ATOT - Lecture 26, 30 June 2003
1
Chair of Software Engineering
Advanced Topics in Object Technology
Bertrand Meyer
Lecture 26: Concurrent O-O principles
Design by Contract

class BOUNDED_QUEUE [G]
feature
    put (x: G) is
            -- Add x to queue.
        require
            not is_full
        do
            …
        ensure
            not is_empty
        end

    remove: G is
            -- Delete oldest element from queue.
        require
            not is_empty
        do
            …
        ensure
            not is_full
        end
The contract model (cont’d)

invariant
    maxcount = capacity - 1
    0 <= oldest
    oldest <= capacity
    0 <= next
    next <= capacity
    abs (next - oldest) < capacity
end

[Figure: the queue’s storage array, with positions 1, oldest, next, maxcount and capacity marked.]
The contract of a feature

                Obligations                                 Benefits

Client          (Satisfy precondition:)                     (From postcondition:)
                Make sure queue is not full.                Get a queue that is not empty,
                                                            with x added.

Supplier        (Satisfy postcondition:)                    (From precondition:)
                Insert x, making sure queue                 Simpler processing thanks to the
                is not empty.                               assumption that queue is not full.
The correctness of a class

(1-n) For every exported routine r:

    {INV and pre_r} do_r {INV and post_r}

(1-m) For every creation procedure cp:

    {pre_cp} do_cp {post_cp and INV}

[Figure: object life cycle. create a.make (…) leads to state S1; the calls a.f (…), a.g (…), a.f (…) lead to states S2, S3, S4. The invariant must hold in each of S1 to S4, i.e. between routine calls.]
Express messages?

An express message is a message that must be treated right away, interrupting any current routine call. But then how do we preserve the consistency of objects (their invariants)?

The model will support a restricted form of express messages, which does not conflict with provability:
- The unit of granularity for mutual exclusion remains the routine call.
- But a call can be interrupted, causing an exception in the interrupted routine.
Provability

Proof rule for routines:

    {INV ∧ p} Body (r) {INV ∧ q}        for all p ∈ Pre (r), q ∈ Post (r)
    ------------------------------------
    {p'} Call (r) {q'}                  for all p ∈ Pre (r), q ∈ Post (r)

Here Pre (r) and Post (r) are the sets of clauses of r’s precondition and postcondition, and p' and q' are p and q with the actual arguments of the call substituted for the formals.

In other words: to prove the validity of all calls, it suffices to prove (once!) the correctness of the body.
What becomes of the contract model?

    q: BOUNDED_QUEUE [X]
    a: X
    ...
    if not q.is_full then
        q.put (a)
    end

Or:

    q.remove
    q.put (x)

But: this does not work for separate threads of control!

What do preconditions now mean?
Reserving an object

    q: separate BOUNDED_QUEUE [X]
    a: X
    ...
    a := q.item
    ... Other instructions (not calling remove) ...
    q.remove

How do we guarantee that item and remove apply to the same buffer element?

Proposed answer: just use encapsulation. Argument passing serves as reservation. If the object is busy (its processor not available), the client blocks; the processor will service another object if possible.
Reserving an object (cont’d)

class BUFFER_ACCESS [G]
feature
    put (q: separate BOUNDED_QUEUE [G]; x: G) is
            -- Insert x into q, waiting if necessary
            -- until there is room.
        require
            not q.is_full
        do
            q.put (x)
        ensure
            not q.is_empty
        end
Reserving an object (cont’d)

    remove (q: separate BOUNDED_QUEUE [G]) is
            -- Remove an element from q, waiting if
            -- necessary until there is such an element.
        require
            not q.is_empty
        do
            q.remove
        ensure
            not q.is_full
        end

    item (q: separate BOUNDED_QUEUE [G]): G is
            -- Oldest element not yet consumed
        ... Left to reader ...

end
Semantic rules

With the class as shown on the previous pages, the call

    put (q, x)

will block until:
- q is available;
- the precondition not q.is_full is true.

The new rule only affects:
- separate arguments;
- precondition clauses which include calls on separate targets (i.e. x.f with x separate).
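The following Python program is an added example; it is not code from the lecture, from Eiffel or from SCOOP. It re-implements the BOUNDED_QUEUE contract of the Design by Contract slides (precondition, postcondition and invariant checked as assertions, as the class-correctness rules require: after creation and on exit from every exported routine) and then the BUFFER_ACCESS wrapper of the reservation slides, where the same precondition clauses on a separate queue become wait conditions. The ContractViolation class, the threading.Condition standing in for the queue's processor, the 0-based slot indexing and the producer/consumer driver are assumptions of this example.

```python
import threading
from typing import Generic, List, Optional, TypeVar

G = TypeVar("G")


class ContractViolation(AssertionError):
    pass  # sequential semantics: a failed pre-/postcondition or invariant is a bug


class BoundedQueue(Generic[G]):
    """The lecture's BOUNDED_QUEUE as a circular buffer (0-based slots; the slide's
    picture is 1-based). One slot always stays free, so at most maxcount =
    capacity - 1 elements are held and full/empty can be told apart."""

    def __init__(self, capacity: int) -> None:
        if capacity < 2:
            raise ContractViolation("capacity must be at least 2")
        self.capacity, self.maxcount = capacity, capacity - 1
        self._slots: List[Optional[G]] = [None] * capacity
        self.oldest = self.next = 0  # slot of oldest element / slot the next put fills
        self._check_invariant()  # rule (1-m): invariant holds after creation

    def _check_invariant(self) -> None:  # the slide's invariant clauses
        if not (self.maxcount == self.capacity - 1
                and 0 <= self.oldest < self.capacity
                and 0 <= self.next < self.capacity
                and abs(self.next - self.oldest) < self.capacity):
            raise ContractViolation("BOUNDED_QUEUE invariant violated")

    def count(self) -> int:
        return (self.next - self.oldest) % self.capacity

    @property
    def is_empty(self) -> bool:
        return self.count() == 0

    @property
    def is_full(self) -> bool:
        return self.count() == self.maxcount

    @property
    def item(self) -> G:  # require not is_empty
        if self.is_empty:
            raise ContractViolation("item: queue is empty")
        return self._slots[self.oldest]

    def put(self, x: G) -> None:
        if self.is_full:  # require not is_full
            raise ContractViolation("put: queue is full")
        self._slots[self.next] = x
        self.next = (self.next + 1) % self.capacity
        self._check_invariant()  # rule (1-n): invariant restored on exit
        if self.is_empty:  # ensure not is_empty
            raise ContractViolation("put: postcondition failed")

    def remove(self) -> G:
        if self.is_empty:  # require not is_empty
            raise ContractViolation("remove: queue is empty")
        x, self._slots[self.oldest] = self._slots[self.oldest], None
        self.oldest = (self.oldest + 1) % self.capacity
        self._check_invariant()
        if self.is_full:  # ensure not is_full
            raise ContractViolation("remove: postcondition failed")
        return x


class BufferAccess(Generic[G]):
    """BUFFER_ACCESS with q separate: a precondition clause on q is a wait
    condition, not an assertion. q's processor is modelled by one Condition."""

    def __init__(self, q: BoundedQueue[G]) -> None:
        self.q, self._processor = q, threading.Condition()

    def put(self, x: G) -> None:
        with self._processor:  # reserve q for the duration of the call
            self._processor.wait_for(lambda: not self.q.is_full)  # not q.is_full
            self.q.put(x)  # the sequential precondition is now guaranteed
            self._processor.notify_all()

    def remove(self) -> G:
        with self._processor:
            self._processor.wait_for(lambda: not self.q.is_empty)  # not q.is_empty
            x = self.q.remove()
            self._processor.notify_all()
            return x


def producer_consumer(n_items: int, capacity: int) -> List[int]:
    """One producer and one consumer share a small queue; returns what was consumed."""
    access: BufferAccess[int] = BufferAccess(BoundedQueue(capacity))
    consumed: List[int] = []

    def producer() -> None:
        for i in range(n_items):
            access.put(i)  # blocks while the queue is full

    def consumer() -> None:
        for _ in range(n_items):
            consumed.append(access.remove())  # blocks while the queue is empty

    workers = [threading.Thread(target=producer), threading.Thread(target=consumer)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    return consumed
```

Calling `BoundedQueue.put` on a full queue raises, because in the sequential model a violated precondition is the client's bug; calling `BufferAccess.put` on the same full queue waits, because the clause `not q.is_full` mentions the separate argument q and has become a wait condition. The lock is held for the whole call, so `q.put (x)` can rely on the precondition it just waited for, which is exactly what the reservation-by-argument-passing rule guarantees.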
The original proof rule

    {INV ∧ p} Body (r) {INV ∧ q}        for all p ∈ Pre (r), q ∈ Post (r)
    ------------------------------------
    {p'} Call (r) {q'}                  for all p ∈ Pre (r), q ∈ Post (r)
The new proof rule

    {INV ∧ p} Body (r) {INV ∧ q}        for all p ∈ Nonsep_pre (r), q ∈ Nonsep_post (r)
    ------------------------------------
    {p'} Call (r) {q'}                  for all p ∈ Nonsep_pre (r), q ∈ Nonsep_post (r)

Nonsep_pre (r): set of clauses in r’s precondition which do not involve any separate calls. Similarly for Nonsep_post (r).
Wait by necessity

    r (...; t: separate SOME_TYPE; ...) is
        do
            ...
            t.f (...)
            other_instructions
        end

When do we wait?
Wait by necessity (cont’d)

For example:

    r (...; t: separate SOME_TYPE; ...) is
        do
            ...
            t.p (...)
            other_instruction_1
            ...
            other_instruction_n
            k := t.some_value        -- WAIT HERE
        end

Wait on queries (calls to attributes and functions), not on procedure calls.
Blocking semantics is not always appropriate

    f: FILE
    ...
    if f /= Void and then f.readable then
        f.some_input_routine
            -- some_input_routine is any routine
            -- that reads data from the file;
            -- its precondition is readable.
    end
Duels

Request immediate service: immediate_service
Accept immediate service: yield

                                    Holder: insist              Holder: yield

Challenger: normal_service          Challenger waits            Challenger waits
Challenger: immediate_service       Exception in challenger     Exception in holder; serve challenger.
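The four cells of the duel table, played out in Python as an added example (not code from the lecture or from SCOOP's CONCURRENCY class). The interesting cell is immediate_service against yield: the holder does not get killed mid-routine; its interruption surfaces as an exception at its next call on the object, so the routine-call granularity of mutual exclusion, and with it the object's invariant, is preserved. The class name SeparateObject, the reserve/use/release methods, the events log and the optional Event used to make the run deterministic are assumptions of this example.

```python
import threading
from typing import List, Optional


class DuelLost(Exception):
    """Raised in the challenger: it asked for immediate service, the holder insists."""


class Interrupted(Exception):
    """Raised in the holder: it had yielded and a challenger asked for immediate service."""


class SeparateObject:
    """An object held by one client at a time, resolving conflicts as in the duel table.

    The holder reserves with holder_mode "insist" or "yield"; a challenger reserves
    with mode "normal_service" or "immediate_service". events records what happened."""

    def __init__(self) -> None:
        self._cv = threading.Condition()
        self.holder: Optional[str] = None
        self.holder_mode = "insist"
        self._interrupted = False
        self.events: List[str] = []

    def reserve(self, client: str, mode: str = "normal_service", holder_mode: str = "insist",
                requested: Optional[threading.Event] = None) -> None:
        """Take the object for client, waiting, losing or interrupting as the table says.
        requested (optional) is set once the request has been decided."""
        with self._cv:
            if self.holder is not None and self.holder != client:
                if mode == "immediate_service" and self.holder_mode == "insist":
                    self.events.append("exception in challenger")
                    self._signal(requested)
                    raise DuelLost(f"{client}: {self.holder} insists")
                if mode == "immediate_service":   # holder yields: its next call raises,
                    self._interrupted = True       # then the challenger is served
                else:
                    self.events.append("challenger waits")
                self._signal(requested)
                self._cv.wait_for(lambda: self.holder is None)
            self.holder, self.holder_mode, self._interrupted = client, holder_mode, False
            self._signal(requested)

    def use(self, client: str) -> str:
        """One routine call by the holder. An interruption surfaces here, between
        calls, so the object is never abandoned in the middle of a routine."""
        with self._cv:
            if self.holder != client:
                raise RuntimeError(f"{client} does not hold the object")
            if self._interrupted:
                raise Interrupted(f"{client}: a challenger demanded immediate service")
            return f"{client} served"

    def release(self, client: str) -> None:
        with self._cv:
            if self.holder == client:
                self.holder = None
                self._cv.notify_all()

    @staticmethod
    def _signal(event: Optional[threading.Event]) -> None:
        if event is not None:
            event.set()


def run_duel(challenger_mode: str, holder_mode: str) -> List[str]:
    """Play one cell of the duel table and return the sequence of outcomes."""
    obj = SeparateObject()
    obj.reserve("holder", holder_mode=holder_mode)
    requested = threading.Event()

    def challenger() -> None:
        try:
            obj.reserve("challenger", challenger_mode, requested=requested)
            obj.events.append("challenger served")
            obj.release("challenger")
        except DuelLost:
            pass  # outcome already recorded by reserve()

    t = threading.Thread(target=challenger)
    t.start()
    requested.wait()  # the challenger's request has been decided
    try:
        obj.use("holder")  # the holder's next routine call
        obj.events.append("holder served")
    except Interrupted:
        obj.events.append("exception in holder")
    obj.release("holder")  # the holder's call ends, normally or by exception
    t.join()
    return obj.events
```

`run_duel("immediate_service", "yield")` yields the sequence "exception in holder" then "challenger served", while with an insisting holder the exception lands in the challenger and the holder is served undisturbed; a normal_service challenger simply waits in both cases.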
Dining philosophers
Dining philosophers (cont’d)

separate class PHILOSOPHER
inherit
    PROCESS
        rename setup as getup end
create
    make
feature {BUTLER}
    step is
        do
            think
            eat (left, right)
        end
Dining philosophers (cont’d)

feature {NONE}
    left, right: separate FORK
            -- The two required forks

    getup is
            -- Take any necessary initialization action.
        do
            ...
        end

    think is
            -- Any appropriate action.
        do
            ...
        end

    eat (l, r: separate FORK) is
            -- Eat, having grabbed l and r.
        do
            ...
        end
end
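Why the PHILOSOPHER class above cannot deadlock: eat (left, right) passes both separate forks as arguments, so the call reserves both at once or waits for both, and no philosopher ever sits holding one fork while waiting for the other. The Python program below is an added example of that all-or-nothing reservation, not code from the lecture or from SCOOP; the Table class, the threading.Condition used to make the reservation atomic, and the fork-sharing check in dine are assumptions of this example.

```python
import threading
import time
from typing import Dict, List, Sequence, Set


class Table:
    """The forks. Passing (left, right) to eat reserves both forks in one atomic
    step, the way SCOOP reserves every separate argument of a call, or waits."""

    def __init__(self) -> None:
        self._cv = threading.Condition()
        self._held: Set[int] = set()

    def reserve(self, forks: Sequence[int]) -> None:
        with self._cv:
            self._cv.wait_for(lambda: self._held.isdisjoint(forks))  # all free, or wait
            self._held.update(forks)

    def free(self, forks: Sequence[int]) -> None:
        with self._cv:
            self._held.difference_update(forks)
            self._cv.notify_all()


def dine(n: int, meals: int, timeout: float = 10.0) -> Dict[str, object]:
    """n philosophers each run think / eat (left, right) `meals` times.
    Returns meals eaten per philosopher, how often a fork was seen in two
    hands at once (must be 0) and whether anyone is still blocked after
    `timeout` seconds, which would mean a deadlock."""
    table = Table()
    eaten: List[int] = [0] * n
    holders = [0] * n                  # philosophers currently holding each fork
    check = threading.Lock()
    conflicts = [0]

    def philosopher(i: int) -> None:
        left, right = i, (i + 1) % n   # the two required forks
        for _ in range(meals):
            # think: any appropriate action, nothing to reserve
            table.reserve((left, right))   # eat (left, right): both forks or none
            with check:
                holders[left] += 1
                holders[right] += 1
                if holders[left] > 1 or holders[right] > 1:
                    conflicts[0] += 1
            eaten[i] += 1
            with check:
                holders[left] -= 1
                holders[right] -= 1
            table.free((left, right))

    threads = [threading.Thread(target=philosopher, args=(i,), daemon=True) for i in range(n)]
    for t in threads:
        t.start()
    deadline = time.monotonic() + timeout
    for t in threads:
        t.join(max(0.0, deadline - time.monotonic()))
    return {"eaten": eaten, "conflicts": conflicts[0],
            "deadlocked": any(t.is_alive() for t in threads)}
```

Replacing the single reserve((left, right)) by two consecutive single-fork reservations reintroduces the classic deadlock (every philosopher holding a left fork and waiting for a right one), which is what the argument-passing rule rules out. Fairness is a different matter: nothing here prevents one philosopher from being starved by its neighbours.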
A binary tree class, non-parallel

class BINARY_TREE [G]
feature
    left, right: BINARY_TREE [G]

    nodes: INTEGER is
            -- Number of nodes in this tree
        do
            Result := node_count (left) + node_count (right) + 1
        end

feature {NONE}
    node_count (b: BINARY_TREE [G]): INTEGER is
            -- Number of nodes in b
        do
            if b /= Void then
                Result := b.nodes
            end
        end
end
A binary tree class: Parallel version

separate class BINARY_TREE [G]
feature
    left, right: BINARY_TREE [G]

    … Other features …

    nodes: INTEGER

    update_nodes is
            -- Update nodes to reflect number of nodes in this
            -- tree.
        do
            nodes := 1
            compute_nodes (left)
            compute_nodes (right)
            adjust_nodes (left)
            adjust_nodes (right)
        end
Parallel version (cont’d)

feature {NONE}
    compute_nodes (b: BINARY_TREE [G]) is
            -- Update information about the number of nodes in b.
        do
            if b /= Void then
                b.update_nodes
            end
        end

    adjust_nodes (b: BINARY_TREE [G]) is
            -- Adjust number of nodes from those in b.
        do
            if b /= Void then
                nodes := nodes + b.nodes
            end
        end
end
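The parallel BINARY_TREE works only because of wait by necessity: b.update_nodes in compute_nodes is a procedure call on a separate object, so both subtrees start counting at once, while b.nodes in adjust_nodes is a query, so the caller waits there for the result. The Python program below is an added example of both the "Wait by necessity" slides and the parallel tree; it is not code from the lecture or from SCOOP. The Separate proxy (one single-threaded executor per object standing in for its processor), the SomeType stand-in with its slow procedure p, and the full_tree/count_nodes helpers are assumptions of this example.

```python
import time
from concurrent.futures import Future, ThreadPoolExecutor
from typing import Any, Optional


class Separate:
    """Proxy for a separate object: the object has its own processor (one
    worker thread) which executes calls in the order they were issued.

    call():  procedure call, queued on the processor; the caller goes on at once.
    query(): a call whose result is needed; the caller waits until the processor
             reaches it, hence until every earlier call on the object is done
             (wait by necessity)."""

    def __init__(self, target: Any) -> None:
        self._target = target
        self._processor = ThreadPoolExecutor(max_workers=1)

    def call(self, name: str, *args: Any) -> Future:
        return self._processor.submit(getattr(self._target, name), *args)

    def query(self, name: str, *args: Any) -> Any:
        def read() -> Any:
            attr = getattr(self._target, name)
            return attr(*args) if callable(attr) else attr  # function or attribute
        return self._processor.submit(read).result()


class SomeType:
    """Stand-in for the slide's SOME_TYPE: p is slow, some_value is an attribute."""

    def __init__(self) -> None:
        self.some_value = 0

    def p(self, delay: float) -> None:
        time.sleep(delay)
        self.some_value = 42


def r(t: Separate, delay: float = 0.2) -> tuple:
    """The slide's routine r. Returns k and two checks: that t.p returned
    at once and that the query waited for p to finish."""
    start = time.monotonic()
    t.call("p", delay)                         # t.p (...): no wait
    issued = time.monotonic() - start          # other_instruction_1 .. n would run here
    k = t.query("some_value")                  # k := t.some_value: WAIT HERE
    waited = time.monotonic() - start
    return k, issued < delay / 2, waited >= delay * 0.9


class BinaryTree:
    """The lecture's parallel BINARY_TREE: children are separate objects."""

    def __init__(self, left: Optional["BinaryTree"] = None,
                 right: Optional["BinaryTree"] = None) -> None:
        self.left = Separate(left) if left is not None else None
        self.right = Separate(right) if right is not None else None
        self.nodes = 0

    def update_nodes(self) -> None:
        self.nodes = 1
        self.compute_nodes(self.left)      # both subtrees start counting concurrently
        self.compute_nodes(self.right)
        self.adjust_nodes(self.left)       # only now do we wait for their results
        self.adjust_nodes(self.right)

    def compute_nodes(self, b: Optional[Separate]) -> None:
        if b is not None:
            b.call("update_nodes")         # procedure call: asynchronous

    def adjust_nodes(self, b: Optional[Separate]) -> None:
        if b is not None:
            self.nodes += b.query("nodes")  # query: wait by necessity


def full_tree(depth: int) -> Optional[BinaryTree]:
    """Complete binary tree with 2**depth - 1 nodes (constructed test input)."""
    return None if depth == 0 else BinaryTree(full_tree(depth - 1), full_tree(depth - 1))


def count_nodes(tree: BinaryTree) -> int:
    root = Separate(tree)
    root.call("update_nodes")
    return root.query("nodes")
```

Because each processor runs its calls in order, the query `b.query("nodes")` cannot overtake the earlier `b.call("update_nodes")` on the same object, so the count read is always the updated one; the parallelism comes from the two children working on different processors between the two compute_nodes calls and the first adjust_nodes.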
Other examples in OOSC-2

- Coroutines
- Locking a resource: semaphores
- An elevator control system
- A watchdog mechanism (execute an action, but take control back if not done after t seconds)
Two-level architecture

[Figure: SCOOP layered on top of .NET threads.]
.NET remoting library

Provides a good basis for SCOOP:
- AppDomains: partition the object set
- Marshal by Value, Marshal by Reference
- All types are potentially remotable
- Threading library
AppDomains

[Figure: one process containing two AppDomains, each with a context. Objects O1 (name "Almaviva"), O2 (name "Figaro") and O3 (name "Susanna"), linked by the references landlord and loved_one, are distributed across the AppDomains and their contexts.]
Challenges

Conceptual:
- Systematic approach to deadlock prevention
- Precise fairness policies
- Proof rules, actual proofs

Organizational:
- Language & compiler integration

But also an opportunity: building industrial-grade software in a university.

But: ETH CS tradition; department and university support.
End of lecture 26