C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Types for Atomicity Authors: Cormac Flanagan, UC Santa Cruz Stephen Freund, Marina Lifshin, Williams College Shaz Qadeer, Microsoft Research Presentation.
OO Programming in Java Objectives for today: Overriding the toString() method Polymorphism & Dynamic Binding Interfaces Packages and Class Path.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
Model-based reasoning meets code verification Michael Butler 21 May 2014 WG 2.3 Meeting 55, Orlando.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Background for “KISS: Keep It Simple and Sequential” cs264 Ras Bodik spring 2005.
Generic programming in Java
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)
A Parameterized Type System for Race-Free Java Programs Paper by Boyapti & Rinard, 2001 Christopher Dentel ETH, Concepts of Concurrent Computation, 2012.
Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.
C. Flanagan1Types for Atomicity Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.
ADVERSARIAL MEMORY FOR DETECTING DESTRUCTIVE RACES Cormac Flanagan & Stephen Freund UC Santa Cruz Williams College PLDI 2010 Slides by Michelle Goodstein.
Threading Part 2 CS221 – 4/22/09. Where We Left Off Simple Threads Program: – Start a worker thread from the Main thread – Worker thread prints messages.
“THREADS CANNOT BE IMPLEMENTED AS A LIBRARY” HANS-J. BOEHM, HP LABS Presented by Seema Saijpaul CS-510.
C. FlanaganTypes for Race Freedom1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.
Java Generics.
C. FlanaganAtomicity for Reliable Concurrent Software - PLDI'05 Tutorial1 Atomicity for Reliable Concurrent Software Part 3a: Types for Race-Freedom and.
Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
Slides prepared by Rose Williams, Binghamton University Chapter 13 Interfaces and Inner Classes.
Modular Verification of Multithreaded Software Shaz Qadeer Compaq Systems Research Center Shaz Qadeer Compaq Systems Research Center Joint work with Cormac.
Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Region-Based Memory Management in Real-Time Java Chandrasekhar.
Type Systems For Distributed Data Sharing Ben Liblit Alex AikenKathy Yelick.
C. Flanagan1Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Atomicity for Reliable Concurrent Software Joint work with Stephen Freund Shaz.
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.
Types for Atomicity in Multithreaded Software Cormac Flanagan Systems Research Center HP Labs.
Synchronization in Java Fawzi Emad Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
1 A Modular Checker for Multithreaded Programs Cormac Flanagan HP Systems Research Center Joint work with Shaz Qadeer Sanjit A. Seshia.
Thread-Modular Verification Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund Shaz Qadeer Joint work with Cormac Flanagan Stephen Freund.
Verifying Commit-Atomicity Using Model Checking Cormac Flanagan University of California, Santa Cruz.
Mechanized Metatheory for User- Defined Type Extensions Dan Marino, Brian Chin, Todd Millstein UCLA Gang Tan Boston College Robert J. Simmons, David Walker.
Program Analysis Mooly Sagiv Tel Aviv University Sunday Scrieber 8 Monday Schrieber.
0wn3rship Types John Whaley CS343 Stanford University May 19, 2004.
Cormac Flanagan UC Santa Cruz Velodrome: A Sound and Complete Dynamic Atomicity Checker for Multithreaded Programs Jaeheon Yi UC Santa Cruz Stephen Freund.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Cormac Flanagan University of California, Santa Cruz Hybrid Type Checking.
272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.
C. FlanaganType Systems for Multithreaded Software1 Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research.
Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.
Types for Programs and Proofs Lecture 1. What are types? int, float, char, …, arrays types of procedures, functions, references, records, objects,...
07 Coding Conventions. 2 Demonstrate Developing Local Variables Describe Separating Public and Private Members during Declaration Explore Using System.exit.
/ PSWLAB Type-Based Race Detection for J AVA by Cormac Flanagan, Stephen N. Freund 22 nd Feb 2008 presented by Hong,Shin Type-Based.
Race Checking by Context Inference Tom Henzinger Ranjit Jhala Rupak Majumdar UC Berkeley.
ABSTRACT The real world is concurrent. Several things may happen at the same time. Computer systems must increasingly contend with concurrent applications.
Automated Software Engineering with Concurrent Class Machines Radu Grosu SUNY at Stony Brook joint work with Y. Liu, S. Smolka, S.Stoller, J. Yan SUNY.
COMP 111 Threads and concurrency Sept 28, Tufts University Computer Science2 Who is this guy? I am not Prof. Couch Obvious? Sam Guyer New assistant.
Sharing Objects  Synchronization  Atomicity  Specifying critical sections  Memory visibility  One thread’s modification seen by the other  Visibility.
Learning Symbolic Interfaces of Software Components Zvonimir Rakamarić.
Motivation  Parallel programming is difficult  Culprit: Non-determinism Interleaving of parallel threads But required to harness parallelism  Sequential.
PROGRAMMING TESTING B MODULE 2: SOFTWARE SYSTEMS 22 NOVEMBER 2013.
PROGRAMMING PRE- AND POSTCONDITIONS, INVARIANTS AND METHOD CONTRACTS B MODULE 2: SOFTWARE SYSTEMS 13 NOVEMBER 2013.
Extended Static Checking for Java Cormac Flanagan Joint work with: Rustan Leino, Mark Lillibridge, Greg Nelson, Jim Saxe, and Raymie Stata Compaq Systems.
/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.
Specifying Multithreaded Java semantics for Program Verification Abhik Roychoudhury National University of Singapore (Joint work with Tulika Mitra)
A Calculus of Atomic Actions Tayfun Elmas, Shaz Qadeer and Serdar Tasiran POPL ‘ – Seminar in Distributed Algorithms Cynthia Disenfeld 27/05/2013.
Eraser: A dynamic Data Race Detector for Multithreaded Programs Stefan Savage, Michael Burrows, Greg Nelson, Patrick Sobalvarro, Thomas Anderson Presenter:
Types for Programs and Proofs
Locking discipline inference and checking Michael D
University of Washington, USA Università di Verona, Italy NFM 2016
Concurrency Specification
Threads and Memory Models Hal Perkins Autumn 2011
Atomicity in Multithreaded Software
Over-Approximating Boolean Programs with Unbounded Thread Creation
Generic programming in Java
Threads and Memory Models Hal Perkins Autumn 2009
Programming Languages 2nd edition Tucker and Noonan
Presentation transcript:

C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College

C. FlanaganSAS’04: Type Inference Against Races2 Software Validation & Verification Standard approach: Testing –test coverage problem Multithreaded software –increasing widespread (Java, C#, GUIs, servers) –testing inadequate due to test coverage scheduling coverage An important application for static analysis!

C. FlanaganSAS’04: Type Inference Against Races3 Errors in Multithreaded Software class Ref { int i; void add(Ref r) { i = i + r.i; }

C. FlanaganSAS’04: Type Inference Against Races4 Errors in Multithreaded Software class Ref { int i; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); x.add(y); assert x.i == 6;

C. FlanaganSAS’04: Type Inference Against Races5 Errors in Multithreaded Software class Ref { int i; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { x.add(y); // two calls happen x.add(y); // in parallel } assert x.i == 6; A race condition occurs if two threads access a shared variable at the same time at least one of those accesses is a write

C. FlanaganSAS’04: Type Inference Against Races6 Lock-Based Synchronization class Ref { int i; // guarded by this void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; Field guarded by a lock Lock acquired before accessing field Ensures race freedom

C. FlanaganSAS’04: Type Inference Against Races7 Verifying Race Freedom Race freedom a key correctness property Rccjava [Flanagan-Freund, PLDI’99] –race condition checker for Java –verifies race freedom using a static analysis –analysis expressed as a type system –type annotations to specify locking discipline guarded_by, requires,...

C. FlanaganSAS’04: Type Inference Against Races8 Verifying Race Freedom with Types class Ref { int i; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6;

C. FlanaganSAS’04: Type Inference Against Races9 Verifying Race Freedom with Types class Ref { int i guarded_by this; void add(Ref r) requires this, r { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; check: this  { this, r }

C. FlanaganSAS’04: Type Inference Against Races10 Verifying Race Freedom with Types class Ref { int i guarded_by this; void add(Ref r) requires this, r { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; check: this  { this, r } check: this[this:=r] = r  { this, r } replace this by r

C. FlanaganSAS’04: Type Inference Against Races11 Verifying Race Freedom with Types class Ref { int i guarded_by this; void add(Ref r) requires this, r { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; check: this  { this, r } check: this[this:=r] = r  { this, r } check: {this,r}[this:=x,r:=y]  { x, y } replace formals this,r by actuals x,y

C. FlanaganSAS’04: Type Inference Against Races12 Verifying Race Freedom with Types class Ref { int i guarded_by this; void add(Ref r) requires this, r { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; check: {this,r}[this:=x,r:=y]  { x, y } check: this  { this, r } check: this[this:=r] = r  { this, r } check: {this,r}[this:=x,r:=y]  { x, y } Soundness Theorem: Well-typed programs are race-free replace formals this,r by actuals x,y

C. FlanaganSAS’04: Type Inference Against Races13 Basic Type Inference class Ref { int i; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6;

C. FlanaganSAS’04: Type Inference Against Races14 Basic Type Inference static final Object m =new Object(); class Ref { int i; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; Iterative GFP algorithm: [Flanagan-Freund, PASTE’01] Start with maximum set of annotations

C. FlanaganSAS’04: Type Inference Against Races15 Basic Type Inference static final Object m =new Object(); class Ref { int i guarded_by this, m; void add(Ref r) { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; Iterative GFP algorithm: [Flanagan-Freund, PASTE’01] Start with maximum set of annotations

C. FlanaganSAS’04: Type Inference Against Races16 Basic Type Inference static final Object m =new Object(); class Ref { int i guarded_by this, m; void add(Ref r) requires this, r, m { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; Iterative GFP algorithm: [Flanagan-Freund, PASTE’01] Start with maximum set of annotations

C. FlanaganSAS’04: Type Inference Against Races17 Basic Type Inference static final Object m =new Object(); class Ref { int i guarded_by this, m; void add(Ref r) requires this, r, m { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; X X Iterative GFP algorithm: [Flanagan-Freund, PASTE’01] Start with maximum set of annotations Iteratively remove all incorrect annotations

C. FlanaganSAS’04: Type Inference Against Races18 Basic Type Inference static final Object m =new Object(); class Ref { int i guarded_by this, m; void add(Ref r) requires this, r, m { i = i + r.i; } Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (x,y) { x.add(y); } } assert x.i == 6; X X Iterative GFP algorithm: [Flanagan-Freund, PASTE’01] Start with maximum set of annotations Iteratively remove all incorrect annotations Check each field still has a protecting lock Sound, complete, fast But type system too basic

C. FlanaganSAS’04: Type Inference Against Races19 Harder Example: External Locking class Ref { int i; void add(Ref r) { i = i + r.i; } Object m = new Object(); Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6; Field i of x and y protected by external lock m Not typable with basic type system –m not in scope at i Requires more expressive type system with ghost parameters

C. FlanaganSAS’04: Type Inference Against Races20 Ghost Parameters on Classes class Ref { int i; void add(Ref r) { i = i + r.i; } Object m = new Object(); Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6;

C. FlanaganSAS’04: Type Inference Against Races21 Ghost Parameters on Classes class Ref { int i; void add(Ref r) { i = i + r.i; } Object m = new Object(); Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6; Ref parameterized by external ghost lock g

C. FlanaganSAS’04: Type Inference Against Races22 Ghost Parameters on Classes class Ref { int i guarded_by g; void add(Ref r) { i = i + r.i; } Object m = new Object(); Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6; Ref parameterized by external ghost lock g Field i guarded by g

C. FlanaganSAS’04: Type Inference Against Races23 Ghost Parameters on Classes class Ref { int i guarded_by g; void add(Ref r) requires g { i = i + r.i; } Object m = new Object(); Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6; Ref parameterized by external ghost lock g Field i guarded by g g held when add called

C. FlanaganSAS’04: Type Inference Against Races24 Ghost Parameters on Classes class Ref { int i guarded_by g; void add(Ref r) requires g { i = i + r.i; } Object m = new Object(); Ref x = new Ref(0); Ref y = new Ref(3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6; Ref parameterized by external ghost lock g Field i guarded by g g held when add called Argument r also parameterized by g

C. FlanaganSAS’04: Type Inference Against Races25 Ghost Parameters on Classes class Ref { int i guarded_by g; void add(Ref r) requires g { i = i + r.i; } Object m = new Object(); Ref x = new Ref (0); Ref y = new Ref (3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6; Ref parameterized by external ghost lock g Field i guarded by g g held when add called Argument r also parameterized by g x and y parameterized by lock m

C. FlanaganSAS’04: Type Inference Against Races26 Type Checking Ghost Parameters class Ref { int i guarded_by g; void add(Ref r) requires g { i = i + r.i; } Object m = new Object(); Ref x = new Ref (0); Ref y = new Ref (3); parallel { synchronized (m) { x.add(y); } } assert x.i == 6; check: {g} [this:=x,r:=y, g:=m ]  {m}

C. FlanaganSAS’04: Type Inference Against Races27 Type Inference with Ghosts HARD –iterative GFP algorithm does not work –check may fail because of two annotations which should we remove? –requires backtracking search NP-complete! Our approach –reduce type inference to SAT –use fast, modern SAT solver (Chaff)

C. FlanaganSAS’04: Type Inference Against Races28 Reducing Type Inference to SAT class Ref { int i; void add(Ref r) { i = i + r.i; }

C. FlanaganSAS’04: Type Inference Against Races29 Reducing Type Inference to SAT class Ref { int i; void add(Ref r) { i = i + r.i; }

C. FlanaganSAS’04: Type Inference Against Races30 Reducing Type Inference to SAT class Ref { int i; void add(Ref r) { i = i + r.i; } Add ghost parameters to each class declaration

C. FlanaganSAS’04: Type Inference Against Races31 Reducing Type Inference to SAT class Ref { int i guarded_by  1 ; void add(Ref r) { i = i + r.i; } Add ghost parameters to each class declaration Add guarded_by  i to each field declaration –type inference resolves  i to some lock

C. FlanaganSAS’04: Type Inference Against Races32 Reducing Type Inference to SAT class Ref { int i guarded_by  1 ; void add(Ref r) { i = i + r.i; } Add ghost parameters to each class declaration Add guarded_by  i to each field declaration –type inference resolves  i to some lock Add to each class reference

C. FlanaganSAS’04: Type Inference Against Races33 Reducing Type Inference to SAT class Ref { int i guarded_by  1 ; void add(Ref r) requires  { i = i + r.i; } Add ghost parameters to each class declaration Add guarded_by  i to each field declaration –type inference resolves  i to some lock Add to each class reference Add requires  i to each method –type inference resolves  i to some set of locks

C. FlanaganSAS’04: Type Inference Against Races34 Reducing Type Inference to SAT class Ref { int i guarded_by  1 ; void add(Ref r) requires  { i = i + r.i; } Constraints:  1  { this, g }  2  { this, g }   { this, g, r }  1    1 [this := r, g:=  2 ]  

C. FlanaganSAS’04: Type Inference Against Races35 Constraints:  1  { this, g }  2  { this, g }   { this, g, r }  1    1 [this := r, g:=  2 ]   Reducing Type Inference to SAT Encoding:  1 = (b1 ? this : g )  2 = (b2 ? this : g )  = { b3 ? this, b4 ? g, b5 ? r } class Ref { int i guarded_by  1 ; void add(Ref r) requires  { i = i + r.i; } Use boolean variables b1,...,b5 to encode choices for  1,  2, 

C. FlanaganSAS’04: Type Inference Against Races36 Constraints:  1  { this, g }  2  { this, g }   { this, g, r }  1    1 [this := r, g:=  2 ]   Reducing Type Inference to SAT class Ref { int i guarded_by  1 ; void add(Ref r) requires  { i = i + r.i; }  1 [this := r, g:=  2 ]   Use boolean variables b1,...,b5 to encode choices for  1,  2,  Encoding:  1 = (b1 ? this : g )  2 = (b2 ? this : g )  = { b3 ? this, b4 ? g, b5 ? r }

C. FlanaganSAS’04: Type Inference Against Races37 Constraints:  1  { this, g }  2  { this, g }   { this, g, r }  1    1 [this := r, g:=  2 ]   Reducing Type Inference to SAT class Ref { int i guarded_by  1 ; void add(Ref r) requires  { i = i + r.i; }  1 [this := r, g:=  2 ]   (b1 ? this : g ) [this := r, g:=  2 ]   Use boolean variables b1,...,b5 to encode choices for  1,  2,  Encoding:  1 = (b1 ? this : g )  2 = (b2 ? this : g )  = { b3 ? this, b4 ? g, b5 ? r }

C. FlanaganSAS’04: Type Inference Against Races38 Constraints:  1  { this, g }  2  { this, g }   { this, g, r }  1    1 [this := r, g:=  2 ]   Reducing Type Inference to SAT class Ref { int i guarded_by  1 ; void add(Ref r) requires  { i = i + r.i; }  1 [this := r, g:=  2 ]   (b1 ? this : g ) [this := r, g:=  2 ]   (b1 ? r :  2 )   Use boolean variables b1,...,b5 to encode choices for  1,  2,  Encoding:  1 = (b1 ? this : g )  2 = (b2 ? this : g )  = { b3 ? this, b4 ? g, b5 ? r }

C. FlanaganSAS’04: Type Inference Against Races39 Constraints:  1  { this, g }  2  { this, g }   { this, g, r }  1    1 [this := r, g:=  2 ]   Reducing Type Inference to SAT class Ref { int i guarded_by  1 ; void add(Ref r) requires  { i = i + r.i; }  1 [this := r, g:=  2 ]   (b1 ? this : g ) [this := r, g:=  2 ]   (b1 ? r :  2 )   (b1 ? r : (b2 ? this : g ))  { b3 ? this, b4 ? g, b5 ? r } Use boolean variables b1,...,b5 to encode choices for  1,  2,  Encoding:  1 = (b1 ? this : g )  2 = (b2 ? this : g )  = { b3 ? this, b4 ? g, b5 ? r }

C. FlanaganSAS’04: Type Inference Against Races40 Constraints:  1  { this, g }  2  { this, g }   { this, g, r }  1    1 [this := r, g:=  2 ]   Reducing Type Inference to SAT class Ref { int i guarded_by  1 ; void add(Ref r) requires  { i = i + r.i; }  1 [this := r, g:=  2 ]   (b1 ? this : g ) [this := r, g:=  2 ]   (b1 ? r :  2 )   (b1 ? r : (b2 ? this : g ))  { b3 ? this, b4 ? g, b5 ? r } Use boolean variables b1,...,b5 to encode choices for  1,  2,  Encoding:  1 = (b1 ? this : g )  2 = (b2 ? this : g )  = { b3 ? this, b4 ? g, b5 ? r } Clauses: (b1  b5) (  b1  b2  b3) (  b1   b2  b4)

C. FlanaganSAS’04: Type Inference Against Races41 Overview of Type Inference SAT soln: b1=false... Constraint Solution:  1 = g... SAT problem: (b1  b5)... Constraints:  1  { this, g }... Add Unknowns: class Ref { int i guarded_by  1 ;... Annotated Program: class Ref { int i guarded_by g;... Unannotated Program: class Ref { int i;... b1,... encodes choice for  1,... Chaff SAT solver Error: potential race on field i unsatisfiable satisfiable

C. FlanaganSAS’04: Type Inference Against Races42 Improving Precision Synchronization not necessary if –only a single thread exists –object never escapes its creating thread –object has not yet escaped its creating thread –read-shared field read-only after it escapes its creating thread –code is unreachable Fields guarded_by expressions, not just vars –must be a constant expression –bound on size

C. FlanaganSAS’04: Type Inference Against Races43 Implementation Full Java programming language –inheritance, subtyping, interfaces –inner classes, static fields and methods Separate SAT problem for each field decl –to identify fields with potential race conditions Generate MAX-SAT optimization problem –minimize number+complexity of error messages Supports extra manual annotations /*# no_warn */, /*# single_threaded */ more ghost parameters, extra lock expressions,...

C. FlanaganSAS’04: Type Inference Against Races44 Experimental Results

C. FlanaganSAS’04: Type Inference Against Races45 Summary Type inference for rccjava is NP-complete –due to ghost parameters –requires backtracking search Reduce type inference to SAT –adequately fast up to 30,000 LOC –precise: % of fields verified race free

C. FlanaganSAS’04: Type Inference Against Races46 Future Work Atomicity –a key semantic correctness property for multithreaded code –a method is atomic if concurrent threads do not interfere with its behavior –sequential reasoning is OK for atomic methods Developing type-based analysis for atomicity –leverages information about race conditions –early result: 85% of methods in jbb are atomic!

C. FlanaganSAS’04: Type Inference Against Races47 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.