A Verified Implementation of Priority Monitors in Java
Java monitors, as implemented in the java.util.concurrent.locks package, are no-priority nonblocking monitors: a thread signalled after blocking on a condition queue does not proceed immediately, but has to wait until the signalling thread, and possibly other threads that have since requested the lock, release it. This can be a source of errors (if threads that get in between leave the monitor in a state incompatible with the signalled thread's re-entry) or of inefficiency (if repeated evaluation of preconditions is used to ensure safe re-entry). A concise implementation of priority nonblocking monitors in Java is presented. Curiously, our monitors are implemented on top of the standard no-priority implementation. To verify the correctness of our solution, a formal transition model (which includes a formalisation of Java locks and conditions) has been defined and checked using Uppaal. This model has been adapted to PlusCal in order to obtain a formal proof in TLA that is independent of the number of threads.
Keywords: Monitors, Java, model checking, priority, nonblocking, TLA, PlusCal
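To make the barging problem concrete, here is an added illustration (not the paper's implementation) of how a priority-style hand-off can be layered on a standard no-priority ReentrantLock/Condition pair: newcomers are parked on a hypothetical `gate` condition while a signalled waiter is still pending, so the signalled thread re-acquires the lock before any thread that arrived after the signal. The class name, field names and the bounded-counter state are all constructed for this example.

```java
import java.util.concurrent.locks.Condition;
import java.util.concurrent.locks.ReentrantLock;

/** Illustrative priority-style monitor built on a no-priority lock/condition pair (example code). */
public final class PriorityMonitorDemo {
    private final ReentrantLock lock = new ReentrantLock();
    private final Condition gate = lock.newCondition();     // newcomers park here while a signalled thread is pending
    private final Condition notEmpty = lock.newCondition(); // the "real" condition of the monitor
    private int pendingSignalled = 0; // waiters signalled on notEmpty that have not re-entered yet
    private int waiters = 0;          // threads currently blocked on notEmpty
    private int items = 0;            // shared state guarded by the monitor (constructed example)

    /** Enter the monitor, yielding to any thread that was signalled before we arrived. */
    private void enter() {
        lock.lock();
        // await releases the lock, so the signalled thread can re-acquire it ahead of us
        while (pendingSignalled > 0) gate.awaitUninterruptibly();
    }

    private void leave() { lock.unlock(); }

    public void put() {
        enter();
        try {
            items++;
            if (waiters > pendingSignalled) { // only count a signal that will actually wake a waiter
                pendingSignalled++;
                notEmpty.signal();
            }
        } finally { leave(); }
    }

    public int take() {
        enter();
        try {
            while (items == 0) {                 // loop kept only as a guard against spurious wake-ups
                waiters++;
                notEmpty.awaitUninterruptibly(); // resumes holding the lock; newcomers are held at the gate
                waiters--;
                if (pendingSignalled > 0 && --pendingSignalled == 0) gate.signalAll(); // let newcomers in
            }
            return --items;
        } finally { leave(); }
    }
}
```

Without the gate, a thread calling `put()` or `take()` between the signal and the signalled thread's re-acquisition could observe or alter `items` first, which is exactly the no-priority behaviour the abstract describes.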