic

C. Flanagan39Types for Atomicity java.lang.Vector interface Collection { atomic int length(); atomic void toArray(Object a[]); } class Vector { int count; Object data[]; atomic Vector(Collection c) { count = c.length(); atomic data = new Object[count]; mover... c.toArray(data); atomic } compound X

C. Flanagan40Types for Atomicity Atomicity Inference

C. Flanagan41Types for Atomicity Unannotated Java Program atomicity inference Rcc/Sat Atomicity Warnings Program with Atomicity Annotations Bohr Type inference for atomicity –finds smallest atomicity for each method Bohr

C. Flanagan42Types for Atomicity Atomicity Inference class A { int f guarded_by this; int g guarded_by x; void m() {...} } Atomicity Constraints Solution Constraint Solver class A { int f guarded_by this; int g guarded_by x; atomic void m() {...} } Program w/ Locking Annotations Program w/ Atomicity Annotations

C. Flanagan43Types for Atomicity Atomicity Details Partial order of atomicities const error compound atomic mover x?mover:atomic

C. Flanagan44Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } 1.Add atomicity variables

C. Flanagan45Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } 2. Generate constraints over atomicity variables s ≤  i 3. Find assignment A Atomicity expression s ::= const | mover | atomic | cmpd | error |  | s 1 ; s 2 | x ? s 1 : s 2 | S(l, s) | WFA(E, s)

C. Flanagan46Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } S(this, ((const; this?mover:error); (const;this?mover:error)))

C. Flanagan47Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } S(this, ((const; this?mover:error); (const; this?mover:error)))

C. Flanagan48Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank { final Account c;  2 void double() { synchronized(this.c) { int x = this.c.bal; this.c.deposit(x); } S(this, ((const; this?mover:error); (const; this?mover:error))) S(l,a): atomicity of synchronized(l) { e } where e has atomicity a S(l, mover)= l ? mover : atomic S(l, atomic)= atomic S(l, compound)= compound S(l, l?b 1 :b 2 )= S(l,b 1 ) S(l, m?b 1 :b 2 )= m ? S(l,b 1 ) : S(l,b 2 ) if l  m

C. Flanagan49Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } S(this, ((const; this?mover:error); (const; this?mover:error))) ≤  1

C. Flanagan50Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } S(this, ((const; this?mover:error); (const; this?mover:error))) ≤  1 (const; (this?mover:error)[this:=c]) (const;WFA(E,  1 [this := this.a])))) replace this with name of receiver

C. Flanagan51Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } S(this, ((const; this?mover:error); (const; this?mover:error))) ≤  1 S(a, ((const; c?mover:error); (const;  1 [this := c])) ≤  2 Delayed Substitution

C. Flanagan52Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } S(this, ((const; this?mover:error); (const; this?mover:error))) ≤  1 S(c, ((const; c?mover:error); (const;  1 [this := c]))) ≤  2

C. Flanagan53Types for Atomicity Delayed Substitutions Given  [x := e] –suppose  becomes (x?mover:atomic) and e does not have const atomicity –then (e?mover:atomic) is not valid WFA(E, b) = smallest atomicity b' where –b ≤ b' –b' is well-typed and constant in E WFA(E, (e?mover:atomic)) = atomic

C. Flanagan54Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } S(this, ((const; this?mover:error); (const; this?mover:error))) ≤  1 S(c, ((const; c?mover:error); (const; WFA(E,  1 [this:=c])))) ≤  2

C. Flanagan55Types for Atomicity 3. Compute Least Fixed Point Initial assignment A:  1 =  2 = const Algorithm: –pick constraint s ≤  such that A(s) ≤ A(  ) –set A(  ) to A(  ) ㄩ A(s) –repeat until quiescence

C. Flanagan56Types for Atomicity class Account { int bal guarded_by this; (this ? mover : atomic) void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank { (c ? mover : atomic) void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); }

C. Flanagan57Types for Atomicity Validation (excludes Rcc/Sat time)

C. Flanagan58Types for Atomicity Inferred Atomicities

C. Flanagan59Types for Atomicity Thread-Safe Classes

C. Flanagan60Types for Atomicity Related Work Reduction –[Lipton 75, Lamport-Schneider 89,...] –other applications: model checking [Stoller-Cohen 03, Flanagan-Qadeer 03] dynamic analysis [Flanagan-Freund 04, Wang-Stoller 04] Atomicity inference –type and effect inference [Talpin-Jouvelot 92,...] –dependent types [Cardelli 88] –ownership, dynamic [Sastakur-Agarwal-Stoller 04]

C. Flanagan61Types for Atomicity Conclusions And Future Directions Atomicity a fundamental concept –improves over race freedom –matches programmer intuition and practice –simplifies reasoning about correctness –enables concise and trustable documentation Many approaches for verifying atomicity –static type systems –dynamic checking (tomorrow) –... hybrid checkers... –... model checkers...