TypeBased Race Detection for JAVA by Cormac Flanagan
Type-Based Race Detection for JAVA by Cormac Flanagan, Stephen N. Freund 22 nd Feb 2008 presented by Hong, Shin 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 1 / 22
Introduction • Race condition occurs when two thread manipulate a shared data structure simultaneously without synchronization. • Race condition errors are schedule-dependent that these are difficult to catch using traditional testing technologies. èSupport lock-based synchronization discipline by tracking the protecting lock for each shared field in the program and verifying that the appropriate lock is held whenever a shared field is accessed. èExpress the reasoning and checks performed by this analysis as an extension of JAVA’s type system. 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 2 / 22
Introduction 2/2 • Start by adopting the target system to a core subset of JAVA. • And then extends the type system with a number of additional features: – classes parameterized by the locks – classes that are local to a particular thread 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 3 / 22
CONCURRENT JAVA 1/2 • CONCURRENT JAVA is a multithreaded subset of JAVA. • Syntax if final modifier is present, then the field cannot be updated after initialization. 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 4 / 22
CONCURRENT JAVA 2/3 • Informal Semantics – CONCURRENT JAVA supports multithreaded programs by including the operation fork e which spawn a new thread for the evaluation of e. – Locks are provided: each object has an associated binary lock. The expression synchronized e 1 in e 2 is evaluated as follow: (1) acquire the associated lock of e 1. (2) e 2 is then evaluated. (3) release the associated lock of e 1. 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 5 / 22
CONCURRENT JAVA 1 2 3 4 5 6 7 8 9 10 class Account { int balance = 0 int deposit(int x) { this. balance = this. balance + x } } let Account a = new Account in { fork { a. deposit(10) } } 1 2 3 4 5 6 7 8 9 10 11 12 class Account { int balance = 0 int deposit(int x) { synchronized this in { this. balance = this. balance + x } } } let Account a = new Account in { fork { a. deposit(10) } } /* Race-Free Account */ 2022 -01 -15 Type-Based Race Detection for JAVA 3/3 Schedule Scenario 1 <Thread 1> 8 call a. deposit(10) 4 this. balance+x=10 4 this. balance: =10 <Thread 2> 8 call a. deposit(10) 4 this. balance+x=20 4 this. balance : =20 Schedule Scenario 2 <Thread 1> 8 call a. deposit(10) 4 this. balance+x=10 4 this. balance : =10 <Thread 2> 8 call a. deposit(10) 4 this. balance+x=10 4 this. balance : =10 Hong, Shin @ PSWLAB 6 / 22
RACEFREE JAVA 1/1 • Race conditions are commonly avoided by the lock-based synchronization discipline. • The type system needs to verify that each field has a protecting lock that is held whenever the field is accessed or updated. (1) associates a protecting lock with each field declaration. → programmers provide additional type annotations (2) tracks the set of locks held at each field access or update. → the type system automatically verifies that the locks are indeed held at each field access, field update, and call-site of the method. • RACEFREE JAVA – An extended language of CONCURRENT JAVA – The modified syntax field meth ls l 2022 -01 -15 : : = [final]opt t fd guarded_by l = e t mn (arg*) [requires ls]opt { e } l* e Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 7 / 22
Type System 1/5 • Type Judgment – P ; E ; ls ` e : t P : the program being checked E : an environment providing types for the free variables of e ls : a set of final expressions describing the locks that are held when the expression e is evaluated. e : an expression t : the type of e • Type Rules – The type rules track the set of locks held each program point. P ; E ` fianl l : c checks that l is a final expression of some class type c {} 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 8 / 22
Type System 2/5 P ; E ` fianl e 1 : c checks that e 1 is a final expression of some class type c Check that the lock l guarding fd is held at this program point; i. e. , that l denotes the same lock as some expression l’ in current lock set. → approximates semantic equivalence by syntactic equivalence, and simply to check that l ≡ l’. ex) 2022 -01 -15 Type-Based Race Detection for JAVA final Object a = new Object final Object b = a int data guarded_by a : synchronized b in { data = 0 } Hong, Shin @ PSWLAB 9 / 22
Type System – Example P ; Account this ` int P ; Account this ` Á P ; Account this, int x ; Á ` synchronized …. : int -------------[METHOD] P ; Account this `final this : Account P ; Account this ; Á ` 0 : int -------------[FIELD] E = Account this P ; Account this ` int balance guarded_by this=0 P ; Account this ` int deposit(int x) { … } ----------[CLASS] P = class Account{ …} let Account a = new Account …. P ` class Account{…} P ; Á ` let Account a = new Account in … : int ----------[PROG] ` P : int 2022 -01 -15 Type-Based Race Detection for JAVA 3/5 P: class Account { int balance guarded_by this = 0 int deposit(int x) synchronized this in { this. balance = this. balance + x } } let Account a = new Account in { fork { a. deposit(10 } fork { a. deposit(10) } } Hong, Shin @ PSWLAB 10 / 22
Type System – Example P P ; ; Account this, int int x x ` ` 4/5 this : Account (int balance guarded_by this = 0) 2 Account this 2 {this} int ----------[EXP REF] P ; Account this, int x ; {this}` this. balance+x : Account P ; Account this, int x ` (int balance guarded_by this = 0) 2 Account P ; Account this, int x ` this 2{this} P ; Account this, int x ; {this} ` this. balance+x ----------[EXP ASSIGN] P ; Account this, int x `final this : Account P ; Account this, int x ; {this}` {this. balance=this. balance+x} : int ---------[EXP SYNC] P ; Account this, int x ; Á ` synchronized this in {this. balance=this. balance+x} : int : : 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 11 / 22
Type System – Example 5/5 P ; Account a ; Á ` a : Account P ; Account a ` (int deposit(int x)) 2 Account P ; Account a ; Á ` 10 : int P ; Account a ` Á µ Á P ; Account a ` int ----------[EXP INVOKE] P ; Account a ` Á P ; Account a ; Á ` a. deposit(10) : int ----------[EXP FORK] P ; Á ` new Account : Account P ; Account a ; Á ` fork{a. deposit(10)} : s P; Á; Á`s -----------[EXP LET] P = defn e <defn: class Account …, e: let Account. . > P ` defn P ; Á ` let Account a = new Account in {…} : int ----------[PROG] ` P : int 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 12 / 22
External Locks 1/2 • The only variable in scope at a field declaration is this, the fields of an object must be protected by a lock that is accessible from the object. • It is necessary to protect the fields of an object by some locks external to the object. Ex) In a linked list, the node objects in a list should be synchronized by a lock which is outside of the node class. • To accommodate this programming pattern, we extend RACEFREE JAVA to allow classes to be parameterized by external locks defn : : = class cn<garg*> body garg : : = ghost t x c : : = cn<l*> | Object 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 13 / 22
External Locks 2022 -01 -15 Type-Based Race Detection for JAVA 2/2 Hong, Shin @ PSWLAB 14 / 22
Thread-Local Classes 1/2 • Large multithreaded programs typically have sections of code that operate on data that is not shared across multiple threads. • To accommodate this situation, the concept of thread-local classes is introduced. • The language is extended to allow an optional thread_local modifier on class definitions and to make guarded_by clause on field declarations optional in a thread-local class. defn : : = [thread_local]opt class cn <garg*> body field : : = [final]opt t fd [guarded_by l]opt = e 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 15 / 22
Thread-Local Classes 2/2 • The type system must ensure that thread-local objects are not accessible from non thread-local objects. è extends the rules not to eliminate this possibility. 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 16 / 22
Implementation 1/1 • RACEFREE JAVA type system is extended to support full JAVA language in rccjava implementation. • The comments that start with the character “#” are treated as type annotations by the tool. • The tool was built on top of an existing JAVA front-end that includes a scanner, parser, and type checker. 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 17 / 22
Experiment Results 1/2 • To test effectiveness of the tool, several multithreaded JAVA program was checked by the tool. • It was reported that the annotation process proceeded at a rate of 1000 lines of code per programmer-hour. 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 18 / 22
![Experiment Results 2/2 1. class Vector { 2. Object element. Data[] /*# guarded_by this](http://slidetodoc.com/presentation_image_h2/72c5856fceda9e947e433666e9d762bf/image-19.jpg "Experiment Results 2/2 1. class Vector { 2. Object element. Data[] /*# guarded_by this")
Experiment Results 2/2 1. class Vector { 2. Object element. Data[] /*# guarded_by this */ 3. int element. Count /*# guarded_by this */ 4. synchronized boolean remove. All. Elements() { 5. : 6. element. Count = 0 ; 7. : 8. } 9. synchronized int last. Index. Of(Object elem, int n) { 10. for (int i = n ; --i >= 0 ; ) 11. if (elem. equals(element. Data[i])) { … } 12. } 13. int last. Index. Of(Object elem) { 14. return last. Index. Of(elem, element. Count) ; 15. } 16. } Excerpt from java. util. Vector Two threads work on the same Vector object element. Count = 10 ; <Thread 1> 13 invokel last. Index. Of(elem) 14 invoke last. Index. Of(elem, 10) Race! 2022 -01 -15 <Thread 2> 4 invoke synchronized remove. All. Elements() 5 element. Count = 0 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 19 / 22
Conclusion • The type system enforces programmers to write locking strategies of a program as annotations and checks whether the programmer wrote the program with the strategies or not. • This type system enables race conditions to be detected early in the development cycle. • The annotations can be used as documentation of locking strategies. • Some synchronization patters are not supported in the type system (ex. reader-writer locks) 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 20 / 22
Further work • Efficient and Precise Datarace Detection for Multithreaded Object. Oriented Programs (PLDI’ 02) • LOCKSMITH: Context-Sensitive Correlation Analysis for Race Detection(PLDI’ 06) 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 21 / 22
![Reference [1] Type-Based Race Detection for JAVA, Cormac Flanagan, Stephen N. Freund, PLDI 2000](http://slidetodoc.com/presentation_image_h2/72c5856fceda9e947e433666e9d762bf/image-22.jpg "Reference [1] Type-Based Race Detection for JAVA, Cormac Flanagan, Stephen N. Freund, PLDI 2000")
Reference [1] Type-Based Race Detection for JAVA, Cormac Flanagan, Stephen N. Freund, PLDI 2000 2022 -01 -15 Type-Based Race Detection for JAVA Hong, Shin @ PSWLAB 22 / 22
- Slides: 22