Type-Based Race Detection for J AVA
description
Transcript of Type-Based Race Detection for J AVA
/ 22Hong,Shin @ PSWLAB
Type-Based Race Detection for JAVA
by Cormac Flanagan, Stephen N. Freund
22nd Feb 2008presented by Hong,Shin
23年 4月 20日
1Type-Based Race Detection for JAVA
/ 22Hong,Shin @ PSWLAB
Introduction• Race condition occurs when two thread manipulate
a shared data structure simultaneously without synchronization.
• Race condition errors are schedule-dependent that these are difficult to catch using traditional testing technologies.Support lock-based synchronization discipline by
tracking the protecting lock for each shared field in the program and verifying that the appropriate lock is held whenever a shared field is accessed.
Express the reasoning and checks performed by this analysis as an extension of JAVA’s type system.
23年 4月 20日
Type-Based Race Detection for JAVA 2
/ 22Hong,Shin @ PSWLAB
Introduction 2/2
• Start by adopting the target system to a core subset of JAVA.
• And then extends the type system with a number of additional features:– classes parameterized by the locks– classes that are local to a particular thread
23年 4月 20日
Type-Based Race Detection for JAVA 3
/ 22Hong,Shin @ PSWLAB
CONCURRENT JAVA 1/2
• CONCURRENT JAVA is a multithreaded subset of JAVA.• Syntax
23年 4月 20日
Type-Based Race Detection for JAVA 4
if final modifier is present, then the field cannot be updated after initialization.
/ 22Hong,Shin @ PSWLAB
CONCURRENT JAVA 2/3
• Informal Semantics– CONCURRENT JAVA supports multithreaded programs by
including the operation fork e which spawn a new thread for the evaluation of e.
– Locks are provided: each object has an associated binary lock. The expression synchronized e1 in e2 is evaluated as follow:
(1) acquire the associated lock of e1 .
(2) e2 is then evaluated.
(3) release the associated lock of e1.
23年 4月 20日
Type-Based Race Detection for JAVA 5
/ 22Hong,Shin @ PSWLAB
CONCURRENT JAVA 3/31 class Account {
2 int balance = 0
3 int deposit(int x) {
4 this.balance = this.balance + x
5 }
6 }
7 let Account a = new Account in {
8 fork { a.deposit(10) }
9 fork { a.deposit(10) }
10 }
23年 4月 20日
Type-Based Race Detection for JAVA 6
Schedule Scenario 2
<Thread 1> <Thread2>
8 call a.deposit(10)8 call
a.deposit(10)4 this.balance+x=10
4 this.balance+x=104 this.balance :=10
4 this.balance :=10
Schedule Scenario 1
<Thread 1> <Thread2>
8 call a.deposit(10)4 this.balance+x=104 this.balance:=10
8 call a.deposit(10)4
this.balance+x=204 this.balance :=20
1 class Account {
2 int balance = 0
3 int deposit(int x) {
4 synchronized this in {
5 this.balance = this.balance + x
6 }
7 }
8 }
9 let Account a = new Account in {
10 fork { a.deposit(10) }
11 fork { a.deposit(10) }
12 } /* Race-Free Account */
/ 22Hong,Shin @ PSWLAB
RACEFREE JAVA 1/1• Race conditions are commonly avoided by the lock-based
synchronization discipline.• The type system needs to verify that each field has a protecting lock
that is held whenever the field is accessed or updated.(1) associates a protecting lock with each field declaration.
→ programmers provide additional type annotations(2) tracks the set of locks held at each field access or update.
→ the type system automatically verifies that the locks are indeed held at each field access, field update, and call-site of the method.
• RACEFREE JAVA– An extended language of CONCURRENT JAVA
– The modified syntax
23年 4月 20日
Type-Based Race Detection for JAVA 7
field ::= [final]opt t fd guarded_by l = emeth ::= t mn (arg*) [requires ls]opt { e }ls ::= l*l ::= e
/ 22Hong,Shin @ PSWLAB
Type System 1/5• Type Judgment
– P ; E ; ls ` e : tP : the program being checkedE : an environment providing types for the free variables of els : a set of final expressions describing the locks that are held when the expression
e is evaluated.e : an expressiont : the type of e
• Type Rules– The type rules track the set of locks held each program point.
23年 4月 20日
Type-Based Race Detection for JAVA 8
{ }
P ; E ` fianl l : c checks that l is a final expression of some class type c
/ 22Hong,Shin @ PSWLAB
Type System 2/5
23年 4月 20日
Type-Based Race Detection for JAVA 9
Check that the lock l guarding fd is held at this program point; i.e., that l denotes the same lock as some expression l’ in current lock set.→ approximates semantic equivalence by syntactic equivalence, and simply to check that l ≡ l’.
P ; E ` fianl e1 : c checks that e1 is a final expression of some class type c
ex) final Object a = new Object final Object b = a int data guarded_by a
: synchronized b in { data = 0 }
/ 22Hong,Shin @ PSWLAB
Type System – Example 3/5
P :class Account {
int balance guarded_by this = 0
int deposit(int x)
synchronized this in {
this.balance =
this.balance + x
}
}
let Account a = new Account in {
fork { a.deposit(10 }
fork { a.deposit(10) }
}
23年 4月 20日
Type-Based Race Detection for JAVA 10
P ; Account this ` int P ; Account this ` Á P ; Account this, int x ; Á ` synchronized …. : int -------------------------[METHOD] P ; Account this `final this : Account P ; Account this ; Á ` 0 : int -------------------------[FIELD] E = Account this P ; Account this ` int balance guarded_by this=0 P ; Account this ` int deposit(int x) { … } -------------------[CLASS] P = class Account{ …} let Account a = new Account …. P ` class Account{…} P ; Á ; Á ` let Account a = new Account in … : int--------------------[PROG]` P : int
/ 22Hong,Shin @ PSWLAB
Type System – Example 4/5 P ; Account this, int x ` this : Account P ; Account this, int x ` (int balance guarded_by this = 0) 2 Account P ; Account this, int x ` this 2 {this} P ; Account this, int x ` int -------------------[EXP REF] P ; Account this, int x ; {this} ` this.balance+x : Account P ; Account this, int x ` (int balance guarded_by this = 0) 2 Account P ; Account this, int x ` this 2{this} P ; Account this, int x ; {this} ` this.balance+x -------------------[EXP ASSIGN] P ; Account this, int x `final this : Account
P ; Account this, int x ; {this} ` {this.balance=this.balance+x} : int------------------[EXP SYNC]P ; Account this, int x ; Á ` synchronized this in {this.balance=this.balance+x} : int
::
23年 4月 20日
Type-Based Race Detection for JAVA 11
/ 22Hong,Shin @ PSWLAB
Type System – Example 5/5
23年 4月 20日
Type-Based Race Detection for JAVA 12
P ; Account a ; Á ` a : Account P ; Account a ` (int deposit(int x)) 2 Account P ; Account a ; Á ` 10 : int P ; Account a ` Á µ Á P ; Account a ` int --------------------[EXP INVOKE] P ; Account a ` Á P ; Account a ; Á ` a.deposit(10) : int --------------------[EXP FORK] P ; Á ; Á ` new Account : Account P ; Account a ; Á ` fork{a.deposit(10)} fork{a.deposit(10)} : s P ; Á ; Á ` s---------------------[EXP LET] P = defn e <defn: class Account …, e: let Account ..>
P ` defn P ; Á ; Á ` let Account a = new Account in {…} : int--------------------[PROG]` P : int
/ 22Hong,Shin @ PSWLAB
External Locks 1/2• The only variable in scope at a field declaration is this, the
fields of an object must be protected by a lock that is accessible from the object.
• It is necessary to protect the fields of an object by some locks external to the object.Ex) In a linked list, the node objects in a list should be synchronized by a
lock which is outside of the node class.
• To accommodate this programming pattern, we extend RACEFREE JAVA to allow classes to be parameterized by external locks
defn ::= class cn<garg*> bodygarg ::= ghost t xc ::= cn<l*> | Object
23年 4月 20日
Type-Based Race Detection for JAVA 13
/ 22Hong,Shin @ PSWLAB
External Locks 2/2
23年 4月 20日
Type-Based Race Detection for JAVA 14
/ 22Hong,Shin @ PSWLAB
Thread-Local Classes 1/2
• Large multithreaded programs typically have sections of code that operate on data that is not shared across multiple threads.
• To accommodate this situation, the concept of thread-local classes is introduced.
• The language is extended to allow an optional thread_local modifier on class definitions and to make guarded_by clause on field declarations optional in a thread-local class.
defn ::= [thread_local]opt class cn <garg*> body
field ::= [final]opt t fd [guarded_by l]opt = e
23年 4月 20日
Type-Based Race Detection for JAVA 15
/ 22Hong,Shin @ PSWLAB
Thread-Local Classes 2/2
23年 4月 20日
Type-Based Race Detection for JAVA 16
• The type system must ensure that thread-local objects are not accessible from non thread-local objects. extends the rules not to eliminate this possibility.
/ 22Hong,Shin @ PSWLAB
Implementation 1/1
23年 4月 20日
Type-Based Race Detection for JAVA 17
• RACEFREE JAVA type system is extended to support full JAVA language in rccjava implementation.
• The comments that start with the character “#” are treated as type annotations by the tool.
• The tool was built on top of an existing JAVA front-end that includes a scanner, parser, and type checker.
/ 22Hong,Shin @ PSWLAB
Experiment Results 1/2
23年 4月 20日
Type-Based Race Detection for JAVA 18
•To test effectiveness of the tool, several multithreaded JAVA program was checked by the tool.• It was reported that the annotation process proceeded at a rate of 1000lines of code per programmer-hour.
/ 22Hong,Shin @ PSWLAB
Experiment Results 2/2
23年 4月 20日
Type-Based Race Detection for JAVA 19
1.class Vector {2. Object elementData[] /*# guarded_by this */3. int elementCount /*# guarded_by this */4. synchronized boolean removeAllElements() {5. :6. elementCount = 0 ;7. :8. }
9. synchronized int lastIndexOf(Object elem, int n) {10. for (int i = n ; --i >= 0 ; ) 11. if (elem.equals(elementData[i])) { … }12. }
13. int lastIndexOf(Object elem) {14. return lastIndexOf(elem, elementCount) ;15. }16.} Excerpt from java.util.Vector
Two threads work on the same Vector objectelementCount = 10 ;
<Thread1> <Thread2>
13 invokel lastIndexOf(elem)4 invoke synchronized
removeAllElements()5 elementCount = 0
14 invoke lastIndexOf(elem, 10) Race!
/ 22Hong,Shin @ PSWLAB
Conclusion• The type system enforces programmers to write locking
strategies of a program as annotations and checks whether the programmer wrote the program with the strategies or not.
• This type system enables race conditions to be detected early in the development cycle.
• The annotations can be used as documentation of locking strategies.
• Some synchronization patters are not supported in the type system(ex. reader-writer locks)
23年 4月 20日
Type-Based Race Detection for JAVA 20
/ 22Hong,Shin @ PSWLAB
Further work• Efficient and Precise Datarace Detection for Multithreaded
Object-Oriented Programs (PLDI’02)
• LOCKSMITH: Context-Sensitive Correlation Analysis for Race Detection(PLDI’06)
23年 4月 20日
Type-Based Race Detection for JAVA 21
/ 22Hong,Shin @ PSWLAB
Reference[1] Type-Based Race Detection for JAVA, Cormac
Flanagan, Stephen N. Freund, PLDI 2000
23年 4月 20日
Type-Based Race Detection for JAVA 22