Presentation is loading. Please wait.

Presentation is loading. Please wait.

C. FlanaganType Systems for Multithreaded Software1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research.

Published byOscar Houston Modified over 9 years ago

Similar presentations

Presentation on theme: "C. FlanaganType Systems for Multithreaded Software1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research."— Presentation transcript:

1 C. FlanaganType Systems for Multithreaded Software1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research

2 C. FlanaganType Systems for Multithreaded Software2 Towards Reliable Multithreaded Software Multithreaded software –increasingly common (Java, C#, GUIs, servers) –decrease latency, exploit underlying hardware Heisenbugs due to thread interference –race conditions –atomicity violations Need type systems for multithreaded software

3 C. FlanaganType Systems for Multithreaded Software3 Race Conditions class Ref { int i; void add(Ref r) { i = i + r.i; }

4 C. FlanaganType Systems for Multithreaded Software4 Race Conditions class Ref { int i; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); x.add(y); assert x.i == 6;

5 C. FlanaganType Systems for Multithreaded Software5 Race Conditions class Ref { int i; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { x.add(y); // two calls happen x.add(y); // in parallel } assert x.i == 6; A race condition occurs if two threads access a shared variable at the same time at least one of those accesses is a write

6 C. FlanaganType Systems for Multithreaded Software6 Lock-Based Synchronization class Ref { int i; // guarded by this void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; Field guarded by a lock Lock acquired before accessing field Ensures race freedom

7 C. FlanaganType Systems for Multithreaded Software7 Verifying Race Freedom with Types class Ref { int i; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; Race freedom –key correctness property Rccjava –race condition checker –verifies race freedom –extra type annotations express locking discipline

8 C. FlanaganType Systems for Multithreaded Software8 Verifying Race Freedom with Types class Ref { int i; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6;

9 C. FlanaganType Systems for Multithreaded Software9 Verifying Race Freedom with Types class Ref { int i guarded_by this; void add(Ref r) requires this, r { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; check: this  { this, r }

10 C. FlanaganType Systems for Multithreaded Software10 Verifying Race Freedom with Types class Ref { int i guarded_by this; void add(Ref r) requires this, r { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; check: this  { this, r } check: this[this:=r] = r  { this, r } replace this by r

11 C. FlanaganType Systems for Multithreaded Software11 Verifying Race Freedom with Types class Ref { int i guarded_by this; void add(Ref r) requires this, r { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; check: this  { this, r } check: this[this:=r] = r  { this, r } check: {this,r}[this:=x,r:=y]  { x, y } replace formals this,r by actuals x,y

12 C. FlanaganType Systems for Multithreaded Software12 Verifying Race Freedom with Types class Ref { int i guarded_by this; void add(Ref r) requires this, r { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; check: {this,r}[this:=x,r:=y]  { x, y } check: this  { this, r } check: this[this:=r] = r  { this, r } check: {this,r}[this:=x,r:=y]  { x, y } Soundness Theorem: Well-typed programs are race-free replace formals this,r by actuals x,y

13 C. FlanaganType Systems for Multithreaded Software13 Type Inference for Race-Freedom Annotated Program: class Ref { int i guarded_by this;... Unannotated Program: class Ref { int i;... Error: potential race on field i unsatisfiable satisfiable Boolean Formula Satisfying Assignment SAT Solver

14 C. FlanaganType Systems for Multithreaded Software14 Experimental Results: Race Freedom

15 C. FlanaganType Systems for Multithreaded Software15 Beyond Race Freedom: Types for Atomicity

16 C. FlanaganType Systems for Multithreaded Software16 Limitations of Race-Freedom class Ref { int i;... void inc() { int t; synchronized (this) { t = i; i = t + 1; }... } inc() race-free behaves correctly in a multithreaded context

17 C. FlanaganType Systems for Multithreaded Software17 Limitations of Race-Freedom class Ref { int i;... void inc() { int t; synchronized (this) { t = i; } synchronized (this) { i = t+1; }... } inc() race-free behaves incorrectly in a multithreaded context Race freedom does not prevent errors due to unexpected interactions between threads

18 C. FlanaganType Systems for Multithreaded Software18 Atomicity The method inc() is atomic if concurrent threads do not interfere with its behavior –(maximal non-interference property) Guarantees that for every interleaved execution there is a serial execution with same behavior         acq(this)t=i i=t+1rel(this)xyz         acq(this) t=i i=t+1rel(this)xyz         acq(this) t=i i=t+1rel(this)xyz

19 C. FlanaganType Systems for Multithreaded Software19 Atomicity Canonical property –(cmp. linearizability, serializability,...) Enables sequential reasoning –simplifies validation of multithreaded code Matches existing practice –most methods (80%+) are atomic Verifiable using type systems –atomicity violations often indicate errors –Lipton’s theory of reduction

20 C. FlanaganType Systems for Multithreaded Software20 Reduction [Lipton 75] acq(this)  Xt=i Y i=t+1Z rel(this)      acq(this)  X t=i Y i=t+1Z rel(this)         acq(this) X t=i Y i=t+1Z rel(this)        acq(this) X t=i Y i=t+1Z rel(this)      

21 C. FlanaganType Systems for Multithreaded Software21 Checking Atomicity atomic void inc() { int t; synchronized (this) { t = i; i = t + 1; } R: right-mover lock acquire L: left-mover lock release B: both-mover race-free variable access A: atomic conflicting variable access  Reducible blocks have form: R* [A] L* acq(this) t=i i=t+1 rel(this) R B B L A

22 C. FlanaganType Systems for Multithreaded Software22 Checking Atomicity (cont.) atomic void inc() { int t; synchronized (this) { t = i; } synchronized (this) { i = t + 1; } R: right-mover lock acquire L: left-mover lock release B: both-mover race-free variable access A: atomic conflicting variable access R B L R B L acq(this) t=i i=t+1 rel(this) acq(this) rel(this) Compound A A

23 C. FlanaganType Systems for Multithreaded Software23 Conditional Atomicity atomic void inc() { int t; synchronized (this) { t = i; i = t + 1; } atomic void incByTwo() { inc(); }

24 C. FlanaganType Systems for Multithreaded Software24 Conditional Atomicity atomic void inc() { int t; synchronized (this) { t = i; i = t + 1; } atomic void incByTwo() { synchronized (this) { inc(); }

25 C. FlanaganType Systems for Multithreaded Software25 Conditional Atomicity (this ? mover : atomic) void inc() { int t; synchronized (this) { t = i; i = t + 1; } atomic void incByTwo() { synchronized (this) { inc(); }

26 C. FlanaganType Systems for Multithreaded Software26 java.lang.StringBuffer /**... used by the compiler to implement the binary string concatenation operator... String buffers are safe for use by multiple threads. The methods are synchronized so that all the operations on any particular instance behave as if they occur in some serial order that is consistent with the order of the method calls made by each of the individual threads involved. */ public atomic class StringBuffer {... } FALSE

27 C. FlanaganType Systems for Multithreaded Software27 class StringBuffer { private int count; synchronized int length() { return count; } synchronized void getChars(...) {... } atomic synchronized void append(StringBuffer sb){ int len = sb.length();... sb.getChars(...,len,...);... } java.lang.StringBuffer AAAA Compound

28 C. FlanaganType Systems for Multithreaded Software28 Unannotated Java Program atomicity inference Rcc/Sat Atomicity Warnings Program with Atomicity Annotations Type Inference for Atomicity Finds most precise atomicity for each method Leverages race-free type inference algorithm (Rcc/Sat) Bohr

29 C. FlanaganType Systems for Multithreaded Software29 Atomicity Inference class Ref { int i guarded_by this; void inc() {...} } Atomicity Constraints Solution Constraint Solver class Ref { int i guarded_by this; atomic void inc(){...} } Program w/ Locking Annotations Program w/ Atomicity Annotations

30 C. FlanaganType Systems for Multithreaded Software30 Thread-Safe Classes

31 C. FlanaganType Systems for Multithreaded Software31 Benchmarks

32 C. FlanaganType Systems for Multithreaded Software32 Summary Concurrency errors are notorious and subtle –race conditions –atomicity violations Can be detected/prevented using types –type checking and type inference tractable and reasonably precise –over 80% of methods in jbb are atomic

33 C. FlanaganType Systems for Multithreaded Software33 Type Systems for Multithreaded Software Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research

Download ppt "C. FlanaganType Systems for Multithreaded Software1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Types for Atomicity Authors: Cormac Flanagan, UC Santa Cruz Stephen Freund, Marina Lifshin, Williams College Shaz Qadeer, Microsoft Research Presentation.

Types for Atomicity Authors: Cormac Flanagan, UC Santa Cruz Stephen Freund, Marina Lifshin, Williams College Shaz Qadeer, Microsoft Research Presentation.
QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.

QED: A Simplifier for Concurrent Programs Shaz Qadeer Microsoft Research Joint work with Tayfun ElmasAli SezginSerdar Tasiran.
50.003: Elements of Software Construction Week 6 Thread Safety and Synchronization.

50.003: Elements of Software Construction Week 6 Thread Safety and Synchronization.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.

5.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts with Java – 8 th Edition Chapter 5: CPU Scheduling.
Concurrency 101 Shared state. Part 1: General Concepts 2.

Concurrency 101 Shared state. Part 1: General Concepts 2.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
Part IV: Exploiting Purity for Atomicity. Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } CAS(m,0,1) (fails) (succeeds)

Part IV: Exploiting Purity for Atomicity. Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } CAS(m,0,1) (fails) (succeeds)
Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz.

Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz.
Taming Win32 Threads with Static Analysis Jason Yang Program Analysis Group Center for Software Excellence (CSE) Microsoft Corporation.

Taming Win32 Threads with Static Analysis Jason Yang Program Analysis Group Center for Software Excellence (CSE) Microsoft Corporation.
Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)

Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)
Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.

Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.
C. Flanagan1Types for Atomicity Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.

C. Flanagan1Types for Atomicity Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.

/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.

CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
Atomicity Violation Detection Prof. Moonzoo Kim CS492B Analysis of Concurrent Programs.

Atomicity Violation Detection Prof. Moonzoo Kim CS492B Analysis of Concurrent Programs.
Generalizing Reduction and Abstraction to Simplify Concurrent Programs: The QED Approach Shaz Qadeer Microsoft Research Redmond, WA Serdar Taşıran Serdar.

Generalizing Reduction and Abstraction to Simplify Concurrent Programs: The QED Approach Shaz Qadeer Microsoft Research Redmond, WA Serdar Taşıran Serdar.
Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Similar presentations

Ads by Google