Safe Reactive Programming: the FunLoft Proposal

Similar documents
The Esterel language

Introduction 2 The first synchronous language (early 80 s) Gérard Berry and his team (École des Mines de Paris / INRIA Sophia-Antipolis) Imperative, s

Programming Safe Agents in Blueprint. Alex Muscar University of Craiova

A Deterministic Concurrent Language for Embedded Systems

Clock-directed Modular Code-generation for Synchronous Data-flow Languages

SugarCubes Implementation of Causality

Weak Memory Models: an Operational Theory

A Deterministic Concurrent Language for Embedded Systems

A Simple Example. The Synchronous Language Esterel. A First Try: An FSM. The Esterel Version. The Esterel Version. The Esterel Version

Synchronous Statecharts. Christian Motika

A Deterministic Concurrent Language for Embedded Systems

CSCI-GA Scripting Languages

Concurrent Objects and Linearizability

Synchronous Kahn Networks (ten years later)

Types for References, Exceptions and Continuations. Review of Subtyping. Γ e:τ τ <:σ Γ e:σ. Annoucements. How s the midterm going?

Predictable Execution with IEC 61499

Verifying Concurrent ML programs

Using and Compiling Esterel

Programming Languages Lecture 15: Recursive Types & Subtyping

The SugarCubes Tool Box

Lambda Calculus. Type Systems, Lectures 3. Jevgeni Kabanov Tartu,

Language Extensions. present [C and not pre(a or B or C)] then p else q end

Theoretical Corner: The Non-Interference Property

EE382N.23: Embedded System Design and Modeling

Petri Nets ee249 Fall 2000

Programming Languages

Synchronous Specification

ECE519 Advanced Operating Systems

Goal. CS152: Programming Languages. Lecture 15 Parametric Polymorphism. What the Library Likes. What The Client Likes. Start simpler.

Programming Languages for Real-Time Systems. LS 12, TU Dortmund

Pierce Ch. 3, 8, 11, 15. Type Systems

Static Analysis by A. I. of Embedded Critical Software

Written Presentation: JoCaml, a Language for Concurrent Distributed and Mobile Programming

Course on Probabilistic Methods in Concurrency. (Concurrent Languages for Probabilistic Asynchronous Communication) Lecture 1

Part VI. Imperative Functional Programming

A step towards reconciling GALS industrial design with formal verification

Hoare logic. A proof system for separation logic. Introduction. Separation logic

The design of a programming language for provably correct programs: success and failure

Cyber Physical System Verification with SAL

Programming Languages Lecture 14: Sum, Product, Recursive Types

Cover Page. The handle holds various files of this Leiden University dissertation

Compiling Esterel. Dumitru Potop-Butucaru. Stephen A. Edwards Gérard Berry

Lock-sensitive Interference Analysis for Java: Combining Program Dependence Graphs with Dynamic Pushdown Networks

Hiding local state in direct style: a higher-order anti-frame rule

A Transactional Model and Platform for Designing and Implementing Reactive Systems

We defined congruence rules that determine the order of evaluation, using the following evaluation

Simply-Typed Lambda Calculus

CS-XXX: Graduate Programming Languages. Lecture 9 Simply Typed Lambda Calculus. Dan Grossman 2012

Quis Custodiet Ipsos Custodes The Java memory model

CS 4110 Programming Languages & Logics. Lecture 35 Typed Assembly Language

λ calculus is inconsistent

From IMP to Java. Andreas Lochbihler. parts based on work by Gerwin Klein and Tobias Nipkow ETH Zurich

The Abstract Behavioral Specification Language

Parallel Computer Architecture Spring Memory Consistency. Nikos Bellas

Curing Schizophrenia by Program Rewriting in Esterel

Reactive Web Programming

CS 242. Fundamentals. Reading: See last slide

Models of concurrency & synchronization algorithms

Chapter 1 INTRODUCTION SYS-ED/ COMPUTER EDUCATION TECHNIQUES, INC.

The Esterel Language. The Esterel Version. Basic Ideas of Esterel

Overview. CMSC 330: Organization of Programming Languages. Concurrency. Multiprocessors. Processes vs. Threads. Computation Abstractions

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

CS 571 Operating Systems. Midterm Review. Angelos Stavrou, George Mason University

CS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Dan Grossman Spring 2011

Sémantique des Langages de Programmation (SemLP) DM : Region Types

MPRI course 2-4 Functional programming languages Exercises

CSCE 313: Intro to Computer Systems

The learning objectives of this chapter are the followings. At the end of this chapter, you shall

Hierarchical Pointer Analysis for Distributed Programs

CSCE 313 Introduction to Computer Systems. Instructor: Dezhen Song

Tutorial and Reference Manual

Multithreading and Interactive Programs

Type Inference Systems. Type Judgments. Deriving a Type Judgment. Deriving a Judgment. Hypothetical Type Judgments CS412/CS413

States Transitions Connectors Esterel Studio

Processes and Threads

Threading and Synchronization. Fahd Albinali

Jonathan Protzenko (INRIA)

Nominal games: a semantics paradigm for effectful languages

Foundations. Yu Zhang. Acknowledgement: modified from Stanford CS242

Reinhard v. Hanxleden 1, Michael Mendler 2, J. Aguado 2, Björn Duderstadt 1, Insa Fuhrmann 1, Christian Motika 1, Stephen Mercer 3 and Owen Brian 3

Concurrent & Distributed Systems Supervision Exercises

Mechanising a type-safe model of multithreaded Java with a verified compiler

Verasco: a Formally Verified C Static Analyzer

Agenda. Threads. Single and Multi-threaded Processes. What is Thread. CSCI 444/544 Operating Systems Fall 2008

Multiprocessors & Thread Level Parallelism

COMPUTER SCIENCE TRIPOS

CS 4110 Programming Languages & Logics

Concepts of programming languages

Reminder from last time

The Metalanguage λprolog and Its Implementation

Modeling, Testing and Executing Reo Connectors with the. Reo, Eclipse Coordination Tools

Lambda Calculus and Type Inference

15 212: Principles of Programming. Some Notes on Continuations

Programming Kotlin. Familiarize yourself with all of Kotlin s features with this in-depth guide. Stephen Samuel Stefan Bocutiu BIRMINGHAM - MUMBAI

Lecture #13: Type Inference and Unification. Typing In the Language ML. Type Inference. Doing Type Inference

Harvard School of Engineering and Applied Sciences Computer Science 152

Introduction to Multicore Programming

High-Level Small-Step Operational Semantics for Software Transactions

Chapter 4: Threads. Operating System Concepts. Silberschatz, Galvin and Gagne

Synchronous reactive programming

Transcription:

Safe Reactive Programming: the FunLoft Proposal Frédéric Boussinot MIMOSA Project, Inria Sophia-Antipolis (Joint work with Frédéric Dabrowski) http://www.inria.fr/mimosa/rp With support from ALIDECS SYNCHRON 2007 1

Introduction Why not a General Purpose Synchronous Language? Modularity: how to reuse code? Dynamicity: how to deal with non-static aspects? (ex: memory allocation) Asynchrony: how to deal with asynchronous aspects? (ex: blocking IOs) Safe programming? (ex: how to prove the termination of instants) Efficiency? (ex: how to benefit from multiprocessors) 2

Plan 1. Modularity & dynamicity: the causality issue 2. Mixing synchrony & asynchrony: the FairThreads model 3. Safe reactive programming: the FunLoft language 4. Efficiency: implementation on multicore architectures 5. Conclusion 3

Modularity (Compositionality) Question: how to define the specification associated with a given code, allowing this code to be used in various contexts? Problem with causality: specifications are over-complex Example: parallel combination of P and Q P = present s1 else emit s2 end, Q = present s2 then emit s1 end. P Q has no solution (causality error) (pause;p) Q is correct (constructive causality), but (pause;p) (pause;q) is not. (pause;pause;p) (pause;q) is correct, but... Information needed for putting P in parallel with Q without causality errors is as complex as the semantics (automaton) of P. No hope! The map is as large as the Empire... 4

Dynamicity Dynamic creation of new parallel components arise in many contexts: Interpretor: interpretation of a new entry Embedded system: new versions, adding of new functionalities Agent system: migrating agent reaching a new site Simulation: creation of new elements to simulate In all these contexts, it is difficultly acceptable that the creation of a new component could raise causality issues For both modularity and dynamicity concerns, causality issues are a major drawback 5

An Alternative to Causality Issues Delay to the next instant reaction to signal absence 1. present s then P else Q end: if s is present, P is immediately executed; if s is absent, Q is executed at the next instant. 2. If solutions with s present and s absent both exists, choose the one with absence. Example: in present s else emit s end, s is emitted at the next instant if it is absent Intuition: to be sure that a signal is absent you have to wait until the end of instant. Implementation: when waiting for s, execution suspends until s is emitted, or the instant terminates 6

Delayed Reaction to Absence Causality errors are ruled out Compositionality becomes achievable New parallel components can be added at run time SL, SugarCubes, ReactiveML, FairThreads,... are based on the delayed reaction to absence Limitations of expressivity: 1. No strong preemption (strong abort), only weak one 2. Values of signals not immediately available Pragmatics: not really severe restrictions... (anyway, to be compared to the introduction of pause statements to solve causality problems) Comparison with the standard approach (Esterel) still to be done for real-life programs 7

Plan 1. Modularity & dynamicity: the causality issue 2. Mixing synchrony & asynchrony: the FairThreads model 3. Safe reactive programming: the FunLoft language 4. Efficiency: implementation on multicore architectures 5. Conclusion 8

FairThreads Model of threads with shared memory Threads linked to a scheduler are run cooperatively and share the same instants. Synchronisation and communication through broadcast signals Several schedulers run asynchronously. Thread migration Unlinked threads run in a preemptive way 9

FairThreads - 2 GALS aspect of FairThreads: schedulers corresponds to locally synchronous areas; systems made of several schedulers are globally asynchronous Implementations: Java (restriction to a unique scheduler, 2002), Scheme (with specialised service threads, 2004), library of FairThreads in C (2005), LOFT (2006) Graphical simulations (cellular automata) 10

Many Problems Data-races (= interference = lack of atomicity, ex:!x+!x 2*!x) between linked and unlinked threads Data-races between threads linked to different schedulers Data-races between unlinked threads Non-cooperative thread linked to a scheduler (lack of reactivity) Uncontrolled creation of new threads Data with uncontrolled growing size (memory leaks) Buffering of communication between schedulers Actually, all are standard problems in concurrency and resource control! 11

Also Problems in Synchronous Languages These problems also exist for Synchronous Languages, at host language level module m : var x := Nil : list in loop x := f(x); pause end end end module Memory leaks: list f(list x) {return Cons(0,x);} Lack of reactivity: list f(list x) {return f(x);} Data-races in the context of GALS: list f(list x) {return Cons(global,Cons(global,x));} 12

Plan 1. Modularity & dynamicity: the causality issue 2. Mixing synchrony & asynchrony: the FairThreads model 3. Safe reactive programming: the FunLoft language 4. Efficiency: implementation on multicore architectures 5. Conclusion 13

FunLoft Inductive data types - First order functions Termination detection of recursively defined functions. Consequence: termination of instants ( reactivity ) Restriction on the flow of data carried by references and events (stratification) Consequence: bounded system size absence of memory leaks Separation of references (using a type and effect system): Schedulers own references shared by threads linked to them Threads own private references only accessible by them Consequence: atomicity of the cooperative model extended to unlinked threads and to multi-schedulers absence of data-races 14

FunLoft Basic Syntax p ::= x C(p,..., p) e ::= x C(e,..., e) match x with p > e... p > e f(e,..., e) let x = e in e ref e!e e:=e cooperate thread f(e,..., e) join e unlink e link s do e event generate e with e await e get all values e in e loop e while e do e Distinction function/module functions always terminate instantly; not mandatory for modules functions can be recursively defined, modules cannot Schedulers, functions, and modules defined at top-level only 15

Example of Code: Colliding Particles type particle_t = Particle of float ref * // x coord float ref * // y coord float ref * // x speed float ref * // y speed color_t // color Type of particles: Module defining the particle behaviour: let module particle_behavior (collide_event,color) = let s = new_particle (color) in begin thread bounce_behavior (s); thread collide_behavior (s,collide_event); thread draw_behavior (s); end Note: particle s is shared by the three threads 16

Collision Behaviour type a list = Nil_list Cons_list of a * a list let process_all_collisions (me,list) = match list with Nil_list -> () Cons_list (other,tail) -> begin collision (me,other); process_all_collisions (me,tail) end end let module collide_behavior (me,collide_event) = let r = ref Nil_list in loop begin generate collide_event with particle2coord (me); get_all_values collide_event in r; process_all_collisions (me,!r); inertia (me); end Function process all collisions proved to terminate. The loop in collide behavior proved to be not instantaneous 17

let module main () = let draw_event = event in let collide_event = event in begin end The Global System thread graphics (maxx,maxy,black); thread draw_processor (draw_event,size); repeat particle_number do thread particle_behavior (collide_event,draw_event,green); The program is ok: no possibility of data-races because shared particle data structures are only accessed by threads linked to the same scheduler 18

Static Analyses: Separation of the Memory Status public/private associated to references τ ref s : type of a public reference created in scheduler s τ ref : type of a private reference Memory separation property: A public reference created in the scheduler s can only be accessed by the threads linked to s A private reference can only be accessed by one unique thread Access effect = set of scheduler names Γ e:τ ref s,f Γ!e:τ,F {s} Γ e:τ ref,f Γ!e:τ,F 19

Checks: Separation of the Memory - 2 1. When linked to a scheduler, a thread should not access a public reference of an other scheduler 2. When unlinked a thread should not access a public reference Forbidden situations: Γ e:f F {s} Γ link s do e: Γ e: Γ unlink e: 20

Separation of the Memory - 3 One must also prevent a thread to access a private reference of another thread Check 3: parameters of a new thread should not be private f:τ ()/F Γ e i :τ i,f i τ i =τ i ref α i α i Γ thread f(e): F i Forbidden: private reference pointed to by a public reference 21

Separation of the Memory - 4 Check 4: a reference and its initializing value should have same status Γ e:τ,f τ=τ ref α α Γ ref s e:τ ref s,f Γ e:τ,f τ=τ ref α α= Γ ref e:τ ref,f Proof: Memory separation is preserved by rewriting in the formal operational semantics (extended with explicit ownership of private references) 22

Static Analyses: Memory Leaks References should not be used as accumulators let r = ref Nil_list let f () =!r let module m () = loop begin r := Cons_list (0,f()); cooperate end Stratification of references : region associated to each reference creation r : a list ref k Types with read/write effect: f : unit a list [read : k, write :] e 1 := e 2 adds the arrow k 1 k 2 in the information flow graph, for all k 1 written by e 1 and all k 2 read by e 2. Absence of cycles in the graph is checked; in m, k k 23

let f (r1,r2) = r1:=!r2 Inference with Constraints Types with effects and constraints f : a ref k b ref l unit [read : b ref l, write : a ref k ] ( a ref k b ref l ) let nok () = let r = ref N il list in f (r,r) a list ref k a list ref k k k error let ok () = let r = ref 0 in f (r,r) int ref k int ref k ok Constraints are collected during the construction of the most general unifier, and checked when complete 24

Termination of Recursive Functions type a list = Nil list Cons list of a a list Strict sub-term order: Cons list (head, tail) tail Lexicographic extension: f (a, Cons list (h, tail), t) f (a, tail, Cons list (h, t)) Analyses of chains of calls for arguments of inductive types let process all collisions (me, list) = match list with Nil list > () Cons list (other, tail) > begin collision (me, other); process all collisions (me, tail) end end list = Cons list(other, tail) list tail (me, list) (me, tail) 25

Several other Static Analyses No instantaneous loops No uncontrolled thread creation in loops loop begin thread m (); cooperate end No thread creation while unlinked (unlink thread m ()) Events used in correct context Generated values should also be stratified No reference embedded in generated value No event shared by distinct schedulers No use of events while unlinked Result: a well-typed program runs in bounded memory, without data-races, and instants always terminate 26

References Basic reactive model: A Synchronous pi-calculus, R. Amadio, Journal of Information and Computation 205, 9 (2007) 1470-1490. Memory separation only, 1 scheduler, no events: Cooperative Threads and Preemptive Computations, Dabrowski, F. and Boussinot, F., Proceedings of TV 06, Seattle, 2006. Model without distinction module/function nor join (memory separation proved) + polynomial resource control: Programmation Réactive Synchrone, Langage et Contrôle des Ressources, F. Dabrowski s Thesis, Paris 7, june 2007. Ongoing work: Formalisation of FunLoft, F. Boussinot, F. Dabrowski. 27

Plan 1. Modularity & dynamicity: the causality issue 2. Mixing synchrony & asynchrony: the FairThreads model 3. Safe reactive programming: the FunLoft language 4. Efficiency: implementation on multicore architectures 5. Conclusion 28

Multicore Programming How can a single application benefit from a multicore architecture? Answer: multithreading! General problem: how to get maximum of concurrency + absence of data-races + maximum of parallelism Specific problem: How to adapt the colliding particles simulation to multicore machines? Idea: 2 schedulers, each one simulating half of the particles. Problem 1: strong synchronisation between schedulers needed (to animate particles uniformly). Problem 2: collide event shared between the 2 schedulers (forbidden as the schedulers are asynchronous). 29

Proposal: Synchronised Schedulers Strong synchronisation between schedulers (common ends of instants), but parallelism during instants No sharing of memory (to avoid data races) Events shared among synchronised schedulers 30

Multithreaded Colliding Particles let s1 = scheduler and s2 = scheduler let module main () = let draw_event = event in let collide_event = event in begin link s1 do begin thread graphics (maxx,maxy,black); thread draw_processor (draw_event,size); repeat particle_number / 2 do thread particle_behavior (collide_event,draw_event,green); end; link s2 do repeat particle_number / 2 do thread particle_behavior (collide_event,draw_event,red); end 31

Demo CPU usage (left: 1 scheduler, right: 2 schedulers) 100% CPU 150% CPU Time to simulate 500 particles during 100 instants 1 sched 2 scheds real 0m21.832s 0m14.189s user 0m21.102s 0m21.369s sys 0m0.220s 0m0.379s Gain: 21/14 = 1.5 Gain (1000 instants) particles 100 200 300 400 500 600 1000 gain 1.2 1.3 1.4 1.51 1.52 1.56 1.57 32

Conclusion FunLoft is experimental and far from being a GPSL! Lack of realistic bounds (polynomial?) Over-restricted detection of termination of functions No distribution, no objects, etc... FunLoft provides: Concurrent programming with clear semantics Static analyses to prevent data-races and memory leaks, and to ensure reactivity Efficient implementation: large number of components Syntax for multithreaded applications on multicore architectures Compiler available at www.inria.fr/mimosa/rp/funloft 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback