Type Systems for Multithreaded Software PowerPoint PPT Presentation

presentation player overlay
About This Presentation
Transcript and Presenter's Notes

Title: Type Systems for Multithreaded Software


1
Type Systems for Multithreaded Software
  • Cormac Flanagan
  • UC Santa Cruz

Stephen N. Freund Williams College Shaz
Qadeer Microsoft Research
2
Towards Reliable Multithreaded Software
  • Multithreaded software
  • increasingly common (Java, C, GUIs, servers)
  • decrease latency, exploit underlying hardware
  • Heisenbugs due to thread interference
  • race conditions
  • atomicity violations
  • Need type systems for multithreaded software

3
Race Conditions
class Ref int i void add(Ref r) i
i r.i
4
Race Conditions
class Ref int i void add(Ref r) i
i r.i Ref x new
Ref(0) Ref y new Ref(3) x.add(y)
x.add(y) assert x.i 6
5
Race Conditions
class Ref int i void add(Ref r) i
i r.i Ref x new
Ref(0) Ref y new Ref(3) parallel
x.add(y) // two calls happen x.add(y)
// in parallel assert x.i 6
  • A race condition occurs if
  • two threads access a shared variable at the same
    time
  • at least one of those accesses is a write

6
Lock-Based Synchronization
class Ref int i // guarded
by this void add(Ref r) i i
r.i Ref x new Ref(0) Ref y
new Ref(3) parallel synchronized (x,y)
x.add(y) synchronized (x,y) x.add(y)
assert x.i 6
  • Field guarded by a lock
  • Lock acquired before accessing field
  • Ensures race freedom

7
Verifying Race Freedom with Types
class Ref int i void add(Ref r) i
i r.i Ref x new
Ref(0) Ref y new Ref(3) parallel
synchronized (x,y) x.add(y) synchronized
(x,y) x.add(y) assert x.i 6
  • Race freedom
  • key correctness property
  • Rccjava
  • race condition checker
  • verifies race freedom
  • extra type annotations express locking discipline

8
Verifying Race Freedom with Types
class Ref int i void add(Ref r) i
i r.i Ref x new
Ref(0) Ref y new Ref(3) parallel
synchronized (x,y) x.add(y) synchronized
(x,y) x.add(y) assert x.i 6
9
Verifying Race Freedom with Types
class Ref int i guarded_by this void
add(Ref r) requires this, r i i
r.i Ref x new Ref(0) Ref y
new Ref(3) parallel synchronized (x,y)
x.add(y) synchronized (x,y) x.add(y)
assert x.i 6
?
check this ? this, r
10
Verifying Race Freedom with Types
class Ref int i guarded_by this void
add(Ref r) requires this, r i i
r.i Ref x new Ref(0) Ref y
new Ref(3) parallel synchronized (x,y)
x.add(y) synchronized (x,y) x.add(y)
assert x.i 6
?
check this ? this, r
check thisthisr r ? this, r
?
replace this by r
11
Verifying Race Freedom with Types
class Ref int i guarded_by this void
add(Ref r) requires this, r i i
r.i Ref x new Ref(0) Ref y
new Ref(3) parallel synchronized (x,y)
x.add(y) synchronized (x,y) x.add(y)
assert x.i 6
?
check this ? this, r
check thisthisr r ? this, r
?
replace formals this,r by actuals x,y
?
check this,rthisx,ry ? x, y
12
Verifying Race Freedom with Types
class Ref int i guarded_by this void
add(Ref r) requires this, r i i
r.i Ref x new Ref(0) Ref y
new Ref(3) parallel synchronized (x,y)
x.add(y) synchronized (x,y) x.add(y)
assert x.i 6
?
check this ? this, r
check thisthisr r ? this, r
?
replace formals this,r by actuals x,y
?
check this,rthisx,ry ? x, y
check this,rthisx,ry ? x, y
?
Soundness Theorem Well-typed programs are
race-free
13
Type Inference for Race-Freedom
Boolean Formula
Unannotated Program class Ref int i ...
SATSolver
Error potential race on field i
unsatisfiable
satisfiable
Satisfying Assignment
Annotated Program class Ref int i
guarded_by this ...
14
Experimental Results Race Freedom
15
Beyond Race FreedomTypes for Atomicity
16
Limitations of Race-Freedom
class Ref int i ... void inc()
int t synchronized (this) t i
i t 1 ...
  • inc()
  • race-free
  • behaves correctly in a multithreaded context

17
Limitations of Race-Freedom
class Ref int i ... void inc()
int t synchronized (this) t i
synchronized (this) i t1
...
  • inc()
  • race-free
  • behaves incorrectly in a multithreaded context

Race freedom does not prevent errors due to
unexpected interactions between threads
18
Atomicity
  • The method inc() is atomic if concurrent threads
    do not interfere with its behavior
  • (maximal non-interference property)
  • Guarantees that for every interleaved execution
  • there is a serial execution with same behavior

19
Atomicity
  • Canonical property
  • (cmp. linearizability, serializability, ...)
  • Enables sequential reasoning
  • simplifies validation of multithreaded code
  • Matches existing practice
  • most methods (80) are atomic
  • Verifiable using type systems
  • atomicity violations often indicate errors
  • Liptons theory of reduction

20
Reduction Lipton 75
acq(this)
X
ti
Y
it1
Z
rel(this)
?
?
?
?
?
?
?
?
21
Checking Atomicity
atomic void inc() int t synchronized
(this) t i i t 1
  • R right-mover lock acquire
  • L left-mover lock release
  • B both-mover race-free variable access
  • A atomic conflicting variable access

acq(this)
ti
it1
rel(this)
R B B L
A
  • Reducible blocks have form R A L

22
Checking Atomicity (cont.)
atomic void inc() int t synchronized
(this) t i synchronized
(this) i t 1
  • R right-mover lock acquire
  • L left-mover lock release
  • B both-mover race-free variable access
  • A atomic conflicting variable access

R B L
R B L
23
Conditional Atomicity
atomic void inc() int t synchronized
(this) t i i t 1
atomic void incByTwo() inc()
inc()
24
Conditional Atomicity
atomic void inc() int t synchronized
(this) t i i t 1
atomic void incByTwo() synchronized
(this) inc() inc()
25
Conditional Atomicity
(this ? mover atomic) void inc() int t
synchronized (this) t i i t
1 atomic void incByTwo()
synchronized (this) inc()
inc()
26
java.lang.StringBuffer
  • /
  • ... used by the compiler to implement the
    binary string concatenation operator ...
  • String buffers are safe for use by multiple
    threads. The methods are synchronized so that all
    the operations on any particular instance behave
    as if they occur in some serial order that is
    consistent with the order of the method calls
    made by each of the individual threads involved.
  • /

FALSE
public atomic class StringBuffer ...
27
java.lang.StringBuffer
  • class StringBuffer
  • private int count
  • synchronized int length() return count
  • synchronized void getChars(...) ...
  • atomic synchronized void append(StringBuffer
    sb)
  • int len sb.length()
  • ...
  • ...
  • ...
  • sb.getChars(...,len,...)
  • ...

A A
Compound
28
Type Inference for Atomicity
  • Finds most precise atomicity for each method
  • Leverages race-free type inference algorithm
    (Rcc/Sat)

Bohr
Unannotated Java Program
Rcc/Sat
Program with Atomicity Annotations
atomicity inference
Atomicity Warnings
29
Atomicity Inference
Program w/ Locking Annotations
class Ref int i guarded_by this void inc()
...
Atomicity Constraints
Constraint Solver
Program w/ Atomicity Annotations
class Ref int i guarded_by this atomic
void inc()...
Constraints Solution
30
Thread-Safe Classes
31
Benchmarks
32
Summary
  • Concurrency errors are notorious and subtle
  • race conditions
  • atomicity violations
  • Can be detected/prevented using types
  • type checking and type inference tractable and
    reasonably precise
  • over 80 of methods in jbb are atomic

33
Type Systems for Multithreaded Software
  • Cormac Flanagan
  • UC Santa Cruz

Stephen N. Freund Williams College Shaz
Qadeer Microsoft Research
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The : "Type Systems for Multithreaded Software" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!