From: Brad Moore <brad.moore@shaw.ca>
Subject: Re: Safety of unprotected concurrent operations on constant objects
Date: Thu, 08 May 2014 06:03:38 -0600
Date: 2014-05-08T06:03:38-06:00 [thread overview]
Message-ID: <toKav.16239$tH.8133@fx31.iad> (raw)
In-Reply-To: <tdEav.19842$gl6.19122@fx11.iad>
On 14-05-07 11:03 PM, Brad Moore wrote:
> On 06/05/2014 1:07 PM, Dmitry A. Kazakov wrote:
>> On Tue, 06 May 2014 12:22:59 -0400, Robert A Duff wrote:
>>
>>> Brad Moore <brad.moore@shaw.ca> writes:
>>>
>>>> However, it might make sense to specify certain primitive
>>>> subprograms of
>>>> a type as being task safe.
>>>
>>> What exactly do you mean by "task safe", either for a type, or for
>>> a subprogram? E.g. if Element is task safe, does that mean calls
>>> to Element are atomic with respect to each other?
>>
>> It means, in my interpretation, that the post-condition of the operation
>> [and the object's invariant] is true for any number of tasks Wi
>> calling the
>> operation independently at any point Ti of real-time.
>
> That's a nice definition. It does cover a broad set of cases including
> pure functions, protected operations, sets of function calls whose
> parameters do not conflict, mutex guarded calls, etc.
>
>
>>
>>> If both Element
>>> and Replace_Element are task safe, does that mean calls to Element
>>> and Replace_Element are atomic; i.e. if one task calls Element,
>>> and another calls Replace_Element, those two calls are serialized?
>>
>> No. It could be atomic in order to ensure the post-condition.
>>
>>> Why primitive subprograms? What about class-wide subprograms
>>> declared in the same package?
>
> As explained in another email, I was worried about non-tagged types.
> eg.
> type T is record ... end record with Task_Safe => True;
> type U is record ... end record with Task_Safe => False;
>
> function Bar (X1 : T; X2 : U) return Integer;
>
> It might be confusing or onerous for the reader to determine if Bar
> is task safe or not, particularly if there is a long list of
> parameters.
>
> I think Class-wide subprograms declared in the same package however
> could probably be lumped in with the primitive functions, and the aspect
> could apply to those as well..
>
>
>>
>> That was my question too. Presumably, primitive operations were
>> considered
>> building blocks for class-wide operations, which, under this assumption,
>> would be safe per design for some, rather, weak [as you pointed below]
>> post-conditions.
>>
>>> Does task safety imply absence of deadlock?
>>
>> Pragmatically, the answer could be no, if more than one object involved.
>> Yes, for single object.
>>
>> Safety of any subset of a set of objects is stronger than safety of
>> individual objects.
>>
>
> It would be nice if it could imply the absence of deadlock, but I think
> that might be too lofty a goal.
>
>>> Suppose we have an atomic increment function (calls to it are
>>> serialized), and Counter is initially 0, and one task does
>>> "X := Incr (Counter);" and another task does "Y := Incr (Counter);".
>>> A third task waits for those two to terminate, and then calls
>>> procedure P, which prints X followed by Y. Is P task safe?
>>
>> See above, that depends on the post-condition of P.
>
> I think non-determinism is a different property that is independent of
> task safety. There is no reason to believe P is incorrect. It may very
> well satisfy it's post-condition. as Dmitry says.
>
>>
>>> I understand task safety in an informal way, but I'm not sure
>>> how to decribe it formally. And if the definition depends on
>>> the intent of the programmer (perhaps expressed in comments),
>>> we can't expect a compiler to check it. ;-)
>>
>> Right. Minimally, the semantics must be stated formally using pre- and
>> post-conditions.
>>
>
> Even without a formal definition of task safety, the compiler could
> check that a task safe subprogram only calls other task safe
> subprograms. (Subprograms that have been explicitly marked by the
> subprogrammer as being task safe). That'd be a good start actually.
>
> But I think it would be better if the compiler could provide more safety.
>
> A task safe call should probably not be a potentially blocking call, I
> think.
>
> A task safe subprogram should also not modify global variables that
> aren't protected, or atomic.
>
> This would add quite a bit of safety, I think but maybe there are other
> restrictions that could be added also.
Actually, I have second thoughts about disallowing calls to entries from
a "task_safe" subprogram. It should be allowed, as the rules about
potentially blocking operations would help prevent calling an entry from
another entry.
But I think the idea could be carried further. Another property of a
subprogram that is important to know is whether it is a blocking call or
not. That is another attribute that would be nice to capture in the
contract. I think it would be useful to have a Blocking aspect that
could be similarly applied to a subprogram specification.
I see it working something like the following;
- A Blocking call is viewed conceptually as being a Task Safe call (as
it should). It is a more specific kind of a task safe call.
- The Blocking aspect may be optionally applied to any subprogram,
whether it is actually blocking or not. If the subprogram is not
blocking, it might mean that the programmer is reserving the right to
make it a blocking call in the future, or that other implementations of
the specification might be blocking.
- If a subprogram directly has task or protected object entry calls,
then it cannot be explicitly specified as having the Task_Safe aspect.
It must instead be specified as having the Blocking aspect.
(Alternatively the subprogram can be left without any aspect
specification. It is only used if the programmer wants to capture these
details in the contract of the subprogram, but then the subprogram is
not Task Safe, i.e. the Task_Safe aspect is false)
- A Task Safe program can only call other Task_Safe subprograms or
Blocking subprograms. If the Task_Safe subprogram calls a Blocking
Subprogram, then it cannot be explicitly specified as having the
Task_Safe aspect. It must instead have the Blocking Aspect specified.
(or no aspect specification, or specified as false meaning that the
subprogram is not Task Safe, i.e. the Task_Safe aspect is false)
-- Examples
function Foo return Integer with Blocking;
function Bar return Integer with Task_Safe;
Bar cannot call Foo, unless the specification is modified to either;
function Bar return Integer with Blocking
or
function Bar return Integer with Task_Safe => False;
(or)
function Bar return Integer;
Regards,
Brad
next prev parent reply other threads:[~2014-05-08 12:03 UTC|newest]
Thread overview: 94+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-02 8:42 Safety of unprotected concurrent operations on constant objects Natasha Kerensikova
2014-05-03 13:43 ` sbelmont700
2014-05-03 20:54 ` Natasha Kerensikova
2014-05-03 21:40 ` Simon Wright
2014-05-04 0:28 ` Jeffrey Carter
2014-05-04 7:46 ` Natasha Kerensikova
2014-05-04 8:06 ` Dmitry A. Kazakov
2014-05-04 15:18 ` sbelmont700
2014-05-04 15:57 ` Natasha Kerensikova
2014-05-04 18:30 ` sbelmont700
2014-05-04 19:34 ` Dmitry A. Kazakov
2014-05-05 19:04 ` Brad Moore
2014-05-05 21:23 ` Brad Moore
2014-05-04 21:44 ` Shark8
2014-05-05 8:39 ` Simon Wright
2014-05-05 15:11 ` Brad Moore
2014-05-05 16:36 ` Dmitry A. Kazakov
2014-05-06 6:00 ` Brad Moore
2014-05-06 8:11 ` Dmitry A. Kazakov
2014-05-06 8:48 ` Alejandro R. Mosteo
2014-05-06 9:49 ` G.B.
2014-05-06 12:19 ` Dmitry A. Kazakov
2014-05-06 12:58 ` G.B.
2014-05-06 15:00 ` Dmitry A. Kazakov
2014-05-06 16:24 ` G.B.
2014-05-06 19:14 ` Dmitry A. Kazakov
2014-05-07 6:49 ` Georg Bauhaus
2014-05-07 7:40 ` Dmitry A. Kazakov
2014-05-07 11:25 ` G.B.
2014-05-07 12:14 ` Dmitry A. Kazakov
2014-05-07 13:45 ` G.B.
2014-05-07 14:08 ` Dmitry A. Kazakov
2014-05-07 17:45 ` Simon Wright
2014-05-07 18:28 ` Georg Bauhaus
2014-05-07 4:59 ` J-P. Rosen
2014-05-07 7:30 ` Dmitry A. Kazakov
2014-05-07 8:26 ` J-P. Rosen
2014-05-07 9:09 ` Dmitry A. Kazakov
2014-05-07 11:29 ` J-P. Rosen
2014-05-07 12:36 ` Safety of unprotected concurrent operations on constant objects (was: Safety of unprotected concurrent operations on constant objects) Dmitry A. Kazakov
2014-05-07 14:04 ` Safety of unprotected concurrent operations on constant objects G.B.
2014-05-08 4:12 ` Brad Moore
2014-05-08 8:20 ` Dmitry A. Kazakov
2014-05-08 10:30 ` G.B.
2014-05-09 13:14 ` Brad Moore
2014-05-09 19:00 ` Dmitry A. Kazakov
2014-05-10 12:30 ` Brad Moore
2014-05-10 20:27 ` Dmitry A. Kazakov
2014-05-11 6:56 ` Brad Moore
2014-05-11 18:01 ` Brad Moore
2014-05-12 8:13 ` Dmitry A. Kazakov
2014-05-13 4:50 ` Brad Moore
2014-05-13 8:56 ` Dmitry A. Kazakov
2014-05-13 15:01 ` Brad Moore
2014-05-13 15:38 ` Brad Moore
2014-05-13 16:46 ` Simon Wright
2014-05-13 19:15 ` Dmitry A. Kazakov
2014-05-13 16:08 ` Dmitry A. Kazakov
2014-05-13 20:27 ` Randy Brukardt
2014-05-14 4:30 ` Shark8
2014-05-14 21:37 ` Randy Brukardt
2014-05-14 21:56 ` Robert A Duff
2014-05-15 1:21 ` Shark8
2014-05-14 14:30 ` Brad Moore
2014-05-15 8:03 ` Dmitry A. Kazakov
2014-05-15 13:21 ` Robert A Duff
2014-05-15 14:27 ` Dmitry A. Kazakov
2014-05-15 15:53 ` Robert A Duff
2014-05-15 16:30 ` Dmitry A. Kazakov
2014-10-26 17:11 ` Jacob Sparre Andersen
2014-05-08 19:52 ` Randy Brukardt
2014-05-06 16:22 ` Robert A Duff
2014-05-06 19:07 ` Dmitry A. Kazakov
2014-05-08 5:03 ` Brad Moore
2014-05-08 12:03 ` Brad Moore [this message]
2014-05-08 19:57 ` Randy Brukardt
2014-05-09 2:58 ` Brad Moore
2014-05-05 20:29 ` Natasha Kerensikova
2014-05-08 3:41 ` Randy Brukardt
2014-05-08 9:07 ` Natasha Kerensikova
2014-05-08 19:35 ` Randy Brukardt
2014-05-08 3:12 ` Randy Brukardt
2014-05-05 22:30 ` Brad Moore
2014-05-04 16:04 ` Peter Chapin
2014-05-04 18:07 ` Natasha Kerensikova
2014-05-04 18:55 ` Jeffrey Carter
2014-05-04 19:36 ` Simon Wright
2014-05-04 20:29 ` Jeffrey Carter
2014-05-05 22:46 ` Brad Moore
2014-05-04 20:25 ` Shark8
2014-05-04 23:33 ` sbelmont700
2014-05-05 7:38 ` Dmitry A. Kazakov
2014-05-08 3:45 ` Randy Brukardt
2014-05-08 3:19 ` Randy Brukardt
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox