CS 263 Course Project 1
Survey: Type Systems for Race Detection and Atomicity
Feng Zhou, zf@cs, 12/3/2003
The Problem and Approaches
• Interleaved execution in multi-threaded applications may lead to wrong results
• Reasons:
  – Race condition: concurrent accesses to a shared variable, at least one of them a write
  – Use of "stale" data: a value read under one lock acquisition is used after the lock has been released, by which time another thread may have changed it
• Static tools
  – Warlock (93): program analysis for ANSI C
  – Rccjava (00), atomicity types (03): type systems
  – ESC/Java (02): more powerful, automatic theorem proving
  – RacerX (03): inter-procedural analysis
• Dynamic tools
  – Eraser: tracks locksets and their intersections at each access
Rccjava: Type-Based Race Detector
• Cormac Flanagan, 2000
• Supports a lock-based synchronization discipline
• Basic annotations: "guarded_by" (a field is only accessed with this lock held) and "requires" (a method may only be called with these locks held)

    class Account {
      private int balance = 0 /*# guarded_by this */;

      private void update(int x) /*# requires this */ {
        balance = x;
      }

      public void deposit(int n) {
        synchronized(this) {
          update(balance + n);
        }
      }
    }
Type Checking by Tracking Locksets
The checker carries the set of locks known to be held (the lockset) through each method body and checks it at every guarded access and every call:

    class Account {
      private int balance = 0 /*# guarded_by this */;

      private void update(int x) /*# requires this */ {
        // lockset = {this}   (assumed from "requires this")
        balance = x;          // this ∈ lockset ?  yes
      }

      public void deposit(int n) {
        // lockset = {}
        synchronized(this) {
          // lockset = {this}
          update(balance + n);  // reading balance: this ∈ lockset ?  yes
                                // calling update: requires this ∈ lockset ?  yes
        }
      }
    }
More complex annotations and constructs
• Problems with this simple scheme:
  – Real applications use more complex locking schemes
  – Requires too many annotations
  – Produces a lot of spurious race reports
• Features that address these problems:
  – Classes parameterized by locks
    • Allows fields to be protected by external locks, e.g. the elements of a list protected by a lock on the list
    • Implemented using "ghost" lock parameters to classes
  – Thread-local objects, enforced by the type system
  – Mechanisms for escaping the type system (unsound)
Sample Typing Rules
• Assignment to a shared field
• Class instantiation with ghost parameters
Beyond Race Detection: A Type and Effect System for Atomicity
• Flanagan03, based on rccjava
• Atomicity: a separate property of expressions/methods, ordered in a lattice
    const < mover < atomic < cmpd < error
• Const: neither depends on nor changes any state
• Mover: operations that commute with any concurrent operation of other threads
  – example: an access to field f guarded by lock l, with l held
• Atomic: every concurrent execution is equivalent to some serial one, i.e. it behaves the same whether run concurrently with other threads or in isolation
• Cmpd (compound): none of the previous ones
• Error: violates the locking discipline
A Type and Effect System for Atomicity (2)
• Iterative closure and sequential composition
  – mover* = mover
  – atomic ; atomic = cmpd
  – mover* ; atomic ; mover* = atomic
• Typing rules
Example of atomicity checking
    atomic int readBalance() {
      int t;
      synchronized (this) { t = balance; }   // A (atomic)
      return t;
    }                                        // A: readBalance is atomic as declared

    atomic void withdraw(int amt) {
      int b = readBalance();                 // A
      synchronized (this) { balance = b - amt; }   // A
    }                                        // A ; A = cmpd: withdraw is NOT atomic

Between the call to readBalance() and the second synchronized block another thread may change balance, so the write uses stale data; the type system reports the mismatch between the declared atomicity (atomic) and the inferred one (cmpd).
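The lockset walk of slide 4 and the atomicity composition of slides 7 to 9, as an added example that is not part of the original slides or of rccjava (Python, chosen so it runs as-is). Everything in it is assumed for illustration: the toy AST (Access, Call, Sync, Method, Program), the Checker class, and the simplified lattice, which follows the slides in not distinguishing left from right movers. The Account input is constructed from the code on slides 3 and 9, with an extra unsynchronized badDeposit added so the race report has something to show.

```python
# Added example, not rccjava or the Flanagan/Qadeer checker: a toy model of the
# lockset check (slides 3-4) and the simplified atomicity lattice (slides 7-9).
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Union

LEVELS = ["const", "mover", "atomic", "cmpd", "error"]  # const < ... < error

def join(a: str, b: str) -> str:
    """Least upper bound of two atomicities."""
    return LEVELS[max(LEVELS.index(a), LEVELS.index(b))]

def seq(atoms: List[str]) -> str:
    """Sequential composition: mover* = mover, mover* atomic mover* = atomic,
    atomic atomic = cmpd; cmpd and error absorb everything else."""
    if "error" in atoms:
        return "error"
    if "cmpd" in atoms or atoms.count("atomic") > 1:
        return "cmpd"
    if "atomic" in atoms:
        return "atomic"
    return "mover" if "mover" in atoms else "const"

# Toy AST for one Java-like class (an assumed shape, not rccjava's own).
@dataclass
class Access:  # read or write of a field
    field: str

@dataclass
class Call:    # call to a method of the same class
    method: str

@dataclass
class Sync:    # synchronized(lock) { body }
    lock: str
    body: List["Stmt"]

Stmt = Union[Access, Call, Sync]

@dataclass
class Method:
    body: List[Stmt]
    requires: FrozenSet[str] = frozenset()  # /*# requires l */

@dataclass
class Program:
    guarded_by: Dict[str, str]  # field -> lock, from /*# guarded_by l */
    methods: Dict[str, Method]

class Checker:
    # Walks each method with the set of locks known to be held (the lockset),
    # recording races and computing the method's atomicity. Assumes no recursion.
    def __init__(self, prog: Program):
        self.prog, self.races, self.cache = prog, [], {}

    def method(self, name: str) -> str:
        if name not in self.cache:
            m = self.prog.methods[name]
            # `requires l` lets the callee assume l is held on entry
            self.cache[name] = self.block(m.body, set(m.requires), name)
        return self.cache[name]

    def block(self, stmts: List[Stmt], lockset: set, where: str) -> str:
        return seq([self.stmt(s, lockset, where) for s in stmts])

    def stmt(self, s: Stmt, lockset: set, where: str) -> str:
        if isinstance(s, Access):
            guard = self.prog.guarded_by[s.field]
            if guard in lockset:
                return "mover"  # access under its guard commutes with other threads
            self.races.append(f"{where}: access to {s.field} without holding {guard}")
            return "error"
        if isinstance(s, Call):
            missing = set(self.prog.methods[s.method].requires) - lockset
            if missing:
                self.races.append(f"{where}: {s.method}() requires {sorted(missing)}")
                return "error"
            return self.method(s.method)
        # Sync: acquire is a right mover and release a left mover, so R; a; L
        # is atomic when a is at most atomic and keeps a's level otherwise.
        return join("atomic", self.block(s.body, lockset | {s.lock}, where))

def check(prog: Program):
    """Return (atomicity per method, list of race reports)."""
    c = Checker(prog)
    return {name: c.method(name) for name in prog.methods}, c.races

def atomicity_violations(prog: Program, declared: Dict[str, str]) -> List[str]:
    """Methods whose inferred atomicity is above the level they declare."""
    inferred, _ = check(prog)
    return [m for m, a in declared.items() if join(inferred[m], a) != a]

# Constructed input: the Account class of slides 3 and 9, plus a deliberately
# unsynchronized variant of deposit so the race check has something to report.
ACCOUNT = Program(
    guarded_by={"balance": "this"},
    methods={
        "update": Method([Access("balance")], requires=frozenset({"this"})),
        "deposit": Method([Sync("this", [Access("balance"), Call("update")])]),
        "readBalance": Method([Sync("this", [Access("balance")])]),
        "withdraw": Method([Call("readBalance"), Sync("this", [Access("balance")])]),
        "badDeposit": Method([Access("balance"), Call("update")]),
    },
)
```

check(ACCOUNT) infers update: mover, deposit: atomic, readBalance: atomic, withdraw: cmpd (atomic ; atomic) and badDeposit: error, with both race reports pointing at badDeposit; atomicity_violations(ACCOUNT, {"readBalance": "atomic", "withdraw": "atomic"}) flags withdraw as failing its declared atomicity, which is exactly the slide's finding. The real checker reasons per lock expression with left and right movers and handles recursion and ghost lock parameters; none of that is modelled here.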
Reported Application
• Run on several standard JDK 1.4 classes: StringBuffer, String, PrintWriter, Vector, …
• Sizes from 296 LOC to 2399 LOC
• Found one bug in StringBuffer