Download - Data races in Java and static analysis
![Page 1: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/1.jpg)
Data races in Java and static analysis
Frederic Dabrowski
1INRIA, LANDE
Frederic Dabrowski (INRIA, LANDE) Static race detection 1 / 33
![Page 2: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/2.jpg)
Outline
1 Concurrency in Java
2 Static Detection of dataraces
lock-based typing
{
Flanagan, Abadi & Freund
Boyapati, Lee & Rinard
Points-to analysis : Naik & Aiken(Points-to analysis + Type and effect system)
3 Conclusion and ongoing work
Frederic Dabrowski (INRIA, LANDE) Static race detection 2 / 33
![Page 3: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/3.jpg)
Concurrency in Java
Frederic Dabrowski (INRIA, LANDE) Static race detection 3 / 33
![Page 4: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/4.jpg)
Concurrency in Java
Concurrency model
Thread-based concurrency : shared memory (fields of shared objects)
lexically scoped locking construct : synchronized(x){. . .}
Preemptive scheduling (Interleaving semantics)
Frederic Dabrowski (INRIA, LANDE) Static race detection 4 / 33
![Page 5: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/5.jpg)
Concurrency in Java
Interleaving semantics
(small step)sequential semantics
t, Mem →seq t ′, Mem′
interleaving semantics
ti , Mem →seq t ′i , Mem′
{. . . , ti , . . .}, Mem →inter {. . . , t ′i , . . .}, Mem′
Problem : This semantics is incomplete with respect to the Java MemoryModel, unless you write well-synchronized programs
Frederic Dabrowski (INRIA, LANDE) Static race detection 5 / 33
![Page 6: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/6.jpg)
Concurrency in Java
Natural hypothesis : sequential consistency
Intuivively, sequential consistency means that all executions respect theprogram order.
void mn(){a a should not observe b
. . .
b
}
Problem : enforcing sequential consistency for all Java programsmakes many of the compiler/processor optimizations illegal.
Why ? some optimizations assume well-synchronized programs !
Frederic Dabrowski (INRIA, LANDE) Static race detection 6 / 33
![Page 7: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/7.jpg)
Concurrency in Java
Example : code reordering (cache mechanisms,...)
Original code Optimized code
C .f = C .g = 0 C .f = C .g = 01 : x = C .g ; 3 : y = C .f ;2 : C .f = 1; 4 : C .g = 1;
2 : C .f = 1; 4 : C .g = 1;1 : x = C .g ; 3 : y = C .f ;
{Perm(1, 2, 3, 4) | 1 < 2, 3 < 4} {Perm(1, 2, 3, 4) | 2 < 1, 4 < 3}
{x=1,y=1}2 4 31
3
1
2
4
3
1
3 {x=0,y=0}
1 {x=0,y=0}
{x=0,y=1}
2 {x=1,y=0}4 original
optimized
Frederic Dabrowski (INRIA, LANDE) Static race detection 7 / 33
![Page 8: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/8.jpg)
Concurrency in Java
Behaviors captured by the interleaving sem.
Admissible behaviors (w.r.t the JMM)
Sequential consitency
Java’s memory model is weak memory model
All executions of well-synchronized programs are sequentially consistent a.
aManson, Pugh & Adve : The Java Memory Model (Special Popl issue)
Programs must be well-synchronyzedseveral static analysis depend on it
Frederic Dabrowski (INRIA, LANDE) Static race detection 8 / 33
![Page 9: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/9.jpg)
Concurrency in Java
Well-synchronized programs
(P1) : For all execution ( w.r.t the interleaving semantics), everyconflicting actions a and b are synchronized
synchronized(C ){(1 : x = C .g); (2 : C .f = 1)}
synchronized(C ){(3 : y = C .f ); (4 : C .g = 1)}
1:x=C.glock(C) lock(C) 4:C.y=1 unlock(C)unlock(C)
seq locking seq
2:C.f=1 3:y=C.f
lock(C) lock(C) unlock(C)unlock(C)
seq locking seq
3:y=C.f 4:C.y=1 2:C.f=11:x=C.g
seq seq
compiler/jvm/jit : (P1) ⇒ every exec. is captured by the inter. sem.
Frederic Dabrowski (INRIA, LANDE) Static race detection 9 / 33
![Page 10: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/10.jpg)
Concurrency in Java
Happens-before relation
≺hb is the transitive closure of the following rules :
sequentiality at ≺1hb bt
start/join synchronisation
{
t.start() ≺1hb at
at ≺1hb t.join()
lock-based synchronisation
{
unlock(m) ≺1hb lock(m)
write(x .f ) ≺1hb read(x .f ) (f volatile)
Frederic Dabrowski (INRIA, LANDE) Static race detection 10 / 33
![Page 11: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/11.jpg)
Concurrency in Java
Data races
definition (JMM) : a program has a data race is there exists anexecution with two conflicting actions not not ordered by ≺hb.
alternative definition : a program has a data race if there exists anexecution such that, at some point, there is a non deterministic choice(interleaving semantics) among two conflicting actions.
Problem (undecidable) :
Given a program, are all executions of that program race free ?
Frederic Dabrowski (INRIA, LANDE) Static race detection 11 / 33
![Page 12: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/12.jpg)
Static detection of data races
Frederic Dabrowski (INRIA, LANDE) Static race detection 12 / 33
![Page 13: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/13.jpg)
RCC Java
[PLDI’00] Type-based race detection for Java (Flanagan and Freund)
supports classes parameterized by locks of given types (Dependenttypes)
introduce a notion of thread local classes
Fields protected by locks (static fields)
Encapsulation : self-protected class
Extend previous work based on a simple thread calculus
Frederic Dabrowski (INRIA, LANDE) Static race detection 13 / 33
![Page 14: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/14.jpg)
Example
class A〈ghost Object x〉{Object y = new Object() guarded by x ;void set(Object z) requires x{
this.y = z ;}
}
class B{final Object z = new Object();A〈this.z〉 x = new A〈this.z〉();void f (){
synchronized(this.z){set(new Object())}}
}
Frederic Dabrowski (INRIA, LANDE) Static race detection 14 / 33
![Page 15: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/15.jpg)
Ownership types
[OOPSLA’02] Ownership types for safe programming : preventing data races and
deadlocks (Boyapati, Lee and Rinard)
Basic idea
Write generic code and create different instance with different protectionmechanisms.
Frederic Dabrowski (INRIA, LANDE) Static race detection 15 / 33
![Page 16: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/16.jpg)
Ownership types
Ownership types
Each object is owned by
another object (final field)
itself (self)
a thread (thisThread)
class C 〈Owner0, Owner1, . . .〉 {. . . new D〈Owner1〉() . . .}
Frederic Dabrowski (INRIA, LANDE) Static race detection 16 / 33
![Page 17: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/17.jpg)
Ownership types
Static analysis
1 The ownership relation builds a forest of trees
2 The fields of an object must be protected by the ancester of thisobject (a root, i.e. an object protected by itself or a thread)
Extensions
support for read-only/single pointer objects
Frederic Dabrowski (INRIA, LANDE) Static race detection 17 / 33
![Page 18: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/18.jpg)
Ownership types
Example
class Account〈thisOwner〉{int balance = 0;void deposit(int x) requires thisOwner{
this.balance = this.balance + x ;}
}Account 〈thisThread〉 a1 = new Account〈thisThread〉a1.deposit(10);
final Account〈self 〉 a2 = new Account〈self 〉;fork{synchronized(a2){a2.deposit(10); }}
Account〈a2〉 a3 = new Account〈a2〉;
Frederic Dabrowski (INRIA, LANDE) Static race detection 18 / 33
![Page 19: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/19.jpg)
Type inference
[VMCAI’04] Type Inference for Parameterized Race-Free Java (Agarwaland Stoller)
idea :
Perform a set of execution
Extract types from this set
Check types
problem : incomplete
[SAS’04, SCP’07] Type inference against races (Flanagan and Freund)
consider parameterization of classes as introduced by Boyapati,Leeand Rinard
by reduction of the problem of finding a satisfying assignment for aboolean formula (NP-complete)
Frederic Dabrowski (INRIA, LANDE) Static race detection 19 / 33
![Page 20: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/20.jpg)
Bytecode analysis
[Sigplan Not.] A type system for preventing data races and deadlocks inthe java virtual machine language(Permandla, Roberson, Boyapati)
problem : monitorenter/monitorexit replace synchronized blockssolution : use indexed types to recover structured locking
Indexed types : [TCS’03] A type system for JVM threads (Laneve)
very simple alias analysis
i : Load n, {. . . n 7→ τ . . .}, stack− > {. . . n 7→ τi . . .}, τi :: stack
Frederic Dabrowski (INRIA, LANDE) Static race detection 20 / 33
![Page 21: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/21.jpg)
Limitations of type-based approaches
very strict lock-based discipline
can’t handle other synchronization patterns
Frederic Dabrowski (INRIA, LANDE) Static race detection 21 / 33
![Page 22: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/22.jpg)
Naik and Aiken & al
Frederic Dabrowski (INRIA, LANDE) Static race detection 22 / 33
![Page 23: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/23.jpg)
a = new h1[N];for(i = 0; i < N; i + +){
a[i ] = new h2;a[i ].f = new h3;
}
while (∗){x = a[∗];fork{
sync(x){x .f .g = ∗; }}
}
2h (2)h (1)
2h (n)
2h (1)3h (2)3
h (n)3
2h (2)h (1)
2h (n)
2h (2)3
h (n)3
h (1)3
Frederic Dabrowski (INRIA, LANDE) Static race detection 23 / 33
![Page 24: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/24.jpg)
Language
s ::= | x = null | x = new h
| x = y | x = y .f | x .f = y
| s1; s2 | if (∗) then s1 else s2 | whilew (∗) do s
h allocation sitew ∈ W loop counter
Dynamic semantics
Obj ::= 〈h, π〉 π : W → N
C ::= {. . .Obj ⊲ Obj ′ . . .}
Frederic Dabrowski (INRIA, LANDE) Static race detection 24 / 33
![Page 25: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/25.jpg)
Conditional Must Not Aliasing
synchronized(x){x .f .g = ∗;
}
synchronized(y){y .f .g = ∗;
}
Conditional Must Not Aliasing
must not alias(x , y) ⇒ must not alias(x .f , y .f )
Frederic Dabrowski (INRIA, LANDE) Static race detection 25 / 33
![Page 26: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/26.jpg)
Disjoint Reachability
Disjoint reachability
h ∈ DRC (H) ⇔
o1.h ∈ H ∧ (o1 ⊲ o) ∈ C+∧
o2.h ∈ H ∧ (o2 ⊲ o) ∈ C+∧ ⇒ o1 = o2
o.h = h
Abstraction
Obj ::= 〈h, Π〉
h ::= h | ⊤Π : W 7→ N⊤
N⊤ = {0, 1,⊤}
Π(w) = 0 w not activeΠ(w) = ⊤ w unknownΠ(w) = Π′(w) = 1 same iteration
Judgments : W , Π, Γ ⊢ s : Γ′, K
h ∈ DRK (H) DRK (H) is a safe appr. of DRC (H)
Frederic Dabrowski (INRIA, LANDE) Static race detection 26 / 33
![Page 27: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/27.jpg)
Disjoint reachability
Examples
h2 ∈ DRK ({h1})?
while1 (∗){x = new h1;y = new h2;x .f = y ;
}
YES : {〈h1, (1)〉⊲〈h2, (1)〉}
while1 (∗){x = new h1;while2 (∗){
y = new h2;x .f = y ;
}}
YES : {〈h1, (1, 0)〉⊲〈h2, (1, 1)〉}
while1 (∗){y = new h2;
while2 (∗){x = new h1;x .f = y ;}
}
NO : {〈h1, (1, 1)〉⊲〈h2, (1, 0)〉}
Frederic Dabrowski (INRIA, LANDE) Static race detection 27 / 33
![Page 28: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/28.jpg)
Disjoint reachability
W , Π, Γ ⊢ x = new h : Γ[x 7→ 〈Π′, h〉], ∅
W , Π, Γ ⊢ x = y : Γ[x 7→ Γ(y)] W , Π, Γ ⊢ x .f = y , Γ, K
W , Π, Γ ⊢ x = y .f : Γ[x 7→ 〈λw .⊤,⊤〉], ∅
W , Π, Γ ⊢ s1 : Γ′, K1 W , Π, Γ′ ⊢ s1 : Γ′′, K2
W , Π, Γ ⊢ s1; s2 : Γ′′, K1 ∪ K2
W , Π, Γ ⊢ s1 : Γ1, K1 W , Π, Γ ⊢ s1 : Γ2, K2
W , Π, Γ ⊢ if (∗) then s1 else s2 : Γ1 ⊔ Γ2, K1 ∪ K2
W ∪ {w}, Π, Γw+⊢ s : Γ, K Π(w) 6= 0
W , Π, Γ ⊢ whilew (∗) do s : Γ, K
Frederic Dabrowski (INRIA, LANDE) Static race detection 28 / 33
![Page 29: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/29.jpg)
Conflicting pairs elimination
Static analysis
Call graph construction and context-sensitive points-to analysis
Type and effect system
Frederic Dabrowski (INRIA, LANDE) Static race detection 29 / 33
![Page 30: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/30.jpg)
Conflicting pairs elimination
reachable pairscomputation
aliasing pairscomputation
escaping pairscomputation
may happen inparallel pairs
computation
unlocked pairscomputation
may happen inparallelanalysis
conditional mustnot aliasanalysis
thread−escapeanalysis
call−graphconstruction
analysisalias
Frederic Dabrowski (INRIA, LANDE) Static race detection 30 / 33
![Page 31: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/31.jpg)
Soundness
Sound modulo :
reflection
dynamic loading
native methods
libraries ? ? ?
Frederic Dabrowski (INRIA, LANDE) Static race detection 31 / 33
![Page 32: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/32.jpg)
Conclusion and ongoing work
Data races detection is important
Objects offer a good framework
Type systems can handle strict lock-based discipline but lack moreelaborated synchronisation patterns
Points-to analysis can give very precise results but is much morecomplex
Frederic Dabrowski (INRIA, LANDE) Static race detection 32 / 33
![Page 33: Data races in Java and static analysis](https://reader035.vdocuments.site/reader035/viewer/2022070222/613c179222e01a42d40e8f9b/html5/thumbnails/33.jpg)
Conclusion and ongoing work
Ongoing workCertification of a static analysis for data race detection in Coq
1 Context-sensitive points-to analysis
Certification of a result checker in Coq
2 Static analysis for data race detection
Formalisation of aiken’s type and effect system for Java BytecodeFormalisation of successive stagesCertification in Coq
Frederic Dabrowski (INRIA, LANDE) Static race detection 33 / 33