From: Brad Moore <brad.moore@shaw.ca>
Subject: Re: Safety of unprotected concurrent operations on constant objects
Date: Wed, 07 May 2014 23:03:21 -0600
Date: 2014-05-07T23:03:21-06:00 [thread overview]
Message-ID: <tdEav.19842$gl6.19122@fx11.iad> (raw)
In-Reply-To: <6ve3i79bog3t.uojmmyur7v75.dlg@40tude.net>
On 06/05/2014 1:07 PM, Dmitry A. Kazakov wrote:
> On Tue, 06 May 2014 12:22:59 -0400, Robert A Duff wrote:
>
>> Brad Moore <brad.moore@shaw.ca> writes:
>>
>>> However, it might make sense to specify certain primitive subprograms of
>>> a type as being task safe.
>>
>> What exactly do you mean by "task safe", either for a type, or for
>> a subprogram? E.g. if Element is task safe, does that mean calls
>> to Element are atomic with respect to each other?
>
> It means, in my interpretation, that the post-condition of the operation
> [and the object's invariant] is true for any number of tasks Wi calling the
> operation independently at any point Ti of real-time.
That's a nice definition. It does cover a broad set of cases including
pure functions, protected operations, sets of function calls whose
parameters do not conflict, mutex guarded calls, etc.
>
>> If both Element
>> and Replace_Element are task safe, does that mean calls to Element
>> and Replace_Element are atomic; i.e. if one task calls Element,
>> and another calls Replace_Element, those two calls are serialized?
>
> No. It could be atomic in order to ensure the post-condition.
>
>> Why primitive subprograms? What about class-wide subprograms
>> declared in the same package?
As explained in another email, I was worried about non-tagged types.
eg.
type T is record ... end record with Task_Safe => True;
type U is record ... end record with Task_Safe => False;
function Bar (X1 : T; X2 : U) return Integer;
It might be confusing or onerous for the reader to determine if Bar
is task safe or not, particularly if there is a long list of
parameters.
I think Class-wide subprograms declared in the same package however
could probably be lumped in with the primitive functions, and the aspect
could apply to those as well..
>
> That was my question too. Presumably, primitive operations were considered
> building blocks for class-wide operations, which, under this assumption,
> would be safe per design for some, rather, weak [as you pointed below]
> post-conditions.
>
>> Does task safety imply absence of deadlock?
>
> Pragmatically, the answer could be no, if more than one object involved.
> Yes, for single object.
>
> Safety of any subset of a set of objects is stronger than safety of
> individual objects.
>
It would be nice if it could imply the absence of deadlock, but I think
that might be too lofty a goal.
>> Suppose we have an atomic increment function (calls to it are
>> serialized), and Counter is initially 0, and one task does
>> "X := Incr (Counter);" and another task does "Y := Incr (Counter);".
>> A third task waits for those two to terminate, and then calls
>> procedure P, which prints X followed by Y. Is P task safe?
>
> See above, that depends on the post-condition of P.
I think non-determinism is a different property that is independent of
task safety. There is no reason to believe P is incorrect. It may very
well satisfy it's post-condition. as Dmitry says.
>
>> I understand task safety in an informal way, but I'm not sure
>> how to decribe it formally. And if the definition depends on
>> the intent of the programmer (perhaps expressed in comments),
>> we can't expect a compiler to check it. ;-)
>
> Right. Minimally, the semantics must be stated formally using pre- and
> post-conditions.
>
Even without a formal definition of task safety, the compiler could
check that a task safe subprogram only calls other task safe
subprograms. (Subprograms that have been explicitly marked by the
subprogrammer as being task safe). That'd be a good start actually.
But I think it would be better if the compiler could provide more safety.
A task safe call should probably not be a potentially blocking call, I
think.
A task safe subprogram should also not modify global variables that
aren't protected, or atomic.
This would add quite a bit of safety, I think but maybe there are other
restrictions that could be added also.
next prev parent reply other threads:[~2014-05-08 5:03 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-02 8:42 Safety of unprotected concurrent operations on constant objects Natasha Kerensikova
2014-05-03 13:43 ` sbelmont700
2014-05-03 20:54 ` Natasha Kerensikova
2014-05-03 21:40 ` Simon Wright
2014-05-04 0:28 ` Jeffrey Carter
2014-05-04 7:46 ` Natasha Kerensikova
2014-05-04 8:06 ` Dmitry A. Kazakov
2014-05-04 15:18 ` sbelmont700
2014-05-04 15:57 ` Natasha Kerensikova
2014-05-04 18:30 ` sbelmont700
2014-05-04 19:34 ` Dmitry A. Kazakov
2014-05-05 19:04 ` Brad Moore
2014-05-05 21:23 ` Brad Moore
2014-05-04 21:44 ` Shark8
2014-05-05 8:39 ` Simon Wright
2014-05-05 15:11 ` Brad Moore
2014-05-05 16:36 ` Dmitry A. Kazakov
2014-05-06 6:00 ` Brad Moore
2014-05-06 8:11 ` Dmitry A. Kazakov
2014-05-06 8:48 ` Alejandro R. Mosteo
2014-05-06 9:49 ` G.B.
2014-05-06 12:19 ` Dmitry A. Kazakov
2014-05-06 12:58 ` G.B.
2014-05-06 15:00 ` Dmitry A. Kazakov
2014-05-06 16:24 ` G.B.
2014-05-06 19:14 ` Dmitry A. Kazakov
2014-05-07 6:49 ` Georg Bauhaus
2014-05-07 7:40 ` Dmitry A. Kazakov
2014-05-07 11:25 ` G.B.
2014-05-07 12:14 ` Dmitry A. Kazakov
2014-05-07 13:45 ` G.B.
2014-05-07 14:08 ` Dmitry A. Kazakov
2014-05-07 17:45 ` Simon Wright
2014-05-07 18:28 ` Georg Bauhaus
2014-05-07 4:59 ` J-P. Rosen
2014-05-07 7:30 ` Dmitry A. Kazakov
2014-05-07 8:26 ` J-P. Rosen
2014-05-07 9:09 ` Dmitry A. Kazakov
2014-05-07 11:29 ` J-P. Rosen
2014-05-07 12:36 ` Safety of unprotected concurrent operations on constant objects (was: Safety of unprotected concurrent operations on constant objects) Dmitry A. Kazakov
2014-05-07 14:04 ` Safety of unprotected concurrent operations on constant objects G.B.
2014-05-08 4:12 ` Brad Moore
2014-05-08 8:20 ` Dmitry A. Kazakov
2014-05-08 10:30 ` G.B.
2014-05-09 13:14 ` Brad Moore
2014-05-09 19:00 ` Dmitry A. Kazakov
2014-05-10 12:30 ` Brad Moore
2014-05-10 20:27 ` Dmitry A. Kazakov
2014-05-11 6:56 ` Brad Moore
2014-05-11 18:01 ` Brad Moore
2014-05-12 8:13 ` Dmitry A. Kazakov
2014-05-13 4:50 ` Brad Moore
2014-05-13 8:56 ` Dmitry A. Kazakov
2014-05-13 15:01 ` Brad Moore
2014-05-13 15:38 ` Brad Moore
2014-05-13 16:46 ` Simon Wright
2014-05-13 19:15 ` Dmitry A. Kazakov
2014-05-13 16:08 ` Dmitry A. Kazakov
2014-05-13 20:27 ` Randy Brukardt
2014-05-14 4:30 ` Shark8
2014-05-14 21:37 ` Randy Brukardt
2014-05-14 21:56 ` Robert A Duff
2014-05-15 1:21 ` Shark8
2014-05-14 14:30 ` Brad Moore
2014-05-15 8:03 ` Dmitry A. Kazakov
2014-05-15 13:21 ` Robert A Duff
2014-05-15 14:27 ` Dmitry A. Kazakov
2014-05-15 15:53 ` Robert A Duff
2014-05-15 16:30 ` Dmitry A. Kazakov
2014-10-26 17:11 ` Jacob Sparre Andersen
2014-05-08 19:52 ` Randy Brukardt
2014-05-06 16:22 ` Robert A Duff
2014-05-06 19:07 ` Dmitry A. Kazakov
2014-05-08 5:03 ` Brad Moore [this message]
2014-05-08 12:03 ` Brad Moore
2014-05-08 19:57 ` Randy Brukardt
2014-05-09 2:58 ` Brad Moore
2014-05-05 20:29 ` Natasha Kerensikova
2014-05-08 3:41 ` Randy Brukardt
2014-05-08 9:07 ` Natasha Kerensikova
2014-05-08 19:35 ` Randy Brukardt
2014-05-08 3:12 ` Randy Brukardt
2014-05-05 22:30 ` Brad Moore
2014-05-04 16:04 ` Peter Chapin
2014-05-04 18:07 ` Natasha Kerensikova
2014-05-04 18:55 ` Jeffrey Carter
2014-05-04 19:36 ` Simon Wright
2014-05-04 20:29 ` Jeffrey Carter
2014-05-05 22:46 ` Brad Moore
2014-05-04 20:25 ` Shark8
2014-05-04 23:33 ` sbelmont700
2014-05-05 7:38 ` Dmitry A. Kazakov
2014-05-08 3:45 ` Randy Brukardt
2014-05-08 3:19 ` Randy Brukardt
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox