22Hong,Shin @ PSWLAB Type-Based Race Detection for J AVA by Cormac Flanagan, Stephen N. Freund 22 nd Feb 2008 presented by Hong,Shin 2015-10-181Type-Based

/ 22Hong,Shin @ PSWLAB

Type-Based Race Detection for JAVA

by Cormac Flanagan, Stephen N. Freund

22nd Feb 2008presented by Hong,Shin

23年 4月 20日

1Type-Based Race Detection for JAVA


Introduction• Race condition occurs when two thread manipulate

a shared data structure simultaneously without synchronization.

• Race condition errors are schedule-dependent that these are difficult to catch using traditional testing technologies.Support lock-based synchronization discipline by

tracking the protecting lock for each shared field in the program and verifying that the appropriate lock is held whenever a shared field is accessed.

Express the reasoning and checks performed by this analysis as an extension of JAVA’s type system.

23年 4月 20日

Type-Based Race Detection for JAVA 2


Introduction 2/2

• Start by adopting the target system to a core subset of JAVA.

• And then extends the type system with a number of additional features:– classes parameterized by the locks– classes that are local to a particular thread

23年 4月 20日



CONCURRENT JAVA 1/2

• CONCURRENT JAVA is a multithreaded subset of JAVA.• Syntax

23年 4月 20日


if final modifier is present, then the field cannot be updated after initialization.


CONCURRENT JAVA 2/3

• Informal Semantics– CONCURRENT JAVA supports multithreaded programs by

including the operation fork e which spawn a new thread for the evaluation of e.

– Locks are provided: each object has an associated binary lock. The expression synchronized e1 in e2 is evaluated as follow:

(1) acquire the associated lock of e1 .

(2) e2 is then evaluated.

(3) release the associated lock of e1.

23年 4月 20日



CONCURRENT JAVA 3/31 class Account {

2 int balance = 0

3 int deposit(int x) {

4 this.balance = this.balance + x

5 }

6 }

7 let Account a = new Account in {

8 fork { a.deposit(10) }


10 }

23年 4月 20日


Schedule Scenario 2

<Thread 1> <Thread2>

8 call a.deposit(10)8 call

a.deposit(10)4 this.balance+x=10

4 this.balance+x=104 this.balance :=10

4 this.balance :=10

Schedule Scenario 1

<Thread 1> <Thread2>

8 call a.deposit(10)4 this.balance+x=104 this.balance:=10

8 call a.deposit(10)4

this.balance+x=204 this.balance :=20

1 class Account {

2 int balance = 0

3 int deposit(int x) {

4 synchronized this in {

5 this.balance = this.balance + x

6 }

7 }

8 }

9 let Account a = new Account in {



12 } /* Race-Free Account */


RACEFREE JAVA 1/1• Race conditions are commonly avoided by the lock-based

synchronization discipline.• The type system needs to verify that each field has a protecting lock

that is held whenever the field is accessed or updated.(1) associates a protecting lock with each field declaration.

→ programmers provide additional type annotations(2) tracks the set of locks held at each field access or update.

→ the type system automatically verifies that the locks are indeed held at each field access, field update, and call-site of the method.

• RACEFREE JAVA– An extended language of CONCURRENT JAVA

– The modified syntax

23年 4月 20日


field ::= [final]opt t fd guarded_by l = emeth ::= t mn (arg*) [requires ls]opt { e }ls ::= l*l ::= e


Type System 1/5• Type Judgment

– P ; E ; ls ` e : tP : the program being checkedE : an environment providing types for the free variables of els : a set of final expressions describing the locks that are held when the expression

e is evaluated.e : an expressiont : the type of e

• Type Rules– The type rules track the set of locks held each program point.

23年 4月 20日


{ }

P ; E ` fianl l : c checks that l is a final expression of some class type c


Type System 2/5

23年 4月 20日


Check that the lock l guarding fd is held at this program point; i.e., that l denotes the same lock as some expression l’ in current lock set.→ approximates semantic equivalence by syntactic equivalence, and simply to check that l ≡ l’.

P ; E ` fianl e1 : c checks that e1 is a final expression of some class type c

ex) final Object a = new Object final Object b = a int data guarded_by a

: synchronized b in { data = 0 }


Type System – Example 3/5

P :class Account {

int balance guarded_by this = 0

int deposit(int x)

synchronized this in {

this.balance =

this.balance + x

}

}

let Account a = new Account in {

fork { a.deposit(10 }

fork { a.deposit(10) }

}

23年 4月 20日


P ; Account this ` int P ; Account this ` Á P ; Account this, int x ; Á ` synchronized …. : int -------------------------[METHOD] P ; Account this `final this : Account P ; Account this ; Á ` 0 : int -------------------------[FIELD] E = Account this P ; Account this ` int balance guarded_by this=0 P ; Account this ` int deposit(int x) { … } -------------------[CLASS] P = class Account{ …} let Account a = new Account …. P ` class Account{…} P ; Á ; Á ` let Account a = new Account in … : int--------------------[PROG]` P : int


Type System – Example 4/5 P ; Account this, int x ` this : Account P ; Account this, int x ` (int balance guarded_by this = 0) 2 Account P ; Account this, int x ` this 2 {this} P ; Account this, int x ` int -------------------[EXP REF] P ; Account this, int x ; {this} ` this.balance+x : Account P ; Account this, int x ` (int balance guarded_by this = 0) 2 Account P ; Account this, int x ` this 2{this} P ; Account this, int x ; {this} ` this.balance+x -------------------[EXP ASSIGN] P ; Account this, int x `final this : Account

P ; Account this, int x ; {this} ` {this.balance=this.balance+x} : int------------------[EXP SYNC]P ; Account this, int x ; Á ` synchronized this in {this.balance=this.balance+x} : int

::

23年 4月 20日



Type System – Example 5/5

23年 4月 20日


P ; Account a ; Á ` a : Account P ; Account a ` (int deposit(int x)) 2 Account P ; Account a ; Á ` 10 : int P ; Account a ` Á µ Á P ; Account a ` int --------------------[EXP INVOKE] P ; Account a ` Á P ; Account a ; Á ` a.deposit(10) : int --------------------[EXP FORK] P ; Á ; Á ` new Account : Account P ; Account a ; Á ` fork{a.deposit(10)} fork{a.deposit(10)} : s P ; Á ; Á ` s---------------------[EXP LET] P = defn e <defn: class Account …, e: let Account ..>

P ` defn P ; Á ; Á ` let Account a = new Account in {…} : int--------------------[PROG]` P : int


External Locks 1/2• The only variable in scope at a field declaration is this, the

fields of an object must be protected by a lock that is accessible from the object.

• It is necessary to protect the fields of an object by some locks external to the object.Ex) In a linked list, the node objects in a list should be synchronized by a

lock which is outside of the node class.

• To accommodate this programming pattern, we extend RACEFREE JAVA to allow classes to be parameterized by external locks

defn ::= class cn<garg*> bodygarg ::= ghost t xc ::= cn<l*> | Object

23年 4月 20日



External Locks 2/2

23年 4月 20日



Thread-Local Classes 1/2

• Large multithreaded programs typically have sections of code that operate on data that is not shared across multiple threads.

• To accommodate this situation, the concept of thread-local classes is introduced.

• The language is extended to allow an optional thread_local modifier on class definitions and to make guarded_by clause on field declarations optional in a thread-local class.

defn ::= [thread_local]opt class cn <garg*> body

field ::= [final]opt t fd [guarded_by l]opt = e

23年 4月 20日



Thread-Local Classes 2/2

23年 4月 20日


• The type system must ensure that thread-local objects are not accessible from non thread-local objects. extends the rules not to eliminate this possibility.


Implementation 1/1

23年 4月 20日


• RACEFREE JAVA type system is extended to support full JAVA language in rccjava implementation.

• The comments that start with the character “#” are treated as type annotations by the tool.

• The tool was built on top of an existing JAVA front-end that includes a scanner, parser, and type checker.


Experiment Results 1/2

23年 4月 20日


•To test effectiveness of the tool, several multithreaded JAVA program was checked by the tool.• It was reported that the annotation process proceeded at a rate of 1000lines of code per programmer-hour.


Experiment Results 2/2

23年 4月 20日


1.class Vector {2. Object elementData[] /*# guarded_by this */3. int elementCount /*# guarded_by this */4. synchronized boolean removeAllElements() {5. :6. elementCount = 0 ;7. :8. }

9. synchronized int lastIndexOf(Object elem, int n) {10. for (int i = n ; --i >= 0 ; ) 11. if (elem.equals(elementData[i])) { … }12. }

13. int lastIndexOf(Object elem) {14. return lastIndexOf(elem, elementCount) ;15. }16.} Excerpt from java.util.Vector

Two threads work on the same Vector objectelementCount = 10 ;

<Thread1> <Thread2>

13 invokel lastIndexOf(elem)4 invoke synchronized

removeAllElements()5 elementCount = 0

14 invoke lastIndexOf(elem, 10) Race!


Conclusion• The type system enforces programmers to write locking

strategies of a program as annotations and checks whether the programmer wrote the program with the strategies or not.

• This type system enables race conditions to be detected early in the development cycle.

• The annotations can be used as documentation of locking strategies.

• Some synchronization patters are not supported in the type system(ex. reader-writer locks)

23年 4月 20日



Further work• Efficient and Precise Datarace Detection for Multithreaded

Object-Oriented Programs (PLDI’02)

• LOCKSMITH: Context-Sensitive Correlation Analysis for Race Detection(PLDI’06)

23年 4月 20日



Reference[1] Type-Based Race Detection for JAVA, Cormac

Flanagan, Stephen N. Freund, PLDI 2000

23年 4月 20日


Documents

22Hong,Shin @ PSWLAB Type-Based Race Detection for J AVA by Cormac Flanagan, Stephen N. Freund 22 nd Feb 2008 presented by Hong,Shin 2015-10-181Type-Based