c. flanagantype systems for multithreaded software1 cormac flanagan uc santa cruz stephen n. freund...

C. Flanagan Type Systems for Multithreaded Software 1

Type Systems for Multithreaded Software

Cormac FlanaganUC Santa Cruz

Stephen N. FreundWilliams College

Shaz QadeerMicrosoft Research


Towards Reliable Multithreaded Software

• Multithreaded software– increasingly common (Java, C#, GUIs, servers)– decrease latency, exploit underlying hardware

• Heisenbugs due to thread interference– race conditions– atomicity violations

• Need type systems for multithreaded software


Race Conditions

class Ref { int i; void add(Ref r) { i = i + r.i; }}


Race Conditions

class Ref { int i; void add(Ref r) { i = i + r.i; }} Ref x = new Ref(0);Ref y = new Ref(3);

x.add(y); x.add(y);

assert x.i == 6;


Race Conditions

class Ref { int i; void add(Ref r) { i = i + r.i; }} Ref x = new Ref(0);Ref y = new Ref(3);parallel { x.add(y); // two calls happen x.add(y); // in parallel}assert x.i == 6;

A race condition occurs if

• two threads access a shared variable at the same time

• at least one of those accesses is a write


Lock-Based Synchronization

class Ref { int i; // guarded by this void add(Ref r) { i = i + r.i; }} Ref x = new Ref(0);Ref y = new Ref(3);parallel { synchronized (x,y) { x.add(y); } synchronized (x,y) { x.add(y); }}assert x.i == 6;

• Field guarded by a lock

• Lock acquired before accessing field

• Ensures race freedom


Verifying Race Freedom with Types

class Ref { int i; void add(Ref r) { i = i + r.i; }} Ref x = new Ref(0);Ref y = new Ref(3);parallel { synchronized (x,y) { x.add(y); } synchronized (x,y) { x.add(y); }}assert x.i == 6;

• Race freedom – key correctness

property

• Rccjava– race condition checker– verifies race freedom– extra type annotations

express locking discipline



class Ref { int i; void add(Ref r) { i = i + r.i; }} Ref x = new Ref(0);Ref y = new Ref(3);parallel { synchronized (x,y) { x.add(y); } synchronized (x,y) { x.add(y); }}assert x.i == 6;



class Ref { int i guarded_by this; void add(Ref r) requires this, r { i = i + r.i; }} Ref x = new Ref(0);Ref y = new Ref(3);parallel { synchronized (x,y) { x.add(y); } synchronized (x,y) { x.add(y); }}assert x.i == 6;

check: this { this, r }




check: this { this, r } check: this[this:=r] = r { this, r }

replace this by r





check: {this,r}[this:=x,r:=y] { x, y }

replace formals this,rby actuals x,y







Soundness Theorem:Well-typed programs are race-free

replace formals this,rby actuals x,y


Type Inference for Race-Freedom

Annotated Program:class Ref { int i guarded_by this; ...

Unannotated Program:class Ref { int i; ...

Error: potential race on field i

unsatisfiable

satisfiable

BooleanFormula

SatisfyingAssignment

SATSolver


Experimental Results: Race Freedom

Program

Lines

of

code

Number

of Fields

Manual

Annotations

(per KLOC)

I nference

time

(s/KLOC)

% fields

race

free

elevator 529 23 7.6 9.5 100tsp 723 37 6.9 9.5 92sor 687 29 1.5 6.6 100raytracer 1,982 77 2.5 10.6 95moldyn 1,408 107 2.1 8.9 94montecarlo 3,674 110 0.3 5.6 100mtrt 11,315 181 1.0 12.3 98jbb 30,519 787 1.5 90.9 97


Beyond Race Freedom:

Types for Atomicity


Limitations of Race-Freedom

class Ref { int i; ... void inc() { int t; synchronized (this) { t = i; i = t + 1; } } ...}

inc()• race-free• behaves correctly in a

multithreaded context


Limitations of Race-Freedom

class Ref { int i; ... void inc() { int t; synchronized (this) { t = i; } synchronized (this) { i = t+1; } } ...}

inc()• race-free• behaves incorrectly in a

multithreaded context

Race freedom does not prevent errors due to unexpected interactionsbetween threads


Atomicity•The method inc() is atomic if concurrent

threads do not interfere with its behavior– (maximal non-interference property)

•Guarantees that for every interleaved

execution

•there is a serial execution with same behavior acq(this) t=i i=t+1 rel(this)x y z

acq(this) t=i i=t+1 rel(this)x y z

acq(this) t=i i=t+1 rel(this)x y z


Atomicity• Canonical property

– (cmp. linearizability, serializability, ...)

• Enables sequential reasoning– simplifies validation of multithreaded code

• Matches existing practice – most methods (80%+) are atomic

• Verifiable using type systems– atomicity violations often indicate errors– Lipton’s theory of reduction


Reduction [Lipton 75]acq(this)

X t=i Y i=t+1 Z rel(this)

acq(this)

X t=iY i=t+1 Zrel(this)

acq(this) X t=iY i=t+1 Z rel(this)

acq(this)X t=iY i=t+1 Z rel(this)


Checking Atomicity

atomic void inc() { int t; synchronized (this) { t = i; i = t + 1; } }

R: right-mover lock acquireL: left-mover lock releaseB: both-mover race-free variable

accessA: atomic conflicting variable

access

Reducible blocks have form: R* [A] L*

acq(this) t=i i=t+1 rel(this)

R B B L

A


Checking Atomicity (cont.)

atomic void inc() { int t; synchronized (this) { t = i; } synchronized (this) { i = t + 1; }}

R: right-mover lock acquireL: left-mover lock releaseB: both-mover race-free variable

accessA: atomic conflicting variable

access

R B L R B L

acq(this)t=i i=t+1 rel(this)acq(this) rel(this)

Compound

AA


Conditional Atomicity

atomic void inc() { int t; synchronized (this) { t = i; i = t + 1; }}

atomic void incByTwo() {

inc(); inc();

}



atomic void inc() { int t; synchronized (this) { t = i; i = t + 1; }}

atomic void incByTwo() { synchronized (this) { inc(); inc(); }}



(this ? mover : atomic) void inc() { int t; synchronized (this) { t = i; i = t + 1; }}

atomic void incByTwo() { synchronized (this) { inc(); inc(); }}


java.lang.StringBuffer/** ... used by the compiler to implement the binary

string concatenation operator ... String buffers are safe for use by multiple

threads. The methods are synchronized so that all the operations on any particular instance behave as if they occur in some serial order that is consistent with the order of the method calls made by each of the individual threads involved.

*/public atomic class StringBuffer { ... }

FALSE


class StringBuffer { private int count; synchronized int length() { return count; } synchronized void getChars(...) { ... } atomic synchronized void append(StringBuffer sb){

int len = sb.length(); ... ... ... sb.getChars(...,len,...); ... }}

java.lang.StringBuffer

A

ACompound


UnannotatedJava

Program

atomicityinference

Rcc/Sat

AtomicityWarnings

Program withAtomicity

Annotations

Type Inference for Atomicity• Finds most precise atomicity for each method• Leverages race-free type inference algorithm

(Rcc/Sat)

Bohr


Atomicity Inference

class Ref { int i guarded_by this; void inc() {...}}

AtomicityConstraints

ConstraintsSolution

ConstraintSolver

class Ref { int i guarded_by this; atomic void inc(){...}}

Program w/ Locking Annotations

Program w/ Atomicity Annotations


Thread-Safe Classes

0

20

40

60

80

100

String

String

Buffe

r

Vecto

r

Infla

ter

Deflat

er

ZipFile

Obs

erva

ble

Synch

List

URL

PrintW

riter

Synch

Bool

Synch

Doubl

e

Class

% A

tom

ic

Methods Synch. Blocks


Benchmarks

0

20

40

60

80

100

elevator tsp sor ray-tracer moldyn monte-carlo

mtrt jbb

Program

% A

tom

ic

Methods Synch. Blocks


Summary• Concurrency errors are notorious and

subtle– race conditions– atomicity violations

• Can be detected/prevented using types – type checking and type inference tractable and

reasonably precise– over 80% of methods in jbb are atomic


Type Systems for Multithreaded Software

Cormac FlanaganUC Santa Cruz

Stephen N. FreundWilliams College

Shaz QadeerMicrosoft Research

c. flanagantype systems for multithreaded software1 cormac flanagan uc santa cruz stephen n. freund...

Documents