DOI: 10.1145/1693453.1693485 (PPoPP conference proceedings)
research-article

Composable thread coloring

Published: 09 January 2010

ABSTRACT

This paper introduces the language-independent concept of "thread usage policy." Many multi-threaded software systems contain policies that regulate associations among threads, executable code, and potentially shared state. A system, for example, may constrain which threads are permitted to execute particular code segments, usually as a means to constrain those threads from accessing or writing particular elements of state. These policies ensure properties such as state confinement or reader/writer constraints, often without recourse to locking or transaction discipline.

Our approach allows developers to concisely document their thread usage policies in a manner that enables the use of sound scalable analysis to assess consistency of policy and as-written code. This paper identifies the key semantic concepts of our thread coloring language and illustrates how to use its succinct source-level annotations to express models of thread usage policies, following established annotation conventions for Java.

We have built a prototype static analysis tool, implemented as an integrated development environment plug-in (for the Eclipse IDE), that notifies developers of discrepancies between policy annotations and as-written code. Our analysis technique uses several underlying algorithms based on abstract interpretation, call-graphs, and type inference. The resulting overall analysis is both sound and composable. We have used this prototype analysis tool in case studies to model and analyze more than a million lines of code.

Our validation process included field trials on a wide variety of complex large-scale production code selected by the host organizations. Our in-field experience led us to focus on potential adoptability by real-world developers. We have developed techniques that can reduce annotation density to less than one line per thousand lines of code (KLOC). In addition, the prototype analysis tool supports an incremental and iterative approach to modeling and analysis. This approach enabled field trial partners to directly target areas of greatest concern and to achieve useful results within a few hours.

