GUI ThreadingExplained and Verified

Michael Ernst

U. of Washington, Seattle, USAIMDEA Software Institute, Madrid, Spain

joint work with Colin Gordon, Sai Zhang, Werner Dietl, and othershttp://checkerframework.org/

2

Hello from method1void method1() { mylabel.setText("Hello from method1");}

void method2() { mylabel.setText("Hello from method2");}

// Corrected method2void method2() { Display.syncExec(new Runnable { void run() { mylabel.setText("Hello from method2()"); } });}

Making the same change to method1 is unnecessary and dangerous (new concurrency errors)

Invalid UI updates

http://www.myeclipseide.com/PNphpBB2-printview-t-26285-start-0.html

3

GUI threading errors are common

• One of the top 3 SWT exceptions• Tens of thousands of search results• >2700 Eclipse bug reports• Possibly long-lived• One >10 years old in Eclipse!

SwingAndroid

Accept user inputUpdate the displayLong-running computations

A single-threaded GUI program

Single-threaded program

Problem: unresponsive UI

Accept user inputUpdate the display

A multi-threaded GUI program

GUI threadLong-running computationsBackground worker thread

Must not access the UI

Simultaneous access to UI from 2 threads: Race condition• Data corruption (lost & partial updates)• Crashes

GUI thread discipline

Only the UI thread may access UI objects• Most GUI methods must run only on the UI thread• E.g. JLabel.setText()

Other threads should use:syncExec(new Runnable{ run(){ … } })

Advantages:• Simple specification• Responsive UI• Atomic updates without explicit synchronization

Problem: It’s easy to make mistakes

Programmer must remember calling context

For each method:• Can I access the UI in the body of this method?• When is it safe to call this method?• UI libraries may not document this behavior well

public void updateView() { setupTitle(this.title);}

Idea:Automated program analysisto find and prevent UI threading errors

Two analyses to detect GUI threading errors

• Heuristic analysis• Requires no programmer effort• Finds many bugs in practice• GUI Error Detector: https://guierrordetector.googlecode.com/

• Type system• Sound; gives a guarantee• Requires modest programmer effort• Yields machine-checked documentation• GUI Effect Checker: http://checkerframework.org/

Thistalk

Colin Gordon

Sai Zhang

Where may a method be called?

• Only called from UI thread@UIEffect

• Safe to be called from any thread@SafeEffect

“Effect” because this is an effect system• A type system approximates values (e.g., Integer)• An effect system approximates side effects or behavior

(Java’s checked exceptions are also an effect system.)

@UIEffect

@SafeEffect

@UIEffect

@SafeEffect

Relationship between them:

10

Annotated codeclass JLabel { …

@UIEffect public void setText(String s);

}

class Client { …

@SafeEffect public void updateView() {

myJlabel.setText("New Title"); // ERROR

}

@UIEffect public void refreshView() {

myJlabel.setText("New Title"); // OK

}

}

Polymorphic effects

Runnable:• Sometimes used for the UI thread• Sometimes used for background threads

Should it be annotated as @UIEffect or @SafeEffect?

Solution: polymorphismAnalogy: List<String> vs. List<Integer>Similarly, Runnable<@UIEffect> vs. Runnable<@SafeEffect>

(Actual syntax: @PolyUI Runnable)

Preserves backward compatibility with the JDK

interface Runnable { @??Effect public void run();}

12

Using the GUI Effect Checker• Run javac with GUI Effect Checker plug-in

javac --processor GuiEffectChecker MyFile.java• IDEs are also supported

• Examine error reports• Add annotations to clarify program• Repeat until you can’t fix more errors

One-time process! Low incremental cost.

*.javadeveloperjavac +

GUI Effect Checker

code

annotations

error reports

UI-correct program

Case studiesProgram Defects

foundFalse positive

warningsAnnos/KLOC

EclipseRunner 1 0 10HudsonEclipse 3 2 4S3dropbox 2 0 21SudokuSolver 2 0 8Eclipse Color Theme 0 0 3LogViewer 0 1 17JVMMonitor 0 9 7Subclipse 1 13 8

Modest annotation burden:• 7 annotations / 1000 LOC• 4300 LOC / hour

Few false positives• Usually code smells• Would be avoided

if starting with GUI Effect Checker

Type qualifiers

• In Java 8: annotations on types

@Untainted String query;List<@NonNull String> strings;myGraph = (@Immutable Graph) tmpGraph;class UnmodifiableList<T> implements @Readonly List<@Readonly T> {}

• Backward-compatible: compile with any Java compilerList</*@NonNull*/ String> strings;

Benefits of type qualifiers

• Find bugs in programs• Guarantee the absence of errors

• Improve documentation• Improve code structure & maintainability

• Aid compilers, optimizers, and analysis tools• Reduce number of assertions and run-time checks

• Possible negatives:• Must write the types (or use type inference)• False positives are possible (can be suppressed)

What bugs can you detect & prevent?

• Null dereferences • Mutation and side-effects• Concurrency: locking• Security: encryption,

tainting• Aliasing• Equality tests • Strings: localization,

regular expression syntax,signature representation,format string syntax

• Enumeractions• Typestate (e.g., open/closed files)

Users can write their own checkers

• @NonNull• @Immutable• @GuardedBy• @Encrypted@OsTrusted, @Untainted…

• @Linear• @Interned• @Localized@Regex@FullyQualified@Format

• @Fenum• @State

The annotation you write:The property you care about:

What a checker guarantees

• The program satisfies the type property. There are:• no bugs (of particular varieties)• no wrong annotations

• Caveat 1: only for code that is checked• Native methods• Reflection• Code compiled without the pluggable type checker• Suppressed warnings

• Indicates what code a human should analyze• Checking part of a program is still useful

• Caveat 2: The checker itself might contain an error

19

Pluggable type-checkingfor bug detection and verification• GUI Effect Checker:• Polymorphic effect system for UI threading• Simple & effective• Finds bugs• Modest annotation burden

• Additional checkers exist for dozens of other bugs• Distributed with the Checker Framework

• Try it today! http://checkerframework.org