
A Programmer-Oriented Approach to Safe Concurrency

Aaron Greenhouse
May 2003
CMU-CS-03-135

Computer Science Department
School of Computer Science
Carnegie Mellon University
Pittsburgh, PA 15213

Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy.

Thesis Committee:
William L. Scherlis, Chair
Thomas Gross, Co-Chair
Guy E. Blelloch
John Boyland, University of Wisconsin–Milwaukee

Copyright © 2003 Aaron Greenhouse

Effort sponsored in part through the High Dependability Computing Program from NASA Ames cooperative agreement NCC-2-1298, in part by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory (AFRL), Air Force Materiel Command, USAF, under agreement number F30602-99-2-0522, and in part through the Carnegie Mellon School of Computer Science Siebel Scholars Program. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsement, either expressed or implied, of NASA, DARPA, AFRL, or the U.S. Government.

Keywords: Java, concurrency, multi-threading, analysis, annotation, software engineering tools, program understanding, assurance, thread-safety

For Irachka.

Abstract

Assuring and evolving concurrent programs requires understanding the concurrency-related design decisions used in their implementation. In Java-style shared-memory programs, these decisions include which state is shared, how access to it is regulated, and the policy that distinguishes desired concurrency from race conditions. Source code often does not reveal these design decisions because they rarely have purely local manifestations in the code, or because they cannot be inferred from code. Many programmers believe it is too difficult to explicate the models in ordinary practice. As a result, this design intent is usually not expressed, and it is therefore generally infeasible to assure that concurrent programs are free of race conditions.

This thesis is about a practicable approach to capturing and expressing design intent, and, through the use of annotations and composable static analyses, assuring consistency of code and intent as both evolve. We use case studies from production Java code and a prototype analysis tool to explore the costs and benefits of a new annotation-based approach for expressing design intent. Our annotations express “mechanical” properties that programmers must already be considering, such as lock–state associations, uniqueness of references, and conceptual aggregations of state. Our analyses reveal race conditions in a variety of case study samples which were drawn from library code and production open source projects.

We developed a prototype tool that embodies static analysis techniques for assuring consistency between code and models (expressed as code annotations). Our experience with the tool provides some preliminary evidence of the practicability of our approach for ordinary programmers on deadlines. The dominant design consideration for the tool was adherence to the principle of “early gratification”—some assurance can be obtained with minimal or no annotation effort, and additional increments of annotation are rewarded with additional increments of assurance.

The novel technical features of this approach include (1) regions as flexible aggregations of state that can cross object boundaries, (2) a region-based object-oriented effects system, (3) analysis to track the association of locks with regions, (4) policy descriptions for allowable method interleavings, and (5) an incremental process for inserting, validating, and exploiting annotations.

Acknowledgements

It’s been a longer journey than I originally intended, but I’m finally done with my dissertation.
This was not a solitary journey, and I owe thanks to the many people who gave me support along the way.

Obviously, I would like to thank my advisor, Bill Scherlis, for his invaluable advice, guidance, encouragement, and enthusiasm. I’d like to thank my co-advisor, Thomas Gross, and the rest of my committee for their time and for the helpful feedback they have provided.

My research wasn’t performed in a vacuum, and without the research and engineering results of the other members of the Fluid Group, this dissertation would never have been possible. Thank you, John Boyland, Edwin Chan, Tim Halloran, Elissa Newman, Dean Sutherland, and everyone else.

I’d like to thank my wife, Irene, for her unfailing support in all things. Her exceptional patience and emotional support during the past few months have been invaluable to the completion of this dissertation and preservation of my well-being.

I’d like to thank my parents, Anna and Gerald Greenhouse, who besides bringing me into the world—a big win for me—also instilled in me the appreciation for learning and education that got me into this mess to begin with. I’d like to thank my newly acquired in-laws, Alla and Victor Sorokorensky, for their support.

I’d like to thank my only long-term office-mate, Orna Raz, for putting up with me. I hope our discussions have been as useful for your research as they have been for mine.

On a more serious note, I would like to thank the taxpayers of the United States of America. Without their support my work could never have been funded. I would also like to thank Siebel Systems for their support of the Siebel Scholars Program.

On a less serious note, I would like to thank the fortune cookie that I received earlier this week for its vote of encouragement: “Soon you will be sitting on top of the world.” So thank you, tasty snack treat, and know that you were consumed to support a worthwhile activity!
Finally, I should point out that examples used in this dissertation are taken from copyrighted sources:

• The Apache/Jakarta Log4j logging library is Copyright © 1999 The Apache Software Foundation. All Rights Reserved.
• The W3C Jigsaw web server is Copyright © 1998 World Wide Web Consortium, (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University). All Rights Reserved.
• The Java 2 SDK, Standard Edition, Version 1.4.1 is Copyright © 2003 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All Rights Reserved.

Contents

1 Introduction ... 1
  1.1 Missing Design Information ... 1
    1.1.1 Kinds of Software Information ... 3
    1.1.2 Recording Design Intent ... 5
    1.1.3 Intent vs. Accident ... 6
    1.1.4 Assuring Consistency Between Intent and Code ... 7
  1.2 Concurrency-Related Design Intent ... 8
    1.2.1 Establishing Safe Concurrency ... 9
  1.3 Example: Missing Models ... 10
    1.3.1 Class BoundedFIFO ... 11
    1.3.2 The State of BoundedFIFO ... 13
    1.3.3 Protecting BoundedFIFO ... 13
    1.3.4 Evolution and Misunderstood Intent ... 15
    1.3.5 Summary ... 16
  1.4 Evolution and Unknown Intent ... 18
  1.5 Locking Design and Representation Invariants ... 20
  1.6 Towards a Generative Approach ... 22
    1.6.1 Source-level Program Transformation ... 23
    1.6.2 The Generative Approach ... 24
    1.6.3 Tool Support ... 25
  1.7 Outline ... 25
2 Concurrency and Java ... 27
  2.1 Shared-Memory Concurrent Programming ... 28
  2.2 Lock-Based Concurrency Management ... 29
    2.2.1 Missing Intent ... 30
  2.3 Condition Variables ... 31
  2.4 Monitors ... 32
  2.5 Additional Risks of Concurrency ... 32
3 Recording Design Intent ... 33
  3.1 Analysis and Assurance of Design Intent ... 33
  3.2 The FLUIDJAVA Language ... 34
    3.2.1 The Language ... 34
    3.2.2 Language Predicates ... 35
    3.2.3 Typing Rules ... 37
  3.3 Labeling Expressions ... 40
  3.4 Binding Context Analysis ... 41
4 An Object-Oriented Effects System ... 45
  4.1 Regions Identify State ... 47
    4.1.1 The Region Hierarchy ... 47
    4.1.2 An Example ... 48
    4.1.3 Regions and Subclasses ... 50
  4.2 Targets and State Aliasing ... 50
    4.2.1 Kinds of Targets ... 51
    4.2.2 Targets and Method Effects ... 52
  4.3 Effects ... 53
    4.3.1 Computing Effects ... 54
    4.3.2 Comparing Effects ... 54
    4.3.3 Checking Declared Effects ... 55
  4.4 Example: Class AtomicInteger ... 56
  4.5 Example: Class BoundedFIFO ... 58
    4.5.1 Annotating BoundedFIFO ... 59
  4.6 State Aggregation through Uniqueness ... 60
  4.7 State Aggregation