SLIDE 1
Chair of Software Engineering
Two topics
- 1. Concurrent Programming Is Easy
- 2. Developments at the Chair of Software Engineering:
an overview
2
Concurrent Programming Is Easy Bertrand Meyer ETH Zurich & - - PowerPoint PPT Presentation
Concurrent Programming Is Easy Bertrand Meyer ETH Zurich & - - PowerPoint PPT Presentation
Chair of Software Engineering Concurrent Programming Is Easy Bertrand Meyer ETH Zurich & Eiffel Software Future Of Software Engineering ETH Zurich Symposium, November 2010 Two topics 1. Concurrent Programming Is Easy 2. Developments at
SLIDE 2
SLIDE 3
3
Moore‘s Law
Clock speed flattening sharply Transistor count still rising
Source: Intel
SLIDE 4
Concurrency
Multicore, Internet, high-performance computing…
4
Multi-core processing is taking the industry on a fast-moving and exciting ride into profoundly new territory. The defining paradigm in computing performance has shifted inexorably from raw clock speed to parallel operations and energy efficiency. (Intel) Multicore processors represent
- ne of the largest technology
transitions in the computing industry today, with deep implications for how we develop
- software. (Rick Rashid)
Multicore: This is the
- ne which will have the
biggest impact on us. We have never had a problem to solve like
- this. A breakthrough is
- needed. (Bill Gates)
Faster Chips Are Leaving Programmers in Their Dust (John Markoff, NY Times, 2007)
SLIDE 5
5
Concurrent programming is supposed to be hard…
SLIDE 6
The chasm
Qsort = last → end → Qsort □ in?x → ((INx // up:Qsort) //down:Qsort) Inx
= in?y → ((up.in!y → INx ) <y > x> (down.in!y → INx ))
□ last → up.last → down.last → OUTAx OUTAx = up.out?y → out!y → OUTAx □ up.end → out!x → OUTB OUTB = down.out?y → out!y → OUTB □ down.end → end → X X = last → end → X □ in?x → INx
6
| |
CSP, Source: A.W. Roscoe
SLIDE 7
7
The chasm
SLIDE 8
8
Wrong assumptions
“Objects are naturally concurrent ” (Milner)
- Many attempts, often based on “Active objects”
(a self-contradictory notion)
- Lead to artificial issue of “Inheritance anomaly”
“Concurrency is the basic scheme, sequential programming a special case ” (many)
- Correct in principle, but in practice we understand
sequential best
SLIDE 9
Active objects can be programmed
deferred class PROCESS feature live do from setup until over loop step end tear_down end
- ver: BOOLEAN deferred end
setup deferred end step do end tear_down deferred end end
9
SLIDE 10
10
SCOOP mechanism
Simple Concurrent Object-Oriented Programming CACM (1993) & Object-Oriented Software Construction, 1997 Prototype implementation at ETH (since 2007); production version at Eiffel Software, released in steps starting November 2010 Most up-to-date descriptions:
- Piotr Nienaltowski’s 2007 ETH PhD dissertation, see
http://se.ethz.ch/people/nienaltowski/papers/thesis.pdf
- Benjamin Morandi, Sebastian S. Bauer and Bertrand Meyer SCOOP - A
contract-based concurrent object-oriented programming model, in Proc.
- f LASER summer school on Software Engineering 2007/2008, ed. P.
Müller, LNCS 6029, Springer-Verlag, July 2010, pages 41-90, see http://se.ethz.ch/~meyer/publications/concurrency/scoop_laser.pdf
Piotr Nienaltowski, Benjamin Morandi, Sebastian Nanz, Scott West, Volkan Arslan (Eiffel Software: Emmanuel Stapf, Alexander Kogtenkov, Ian King)
SLIDE 11
What we write in sequential code
transfer (source, target: separate ACCOUNT; value: INTEGER) require source.balance >= value do source.withdraw (value) target.deposit (value) ensure source.balance = old source.balance - value target.balance = old target.balance + value end invariant balance >= 0
11
SLIDE 12
A better version
transfer (source, target: separate ACCOUNT; value: INTEGER) require source.balance >= value do source.withdraw (value) target.deposit (value) ensure source.balance = old source.balance - value target.balance = old target.balance + value end … invariant balance >= 0
12
SLIDE 13
Make this concurrent!
transfer (source, target: separate ACCOUNT; value: INTEGER) require source.balance >= value do source.withdraw (value) target.deposit (value) ensure source.balance = old source.balance - value target.balance = old target.balance + value end … invariant balance >= 0
13
SLIDE 14
14
Dining philosophers
SLIDE 15
15
Dining philosophers in SCOOP
class PHILOSOPHER inherit PROCESS rename setup as getup redefine step end feature {BUTLER} step do think ; eat (left, right) end eat (l, r : separate FORK)
- - Eat, having grabbed l and r.
do … end end
SLIDE 16
16
put (b : [G ] ; v : G )
- - Store v into b.
require not b.is_full do … ensure not b.is_empty b.item = v end QUEUE BUFFER my_queue : [T ] … if not my_queue.is_full then put (my_queue, t ) end BUFFER QUEUE
put item, remove
SLIDE 17
17
Reasoning about objects: sequential
{INV and Prer } bodyr {INV and Postr } ___________________________________ {Prer’ } x.r (a) {Postr’ }
Priming represents actual-formal argument substitution
Only n proofs if n exported routines!
SLIDE 18
18
In a concurrent context
Only n proofs if n exported routines? {INV and Prer } bodyr {INV and Postr } ___________________________________ {Prer’} x.r (a) {Postr’}
Client 1 r1 Client 2 r2 Client 3 r3
No overlapping!
SLIDE 19
19
SCOOP rules
- One processor per object: “handler”
- At most one feature (operation) active on an object at
any time
SLIDE 20
20
Object-oriented computation
To perform a computation is
- To apply certain actions
- To certain objects
- Using certain processors
Processor Actions Objects
SLIDE 21
21
What makes an application concurrent?
Processor: Thread of control supporting sequential execution of instructions on one or more objects Can be implemented as:
- Computer CPU
- Process
- Thread
- …
Processor Actions Objects
SLIDE 22
22
Feature call: sequential
x.r (a)
Processor
Client Supplier
previous
x.r (a)
next r (x : A) do … end
SLIDE 23
23
Feature call: asynchronous
Client Supplier
previous
x.r (a)
next r (x : A) do … end
Client’s handler Supplier’s handler
SLIDE 24
24
The fundamental difference
To wait or not to wait:
- If same processor, synchronous
- If different processor, asynchronous
Difference must be captured by syntax:
- x: T
- x: separate T -- Potentially different processor
Fundamental semantic rule: x.r (a) waits for non- separate x, doesn’t wait for separate x.
SLIDE 25 The image cannot be displayed. Your computer may not have enough memory to open the image, or the image may have been corrupted. Restart your computer, and then open the file again. If the red x still appears, you may have to delete the image and then insert it again.
25
put (b : [G ] ; v : G )
- - Store v into b.
require not b.is_full do … ensure not b.is_empty b.item = v end QUEUE BUFFER my_queue : [T ] … if not my_queue.is_full then put (my_queue, t ) end BUFFER QUEUE
put item, remove
SLIDE 26
26
Synchronization rule A call with separate arguments waits until:
- The corresponding objects are all available
- Preconditions hold
It will hold the arguments for the duration of the routine’s execution
“Separate call”: x.f (a) -- where a is separate
SLIDE 27
27
Dining philosophers
class PHILOSOPHER inherit PROCESS rename setup as getup redefine step end feature {BUTLER} step do think ; eat (left, right) end eat (l, r : separate FORK)
- - Eat, having grabbed l and r.
do … end end
SLIDE 28
Bank transfer
transfer (source, target: separate ACCOUNT; value: INTEGER) require source.balance >= value do source.withdraw (value) target.deposit (value) ensure source.balance = old source.balance - value target.balance = old target.balance + value end … invariant balance >= 0
28
SLIDE 29
29
Resynchronization
No explicit mechanism needed for client to resynchronize with supplier after separate call. The client will wait only when it needs to:
x.f
x.g (a) y.f … value := x.some_query
Wait here!
Denis Caromel (Nice)
SLIDE 30
Refined proof rule (partial correctness)
{INV ∧ Prer (x)} bodyr {INV ∧ Postr (x)}
{Prer (a cont)} x.r (a) {Postr (a cont)}
Hoare-style sequential reasoning Controlled expressions are locked by current processor
Piotr Nienaltowski
SLIDE 31
31
Elevator example architecture
For maximal concurrency, all objects are separate
Inheritance Client
SLIDE 32
Two topics
- 1. Concurrent Programming Is Easy
- 2. Developments at the Chair of Software Engineering:
an overview
32
SLIDE 33
Funding
ETH Swiss National Science Foundation Hasler Stiftung Gebert-Ruf Stiftung
33
SLIDE 34
Verification As a Matter of Course Arbiter
Programmer
Suggestions
Auto. prover Sep. prover AutoFix AutoTest
Test case generation
EVE
Suggestions
Test execution
Test results
Inter. prover
Invariant inference Alias analysis
SLIDE 35
Unifying framework: Eiffel
Method and language Language is ECMA- and ISO-standardized Full object-oriented model Built-in contracts Void safety (no null pointer dereferencing) Extensive development environment (EiffelStudio)
35
SLIDE 36
Push-button testing: AutoTest
Now part of EiffelStudio
- Test generation:
- Fully automatic generation of test cases
- Oracles are contracts
- Integration with regression testing
- Found hundreds of bugs in libraries & apps
- Test extraction: generate tests from failures
- Manual testing (à la Junit)
36
I.Ciupa, A. Leitner, M. Oriol,
- A. Pretschner, E. Stapf, Yi Wei…
SLIDE 37
Faults found per second
37
fc (t) Time Faults
SLIDE 38
Proofs
Built-in proof tools, built on Microsoft’s Boogie Separation logic prover (Stephan van Staden, Cristiano Calcagno)
38
Martin Nordio, Carlo Furia, Julian Tschannen, Nadia Polikarpova, Bernd Schoeller, …
SLIDE 39
Full specifications: MML
class STACK [G] feature {SPECIFICATION} feature push (x: G) require not full do … ensure top = old x count= old count + 1 end … end
39
Nadia Polikarpova, Bernd Schoeller, Tobias Widmer
model: MML_SEQUENCE model = old model + [x] Sequence concatenation
SLIDE 40
Invariant generation
Static and dynamic approaches
- Statically: postcondition weakening
- Dynamically: learn from test runs, in connection with
AutoTest (and using Michael Ernst’s Daikon)
40
Carlo Furia, Yi Wei
SLIDE 41
Invariant generation on standard examples
Carlo Furia
SLIDE 42
Alias calculus
Goal: provide automatic detection of possible aliasing, allowing sound proofs of programs involving pointers
42
SLIDE 43
Alias calculus
43
SLIDE 44
Automatic fix suggestion
AutoFix: use data mining techniques and contracts to propose corrections after detecting a failure
44
Yi Wei, Yu Pei (& Andreas Leitner) Andreas Zeller, Valentin Dallmeier (Sarrebruck)
SLIDE 45
45
Verification As a Matter of Course Arbiter
Programmer
Suggestions
Auto. prover Sep. prover AutoFix AutoTest
Test case generation
EVE
Suggestions
Test execution
Test results
Inter. prover
Invariant inference Alias analysis
SLIDE 46
46
Concurrency
Further developments of the SCOOP model
- Theory (structured operational semantics)
- Deadlock prevention and detection
- Robotics applications (Ganesh Ramanathan)
Piotr Nienaltowski, Benjamin Morandi, Sebastian Nanz, Scott West, Volkan Arslan… (Eiffel Software: Emmanuel Stapf, Alexander Kogtenkov, Ian King)
SLIDE 47
47
An application: hexapod robot
Centralised control Distributed control Balance sensing Load sensing
Ganesh Ramanathan, Sebastian Nanz, Benjamin Morandi, Scott West
SLIDE 48
48
The Tripod gait
Alternating protraction and retraction of tripod pairs
- Begin protraction only if partner legs are down
- Depress legs only if partner legs have retracted
- Begin retraction when partner legs are up
SLIDE 49
49
Education research
Introductory programming: “Inverted Curriculum” (outside-in approach), since 2003 Distributed Software Engineering: DOSE course (Distributed and Outsourced Software Engineering) Distributed student project (ETH, U. Zurich, Politecnico di Milano, Ukraine, Russia, Hungary, Argentina, Korea, Vietnam, …)
Michela Pedroni, Karine Arnout, Manuel Oriol & many students
SLIDE 50
50
Distributed software development
CloudStudio: software development on the cloud Sought: a new approach to configuration management
Martin Nordio
SLIDE 51
51