Here is a simple programming task.
Write a procedure to transfer money from one bank account to another. To keep things simple, both accounts are held in memory: no interaction with databases is required. The procedure must operate correctly in a concurrent program, in which many threads may call transfer simultaneously. No thread should be able to observe a state in which the money has left one account, but not arrived in the other (or vice versa).
This example is somewhat unrealistic, but its simplicity allows us to focus on what is new: the language Haskell (Section 3.1), and transactional memory (Sections 3.2 onwards). But first let us briefly look at the conventional approach.
2.1 Bank accounts using locks
The dominant technology for coordinating concurrent programs today is the use of locks and condition variables. In an object-oriented language, every object has an implicit lock and the locking is done by synchronised methods, but the idea is the same. So one might define a class for bank accounts something like this:
class Account {
  int balance;

  synchronized void withdraw( int n ) {
    balance = balance - n;
  }

  void deposit( int n ) {
    withdraw( -n );   // reuses withdraw's lock, so deposit is atomic too
  }
}
We must be careful to use a synchronized method for withdraw, so that we do not get any missed decrements if two threads call withdraw at the same time. The effect of synchronized is to take a lock on the account, run withdraw, and then release the lock.
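To see that lock explicitly, here is a sketch of my own (not from the text above) of what the synchronized method amounts to, with the account's implicit lock replaced by an explicit java.util.concurrent.locks.ReentrantLock:

import java.util.concurrent.locks.ReentrantLock;

class Account {
  int balance;
  private final ReentrantLock lock = new ReentrantLock();  // the per-object lock, made explicit

  void withdraw( int n ) {
    lock.lock();               // take the account's lock
    try {
      balance = balance - n;   // the critical section
    } finally {
      lock.unlock();           // release it, even if an exception is thrown
    }
  }
}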
Now, here is how we might write the code for transfer:
void transfer( Account from, Account to, int amount ) {
  from.withdraw( amount );
  to.deposit( amount );
}
This code is fine for a sequential program, but in a concurrent program another thread could observe an intermediate state in which the money has left account from, but not arrived in to. The fact that both methods are synchronized does not help us at all. Account from is first locked and then unlocked by the call to method withdraw, and then to is locked and unlocked by deposit. In between the two calls, the money is (visibly) absent from both accounts.
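To make that intermediate state observable, consider this small sketch (my own illustration; the Audit class and the 200/100 figures are invented) in which an auditing thread sums the two balances while a transfer is in flight:

class Audit {
  static void transfer( Account from, Account to, int amount ) {
    from.withdraw( amount );
    // <-- an auditor running here sees the money in neither account
    to.deposit( amount );
  }

  public static void main( String[] args ) throws InterruptedException {
    Account from = new Account();  from.balance = 200;
    Account to   = new Account();

    Thread mover = new Thread( () -> transfer( from, to, 100 ) );
    mover.start();

    // These unlocked reads are themselves a race, which is part of
    // the point: the total is occasionally 100, not 200.
    int total = from.balance + to.balance;
    System.out.println( total );
    mover.join();
  }
}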
In a finance program, that might be unacceptable. How do we fix it? The usual solution would be to add explicit locking code thus:
void transfer( Account from, Account to, int amount ) {
  from.lock(); to.lock();    // assumes Account also exposes lock()/unlock()
  from.withdraw( amount );
  to.deposit( amount );
  from.unlock(); to.unlock();
}
But this program is fatally prone to deadlock. In particular, consider the (unlikely) situation in which another thread is transferring money in the opposite direction between the same two accounts. Then each thread might get one lock and then block indefinitely waiting for the other.
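Concretely, with the explicit-locking transfer above (a sketch of my own, again assuming Account exposes the lock()/unlock() methods that transfer already uses):

Account a = new Account(), b = new Account();
new Thread( () -> transfer( a, b, 10 ) ).start();  // acquires a's lock, then waits for b's
new Thread( () -> transfer( b, a, 10 ) ).start();  // acquires b's lock, then waits for a's
// Under that interleaving each thread holds the lock the other needs,
// and both block forever: deadlock.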
Once recognised – and the problem is not always so obvious – the standard fix is to put an arbitrary global order on the locks, and to acquire them in increasing order. The locking code would then become
if from < to                      // '<': any fixed global ordering on accounts
then { from.lock(); to.lock(); }
else { to.lock(); from.lock(); }
That works fine when the full set of required locks can be predicted in advance, but that is not always the case. For example, suppose from.withdraw is implemented by transferring money out of account from2 if from does not have enough funds. We don't know whether to acquire from2's lock until we have read from, and by then it is too late to acquire the locks in the “right” order. Furthermore, the very existence of from2 may be a private matter that should be known by from, but not by transfer. And even if transfer did know about from2, the locking code must now take three locks, presumably by sorting them into the right order.
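For illustration only, here is one way that sorting might look. It is a hypothetical sketch of mine: it assumes every account carries a unique, immutable id field (which the Account class above does not have) and the same explicit lock() method used in transfer:

// Hypothetical: 'id' is an assumed unique account number.
static void lockInOrder( Account... accounts ) {
  Account[] sorted = accounts.clone();
  java.util.Arrays.sort( sorted, ( x, y ) -> Integer.compare( x.id, y.id ) );
  for ( Account acct : sorted )
    acct.lock();   // always acquired in increasing id order, so no cycles
}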
Matters become even more complicated when we want to block. For example, suppose that transfer should block if from has insufficient funds. This is usually done by waiting on a condition variable, while simultaneously releasing from's lock. It gets much trickier if we want to block until there are sufficient funds in from and from2 considered together.
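The condition-variable version of a blocking withdraw would look something like this sketch (mine, using Java's built-in wait/notify mechanism on the account's implicit lock):

class Account {
  int balance;

  synchronized void withdraw( int n ) throws InterruptedException {
    while ( balance < n )   // re-test the condition after every wake-up
      wait();               // releases this account's lock while blocked
    balance = balance - n;
  }

  synchronized void deposit( int n ) {
    balance = balance + n;  // note: deposit can no longer just call withdraw(-n)
    notifyAll();            // wake any threads blocked in withdraw
  }
}

Note that wait() can only release the lock of the single object it belongs to; there is no way to atomically wait on a condition spanning both from and from2, which is exactly why the combined test is so tricky.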
2.2 Locks are bad
To make a long story short, today’s dominant technology for concurrent programming – locks and condition variables – is fundamentally flawed. Here are some standard difficulties, some of which we have seen above:
Taking too few locks. It is easy to forget to take a lock and thereby end up with two threads that modify the same variable simultaneously.
Taking too many locks. It is easy to take too many locks and thereby inhibit concurrency (at best) or cause deadlock (at worst).
Taking the wrong locks. In lock-based programming, the connection between a lock and the data it protects often exists only in the mind of the programmer, and is not explicit in the program. As a result, it is all too easy to take or hold the wrong locks.
Taking locks in the wrong order. In lock-based programming, one must be careful to take locks in the “right” order. Avoiding the deadlock that can otherwise occur is always tiresome and error-prone, and sometimes extremely difficult.
Error recovery can be very hard, because the programmer must guarantee that no error can leave the system in a state that is inconsistent, or in which locks are held indefinitely.
Lost wake-ups and erroneous retries. It is easy to forget to signal a condition variable on which a thread is waiting, or to re-test a condition after a wake-up (see the sketch after this list).
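Both of those last pitfalls are one-token mistakes in the blocking withdraw sketched at the end of the previous section:

synchronized void withdraw( int n ) throws InterruptedException {
  if ( balance < n )   // BUG: 'if' never re-tests; after a wake-up the
    wait();            // funds may already have been taken by another thread
  balance = balance - n;
}
// ...and a deposit that forgets notifyAll() leaves waiting threads
// blocked forever: the wake-up is simply lost.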
But the fundamental shortcoming of lock-based programming is that locks and condition variables do not support modular programming. By “modular programming” I mean the process of building large programs by gluing together smaller programs. Locks make this impossible. For example, we could not use our (correct) implementations of withdraw and deposit unchanged to implement transfer; instead we had to expose the locking protocol. Blocking and choice are even less modular. For example, suppose we had a version of withdraw that blocks if the source account has insufficient funds. Then we would not be able to use withdraw directly to withdraw money from A or B (depending on which has sufficient funds) without exposing the blocking condition; and even then it's not easy. This critique is elaborated elsewhere [7, 8, 4].
[4] Tim Harris, Simon Marlow, Simon Peyton Jones, and Maurice Herlihy. Composable memory transactions. In ACM Symposium on Principles and Practice of Parallel Programming (PPoPP’05), June 2005.
[7] Edward A. Lee. The problem with threads. IEEE Computer, 39(5):33–42, May 2006.
[8] J. K. Ousterhout. Why threads are a bad idea (for most purposes), January 1996. Invited Talk, USENIX Technical Conference.