/ PSWLAB Type-Based Race Detection for J AVA by Cormac Flanagan, Stephen N. Freund 22 nd Feb 2008 presented by Hong,Shin Type-Based Race Detection for JAVA

/ PSWLAB Introduction Race condition occurs when two thread manipulate a shared data structure simultaneously without synchronization. Race condition errors are schedule-dependent that these are difficult to catch using traditional testing technologies.  Support lock-based synchronization discipline by tracking the protecting lock for each shared field in the program and verifying that the appropriate lock is held whenever a shared field is accessed.  Express the reasoning and checks performed by this analysis as an extension of J AVA ’s type system Type-Based Race Detection for JAVA2

/ PSWLAB Introduction 2/2 Start by adopting the target system to a core subset of J AVA. And then extends the type system with a number of additional features: – classes parameterized by the locks – classes that are local to a particular thread Type-Based Race Detection for JAVA3

/ PSWLAB C ONCURRENT J AVA 1/2 C ONCURRENT J AVA is a multithreaded subset of J AVA. Syntax Type-Based Race Detection for JAVA4 if final modifier is present, then the field cannot be updated after initialization.

/ PSWLAB C ONCURRENT J AVA2/3 Informal Semantics – C ONCURRENT J AVA supports multithreaded programs by including the operation fork e which spawn a new thread for the evaluation of e. – Locks are provided: each object has an associated binary lock. The expression synchronized e 1 in e 2 is evaluated as follow: (1) acquire the associated lock of e 1. (2) e 2 is then evaluated. (3) release the associated lock of e Type-Based Race Detection for JAVA5

/ PSWLAB C ONCURRENT J AVA 3/3 1class Account { 2 int balance = 0 3 int deposit(int x) { 4 this.balance = this.balance + x 5 } 6} 7let Account a = new Account in { 8 fork { a.deposit(10) } 9 fork { a.deposit(10) } 10} Type-Based Race Detection for JAVA6 Schedule Scenario 2 8 call a.deposit(10) 4 this.balance+x=10 4 this.balance :=10 Schedule Scenario 1 8 call a.deposit(10) 4 this.balance+x=10 4 this.balance:=10 8 call a.deposit(10) 4 this.balance+x=20 4 this.balance :=20 1class Account { 2 int balance = 0 3 int deposit(int x) { 4 synchronized this in { 5 this.balance = this.balance + x 6 } 7 } 8} 9let Account a = new Account in { 10 fork { a.deposit(10) } 11 fork { a.deposit(10) } 12} /* Race-Free Account */

/ PSWLAB R ACE F REE J AVA1/1 Race conditions are commonly avoided by the lock-based synchronization discipline. The type system needs to verify that each field has a protecting lock that is held whenever the field is accessed or updated. (1) associates a protecting lock with each field declaration. → programmers provide additional type annotations (2) tracks the set of locks held at each field access or update. → the type system automatically verifies that the locks are indeed held at each field access, field update, and call-site of the method. R ACE F REE J AVA – An extended language of C ONCURRENT J AVA – The modified syntax Type-Based Race Detection for JAVA7 field::= [ final ] opt t fd guarded_by l = e meth::= t mn (arg*) [ requires ls] opt { e } ls::= l* l::= e

/ PSWLAB Type System 1/5 Type Judgment – P ; E ; ls ` e : t P : the program being checked E : an environment providing types for the free variables of e ls : a set of final expressions describing the locks that are held when the expression e is evaluated. e : an expression t : the type of e Type Rules – The type rules track the set of locks held each program point Type-Based Race Detection for JAVA8 { } P ; E ` fianl l : c checks that l is a final expression of some class type c

/ PSWLAB Type System 2/ Type-Based Race Detection for JAVA9 Check that the lock l guarding fd is held at this program point; i.e., that l denotes the same lock as some expression l ’ in current lock set. → approximates semantic equivalence by syntactic equivalence, and simply to check that l ≡ l ’. P ; E ` fianl e 1 : c checks that e 1 is a final expression of some class type c ex) final Object a = new Object final Object b = a int data guarded_by a : synchronized b in { data = 0 }

/ PSWLAB Type System – Example 3/5 P : class Account { int balance guarded_by this = 0 int deposit(int x) synchronized this in { this.balance = this.balance + x } } let Account a = new Account in { fork { a.deposit(10 } fork { a.deposit(10) } } Type-Based Race Detection for JAVA10 P ; Account this ` int P ; Account this ` Á P ; Account this, int x ; Á ` synchronized …. : int [METHOD] P ; Account this ` final this : Account P ; Account this ; Á ` 0 : int [FIELD] E = Account this P ; Account this ` int balance guarded_by this=0 P ; Account this ` int deposit(int x) { … } [CLASS] P = class Account{ …} let Account a = new Account …. P ` class Account{…} P ; Á ; Á ` let Account a = new Account in … : int [PROG] ` P : int

/ PSWLAB Type System – Example 4/5 P ; Account this, int x ` this : Account P ; Account this, int x ` (int balance guarded_by this = 0) 2 Account P ; Account this, int x ` this 2 {this} P ; Account this, int x ` int [EXP REF] P ; Account this, int x ; {this} ` this.balance+x : Account P ; Account this, int x ` (int balance guarded_by this = 0) 2 Account P ; Account this, int x ` this 2 {this} P ; Account this, int x ; {this} ` this.balance+x [EXP ASSIGN] P ; Account this, int x ` final this : Account P ; Account this, int x ; {this} ` {this.balance=this.balance+x} : int [EXP SYNC] P ; Account this, int x ; Á ` synchronized this in {this.balance=this.balance+x} : int : : Type-Based Race Detection for JAVA11

/ PSWLAB Type System – Example 5/ Type-Based Race Detection for JAVA12 P ; Account a ; Á ` a : Account P ; Account a ` (int deposit(int x)) 2 Account P ; Account a ; Á ` 10 : int P ; Account a ` Á µ Á P ; Account a ` int [EXP INVOKE] P ; Account a ` Á P ; Account a ; Á ` a.deposit(10) : int [EXP FORK] P ; Á ; Á ` new Account : Account P ; Account a ; Á ` fork{a.deposit(10)} fork{a.deposit(10)} : s P ; Á ; Á ` s [EXP LET] P = defn e P ` defn P ; Á ; Á ` let Account a = new Account in {…} : int [PROG] ` P : int

/ PSWLAB External Locks 1/2 The only variable in scope at a field declaration is this, the fields of an object must be protected by a lock that is accessible from the object. It is necessary to protect the fields of an object by some locks external to the object. Ex) In a linked list, the node objects in a list should be synchronized by a lock which is outside of the node class. To accommodate this programming pattern, we extend R ACE F REE J AVA to allow classes to be parameterized by external locks defn ::= class cn body garg ::= ghost t x c ::= cn | Object Type-Based Race Detection for JAVA13

/ PSWLAB External Locks 2/ Type-Based Race Detection for JAVA14

/ PSWLAB Thread-Local Classes 1/2 Large multithreaded programs typically have sections of code that operate on data that is not shared across multiple threads. To accommodate this situation, the concept of thread-local classes is introduced. The language is extended to allow an optional thread_local modifier on class definitions and to make guarded_by clause on field declarations optional in a thread-local class. defn ::= [ thread_local ] opt class cn body field ::= [ final ] opt t fd [ guarded_by l] opt = e Type-Based Race Detection for JAVA15

/ PSWLAB Thread-Local Classes 2/ Type-Based Race Detection for JAVA16 The type system must ensure that thread-local objects are not accessible from non thread-local objects.  extends the rules not to eliminate this possibility.

/ PSWLAB Implementation 1/ Type-Based Race Detection for JAVA17 R ACE F REE J AVA type system is extended to support full J AVA language in rccjava implementation. The comments that start with the character “#” are treated as type annotations by the tool. The tool was built on top of an existing J AVA front-end that includes a scanner, parser, and type checker.

/ PSWLAB Experiment Results 1/ Type-Based Race Detection for JAVA18 To test effectiveness of the tool, several multithreaded JAVA program was checked by the tool. It was reported that the annotation process proceeded at a rate of 1000lines of code per programmer-hour.

/ PSWLAB Experiment Results 2/ Type-Based Race Detection for JAVA19 1.class Vector { 2. Object elementData[] /*# guarded_by this */ 3. int elementCount /*# guarded_by this */ 4. synchronized boolean removeAllElements() { 5. : 6. elementCount = 0 ; 7. : 8. } 9. synchronized int lastIndexOf(Object elem, int n) { 10. for (int i = n ; --i >= 0 ; ) 11. if (elem.equals(elementData[i])) { … } 12. } 13. int lastIndexOf(Object elem) { 14. return lastIndexOf(elem, elementCount) ; 15. } 16.} Excerpt from java.util.Vector Two threads work on the same Vector object elementCount = 10 ; 13 invokel lastIndexOf(elem) 4 invoke synchronized removeAllElements() 5 elementCount = 0 14 invoke lastIndexOf(elem, 10)  Race!

/ PSWLAB Conclusion The type system enforces programmers to write locking strategies of a program as annotations and checks whether the programmer wrote the program with the strategies or not. This type system enables race conditions to be detected early in the development cycle. The annotations can be used as documentation of locking strategies. Some synchronization patters are not supported in the type system (ex. reader-writer locks) Type-Based Race Detection for JAVA20

/ PSWLAB Further work Efficient and Precise Datarace Detection for Multithreaded Object- Oriented Programs (PLDI’02) LOCKSMITH: Context-Sensitive Correlation Analysis for Race Detection(PLDI’06) Type-Based Race Detection for JAVA21

/ PSWLAB Reference [1] Type-Based Race Detection for JAVA, Cormac Flanagan, Stephen N. Freund, PLDI Type-Based Race Detection for JAVA22