Types for atomicity

Ensuring the correctness of multithreaded programs is difficult, due to the potential for unexpected and nondeterministic interactions between threads. Previous work addressed this problem by devising tools for detecting race conditions, a situation where two threads simultaneously access the same data variable, and at least one of the accesses is a write. Unfortunately, verifying the absence of such simultaneous-access race conditions is neither necessary nor sufficient to ensure the absence of errors due to unexpected thread interactions. We propose that a stronger non-interference property is required, namely the atomicity of code blocks, and we present a type system for specifying and verifying such atomicity properties. The type system allows statement blocks and functions to be annotated with the keyword atomic. If the program type checks, then the type system guarantees that for any arbitrarily interleaved program execution, there is a corresponding execution with equivalent behavior in which the instructions of each atomic block executed by a thread are not interleaved with instructions from other threads. This property allows programmers to reason about the behavior of well-typed programs at a higher level of granularity, where each atomic block is executed "in one step", thus significantly simplifying both formal and informal reasoning. Our type system is sufficient to verify a number of interesting examples. For example, it can prove that many methods of java.util.Vector are atomic, even though some methods have benign race conditions and would be rejected by earlier type systems for race detection.
