static lock capabilities for deadlock-freedom
TRANSCRIPT
![Page 1: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/1.jpg)
Static Lock Capabilities for Deadlock-Freedom
Colin S. [email protected]
University of Washington
TLDI, January 28, 2012Joint work with Michael D. Ernst and Dan Grossman
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 1 / 16
![Page 2: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/2.jpg)
Verifying Deadlock Freedom
Deadlock
A cycle of threads, each blocked waiting for a resource held by the nextthread in the cycle.
T1 → T2 → . . .→ Tn, T1 = Tn
Goal
Statically verify deadlock freedom for fine-grained locking
Balanced binary trees
Resizable hash tables
Array elements
Circular lists
Approach
A static (capability) type system
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 2 / 16
![Page 3: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/3.jpg)
Deadlock-Free Code
Assuming n2 == n1.left and n3 == n1.right:Thread1 : sync n2 {}Thread2 : sync n3 {}Thread3 : sync n1 {sync n1.left {sync n1.right {}}}Thread4 : sync n1 {sync n1.right {sync n1.left {}}}
n1↙ ↘
n2 n3
Prior static approaches require either:
A total ordering on n1’s children (rejects T3 or T4), or
Disallow interior pointers (n2, n3, rejecting T1 and T2)
Lock capabilities impose neither restriction.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 3 / 16
![Page 4: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/4.jpg)
Deadlock-Free Code
Assuming n2 == n1.left and n3 == n1.right:Thread1 : sync n2 {}Thread2 : sync n3 {}Thread3 : sync n1 {sync n1.left {sync n1.right {}}}Thread4 : sync n1 {sync n1.right {sync n1.left {}}}
n1↙ ↘
n2 n3
Prior static approaches require either:
A total ordering on n1’s children (rejects T3 or T4), or
Disallow interior pointers (n2, n3, rejecting T1 and T2)
Lock capabilities impose neither restriction.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 3 / 16
![Page 5: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/5.jpg)
Lock Capabilities
Lock Capability
A static capability that permits acquiring additional locks
Baked into a type-and-effect system
Proved sound (they prevent deadlock)
Straightforward extensions
Scale to handle a set of diverse structuresI with the help of some extensions to plumb singleton types
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 4 / 16
![Page 6: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/6.jpg)
Intuition: Tree-Based Ordering
Fine-grained locking in a binary tree:
Acquiring one lock while holdingnone avoids deadlock;“First lock is free”
Following tree order deeplythrough the tree avoidsdeadlock.
Assuming children are acquiredonly while holding the parentlock, locking siblings avoidsdeadlock.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 5 / 16
![Page 7: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/7.jpg)
Intuition: Tree-Based Ordering
Fine-grained locking in a binary tree:
Acquiring one lock while holdingnone avoids deadlock;“First lock is free”
Following tree order deeplythrough the tree avoidsdeadlock.
Assuming children are acquiredonly while holding the parentlock, locking siblings avoidsdeadlock.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 5 / 16
![Page 8: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/8.jpg)
Intuition: Tree-Based Ordering
Fine-grained locking in a binary tree:
Acquiring one lock while holdingnone avoids deadlock;“First lock is free”
Following tree order deeplythrough the tree avoidsdeadlock.
Assuming children are acquiredonly while holding the parentlock, locking siblings avoidsdeadlock.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 5 / 16
![Page 9: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/9.jpg)
Intuition: Tree-Based Ordering
Fine-grained locking in a binary tree:
Acquiring one lock while holdingnone avoids deadlock;“First lock is free”
Following tree order deeplythrough the tree avoidsdeadlock.
Assuming children are acquiredonly while holding the parentlock, locking siblings avoidsdeadlock.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 5 / 16
![Page 10: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/10.jpg)
Intuition: Tree-Based Ordering
Fine-grained locking in a binary tree:
Acquiring one lock while holdingnone avoids deadlock;“First lock is free”
Following tree order deeplythrough the tree avoidsdeadlock.
Assuming children are acquiredonly while holding the parentlock, locking siblings avoidsdeadlock.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 5 / 16
![Page 11: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/11.jpg)
Generalizing Beyond Trees
Trees → Tree-shaped Partial Orders
In an immutable tree-shaped partial ordering, a thread may acquire a lockl when:
It holds no other locks, or
It holds a lock l ′ and l is a child of l ′
Notice:
No ordering imposed between siblings
No restriction on aliases
Harder:
Early lock releases
Modifying the partial order
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 6 / 16
![Page 12: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/12.jpg)
Generalizing Beyond Trees
Trees → Tree-shaped Partial Orders
In an immutable tree-shaped partial ordering, a thread may acquire a lockl when:
It holds no other locks, or
It holds a lock l ′ and l is a child of l ′
Notice:
No ordering imposed between siblings
No restriction on aliases
Harder:
Early lock releases
Modifying the partial order
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 6 / 16
![Page 13: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/13.jpg)
Generalizing Beyond Trees
Trees → Tree-shaped Partial Orders
In an immutable tree-shaped partial ordering, a thread may acquire a lockl when:
It holds no other locks, or
It holds a lock l ′ and l is a child of l ′
Notice:
No ordering imposed between siblings
No restriction on aliases
Harder:
Early lock releases
Modifying the partial order
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 6 / 16
![Page 14: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/14.jpg)
Lock Capabilities
c l a s s TreeNode {guardedBy〈this〉 TreeNode left ;guardedBy〈this〉 TreeNode right ;
}
←− Parent lock x grants capability 〈x〉
←− Child type includes the guarding capability:x .right : guardedBy〈x〉 TreeNode
lock (x) in lock (x .right) in . . .
May only acquire lock of type guardedBy〈x〉when holding lock x (or no locks at all).
Deadlock freedom follows from thecapability granting relation being a forest
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 7 / 16
![Page 15: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/15.jpg)
Lock Capabilities
c l a s s TreeNode {guardedBy〈this〉 TreeNode left ;guardedBy〈this〉 TreeNode right ;
}
←− Parent lock x grants capability 〈x〉
←− Child type includes the guarding capability:x .right : guardedBy〈x〉 TreeNode
lock (x) in lock (x .right) in . . .
May only acquire lock of type guardedBy〈x〉when holding lock x (or no locks at all).
Deadlock freedom follows from thecapability granting relation being a forest
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 7 / 16
![Page 16: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/16.jpg)
Lock Capabilities
c l a s s TreeNode {guardedBy〈this〉 TreeNode left ;guardedBy〈this〉 TreeNode right ;
}
←− Parent lock x grants capability 〈x〉
←− Child type includes the guarding capability:x .right : guardedBy〈x〉 TreeNode
lock (x) in lock (x .right) in . . .
May only acquire lock of type guardedBy〈x〉when holding lock x (or no locks at all).
Deadlock freedom follows from thecapability granting relation being a forest
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 7 / 16
![Page 17: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/17.jpg)
Lock Capabilities
c l a s s TreeNode {guardedBy〈this〉 TreeNode left ;guardedBy〈this〉 TreeNode right ;
}
←− Parent lock x grants capability 〈x〉
←− Child type includes the guarding capability:x .right : guardedBy〈x〉 TreeNode
lock (x) in lock (x .right) in . . .
May only acquire lock of type guardedBy〈x〉when holding lock x (or no locks at all).
Deadlock freedom follows from thecapability granting relation being a forest
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 7 / 16
![Page 18: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/18.jpg)
Lock Capabilities
c l a s s TreeNode {guardedBy〈this〉 TreeNode left ;guardedBy〈this〉 TreeNode right ;
}
←− Parent lock x grants capability 〈x〉
←− Child type includes the guarding capability:x .right : guardedBy〈x〉 TreeNode
lock (x) in lock (x .right) in . . .
May only acquire lock of type guardedBy〈x〉when holding lock x (or no locks at all).
Deadlock freedom follows from thecapability granting relation being a forest
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 7 / 16
![Page 19: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/19.jpg)
Structures with Cycles
A forest-shaped capability granting relation doesn’t require forest-shapeddata structures. For example, here is a circular list:
This circular list has cycles in the heap, but a tree-shaped capabilitygranting relation.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 8 / 16
![Page 20: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/20.jpg)
Structures with Cycles
A forest-shaped capability granting relation doesn’t require forest-shapeddata structures. For example, here is a circular list:
This circular list has cycles in the heap, but a tree-shaped capabilitygranting relation.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 8 / 16
![Page 21: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/21.jpg)
Supporting Mutable Structures
Lock relationships can change dynamically, so we need:
Strong Updates=⇒ weakened form of uniqueness
Preserving Acyclicity=⇒ track shape of capability-granting relation
Releasing Out-Of-Order=⇒ restrictions on lock acquisition
I No time to discuss out-of-order releases
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 9 / 16
![Page 22: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/22.jpg)
Supporting Mutable Structures
Lock relationships can change dynamically, so we need:
Strong Updates=⇒ weakened form of uniqueness
Preserving Acyclicity=⇒ track shape of capability-granting relation
Releasing Out-Of-Order=⇒ restrictions on lock acquisition
I No time to discuss out-of-order releases
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 9 / 16
![Page 23: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/23.jpg)
Supporting Mutable Structures
Lock relationships can change dynamically, so we need:
Strong Updates=⇒ weakened form of uniqueness
Preserving Acyclicity=⇒ track shape of capability-granting relation
Releasing Out-Of-Order=⇒ restrictions on lock acquisition
I No time to discuss out-of-order releases
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 9 / 16
![Page 24: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/24.jpg)
Supporting Mutable Structures
Lock relationships can change dynamically, so we need:
Strong Updates=⇒ weakened form of uniqueness
Preserving Acyclicity=⇒ track shape of capability-granting relation
Releasing Out-Of-Order=⇒ restrictions on lock acquisition
I No time to discuss out-of-order releases
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 9 / 16
![Page 25: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/25.jpg)
Supporting Mutable Structures
Lock relationships can change dynamically, so we need:
Strong Updates=⇒ weakened form of uniqueness
Preserving Acyclicity=⇒ track shape of capability-granting relation
Releasing Out-Of-Order=⇒ restrictions on lock acquisition
I No time to discuss out-of-order releases
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 9 / 16
![Page 26: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/26.jpg)
Changing Capability Grants
The capability granting relation that determines each lock’s guard mustallow changes.
Partial Uniqueness
A single reference carries the guard information for an object
1 u guardedBy〈x〉 TreeNode “Unique” with guard information∞ guardless TreeNode Duplicable, no guard information
Partial Strong Updates
Guard information is isolated, enabling strong updates to the guard
x : u guardedBy〈y〉 TreeNode −→ x : u guardedBy〈z〉 TreeNode
Goal: Type system infers strong updates without explicit guidance
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 10 / 16
![Page 27: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/27.jpg)
Changing Capability Grants
The capability granting relation that determines each lock’s guard mustallow changes.
Partial Uniqueness
A single reference carries the guard information for an object
1 u guardedBy〈x〉 TreeNode “Unique” with guard information∞ guardless TreeNode Duplicable, no guard information
Partial Strong Updates
Guard information is isolated, enabling strong updates to the guard
x : u guardedBy〈y〉 TreeNode −→ x : u guardedBy〈z〉 TreeNode
Goal: Type system infers strong updates without explicit guidance
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 10 / 16
![Page 28: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/28.jpg)
Changing Tree Structure
public TreeNode {
public u_guardedBy〈this〉 TreeNode left;
public u_guardedBy〈this〉 TreeNode right;
}
...
guardless TreeNode a;
...
lock(a) {
lock(a.left) {
lock(a.left.left) {
let b = dread(a.left) in
let c = dread(b.left) in
c.left := dread(b);
a.left := dread(c);
} } }
Destructive Readsdread(p) atomically assigns null to path p and returnsthe old value, preventing duplication.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 11 / 16
![Page 29: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/29.jpg)
Preserving Acyclicity
Changes to the capability-granting relation must not create cycles.
We track disjointness of capability-granting trees in a flow-sensitivemanner.
Removing an edge produces two mutually disjoint trees
Adding an edge between two mutually disjoint trees produces one tree
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 12 / 16
![Page 30: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/30.jpg)
The Core Type System
Core typing judgement:
Υ; Γ; L ` e : τ ;Υ′
Two theorems proven for basic lock capabilities with reordering:1 Type Preservation
I Long, straightforward
2 Deadlock Freedom PreservationI Extended semantics with capability-use log in graph form, modeling
thread dependencies
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 13 / 16
![Page 31: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/31.jpg)
The Core Type System
Core typing judgement:tree disjointness
Υ; Γ; L ` e : τ ;Υ′
Two theorems proven for basic lock capabilities with reordering:1 Type Preservation
I Long, straightforward
2 Deadlock Freedom PreservationI Extended semantics with capability-use log in graph form, modeling
thread dependencies
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 13 / 16
![Page 32: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/32.jpg)
The Core Type System
Core typing judgement:tree disjointness
Υ; Γ; L ` e : τ ;Υ′
local variable typing
Two theorems proven for basic lock capabilities with reordering:1 Type Preservation
I Long, straightforward
2 Deadlock Freedom PreservationI Extended semantics with capability-use log in graph form, modeling
thread dependencies
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 13 / 16
![Page 33: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/33.jpg)
The Core Type System
Core typing judgement:tree disjointness
Υ; Γ; L ` e : τ ;Υ′
local variable typing held locks (≡ capabilities)
Two theorems proven for basic lock capabilities with reordering:1 Type Preservation
I Long, straightforward
2 Deadlock Freedom PreservationI Extended semantics with capability-use log in graph form, modeling
thread dependencies
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 13 / 16
![Page 34: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/34.jpg)
The Core Type System
Core typing judgement:tree disjointness
Υ; Γ; L ` e : τ ;Υ′
local variable typing held locks (≡ capabilities)
Two theorems proven for basic lock capabilities with reordering:1 Type Preservation
I Long, straightforward
2 Deadlock Freedom PreservationI Extended semantics with capability-use log in graph form, modeling
thread dependencies
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 13 / 16
![Page 35: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/35.jpg)
Proposed Extensions
“Plumbing” Extensions:
Arrays (treated as object with integer-named fields)
Fixed guards (no strong update, but sharing guard info)
External capabilitiesI Parameterized classes a la RCC/JavaI class CircularListNode<ghost List l> {
fixed_guard<l> CircularListNode<l> next;
fixed_guard<l> CircularListNode<l> prev;
...
}
More substantial extensions:
Unstructured Locking (requires more precise capability tracking)
Combination with lock levels
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 14 / 16
![Page 36: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/36.jpg)
Proposed Extensions
“Plumbing” Extensions:
Arrays (treated as object with integer-named fields)
Fixed guards (no strong update, but sharing guard info)
External capabilitiesI Parameterized classes a la RCC/JavaI class CircularListNode<ghost List l> {
fixed_guard<l> CircularListNode<l> next;
fixed_guard<l> CircularListNode<l> prev;
...
}
More substantial extensions:
Unstructured Locking (requires more precise capability tracking)
Combination with lock levels
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 14 / 16
![Page 37: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/37.jpg)
Proposed Extensions
“Plumbing” Extensions:
Arrays (treated as object with integer-named fields)
Fixed guards (no strong update, but sharing guard info)
External capabilitiesI Parameterized classes a la RCC/JavaI class CircularListNode<ghost List l> {
fixed_guard<l> CircularListNode<l> next;
fixed_guard<l> CircularListNode<l> prev;
...
}
More substantial extensions:
Unstructured Locking (requires more precise capability tracking)
Combination with lock levels
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 14 / 16
![Page 38: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/38.jpg)
Proposed Extensions
“Plumbing” Extensions:
Arrays (treated as object with integer-named fields)
Fixed guards (no strong update, but sharing guard info)
External capabilitiesI Parameterized classes a la RCC/JavaI class CircularListNode<ghost List l> {
fixed_guard<l> CircularListNode<l> next;
fixed_guard<l> CircularListNode<l> prev;
...
}
More substantial extensions:
Unstructured Locking (requires more precise capability tracking)
Combination with lock levels
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 14 / 16
![Page 39: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/39.jpg)
Proposed Extensions
“Plumbing” Extensions:
Arrays (treated as object with integer-named fields)
Fixed guards (no strong update, but sharing guard info)
External capabilitiesI Parameterized classes a la RCC/JavaI class CircularListNode<ghost List l> {
fixed_guard<l> CircularListNode<l> next;
fixed_guard<l> CircularListNode<l> prev;
...
}
More substantial extensions:
Unstructured Locking (requires more precise capability tracking)
Combination with lock levels
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 14 / 16
![Page 40: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/40.jpg)
Examples
Splay Tree RotationI Captured by SafeJava and Chalice, but SafeJava special-cases
Array Element Locking (with array extension)I Only addressed by Gadara, which may over-synchronize
Circular Lists (with external capabilities and fixed guard extensions)I List used in OS kernelsI Each list node guarded by a central list objectI Allows parallelism between threads using single nodes and one thread
using multiple
Dining Philosophers (with external capabilities, fixed guards, andexplicit unlock)
I All “chopstick” locks guarded by central lockI Threads “eat” by locking central lock, then chopsticks, then releasing
central lockI Can build hierarchy of intermediate locks for improved parallelism
All handled cleanly by a single general approach.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 15 / 16
![Page 41: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/41.jpg)
Examples
Splay Tree RotationI Captured by SafeJava and Chalice, but SafeJava special-cases
Array Element Locking (with array extension)I Only addressed by Gadara, which may over-synchronize
Circular Lists (with external capabilities and fixed guard extensions)I List used in OS kernelsI Each list node guarded by a central list objectI Allows parallelism between threads using single nodes and one thread
using multiple
Dining Philosophers (with external capabilities, fixed guards, andexplicit unlock)
I All “chopstick” locks guarded by central lockI Threads “eat” by locking central lock, then chopsticks, then releasing
central lockI Can build hierarchy of intermediate locks for improved parallelism
All handled cleanly by a single general approach.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 15 / 16
![Page 42: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/42.jpg)
Examples
Splay Tree RotationI Captured by SafeJava and Chalice, but SafeJava special-cases
Array Element Locking (with array extension)I Only addressed by Gadara, which may over-synchronize
Circular Lists (with external capabilities and fixed guard extensions)I List used in OS kernelsI Each list node guarded by a central list objectI Allows parallelism between threads using single nodes and one thread
using multiple
Dining Philosophers (with external capabilities, fixed guards, andexplicit unlock)
I All “chopstick” locks guarded by central lockI Threads “eat” by locking central lock, then chopsticks, then releasing
central lockI Can build hierarchy of intermediate locks for improved parallelism
All handled cleanly by a single general approach.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 15 / 16
![Page 43: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/43.jpg)
Examples
Splay Tree RotationI Captured by SafeJava and Chalice, but SafeJava special-cases
Array Element Locking (with array extension)I Only addressed by Gadara, which may over-synchronize
Circular Lists (with external capabilities and fixed guard extensions)I List used in OS kernelsI Each list node guarded by a central list objectI Allows parallelism between threads using single nodes and one thread
using multiple
Dining Philosophers (with external capabilities, fixed guards, andexplicit unlock)
I All “chopstick” locks guarded by central lockI Threads “eat” by locking central lock, then chopsticks, then releasing
central lockI Can build hierarchy of intermediate locks for improved parallelism
All handled cleanly by a single general approach.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 15 / 16
![Page 44: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/44.jpg)
Examples
Splay Tree RotationI Captured by SafeJava and Chalice, but SafeJava special-cases
Array Element Locking (with array extension)I Only addressed by Gadara, which may over-synchronize
Circular Lists (with external capabilities and fixed guard extensions)I List used in OS kernelsI Each list node guarded by a central list objectI Allows parallelism between threads using single nodes and one thread
using multiple
Dining Philosophers (with external capabilities, fixed guards, andexplicit unlock)
I All “chopstick” locks guarded by central lockI Threads “eat” by locking central lock, then chopsticks, then releasing
central lockI Can build hierarchy of intermediate locks for improved parallelism
All handled cleanly by a single general approach.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 15 / 16
![Page 45: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/45.jpg)
Contributions
Introduced lock capabilitiesI New approach to verifying deadlock freedomI Well-suited to fine-grained lockingI Suitable for any verification approach, we used types
Proved soundness: lock capabilities ensure deadlock freedom
Sketched useful, straightforward extensions
Showed how lock capabilities can verify deadlock freedom forimportant, challenging examples
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 16 / 16
![Page 46: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/46.jpg)
Backup Slides
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 17 / 16
![Page 47: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/47.jpg)
Splay Tree Rotation
c l a s s Node {u guardedBy<t h i s>Node l e f t ;u guardedBy<t h i s>Node r i g h t ;
}. . .
l e t f i n a l n = . . . i nl o c k ( n ) {
l e t final x = n . r i g h t i ni f ( x ) {
l o c k ( x ) {i f ( x . l e f t ) {let final v name = x.left in
l o c k ( x . l e f t ) {l e t v = dread( x . l e f t ) i nlet final w name = v.right in
l e t w = dread( v . r i g h t ) i n// v . r i g h t := xv . r i g h t := dread( n . r i g h t ) ;x . l e f t := dread(w ) ;n . r i g h t := dread( v ) ;
}}}}}
Differences from regular codeare highlighted. Most can beinferred by a compiler.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 18 / 16
![Page 48: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/48.jpg)
Array-order Locking
Array-order locking is generally undecidable; lock capabilities enable arestricted form to be verified. In our core language extended with arraysand integers:l e t f i n a l a r r , u n i q u e a = new u guardedBy Object [ n ] i n. . .l o c k ( a r r ) {
l o c k ( a r r [ i ] ) {l o c k ( a r r [ j ] ) {
. . .}
}}
Note that we don’t need to compare i and j!
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 19 / 16
![Page 49: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/49.jpg)
Circular Lists
The list of running processes in an OS kernel is circularIt requires fine-grained locking for performance.Atomic resource transfer requires locking multiple processes.There is no sensible ordering on processes.
In our core language extended with fixed guards and external capabilities:c l a s s C i r c u l a r L i s t {
f i x e d<t h i s> C i r c u l a r L i s t N o d e<t h i s> head ;}c l a s s C i r c u l a r L i s t N o d e<g h o s t C i r c u l a r L i s t l i s t > {
f i x e d g u a r d< l i s t > C i r c u l a r L i s t N o d e< l i s t > p r e v ;f i x e d g u a r d< l i s t > C i r c u l a r L i s t N o d e< l i s t > n e x t ;u guardedBy<t h i s> Object data ;
}
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 20 / 16
![Page 50: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/50.jpg)
Orphaned Locks
Acyclic capability granting is only half ofsoundness:
p u b l i c TreeNode {p u b l i c u guardedBy〈this〉TreeNode l e f t ;p u b l i c u guardedBy〈this〉TreeNode r i g h t ;
}. . .g u a r d l e s s TreeNode a ;. . .l o c k ( a ) {
l o c k ( a . l e f t ) {l o c k ( a . l e f t . l e f t ) {
l e t b = dread ( a . l e f t ) i nl e t c = dread ( b . l e f t ) i nc . l e f t := dread ( b ) ;a . l e f t := dread ( c ) ;
} // r e l e a s e clock(a.left) { // l o c k c aga in
// do stuff}
}}
l o c k ( n ) { // l o c k clock(n.left) { // l o c k b
// DEADLOCK!!!}
}
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 21 / 16
![Page 51: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/51.jpg)
Orphaned Locks
Acyclic capability granting is only half ofsoundness:
p u b l i c TreeNode {p u b l i c u guardedBy〈this〉TreeNode l e f t ;p u b l i c u guardedBy〈this〉TreeNode r i g h t ;
}. . .g u a r d l e s s TreeNode a ;. . .l o c k ( a ) {
l o c k ( a . l e f t ) {l o c k ( a . l e f t . l e f t ) {
l e t b = dread ( a . l e f t ) i nl e t c = dread ( b . l e f t ) i nc . l e f t := dread ( b ) ;a . l e f t := dread ( c ) ;
} // r e l e a s e clock(a.left) { // l o c k c aga in
// DEADLOCK!!!}
}}
l o c k ( n ) { // l o c k clock(n.left) { // l o c k b
// DEADLOCK!!!}
}
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 21 / 16
![Page 52: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/52.jpg)
Theorem: Type Preservation
Syntactic proof
Extended typing rules add:I Heap typing ΣI Per-thread capability grants φi : Value→ Variable
(or intuitively, Lock→ Lock)
Requires many invariantsI Most are natural (e.g. well-formed environments)I A few natural to preserve, subtle to state
F e.g. relating multiple threads’ assertions about the capability-grantingrelation
I Full details in TR
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 22 / 16
![Page 53: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/53.jpg)
Theorem: Deadlock Freedom Preservation
Deadlock freedom is a preservationproof:
Build a labeled graph of howthreads use capabilities
Prove there is never a pathbetween a single thread’s locksusing capabilities of multiplethreads.
Detailed sketch in paper, full proof inTR.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 23 / 16
![Page 54: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/54.jpg)
Dining Philosophers
The problem:
The canonical deadlock example
n philosophers eating at a circular tableI Only n chopsticks, one to each side of each philosopherI Must share chopsticks (locks) with neighborsI Philosophers are greedy and won’t put down chopstick (release lock)
until they’ve eaten
There is no way to put a consistent structural ordering on chopsticks(locks)
With support for lock capabilities with unstructured locking:
Capability-granting relation identical to the circular list
With releasing “global” lock early:I Serializes acquisitionI Allows parallelism between threads holding multiple locks
Verifiably deadlock-free solution that allows some parallelism withsimple code
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 24 / 16
![Page 55: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/55.jpg)
Dining Philosophers
The problem:
The canonical deadlock example
n philosophers eating at a circular tableI Only n chopsticks, one to each side of each philosopherI Must share chopsticks (locks) with neighborsI Philosophers are greedy and won’t put down chopstick (release lock)
until they’ve eaten
There is no way to put a consistent structural ordering on chopsticks(locks)
With support for lock capabilities with unstructured locking:
Capability-granting relation identical to the circular list
With releasing “global” lock early:I Serializes acquisitionI Allows parallelism between threads holding multiple locks
Verifiably deadlock-free solution that allows some parallelism withsimple code
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 24 / 16
![Page 56: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/56.jpg)
Background: Lock Levels
The program’s locks arepartitioned into levels, and theprogrammer specifies a partialorder on levels.
Lock Levels Locking Protocol
A thread may acquire a lock lwhen:
It holds no other locks, or
l is in a lock level orderedafter the level of all locksheld
Limitations:
Requires total ordering onany set of locks heldconcurrently.
Can’t deal with reordering,except for SafeJava andChalice.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 25 / 16
![Page 57: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/57.jpg)
Comparing Lock Levels and Lock Capabilities
Fundamental philosophical difference: with lock levels, acquiring a lockrestricts the set of locks the thread may then acquire, while with lockcapabilities, acquiring a lock extends the set of locks the thread may thenacquire.
Lock Capabilities
Are well-suited to fine-grainedlocking and reordering locks
Allow some locking withouttotal orderings
Poorly-suited for lockingunrelated “distant” locks
Lock Levels
Are well-suited to lockingunrelated “distant” locks
Require total ordering on locksheld simultaneously
Poorly suited for fine-grainedlocking, or reordering locks
I Except Chalice, which has avery smart variation
It is possible to integrate the two for a more expressive system.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 26 / 16
![Page 58: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/58.jpg)
Comparing Lock Levels and Lock Capabilities
Fundamental philosophical difference: with lock levels, acquiring a lockrestricts the set of locks the thread may then acquire, while with lockcapabilities, acquiring a lock extends the set of locks the thread may thenacquire.
Lock Capabilities
Are well-suited to fine-grainedlocking and reordering locks
Allow some locking withouttotal orderings
Poorly-suited for lockingunrelated “distant” locks
Lock Levels
Are well-suited to lockingunrelated “distant” locks
Require total ordering on locksheld simultaneously
Poorly suited for fine-grainedlocking, or reordering locks
I Except Chalice, which has avery smart variation
It is possible to integrate the two for a more expressive system.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 26 / 16
![Page 59: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/59.jpg)
Comparing Lock Levels and Lock Capabilities
Fundamental philosophical difference: with lock levels, acquiring a lockrestricts the set of locks the thread may then acquire, while with lockcapabilities, acquiring a lock extends the set of locks the thread may thenacquire.
Lock Capabilities
Are well-suited to fine-grainedlocking and reordering locks
Allow some locking withouttotal orderings
Poorly-suited for lockingunrelated “distant” locks
Lock Levels
Are well-suited to lockingunrelated “distant” locks
Require total ordering on locksheld simultaneously
Poorly suited for fine-grainedlocking, or reordering locks
I Except Chalice, which has avery smart variation
It is possible to integrate the two for a more expressive system.
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 26 / 16
![Page 60: Static Lock Capabilities for Deadlock-Freedom](https://reader033.vdocuments.net/reader033/viewer/2022051715/589aec341a28abe6468bc2ea/html5/thumbnails/60.jpg)
Chalice (Leino & Muller, ESOP’09, ’10)
Combines a clever variant of levelswith fractional permissions:
Uses a dense lattice of levels,not discrete
I For any levels l0, l1, exists l ′
s.t. l0 @ l ′ @ l1
Uses fractional permissions on aghost field µ to reorder
These add great flexibility over otherlock level systems.
class TreeNode {
TreeNode left , right;
// declare full permission
// on left.µ, right.µ }
...
lock (n) {
reorder n.left.µ after n.µ;lock (n.left) {
reorder n.right.µ after n.left.µ;lock (n.right) {...}
} }
Approaches lock capabilities, but
Requires explicit reordering
Full permissions for reorderingloses external references
Fails to exploit that this structuredoesn’t need ordering on children
Colin S. Gordon (University of Washington) Lock Capabilities for Deadlock Freedom TLDI’12 27 / 16