Correct Concurrency with Chalice


Presentation Transcript


  1. Correct Concurrency with Chalice
  K. Rustan M. Leino, Research in Software Engineering (RiSE), MSR Redmond
  Joint work with: Peter Müller, ETH Zurich; Jan Smans, KU Leuven
  INRIA-MSR, 16 January 2009, Orsay, France

  2. Chalice
  • Experimental language with focus on:
    • Shared-memory concurrency
    • Static verification
  • Features:
    • Object/class-based memory (no subclassing)
    • Fractional-permissions model
    • Locks: mutual exclusion and readers/writers
    • Two-state monitor invariants
    • Deadlock prevention
    • Dynamic lock re-ordering

  3. Permissions
  • Every memory location has an associated permission, which dynamically can be divided between threads and monitors
  • acc(o.x, p) specifies that the holder has p% permission to location o.x
  • acc(o.x) = acc(o.x, 100)

  4. Encoding
  • Value of o.x is stored in Heap[o,x]
  • Current thread's permission for o.x is stored in Mask[o,x]
  [Diagram: the Mask and Heap tables, both indexed by (object, field)]

  5. Predicate evaluation
  • The evaluation of a predicate results in a transfer of permissions
  • For method M() requires Pre ensures Post:
    • caller exhales Pre and inhales Post
    • callee inhales Pre and exhales Post
  • Exhaling acc(o.x, p) amounts to:
      assert p ≤ Mask[o,x];
      Mask[o,x] := Mask[o,x] - p;
  • As in linear logic and separation logic, acc(o.x) ∧ acc(o.x) is equivalent to false

  6. More about predicates
  • A predicate must be defined
    • o.x = 25                 bad
    • acc(o.x) ∧ o.x = 25      good
  • Note that acc expressions can be guarded
    • o ≠ null ⇒ acc(o.x)
  • acc expressions can appear only in positive positions in predicates
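To make slides 3 to 6 concrete, here is an added Python model of the Heap/Mask encoding and of exhale/inhale; it is example code written for this transcript, not Chalice's implementation and not from the slides. The predicate constructors (acc, field_eq, implies, conj), ThreadState, call and the scenario functions are constructed names; permissions are percentages as on slide 3, pure conjuncts are asserted on exhale and assumed on inhale, and check_defined implements the "predicate must be defined" rule by requiring that a field read is preceded by an acc for that location.

```python
from fractions import Fraction
from collections import defaultdict

class VerificationError(Exception):
    """An exhale's 'assert p <= Mask[o,x]' failed, or a predicate is ill-defined."""

class ThreadState:
    def __init__(self):
        self.heap = {}                       # Heap[o,x]: value of o.x (slide 4)
        self.mask = defaultdict(Fraction)    # Mask[o,x]: percent of o.x this thread holds

# Predicate constructors; constructed names mirroring the slides' notation.
def acc(o, x, p=100):           # acc(o.x, p); acc(o.x) is acc(o.x, 100)
    return ("acc", o, x, Fraction(p))
def field_eq(o, x, v):          # the pure conjunct o.x = v
    return ("eq", o, x, v)
def implies(cond, pred):        # cond ⇒ pred, e.g. o ≠ null ⇒ acc(o.x); cond is a thunk
    return ("implies", cond, pred)
def conj(*preds):               # pred1 ∧ pred2 ∧ ...; the conjuncts' permissions add up
    return ("and", preds)

def check_defined(pred, granted=frozenset()):
    """Slide 6: a read of o.x is defined only if an earlier conjunct grants acc(o.x)."""
    kind = pred[0]
    if kind == "acc":
        return granted | {(pred[1], pred[2])}
    if kind == "eq":
        if (pred[1], pred[2]) not in granted:
            raise VerificationError(f"{pred[1]}.{pred[2]} is read without acc({pred[1]}.{pred[2]})")
        return granted
    if kind == "implies":
        check_defined(pred[2], granted)   # a guarded acc is not granted unconditionally
        return granted
    for q in pred[1]:
        granted = check_defined(q, granted)
    return granted

def transfer(state, pred, sign):
    """Slide 5. sign = -1 exhales (assert p <= Mask[o,x]; Mask[o,x] -= p; pure conjuncts
    asserted); sign = +1 inhales (Mask[o,x] += p; pure conjuncts assumed)."""
    kind = pred[0]
    if kind == "acc":
        _, o, x, p = pred
        if sign < 0 and p > state.mask[(o, x)]:
            raise VerificationError(f"exhale acc({o}.{x}, {p}) with only {state.mask[(o, x)]}% held")
        state.mask[(o, x)] += sign * p
    elif kind == "eq":
        _, o, x, v = pred
        if sign < 0 and state.heap.get((o, x)) != v:
            raise VerificationError(f"{o}.{x} = {v} does not hold")
        state.heap[(o, x)] = v            # on inhale this records the assumption o.x = v
    elif kind == "implies":
        if pred[1]():
            transfer(state, pred[2], sign)
    else:
        for q in pred[1]:
            transfer(state, q, sign)

def exhale(state, pred): transfer(state, pred, -1)
def inhale(state, pred): transfer(state, pred, +1)

def call(caller, pre, post):
    """call o.M() from the caller's side (slide 5): exhale Pre, then inhale Post."""
    check_defined(pre)
    check_defined(post)
    exhale(caller, pre)
    inhale(caller, post)

def split_permission():
    """Constructed scenario: the caller owns o.x = 25 outright and calls a method whose
    postcondition returns only half of the permission. Returns the caller's mask afterwards."""
    s = ThreadState()
    inhale(s, conj(acc("o", "x"), field_eq("o", "x", 25)))   # state after 'o := new C; o.x := 25'
    call(s, conj(acc("o", "x"), field_eq("o", "x", 25)), acc("o", "x", 50))
    return s.mask[("o", "x")]

def double_acc_is_false():
    """acc(o.x) ∧ acc(o.x) demands 200% of o.x, so even a full owner cannot exhale it."""
    s = ThreadState()
    inhale(s, acc("o", "x"))
    try:
        exhale(s, conj(acc("o", "x"), acc("o", "x")))
    except VerificationError:
        return True
    return False

def guarded_acc_with_null():
    """o ≠ null ⇒ acc(o.x) demands nothing when o is null, so an empty mask exhales it."""
    o = None
    s = ThreadState()
    exhale(s, implies(lambda: o is not None, acc(o, "x")))
    return s.mask[(o, "x")]

def bare_read_is_rejected():
    """The precondition 'o.x = 25' without acc(o.x) is ill-defined (slide 6)."""
    try:
        check_defined(field_eq("o", "x", 25))
    except VerificationError:
        return True
    return False
```

After split_permission the caller is left with 50% of o.x: it can still read the field but can no longer write it until the other half returns, which is exactly the accounting that lets the verifier rule out data races without running the program.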

  7. Object life cycle
  [State diagram: an object is thread local after new; share moves it to shared and unshare back to thread local; acquire moves a shared object to acquired and release back to shared.]

  8. Monitor invariants
  • A monitor invariant holds when an object is in the shared state
  • class C { invariant J; … }
  • A monitor invariant must hold permissions for the locations it mentions

  9. Monitor invariant checks
  [Same state diagram as slide 7 (states thread local, shared, acquired; transitions new, share, unshare, acquire, release), annotated with the points at which the monitor invariant is checked.]

  10. Threads
  • Fork/join provide asynchronous calls
  • Roughly:
    • call o.M()  :  Exhale Pre; Inhale Post
    • fork o.M()  :  Exhale Pre
    • join o.M()  :  Inhale Post

  11. Preventing deadlocks
  • When shared, an object is inserted into a global ordering among monitors
    • share p between o and q
  • Monitors must be acquired in ascending order
  • Position in locking order can be changed with the reorder statement
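The ordering discipline of slide 11, together with the share/acquire/release states of slide 7, as an added Python model; this is example code for the transcript, not Chalice's checker or code from the slides. LockOrder, Thread and the scenario functions are constructed names, rational positions are one implementation choice that lets "share p between o and q" always find a slot, the precondition of reorder is an assumption (the slides do not state it), and the permission transfer of a monitor invariant (slide 8) is not modelled. The deadlock check is purely static: an acquire is rejected when the monitor is not above every monitor the thread already holds.

```python
from fractions import Fraction

class VerificationError(Exception):
    """A statement the verifier would reject."""

class LockOrder:
    """Slide 11: the global ordering among monitors. Positions are rationals so that
    'share p between o and q' can always insert strictly between two monitors."""
    def __init__(self):
        self.pos = {}                     # shared object -> position in the order

    def share(self, o, between=None):
        """share o, or share o between a and b: the object becomes shared and gets a position."""
        if o in self.pos:
            raise VerificationError(f"{o} is already shared")
        if between is None:
            self.pos[o] = max(self.pos.values(), default=Fraction(0)) + 1   # top of the order
        else:
            lo, hi = self.pos[between[0]], self.pos[between[1]]
            if not lo < hi:
                raise VerificationError(f"{between[0]} must be below {between[1]}")
            self.pos[o] = (lo + hi) / 2

    def unshare(self, o):
        del self.pos[o]

    def reorder(self, o, between):
        """reorder o between a and b: move an already shared object within the order.
        Constructed rule: modelled as unshare followed by share at the new position."""
        self.unshare(o)
        self.share(o, between)

class Thread:
    """A thread's view: the monitors it currently holds (acquired state of slide 7)."""
    def __init__(self, order):
        self.order = order
        self.held = []

    def acquire(self, o):
        """acquire o: only if o is shared, not yet held, and above every held monitor."""
        if o not in self.order.pos:
            raise VerificationError(f"{o} is not shared")
        if o in self.held:
            raise VerificationError(f"{o} is already held by this thread")
        top = max((self.order.pos[h] for h in self.held), default=None)
        if top is not None and self.order.pos[o] <= top:
            raise VerificationError(f"acquire {o} would break the ascending lock order")
        self.held.append(o)

    def release(self, o):
        if o not in self.held:
            raise VerificationError(f"{o} is not held")
        self.held.remove(o)

def opposite_order_is_rejected():
    """Constructed scenario: two threads take a and b in opposite orders. The second
    thread's acquire of a while holding b (which sits above a) is rejected."""
    order = LockOrder()
    order.share("a")
    order.share("b")
    t1, t2 = Thread(order), Thread(order)
    t1.acquire("a")
    t1.acquire("b")                       # ascending: fine
    t2.acquire("b")
    try:
        t2.acquire("a")                   # a is below b: rejected before any run
    except VerificationError:
        return True
    return False

def hand_over_hand(n):
    """Slide 13's pattern on a chain of n nodes shared in list order: acquire the next
    node before releasing the previous one, never holding more than two. Returns the
    monitors still held at the end."""
    order = LockOrder()
    for i in range(n):
        order.share(f"node{i}")
    t = Thread(order)
    t.acquire("node0")
    for i in range(1, n):
        t.acquire(f"node{i}")             # the next node is above the current one: allowed
        t.release(f"node{i - 1}")
    return list(t.held)

def reorder_into_place():
    """A node shared after its neighbours lands on top; reorder puts it between them
    so that head, middle, tail can be acquired in list order."""
    order = LockOrder()
    order.share("head")
    order.share("tail")
    order.share("middle")
    order.reorder("middle", ("head", "tail"))
    t = Thread(order)
    for o in ("head", "middle", "tail"):
        t.acquire(o)
    return list(t.held)
```

Because the check is on the static order rather than on actual interleavings, a program that passes it cannot form a cycle of waiting threads, which is the property the slide's "ascending order" rule buys.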

  12. -autoMagic
  • Filling in specifications to make them defined
  • o ≠ null ⇒ acc(o.x) ∧ o.x = 5 can be written just as: o.x = 5
  • Demo: RockBand

  13. Example
  • Hand-over-hand locking

  14. Advanced permissions
  • A permission is a pair (p,n)
  • Intuitively, (p,n) represents the permission p + n·ε
  • rd(o.x, n) specifies n·ε
  • rd(o.x) = rd(o.x, 1)
  • rd(o.x, *) specifies an unbounded supply of ε's
  • Issue: good specification of read access
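The (p,n) permissions of slide 14, as an added Python model written for this transcript (not Chalice's code and not from the slides). Perm, Mask, can_write and readers_scenario are constructed names; the one design point is the ordering: ε is infinitesimal, so (p,n) pairs compare lexicographically and any positive percentage outweighs any finite number of ε's. The unbounded form rd(o.x, *) is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Perm:
    """A permission (p, n) standing for p + n·ε: p is a percentage, ε an infinitesimal."""
    p: int = 0
    n: int = 0

    def __add__(self, other):
        return Perm(self.p + other.p, self.n + other.n)

    def __sub__(self, other):
        return Perm(self.p - other.p, self.n - other.n)

    def __le__(self, other):
        return (self.p, self.n) <= (other.p, other.n)   # lexicographic: n·ε < 1% for every n

FULL = Perm(100, 0)                 # acc(o.x), the permission needed to write

def acc(p=100):
    return Perm(p, 0)

def rd(n=1):
    """rd(o.x, n) = n·ε; rd(o.x) is rd(o.x, 1)."""
    return Perm(0, n)

class Mask:
    """Per-thread permission table keyed by location, as on slide 4 but with (p, n) entries."""
    def __init__(self):
        self.perm = {}

    def get(self, loc):
        return self.perm.get(loc, Perm())

    def exhale(self, loc, q):
        """assert q <= Mask[loc]; Mask[loc] := Mask[loc] - q  (slide 5, lifted to pairs)."""
        if not q <= self.get(loc):
            raise AssertionError(f"exhale {q} at {loc} but only {self.get(loc)} held")
        self.perm[loc] = self.get(loc) - q

    def inhale(self, loc, q):
        self.perm[loc] = self.get(loc) + q

def can_write(mask, loc):
    """Writing o.x requires the full permission (100, 0)."""
    return FULL <= mask.get(loc)

def readers_scenario():
    """Constructed scenario: the owner of o.x lends three ε's to readers (three calls whose
    precondition is rd(o.x)), cannot write while they are out, keeps more than any fixed
    percentage meanwhile, and is whole again once the readers return their ε's."""
    m = Mask()
    loc = ("o", "x")
    m.inhale(loc, FULL)
    m.exhale(loc, rd())                       # first reader: owner keeps (100, -1)
    m.exhale(loc, rd(2))                      # two more readers: (100, -3)
    writable_while_lent = can_write(m, loc)   # False: (100, 0) <= (100, -3) fails
    still_above_99 = acc(99) <= m.get(loc)    # True: 99% < 100% - 3ε
    m.inhale(loc, rd(3))                      # readers hand their ε's back
    writable_after = can_write(m, loc)        # True again
    return writable_while_lent, still_above_99, writable_after, m.get(loc)
```

This is what the slide's "good specification of read access" is after: a reader can ask for rd(o.x) without naming a percentage, the owner knows no writer can exist while any ε is out, and no finite number of readers can ever consume a whole percent of the owner's share.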
