Abstract
When an individual task can be forcefully terminated at any time, cooperating tasks must communicate carefully. For example, if two tasks share an object, and if one task is terminated while it manipulates the object, the object may remain in an inconsistent or frozen state that incapacitates the other task. To support communication among terminable tasks, language run-time systems (and operating systems) provide kill-safe abstractions for inter-task communication. No kill-safe guarantee is available, however, for abstractions that are implemented outside the run-time system. In this paper, we show how a run-time system can support new kill-safe abstractions without requiring modification to the run-time system, and without requiring the run-time system to trust any new code. Our design frees the run-time implementor to provide only a modest set of synchronization primitives in the trusted computing base, while still allowing tasks to communicate using sophisticated abstractions.
Index Terms
- Kill-safe synchronization abstractions