Presentation is loading. Please wait.

Presentation is loading. Please wait.

C. Flanagan1Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Atomicity for Reliable Concurrent Software Joint work with Stephen Freund Shaz.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "C. Flanagan1Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Atomicity for Reliable Concurrent Software Joint work with Stephen Freund Shaz."— Presentation transcript:

1 C. Flanagan1Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Atomicity for Reliable Concurrent Software Joint work with Stephen Freund Shaz Qadeer Microsoft Research Cormac Flanagan UC Santa Cruz

2 C. Flanagan2Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Towards Reliable Multithreaded Software Multithreaded software –increasingly common (Java, C#, GUIs, servers) –decrease latency –exploit underlying hardware multi-core chips Heisenbugs due to thread interference –race conditions –atomicity violations Need tools to verify atomicity –dynamic analysis –type systems

3 C. Flanagan3Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Motivations for Atomicity 1.Beyond Race Conditions

4 C. Flanagan4Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Race Conditions class Ref { int i; void inc() { int t; t = i; i = t+1; }

5 C. Flanagan5Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Race Conditions class Ref { int i; void inc() { int t; t = i; i = t+1; } Ref x = new Ref(0); x.inc(); assert x.i == 2;

6 C. Flanagan6Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Race Conditions class Ref { int i; void inc() { int t; t = i; i = t+1; } Ref x = new Ref(0); parallel { x.inc(); // two calls happen x.inc(); // in parallel } assert x.i == 2; A race condition occurs if two threads access a shared variable at the same time at least one of those accesses is a write

7 C. Flanagan7Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Lock-Based Synchronization class Ref { int i; // guarded by this void inc() { int t; synchronized (x) { t = i; i = t+1; } Ref x = new Ref(0); parallel { x.inc(); // two calls happen x.inc(); // in parallel } assert x.i == 2; Field guarded by a lock Lock acquired before accessing field Ensures race freedom

8 C. Flanagan8Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Limitations of Race-Freedom class Ref { int i; // guarded by this void inc() { int t; synchronized (x) { t = i; i = t+1; } Ref x = new Ref(0); parallel { x.inc(); // two calls happen x.inc(); // in parallel } assert x.i == 2; Ref.inc() race-free behaves correctly in a multithreaded context

9 C. Flanagan9Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Limitations of Race-Freedom class Ref { int i; void inc() { int t; synchronized (this) { t = i; } synchronized (this) { i = t+1; }... } Ref.inc() race-free behaves incorrectly in a multithreaded context Race freedom does not prevent errors due to unexpected interactions between threads

10 C. Flanagan10Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Limitations of Race-Freedom class Ref { int i; void inc() { int t; synchronized (this) { t = i; i = t+1; } void read() { return i; }... } Ref.read() has a race condition behaves correctly in a multithreaded context Race freedom is not necessary to prevent errors due to unexpected interactions between threads

11 C. Flanagan11Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Race-Freedom Race-freedom is neither necessary nor sufficient to ensure the absence of errors due to unexpected interactions between threads Is there a more fundamental semantic correctness property?

12 C. Flanagan12Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Motivations for Atomicity 2. Enables Sequential Reasoning

13 C. Flanagan13Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Sequential Program Execution void inc() {.... } precond. postcond. inc()

14 C. Flanagan14Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Multithreaded Execution void inc() {.... }

15 C. Flanagan15Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Multithreaded Execution void inc() {.... }

16 C. Flanagan16Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Multithreaded Execution Atomicity guarantees concurrent threads do not interfere with atomic method enables sequential reasoning matches existing methodology

17 C. Flanagan17Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Motivations for Atomicity 3. Simple Specification

18 C. Flanagan18Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Model Checking of Software Models // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c  Model Checker filesystem model filesystem model Model Construction

19 C. Flanagan19Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Model Checking of Software // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c  Model Checker

20 C. Flanagan20Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Experience with Calvin Software Checker // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c expressed in terms of concrete state  Calvin theorem proving x

21 C. Flanagan21Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Experience with Calvin Software Checker // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Specification for filesystem.c Specification for filesystem.c concrete state  Calvin theorem proving abstract state Abstraction Invariant ? x

22 C. Flanagan22Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial The Need for Atomicity // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Sequential case: code inspection & testing mostly ok

23 C. Flanagan23Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial The Need for Atomicity // filesystem.c atomic void create(..) {... } atomic void unlink(..) {... } // filesystem.c atomic void create(..) {... } atomic void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } // filesystem.c void create(..) {... } void unlink(..) {... } Sequential case: code inspection & testing ok  Atomicity Checker

24 C. Flanagan24Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Motivations for Atomicity 1.Beyond Race Conditions 2.Enables Sequential Reasoning 3.Simple Specification

25 C. Flanagan25Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Atomicity The method inc() is atomic if concurrent threads do not interfere with its behavior Guarantees that for every execution there is a serial execution with same behavior         acq(this)t=i i=t+1rel(this)xyz         acq(this) t=i i=t+1rel(this)xyz         acq(this) t=i i=t+1rel(this)xyz

26 C. Flanagan26Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Atomicity Canonical property –(cmp. linearizability, serializability,...) Enables sequential reasoning –simplifies validation of multithreaded code Matches practice in existing code –most methods (80%+) are atomic –many interfaces described as “thread-safe” Can verify atomicity statically or dynamically –atomicity violations often indicate errors –leverages Lipton’s theory of reduction

27 C. Flanagan27Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Reduction [Lipton 75] acq(this)  Xt=i Y i=t+1Z rel(this)      acq(this)  X t=i Y i=t+1Z rel(this)         acq(this) X t=i Y i=t+1Z rel(this)        acq(this) X t=i Y i=t+1Z rel(this)      

28 C. Flanagan28Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Checking Atomicity atomic void inc() { int t; synchronized (this) { t = i; i = t + 1; } R: right-mover lock acquire L: left-mover lock release B: both-mover race-free variable access A: atomic conflicting variable access  Reducible blocks have form: (R|B)* [A] (L|B)* acq(this) t=i i=t+1 rel(this) R B B L A

29 C. Flanagan29Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Checking Atomicity (cont.) atomic void inc() { int t; synchronized (this) { t = i; } synchronized (this) { i = t + 1; } R: right-mover lock acquire L: left-mover lock release B: both-mover race-free variable access A: atomic conflicting variable access R B L R B L acq(this) t=i i=t+1 rel(this) acq(this) rel(this) Compound A A

30 C. Flanagan30Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial java.lang.StringBuffer /**... used by the compiler to implement the binary string concatenation operator... String buffers are safe for use by multiple threads. The methods are synchronized so that all the operations on any particular instance behave as if they occur in some serial order that is consistent with the order of the method calls made by each of the individual threads involved. */ /*# atomic */ public class StringBuffer {... } FALSE

31 C. Flanagan31Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial public class StringBuffer { private int count; public synchronized int length() { return count; } public synchronized void getChars(...) {... } atomic public synchronized void append(StringBuffer sb){ int len = sb.length();... sb.getChars(...,len,...);... } java.lang.StringBuffer sb.length() acquires lock on sb, gets length, and releases lock use of stale len may yield StringIndexOutOfBoundsException inside getChars(...) other threads can change sb

32 C. Flanagan32Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial public class StringBuffer { private int count; public synchronized int length() { return count; } public synchronized void getChars(...) {... } atomic public synchronized void append(StringBuffer sb){ int len = sb.length();... sb.getChars(...,len,...);... } java.lang.StringBuffer AAAA Compound

33 C. Flanagan33Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Tutorial Outline Part 1 –Introduction –Runtime analysis for atomicity Part 2 –Model checking for atomicity Part 3 –Type systems for concurrency and atomicity Part 4 –Beyond reduction – atomicity via “purity”

34 C. Flanagan34Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial

35 C. Flanagan35Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Part I continued: Runtime Analysis for Atomicity

36 C. Flanagan36Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Atomizer: Instrumentation Architecture Atomizer Instrumented Source Code javac +JVM Warning: method “append” may not be atomic at line 43 Runtime Lockset Reduction /*# atomic */ void append(...) {... } T1: begin_atomic T2: acquire(lock3) T2: read(x,5) T1: write(y,3) T1: end_atomic T2: release(lock3) event stream

37 C. Flanagan37Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Atomizer: Dynamic Analysis Lockset algorithm –from Eraser [Savage et al. 97] –identifies race conditions Reduction [Lipton 75] –proof technique for verifying atomicity, using information about race conditions

38 C. Flanagan38Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Analysis 1: Lockset Algorithm Tracks lockset for each field –lockset = set of locks held on all accesses to field Dynamically infers protecting lock for each field Empty lockset indicates possible race condition

39 C. Flanagan39Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial First access to o.f: LockSet( o.f ) = Held(curThread) = { x, y } Thread 1 synchronized(x) { synchronized(y) { o.f = 2; } o.f = 11; } Thread 2 synchronized(y) { o.f = 2; } Lockset Example

40 C. Flanagan40Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Subsequent access to o.f: LockSet( o.f ) := LockSet( o.f )  Held(curThread) = { x, y }  { x } = { x } Lockset Example Thread 1 synchronized(x) { synchronized(y) { o.f = 2; } o.f = 11; } Thread 2 synchronized(y) { o.f = 2; }

41 C. Flanagan41Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Subsequent access to o.f: LockSet( o.f ) := LockSet( o.f )  Held(curThread) = { x }  { y } = { } => race condition Lockset Example Thread 1 synchronized(x) { synchronized(y) { o.f = 2; } o.f = 11; } Thread 2 synchronized(y) { o.f = 2; }

42 C. Flanagan42Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Lockset Shared-exclusive Track lockset any thread r/w Shared-read/write Track lockset race condition!

43 C. Flanagan43Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Lockset with Thread Local Data Thread Local Shared-exclusive Track lockset first thread r/w any thread r/w Shared-read/write Track lockset race condition! second thread r/w

44 C. Flanagan44Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Lockset with Read Shared Data Thread Local Read Shared Shared-exclusive Track lockset first thread r/w any thread read any thread write any thread r/w Shared-read/write Track lockset race condition! second thread read second thread write

45 C. Flanagan45Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Atomizer: Dynamic Analysis Lockset algorithm –from Eraser [Savage et al. 97] –identifies race conditions Reduction [Lipton 75] –proof technique for verifying atomicity, using information about race conditions

46 C. Flanagan46Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Reduction [Lipton 75] acq(this)  Xt=i Y i=t+1Z rel(this)      acq(this)  X t=i Y i=t+1Z rel(this)         acq(this) X t=i Y i=t+1Z rel(this)        acq(this) X t=i Y i=t+1Z rel(this)      

47 C. Flanagan47Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial  Reducible methods: (R|B)* [N] (L|B)* Performing Reduction Dynamically R: right-mover –lock acquire L: left-mover –lock release B: both-mover –race-free field access N: non-mover –access to "racy" fields InRightInLeft R|B L|N start atomic block Error L|B R|N acq(lock) j=bal bal=j+n rel(lock) R B B L

48 C. Flanagan48Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Atomizer Review Instrumented code calls Atomizer runtime –on field accesses, sync ops, etc Lockset algorithm identifies races –used to classify ops as movers or non-movers Atomizer checks reducibility of atomic blocks –warns about atomicity violations

49 C. Flanagan49Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Evaluation 12 benchmarks –scientific computing, web server, std libraries,... –200,000+ lines of code Heuristics for atomicity –all synchronized blocks are atomic –all public methods are atomic, except main and run Slowdown:1.5x - 40x

50 C. Flanagan50Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial BenchmarkLines Base Time (s)Slowdown elevator50011.2- hedc29,9006.4- tsp7001.921.8 sor17,7001.31.5 moldyn1,30090.61.5 montecarlo3,6006.42.7 raytracer1,9004.841.8 mtrt11,3002.838.8 jigsaw90,1003.04.7 specJBB30,50026.212.1 webl22,30060.3- lib-java75,30596.5- Performance

51 C. Flanagan51Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Extensions Redundant lock operations are both-movers –re-entrant acquire/release –operations on thread-local locks –operations on lock A, if lock B always acquired before A Write-protected data

52 C. Flanagan52Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Write-Protected Data class Account { int bal; /*# atomic */ int read() { return bal; } /*# atomic */ void deposit(int n) { synchronized (this) { int j = bal; bal = j + n; } RBNLRBNL

53 C. Flanagan53Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Extensions Reduce Number of Warnings Total 341 Total 97

54 C. Flanagan54Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Evaluation Warnings: 97 (down from 341) Real errors (conservative): 7 False alarms due to: –simplistic heuristics for atomicity programmer should specify atomicity –false races –methods irreducible yet still "atomic" eg caching, lazy initialization No warnings reported in more than 90% of exercised methods

55 C. Flanagan55Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial public class StringBuffer { private int count; public synchronized int length() { return count; } public synchronized void getChars(...) {... } /*# atomic */ public synchronized void append(StringBuffer sb){ int len = sb.length();... sb.getChars(...,len,...);... } java.lang.StringBuffer StringBuffer.append is not atomic: Start: at StringBuffer.append(StringBuffer.java:701) at Thread1.run(Example.java:17) Commit: Lock Release at StringBuffer.length(StringBuffer.java:221) at StringBuffer.append(StringBuffer.java:702) at Thread1.run(Example.java:17) Error: Lock Acquire at StringBuffer.getChars(StringBuffer.java:245) at StringBuffer.append(StringBuffer.java:710) at Thread1.run(Example.java:17)

Download ppt "C. Flanagan1Atomicity for Reliable Concurrent Software - PLDI'05 Tutorial Atomicity for Reliable Concurrent Software Joint work with Stephen Freund Shaz."

Similar presentations

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.

Dataflow Analysis for Datarace-Free Programs (ESOP 11) Arnab De Joint work with Deepak DSouza and Rupesh Nasre Indian Institute of Science, Bangalore.
Types for Atomicity Authors: Cormac Flanagan, UC Santa Cruz Stephen Freund, Marina Lifshin, Williams College Shaz Qadeer, Microsoft Research Presentation.

Types for Atomicity Authors: Cormac Flanagan, UC Santa Cruz Stephen Freund, Marina Lifshin, Williams College Shaz Qadeer, Microsoft Research Presentation.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.

Reduction, abstraction, and atomicity: How much can we prove about concurrent programs using them? Serdar Tasiran Koç University Istanbul, Turkey Tayfun.
Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,

Goldilocks: Efficiently Computing the Happens-Before Relation Using Locksets Tayfun Elmas 1, Shaz Qadeer 2, Serdar Tasiran 1 1 Koç University, İstanbul,
Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.

Verification of Multithreaded Object- Oriented Programs with Invariants Bart Jacobs, K. Rustan M. Leino, Wolfram Schulte.
A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.

A Randomized Dynamic Program Analysis for Detecting Real Deadlocks Koushik Sen CS 265.
Concurrency 101 Shared state. Part 1: General Concepts 2.

Concurrency 101 Shared state. Part 1: General Concepts 2.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
1 Beyond Reduction.... 2 Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } if (m == 0) { m = 1; return true; } else.

1 Beyond Reduction Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } if (m == 0) { m = 1; return true; } else.
Part IV: Exploiting Purity for Atomicity. Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } CAS(m,0,1) (fails) (succeeds)

Part IV: Exploiting Purity for Atomicity. Busy Acquire atomic void busy_acquire() { while (true) { if (CAS(m,0,1)) break; } } CAS(m,0,1) (fails) (succeeds)
Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz.

Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs Stephen Freund Williams College Cormac Flanagan University of California, Santa Cruz.
Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)

Types for Atomicity in Multithreaded Software Shaz Qadeer Microsoft Research (Joint work with Cormac Flanagan)
CS294-32: Dynamic Data Race Detection Koushik Sen UC Berkeley.

CS294-32: Dynamic Data Race Detection Koushik Sen UC Berkeley.
Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.

Atomicity in Multi-Threaded Programs Prachi Tiwari University of California, Santa Cruz CMPS 203 Programming Languages, Fall 2004.
C. Flanagan1Types for Atomicity Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.

C. Flanagan1Types for Atomicity Cormac Flanagan UC Santa Cruz Stephen N. Freund Williams College Shaz Qadeer Microsoft Research Analysis of Concurrent.
/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.

/ PSWLAB Atomizer: A Dynamic Atomicity Checker For Multithreaded Programs By Cormac Flanagan, Stephen N. Freund 24 th April, 2008 Hong,Shin.
CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.

CS 263 Course Project1 Survey: Type Systems for Race Detection and Atomicity Feng Zhou, 12/3/2003.
Atomicity Violation Detection Prof. Moonzoo Kim CS492B Analysis of Concurrent Programs.

Atomicity Violation Detection Prof. Moonzoo Kim CS492B Analysis of Concurrent Programs.
Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Summarizing Procedures in Concurrent Programs Shaz Qadeer Sriram K. Rajamani Jakob Rehof Microsoft Research.

Similar presentations

Ads by Google