Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Parameterized Type System for Race-Free Java Programs Chandrasekhar Boyapati Martin Rinard Laboratory for Computer Science Massachusetts Institute of.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "A Parameterized Type System for Race-Free Java Programs Chandrasekhar Boyapati Martin Rinard Laboratory for Computer Science Massachusetts Institute of."— Presentation transcript:

1 A Parameterized Type System for Race-Free Java Programs Chandrasekhar Boyapati Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology {chandra, rinard}@lcs.mit.edu

2 Data races in multithreaded programs Two threads concurrently access same data At least one access is a write No synchronization to separate accesses Thread 1: x = x + 1; Thread 2: x = x + 2;

3 Why data races are a problem Some correct programs contain data races But most races are programming errors Code intended to execute atomically Synchronization omitted by mistake Consequences can be severe Non-deterministic, timing-dependent bugs Difficult to detect, reproduce, eliminate

4 Avoiding data races Thread 1: x = x + 1; Thread 2: x = x + 2;

5 Avoiding data races Thread 1: lock(l); x = x + 1; unlock(l); Thread 2: lock(l); x = x + 2; unlock(l); Associate a lock with every shared mutable data Acquire lock before data access Release lock after data access

6 Avoiding data races Thread 1: lock(l); x = x + 1; unlock(l); Thread 2: lock(l); x = x + 2; unlock(l); Problem: Locking is not enforced! Inadvertent programming errors…

7 Our solution A static type system for OO programs Well-typed programs are free of races

8 Our solution A static type system for OO programs Well-typed programs are free of races Programmers specify How each object is protected from races In types of variables pointing to objects Type checkers statically verify That objects are used only as specified

9 Protection mechanism of an object Specifies the lock protecting the object, or Specifies that object needs no locks b’cos The object is immutable, or The object is not shared, or There is a unique pointer to the object

10 Types are proofs Type checker Translator (Removes extra types) Compiler JVM Java bytecodes + Extra types Java

11 Outline Motivation Type system Experience Related work Conclusions

12 Race-free Account program class Account { int balance = 0; int deposit(int x) { this.balance += x; } Account a1 = new Account; fork (a1) { synchronized (a1) in { a1.deposit(10); } }; Account a2 = new Account; a2.deposit(10);

13 Race-free Account program class Account { int balance = 0; int deposit(int x) { this.balance += x; } Account a1 = new Account; fork (a1) { synchronized (a1) in { a1.deposit(10); } }; Account a2 = new Account; a2.deposit(10); Thread t; t.start(); fork (t) { t.start(); } Java: Concurrent Java: 

14 Race-free Account program class Account { int balance = 0; int deposit(int x) { this.balance += x; } Account a1 = new Account; fork (a1) { synchronized (a1) in { a1.deposit(10); } }; Account a2 = new Account; a2.deposit(10);

15 Statically verifiable race-free program class Account  thisOwner  { int balance = 0; int deposit(int x) requires (this) { this.balance += x; } final Account  self  a1 = new Account  self  ; fork (a1) { synchronized (a1) in { a1.deposit(10); } }; Account  thisThread  a2 = new Account  thisThread  ; a2.deposit(10);

16 Statically verifiable race-free program thisOwner protects the Account class Account  thisOwner  { int balance = 0; int deposit(int x) requires (this) { this.balance += x; } final Account  self  a1 = new Account  self  ; fork (a1) { synchronized (a1) in { a1.deposit(10); } }; Account  thisThread  a2 = new Account  thisThread  ; a2.deposit(10);

17 Statically verifiable race-free program a1 is protected by its lock a2 is thread-local class Account  thisOwner  { int balance = 0; int deposit(int x) requires (this) { this.balance += x; } final Account  self  a1 = new Account  self  ; fork (a1) { synchronized (a1) in { a1.deposit(10); } }; Account  thisThread  a2 = new Account  thisThread  ; a2.deposit(10);

18 Statically verifiable race-free program class Account  thisOwner  { int balance = 0; int deposit(int x) requires (this) { this.balance += x; } final Account  self  a1 = new Account  self  ; fork (a1) { synchronized (a1) in { a1.deposit(10); } }; Account  thisThread  a2 = new Account  thisThread  ; a2.deposit(10); deposit requires lock on “this”

19 class Account  thisOwner  { int balance = 0; int deposit(int x) requires (this) { this.balance += x; } final Account  self  a1 = new Account  self  ; fork (a1) { synchronized (a1) in { a1.deposit(10); } }; Account  thisThread  a2 = new Account  thisThread  ; a2.deposit(10); Statically verifiable race-free program a1 is locked before calling deposit a2 need not be locked

20 Type system Basic type system: Locks, thread-local objects Object ownership Type system Type inference Extensions: Unique pointers, read-only objects

21 Object ownership Every object has an owner An object can be owned by Itself Another object Special per-thread owner called thisThread thisThread Thread2 objects Thread1 objects Potentially shared objects

22 Ownership properties Owner of an object does not change over time Ownership relation forms a forest of rooted trees Roots can have self loops thisThread Thread2 objects Thread1 objects Potentially shared objects

23 Ownership properties Every object is protected by its root owner To gain exclusive access to an object, it is Necessary and sufficient to lock its root owner A thread implicitly holds the lock on its thisThread thisThread Thread2 objects Thread1 objects Potentially shared objects

24 Basic type system Object ownership Type system Type inference

25 class TStack { TNode head; void push(T value) {…} T pop() {…} } class TNode { TNode next; T value; … } class T {…} TStack program value next head value next value next … … … TStack TNode’s T’s

26 TStack program class TStack  thisOwner, TOwner  { TNode  this, TOwner  head; … } class TNode  thisOwner, TOwner  { TNode  thisOwner, TOwner  next; T  TOwner  value; … } TStack  thisThread, thisThread  s1; TStack  thisThread, self  s2; TStack TNode’s T’s

27 Parameterizing classes Classes are parameterized with one or more owners First owner owns the “this” object class TStack  thisOwner, TOwner  { TNode  this, TOwner  head; … } class TNode  thisOwner, TOwner  { TNode  thisOwner, TOwner  next; T  TOwner  value; … } TStack  thisThread, thisThread  s1; TStack  thisThread, self  s2; TStack TNode’s T’s

28 Instantiating classes Classes can be instantiated with final expressions E.g., with “this” class TStack  thisOwner, TOwner  { TNode  this, TOwner  head; … } class TNode  thisOwner, TOwner  { TNode  thisOwner, TOwner  next; T  TOwner  value; … } TStack  thisThread, thisThread  s1; TStack  thisThread, self  s2; TStack TNode’s T’s

29 Instantiating classes Classes can be instantiated with formal parameters E.g., with “thisOwner” or “TOwner” class TStack  thisOwner, TOwner  { TNode  this, TOwner  head; … } class TNode  thisOwner, TOwner  { TNode  thisOwner, TOwner  next; T  TOwner  value; … } TStack  thisThread, thisThread  s1; TStack  thisThread, self  s2; TStack TNode’s T’s

30 Instantiating classes Classes can be instantiated with “thisThread” class TStack  thisOwner, TOwner  { TNode  this, TOwner  head; … } class TNode  thisOwner, TOwner  { TNode  thisOwner, TOwner  next; T  TOwner  value; … } TStack  thisThread, thisThread  s1; TStack  thisThread, self  s2; thisThread TStack TNode’s T’s

31 Instantiating classes Classes can be instantiated with “self” class TStack  thisOwner, TOwner  { TNode  this, TOwner  head; … } class TNode  thisOwner, TOwner  { TNode  thisOwner, TOwner  next; T  TOwner  value; … } TStack  thisThread, thisThread  s1; TStack  thisThread, self  s2; thisThread TStack TNode’s T’s

32 Requires clauses class TStack  thisOwner, TOwner  { TNode  this, TOwner  head; … T  TOwner  pop() requires (this) { if (head == null) return null; T  TOwner  value = head.value(); head = head.next(); return value; } class TNode  thisOwner, TOwner  { T  TOwner  value() requires (this) {…} TNode  thisOwner, TOwner  next() requires (this) {…} … } Methods can require threads to have locks on root owners of objects

33 Type checking pop method value next head value next value next … … … TStack TNode’s T’s class TStack  thisOwner, TOwner  { TNode  this, TOwner  head; … T  TOwner  pop() requires (this) { if (head == null) return null; T  TOwner  value = head.value(); head = head.next(); return value; } class TNode  thisOwner, TOwner  { T  TOwner  value() requires (this) {…} TNode  thisOwner, TOwner  next() requires (this) {…} … }

34 Type checking pop method Locks held thisThread, RootOwner(this) class TStack  thisOwner, TOwner  { TNode  this, TOwner  head; … T  TOwner  pop() requires (this) { if (head == null) return null; T  TOwner  value = head.value(); head = head.next(); return value; } class TNode  thisOwner, TOwner  { T  TOwner  value() requires (this) {…} TNode  thisOwner, TOwner  next() requires (this) {…} … }

35 Type checking pop method Locks held thisThread, RootOwner(this) Locks required RootOwner(this) class TStack  thisOwner, TOwner  { TNode  this, TOwner  head; … T  TOwner  pop() requires (this) { if (head == null) return null; T  TOwner  value = head.value(); head = head.next(); return value; } class TNode  thisOwner, TOwner  { T  TOwner  value() requires (this) {…} TNode  thisOwner, TOwner  next() requires (this) {…} … }

36 Type checking pop method Locks held thisThread, RootOwner(this) Locks required ? class TStack  thisOwner, TOwner  { TNode  this, TOwner  head; … T  TOwner  pop() requires (this) { if (head == null) return null; T  TOwner  value = head.value(); head = head.next(); return value; } class TNode  thisOwner, TOwner  { T  TOwner  value() requires (this) {…} TNode  thisOwner, TOwner  next() requires (this) {…} … }

37 Type checking pop method Locks held thisThread, RootOwner(this) Locks required RootOwner(head) class TStack  thisOwner, TOwner  { TNode  this, TOwner  head; … T  TOwner  pop() requires (this) { if (head == null) return null; T  TOwner  value = head.value(); head = head.next(); return value; } class TNode  thisOwner, TOwner  { T  TOwner  value() requires (this) {…} TNode  thisOwner, TOwner  next() requires (this) {…} … }

38 Type checking pop method Locks held thisThread, RootOwner(this) Locks required RootOwner(head) = RootOwner(this) class TStack  thisOwner, TOwner  { TNode  this, TOwner  head; … T  TOwner  pop() requires (this) { if (head == null) return null; T  TOwner  value = head.value(); head = head.next(); return value; } class TNode  thisOwner, TOwner  { T  TOwner  value() requires (this) {…} TNode  thisOwner, TOwner  next() requires (this) {…} … }

39 Type checking pop method Locks held thisThread, RootOwner(this) Locks required RootOwner(this), RootOwner(head) = RootOwner(this) class TStack  thisOwner, TOwner  { TNode  this, TOwner  head; … T  TOwner  pop() requires (this) { if (head == null) return null; T  TOwner  value = head.value(); head = head.next(); return value; } class TNode  thisOwner, TOwner  { T  TOwner  value() requires (this) {…} TNode  thisOwner, TOwner  next() requires (this) {…} … }

40 Type checking pop method class TStack  thisOwner, TOwner  { TNode  this, TOwner  head; … T  TOwner  pop() requires (this) { if (head == null) return null; T  TOwner  value = head.value(); head = head.next(); return value; } class TNode  thisOwner, TOwner  { T  TOwner  value() requires (this) {…} TNode  thisOwner, TOwner  next() requires (this) {…} … }

41 Type checking client code class TStack  thisOwner, TOwner  { T  TOwner  pop() requires (this) {…} … } final TStack  self, self  s = …; fork (s) { synchronized (s) in { s.pop(); } };

42 Type checking client code Locks held thisThread, s class TStack  thisOwner, TOwner  { T  TOwner  pop() requires (this) {…} … } final TStack  self, self  s = …; fork (s) { synchronized (s) in { s.pop(); } };

43 Type checking client code Locks held thisThread, s Locks required RootOwner(s) = s class TStack  thisOwner, TOwner  { T  TOwner  pop() requires (this) {…} … } final TStack  self, self  s = …; fork (s) { synchronized (s) in { s.pop(); } };

44 Basic type system Object ownership Type system Type inference

45 Inferring owners of local variables class A  oa1, oa2  {…} class B  ob1, ob2, ob3  extends A  ob1, ob3  {…} class C { void m(B  this, oc1, thisThread  b) { A a1; B b1; b1 = b; a1 = b1; }

46 Inferring owners of local variables class A  oa1, oa2  {…} class B  ob1, ob2, ob3  extends A  ob1, ob3  {…} class C { void m(B  this, oc1, thisThread  b) { A  x1, x2  a1; B  x3, x4, x5  b1; b1 = b; a1 = b1; } Augment unknown types with owners

47 Inferring owners of local variables Gather constraints x3 = this x4 = oc1 x5 = thisThread class A  oa1, oa2  {…} class B  ob1, ob2, ob3  extends A  ob1, ob3  {…} class C { void m(B  this, oc1, thisThread  b) { A  x1, x2  a1; B  x3, x4, x5  b1; b1 = b; a1 = b1; }

48 Inferring owners of local variables Gather constraints x3 = this x4 = oc1 x5 = thisThread x1 = x3 x2 = x5 class A  oa1, oa2  {…} class B  ob1, ob2, ob3  extends A  ob1, ob3  {…} class C { void m(B  this, oc1, thisThread  b) { A  x1, x2  a1; B  x3, x4, x5  b1; b1 = b; a1 = b1; }

49 class A  oa1, oa2  {…} class B  ob1, ob2, ob3  extends A  ob1, ob3  {…} class C { void m(B  this, oc1, thisThread  b) { A  this, thisThread  a1; B  this, oc1, thisThread  b1; b1 = b; a1 = b1; } Inferring owners of local variables Solve constraints x3 = this x4 = oc1 x5 = thisThread x1 = x3 x2 = x5

50 class A  oa1, oa2  {…} class B  ob1, ob2, ob3  extends A  ob1, ob3  {…} class C { void m(B  this, oc1, thisThread  b) { A  this, thisThread  a1; B  this, oc1, thisThread  b1; b1 = b; a1 = b1; } Inferring owners of local variables Solve constraints Only equality constraints between owners Takes almost linear time to solve x3 = this x4 = oc1 x5 = thisThread x1 = x3 x2 = x5

51 Default types To further reduce programming overhead Single threaded programs require almost no programming overhead

52 Outline Motivation Type system Experience Related work Conclusions

53 Multithreaded server programs ProgramLines of codeLines changed http server56326 chat server30821 stock quote server24212 game server 8710 phone (database) server30210

54 Java libraries ProgramLines of codeLines changed java.io.OutputStream13403 java.io.BufferedWriter25309 java.io.OutputStreamWriter26611 java.io.Writer17706 java.io.PrintStream56814 java.io.FilterOutputStream14805 java.util.Vector99235 java.util.ArrayList53318

55 Java libraries Java has two classes for resizable arrays java.util.Vector Self synchronized, do not create races Always incur synchronization overhead java.util.ArrayList No unnecessary synchronization overhead Could be used unsafely to create races We provide generic resizable arrays Safe, but no unnecessary overhead

56 Java libraries Java programs contain unnecessary locking Much analysis work to remove unnecessary locking Aldrich, Chambers, Sirer, Eggers ( SAS ‘99 ) Whaley, Rinard ( OOPSLA ‘99 ) Choi, Gupta, Serrano, Sreedhar, Midkiff ( OOPSLA ‘99 ) Blanchet ( OOPSLA ‘99 ) Bogda, Holzle ( OOPSLA ‘99 ) Ruf ( PLDI ‘00 ) Our implementation Avoids unnecessary locking Without sacrificing safety

57 Additional benefits of race-free types Data races expose the effects of Weak memory consistency models Standard compiler optimizations

58 What is the value of z? Thread 1: y=0; x=1; Thread 2: z=x+y; Initially: x=0; y=1;

59 What is the value of z? Thread 1: y=0; x=1; Thread 2: z=x+y; Initially: x=0; y=1; z=x+y; y=0; x=1; z=1 y=0; z=x+y; x=1; z=0 y=0; x=1; z=x+y; z=1 Possible Interleavings

60 What is the value of z? Thread 1: y=0; x=1; Thread 2: z=x+y; Initially: x=0; y=1; z=x+y; y=0; x=1; z=1 y=0; z=x+y; x=1; z=0 y=0; x=1; z=x+y; z=1 x=1; z=x+y; y=0; z=2 !!! Possible Interleavings Above instruction reordering legal in single-threaded programs Violates sequential consistency in multithreaded programs

61 Additional benefits of race-free types Data races expose effects of Weak memory consistency models Standard compiler optimizations Data races complicate program analysis Data races complicate human understanding Race-free languages Eliminate these issues Make multithreaded programming more tractable

62 Outline Motivation Type system Experience Related work Conclusions

63 Tools to detect races Static race detection systems Sterling ( USENIX ‘93 ) Detlefs, Leino, Nelson, Saxe ( SRC ‘98 ) Engler, Chen, Hallem, Chou, Chelf ( SOSP ‘01 ) Dynamic race detection systems Steele ( POPL ‘90 ) Dinning, Schonberg ( PPoPP ‘90 ) Savage, Burrows, Nelson, Sobalvarro, Anderson ( SOSP ‘97 ) Praun, Gross ( OOPSLA ’01 )

64 Type systems to prevent races Race-free Java Flanagan and Freund ( PLDI ’00 ) Guava Bacon, Strom, Tarafdar ( OOPSLA ’00 )

65 Other related type systems Ownership types Clarke, Potter, Noble ( OOPSLA ’98 ), ( ECOOP ’01 ) Region types Grossman, Morrisett, Jim, Hicks, Wang, Cheney ( Cornell‘01 ) Parameterized types for Java Myers, Bank, Liskov ( POPL ’97 ) Agesen, Freund, Mitchell ( OOPSLA ’97 ) Bracha, Odersky, Stoutamire, Wadler ( OOPSLA ’98 ) Cartwright, Steele ( OOPSLA ’98 )

66 Conclusions Data races make programs hard to debug We presented race-free static type system Our type system is expressive Programs can be reliable and efficient

67 A Parameterized Type System for Race-Free Java Programs Chandrasekhar Boyapati Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology {chandra, rinard}@lcs.mit.edu

Download ppt "A Parameterized Type System for Race-Free Java Programs Chandrasekhar Boyapati Martin Rinard Laboratory for Computer Science Massachusetts Institute of."

Similar presentations

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,

Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
Eraser: A Dynamic Data Race Detector for Multithreaded Programs STEFAN SAVAGE, MICHAEL BURROWS, GREG NELSON, PATRICK SOBALVARRO and THOMAS ANDERSON.

Eraser: A Dynamic Data Race Detector for Multithreaded Programs STEFAN SAVAGE, MICHAEL BURROWS, GREG NELSON, PATRICK SOBALVARRO and THOMAS ANDERSON.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz.

Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz.
Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)

Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)
A Parameterized Type System for Race-Free Java Programs Paper by Boyapti & Rinard, 2001 Christopher Dentel ETH, Concepts of Concurrent Computation, 2012.

A Parameterized Type System for Race-Free Java Programs Paper by Boyapti & Rinard, 2001 Christopher Dentel ETH, Concepts of Concurrent Computation, 2012.
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.

/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.

CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
CS444/CS544 Operating Systems Synchronization 2/16/2006 Prof. Searleman

CS444/CS544 Operating Systems Synchronization 2/16/2006 Prof. Searleman
Concurrency and Thread Yoshi. Two Ways to Create Thread Extending class Thread – Actually, we need to override the run method in class Thread Implementing.

Concurrency and Thread Yoshi. Two Ways to Create Thread Extending class Thread – Actually, we need to override the run method in class Thread Implementing.
“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.

“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.

C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
Ownership Types for Safe Programming: Preventing Data Races and Deadlocks Chandrasekhar Boyapati Robert Lee Martin Rinard Laboratory for Computer Science.

Ownership Types for Safe Programming: Preventing Data Races and Deadlocks Chandrasekhar Boyapati Robert Lee Martin Rinard Laboratory for Computer Science.
Chandrasekhar Boyapati Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Programming.

Chandrasekhar Boyapati Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Programming.
Ownership Types for Object Encapsulation Barbara Liskov Chandrasekhar Boyapati Liuba Shrira Laboratory for Computer Science Massachusetts Institute of.

Ownership Types for Object Encapsulation Barbara Liskov Chandrasekhar Boyapati Liuba Shrira Laboratory for Computer Science Massachusetts Institute of.
Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.

Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.
A Type System for Preventing Data Races and Deadlocks in the Java Virtual Machine Language Pratibha Permandla Michael Roberson Chandrasekhar Boyapati University.

A Type System for Preventing Data Races and Deadlocks in the Java Virtual Machine Language Pratibha Permandla Michael Roberson Chandrasekhar Boyapati University.
Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Region-Based Memory Management in Real-Time Java Chandrasekhar.

Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Region-Based Memory Management in Real-Time Java Chandrasekhar.

Similar presentations

Ads by Google