0wn3rship Types John Whaley CS343 Stanford University May 19, 2004.

Slides:



Advertisements
Similar presentations
Chapter 22 Implementing lists: linked implementations.
Advertisements

Guy Golan-GuetaTel-Aviv University Nathan Bronson Stanford University Alex Aiken Stanford University G. Ramalingam Microsoft Research Mooly Sagiv Tel-Aviv.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Mooly Sagiv and Greta Yorsh School of Computer Science Tel-Aviv University Modern Compiler Design.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
Portability and Safety Mahdi Milani Fard Dec, 2006 Java.
. Smart Pointers. Memory Management u One of the major issues in writing C/C++ code is managing dynamically allocated memory u Biggest question is how.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
CS 211 Inheritance AAA.
A Parameterized Type System for Race-Free Java Programs Paper by Boyapti & Rinard, 2001 Christopher Dentel ETH, Concepts of Concurrent Computation, 2012.
CS 326 Programming Languages, Concepts and Implementation Instructor: Mircea Nicolescu Lecture 18.
CPSC 388 – Compiler Design and Construction
Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
Threading Part 2 CS221 – 4/22/09. Where We Left Off Simple Threads Program: – Start a worker thread from the Main thread – Worker thread prints messages.
George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
Vertically Integrated Analysis and Transformation for Embedded Software John Regehr University of Utah.
Specialized Reference Counting Garbage Collection using Data Structure Annotations By Eric Watkins and Dzin Avots for CS 343 Spring 2002.
Ownership Types for Safe Programming: Preventing Data Races and Deadlocks Chandrasekhar Boyapati Robert Lee Martin Rinard Laboratory for Computer Science.
Chandrasekhar Boyapati Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Programming.
Programming Language Semantics Java Threads and Locks Informal Introduction The Java Specification Language Chapter 17.
A Type System for Preventing Data Races and Deadlocks in the Java Virtual Machine Language Pratibha Permandla Michael Roberson Chandrasekhar Boyapati University.
Laboratory for Computer Science Massachusetts Institute of Technology Ownership Types for Safe Region-Based Memory Management in Real-Time Java Chandrasekhar.
A Parameterized Type System for Race-Free Java Programs Chandrasekhar Boyapati Martin Rinard Laboratory for Computer Science Massachusetts Institute of.
1 Sharing Objects – Ch. 3 Visibility What is the source of the issue? Volatile Dekker’s algorithm Publication and Escape Thread Confinement Immutability.
Data Abstraction and Object- Oriented Programming CS351 – Programming Paradigms.
1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.
Ownership Types for Object Encapsulation Authors:Chandrasekhar Boyapati Barbara Liskov Liuba Shrira Presented by: Charles Lin Course: CMSC 631.
Cormac Flanagan UC Santa Cruz Velodrome: A Sound and Complete Dynamic Atomicity Checker for Multithreaded Programs Jaeheon Yi UC Santa Cruz Stephen Freund.
Memory Management for Real-Time Java Wes Beebee and Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology Supported by: DARPA.
Peter Juszczyk CS 492/493 - ISGS. // Is this C# or Java? class TestApp { static void Main() { int counter = 0; counter++; } } The answer is C# - In C#
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Programming Languages and Paradigms Object-Oriented Programming.
OOPs Object oriented programming. Based on ADT principles  Representation of type and operations in a single unit  Available for other units to create.
EE4E. C++ Programming Lecture 1 From C to C++. Contents Introduction Introduction Variables Variables Pointers and references Pointers and references.
CSC3315 (Spring 2009)1 CSC 3315 Programming Languages Hamid Harroud School of Science and Engineering, Akhawayn University
Object Oriented Programming: Java Edition By: Samuel Robinson.
Threading and Concurrency Issues ● Creating Threads ● In Java ● Subclassing Thread ● Implementing Runnable ● Synchronization ● Immutable ● Synchronized.
Eraser: A Dynamic Data Race Detector for Multithreaded Programs STEFAN SAVAGE, MICHAEL BURROWS, GREG NELSON, PATRICK SOBALVARRO, and THOMAS ANDERSON Ethan.
/ PSWLAB Type-Based Race Detection for J AVA by Cormac Flanagan, Stephen N. Freund 22 nd Feb 2008 presented by Hong,Shin Type-Based.
Use of Coverity & Valgrind in Geant4 Gabriele Cosmo.
Java Objects and Classes. Overview n Creating objects that belong to the classes in the standard Java library n Creating your own classes.
C++ Memory Overview 4 major memory segments Key differences from Java
Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.
A Universe-Type-Based Verification Technique for Mutable Static Fields and Methods Alexander J Summers Sophia Drossopoulou Imperial College London Peter.
Inter-Type Declarations in AspectJ Awais Rashid Steffen Zschaler © Awais Rashid, Steffen Zschaler 2009.
November 2005Scott Stoller, Stony Brook University1 Detecting Potential Deadlocks with Static Analysis and Run-Time Monitoring Rahul Agarwal, Liqiang Wang,
OOP in C++ CS 124. Program Structure C++ Program: collection of files Source (.cpp) files be compiled separately to be linked into an executable Files.
1 Lecture07: Memory Model 5/2/2012 Slides modified from Yin Lou, Cornell CS2022: Introduction to C.
How to Compile Aspects with Real-Time Java Pengcheng Wu Northeastern University Mar. 14, 2005 FOAL Workshop with AOSD’05.
Pointer and Escape Analysis for Multithreaded Programs Alexandru Salcianu Martin Rinard Laboratory for Computer Science Massachusetts Institute of Technology.
Engineering Classes. Objectives At the conclusion of this lesson, students should be able to: Explain why it is important to correctly manage dynamically.
Reference Types CSE301 University of Sunderland Harry R Erwin, PhD.
Using Escape Analysis in Dynamic Data Race Detection Emma Harrington `15 Williams College
Fiber Based Job Systems Seth England. Preemptive Scheduling Competition for resources Use of synchronization primitives to prevent race conditions in.
Classes CS 162 (Summer 2009). Parts of a Class Instance Fields Methods.
Sung-Dong Kim, Dept. of Computer Engineering, Hansung University Java - Introduction.
Java Thread Programming
Design issues for Object-Oriented Languages
Memory Management.
Types for Programs and Proofs
Java Programming Language
Threads Cannot Be Implemented As a Library
Seminar in automatic tools for analyzing programs with dynamic memory
Threads and Memory Models Hal Perkins Autumn 2011
Threads and Memory Models Hal Perkins Autumn 2009
CISC/CMPE320 - Prof. McLeod
Java Concurrency 29-May-19.
CSE 332: Concurrency and Locks
Presentation transcript:

0wn3rship Types John Whaley CS343 Stanford University May 19, 2004

June 10, 2004Ownership Types1 j00 got 0wn3d!!!1!

June 10, 2004Ownership Types2 What are ownership types? Statically-enforced object encapsulation An object can own the objects in its fields * If the pointers to those objects are unique Moreorless, owned objects are the ones that could be inlined into their containing objects.

June 10, 2004Ownership Types3 Must go through parent Momma object Baby objects “ The Gatekeeper ”

June 10, 2004Ownership Types4 Ownership types to prevent data races Intuition: a lock that protects an object can protect its encapsulated objects. We don’t care about locking for: –Immutable objects –Thread-local objects (owned by “thisThread”) If pointer is unique, the owner can safely be changed.

June 10, 2004Ownership Types5 Where to lock? Combined Account Checking Savings Can lock on parent object Can lock on each child object individually What are the tradeoffs?

June 10, 2004Ownership Types6 Thread 1 Thread 2 Thread n … Lock 1 Lock n Lock 2 Lock 3 Associate a partial order for locks Acquire locks in that order Preventing deadlocks~ ~

June 10, 2004Ownership Types7 Specifying partial order Programmers specify lock ordering using: –Static lock levels –Recursive data structures Mutable trees Monotonic DAGs –Runtime ordering Type checker statically verifies: –Locks are acquired in descending order –Specified order is a partial order

June 10, 2004Ownership Types8 Lock Level Based Partial Orders Lock levels are partially ordered Locks belong to lock levels Threads must acquire locks in descending order of lock levels

June 10, 2004Ownership Types9 savingsAccount belongs to savingsLevel checkingAccount belongs to checkingLevel class CombinedAccount { LockLevel savingsLevel; LockLevel checkingLevel < savingsLevel; final Account  self : savingsLevel  savingsAccount = new Account(); final Account  self : checkingLevel  checkingAccount = new Account(); int balance() locks (savingsLevel) { synchronized (savingsAccount) { synchronized (checkingAccount) { return savingsAccount.balance + checkingAccount.balance; }}} } Example locks are acquired in descending order checkingLevel < savingsLevel locks held by callers > savingsLevel balance can acquire these locks

June 10, 2004Ownership Types10 Tree Based Partial Orders Locks in a level can be tree-ordered Using data structures with tree backbones –Doubly linked lists –Trees with parent/sibling pointers –Threaded trees…

June 10, 2004Ownership Types11 class Node  self : l  { tree Node  self : l  left; tree Node  self : l  right; synchronized void rotateRight() locks (this) { Node x = this.right; synchronized (x) { Node v = x.left; synchronized (v) { Node w = v.right; v.right = null; x.left = w; this.right = v; v.right = x; }}} } x this v w y this v x y u w u Tree Based Partial Orders nodes must be locked in tree order nodes are locked in tree order

June 10, 2004Ownership Types12 DAG Based Partial Orders Locks in a level can be DAG-ordered DAGs cannot be arbitrarily modified DAGs can be built bottom-up by –Allocating a new node –Initializing its DAG fields Uses a lightweight shape analysis class Node  self : l  { dag Node  self : l  left; dag Node  self : l  left; dag Node  self : l  right; dag Node  self : l  right; …}

June 10, 2004Ownership Types13 class Account implements Dynamic { int balance = 0; void deposit(int x) requires (this) { balance += x; } void withdraw(int x) requires (this) { balance -= x; } } void transfer(Account  self : v  a1, Account  self : v  a2, int x) locks(v) { synchronized (a1, a2) in { a1.withdraw(x); a2.deposit(x); } } Runtime Ordering of Locks Account objects are dynamically ordered locks are acquired in runtime order

June 10, 2004Ownership Types14 Questions How does this compare to other race detection techniques? –Flanagan & Freund, Type-based Race Detection –Who can guard objects/fields? How does this relate to atomicity?

June 10, 2004Ownership Types15 Another use of ownership Use ownership for region-based analysis –Put encapsulated objects in a single region –When parent object becomes unreachable, all children also become unreachable Extend the idea of ownership –Owner can be object or region –Regions are well-nested, so we maintain tree property

June 10, 2004Ownership Types16 Programs can create a region Allocate objects in a region Delete a region & free all objects in it Region-Based Memory Management

June 10, 2004Ownership Types17 Type System for Regions class Stack  stackOwner, dataOwner  { Node  this, dataOwner  head; Node  this, dataOwner  head;} class Node  nodeOwner, dataOwner  { Node  nodeOwner, dataOwner  next; Node  nodeOwner, dataOwner  next; Data  dataOwner  data; Data  dataOwner  data;} (RegionHandle  r1  h1) { (RegionHandle  r2  h2) { (RegionHandle  r2  h2) { Stack  r1, r1  s1; Stack  r1, r1  s1; Stack  r2, r1  s2; Stack  r2, r1  s2; Stack  r1, r2  s3; // illegal Stack  r1, r2  s3; // illegal}} Scoping alone does not ensure safety in presence of subtyping First owner must be same as or nested in other owners

June 10, 2004Ownership Types18 Special regions: –Garbage collected heap –Immortal region Runtime provides: –Region handle of most nested region –Region handle of an object Type checker statically infers: –If a region handle is in scope Other Details

June 10, 2004Ownership Types19 Real-Time Java Region types especially useful for Real-Time Java –RT threads cannot use garbage collected heap –RT threads can use immortal memory –RT threads can use regions –RT threads cannot read heap references –RT threads cannot overwrite heap references

June 10, 2004Ownership Types20 Real-Time Java Uses dynamic checks to check: –No pointers from outer to inner regions –Nesting of regions forms a hierarchy –RT threads do not read heap refs –RT threads do not overwrite heap refs This is pretty nasty! Can use the type system to statically find bugs, and also prove most checks are unnecessary.

June 10, 2004Ownership Types21 Regions for multithreading Use sub-regions within shared regions, to avoid memory leaks. –Subregions can be deallocated e.g. after each loop iteration “Typed portal fields” for controlled inter- thread communication –Wormhole between threads Also finds priority inversion bugs.

June 10, 2004Ownership Types22 Programming Overhead # Lines annotated # Lines of code Program Database Server Game Server HTTP Server Image Recognition java.util.Hashtable java.util.Vector Barnes Water

June 10, 2004Ownership Types23 RTJ Dynamic Checking Overhead Execution Time (sec) Static Checks Speed Up Dynamic Checks Program 13% Barnes 24% Water 18% save 10% thinning cross 25% load 21% Image Recognition

June 10, 2004Ownership Types24 Strengths Guarantees that there are no race conditions or deadlocks in the program! –Catches all problems at compile time. –Never have to deal with debugging races! Expressive enough for real code. –Handles many common paradigms. Intelligent annotations. –Does the smart thing most of the time. Basically zero dynamic overhead.

June 10, 2004Ownership Types25 More Strengths Statically guarantees there will not be any real-time violations. –Also eliminates most dynamic checks, real performance improvement. Programmer can encode what should happen, and compiler will automatically flag the violations. Scalable and modular –Supports separate compilation Encapsulation is a good software engineering practice.

June 10, 2004Ownership Types26 Question: Annotation Burden Intraprocedural type inference for local variables Intelligent defaults for ownership Users can specify defaults as well Their experience: –Annotate one out of thirty lines –Is this good? bad? Compare to Flanagan: 20/1000 lines

June 10, 2004Ownership Types27 Weaknesses Very ad-hoc approach –Add random features to handle the problems they happened to run into. –Add features that are easy to implement. No indication of what can or cannot be expressed in their system. Only intraprocedural type inference. –Requires lots of annotations, most of which could probably be inferred automatically. Only handles race conditions, not atomicity.

June 10, 2004Ownership Types28 Ownership restrictions Ownership forces your object graph to be a tree. –How realistic is this? What if you want to control access to multiple resources? –Resources must be put under a single object. –This means for semantic encapsulation you also forced into structural encapsulation.

June 10, 2004Ownership Types29 Conclusion Ownership types give you lots of nice properties. –Can prove encapsulation –Can prove no data races or deadlocks –Can prove correct usage of regions But the ownership model is very restrictive. –Single owner, no sharing –Mixes up different notions of encapsulation

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.