1 / 18

GUI Threading Explained and Verified

GUI Threading Explained and Verified. Michael Ernst U. of Washington, Seattle, USA IMDEA Software Institute, Madrid, Spain joint work with Colin Gordon, Sai Zhang, Werner Dietl , and others http://checkerframework.org/. Invalid UI updates. void method1() {

levi-holland
Download Presentation

GUI Threading Explained and Verified

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. GUI ThreadingExplained and Verified Michael Ernst U. of Washington, Seattle, USA IMDEA Software Institute, Madrid, Spain joint work with Colin Gordon, Sai Zhang, Werner Dietl, and others http://checkerframework.org/

  2. Invalid UI updates void method1() { mylabel.setText("Hello from method1"); } void method2() { mylabel.setText("Hello from method2"); } // Corrected method2 void method2() { Display.syncExec(new Runnable { void run() {mylabel.setText("Hello from method2()"); } }); } Making the same change to method1 is unnecessary and dangerous (new concurrency errors) Hello from method1 http://www.myeclipseide.com/PNphpBB2-printview-t-26285-start-0.html

  3. GUI threading errors are common • One of the top 3 SWT exceptions • Tens of thousands of search results • >2700 Eclipse bug reports • Possibly long-lived • One >10 years old in Eclipse! Android Swing

  4. A single-threaded GUI program Single-threaded program Accept user input Update the display Long-running computations Problem: unresponsive UI

  5. A multi-threaded GUI program GUI thread Background worker thread Accept user input Update the display Long-running computations Must not access the UI • Simultaneous access to UI from 2 threads: Race condition • Data corruption (lost & partial updates) • Crashes

  6. GUI thread discipline Only the UI thread may access UI objects • Most GUI methods must run only on the UI thread • E.g. JLabel.setText() Other threads should use: syncExec(new Runnable{ run(){ … } }) Advantages: • Simple specification • Responsive UI • Atomic updates without explicit synchronization Problem: It’s easy to make mistakes

  7. Programmer must remember calling context  public void updateView() {setupTitle(this.title);} For each method: • Can I access the UI in the body of this method? • When is it safe to call this method? • UI libraries may not document this behavior well Idea: Automated program analysis to find and prevent UI threading errors

  8. Two analyses to detect GUI threading errors • Heuristic analysis • Requires no programmer effort • Finds many bugs in practice • GUI Error Detector: https://guierrordetector.googlecode.com/ • Type system • Sound; gives a guarantee • Requires modest programmer effort • Yields machine-checked documentation • GUI Effect Checker: http://checkerframework.org/ Sai Zhang This talk Colin Gordon

  9. Where may a method be called? Relationship between them: • Only called from UI thread @UIEffect • Safe to be called from any thread @SafeEffect “Effect” because this is an effect system • A type system approximates values (e.g., Integer) • An effect system approximates side effects or behavior (Java’s checked exceptions are also an effect system.) @UIEffect @UIEffect @SafeEffect @SafeEffect

  10. Annotated code class JLabel { … @UIEffectpublic void setText(String s); } class Client { … @SafeEffectpublic void updateView() { myJlabel.setText("New Title"); // ERROR } @UIEffectpublic void refreshView() { myJlabel.setText("New Title"); // OK } }

  11. Polymorphic effects interface Runnable {@??Effect public void run();} Runnable: • Sometimes used for the UI thread • Sometimes used for background threads Should it be annotated as @UIEffector @SafeEffect? Solution: polymorphism Analogy: List<String> vs. List<Integer> Similarly, Runnable<@UIEffect> vs. Runnable<@SafeEffect> (Actual syntax: @PolyUI Runnable) Preserves backward compatibility with the JDK

  12. Using the GUI Effect Checker • Run javac with GUI Effect Checker plug-in javac--processor GuiEffectCheckerMyFile.java • IDEs are also supported • Examine error reports • Add annotations to clarify program • Repeat until you can’t fix more errors One-time process! Low incremental cost. developer *.java javac + GUI Effect Checker UI-correct program code annotations error reports

  13. Case studies • Few false positives • Usually code smells • Would be avoided if starting with GUI Effect Checker • Modest annotation burden: • 7 annotations / 1000 LOC • 4300 LOC / hour

  14. Type qualifiers • In Java 8: annotations on types @Untainted String query; List<@NonNullString> strings; myGraph = (@Immutable Graph) tmpGraph; class UnmodifiableList<T> implements @Readonly List<@Readonly T> {} • Backward-compatible: compile with any Java compiler List</*@NonNull*/ String> strings;

  15. Benefits of type qualifiers • Find bugs in programs • Guarantee the absence of errors • Improve documentation • Improve code structure & maintainability • Aid compilers, optimizers, and analysis tools • Reduce number of assertions and run-time checks • Possible negatives: • Must write the types (or use type inference) • False positives are possible (can be suppressed)

  16. What bugs can you detect & prevent? The annotation you write: The property you care about: • Null dereferences • Mutation and side-effects • Concurrency: locking • Security: encryption,tainting • Aliasing • Equality tests • Strings: localization,regular expression syntax,signature representation,format string syntax • Enumeractions • Typestate (e.g., open/closed files) Users can write their own checkers • @NonNull • @Immutable • @GuardedBy • @Encrypted@OsTrusted, @Untainted… • @Linear • @Interned • @Localized@Regex@FullyQualified@Format • @Fenum • @State

  17. What a checker guarantees • The program satisfies the type property. There are: • no bugs (of particular varieties) • no wrong annotations • Caveat 1: only for code that is checked • Native methods • Reflection • Code compiled without the pluggable type checker • Suppressed warnings • Indicates what code a human should analyze • Checking part of a program is still useful • Caveat 2: The checker itself might contain an error

  18. Pluggable type-checkingfor bug detection and verification • GUI Effect Checker: • Polymorphic effect system for UI threading • Simple & effective • Finds bugs • Modest annotation burden • Additional checkers exist for dozens of other bugs • Distributed with the Checker Framework • Try it today! http://checkerframework.org

More Related