Presentation is loading. Please wait.

Presentation is loading. Please wait.

University of Washington, USA Università di Verona, Italy NFM 2016

Published byBarry Matthews Modified over 5 years ago

Similar presentations

Presentation on theme: "University of Washington, USA Università di Verona, Italy NFM 2016"— Presentation transcript:

1 University of Washington, USA Università di Verona, Italy NFM 2016
Semantics for locking specifications Michael D. Ernst, Damiano Macedonio, Massimo Merro, Fausto Spoto University of Washington, USA Università di Verona, Italy NFM 2016

2 Concurrency: essential but error-prone
Essential for performance (exploit multiple cores) Design component of GUIs Data races: concurrent access to shared data easy mistake to make leads to corrupted data structures difficult to reproduce and diagnose

3 Thread-unsafe code class BankAccount { int balance; void withdraw(int amount) { int oldBal = this.balance; int newBal = oldBal - amount; this.balance = newBal; } ...

4 Data race example Shared account Initial balance = 500 Thread 1:
sharedAccount.withdraw(50) int oldBal = this.balance; int newBal = oldBal - amount; this.balance = newBal; Thread 2: sharedAccount.withdraw(100) int oldBal = this.balance; int newBal = oldBal - amount; this.balance = newBal; 500 500 I'm thirsty and want to buy a round at the Cantina. So I withdraw 50 Galactic Standard Credits. Galactic Standard Credits. My spouse wants to purchase a used R2 unit (or: a moisture harvesting droid) from some upstanding Jawa entrepreneurs. So she withdraws 100 Galactic Standard Credits.] There is a data race on the balance field of the shared account. [The Imperial Bank is motivated to prevent this situation, and their solution is locking.]There is a data race on the balance field of the shared account. 500 50 500 100 450 400 Withdrawals = 150 Final balance = 450

5 Solution: locking Locking: Only one thread can aquire the lock
class BankAccount { int balance; void withdraw(int amount) { int oldBal = this.balance; int newBal = oldBal - amount; this.balance = newBal; } ... Locking: Only one thread can aquire the lock No concurrent access to data Which lock to hold? Object acctLock; @GuardedBy(“acctLock”) int balance; int balance; synchronized (acctLock) { Key issues: Names vs. values Aliasing }

6 Locking discipline = which locks to hold when accessing what data
@GuardedBy("lock1") int w; @GuardedBy("lock2") int x; @GuardedBy("lock2") int y; int z; Write locking discipline as documentation and for use by tools @GuardedBy [Goetz 2006] is a de-facto standard On GitHub, 35,000 uses in 7,000 files Its semantics is informal, ambiguous, and incorrect (allows data races) Similar problems with other definitions annotation is a de-facto standard for expressing a locking discipline; GitHub contains 35K uses in 7K files.] [every interpretation is incorrect and permits data races]

7 Contributions Formal semantics for locking disciplines
unambiguous prevents data races two variants: value-based, name-based Two implementations: type-checker that validates use of locking inference tool that infers locking discipline Experiments: are often inconsistent with informal semantics permit data races even when consistent Type-checker alidates programmer-written locking discipline, expressed annotations.

8 Concurrency background
Each object is associated with a monitor or intrinsic lock. specification of locking discipline Date d = new List lst = ...; synchronized (d) { lst.add(...) lst.remove(...) otherList = lst; } synchronized statement or method locks the monitor. guard expression; arbitrary, e.g. a.b().f guard expression; arbitrary, e.g. a.b().f Exiting the statement or method unlocks the monitor. Our implementations handle explicit locks too.

9 Defining a locking discipline
Guard expression: Aliases? Reassignment? Side effects? Scoping? Guard expression: Aliases? Reassignment? Scoping? Defining a locking discipline Value protection answers Yes No Def site Informally: “If program element x is annotated a thread may only use x while holding the lock L.” MyObject lock; @GuardedBy("lock.field") Pair shared; @GuardedBy("lock.field") Pair alias; synchronized (lock.field) { shared.a = 22; alias = shared; } Element being guarded: Name or value? Aliases? Reassignments? Side effects? Element being guarded: Name or value? Aliases? Reassignments? Side effects? Value Yes Current allows data races, ours does not What is a use? Any occurrence of name? Dereferences of name? Dereferences of value? What is a use? Occurrence of name? Dereference of name? (x.f) Dereference of value? ← current ← better

10 Name protection Value protection … not value protection
MyObject lock; @GuardedBy("lock") Pair shared; Pair alias; Name protection Value protection … not value protection … not name protection synchronized (lock) { alias = shared; } alias.a = ... shared = alias; synchronized (lock) { shared.a = ... } Suffers a data race No data race

11 Locking discipline semantics providing value protection
type qualifier @GuardedBy("lock") Pair shared; type variable Suppose expression x has type: @GuardedBy(L) C When the program dereferences a value that has ever been bound to x, the program holds the lock on the value of expression L. The referent of L must not change while the thread holds the lock. A use is a dereference Type system constraint; may lock an alias No restriction on copying, argument-passing (including as the receiver), or returning values. [[ * Note: The protection is shallow. It applies to the value that x evaluates to, not to all values reachable from it. ]] cv No reassignment of guard expression. Side effects permitted (do not affect the monitor).

12 Locking discipline semantics providing name protection
@GuardedBy("lock") Pair shared; variable annotation type variable Suppose variable v is declared When the program accesses v, which must not be aliased, the program holds the lock on the value of expression L. L may only be “itself” or “this”. A use is a variable read or write No aliasing permitted These are strong restrictions Guarantees L always evaluates to the same value

13 Key contributions Two formal semantics (name-based and value-based)
Core calculus based on RaceFreeJava [Abadi TOPLAS 2006] Structural Operational Semantics Definitions of accessed variables and dereferenced locations Proofs of correctness By contradiction: assume data race show locking discipline must have been violated

14 Static analysis of a locking discipline
Goal is to determine facts about values Program is written in terms of facts about variables Analysis computes an approximation (an abstraction) of values each expression may evaluate to of locks currently held by the program Both abstractions are sound

15 Enforcement of value semantics via type-checking
[Ernst ICSE 2016] Type rule: If x , then L must be held when x is dereferenced Type system also supports method pre/postconditions annotations) side effect annotations type qualifier polymorphism reflection flow-sensitive type inference No annotations are related by subtyping Why L2)? Side effects and aliasing

16 Inference of both semantics via abstract interpretation
[Spoto TOPLAS 2003] Expression e if e’s fields are accessed only when L is held [Nikolic ICTAC 2012] Acquired on entry to sync(…) { … }. Released on exit or side effect.

17 Inference implementation
Where is the guarded element used? Name protection: syntactic uses of variable Value protection: estimate via creation points analysis What expressions are locked at those points? Definite aliasing analysis Side effect analysis Viewpoint adaptation (contextualization) Whole-program analysis Makes closed-world assumption Type-checking is modular, incremental

18 Experimental evaluation of value semantics
[Ernst ICSE 2016] 15 programs, 1.3 MLOC BitcoinJ, Daikon, Derby, Eclipse, Guava, Jetty, Velicity, Zookeeper, Tomcat, … 5 contain annotations 661 correct annotations Candidates: annotations written by the programmer or inferred by our tool Correct: program never suffers a data race on the element Determined by manual analysis Results: Inference: precision 100%, recall 83% Type-checking: precision 100%, recall 99% Programmers: precision 50%, recall 42% Due to complex reasoning Numbers are with respect to inference results Due to limitations of Java syntax

19 Programmer mistakes Errors in every program that programmers annotated with respect to both value and name semantics Creating external aliases Lock writes but not reads Syntax errors Omitted annotations

20 Implementations Type checker: Inference:
Lock Checker, distributed with the Checker Framework Live demo: Inference: Julia abstract interpretation

21 Related work Name-based semantics: JML, JCIP, rccjava [Abadi TOPLAS 2006], … Heuristic checking tools: Warlock, ESC/Modula-3, ESC/Java Unsound inference: [Naik PLDI 2006] uses may-alias, [Rose CSJP 2004] is dynamic Sound inference for part of Java [Flanagan SAS 2004] Type-and-effect type systems: heavier-weight, detects deadlocks too Ownership types

22 Contributions Formal semantics for locking disciplines
unambiguous prevents data races two variants: value-based, name-based Two implementations: type-checker that validates use of locking discipline inference tool that infers locking discipline Experiments: are often inconsistent with informal semantics permit data races even when consistent with informal semantics Type-checker alidates programmer-written locking discipline, expressed annotations.

Download ppt "University of Washington, USA Università di Verona, Italy NFM 2016"

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.

An Abstract Interpretation Framework for Refactoring P. Cousot, NYU, ENS, CNRS, INRIA R. Cousot, ENS, CNRS, INRIA F. Logozzo, M. Barnett, Microsoft Research.
Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.

Compilation 2011 Static Analysis Johnni Winther Michael I. Schwartzbach Aarhus University.
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
Concurrency 101 Shared state. Part 1: General Concepts 2.

Concurrency 101 Shared state. Part 1: General Concepts 2.
Eraser: A Dynamic Data Race Detector for Multithreaded Programs STEFAN SAVAGE, MICHAEL BURROWS, GREG NELSON, PATRICK SOBALVARRO and THOMAS ANDERSON.

Eraser: A Dynamic Data Race Detector for Multithreaded Programs STEFAN SAVAGE, MICHAEL BURROWS, GREG NELSON, PATRICK SOBALVARRO and THOMAS ANDERSON.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
Taming Win32 Threads with Static Analysis Jason Yang Program Analysis Group Center for Software Excellence (CSE) Microsoft Corporation.

Taming Win32 Threads with Static Analysis Jason Yang Program Analysis Group Center for Software Excellence (CSE) Microsoft Corporation.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.

CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.

Checking and Inferring Local Non-Aliasing Alex AikenJeffrey S. Foster UC BerkeleyUMD College Park John KodumalTachio Terauchi UC Berkeley.
CS444/CS544 Operating Systems Synchronization 2/16/2006 Prof. Searleman

CS444/CS544 Operating Systems Synchronization 2/16/2006 Prof. Searleman
C. FlanaganAtomicity for Reliable Concurrent Software - PLDI'05 Tutorial1 Atomicity for Reliable Concurrent Software Part 3a: Types for Race-Freedom and.

C. FlanaganAtomicity for Reliable Concurrent Software - PLDI'05 Tutorial1 Atomicity for Reliable Concurrent Software Part 3a: Types for Race-Freedom and.
C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.

C. FlanaganSAS’04: Type Inference Against Races1 Type Inference Against Races Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College.
Confined Types Encapsulation and modularity Seminar November, 2005 presented by: Guy Gueta.

Confined Types Encapsulation and modularity Seminar November, 2005 presented by: Guy Gueta.
Mayur Naik Alex Aiken John Whaley Stanford University Effective Static Race Detection for Java.

Mayur Naik Alex Aiken John Whaley Stanford University Effective Static Race Detection for Java.
Slides prepared by Rose Williams, Binghamton University Chapter 13 Interfaces and Inner Classes.

Slides prepared by Rose Williams, Binghamton University Chapter 13 Interfaces and Inner Classes.
CS444/CS544 Operating Systems Synchronization 2/21/2007 Prof. Searleman

CS444/CS544 Operating Systems Synchronization 2/21/2007 Prof. Searleman
Type Systems For Distributed Data Sharing Ben Liblit Alex AikenKathy Yelick.

Type Systems For Distributed Data Sharing Ben Liblit Alex AikenKathy Yelick.
1 Program Analysis Mooly Sagiv Tel Aviv University 640-6706 Textbook: Principles of Program Analysis.

1 Program Analysis Mooly Sagiv Tel Aviv University Textbook: Principles of Program Analysis.

Similar presentations

Ads by Google