SLIDE 1
Kill-Safe Synchronization Abstractions
Matthew Flatt University of Utah Robert Bruce Findler University of Chicago
1
Sibling Food-Sharing Protocol
2
Kill-Safe Synchronization Abstractions Matthew Flatt Robert Bruce - - PowerPoint PPT Presentation
Kill-Safe Synchronization Abstractions Matthew Flatt Robert Bruce - - PowerPoint PPT Presentation
Kill-Safe Synchronization Abstractions Matthew Flatt Robert Bruce Findler University of Utah University of Chicago 1 Sibling Food-Sharing Protocol 2 Sibling Food-Sharing Protocol 3 Sibling Food-Sharing Protocol 4 Sibling Food-Sharing
SLIDE 2
SLIDE 3
Sibling Food-Sharing Protocol
3
SLIDE 4
Sibling Food-Sharing Protocol
4
SLIDE 5
Sibling Food-Sharing Protocol
5
SLIDE 6
Sibling Food-Sharing Protocol
6
SLIDE 7
Sibling Food-Sharing Protocol
7
SLIDE 8
Sibling Food-Sharing Protocol
- By inspection, the protocol is fair
- No parental supervision required
8
SLIDE 9
Sharing among Processes
9
SLIDE 10
Sharing among Processes
10
SLIDE 11
Sharing among Processes
11
SLIDE 12
Sharing among Processes
12
SLIDE 13
Sharing among Processes
- Queue should be safe and fair
- Should require no kernel supervision
13
SLIDE 14
Sharing in Java
synchronized
14
SLIDE 15
Sharing in Java
synchronized Thread.stop ⇒ synchronized isn't enough
15
SLIDE 16
Sharing in Java
synchronized Thread.stop ⇒ synchronized isn't enough
16
SLIDE 17
Sharing in Java
synchronized ... Thread.stop ⇒ synchronized isn't enough
17
SLIDE 18
Sharing in Java
synchronized ... Thread.stop ⇒ synchronized isn't enough ∴ Java has no Thread.stop
18
SLIDE 19
Why Terminate?
- Execute code in a programming environment (DrScheme)
19
SLIDE 20
Why Terminate?
- Execute code in a programming environment (DrScheme)
- Cancel actions that allocate resources (HTML browser)
20
SLIDE 21
Why Terminate?
- Execute code in a programming environment (DrScheme)
- Cancel actions that allocate resources (HTML browser)
- Stop misbehaving servlets (web server)
21
SLIDE 22
Building Kill-Safe Abstractions
abstraction abstraction thread-safe abstraction thread-safe abstraction kill-safe thread-safe abstraction kill-safe thread-safe abstraction
22
SLIDE 23
Building Kill-Safe Abstractions
abstraction abstraction Programmer effort — but generally understood thread-safe abstraction thread-safe abstraction kill-safe thread-safe abstraction kill-safe thread-safe abstraction
23
SLIDE 24
Building Kill-Safe Abstractions
abstraction abstraction Programmer effort — but generally understood thread-safe abstraction thread-safe abstraction Programmer effort — the subject of this talk kill-safe thread-safe abstraction kill-safe thread-safe abstraction
24
SLIDE 25
Building Kill-Safe Abstractions
abstraction abstraction Start with Concurrent ML [Reppy 88] thread-safe abstraction thread-safe abstraction kill-safe thread-safe abstraction kill-safe thread-safe abstraction
25
SLIDE 26
Building Kill-Safe Abstractions
abstraction abstraction Start with Concurrent ML [Reppy 88] thread-safe abstraction thread-safe abstraction Add MzScheme's custodians and a little more kill-safe thread-safe abstraction kill-safe thread-safe abstraction
26
SLIDE 27
Sharing in Concurrent ML
27
SLIDE 28
Sharing in Concurrent ML
28
SLIDE 29
Sharing in Concurrent ML
29
SLIDE 30
Sharing in Concurrent ML
Abstraction-as-process naturally supports termination
30
SLIDE 31
Sharing in Concurrent ML
Abstraction-as-process naturally supports termination Remaining problem: who controls the abstraction's process?
31
SLIDE 32
Managing Processes and Threads
32
SLIDE 33
Managing Processes and Threads
33
SLIDE 34
Managing Processes and Threads
= custodian = capability to execute
34
SLIDE 35
Managing Processes and Threads
= custodian = capability to execute
35
SLIDE 36
Managing with Custodians
36
SLIDE 37
Managing with Custodians
37
SLIDE 38
Managing with Custodians
38
SLIDE 39
Managing with Custodians
39
SLIDE 40
Managing with Custodians
Queue terminated with servlet
40
SLIDE 41
Thread-Safe Abstractions
A language to support abstractions:
- Concurrent ML primitives for thread communication
- Custodians for process hierarchy
Each abstraction:
- Manager thread for state
41
SLIDE 42
Towards Kill Safety with Custodians
42
SLIDE 43
Towards Kill Safety with Custodians
43
SLIDE 44
Towards Kill Safety with Custodians
Not kill-safe among servlets
44
SLIDE 45
Kill Safety through Joint Custody
45
SLIDE 46
Kill Safety through Joint Custody
46
SLIDE 47
Kill Safety through Joint Custody
47
SLIDE 48
Kill Safety through Joint Custody
48
SLIDE 49
Kill Safety through Joint Custody
Queue runs exactly as long as servlets
49
SLIDE 50
Why a Thread can have Multiple Custodians
50
SLIDE 51
Why a Thread can have Multiple Custodians
51
SLIDE 52
Why a Thread can have Multiple Custodians
52
SLIDE 53
Why a Thread can have Multiple Custodians
53
SLIDE 54
Why a Thread can have Multiple Custodians
54
SLIDE 55
Why a Thread can have Multiple Custodians
Queue is only mostly dead
55
SLIDE 56
Why a Thread can have Multiple Custodians
Queue is only mostly dead
56
SLIDE 57
Why a Thread can have Multiple Custodians
Use queue ⇒ grant custodian
57
SLIDE 58
Kill-Safe Abstractions
A language to support abstractions:
- Concurrent ML primitives for thread communication
- Custodians for process hierarchy
- Operation to grant a thread another custodian
Each abstraction:
- Manager thread for state
- Each action grants custodian to manager thread
58
SLIDE 59
Non-Solution #1 — Atomic Region
= atomic
59
SLIDE 60
Non-Solution #1 — Atomic Region
= atomic Queue might harm
- ther servlets
60
SLIDE 61
Non-Solution #2 — Disjoint Process
61
SLIDE 62
Non-Solution #2 — Disjoint Process
62
SLIDE 63
Non-Solution #2 — Disjoint Process
63
SLIDE 64
Non-Solution #2 — Disjoint Process
Queue runs forever
64
SLIDE 65
Non-Solution #3 — Meta-Servlet
65
SLIDE 66
Non-Solution #3 — Meta-Servlet
Merely moves the “kernel”
66
SLIDE 67
Solution — Joint Custody
67
SLIDE 68
Details (See Paper)
- Custodians granted through thread-resume
- CML's guard-evt a natural place for thread-resume
- Improved nack-guard-evt for two-step protocols
- Kill-safe does not always imply break-safe, nor vice-versa
68
SLIDE 69
A Thread-Safe Queue
(define-struct safe-q (put-ch get-ch)) (define (safe-queue) (define q (queue)) (define get-ch (channel)) (define put-ch (channel)) (define (q-loop) (sync (choice-evt (wrap-evt (channel-send get-ch (peek q)) (lambda () (get q))) (wrap-evt (channel-recv put-ch) (lambda (v) (put q v))))) (q-loop)) (spawn q-loop) (make-safe-q put-ch get-ch)) (define (safe-get sq) (channel-recv (safe-q-get-ch sq))) (define (safe-put sq v) (channel-send (safe-q-put-ch sq) v))
69
SLIDE 70
A Kill-Safe Queue
(define-struct safe-q (manager-t put-ch get-ch)) (define (safe-queue) (define q (queue)) (define get-ch (channel)) (define put-ch (channel)) (define (q-loop) (sync (choice-evt (wrap-evt (channel-send get-ch (peek q)) (lambda () (get q))) (wrap-evt (channel-recv put-ch) (lambda (v) (put q v))))) (q-loop)) (define manager-t (spawn q-loop)) (make-safe-q manager-t put-ch get-ch)) (define (safe-get sq) (resume sq) (channel-recv (safe-q-get-ch sq))) (define (safe-put sq v) (resume sq) (channel-send (safe-q-put-ch sq) v)) (define (resume sq) (thread-resume (safe-q-manager-t sq) (current-thread)))
70