...
There is a general problem with vague documentation of thread safety.
This is a bit strange, because Sun decided to fix that for its Solaris
documentation several years ago. Each library function man page is
required to specify its "MT-Level". See, for example,
http://docs.sun.com/app/docs/doc/816-5168/memcpy-3c?a=view.
The permitted values and their meanings are specified, see
http://docs.sun.com/app/docs/doc/816-5175/attributes-5?a=view.
I've also seen MT-hot, which i believe means that a function that is
MT-safe and can have multiple invocations executing concurrently - that's
stronger than MT-safe, which could involve a lock which only lets one
thread run it at once.
Here is an idea I am thinking of proposing:
1. Add to Javadoc a facility for specifying thread safety. There should
be a limited set of values, but not necessarily the same as the ones for
Sun's Solaris documentation.
How about an annotation rather than a javadoc thing?
2. Add an option to Javadoc to treat absence of a thread safety
specification for any public method or constructor as an error.
With an annotation, you could then get the compiler to complain instead of
javadoc.
The trouble with this mechanism is that it adds a burden when you're not
writing threaded code. I guess the idea is that you'd only use it when you
were.
How about being able to annotate a method as being threaded, then
requiring that all methods called by threaded methods be marked as
threadsafe? I can see lots of ways that wouldn't work, sadly.
3. Encourage API developers, especially Sun's Java developers, to use
the option.
What do people think?
I think it's a very good idea, and long overdue.
Are the Sun Solaris MT-Level values a good starting point?
To a point. We don't need Async-Signal-Safe, Fork-Safe or Cancel-Safety,
so really, we're looking at Safe, Unsafe and MT-Safe. I'm hazy on the
difference between Safe and MT-Safe - it seems to just be some wishy-washy
promises about concurrency. So basically, it comes down to Safe and Unsafe
- which is absolutely fine, but not something you can really say is
specifically taken from the Solaris levels!
I then worry about whether this terminology is rich enough for an OO
language. If there's a method which isn't safe to call in parallel on a
single object, but is fine to call in parallel on different objects (so
a.foo() and b.foo() is fine, but a.foo() and a.foo() is not), is that safe
or not? Presumably not. But then what do i call a method where it's not
safe to call it on separate objects at the same time? What if i have a
method which doesn't do anything unsafe to the object it's called on, but
does do so to its parameters? What if there are relationships between
objects, so a.foo() is only safe to call from the thread that is currently
executing b.bar()?
What would be great is if there was some solid computer-science foundation
for making statements about thread safety, so that each level had a really
well-defined meaning. I don't know enough to know if that's possible.
tom