Rely-Guarantee Protocols for Safe Interference Over Shared Memory Filipe David Oliveira Militao˜ CMU-CS-15-146 December 2015
Total Page:16
File Type:pdf, Size:1020Kb
Rely-Guarantee Protocols for Safe Interference over Shared Memory Filipe David Oliveira Militao˜ CMU-CS-15-146 December 2015 School of Computer Science Departamento de Informatica´ Computer Science Department & Faculdade de Cienciasˆ e Tecnologia Carnegie Mellon University Universidade Nova de Lisboa Pittsburgh, PA 15213, USA Quinta da Torre, 2829-516 Caparica, Portugal Thesis Committee: Dr. Jonathan Aldrich1, chair Dr. Lu´ıs Caires2, chair Dr. Frank Pfenning1 Dr. Antonio´ Ravara2 Dr. Karl Crary1 Dr. Vasco Vasconcelos4 Dr. Neelakantan Krishnaswami3 (1Carnegie Mellon University, USA) (2Universidade Nova de Lisboa, Portugal) (3University of Birmingham, UK) (4Universidade de Lisboa, Portugal) Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy. Copyright c 2015 Filipe David Oliveira Militao˜ This research was partially sponsored by Funda¸c˜aopara a Ciˆenciae Tecnologia (Portuguese Foundation for Science and Technology) through the Carnegie Mellon j Portugal Program under grant SFRH / BD / 33765 / 2009 and the Information and Communication Technology Insti- tute at Carnegie Mellon University, INTERFACES NGN44-2009-2012, the Aeminium project SE38-2009-2012, CITI PEst-OE / EEI / UI0527 / 2011, FCT/MEC NOVA LINCS PEst UID/CEC/04516/2013, the U.S. National Science Foundation under grant #CCF-1116907 “Foundations of Permission-Based Object-Oriented Languages”, and the U.S. Air Force Research Laboratory. The views and conclusions contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. government or any other entity. Keywords: programming languages; interference control; linearity; typestates; rely-guarantee protocols; concurrency; shared mutable state. Abstract Mutable state can be useful in certain algorithms, to structure programs, or for efficiency purposes. However, when shared mutable state is used in non-local or non- obvious ways, the interactions that can occur via aliases to that shared memory can be a source of program errors. Undisciplined uses of shared state may unsafely interfere with local reasoning as other aliases may interleave their changes to the shared state in unexpected ways. We propose a novel technique, rely-guarantee protocols, that structures the interactions between aliases and ensures that only safe interference is possible. We present a linear type system outfitted with our novel sharing mechanism that enables controlled interference over shared mutable resources. Each alias is assigned separate, local roles encoded in a protocol abstraction that constrains how an alias can legally use that shared state. By following the spirit of rely-guarantee reasoning, our rely-guarantee protocols ensure that only safe interference can occur but still allow many interesting uses of shared state, such as going beyond invariant and monotonic usages. This thesis describes the three core mechanisms that enable our type-based tech- nique to work: 1) we show how a protocol models an alias’s perspective on how the shared state evolves and constrains that alias’s interactions with the shared state; 2) we show how protocols can be used while enforcing the agreed interference contract; and finally, 3) we show how to check that all local protocols to some shared state can be safely composed to ensure globally safe interference over that shared memory. The interference caused by shared state is rooted at how the uses of different aliases to that state may be interleaved (perhaps even in non-deterministic ways) at run-time. There- fore, our technique is mostly agnostic as to whether this interference was the result of alias interleaving caused by sequential or concurrent semantics. We show imple- mentations of our technique in both settings, and highlight their differences. Because sharing is “first-class” (and not tied to a module), we show a polymorphic procedure that enables abstract compositions of protocols. Thus, protocols can be specialized or extended without requiring specific knowledge of the interference produce by other protocols to that state. We show that protocol composition can ensure safety even when considering abstracted protocols. We show that this core composition mecha- nism is sound, decidable (without the need for manual intervention), and provide an algorithm implementation. iv Acknowledgments I thank my advisors, Jonathan Aldrich and Lu´ıs Caires, for all the discussions, feedback, and technical assistance. I specially thank Jonathan for the tireless openness to discussion and healthy encouragement that enabled the shift in direction that led to this work. Although doing these “late” changes was quite challenging, I personally found your passion for research and exceptional professionalism to be both inspiring and instrumental in keeping me motivated to pursue this work. Thank you Jonathan! This work is also the culmination of several iterations, refinements, and clarifi- cations to address feedback from countless other sources (beyond my advisors). At- tempting to list all individuals would invariably risk missing important sources, al- though I appreciate all feedback that improved and shaped the work into its final form. Still, I specially thank all members of the Plaid group at CMU and the PLASTIC group at FCT/UNL, the thesis committee members, and the many anonymous reviewers for all the comments and feedback on this work, in all its forms. Finally, I thank friends and family for encouragement and support throughout all these years. I specially thank Joao˜ Gomes, Andre´ DaSilva, Lu´ısa Cochito, my sis- ter (Susana Militao),˜ my brother (Miguel Militao),˜ and my parents (Lu´ısa Oliveira and Jose´ Militao).˜ And, naturally, Lury, Gotsky, Timmy “Timotio”´ Ti-No-Ni,´ Boris Fagundes-Pa,´ Fellini, and others for healthy distractions. vi Contents 1 Introduction1 1.1 Approach Overview..................................2 1.2 Example: Shared Pipe.................................4 1.3 Thesis Statement...................................6 1.3.1 Hypothesis: Modularity, Composition, and Expressiveness.........6 1.3.2 Hypothesis: Automation...........................7 1.3.3 Hypothesis: Soundness............................7 1.4 Contributions.....................................8 1.5 Thesis Outline.....................................8 2 Preliminary System 11 2.1 Starting Language................................... 12 2.1.1 Operation Semantics............................. 13 2.1.2 Types Grammar................................ 14 2.1.3 Type System................................. 14 2.2 Extension: Mutable State............................... 18 2.2.1 Grammar................................... 20 2.2.2 Operational Semantics............................ 21 2.2.3 Type System................................. 21 2.2.4 Subtyping................................... 26 2.2.5 Technical Results............................... 27 2.3 Some Abbreviations.................................. 29 2.4 Typestate Examples.................................. 31 2.4.1 Stack Object................................. 31 2.4.2 Stateful Pair.................................. 35 2.5 Modeling the “Behavior” of Hidden State...................... 38 2.5.1 Closer Comparison with “Behavior”-Oriented Designs........... 41 2.6 Related Work..................................... 46 3 Rely-Guarantee Protocols in the Sequential Setting 51 3.1 Approach in a Nutshell................................ 52 3.2 Pipe Example Overview............................... 54 3.3 Using Protocols to Share Mutable State....................... 56 vii 3.3.1 Specifying Rely-Guarantee Protocols.................... 57 3.3.2 Checking Protocol Splitting......................... 59 3.3.3 Using Shared State.............................. 64 3.3.4 Framing State................................. 67 3.3.5 Consumer Code................................ 69 3.4 Summary of Extensions................................ 69 3.4.1 Technical Results............................... 73 3.5 Additional Examples................................. 75 3.5.1 Sharing a Stack................................ 75 3.5.2 Capturing Local Knowledge......................... 76 3.5.3 Iteratively Sharing State........................... 78 3.6 Related Work..................................... 80 4 Polymorphic Protocol Composition and the Concurrent Setting 85 4.1 A Protocol for Modeling join ............................. 86 4.2 Polymorphic Protocol Composition......................... 90 4.2.1 Existential-Universal Interaction....................... 90 4.2.2 Inner Step Extension............................. 93 4.3 Technical Development................................ 94 4.3.1 Well-Formed Protocols............................ 95 4.3.2 Protocol Composition Rules......................... 96 4.3.3 Operational Semantics............................ 101 4.3.4 Type System................................. 105 4.3.5 Technical Results............................... 108 4.4 Additional Examples................................. 114 4.4.1 MVars..................................... 114 4.4.2 Shared Pair.................................. 115 4.4.3 Pipe Example, Revisited........................... 116 4.5 Encoding Typeful Message-Passing Concurrency.................. 118 4.5.1 Brief Overview................................ 119 4.5.2 Encoding send and receive ........................ 120 4.5.3 Buyer-Seller-Shipper Example........................ 122 4.6 Related Work....................................