Presentation is loading. Please wait.

Presentation is loading. Please wait.

Type-Safe Multithreading in Cyclone Dan Grossman Cornell University TLDI 2003 18 Jan 2003.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Type-Safe Multithreading in Cyclone Dan Grossman Cornell University TLDI 2003 18 Jan 2003."— Presentation transcript:

1 Type-Safe Multithreading in Cyclone Dan Grossman Cornell University TLDI 2003 18 Jan 2003

2 Cyclone Multithreading, Dan Grossman2 Cyclone + threads = ? Cyclone is a safe language at the C level Target domains often use threads Races are a notorious source of errors –Automated help would be welcome Data races can violate safety –Safety guarantee requires prevention

3 18 Jan 2003Cyclone Multithreading, Dan Grossman3 Data races break safety Data race: one thread mutating some memory while another thread accesses it (w/o synchronization) 1.Pointer update must be atomic shared-memory MP semantics must be sane source pointers must translate to addresses 2.Writing addresses atomically insufficient struct SafeArr { int len; int* arr; }; if(p->len > i) *p=*p2 // p2 longer (p->arr)[i]=42;

4 18 Jan 2003Cyclone Multithreading, Dan Grossman4 Preventing data races Dynamic –Detect races as they occur –Control scheduling and preemption –... Static –Don’t have threads –Don’t have thread-shared memory –Require mutexes for all memory –Require mutexes for shared memory –Require sound synchronization for shared memory –...

5 18 Jan 2003Cyclone Multithreading, Dan Grossman5 Lock types The type system ensures that: For each (shared) data object, there exists a lock that a thread must hold to access the object Flanagan, Abadi, Freund, Qadeer –invented basic approach –found real Java bugs Boyapati, Rinard, Lee –reuse code for shared and local data –advanced features I have not adapted

6 18 Jan 2003Cyclone Multithreading, Dan Grossman6 Contributions 1.Adapt the approach to a C-level language 2.Integrate with parametric polymorphism 3.Integrate/compare with region-based memory management 4.Kinds to explain thread-local data and code reuse 5.Type-safety result for 1, 2, and 4 for an abstract machine where data races violate safety

7 18 Jan 2003Cyclone Multithreading, Dan Grossman7 The plan from here Multithreading language –terms –types –kinds Limitations Formalism: insight into why it’s safe Related work

8 18 Jan 2003Cyclone Multithreading, Dan Grossman8 Multithreading terms spawn(f,p,sz) run f(p2) in a thread where *p2 is a shallow copy of *p and sz is sizeof(*p) –new thread starts with no locks held –new thread terminates when f returns –allows *p to be thread-local sync e s acquire lock e, run s, release lock newlock() create a new lock nonlock a pseudolock for thread-local data Only sync requires language support (others are C terms with Cyclone types)

9 18 Jan 2003Cyclone Multithreading, Dan Grossman9 Simple examples (w/o types) Suppose *p1 is shared (lock lk ) and *p2 is local Caller-locks: void f(int *p) { /* use *p */ } sync lk { f(p1) }; f(p2); Callee-locks: void g(int *p, lock_t l) { sync l {/* use *p */} } g(p1,lk); g(p2,nonlock);

10 18 Jan 2003Cyclone Multithreading, Dan Grossman10 Types Obligation: Each shared memory location has a lock that is acquired before access Key: Lock names (types of kind L) in pointer types and lock types – int*`L is a type for pointers to locations guarded by a lock with type lock_t –mutual exclusion b/c lock_t is a singleton Thread-local locations use lock name loc newlock() has type  `L. lock_t nonlock has type lock_t

11 18 Jan 2003Cyclone Multithreading, Dan Grossman11 Access rights Obligation: Each shared memory location has a lock that is acquired before access Key: Each program point has a set of lock names –using location guarded by `L requires `L in set ( loc is always in set) – sync e s adds `L if e has type lock_t –functions have explicit preconditions (default is caller locks) Lexical scope on sync convenient but nonessential

12 18 Jan 2003Cyclone Multithreading, Dan Grossman12 Examples, with types Suppose *p1 is shared (lock lk ) and *p2 is local Caller-locks: void f(int*`L p ;{`L}){/* use *p */} sync lk { f(p1) }; f(p2); Callee-locks: void g(int*`L p, lock_t l ;{}) { sync l {/*use *p */} } g(p1,lk); g(p2,nonlock);

13 18 Jan 2003Cyclone Multithreading, Dan Grossman13 Second-order lock types Functions universally quantify over lock names Existential types for data structures struct LkInt { int*`L; lock_t ;}; (same race problem as SafeArr example) Type constructors for reusing locks struct Lst { int*`L hd; struct Lst *`L tl; }; Easy to add because Cyclone had second-order types

14 18 Jan 2003Cyclone Multithreading, Dan Grossman14 The plan from here Multithreading language –terms –types –kinds Limitations Formalism: insight into why it’s safe Related work No data races only if local data is really local

15 18 Jan 2003Cyclone Multithreading, Dan Grossman15 Enforcing loc A possible type for spawn: void spawn(void f(`a*loc ;{}), `a*`L, sizeof_t ;{`L}); But not any `a will do We already have different kinds of type variables: L for locks A for all (non-lock) types Examples: loc::L, int*`L::A, struct T :: A

16 18 Jan 2003Cyclone Multithreading, Dan Grossman16 Enforcing loc cont’d Enrich kinds with sharabilities, S or U loc::LU newlock() has type  `L::LS. lock_t A type is sharable only if every part is sharable Every type is (possibly) unsharable Unsharable is the default void spawn (void f(`a*;{}), `a*`L, sizeof_t ;{`L}); Keeps local data local

17 18 Jan 2003Cyclone Multithreading, Dan Grossman17 Threads shortcomings Global variables need top-level locks Shared data enjoys an initialization phase Object migration Read-only data and reader/writer locks Semaphores, signals,... Deadlock (not a safety problem)...

18 18 Jan 2003Cyclone Multithreading, Dan Grossman18 The plan from here Multithreading language –terms –types –kinds Limitations Formalism: insight into why it’s safe Related work

19 18 Jan 2003Cyclone Multithreading, Dan Grossman19 Abstract Machine Program state: (H, L0, (L1,s1),..., (Ln,sn)) One heap (local vs. shared not a run-time notion) Li are disjoint lock sets: a lock is available (L0) or held by some thread A thread has held locks (Li) and control state (si) Thread scheduling non-deterministic –any thread can take the next primitive step

20 18 Jan 2003Cyclone Multithreading, Dan Grossman20 Dynamic semantics Single-thread steps can: –change/create a heap location –acquire/release/create a lock –spawn a thread –rewrite the thread’s statement (control-stack) Mutation takes two steps. Informally: H[x  v], x=v ’ ; s  H[x  junk(v ’ )],x=junk(v ’ ); s  H[x  v ’ ], s Data races exist and can lead to stuck threads

21 18 Jan 2003Cyclone Multithreading, Dan Grossman21 Static semantics – source Distinguishes statements and left/right expressions (as does dynamic semantics and C) Type-checking right-expressions:  ;  ;  ;  |– e :   : type variables and their kinds  : term variables and their types & lock-names  : effect constraints (for polymorphism)  : effect (lock names currently allowed) junk expressions never well-typed in source Largely conventional – no surprises

22 18 Jan 2003Cyclone Multithreading, Dan Grossman22 Static semantics – program state Evaluation preserves implicit structure on the heap spawn preserves the invariant because of the kind restriction on its argument Acquiring/releasing a lock “recolors” the shared heap L0 s1 L1 s2 L2... sn Ln... S U

23 18 Jan 2003Cyclone Multithreading, Dan Grossman23 No data races Invariant on where junk(v) can appear: –Color has one junk if si is mutating an element –Else color is junk-free So no thread gets stuck due to junk Theorem: thread stuck only if waiting on lock (can deadlock) L0 s1 L1 s2 L2... sn Ln... S U

24 18 Jan 2003Cyclone Multithreading, Dan Grossman24 Formalism summary One run-time heap (colors and boxes for the proof) A trick for making data races a problem Straightforward type system for source programs Syntactic safety proof requires understanding how the type system imposes structure on the heap...... which was invaluable in understanding, “what’s really going on” especially with spawn First proof for a system with thread-local data

25 18 Jan 2003Cyclone Multithreading, Dan Grossman25 Related work This work in line of Flanagan, Boyapati, et al. Guava (race-free Java, rigid local/shared distinction) Bug-finding tools (ESC/Java, Warlock,...) Dynamic race detection (novel code and run-time) Other safe low-level languages (CCured, Vault, PCC, TAL,...) single-threaded Cannot implement an array-bounds check in the presence of data races

26 18 Jan 2003Cyclone Multithreading, Dan Grossman26 Conclusions Data races and safe C do not mix well Static support for lock-based mutual exclusion becoming well understood Designed and formalized multithreading for Cyclone May need more bells and whistles for realistic multithreaded programs Implementation high on the to-do list

27 18 Jan 2003Cyclone Multithreading, Dan Grossman27 [End of Presentation – an auxiliary slide follows]

28 18 Jan 2003Cyclone Multithreading, Dan Grossman28 Important extensions (see the paper) Parametric polymorphism –What locks are needed to access an `a –How do we ensure these locks are acquired while allowing polymorphic code Region-based memory management –How do we prevent one thread from accessing objects another thread has deallocated –Type systems for regions and locks very similar, so what do the differences teach us

Download ppt "Type-Safe Multithreading in Cyclone Dan Grossman Cornell University TLDI 2003 18 Jan 2003."

Similar presentations

50.003: Elements of Software Construction Week 6 Thread Safety and Synchronization.

50.003: Elements of Software Construction Week 6 Thread Safety and Synchronization.
Programming Languages and Paradigms

Programming Languages and Paradigms
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.

Current Techniques in Language-based Security David Walker COS 597B With slides stolen from: Steve Zdancewic University of Pennsylvania.
Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,

Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
Chapter 6: Process Synchronization

Chapter 6: Process Synchronization
INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.

INF 212 ANALYSIS OF PROG. LANGS Type Systems Instructors: Crista Lopes Copyright © Instructors.
Taming Win32 Threads with Static Analysis Jason Yang Program Analysis Group Center for Software Excellence (CSE) Microsoft Corporation.

Taming Win32 Threads with Static Analysis Jason Yang Program Analysis Group Center for Software Excellence (CSE) Microsoft Corporation.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.

CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.

George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.
Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.

Typed Assembly Languages COS 441, Fall 2004 Frances Spalding Based on slides from Dave Walker and Greg Morrisett.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.

C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
Summer School on Language-Based Techniques for Integrating with the External World Types for Safe C-Level Programming Part 3: Basic Cyclone-Style Region-

Summer School on Language-Based Techniques for Integrating with the External World Types for Safe C-Level Programming Part 3: Basic Cyclone-Style Region-
A Type System for Preventing Data Races and Deadlocks in the Java Virtual Machine Language Pratibha Permandla Michael Roberson Chandrasekhar Boyapati University.

A Type System for Preventing Data Races and Deadlocks in the Java Virtual Machine Language Pratibha Permandla Michael Roberson Chandrasekhar Boyapati University.
Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Region-Based Memory Management in Real-Time Java Chandrasekhar.

Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Region-Based Memory Management in Real-Time Java Chandrasekhar.
On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.

On the Relationship Between Concurrent Separation Logic and Assume-Guarantee Reasoning Xinyu Feng Yale University Joint work with Rodrigo Ferreira and.
CS444/CS544 Operating Systems Synchronization 2/21/2007 Prof. Searleman

CS444/CS544 Operating Systems Synchronization 2/21/2007 Prof. Searleman

Similar presentations

Ads by Google