1 / 22

Type-Based Race Detection for J AVA

Type-Based Race Detection for J AVA. by Cormac Flanagan, Stephen N. Freund 22 nd Feb 2008 presented by Hong,Shin. Introduction. Race condition occurs when two thread manipulate a shared data structure simultaneously without synchronization.

chaka
Download Presentation

Type-Based Race Detection for J AVA

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Type-Based Race Detection for JAVA by Cormac Flanagan, Stephen N. Freund 22nd Feb 2008 presented by Hong,Shin Type-Based Race Detection for JAVA

  2. Introduction • Race condition occurs when two thread manipulate a shared data structure simultaneously without synchronization. • Race condition errors are schedule-dependent that these are difficult to catch using traditional testing technologies. • Support lock-based synchronization discipline by tracking the protecting lock for each shared field in the program and verifying that the appropriate lock is held whenever a shared field is accessed. • Express the reasoning and checks performed by this analysis as an extension of JAVA’s type system. Type-Based Race Detection for JAVA

  3. Introduction 2/2 • Start by adopting the target system to a core subset of JAVA. • And then extends the type system with a number of additional features: • classes parameterized by the locks • classes that are local to a particular thread Type-Based Race Detection for JAVA

  4. CONCURRENT JAVA 1/2 • CONCURRENT JAVA is a multithreaded subset of JAVA. • Syntax if final modifier is present, then the field cannot be updated after initialization. Type-Based Race Detection for JAVA

  5. CONCURRENT JAVA2/3 • Informal Semantics • CONCURRENT JAVA supports multithreaded programs by including the operation fork e which spawn a new thread for the evaluation of e. • Locks are provided: each object has an associated binary lock. The expression synchronized e1 in e2is evaluated as follow: (1) acquire the associated lock of e1 . (2) e2 is then evaluated. (3) release the associated lock of e1. Type-Based Race Detection for JAVA

  6. CONCURRENT JAVA 3/3 Schedule Scenario 1 <Thread 1> <Thread2> 8 call a.deposit(10) 4 this.balance+x=10 4 this.balance:=10 8 call a.deposit(10) 4 this.balance+x=20 4 this.balance :=20 1 class Account { 2 int balance = 0 • int deposit(int x) { 4 this.balance = this.balance + x 5 } 6 } 7 let Account a = new Account in { 8 fork { a.deposit(10) } 9 fork { a.deposit(10) } 10 } Schedule Scenario 2 <Thread 1> <Thread2> 8 call a.deposit(10) 8 call a.deposit(10) 4 this.balance+x=10 4 this.balance+x=10 4 this.balance :=10 4 this.balance :=10 • 1 class Account { • int balance = 0 • int deposit(int x) { • synchronized this in { • this.balance = this.balance + x • } • } • } • let Account a = new Account in { • fork { a.deposit(10) } • fork { a.deposit(10) } • } /* Race-Free Account */ Type-Based Race Detection for JAVA

  7. RACEFREE JAVA 1/1 • Race conditions are commonly avoided by the lock-based synchronization discipline. • The type system needs to verify that each field has a protecting lock that is held whenever the field is accessed or updated. (1) associates a protecting lock with each field declaration. → programmers provide additional type annotations (2) tracks the set of locks held at each field access or update. → the type system automatically verifies that the locks are indeed held at each field access, field update, and call-site of the method. • RACEFREE JAVA • An extended language of CONCURRENT JAVA • The modified syntax field::= [final]optt fdguarded_byl = e meth ::= t mn (arg*) [requiresls]opt{ e } ls ::= l* l ::= e Type-Based Race Detection for JAVA

  8. Type System 1/5 • Type Judgment • P ; E ; ls`e : t P : the program being checked E : an environment providing types for the free variables of e ls : a set of final expressions describing the locks that are held when the expression e is evaluated. e : an expression t : the type of e • Type Rules • The type rules track the set of locks held each program point. { } P ; E`fianll : c checks that l is a final expression of some class type c Type-Based Race Detection for JAVA

  9. Type System 2/5 P ; E `fianl e1 : c checks that e1 is a final expression of some class type c Check that the lock l guarding fd is held at this program point; i.e., that l denotes the same lock as some expression l’ in current lock set. → approximates semantic equivalence by syntactic equivalence, and simply to check that l≡ l’. ex) final Object a = new Object final Object b = a int data guarded_by a : synchronized b in { data = 0 } Type-Based Race Detection for JAVA

  10. Type System – Example 3/5 P ; Account this ` int P ; Account this `Á P ; Account this, int x ; Á` synchronized …. : int -------------------------[METHOD] P ; Account this `final this : Account P ; Account this ; Á` 0 : int -------------------------[FIELD] E = Account this P ; Account this ` int balance guarded_by this=0 P ; Account this ` int deposit(int x) { … } -------------------[CLASS] P = class Account{ …} let Account a = new Account …. P ` class Account{…} P ; Á ; Á` let Account a = new Account in … : int --------------------[PROG] ` P : int P : class Account { int balance guarded_by this = 0 int deposit(int x) synchronized this in { this.balance = this.balance + x } } let Account a = new Account in { fork { a.deposit(10 } fork { a.deposit(10) } } Type-Based Race Detection for JAVA

  11. Type System – Example 4/5 P ; Account this, int x ` this : Account P ; Account this, int x ` (int balance guarded_by this = 0) 2 Account P ; Account this, int x ` this 2 {this} P ; Account this, int x ` int -------------------[EXP REF] P ; Account this, int x ; {this} ` this.balance+x : Account P ; Account this, int x ` (int balance guarded_by this = 0) 2 Account P ; Account this, int x ` this 2{this} P ; Account this, int x ; {this} ` this.balance+x -------------------[EXP ASSIGN] P ; Account this, int x `final this : Account P ; Account this, int x ; {this} ` {this.balance=this.balance+x} : int ------------------[EXP SYNC] P ; Account this, int x ; Á` synchronized this in {this.balance=this.balance+x} : int : : Type-Based Race Detection for JAVA

  12. Type System – Example 5/5 P ; Account a ; Á` a : Account P ; Account a ` (int deposit(int x)) 2 Account P ; Account a ; Á` 10 : int P ; Account a `ÁµÁ P ; Account a ` int --------------------[EXP INVOKE] P ; Account a `Á P ; Account a ; Á` a.deposit(10) : int --------------------[EXP FORK] P ; Á ; Á` new Account : Account P ; Account a ; Á` fork{a.deposit(10)} fork{a.deposit(10)} : s P ; Á ; Á` s ---------------------[EXP LET] P = defn e <defn: class Account …, e: let Account ..> P ` defn P ; Á ; Á` let Account a = new Account in {…} : int --------------------[PROG] ` P : int Type-Based Race Detection for JAVA

  13. External Locks 1/2 • The only variable in scope at a field declaration is this, the fields of an object must be protected by a lock that is accessible from the object. • It is necessary to protect the fields of an object by some locks external to the object. Ex) In a linked list, the node objects in a list should be synchronized by a lock which is outside of the node class. • To accommodate this programming pattern, we extend RACEFREE JAVA to allow classes to be parameterized by external locks defn ::= classcn<garg*> body garg ::= ghostt x c ::= cn<l*> | Object Type-Based Race Detection for JAVA

  14. External Locks 2/2 Type-Based Race Detection for JAVA

  15. Thread-Local Classes 1/2 • Large multithreaded programs typically have sections of code that operate on data that is not shared across multiple threads. • To accommodate this situation, the concept of thread-local classes is introduced. • The language is extended to allow an optional thread_local modifier on class definitions and to make guarded_by clause on field declarations optional in a thread-local class. defn::=[thread_local]optclasscn <garg*> body field::= [final]optt fd [guarded_by l]opt = e Type-Based Race Detection for JAVA

  16. Thread-Local Classes 2/2 • The type system must ensure that thread-local objects are not accessible from non thread-local objects. • extends the rules not to eliminate this possibility. Type-Based Race Detection for JAVA

  17. Implementation 1/1 • RACEFREE JAVA type system is extended to support full JAVA language in rccjava implementation. • The comments that start with the character “#” are treated as type annotations by the tool. • The tool was built on top of an existing JAVA front-end that includes a scanner, parser, and type checker. Type-Based Race Detection for JAVA

  18. Experiment Results 1/2 • To test effectiveness of the tool, several multithreaded JAVA program was checked by the tool. • It was reported that the annotation process proceeded at a rate of 1000lines of code per programmer-hour. Type-Based Race Detection for JAVA

  19. Experiment Results 2/2 class Vector { Object elementData[] /*# guarded_by this */ int elementCount /*# guarded_by this */ synchronized boolean removeAllElements() { : elementCount = 0 ; : } synchronized int lastIndexOf(Object elem, int n) { for (int i = n ; --i >= 0 ; ) if (elem.equals(elementData[i])) { … } } int lastIndexOf(Object elem) { return lastIndexOf(elem, elementCount) ; } } Excerpt from java.util.Vector Two threads work on the same Vector object elementCount = 10 ; <Thread1><Thread2> 13 invokel lastIndexOf(elem) 4 invoke synchronized removeAllElements() 5 elementCount = 0 14 invoke lastIndexOf(elem, 10)  Race! Type-Based Race Detection for JAVA

  20. Conclusion • The type system enforces programmers to write locking strategies of a program as annotations and checks whether the programmer wrote the program with the strategies or not. • This type system enables race conditions to be detected early in the development cycle. • The annotations can be used as documentation of locking strategies. • Some synchronization patters are not supported in the type system (ex. reader-writer locks) Type-Based Race Detection for JAVA

  21. Further work • Efficient and Precise Datarace Detection for Multithreaded Object-Oriented Programs (PLDI’02) • LOCKSMITH: Context-Sensitive Correlation Analysis for Race Detection(PLDI’06) Type-Based Race Detection for JAVA

  22. Reference [1] Type-Based Race Detection for JAVA, Cormac Flanagan, Stephen N. Freund, PLDI 2000 Type-Based Race Detection for JAVA

More Related