Presentation is loading. Please wait.

Presentation is loading. Please wait.

C. Flanagan1Types for Atomicity Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.

Published byFelix Hampton Modified over 9 years ago

Similar presentations

Presentation on theme: "C. Flanagan1Types for Atomicity Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent."— Presentation transcript:

1 C. Flanagan1Types for Atomicity Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent Software Types for Atomicity

2 C. Flanagan2Types for Atomicity Race Conditions class Ref { int i; void inc() { int t; t = i; i = t+1; } Ref x = new Ref(0); parallel { x.inc(); // two calls happen x.inc(); // in parallel } assert x.i == 2; A race condition occurs if two threads access a shared variable at the same time at least one of those accesses is a write

3 C. Flanagan3Types for Atomicity Lock-Based Synchronization class Ref { int i; // guarded by this void inc() { int t; synchronized (this) { t = i; i = t+1; } Ref x = new Ref(0); parallel { x.inc(); // two calls happen x.inc(); // in parallel } assert x.i == 2; Field guarded by a lock Lock acquired before accessing field Ensures race freedom

4 C. Flanagan4Types for Atomicity Limitations of Race-Freedom class Ref { int i; // guarded by this void inc() { int t; synchronized (this) { t = i; i = t+1; } Ref x = new Ref(0); parallel { x.inc(); // two calls happen x.inc(); // in parallel } assert x.i == 2; Ref.inc() race-free behaves correctly in a multithreaded context

5 C. Flanagan5Types for Atomicity Limitations of Race-Freedom class Ref { int i; void inc() { int t; synchronized (this) { t = i; } synchronized (this) { i = t+1; }... } Ref.inc() race-free behaves incorrectly in a multithreaded context Race freedom does not prevent errors due to unexpected interactions between threads

6 C. Flanagan6Types for Atomicity Limitations of Race-Freedom class Ref { int i; void inc() { int t; synchronized (this) { t = i; i = t+1; } synchronized void read() { return i; }... }

7 C. Flanagan7Types for Atomicity Limitations of Race-Freedom class Ref { int i; void inc() { int t; synchronized (this) { t = i; i = t+1; } void read() { return i; }... } Ref.read() has a race condition behaves correctly in a multithreaded context Race freedom is not necessary to prevent errors due to unexpected interactions between threads

8 C. Flanagan8Types for Atomicity Race-Freedom Race-freedom is neither necessary nor sufficient to ensure the absence of errors due to unexpected interactions between threads

9 C. Flanagan9Types for Atomicity Atomicity The method inc() is atomic if concurrent threads do not interfere with its behavior Guarantees that for every execution there is a serial execution with same behavior         acq(this)t=i i=t+1rel(this)xyz         acq(this) t=i i=t+1rel(this)xyz         acq(this) t=i i=t+1rel(this)xyz

10 C. Flanagan10Types for Atomicity Motivations for Atomicity 1.Stronger property than race freedom

11 C. Flanagan11Types for Atomicity Motivations for Atomicity 1.Stronger property than race freedom 2.Enables sequential reasoning

12 C. Flanagan12Types for Atomicity Sequential Program Execution void inc() {.... } precond. postcond. inc()

13 C. Flanagan13Types for Atomicity Multithreaded Execution void inc() {.... }

14 C. Flanagan14Types for Atomicity Multithreaded Execution void inc() {.... }

15 C. Flanagan15Types for Atomicity Multithreaded Execution Atomicity guarantees concurrent threads do not interfere with atomic method

16 C. Flanagan16Types for Atomicity Motivations for Atomicity 1.Stronger property than race freedom 2.Enables sequential reasoning 3.Simple, powerful correctness property

17 C. Flanagan17Types for Atomicity Model Checking of Software Models // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c  Model Checker filesystem model filesystem model Model Construction

18 C. Flanagan18Types for Atomicity Model Checking of Software // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c  Model Checker

19 C. Flanagan19Types for Atomicity Experience with Calvin Software Checker // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c expressed in terms of concrete state  Calvin theorem proving x

20 C. Flanagan20Types for Atomicity Experience with Calvin Software Checker // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c concrete state  Calvin theorem proving abstract state Abstraction Invariant ? x

21 C. Flanagan21Types for Atomicity Experience with Calvin Software Checker /*@ global_invariant (\forall int i; inodeLocks[i] == null ==> 0 <= inodeBlocknos[i] && inodeBlocknos[i] < Daisy.MAXBLOCK) */ //@ requires 0 <= inodenum && inodenum < Daisy.MAXINODE; //@ requires i != null //@ requires DaisyLock.inodeLocks[inodenum] == \tid //@ modifies i.blockno, i.size, i.used, i.inodenum //@ ensures i.blockno == inodeBlocknos[inodenum] //@ ensures i.size == inodeSizes[inodenum] //@ ensures i.used == inodeUsed[inodenum] //@ ensures i.inodenum == inodenum //@ ensures 0 <= i.blockno && i.blockno < Daisy.MAXBLOCK static void readi(long inodenum, Inode i) { i.blockno = Petal.readLong(STARTINODEAREA + (inodenum * Daisy.INODESIZE)); i.size = Petal.readLong(STARTINODEAREA + (inodenum * Daisy.INODESIZE) + 8); i.used = Petal.read(STARTINODEAREA + (inodenum * Daisy.INODESIZE) + 16) == 1; i.inodenum = inodenum; // read the right bytes, put in inode }

22 C. Flanagan22Types for Atomicity The Need for Atomicity // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Sequential case: code inspection & testing mostly ok

23 C. Flanagan23Types for Atomicity The Need for Atomicity // filesystem.c atomic void create(..) {... } atomic void unlink(..) {... } // filesystem.c atomic void create(..) {... } atomic void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Sequential case: code inspection & testing ok  Atomicity Checker

24 C. Flanagan24Types for Atomicity Motivations for Atomicity 1.Stronger property than race freedom 2.Enables sequential reasoning 3.Simple, powerful correctness property

25 C. Flanagan25Types for Atomicity Atomicity Canonical property –(cmp. serializability, linearizability,...) Enables sequential reasoning –simplifies validation of multithreaded code Matches practice in existing code –most methods (80%+) are atomic –many interfaces described as “thread-safe” Can verify atomicity statically or dynamically –atomicity violations often indicate errors –leverages Lipton’s theory of reduction

26 C. Flanagan26Types for Atomicity Reduction [Lipton 75] acq(this)  Xt=i Y i=t+1Z rel(this)      acq(this)  X t=i Y i=t+1Z rel(this)         acq(this) X t=i Y i=t+1Z rel(this)        acq(this) X t=i Y i=t+1Z rel(this)      

27 C. Flanagan27Types for Atomicity Movers right-mover –lock acquire S0S0 S1S1 S2S2 acq(this)x S0S0 T1T1 S2S2 x

28 C. Flanagan28Types for Atomicity Movers right-mover –lock acquire left-mover –lock release S7S7 T6T6 S5S5 rel(this)z S7S7 S6S6 S5S5 z

29 C. Flanagan29Types for Atomicity Movers right-mover –lock acquire left-mover –lock acquire both-mover –race-free field access S2S2 S3S3 S4S4 r=baly S2S2 T3T3 S4S4 y S2S2 T3T3 S4S4 x S2S2 S3S3 S4S4 x

30 C. Flanagan30Types for Atomicity Movers right-mover –lock acquire left-mover –lock acquire both-mover –race-free field access non-mover (atomic) –access to "racy" fields S2S2 S3S3 S4S4 r=baly S1S1 x

31 C. FlanaganTypes for Atomicity31  composition rules: right; mover = rightright; left = atomic right; atomic = atomic atomic; atomic = cmpd Code Classification right:lock acquire left:lock release (both) mover:race-free variable access atomic:conflicting variable access acq(this) j=bal bal=j+n rel(this) right mover mover left atomic

32 C. FlanaganTypes for Atomicity32 acq(this) bal=j+n rel(this) right mover left Composing Atomicities atomic acq(this) j=bal rel(this) atomic compound void deposit(int n) { int j; synchronized(this) { j = bal; } synchronized(this) { bal = j + n; } }

33 C. Flanagan33Types for Atomicity Conditional Atomicity atomic void deposit(int n) { synchronized(this) { right int j = bal; mover bal = j + n; mover } left } atomic void depositTwice(int n) { synchronized(this) { deposit(n); atomic } X atomic

34 C. Flanagan34Types for Atomicity Conditional Atomicity atomic void deposit(int n) { synchronized(this) { right mover int j = bal; mover mover bal = j + n; mover mover } left mover } atomic void depositTwice(int n) { synchronized(this) { deposit(n); atomic } if this already held atomic mover

35 C. Flanagan35Types for Atomicity Conditional Atomicity (this ? mover : atomic) void deposit(int n) { synchronized(this) { right mover int j = bal; mover mover bal = j + n; mover mover } left mover } atomic void depositTwice(int n) { synchronized(this) { deposit(n); (this ? mover : atomic) }

36 C. Flanagan36Types for Atomicity Conditional Atomicity Details In conditional atomicity (x?b 1 :b 2 ), x must be a lock expression (ie, constant) Composition rules a ; (x?b 1 :b 2 ) = x ? (a;b 1 ) : (a;b 2 )

37 C. Flanagan37Types for Atomicity java.lang.StringBuffer /**... used by the compiler to implement the binary string concatenation operator... String buffers are safe for use by multiple threads. The methods are synchronized so that all the operations on any particular instance behave as if they occur in some serial order that is consistent with the order of the method calls made by each of the individual threads involved. */ public atomic class StringBuffer {... } FALSE

38 C. Flanagan38Types for Atomicity java.lang.StringBuffer is not Atomic! public atomic StringBuffer { private int count guarded_by this; public synchronized int length() { return count; } public synchronized void getChars(...) {... } public synchronized void append(StringBuffer sb){ int len = sb.length();... sb.getChars(...,len,...);... } AAAA C AAAA sb.length() acquires the lock on sb, gets the length, and releases lock use of stale len may yield StringIndexOutOfBoundsException inside getChars(...) other threads can change sb  append(...) is not atomic

39 C. Flanagan39Types for Atomicity java.lang.Vector interface Collection { atomic int length(); atomic void toArray(Object a[]); } class Vector { int count; Object data[]; atomic Vector(Collection c) { count = c.length(); atomic data = new Object[count]; mover... c.toArray(data); atomic } compound X

40 C. Flanagan40Types for Atomicity Atomicity Inference

41 C. Flanagan41Types for Atomicity Unannotated Java Program atomicity inference Rcc/Sat Atomicity Warnings Program with Atomicity Annotations Bohr Type inference for atomicity –finds smallest atomicity for each method Bohr

42 C. Flanagan42Types for Atomicity Atomicity Inference class A { int f guarded_by this; int g guarded_by x; void m() {...} } Atomicity Constraints Solution Constraint Solver class A { int f guarded_by this; int g guarded_by x; atomic void m() {...} } Program w/ Locking Annotations Program w/ Atomicity Annotations

43 C. Flanagan43Types for Atomicity Atomicity Details Partial order of atomicities const error compound atomic mover x?mover:atomic

44 C. Flanagan44Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } 1.Add atomicity variables

45 C. Flanagan45Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } 2. Generate constraints over atomicity variables s ≤  i 3. Find assignment A Atomicity expression s ::= const | mover | atomic | cmpd | error |  | s 1 ; s 2 | x ? s 1 : s 2 | S(l, s) | WFA(E, s)

46 C. Flanagan46Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } S(this, ((const; this?mover:error); (const;this?mover:error)))

47 C. Flanagan47Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } S(this, ((const; this?mover:error); (const; this?mover:error)))

48 C. Flanagan48Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank { final Account c;  2 void double() { synchronized(this.c) { int x = this.c.bal; this.c.deposit(x); } S(this, ((const; this?mover:error); (const; this?mover:error))) S(l,a): atomicity of synchronized(l) { e } where e has atomicity a S(l, mover)= l ? mover : atomic S(l, atomic)= atomic S(l, compound)= compound S(l, l?b 1 :b 2 )= S(l,b 1 ) S(l, m?b 1 :b 2 )= m ? S(l,b 1 ) : S(l,b 2 ) if l  m

49 C. Flanagan49Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } S(this, ((const; this?mover:error); (const; this?mover:error))) ≤  1

50 C. Flanagan50Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } S(this, ((const; this?mover:error); (const; this?mover:error))) ≤  1 (const; (this?mover:error)[this:=c]) (const;WFA(E,  1 [this := this.a])))) replace this with name of receiver

51 C. Flanagan51Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } S(this, ((const; this?mover:error); (const; this?mover:error))) ≤  1 S(a, ((const; c?mover:error); (const;  1 [this := c])) ≤  2 Delayed Substitution

52 C. Flanagan52Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } S(this, ((const; this?mover:error); (const; this?mover:error))) ≤  1 S(c, ((const; c?mover:error); (const;  1 [this := c]))) ≤  2

53 C. Flanagan53Types for Atomicity Delayed Substitutions Given  [x := e] –suppose  becomes (x?mover:atomic) and e does not have const atomicity –then (e?mover:atomic) is not valid WFA(E, b) = smallest atomicity b' where –b ≤ b' –b' is well-typed and constant in E WFA(E, (e?mover:atomic)) = atomic

54 C. Flanagan54Types for Atomicity class Account { int bal guarded_by this;  1 void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank {  2 void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); } S(this, ((const; this?mover:error); (const; this?mover:error))) ≤  1 S(c, ((const; c?mover:error); (const; WFA(E,  1 [this:=c])))) ≤  2

55 C. Flanagan55Types for Atomicity 3. Compute Least Fixed Point Initial assignment A:  1 =  2 = const Algorithm: –pick constraint s ≤  such that A(s) ≤ A(  ) –set A(  ) to A(  ) ㄩ A(s) –repeat until quiescence

56 C. Flanagan56Types for Atomicity class Account { int bal guarded_by this; (this ? mover : atomic) void deposit(int n) { synchronized(this) { int j = this.bal; j = this.bal + n; } class Bank { (c ? mover : atomic) void double(final Account c) { synchronized(c) { int x = c.bal; c.deposit(x); }

57 C. Flanagan57Types for Atomicity Validation (excludes Rcc/Sat time)

58 C. Flanagan58Types for Atomicity Inferred Atomicities

59 C. Flanagan59Types for Atomicity Thread-Safe Classes

60 C. Flanagan60Types for Atomicity Related Work Reduction –[Lipton 75, Lamport-Schneider 89,...] –other applications: model checking [Stoller-Cohen 03, Flanagan-Qadeer 03] dynamic analysis [Flanagan-Freund 04, Wang-Stoller 04] Atomicity inference –type and effect inference [Talpin-Jouvelot 92,...] –dependent types [Cardelli 88] –ownership, dynamic [Sastakur-Agarwal-Stoller 04]

61 C. Flanagan61Types for Atomicity Conclusions And Future Directions Atomicity a fundamental concept –improves over race freedom –matches programmer intuition and practice –simplifies reasoning about correctness –enables concise and trustable documentation Many approaches for verifying atomicity –static type systems –dynamic checking (tomorrow) –... hybrid checkers... –... model checkers...

Download ppt "C. Flanagan1Types for Atomicity Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Types for Atomicity Authors: Cormac Flanagan, UC Santa Cruz Stephen Freund, Marina Lifshin, Williams College Shaz Qadeer, Microsoft Research Presentation.

Types for Atomicity Authors: Cormac Flanagan, UC Santa Cruz Stephen Freund, Marina Lifshin, Williams College Shaz Qadeer, Microsoft Research Presentation.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 8.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 8.
50.003: Elements of Software Construction Week 6 Thread Safety and Synchronization.

50.003: Elements of Software Construction Week 6 Thread Safety and Synchronization.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
Concurrency 101 Shared state. Part 1: General Concepts 2.

Concurrency 101 Shared state. Part 1: General Concepts 2.
Part IV: Exploiting Purity for Atomicity. Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } CAS(m,0,1) (fails) (succeeds)

Part IV: Exploiting Purity for Atomicity. Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } CAS(m,0,1) (fails) (succeeds)
Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz.

Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz.
Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)

Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)
Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.

Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.

/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.

CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
Atomicity Violation Detection Prof. Moonzoo Kim CS492B Analysis of Concurrent Programs.

Atomicity Violation Detection Prof. Moonzoo Kim CS492B Analysis of Concurrent Programs.
Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.
ADVERSARIAL MEMORY FOR DETECTING DESTRUCTIVE RACES Cormac Flanagan & Stephen Freund UC Santa Cruz Williams College PLDI 2010 Slides by Michelle Goodstein.

ADVERSARIAL MEMORY FOR DETECTING DESTRUCTIVE RACES Cormac Flanagan & Stephen Freund UC Santa Cruz Williams College PLDI 2010 Slides by Michelle Goodstein.
Atomicity: A powerful concept for analyzing concurrent software Shaz Qadeer Microsoft Research.

Atomicity: A powerful concept for analyzing concurrent software Shaz Qadeer Microsoft Research.
C. FlanaganTypes for Race Freedom1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.

C. FlanaganTypes for Race Freedom1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.
C. FlanaganAtomicity for Reliable Concurrent Software - PLDI'05 Tutorial1 Atomicity for Reliable Concurrent Software Part 3a: Types for Race-Freedom and.

C. FlanaganAtomicity for Reliable Concurrent Software - PLDI'05 Tutorial1 Atomicity for Reliable Concurrent Software Part 3a: Types for Race-Freedom and.

Similar presentations

Ads by Google