Controlling Mutation and Aliases with Fractional Permissions

Size: px

Start display at page:

Download "Controlling Mutation and Aliases with Fractional Permissions"

Thomasine Blankenship
6 years ago
Views:

1 Controlling Mutation and Aliases with Fractional Permissions John Boyland University of Wisconsin- Milwaukee ECOOP 12

2 Outline of Session I. Fractional Permissions II. Applications III. Problems

3 I. Fractional Permissions

4 Structured Aliasing? My Thoughts

5 Structured Aliasing? My Thoughts Aliasing is relevant ONLY if mutable state.

6 Structured Aliasing? My Thoughts Aliasing is relevant ONLY if mutable state. For isolation/parallelism, we want tracking.

7 Structured Aliasing? My Thoughts Aliasing is relevant ONLY if mutable state. For isolation/parallelism, we want tracking. Fractions: don t copy tokens, split tokens.

8 Structured Aliasing? My Thoughts Aliasing is relevant ONLY if mutable state. For isolation/parallelism, we want tracking. Fractions: don t copy tokens, split tokens. Unify separation logic & ownership.

9 Fractional Permissions

10 Fractional Permissions Rough recipe:

11 Fractional Permissions Rough recipe: Separation Logic

12 Fractional Permissions Rough recipe: Separation Logic - Scalars

13 Fractional Permissions Rough recipe: Separation Logic - Scalars + Fractions

14 Fractional Permissions Rough recipe: Separation Logic - Scalars + Fractions + Nesting (AKA Adoption)

15 Separation Logic Linear heap predicates flow-sensitive state information Nonlinear scalar predicates Hoare logic, and e.g., y = x + z Linear and nonlinear connectives and, or, implication, existentials,... [Reynolds, O Hearn, Brookes, Parkinson...]

16 Minus Scalars Separation Logic intends (full) verification. We do verification of limited properties: aliasing, mutation, concurrency object structure, design patterns Thus we drop integer and boolean values: only interested in pointer values.

17 Plus Fractions We distinguish write (one) from read (less than one) permission to mutable state. Important for concurrency correctness. Some variants of SL have fractions in some limited situations. Fractions are endemic for us.

18 Plus Nesting Motivation: nonlinear (flow-insensitive) analysis is simpler. Add a way to express flow-insensitive ownership along with flow-sensitive uniqueness aka adoption [Fähndrich&DeLine 2002] Interesting interactions with fractions.

19 I. Outline Fractions Fractional Heaps Fractional Permission Logic

20 Fractions

21 Fractions Q + positive rational numbers (R + OK).

22 Fractions Q + positive rational numbers (R + OK). No zero (0 permission = no permission).

23 Fractions Q + positive rational numbers (R + OK). No zero (0 permission = no permission). Both addition and multiplication are total and permit cancellation.

24 Fractions Q + positive rational numbers (R + OK). No zero (0 permission = no permission). Both addition and multiplication are total and permit cancellation. Fractions can be arbitrarily small.

25 Fractions Q + positive rational numbers (R + OK). No zero (0 permission = no permission). Both addition and multiplication are total and permit cancellation. Fractions can be arbitrarily small. Fractions greater than one permitted in intermediate heaps.

26 Fractional Heaps A partial map from locations L to pairs of values V and fractions Q + L = O F, pointer and field V = O, pointers to objects. A memory has only fractions of one.

27 Fractional Heaps 1

28 Scaling Fractional Heaps 1 ½

29 Some Heaps Add 1

30 Some Heaps Add 1

31 Some Heaps Don t Add 1

32 Some Heaps Don t Add 1

33 Some Heaps Don t Add 1 Different Values Clash

34 Memory 1

35 Memory 1 whole fraction

36 Memory 1 not defined

37 Memory

38 Memory 1

39 Permission Logic o.f o 1 (o,f) o A unit permission (Wrigstad token )

40 Permission Logic Heap for 1 Heap for 2

41 Permission Logic 1 + 2

42 Permission Logic Π 1 +Π 2 Heap for 1 Heap for 2

43 Permission Logic Π 1 +Π 2

44 Permission Logic 0 q Heap for

45 Permission Logic 0 q q = 3/2

46 Permission Logic Existential: r (o.f r)+π obligatory unit permission yields witness Conditional: Γ?Π 1 :Π 2 Here Γ is a boolean formula true or false

47 Boolean Formulae true conjunction negation comparison Γ 1 Γ 2 Γ o = o All these can be true, false or unknown

48 Boolean Formulae existential unrestricted predicates calls can be recursive x Γ p(...) Either can be true or unknown (not false).

49 Boolean Formulae nesting Π o.f ownership indicates that is available in : there is Π 0, o.f o by itself, as with all formulae, has no heap. Known nesting may be less that actual. Π 1 Π 2 Π 0 +Π 1 =Π 2

50 Unit Permission Again o.f o (o,f) o { Π o.f 1

51 Unit Permission Again o.f o (o,f) o 1{ Π o.f Π 1 o.f where 1 Π 1 Π

52 Example: Point permission to write o s x and y fields: ( r o.x r)+ ( r o.y r) preceding permission nested in o s All field ( r o.x r)+ ( r o.y r) o.all

53 Example: Point permission to write o s x and y fields: ( r o.x r)+ ( r o.y r) model field preceding permission nested in o s All field ( r o.x r)+ ( r o.y r) o.all

54 Example: Point A point is an object we know has x and y: Point(r) = ( r r.x r )+ ( r r.y r ) o is a Point Point(o) o is a Point and we can read its state: Point(o)+q(o.All 0) r.all

55 Nesting o.x o x + o.y o y + o.all

56 Nesting o.x o x + o.y o y + o.all Point(o)+o.All 0 1

57 Carving Point(o)+q(o.All 0) (o,all) (o,x) (o,y) 1

58 Carving Point(o)+q(o.All 0) (o,all) (o,x) (o,y) 1 1

59 Carving Point(o)+q(o.All 0) (o,all) (o,x) (o,y) 1 1 1

60 Carving Point(o)+q(o.All 0) (o,all) (o,x) (o,y) q(o.x r x )+(q(o.x r x ) + q(o.all 0)) 1 1 1

61 In General: Invariants Invariant(o,...) nests state in o.all Invariant(o,...) + o.all 0 gives one access Carving permits breaking the invariant: o.x r x +((o.x r x ) + (o.all 0)) Until o.all 0 is needed again.

62 Linked-List Node Field data is a unique Point; Field next is a unique Node: Node(r) = rp r.data r p + r p.all 0 + Point(r p )+ r n r.next r n + r n.all 0 + Node(r n ) r.all

63 Linked-List Node Field data is a unique Point; Field next is a unique Node: Node(r) = rp r.data r p + r p.all 0 + Point(r p )+ r n r.next r n + r n.all 0 + Node(r n ) r.all Can you spot the problem?

64 Linked-List Node Field data is a unique Point; Field next is a unique Node: Node(r) = rp r.data r p + r p.all 0 + Point(r p )+ r n r.next r n + r n.all 0 + Node(r n ) r.all

65 Linked-List Node Field data is a unique Point; Field next is a unique Node: Node(r) = rp r.data r p + r p.all 0 + Point(r p )+ r n r.next r n + r n.all 0 + Node(r n ) r.all Every node points to a new next node!

66 Linked-List Node Node(r) = r p r.data r p + r p.all 0 + Point(r p )+ r n r.next r n + r.all r n =0?0 : r n.all 0 + Node(r n ) 0

67 Linked-List Node Node(r) = r p r.data r p + r p.all 0 + Point(r p )+ r n r.next r n + r.all r n =0?0 : r n.all 0 + Node(r n ) not null unique 0

68 Linked-List Node Node(r) = r p r.data r p + r p.all 0 + Point(r p )+ r n r.next r n + r.all r n =0?0 : r n.all 0 + Node(r n ) maybe null unique 0

69 Two Element List (n 1,All) (n 1,data) (p 1,All) (p 1,x) (p 1,y) (n 1,next) (n 2,All) (n 2,data) (p 2,All) (p 2,x) (p 2,y) (n 2,next) Node(n 1 )+ n 1.All 0 p 1 n 2 p 2 1

70 Two Element List (n 1,All) (n 1,data) (p 1,All) (p 1,x) (p 1,y) (n 1,next) (n 2,All) (n 2,data) (p 2,All) (p 2,x) (p 2,y) (n 2,next) Node(n 1 )+ n 1.All 0 p 1 n 2 p Node(n 1 )+ = + 2 (n 1.All 0) Node(n 1 )+ 1 2 (n 1.All 0) 1 1

71 Effective Uniqueness Read permission does not guarantee unique: n 1.data = n 2.data is possible DETOUR 1

72 1 Effective Uniqueness Read permission does not guarantee unique: n 1.data = n 2.data is possible

73 Node(l)+ l.all 0 Node n = l; Iteration while (n!= null) { Point p = n.data; p.x += 3; n = n.next; }

74 Node(l)+ l.all 0 Node n = l; Iteration while (n!= null) { Point p = n.data; p.x += 3; n = n.next; } Node(l)+(n = l)+ l.all 0

75 Node(l)+ l.all 0 Node n = l; Iteration while (n!= null) { Point p = n.data; p.x += 3; n = n.next; } Node(l)+(n = l)+ l.all 0 Node(n)+n.All 0+ n.all 0 + l.all 0

76 Node(l)+ l.all 0 Node n = l; Iteration while (n!= null) { Point p = n.data; p.x += 3; n = n.next; } Node(l)+(n = l)+ l.all 0 Node(n)+n.All 0+ n.all 0 + l.all 0 Point(p)+p.All 0+ p.all 0 + n.all 0+ n.all 0 + l.all 0

77 Node(l)+ l.all 0 Node n = l; Iteration while (n!= null) { Point p = n.data; p.x += 3; n = n.next; } Node(l)+(n = l)+ l.all 0 Node(n)+n.All 0+ n.all 0 + l.all 0 p.x r x + p.x r x + p.all 0+ p.all 0 + n.all 0+ n.all 0 + l.all 0

78 Node(l)+ l.all 0 Node n = l; Iteration while (n!= null) { Point p = n.data; p.x += 3; n = n.next; } Node(l)+(n = l)+ n =0?0:n.All 0 + Node(n)+ l.all 0 Node(n)+n.All 0+ n.all 0 + l.all 0 (n =0?0:n.All 0 + Node(n)) + l.all 0

79 II. Applications

80 Annotations as Sugar (maybe null) unique field s value nested with o.all 0 method effects are lent permissions writes(x.f) x.f r reads(x.f) z(x.f r) passed in on entry; passed out on exit

81 Annotations as Sugar (maybe null) unique field s value nested with o.all 0 method effects are lent permissions writes(x.f) x.f r reads(x.f) z(x.f r) passed in on entry; passed out on exit Fraction variable

82 Annotations as Sugar Shorthand: r.all r.all 0 Ownership: one object s state in another: owned(o)r r.all o.all

83 Independent Iterators interface Iterator { boolean hasnext(); Object next(); void remove(); }

84 Independent Iterators interface Iterator { reads(all) boolean hasnext(); writes(all) Object next(); writes(all) void remove(); }

85 Why Independent? 1. Utility methods can use iterator alone. 2. Iterators can be concatenated 3. Iteration creation can be delegated.

86 Why Independent? #1 class Util { writes(it.all) static int count(iterator it, Object x) { int c = 0; while (it.hasnext()) { if (x == it.next()) ++c; } return c; } } UTILITY

87 Why Independent? #2 class AppendIterator implements Iterator { unique Iterator it1; unique Iterator it2; AppendIterator(unique Iterator i1, unique Iterator i2) { it1 = i1; it2 = i2; } reads(all) boolean hasnext() { return it1.hasnext() it2.hasnext(); }... CONCATENATION

88 Why Independent? #3 class SpecializedCollection { Object[] data;... Iterator iterator() { return Arrays.asList(data).iterator(); }... } DELEGATION

89 Can Iterators be Independent? Collections are affected by iterators: Can remove using iterator. Iterators are affected by collections: If collection modified, iterators invalid.

90 Aliasing Iterator and collection share mutable state: Iterator Collection

91 Interference R-W; W-R; W-W 1. access through iterator 2. access through collection R-W: iterator becomes invalid W-R: collection results different W-W: both

92 Avoiding Interference 1 R-R is OK If we can prevent interference: we can pretend no state overlap Iterator Collection

93 Avoiding Interference 2 prevent collection writes while iterators in use prevent collection reads while remove iterator in use

94 Avoiding Interference 2 prevent collection writes while iterators in use prevent collection reads while remove iterator in use creating iterator requires read access creating remove iterator requires write access

95 Avoiding Interference 3 prevent collection writes while iterators in use prevent collection reads while remove iterator in use creating iterator encumbers read access creating remove iterator encumbers write access

96 List Representation class LinkedList<T, Object o> { class Node { T data; Node next; }

97 List Representation class LinkedList<T, Object o> { class Node { owned(o) T data; unique Node next; }

98 List Representation class LinkedList<T, Object o> { class Node { owned(o) T data; unique Node next; } r d r.data r d + (r d =0?0:r d.all r o.all) + r n r.next r n + (r n =0?0:r n.all + Node(r n,r o )) Node(r, r o )= r.all

99 List Representation class LinkedList<T, Object o> { class Node { owned(o) T data; unique Node next; } unique Node head;

100 List Representation class LinkedList<T, Object o> { class Node { owned(o) T data; unique Node next; } unique Node head; r h r.head r h + (r h =0?0:r h.all + Node(r h,r o )) LinkedList(r, r o )= r.all

101 Iterator Representation class LinkedList<T, Object o> { class Iterator<fraction q> { Node pre; }

102 Iterator Representation class LinkedList<T, Object o> { class Iterator<fraction q> { Node pre; } Iterator(r, r o,z,r l )= r p r.pre r p + r p =0?0:zr p.all + Node(r p,r o )+ (r p =0?0:zr p.all + Node(r p,r o )) + zr l.all r.all

103 Iterator Creation class LinkedList<T, Object o> { Iterator<z> iterator() { return new Iterator(); }

104 Iterator Creation class LinkedList<T, Object o> { Iterator<z> iterator() { return new Iterator(); } this In: zr t.all

105 Iterator Creation class LinkedList<T, Object o> { Iterator<z> iterator() { return new Iterator(); } In: zr t.all Out: r r.all + (r r.all + zr t.all + v) result

106 Iterator Creation class LinkedList<T, Object o> { Iterator<z> iterator() { return new Iterator(); } In: zr t.all Out: r r.all + (r r.all + zr t.all + v) some leftover permissions

107 Iterator Heaps LinkedList(l, o)+ 1 2 l.all 0 (l,all) (l,head) (n 1,All) (n 1,data) (n 1,next) (n 2,All) (n 2,data) (n 2,next) n 1 n 2 BEFORE 1 1

108 Iterator Heaps LinkedList(l, o)+ 1 2 l.all 0 (l,all) (l,head) (n 1,All) (n 1,data) (n 1,next) (n 2,All) (n 2,data) (n 2,next) n 1 n 2 Iterator(i, o, 1 2,l)+i.All + (i.all + 1 l.all + v) 2 BEFORE 1 SOMETIME AFTER 1

109 Iterator Heaps LinkedList(l, o)+ 1 2 l.all 0 (l,all) (l,head) (n 1,All) (n 1,data) (n 1,next) (n 2,All) (n 2,data) (n 2,next) n 1 n 2 Iterator(i, o, 1 2,l)+i.All + (i.all + 1 l.all + v) 2 BEFORE 1 SOMETIME AFTER 1

110 Iterator Heaps LinkedList(l, o)+ 1 2 l.all 0 (l,all) (l,head) (n 1,All) (n 1,data) (n 1,next) (n 2,All) (n 2,data) (n 2,next) n 1 n 2 Iterator(i, o, 1 2,l)+i.All + (i.all + 1 l.all + v) 2 n 2 (i,all) (i,pre) BEFORE 1 SOMETIME AFTER 1

111 Iterator Heaps LinkedList(l, o)+ 1 2 l.all 0 (l,all) (l,head) (n 1,All) (n 1,data) (n 1,next) (n 2,All) (n 2,data) (n 2,next) n 1 n 2 Iterator(i, o, 1 2,l)+i.All + (i.all + 1 l.all + v) 2 n 1 n 2 (i,all) (i,pre) BEFORE 1 SOMETIME AFTER 1

112 Concurrency Non-interacting parallelism: Divide permissions between threads. Mutual exclusion locks ( synchronized ): Protected permissions nested in lock. Volatile fields, can be accessed anytime: State of value nested in known location.

113 Noninteracting Parallelism 1

114 Noninteracting Parallelism 1 1 1

115 Noninteracting Parallelism 1

116 Synchronization

117 Synchronization Objects serving as locks are owned by Lock: l.all G.Lock

118 Synchronization Objects serving as locks are owned by Lock: l.all G.Lock State protected by a lock is nested in it: e.g. l.val l.all

119 Synchronization Objects serving as locks are owned by Lock: l.all G.Lock State protected by a lock is nested in it: e.g. l.val l.all Synchronization provides l.all: requires l.all or l after last locked.

120 Synchronization synchronized (p) { } p.x += 1;

121 Synchronization Point(r p ) (r p.all G.Lock) (l <r p ) synchronized (p) { p.x += 1; }

122 Synchronization Point(r p ) (r p.all G.Lock) (l <r p ) synchronized (p) { } p.x += 1; New formula that compares lock order. Here l is the previously locked location.

123 Synchronization Point(r p ) (r p.all G.Lock) (l <r p ) synchronized (p) { p.x += 1; } r p.all

124 Synchronization Point(r p ) (r p.all G.Lock) (l <r p ) synchronized (p) { } p.x += 1; r p.all r p.x+(r p.x + r p.all)

125 Synchronization THREAD GLOBAL synchronized (p) { } p.x += 1; 1 1

126 Synchronization THREAD GLOBAL synchronized (p) { } p.x += 1; 1 1

127 Synchronization THREAD GLOBAL synchronized (p) { } p.x += 1; 1 1

128 Synchronization synchronized (p) { } p.x += 1;

129 Synchronization REENTRANCY synchronized (p) { } p.x += 1;

130 Synchronization REENTRANCY r p.all synchronized (p) { p.x += 1; }

131 Synchronization synchronized (p) { p.x += 1; } REENTRANCY r p.all r p.all

132 Synchronization REENTRANCY r p.all synchronized (p) { } p.x += 1; r p.all r p.x+(r p.x + r p.all)

133 Synchronization REENTRANCY r p.all synchronized (p) { } p.x += 1; r p.all r p.x+(r p.x + r p.all) r p.all

134 Volatile Fields Can be assigned at any time. Value assigned should have state nested In known owner, or 2. In G.Lock, or 3. Fractionally in G.Immutable.

135 Volatile Fields (1) THREAD1 p = new Point(1,2); // nest p in thread2 THREAD2 Thread Object x.v = p; 1 1

136 Volatile Fields (1) THREAD1 THREAD2 p = new Point(1,2); // nest p in thread2 x.v = p; 1 1

137 Volatile Fields (1) THREAD1 THREAD2 p = new Point(1,2); // nest p in thread2 x.v = p; 1 1

138 Volatile Fields (1) THREAD1 THREAD2 p = new Point(1,2); // nest p in thread2 x.v = p; 1 1

139 Volatile Fields (2) THREAD1 GLOBAL p = new Point(1,2); // make p a lock x.v = p; 1 1

140 Volatile Fields (2) THREAD1 GLOBAL p = new Point(1,2); // make p a lock x.v = p; 1 1

141 Volatile Fields (2) THREAD1 GLOBAL p = new Point(1,2); // make p a lock x.v = p; 1 1

142 Volatile Fields (2) THREAD1 GLOBAL p = new Point(1,2); // make p a lock x.v = p; 1 1

143 Immutability Nest any fraction of r.all in G.Immutable: z (zr.all G.Immutable) Implicitly: Every thread nests a fraction of G.Immutable Every method gets a fraction of G.Immutable Fractions can get arbitrarily small.

144 Volatile Fields (3) THREAD1 THREAD2 p = new Point(1,2); // make p immutable x.v = p; (G,Immutable) (G,Immutable) 1 1

145 Volatile Fields (3) THREAD1 THREAD2 p = new Point(1,2); // make p immutable x.v = p; (G,Immutable) (G,Immutable) 1 1

146 Volatile Fields (3) THREAD1 THREAD2 p = new Point(1,2); // make p immutable x.v = p; (G,Immutable) (G,Immutable) 1 1

147 Volatile Fields (3) THREAD1 THREAD2 p = new Point(1,2); // make p immutable x.v = p; (G,Immutable) (G,Immutable) 1 1

148 III. Problems

149 AWT/Swing (J)Component state can only be accessed from Swing Event Threads If an Event Thread blocks on input (e.g. using a JDialog), new thread is created/reused. Runnable instances can be passed to Swing.

150 Java Concurrency wait() releases lock temporarily Thread.start(), Thread.join() Anyone can join a thread, multiple times java.util.concurrent.reentrantlock can lock/unlock independently

151

152 Related Work Ownership Reads Linearity

153 Related Work Ownership Reads [Clarke 01] Linearity

154 Related Work Ownership Reads [Clarke & Drossopoulou 02] Linearity

155 Related Work Ownership Reads [Müller & Rudich 07] Linearity

156 Related Work Ownership Reads Linearity

157 Related Work Ownership Reads Linearity [Ishtiaq & O Hearn 01]

158 Related Work Ownership Reads [Parkinson & Bierman 12] Linearity

159 Related Work Ownership Reads [Fähndrich & Deline 02] Linearity

160 Related Work Ownership Reads [Bornat et al 05/Brookes 06] Linearity

161 Related Work Ownership Reads Linearity

162 Related Work Ownership [Bierhoff & Aldrich 07] Reads Linearity

163

Modular Reasoning about Aliasing using Permissions

Modular Reasoning about Aliasing using Permissions John Boyland University of Wisconsin- Milwaukee FOAL 2015 Summary Permissions are non-duplicable tokens that give access to state. Permissions give effective