Post on 01-Jan-2016
description
transcript
GUI ThreadingExplained and Verified
Michael Ernst
U. of Washington, Seattle, USAIMDEA Software Institute, Madrid, Spain
joint work with Colin Gordon, Sai Zhang, Werner Dietl, and othershttp://checkerframework.org/
2
Hello from method1void method1() { mylabel.setText("Hello from method1");}
void method2() { mylabel.setText("Hello from method2");}
// Corrected method2void method2() { Display.syncExec(new Runnable { void run() { mylabel.setText("Hello from method2()"); } });}
Making the same change to method1 is unnecessary and dangerous (new concurrency errors)
Invalid UI updates
http://www.myeclipseide.com/PNphpBB2-printview-t-26285-start-0.html
3
GUI threading errors are common
• One of the top 3 SWT exceptions• Tens of thousands of search results• >2700 Eclipse bug reports• Possibly long-lived• One >10 years old in Eclipse!
SwingAndroid
Accept user inputUpdate the displayLong-running computations
A single-threaded GUI program
Single-threaded program
Problem: unresponsive UI
Accept user inputUpdate the display
A multi-threaded GUI program
GUI threadLong-running computationsBackground worker thread
Must not access the UI
Simultaneous access to UI from 2 threads: Race condition• Data corruption (lost & partial updates)• Crashes
GUI thread discipline
Only the UI thread may access UI objects• Most GUI methods must run only on the UI thread• E.g. JLabel.setText()
Other threads should use:syncExec(new Runnable{ run(){ … } })
Advantages:• Simple specification• Responsive UI• Atomic updates without explicit synchronization
Problem: It’s easy to make mistakes
Programmer must remember calling context
For each method:• Can I access the UI in the body of this method?• When is it safe to call this method?• UI libraries may not document this behavior well
public void updateView() { setupTitle(this.title);}
Idea:Automated program analysisto find and prevent UI threading errors
Two analyses to detect GUI threading errors
• Heuristic analysis• Requires no programmer effort• Finds many bugs in practice• GUI Error Detector: https://guierrordetector.googlecode.com/
• Type system• Sound; gives a guarantee• Requires modest programmer effort• Yields machine-checked documentation• GUI Effect Checker: http://checkerframework.org/
Thistalk
Colin Gordon
Sai Zhang
Where may a method be called?
• Only called from UI thread@UIEffect
• Safe to be called from any thread@SafeEffect
“Effect” because this is an effect system• A type system approximates values (e.g., Integer)• An effect system approximates side effects or behavior
(Java’s checked exceptions are also an effect system.)
@UIEffect
@SafeEffect
@UIEffect
@SafeEffect
Relationship between them:
10
Annotated codeclass JLabel { …
@UIEffect public void setText(String s);
}
class Client { …
@SafeEffect public void updateView() {
myJlabel.setText("New Title"); // ERROR
}
@UIEffect public void refreshView() {
myJlabel.setText("New Title"); // OK
}
}
Polymorphic effects
Runnable:• Sometimes used for the UI thread• Sometimes used for background threads
Should it be annotated as @UIEffect or @SafeEffect?
Solution: polymorphismAnalogy: List<String> vs. List<Integer>Similarly, Runnable<@UIEffect> vs. Runnable<@SafeEffect>
(Actual syntax: @PolyUI Runnable)
Preserves backward compatibility with the JDK
interface Runnable { @??Effect public void run();}
12
Using the GUI Effect Checker• Run javac with GUI Effect Checker plug-in
javac --processor GuiEffectChecker MyFile.java• IDEs are also supported
• Examine error reports• Add annotations to clarify program• Repeat until you can’t fix more errors
One-time process! Low incremental cost.
*.javadeveloperjavac +
GUI Effect Checker
code
annotations
error reports
UI-correct program
Case studiesProgram Defects
foundFalse positive
warningsAnnos/KLOC
EclipseRunner 1 0 10HudsonEclipse 3 2 4S3dropbox 2 0 21SudokuSolver 2 0 8Eclipse Color Theme 0 0 3LogViewer 0 1 17JVMMonitor 0 9 7Subclipse 1 13 8
Modest annotation burden:• 7 annotations / 1000 LOC• 4300 LOC / hour
Few false positives• Usually code smells• Would be avoided
if starting with GUI Effect Checker
Type qualifiers
• In Java 8: annotations on types
@Untainted String query;List<@NonNull String> strings;myGraph = (@Immutable Graph) tmpGraph;class UnmodifiableList<T> implements @Readonly List<@Readonly T> {}
• Backward-compatible: compile with any Java compilerList</*@NonNull*/ String> strings;
Benefits of type qualifiers
• Find bugs in programs• Guarantee the absence of errors
• Improve documentation• Improve code structure & maintainability
• Aid compilers, optimizers, and analysis tools• Reduce number of assertions and run-time checks
• Possible negatives:• Must write the types (or use type inference)• False positives are possible (can be suppressed)
What bugs can you detect & prevent?
• Null dereferences • Mutation and side-effects• Concurrency: locking• Security: encryption,
tainting• Aliasing• Equality tests • Strings: localization,
regular expression syntax,signature representation,format string syntax
• Enumeractions• Typestate (e.g., open/closed files)
Users can write their own checkers
• @NonNull• @Immutable• @GuardedBy• @Encrypted@OsTrusted, @Untainted…
• @Linear• @Interned• @Localized@Regex@FullyQualified@Format
• @Fenum• @State
The annotation you write:The property you care about:
What a checker guarantees
• The program satisfies the type property. There are:• no bugs (of particular varieties)• no wrong annotations
• Caveat 1: only for code that is checked• Native methods• Reflection• Code compiled without the pluggable type checker• Suppressed warnings
• Indicates what code a human should analyze• Checking part of a program is still useful
• Caveat 2: The checker itself might contain an error
19
Pluggable type-checkingfor bug detection and verification• GUI Effect Checker:• Polymorphic effect system for UI threading• Simple & effective• Finds bugs• Modest annotation burden
• Additional checkers exist for dozens of other bugs• Distributed with the Checker Framework
• Try it today! http://checkerframework.org