synchdesign.html

Concurrent Programming in Java

<html><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html> <head>
<title>
Designing Objects for Concurrency
</title>
</head>

<BODY bgcolor=#ffffee vlink=#0000aa link=#cc0000>

<h1>
Designing Objects for Concurrency
</h1>

Objects within multithreaded Java programs interact. Interacting
objects involved in multiple threads require synchronization (unless
they happen to be <a href="immut.html" tppabs="http://www.foi.hr/~dpavlin/java/mirrors/g.oswego.edu/dl/pats/immut.html">immutable</a>).  But piecemeal
approaches to object synchronization do not scale well. Instead of
adding synchronization constructs here and there to sequential
designs, it is a much better idea to start out thinking about the
<em>logical</em> conditions or <em>guards</em> under which each method
you write may execute in a concurrent setting. If every object
performs actions only when it is safe to do so, and the mechanics are
properly implemented with Java synchronization mechanisms, then you can
be sure that an application using these objects will not encounter any
errors due to object inconsistency.  <p>

This practice reflects a design policy that
 <P>
<strong>
    It is better to do nothing at all than to do something
    that compromises object integrity.
</strong>

<P> Another way of saying this is that whenever there is a choice, it
is a much better bet to choose <EM>SAFETY</EM> -- the property that
nothing bad happens, over <EM>LIVENESS</EM> -- the property that
anything happens at all.

<p>
According to this view, it is even
preferable to deadlock a set of objects (have them each wait for each
other in an endless chain) than to have them mutually interfere with
each other, leaving one or more of them in inconsistent states, thus
causing them to later take random, even dangerous actions. This stance
is especially attractive considering that clients that do not want to
encounter the delays of unknown duration associated with guarded
methods can always spawn new <A
HREF="javascript:if(confirm('http://g.oswego.edu/dl/pats/javaconc.html  \n\nThis file was not retrieved by Teleport Pro, because it is addressed on a domain or path outside the boundaries set for its Starting Address.  \n\nDo you want to open it from the server?'))window.location='http://g.oswego.edu/dl/pats/javaconc.html'" tppabs="http://g.oswego.edu/dl/pats/javaconc.html">Threads</A> to wait
them out.  Implementations are generally obligated to make good on
this policy by preventing actions from occurring when objects are
unable to perform them, and conversely, actually performing them when
they are able.

<p> This sense of safety is a distinguishing characteristic of
reusable concurrent classes versus one-shot application classes. In
one-shot settings, you may know enough about the context that an
object is used in to not bother thinking through the consequences of
arbitrary concurrency. But when you are constructing the building
blocks for entire suites of applications or systems, you cannot afford
to ignore such issues.  And even for one-shot applications, the
consequences of the lack of proper synchronization are very difficult
to predict and time-consuming to diagnose in a buggy program. So, if
nothing else, planning for concurrency ahead of time is usually more
time-effective than trying to deal with problems after the fact.
(However, for ways to rescue sequential designs, see especially,
the <a href="coordinators.html" tppabs="http://www.foi.hr/~dpavlin/java/mirrors/g.oswego.edu/dl/pats/coordinators.html"> Coordinator</a> pattern.)
<P>



<H3>
<A NAME="secCounter">
Bounded Counter
</H3>

Here is a variation of a classic <EM>counting semaphore</EM>, that
will be used as the main running example for describing designs and
design patterns for objects with guarded actions .  It is defined
using an <CODE>interface</CODE> to provide scaffolding for different
implementations:


<PRE>
interface BoundedCounter {
  public static final int minVal = 0;  // minimum allowed value()
  public static final int maxVal = 10; // maximum allowed value()

  public int value(); // invariant: minVal &lt;= value() &lt;= maxVal
  public void inc();  // increment only when value() &lt; maxVal
  public void dec();  // decrement only when value() &gt; minVal
}
</PRE>


<p> To distinguish design-level concerns from implementation issues,
we'll use a shorthand pidgin-java notation to express guards, placing
them in double square brackets.  Using guards, an abstract implementation
class would look like:

<PRE>
class BoundedCounterV0 implements BoundedCounter {

  public synchronized int value() { return count_; }
  public synchronized void inc()  [[ when count_ &lt; maxVal ]] { ++count_; }
  public synchronized void dec()  [[ when count_ &gt; minVal ]] { --count_; } 

  public BoundedCounterV0(        { count_ = minValue; }

  private int count_; 
}
</PRE>

The idea here is that the <CODE>BoundedCounter </CODE> is obligated to
keep <CODE>count</CODE> between <CODE>minVal</CODE> and
<CODE>maxVal</CODE>. So it can only increment or decrement the
<CODE>count</CODE> when it is within these bounds. In a purely
sequential program, you might program this to raise an exception if a
<CODE>dec</CODE> message is received when the <CODE>count_</CODE> is
<CODE>minVal</CODE>. But in a concurrent setting, we instead want to
postpone any action, so that it may occur sometime later if and when
the <CODE>count</CODE> becomes greater than <CODE>minVal</CODE> via an
<CODE>inc</CODE> message.  <P>

While this example is pretty boring, it is conveniently simple for
illustrating techniques, and turns out to be a good model for several
common concurrent object designs.  For example, you might
think it more interesting and relevant if you think of
<CODE>dec</CODE> and <CODE>inc</CODE> as standins for methods that
give out and take back a fixed number of resources rather than just
counting their use, or for those in a classic fixed-length buffer:
 <P>

<PRE>
interface BoundedBuffer {
  public static final int CAPACITY = 10; 

  public int    count();        // invariant: 0 &lt;= count() &lt;= CAPACITY
  public void   put(Object x);  // add only when count() &lt; CAPACITY
  public Object take();         // remove only when count() &gt; 0
}
</PRE>

Designs for BoundedCounter can be transformed into those for
BoundedBuffer by translating:
<ul>
  <li> minVal -- 0
  <li> maxVal -- CAPACITY
  <li> value -- count
  <li> inc -- put (adding code to actually place object in an array slot)
  <li> dec -- take (adding code to remove and return object).
</ul>

Also, there's no real reason except simplicity of examples to require
<code>minVal</code> and <code>maxVal</code> to be <code>static</code>
constants. In more realistic versions, these might be per-object
constants, established in constructors.

<H2>
<A NAME="secGuardMechanics"></A>
Implementing Guards
</H2>


The standard coding idiom for expressing guarded waits is a simple
<CODE>while</CODE> loop. To help ensure that this is always done
correctly, it is good practice to encapsulate it in its own non-public
method: <P>


Guarded Form:
<PRE>
  [[ when cond ]] { action(); }
</PRE>
Java:
<PRE>
  private synchronized void waitUntilCond() {
    while (!cond) try { wait(); } catch (InterruptedException ex) {}
  }
  ...
  
  { waitUntilCond(); action(); }
</PRE>

<p>


As a general rule, condition waits should always be placed in while