ABSTRACT
This paper introduces the language-independent concept of "thread usage policy." Many multi-threaded software systems contain policies that regulate associations among threads, executable code, and potentially shared state. A system, for example, may constrain which threads are permitted to execute particular code segments, usually as a means of constraining those threads from reading or writing particular elements of state. Such policies ensure properties such as state confinement or reader/writer constraints, often without recourse to locking or transaction discipline.
Our approach allows developers to concisely document their thread usage policies in a manner that enables a sound, scalable analysis to assess the consistency of policy and as-written code. This paper identifies the key semantic concepts of our thread coloring language and illustrates how its succinct source-level annotations express models of thread usage policies, following established annotation conventions for Java.
We have built a prototype static analysis tool, implemented as an integrated development environment plug-in (for the Eclipse IDE), that notifies developers of discrepancies between policy annotations and as-written code. Our analysis technique uses several underlying algorithms based on abstract interpretation, call-graphs, and type inference. The resulting overall analysis is both sound and composable. We have used this prototype analysis tool in case studies to model and analyze more than a million lines of code.
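The following Java sketch is an added illustration of the idea above; it is not the paper's annotation language or its Eclipse plug-in. It models a Swing-style policy with a hypothetical @ThreadRole annotation, hand-writes the call graph (a real checker derives it from the code), and checks each call site for the condition a call-graph analysis would enforce: every role allowed to run the caller must also be allowed to run the callee. The annotation name, the role names "AWT" and "Compute", the Model class, and the CALLS table are all assumptions made for the example.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

/** Added example (not the paper's code): a toy thread-role policy plus a
 *  call-graph consistency check. Annotation and role names are assumptions. */
public class ThreadPolicyDemo {

    /** Roles (thread "colors") permitted to execute the annotated method. */
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface ThreadRole { String[] value(); }

    /** Code under policy: a Swing-style component and a background worker. */
    static class Model {
        @ThreadRole({"AWT"})           // confined to the event thread, so no lock is needed
        void updateLabel(String s) { /* touches UI state */ }

        @ThreadRole({"Compute"})       // only the background worker may run this
        String longCalculation() { return "done"; }

        @ThreadRole({"AWT", "Compute"}) // a transfer point: callable from any role,
        void invokeLater(Runnable r) { } // the Runnable itself runs under AWT

        @ThreadRole({"Compute"})
        void workerBody() {
            String r = longCalculation();  // Compute -> Compute: consistent
            updateLabel(r);                // Compute -> AWT-only: policy violation
        }

        @ThreadRole({"Compute"})
        void workerBodyFixed() {
            String r = longCalculation();
            invokeLater(() -> updateLabel(r)); // Compute -> {AWT,Compute}: consistent
        }

        @ThreadRole({"AWT"})
        void onClick() { updateLabel("clicked"); } // AWT -> AWT: consistent
    }

    /** Constructed call graph for the example; a real tool computes this. */
    static final Map<String, List<String>> CALLS = Map.of(
        "workerBody",      List.of("longCalculation", "updateLabel"),
        "workerBodyFixed", List.of("longCalculation", "invokeLater"),
        "onClick",         List.of("updateLabel"));

    /** Roles declared on a method, or null when it carries no annotation. */
    static Set<String> rolesOf(Method m) {
        ThreadRole r = m.getAnnotation(ThreadRole.class);
        return r == null ? null : new HashSet<>(Arrays.asList(r.value()));
    }

    /** A call m1 -> m2 is consistent iff roles(m1) is a subset of roles(m2). */
    static List<String> check(Class<?> c) {
        Map<String, Method> byName = new HashMap<>();
        for (Method m : c.getDeclaredMethods()) byName.put(m.getName(), m);
        List<String> violations = new ArrayList<>();
        for (Map.Entry<String, List<String>> e : CALLS.entrySet()) {
            Set<String> callerRoles = rolesOf(byName.get(e.getKey()));
            for (String callee : e.getValue()) {
                Set<String> calleeRoles = rolesOf(byName.get(callee));
                // Unannotated methods would get their constraint by inference; skipped here.
                if (callerRoles == null || calleeRoles == null) continue;
                if (!calleeRoles.containsAll(callerRoles)) {
                    violations.add(e.getKey() + " " + callerRoles
                        + " calls " + callee + " " + calleeRoles);
                }
            }
        }
        return violations;
    }

    public static void main(String[] args) {
        for (String v : check(Model.class)) {
            System.out.println("policy violation: " + v);
        }
    }
}
```

Running the class reports one violation, the direct call from workerBody to the AWT-confined updateLabel, while workerBodyFixed passes because it routes the update through the transfer point whose declared roles include the worker's. The subset test is what makes the check composable: each call site is judged only against the declared constraints of its caller and callee, not against the whole program.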
Our validation process included field trials on a wide variety of complex large-scale production code selected by the host organizations. Our in-field experience led us to focus on potential adoptability by real-world developers. We have developed techniques that can reduce annotation density to less than one line per thousand lines of code (KLOC). In addition, the prototype analysis tool supports an incremental and iterative approach to modeling and analysis. This approach enabled field trial partners to directly target areas of greatest concern and to achieve useful results within a few hours.
Composable thread coloring. PPoPP '10.