From: Brad Moore <brad.moore@shaw.ca>
Subject: Re: Safety of unprotected concurrent operations on constant objects
Date: Tue, 06 May 2014 00:00:40 -0600
Date: 2014-05-06T00:00:40-06:00 [thread overview]
Message-ID: <eT_9v.574$dr.264@fx27.iad> (raw)
In-Reply-To: <t7a0jcl05g1h.11jb75b2jg1l7.dlg@40tude.net>
On 05/05/2014 10:36 AM, Dmitry A. Kazakov wrote:
> On Mon, 05 May 2014 09:11:05 -0600, Brad Moore wrote:
>
>> Eg. For Ada.Containers.Vectors...
>>
>> type Vector is tagged private
>> with
>> Constant_Indexing => Constant_Reference,
>> Variable_Indexing => Reference,
>> Default_Iterator => Iterate,
>> Iterator_Element => Element_Type,
>> Task_Safe => False;
>>
>> Then programmers could apply the aspect to their own abstractions, which
>> better defines the contract of the subprogram or type.
>
> Task safety is not a type property. Even for a tagged type an unsafe
> operation can be defined later on. For non-tagged types it is even less
> clear which operations must be safe and which not.
>
> Furthermore, task-safety cannot be inherited or composed. At least not
> without massive overhead to prevent deadlocking when two safe types meet as
> mutable parameters of a safe subprogram.
I agree that such a property is not likely inheritable or composable,
and I don't think we'd want it to be. I think conceivably it could
apply to a type, however. It may be that such an aspect could only be
applicable to tagged types, and only would apply to the primitive
subprograms of that type. The aspect, if true would become false for any
derivations of that type, unless those derived types also explicitly set
the aspect to True.
If such an aspect were explicitly specified as false for the standard
containers, for instance, it would pretty much describe
the state of affairs today that have been mentioned in this thread,
but hopefully more obvious to the user. That is, you really cant count
on any of the subprograms in the containers as being task safe, even
though some of them may be in a given implementation.
However, it might make sense to specify certain primitive subprograms of
a type as being task safe. For instance, the Element subprogram of the
Ada.Containers.Vectors is task safe in the current GNAT implementation.
If that subprogram were to have the aspect specified as True in some
future version of Ada, then users of that container would at least know
that particular call is guaranteed to be task safe by its contract. This
should be fairly straight forward for similar calls that do not modify
the container or the elements of the container.
It gets trickier for subprograms that do modify the object, such as the
Replace_Element subprogram of Ada.Containers.Vectors. That call is
currently task safe in GNAT, so long as two tasks do not attempt to
replace the same element.The usage of the container object in that call
itself is task safe, as it does not modify state global to the container
object, but the elements contained in the container are not task safe.
So if we wanted to specify concurrent usage for such a subprogram, maybe
you'd need two aspects; Task_Safe, and Task_Safe_Components.
procedure Replace_Element
(Container : in out Vector;
Index : Index_Type;
New_Item : Element_Type)
with Task_Safe=>True,
Task_Safe_Components => False;
>
> And, just how this contract is supposed to be verified?
>
I see it more as a contract or promise made by the implementer to the
users of that subprogram that concurrent calls to the subprogram will
work. In other words, the implementer has designed the call to be task
safe, using whatever means, and has committed to keep the call task safe
in the future, by having that property associated with the subprogram
specification.
At this point, I have doubts that the compiler could 100% guarantee that
a subprogram call is task safe, but there are likely rules and
restrictions that could be applied that would allow the compiler to
catch many problems.
In particular, the aspect could restrict the associated subprogram to
disallow:
(1) Calls on other non-protected subprograms that are not Pure or
Task_Safe;
(2) Dependence on global variables that are neither atomic nor task nor
protected.
These would be static checks that could be applied at compile time.
next prev parent reply other threads:[~2014-05-06 6:00 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-02 8:42 Safety of unprotected concurrent operations on constant objects Natasha Kerensikova
2014-05-03 13:43 ` sbelmont700
2014-05-03 20:54 ` Natasha Kerensikova
2014-05-03 21:40 ` Simon Wright
2014-05-04 0:28 ` Jeffrey Carter
2014-05-04 7:46 ` Natasha Kerensikova
2014-05-04 8:06 ` Dmitry A. Kazakov
2014-05-04 15:18 ` sbelmont700
2014-05-04 15:57 ` Natasha Kerensikova
2014-05-04 18:30 ` sbelmont700
2014-05-04 19:34 ` Dmitry A. Kazakov
2014-05-05 19:04 ` Brad Moore
2014-05-05 21:23 ` Brad Moore
2014-05-04 21:44 ` Shark8
2014-05-05 8:39 ` Simon Wright
2014-05-05 15:11 ` Brad Moore
2014-05-05 16:36 ` Dmitry A. Kazakov
2014-05-06 6:00 ` Brad Moore [this message]
2014-05-06 8:11 ` Dmitry A. Kazakov
2014-05-06 8:48 ` Alejandro R. Mosteo
2014-05-06 9:49 ` G.B.
2014-05-06 12:19 ` Dmitry A. Kazakov
2014-05-06 12:58 ` G.B.
2014-05-06 15:00 ` Dmitry A. Kazakov
2014-05-06 16:24 ` G.B.
2014-05-06 19:14 ` Dmitry A. Kazakov
2014-05-07 6:49 ` Georg Bauhaus
2014-05-07 7:40 ` Dmitry A. Kazakov
2014-05-07 11:25 ` G.B.
2014-05-07 12:14 ` Dmitry A. Kazakov
2014-05-07 13:45 ` G.B.
2014-05-07 14:08 ` Dmitry A. Kazakov
2014-05-07 17:45 ` Simon Wright
2014-05-07 18:28 ` Georg Bauhaus
2014-05-07 4:59 ` J-P. Rosen
2014-05-07 7:30 ` Dmitry A. Kazakov
2014-05-07 8:26 ` J-P. Rosen
2014-05-07 9:09 ` Dmitry A. Kazakov
2014-05-07 11:29 ` J-P. Rosen
2014-05-07 12:36 ` Safety of unprotected concurrent operations on constant objects (was: Safety of unprotected concurrent operations on constant objects) Dmitry A. Kazakov
2014-05-07 14:04 ` Safety of unprotected concurrent operations on constant objects G.B.
2014-05-08 4:12 ` Brad Moore
2014-05-08 8:20 ` Dmitry A. Kazakov
2014-05-08 10:30 ` G.B.
2014-05-09 13:14 ` Brad Moore
2014-05-09 19:00 ` Dmitry A. Kazakov
2014-05-10 12:30 ` Brad Moore
2014-05-10 20:27 ` Dmitry A. Kazakov
2014-05-11 6:56 ` Brad Moore
2014-05-11 18:01 ` Brad Moore
2014-05-12 8:13 ` Dmitry A. Kazakov
2014-05-13 4:50 ` Brad Moore
2014-05-13 8:56 ` Dmitry A. Kazakov
2014-05-13 15:01 ` Brad Moore
2014-05-13 15:38 ` Brad Moore
2014-05-13 16:46 ` Simon Wright
2014-05-13 19:15 ` Dmitry A. Kazakov
2014-05-13 16:08 ` Dmitry A. Kazakov
2014-05-13 20:27 ` Randy Brukardt
2014-05-14 4:30 ` Shark8
2014-05-14 21:37 ` Randy Brukardt
2014-05-14 21:56 ` Robert A Duff
2014-05-15 1:21 ` Shark8
2014-05-14 14:30 ` Brad Moore
2014-05-15 8:03 ` Dmitry A. Kazakov
2014-05-15 13:21 ` Robert A Duff
2014-05-15 14:27 ` Dmitry A. Kazakov
2014-05-15 15:53 ` Robert A Duff
2014-05-15 16:30 ` Dmitry A. Kazakov
2014-10-26 17:11 ` Jacob Sparre Andersen
2014-05-08 19:52 ` Randy Brukardt
2014-05-06 16:22 ` Robert A Duff
2014-05-06 19:07 ` Dmitry A. Kazakov
2014-05-08 5:03 ` Brad Moore
2014-05-08 12:03 ` Brad Moore
2014-05-08 19:57 ` Randy Brukardt
2014-05-09 2:58 ` Brad Moore
2014-05-05 20:29 ` Natasha Kerensikova
2014-05-08 3:41 ` Randy Brukardt
2014-05-08 9:07 ` Natasha Kerensikova
2014-05-08 19:35 ` Randy Brukardt
2014-05-08 3:12 ` Randy Brukardt
2014-05-05 22:30 ` Brad Moore
2014-05-04 16:04 ` Peter Chapin
2014-05-04 18:07 ` Natasha Kerensikova
2014-05-04 18:55 ` Jeffrey Carter
2014-05-04 19:36 ` Simon Wright
2014-05-04 20:29 ` Jeffrey Carter
2014-05-05 22:46 ` Brad Moore
2014-05-04 20:25 ` Shark8
2014-05-04 23:33 ` sbelmont700
2014-05-05 7:38 ` Dmitry A. Kazakov
2014-05-08 3:45 ` Randy Brukardt
2014-05-08 3:19 ` Randy Brukardt
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox