Specifying Multithreaded Java semantics for Program Verification

Slides:



Advertisements
Similar presentations
Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Advertisements

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
An Case for an Interleaving Constrained Shared-Memory Multi-Processor Jie Yu and Satish Narayanasamy University of Michigan.
Architecture-aware Analysis of Concurrent Software Rajeev Alur University of Pennsylvania Amir Pnueli Memorial Symposium New York University, May 2010.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
D u k e S y s t e m s Time, clocks, and consistency and the JMM Jeff Chase Duke University.
An Case for an Interleaving Constrained Shared-Memory Multi- Processor CS6260 Biao xiong, Srikanth Bala.
Jan Ron McFadyen1 Singleton To guarantee that there is at most one instance of a class we can apply the singleton pattern. Singleton Static.
Oct Ron McFadyen1 Singleton To guarantee that there is at most one instance of a class we can apply the singleton pattern. Singleton Static.
Slides 8d-1 Programming with Shared Memory Specifying parallelism Performance issues ITCS4145/5145, Parallel Programming B. Wilkinson Fall 2010.
“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.
Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.
Specifying Java Thread Semantics Using a Uniform Memory Model Jason Yue Yang Ganesh Gopalakrishnan Gary Lindstrom School of Computing University of Utah.
Spring 2010ACS-3913 Ron McFadyen1 Singleton To guarantee that there is at most one instance of a class we can apply the singleton pattern. Singleton Static.
1 Sharing Objects – Ch. 3 Visibility What is the source of the issue? Volatile Dekker’s algorithm Publication and Escape Thread Confinement Immutability.
CS510 Concurrent Systems Class 5 Threads Cannot Be Implemented As a Library.
Synchronization CSCI 444/544 Operating Systems Fall 2008.
Analyzing the CRF Java Memory Model Yue Yang Ganesh Gopalakrishnan Gary Lindstrom School of Computing University of Utah.
Winter 2007ACS-3913 Ron McFadyen1 Singleton To guarantee that there is at most one instance of a class we can apply the singleton pattern. Singleton Static.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
Memory Consistency Models Some material borrowed from Sarita Adve’s (UIUC) tutorial on memory consistency models.
Exceptions and Mistakes CSE788 John Eisenlohr. Big Question How can we improve the quality of concurrent software?
ICOM 5995: Performance Instrumentation and Visualization for High Performance Computer Systems Lecture 7 October 16, 2002 Nayda G. Santiago.
1 Abstraction  Identify important aspects and ignore the details  Permeates software development programming languages are abstractions built on hardware.
1 Concurrent Languages – Part 1 COMP 640 Programming Languages.
CDP 2013 Based on “C++ Concurrency In Action” by Anthony Williams, The C++11 Memory Model and GCCThe C++11 Memory Model and GCC Wiki and Herb Sutter’s.
Dynamic Analysis of Multithreaded Java Programs Dr. Abhik Roychoudhury National University of Singapore.
Compactly Representing Parallel Program Executions Ankit Goel Abhik Roychoudhury Tulika Mitra National University of Singapore.
Shared Memory Consistency Models. SMP systems support shared memory abstraction: all processors see the whole memory and can perform memory operations.
Memory Consistency Models. Outline Review of multi-threaded program execution on uniprocessor Need for memory consistency models Sequential consistency.
Java Thread and Memory Model
The Singleton Pattern SE-2811 Dr. Mark L. Hornick 1.
Multiprocessor Cache Consistency (or, what does volatile mean?) Andrew Whitaker CSE451.
SPL/2010 Guarded Methods and Waiting 1. SPL/2010 Reminder! ● Concurrency problem: asynchronous modifications to object states lead to failure of thread.
Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Concurrency & Dynamic Programming.
ICFEM 2002, Shanghai Reasoning about Hardware and Software Memory Models Abhik Roychoudhury School of Computing National University of Singapore.
Thread basics. A computer process Every time a program is executed a process is created It is managed via a data structure that keeps all things memory.
Detecting Atomicity Violations via Access Interleaving Invariants
Specifying Multithreaded Java semantics for Program Verification Abhik Roychoudhury National University of Singapore (Joint work with Tulika Mitra)
Agenda  Quick Review  Finish Introduction  Java Threads.
Testing Concurrent Programs Sri Teja Basava Arpit Sud CSCI 5535: Fundamentals of Programming Languages University of Colorado at Boulder Spring 2010.
740: Computer Architecture Memory Consistency Prof. Onur Mutlu Carnegie Mellon University.
Lecture 20: Consistency Models, TM
Healing Data Races On-The-Fly
Synchronization.
The Singleton Pattern SE-2811 Dr. Mark L. Hornick.
Memory Consistency Models
Threads Cannot Be Implemented As a Library
Chapter 4: Multithreaded Programming
Memory Consistency Models
About the Presentations
runtime verification Brief Overview Grigore Rosu
Threads and Memory Models Hal Perkins Autumn 2011
Implementing synchronization
Threads and Memory Models Hal Perkins Autumn 2009
Lecture 22: Consistency Models, TM
Programming with Shared Memory Specifying parallelism
Memory Consistency Models
CSE 451: Operating Systems Autumn 2003 Lecture 7 Synchronization
CSE 451: Operating Systems Autumn 2005 Lecture 7 Synchronization
CSE 451: Operating Systems Winter 2003 Lecture 7 Synchronization
CSE 153 Design of Operating Systems Winter 19
Relaxed Consistency Part 2
Relaxed Consistency Finale
Compilers, Languages, and Memory Models
Programming with Shared Memory - 3 Recognizing parallelism
Programming with Shared Memory Specifying parallelism
Lecture: Consistency Models, TM
Problems with Locks Andrew Whitaker CSE451.
More concurrency issues
Presentation transcript:

Specifying Multithreaded Java semantics for Program Verification Abhik Roychoudhury National University of Singapore (Joint work with Tulika Mitra)

Java Multithreading Threads communicate via shared variables. Threads run on uni- or multi-processors Semantics given as abstract rules : Java Memory Model (JMM). Any multithreading implementation must respect JMM. Supports locking via synchronized statements Locking may be avoided for performance. ICSE 2002, Orlando FL

Unsychronized code if (inst == null) synchronized (Singleton.class){ inst = new Singleton(); return inst ; } if (inst == null) synchronized (Singleton.class){ inst = new Singleton(); } return inst; ICSE 2002, Orlando FL

Shared variable access without locks Initially : A = 0, B = 0 while (A != 1) {}; return B B = 1; A = 1; || Expected returned value = 1 ICSE 2002, Orlando FL

What may happen B = 1; A = 1; while (A != 1) {}; return B || May happen if threads are executed on different processors, or even by compiler re-ordering A= 1 return B B = 1 Returned value = 0 ICSE 2002, Orlando FL

Sequential Consistency Programmer expects statements within a thread to complete in program order: Sequential Consistency Each thread proceeds in program order Operations across threads are interleaved Op1 Op’’ Op2 Op’ violates SC Op’ ; Op’’ ; Op1; Op2; || ICSE 2002, Orlando FL

Is this a problem ? YES !! Programmers expect SC Verification techniques assume SC execution SC not guaranteed by execution platforms Not demanded by Java language spec. Unrealistic for any future spec. to demand YES !! ICSE 2002, Orlando FL

Organization Shared variable access without locks Candidate solutions Specifying the Java Memory Model (JMM) Using JMM for verification ICSE 2002, Orlando FL

1. Program with caution Always synchronize (and acquire lock) before writing a shared object For these programs, any execution is SC Unacceptable performance overheads for low-level libraries Software libraries from other sources cannot be guaranteed to be properly synchronized ICSE 2002, Orlando FL

2. Change the Semantics Current semantics called Java Memory Model (JMM). Part of Java language spec. Weaker than Sequential Consistency. Allows certain re-orderings within threads Currently being considered for revision Existing/future JMM bound to be weaker than SC – Does not solve the problem ICSE 2002, Orlando FL

3. Use the semantics Develop a formal executable description of the Java Memory Model Use it for program debugging, verification JMM captures all possible behaviors for any implementation – Platform independent reasoning Adds value to existing program verification techniques ICSE 2002, Orlando FL

Organization Shared variable access without locks Candidate solutions Specifying the Java Memory Model (JMM) Using JMM for verification ICSE 2002, Orlando FL

JMM Overview Each shared variable v has A master copy A local copy in each thread Threads read and write local/master copies by actions Imposes ordering constraints on actions Not multithreaded implementation guide ICSE 2002, Orlando FL

JMM Actions Master copy of v Local copy of v in t read(v,t) load(v,t) Master copy of v Local copy of v in t write(v,t) store(v,t) Actions invoked by Program Execution: use/assign(t,v) Read from/ Write into local copy of v in t lock/unlock(t) Acquire/Release lock on shared variables ICSE 2002, Orlando FL

Formal Specification Asynchronous concurrent composition Th1 || Th2 || … || Thn || MM Local state of each thread modeled as cache ( Local copy, Stale bit, Dirty bit ) Queues for incomplete reads/writes Local state of MM ( Master copies, Lock ownership info ) ICSE 2002, Orlando FL

Specifying JMM Actions Each action is a guarded command G  B Evaluate G; If true execute B atomically Example: Use of variable v by thread t  stale[t,v]  return local_copy[t,v] Applicability of action stated as guard In rule-based description, several rules determine the applicability ICSE 2002, Orlando FL

Understanding JMM A store must intervene between an assign assign(t,v) < store(t,v) load(t,v) assign(t, v) < load(t,v)  A store must intervene between an assign and a load action for a variable v by thread t ICSE 2002, Orlando FL

Understanding JMM assign(t, v) < store(t,v) load(t,v) assign(t,v) < write(t,v) < read(t,v) < load(t,v) assign(t,v) < load(t,v)   read/write actions on the master copy of v by thread t are performed in the order of corresponding load/store actions ICSE 2002, Orlando FL

Understanding JMM Applicability of an action depends on several rules in the rule-based description This is what makes the model “hard to understand” Operation description specifies applicability as guard assign(t,v) : empty(read_queue[t,v]) -> …. ICSE 2002, Orlando FL

Executable model Java threads invoke use,assign,lock,unlock Action executed by corresponding commands Threads block if the next action not enabled To enable these, store,write,load,read are executed in any order provided guard holds Example: To enable assign, a load is executed (if there was an earlier read) ICSE 2002, Orlando FL

Organization Shared variable access without locks Candidate solutions Specifying the Java Memory Model (JMM) Using JMM for verification ICSE 2002, Orlando FL

Verifying Unsynchronized Code assign(B,1) assign(A,1) While (use(A) !=1){} use(B) || use/assign invoke corresponding guarded commands load/store/read/write executed to enable use/assign Exhaustive state space exploration shows use(B) may return 1 or 0 ICSE 2002, Orlando FL

Program verification Composing executable JMM allows search The state space explosion problem  Most Java programs are “properly synchronized” and hence SC execution Unsynchronized code appears in low-level fragments which are frequently executed These programs are small, so …  ICSE 2002, Orlando FL

One possibility User chooses one program path in each thread (Creative step) Exhaustively check all possible execution traces from chosen program paths (Automated state space exploration: Can verify invariants) Choosing program paths requires understanding source code, not JMM ICSE 2002, Orlando FL

Case Study: Double Checked Locking Idiom for lazy instantiation of a singleton Check whether garbage data-fields can be returned by this object initialization routine Verification by composing the JMM reveals: Incompletely instantiated object can be returned Due to re-ordering of writes within constructor Detected by prototype invariant checker in 0.15 sec ICSE 2002, Orlando FL

Summary Executable specification of Multithreaded Java semantics Using the specification for debugging multithreaded programs Similar approach has been studied before in the context of hardware multiprocessors How to correct the bugs found (the harmful re-orderings) ? ICSE 2002, Orlando FL

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.