From: Brad Moore <brad.moore@shaw.ca>
Subject: Re: Safety of unprotected concurrent operations on constant objects
Date: Sun, 11 May 2014 00:56:18 -0600
Date: 2014-05-11T00:56:18-06:00 [thread overview]
Message-ID: <i9Fbv.9890$pa5.936@fx23.iad> (raw)
In-Reply-To: <10pk27v48vhcb$.1qkf6roq2yzjn$.dlg@40tude.net>
On 10/05/2014 2:27 PM, Dmitry A. Kazakov wrote:
>> If Foo calls Bar, and both Foo and Bar have the Task_Safe aspect, but
>> some time later the maintainer of Bar decides to change its
>> implementation to refer to some global variable or call some other
>> subprogram that doesn't have the Task_Safe aspect, the compiler would
>> force the programmer to remove the Task_Safe aspect from Bar.
>
> But this rule is just wrong. Calling unsafe operation from a safe one will
> be pretty much safe in most cases. The reverse is likely wrong.
This doesn't make sense to me. There should be no such thing as a Safe
operation that calls unsafe ones. Wouldn't that mean that the operation
is unsafe (to use concurrently)?
>
> Compare it with protected actions. It is safe to call an operation which
> itself is not protected from a protected operation on the context of a
> protected action.
But thats only true if the operation is only ever called from within
that same instance of the protected object (Something that could be
difficult to know without the aspect), and that there is only one
instance of that protected type of the protected object. Otherwise its
not safe to call from a protected operation as there could be other
concurrent calls calling the unsafe operation.
The following program illustrates this. If you run the program with a
small value of N (specified on the command line), say 100, then chances
are the program executes correctly to completion. However if you use a
larger value of N (say 1_000_000, the default), then the program fails,
due to the use of global variables. In Test1, the Unsafe function is
called directly from multiple tasks.
In Test2, the same Unsafe function is only called from protected
functions, but it still fails.
.
In both tests, the failures are due to function Unsafe failing its
Postcondition.
If the Task_Safe attribute existed, the compiler could have issued a
warning at compile time that the tasks were calling subprograms that
weren't Task_Safe, and the problems could have been avoided.
with Ada.Text_IO; use Ada.Text_IO;
with Ada.Exceptions; use Ada;
with Ada.Command_Line;
procedure Test_Task_Safety is
-- Defaults to 1_000_000, but can be specified on command line
N : constant Natural := (if Command_Line.Argument_Count >= 1 then
Natural'Value (Command_Line.Argument (1))
else 1_000_000);
Global_Data : Integer := 0;
function Unsafe (X : Natural) return Natural
with Post => Unsafe'Result = X + 1 --,
-- Task_Safe => False
;
function Unsafe (X : Natural) return Natural is
begin
Global_Data := X;
Global_Data := Global_Data + 1;
return Global_Data;
end Unsafe;
begin
New_Line;
Put_Line ("******************************** ");
Put_Line ("**** Test1 : Unsafe calls ***** ");
Put_Line ("******************************** ");
New_Line;
Test1 : declare
task type T1 is
end T1;
task body T1 is
Result : Natural := 0;
begin
for I in 1 .. N loop
Result := Unsafe (Result);
end loop;
Put_Line ("Result =" & Natural'Image (Result));
exception
when E : others =>
Put_Line ("Task_Died" &
Ada.Exceptions.Exception_Information (E));
end T1;
Workers : array (1 .. 10) of T1;
begin
null;
end Test1;
New_Line;
Put_Line ("********************************************************");
Put_Line ("**** Test2 : Unsafe calls from protected objects ***** ");
Put_Line ("********************************************************");
New_Line;
Test2 : declare
protected PO1 is
function Foo (X : Natural) return Natural;
end PO1;
protected PO2 is
function Bar (X : Natural) return Natural;
end PO2;
protected body PO1 is
function Foo (X : Natural) return Natural is
begin
return Unsafe (X);
end Foo;
end PO1;
protected body PO2 is
function Bar (X : Natural) return Natural is
begin
return Unsafe (X);
end Bar;
end PO2;
task type T1 is
end T1;
task body T1 is
Result : Natural := 0;
begin
for I in 1 .. N loop
Result := PO1.Foo (Result);
end loop;
Put_Line ("Result =" & Natural'Image (Result));
exception
when E : others =>
Put_Line ("Task_Died" &
Ada.Exceptions.Exception_Information (E));
end T1;
task type T2 is
end T2;
task body T2 is
Result : Natural := 0;
begin
for I in 1 .. N loop
Result := PO2.Bar (Result);
end loop;
Put_Line ("Result =" & Natural'Image (Result));
exception
when E : others =>
Put_Line ("Task_Died" &
Ada.Exceptions.Exception_Information (E));
end T2;
Foo_Workers : array (1 .. 10) of T1;
Bar_Workers : array (1 .. 10) of T2;
begin
null;
end Test2;
null;
end Test_Task_Safety;
Output:
********************************
**** Test1 : Unsafe calls *****
********************************
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Result = 1000000
********************************************************
**** Test2 : Unsafe calls from protected objects *****
********************************************************
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Task_DiedException name: SYSTEM.ASSERTIONS.ASSERT_FAILURE
Message: failed postcondition from test_task_safety.adb:15
Result = 1000000
Brad
>
> There is no reasonable rules to verify. Safety of an operation is *not*
> related to the safety of called operations, not transitive nor
> antitransitive.
>
next prev parent reply other threads:[~2014-05-11 6:56 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-02 8:42 Safety of unprotected concurrent operations on constant objects Natasha Kerensikova
2014-05-03 13:43 ` sbelmont700
2014-05-03 20:54 ` Natasha Kerensikova
2014-05-03 21:40 ` Simon Wright
2014-05-04 0:28 ` Jeffrey Carter
2014-05-04 7:46 ` Natasha Kerensikova
2014-05-04 8:06 ` Dmitry A. Kazakov
2014-05-04 15:18 ` sbelmont700
2014-05-04 15:57 ` Natasha Kerensikova
2014-05-04 18:30 ` sbelmont700
2014-05-04 19:34 ` Dmitry A. Kazakov
2014-05-05 19:04 ` Brad Moore
2014-05-05 21:23 ` Brad Moore
2014-05-04 21:44 ` Shark8
2014-05-05 8:39 ` Simon Wright
2014-05-05 15:11 ` Brad Moore
2014-05-05 16:36 ` Dmitry A. Kazakov
2014-05-06 6:00 ` Brad Moore
2014-05-06 8:11 ` Dmitry A. Kazakov
2014-05-06 8:48 ` Alejandro R. Mosteo
2014-05-06 9:49 ` G.B.
2014-05-06 12:19 ` Dmitry A. Kazakov
2014-05-06 12:58 ` G.B.
2014-05-06 15:00 ` Dmitry A. Kazakov
2014-05-06 16:24 ` G.B.
2014-05-06 19:14 ` Dmitry A. Kazakov
2014-05-07 6:49 ` Georg Bauhaus
2014-05-07 7:40 ` Dmitry A. Kazakov
2014-05-07 11:25 ` G.B.
2014-05-07 12:14 ` Dmitry A. Kazakov
2014-05-07 13:45 ` G.B.
2014-05-07 14:08 ` Dmitry A. Kazakov
2014-05-07 17:45 ` Simon Wright
2014-05-07 18:28 ` Georg Bauhaus
2014-05-07 4:59 ` J-P. Rosen
2014-05-07 7:30 ` Dmitry A. Kazakov
2014-05-07 8:26 ` J-P. Rosen
2014-05-07 9:09 ` Dmitry A. Kazakov
2014-05-07 11:29 ` J-P. Rosen
2014-05-07 12:36 ` Safety of unprotected concurrent operations on constant objects (was: Safety of unprotected concurrent operations on constant objects) Dmitry A. Kazakov
2014-05-07 14:04 ` Safety of unprotected concurrent operations on constant objects G.B.
2014-05-08 4:12 ` Brad Moore
2014-05-08 8:20 ` Dmitry A. Kazakov
2014-05-08 10:30 ` G.B.
2014-05-09 13:14 ` Brad Moore
2014-05-09 19:00 ` Dmitry A. Kazakov
2014-05-10 12:30 ` Brad Moore
2014-05-10 20:27 ` Dmitry A. Kazakov
2014-05-11 6:56 ` Brad Moore [this message]
2014-05-11 18:01 ` Brad Moore
2014-05-12 8:13 ` Dmitry A. Kazakov
2014-05-13 4:50 ` Brad Moore
2014-05-13 8:56 ` Dmitry A. Kazakov
2014-05-13 15:01 ` Brad Moore
2014-05-13 15:38 ` Brad Moore
2014-05-13 16:46 ` Simon Wright
2014-05-13 19:15 ` Dmitry A. Kazakov
2014-05-13 16:08 ` Dmitry A. Kazakov
2014-05-13 20:27 ` Randy Brukardt
2014-05-14 4:30 ` Shark8
2014-05-14 21:37 ` Randy Brukardt
2014-05-14 21:56 ` Robert A Duff
2014-05-15 1:21 ` Shark8
2014-05-14 14:30 ` Brad Moore
2014-05-15 8:03 ` Dmitry A. Kazakov
2014-05-15 13:21 ` Robert A Duff
2014-05-15 14:27 ` Dmitry A. Kazakov
2014-05-15 15:53 ` Robert A Duff
2014-05-15 16:30 ` Dmitry A. Kazakov
2014-10-26 17:11 ` Jacob Sparre Andersen
2014-05-08 19:52 ` Randy Brukardt
2014-05-06 16:22 ` Robert A Duff
2014-05-06 19:07 ` Dmitry A. Kazakov
2014-05-08 5:03 ` Brad Moore
2014-05-08 12:03 ` Brad Moore
2014-05-08 19:57 ` Randy Brukardt
2014-05-09 2:58 ` Brad Moore
2014-05-05 20:29 ` Natasha Kerensikova
2014-05-08 3:41 ` Randy Brukardt
2014-05-08 9:07 ` Natasha Kerensikova
2014-05-08 19:35 ` Randy Brukardt
2014-05-08 3:12 ` Randy Brukardt
2014-05-05 22:30 ` Brad Moore
2014-05-04 16:04 ` Peter Chapin
2014-05-04 18:07 ` Natasha Kerensikova
2014-05-04 18:55 ` Jeffrey Carter
2014-05-04 19:36 ` Simon Wright
2014-05-04 20:29 ` Jeffrey Carter
2014-05-05 22:46 ` Brad Moore
2014-05-04 20:25 ` Shark8
2014-05-04 23:33 ` sbelmont700
2014-05-05 7:38 ` Dmitry A. Kazakov
2014-05-08 3:45 ` Randy Brukardt
2014-05-08 3:19 ` Randy Brukardt
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox