Download presentation
Presentation is loading. Please wait.
1
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College
2
C. FlanaganSAS’04: Type Inference Against Races2 Software Validation & Verification Standard approach: Testing –test coverage problem Multithreaded software –increasing widespread (Java, C#, GUIs, servers) –testing inadequate due to test coverage scheduling coverage An important application for static analysis!
3
C. FlanaganSAS’04: Type Inference Against Races3 Errors in Multithreaded Software class Ref { int i; void add(Ref r) { i = i + r.i; }
4
C. FlanaganSAS’04: Type Inference Against Races4 Errors in Multithreaded Software class Ref { int i; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); x.add(y); assert x.i == 6;
5
C. FlanaganSAS’04: Type Inference Against Races5 Errors in Multithreaded Software class Ref { int i; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { x.add(y); // two calls happen x.add(y); // in parallel } assert x.i == 6; A race condition occurs if two threads access a shared variable at the same time at least one of those accesses is a write
6
C. FlanaganSAS’04: Type Inference Against Races6 Lock-Based Synchronization class Ref { int i; // guarded by this void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; Field guarded by a lock Lock acquired before accessing field Ensures race freedom
7
C. FlanaganSAS’04: Type Inference Against Races7 Verifying Race Freedom Race freedom a key correctness property Rccjava [Flanagan-Freund, PLDI’99] –race condition checker for Java –verifies race freedom using a static analysis –analysis expressed as a type system –type annotations to specify locking discipline guarded_by, requires,...
8
C. FlanaganSAS’04: Type Inference Against Races8 Verifying Race Freedom with Types class Ref { int i; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6;
9
C. FlanaganSAS’04: Type Inference Against Races9 Verifying Race Freedom with Types class Ref { int i guarded_by this; void add(Ref r) requires this, r { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; check: this { this, r }
10
C. FlanaganSAS’04: Type Inference Against Races10 Verifying Race Freedom with Types class Ref { int i guarded_by this; void add(Ref r) requires this, r { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; check: this { this, r } check: this[this:=r] = r { this, r } replace this by r
11
C. FlanaganSAS’04: Type Inference Against Races11 Verifying Race Freedom with Types class Ref { int i guarded_by this; void add(Ref r) requires this, r { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; check: this { this, r } check: this[this:=r] = r { this, r } check: {this,r}[this:=x,r:=y] { x, y } replace formals this,r by actuals x,y
12
C. FlanaganSAS’04: Type Inference Against Races12 Verifying Race Freedom with Types class Ref { int i guarded_by this; void add(Ref r) requires this, r { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; check: {this,r}[this:=x,r:=y] { x, y } check: this { this, r } check: this[this:=r] = r { this, r } check: {this,r}[this:=x,r:=y] { x, y } Soundness Theorem: Well-typed programs are race-free replace formals this,r by actuals x,y
13
C. FlanaganSAS’04: Type Inference Against Races13 Basic Type Inference class Ref { int i; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6;
14
C. FlanaganSAS’04: Type Inference Against Races14 Basic Type Inference static final Object m =new Object(); class Ref { int i; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; Iterative GFP algorithm: [Flanagan-Freund, PASTE’01] Start with maximum set of annotations
15
C. FlanaganSAS’04: Type Inference Against Races15 Basic Type Inference static final Object m =new Object(); class Ref { int i guarded_by this, m; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; Iterative GFP algorithm: [Flanagan-Freund, PASTE’01] Start with maximum set of annotations
16
C. FlanaganSAS’04: Type Inference Against Races16 Basic Type Inference static final Object m =new Object(); class Ref { int i guarded_by this, m; void add(Ref r) requires this, r, m { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; Iterative GFP algorithm: [Flanagan-Freund, PASTE’01] Start with maximum set of annotations
17
C. FlanaganSAS’04: Type Inference Against Races17 Basic Type Inference static final Object m =new Object(); class Ref { int i guarded_by this, m; void add(Ref r) requires this, r, m { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; X X Iterative GFP algorithm: [Flanagan-Freund, PASTE’01] Start with maximum set of annotations Iteratively remove all incorrect annotations
18
C. FlanaganSAS’04: Type Inference Against Races18 Basic Type Inference static final Object m =new Object(); class Ref { int i guarded_by this, m; void add(Ref r) requires this, r, m { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; X X Iterative GFP algorithm: [Flanagan-Freund, PASTE’01] Start with maximum set of annotations Iteratively remove all incorrect annotations Check each field still has a protecting lock Sound, complete, fast But type system too basic
19
C. FlanaganSAS’04: Type Inference Against Races19 Harder Example: External Locking class Ref { int i; void add(Ref r) { i = i + r.i; } Object m = new Object(); Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6; Field i of x and y protected by external lock m Not typable with basic type system –m not in scope at i Requires more expressive type system with ghost parameters
20
C. FlanaganSAS’04: Type Inference Against Races20 Ghost Parameters on Classes class Ref { int i; void add(Ref r) { i = i + r.i; } Object m = new Object(); Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6;
21
C. FlanaganSAS’04: Type Inference Against Races21 Ghost Parameters on Classes class Ref { int i; void add(Ref r) { i = i + r.i; } Object m = new Object(); Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6; Ref parameterized by external ghost lock g
22
C. FlanaganSAS’04: Type Inference Against Races22 Ghost Parameters on Classes class Ref { int i guarded_by g; void add(Ref r) { i = i + r.i; } Object m = new Object(); Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6; Ref parameterized by external ghost lock g Field i guarded by g
23
C. FlanaganSAS’04: Type Inference Against Races23 Ghost Parameters on Classes class Ref { int i guarded_by g; void add(Ref r) requires g { i = i + r.i; } Object m = new Object(); Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6; Ref parameterized by external ghost lock g Field i guarded by g g held when add called
24
C. FlanaganSAS’04: Type Inference Against Races24 Ghost Parameters on Classes class Ref { int i guarded_by g; void add(Ref r) requires g { i = i + r.i; } Object m = new Object(); Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6; Ref parameterized by external ghost lock g Field i guarded by g g held when add called Argument r also parameterized by g
25
C. FlanaganSAS’04: Type Inference Against Races25 Ghost Parameters on Classes class Ref { int i guarded_by g; void add(Ref r) requires g { i = i + r.i; } Object m = new Object(); Ref x = new Ref (0); Ref y = new Ref (3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6; Ref parameterized by external ghost lock g Field i guarded by g g held when add called Argument r also parameterized by g x and y parameterized by lock m
26
C. FlanaganSAS’04: Type Inference Against Races26 Type Checking Ghost Parameters class Ref { int i guarded_by g; void add(Ref r) requires g { i = i + r.i; } Object m = new Object(); Ref x = new Ref (0); Ref y = new Ref (3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6; check: {g} [this:=x,r:=y, g:=m ] {m}
27
C. FlanaganSAS’04: Type Inference Against Races27 Type Inference with Ghosts HARD –iterative GFP algorithm does not work –check may fail because of two annotations which should we remove? –requires backtracking search NP-complete! Our approach –reduce type inference to SAT –use fast, modern SAT solver (Chaff)
28
C. FlanaganSAS’04: Type Inference Against Races28 Reducing Type Inference to SAT class Ref { int i; void add(Ref r) { i = i + r.i; }
29
C. FlanaganSAS’04: Type Inference Against Races29 Reducing Type Inference to SAT class Ref { int i; void add(Ref r) { i = i + r.i; }
30
C. FlanaganSAS’04: Type Inference Against Races30 Reducing Type Inference to SAT class Ref { int i; void add(Ref r) { i = i + r.i; } Add ghost parameters to each class declaration
31
C. FlanaganSAS’04: Type Inference Against Races31 Reducing Type Inference to SAT class Ref { int i guarded_by 1 ; void add(Ref r) { i = i + r.i; } Add ghost parameters to each class declaration Add guarded_by i to each field declaration –type inference resolves i to some lock
32
C. FlanaganSAS’04: Type Inference Against Races32 Reducing Type Inference to SAT class Ref { int i guarded_by 1 ; void add(Ref r) { i = i + r.i; } Add ghost parameters to each class declaration Add guarded_by i to each field declaration –type inference resolves i to some lock Add to each class reference
33
C. FlanaganSAS’04: Type Inference Against Races33 Reducing Type Inference to SAT class Ref { int i guarded_by 1 ; void add(Ref r) requires { i = i + r.i; } Add ghost parameters to each class declaration Add guarded_by i to each field declaration –type inference resolves i to some lock Add to each class reference Add requires i to each method –type inference resolves i to some set of locks
34
C. FlanaganSAS’04: Type Inference Against Races34 Reducing Type Inference to SAT class Ref { int i guarded_by 1 ; void add(Ref r) requires { i = i + r.i; } Constraints: 1 { this, g } 2 { this, g } { this, g, r } 1 1 [this := r, g:= 2 ]
35
C. FlanaganSAS’04: Type Inference Against Races35 Constraints: 1 { this, g } 2 { this, g } { this, g, r } 1 1 [this := r, g:= 2 ] Reducing Type Inference to SAT Encoding: 1 = (b1 ? this : g ) 2 = (b2 ? this : g ) = { b3 ? this, b4 ? g, b5 ? r } class Ref { int i guarded_by 1 ; void add(Ref r) requires { i = i + r.i; } Use boolean variables b1,...,b5 to encode choices for 1, 2,
36
C. FlanaganSAS’04: Type Inference Against Races36 Constraints: 1 { this, g } 2 { this, g } { this, g, r } 1 1 [this := r, g:= 2 ] Reducing Type Inference to SAT class Ref { int i guarded_by 1 ; void add(Ref r) requires { i = i + r.i; } 1 [this := r, g:= 2 ] Use boolean variables b1,...,b5 to encode choices for 1, 2, Encoding: 1 = (b1 ? this : g ) 2 = (b2 ? this : g ) = { b3 ? this, b4 ? g, b5 ? r }
37
C. FlanaganSAS’04: Type Inference Against Races37 Constraints: 1 { this, g } 2 { this, g } { this, g, r } 1 1 [this := r, g:= 2 ] Reducing Type Inference to SAT class Ref { int i guarded_by 1 ; void add(Ref r) requires { i = i + r.i; } 1 [this := r, g:= 2 ] (b1 ? this : g ) [this := r, g:= 2 ] Use boolean variables b1,...,b5 to encode choices for 1, 2, Encoding: 1 = (b1 ? this : g ) 2 = (b2 ? this : g ) = { b3 ? this, b4 ? g, b5 ? r }
38
C. FlanaganSAS’04: Type Inference Against Races38 Constraints: 1 { this, g } 2 { this, g } { this, g, r } 1 1 [this := r, g:= 2 ] Reducing Type Inference to SAT class Ref { int i guarded_by 1 ; void add(Ref r) requires { i = i + r.i; } 1 [this := r, g:= 2 ] (b1 ? this : g ) [this := r, g:= 2 ] (b1 ? r : 2 ) Use boolean variables b1,...,b5 to encode choices for 1, 2, Encoding: 1 = (b1 ? this : g ) 2 = (b2 ? this : g ) = { b3 ? this, b4 ? g, b5 ? r }
39
C. FlanaganSAS’04: Type Inference Against Races39 Constraints: 1 { this, g } 2 { this, g } { this, g, r } 1 1 [this := r, g:= 2 ] Reducing Type Inference to SAT class Ref { int i guarded_by 1 ; void add(Ref r) requires { i = i + r.i; } 1 [this := r, g:= 2 ] (b1 ? this : g ) [this := r, g:= 2 ] (b1 ? r : 2 ) (b1 ? r : (b2 ? this : g )) { b3 ? this, b4 ? g, b5 ? r } Use boolean variables b1,...,b5 to encode choices for 1, 2, Encoding: 1 = (b1 ? this : g ) 2 = (b2 ? this : g ) = { b3 ? this, b4 ? g, b5 ? r }
40
C. FlanaganSAS’04: Type Inference Against Races40 Constraints: 1 { this, g } 2 { this, g } { this, g, r } 1 1 [this := r, g:= 2 ] Reducing Type Inference to SAT class Ref { int i guarded_by 1 ; void add(Ref r) requires { i = i + r.i; } 1 [this := r, g:= 2 ] (b1 ? this : g ) [this := r, g:= 2 ] (b1 ? r : 2 ) (b1 ? r : (b2 ? this : g )) { b3 ? this, b4 ? g, b5 ? r } Use boolean variables b1,...,b5 to encode choices for 1, 2, Encoding: 1 = (b1 ? this : g ) 2 = (b2 ? this : g ) = { b3 ? this, b4 ? g, b5 ? r } Clauses: (b1 b5) ( b1 b2 b3) ( b1 b2 b4)
41
C. FlanaganSAS’04: Type Inference Against Races41 Overview of Type Inference SAT soln: b1=false... Constraint Solution: 1 = g... SAT problem: (b1 b5)... Constraints: 1 { this, g }... Add Unknowns: class Ref { int i guarded_by 1 ;... Annotated Program: class Ref { int i guarded_by g;... Unannotated Program: class Ref { int i;... b1,... encodes choice for 1,... Chaff SAT solver Error: potential race on field i unsatisfiable satisfiable
42
C. FlanaganSAS’04: Type Inference Against Races42 Improving Precision Synchronization not necessary if –only a single thread exists –object never escapes its creating thread –object has not yet escaped its creating thread –read-shared field read-only after it escapes its creating thread –code is unreachable Fields guarded_by expressions, not just vars –must be a constant expression –bound on size
43
C. FlanaganSAS’04: Type Inference Against Races43 Implementation Full Java programming language –inheritance, subtyping, interfaces –inner classes, static fields and methods Separate SAT problem for each field decl –to identify fields with potential race conditions Generate MAX-SAT optimization problem –minimize number+complexity of error messages Supports extra manual annotations /*# no_warn */, /*# single_threaded */ more ghost parameters, extra lock expressions,...
44
C. FlanaganSAS’04: Type Inference Against Races44 Experimental Results
45
C. FlanaganSAS’04: Type Inference Against Races45 Summary Type inference for rccjava is NP-complete –due to ghost parameters –requires backtracking search Reduce type inference to SAT –adequately fast up to 30,000 LOC –precise: 92-100% of fields verified race free
46
C. FlanaganSAS’04: Type Inference Against Races46 Future Work Atomicity –a key semantic correctness property for multithreaded code –a method is atomic if concurrent threads do not interfere with its behavior –sequential reasoning is OK for atomic methods Developing type-based analysis for atomicity –leverages information about race conditions –early result: 85% of methods in jbb are atomic!
47
C. FlanaganSAS’04: Type Inference Against Races47 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.