One important point I have not made so far is that what Bill is pushing is
CnC causality, which I believe is not the intuitive definition of causality
he gave earlier. I claim that even my weakest SC- model obeys Bill's
intuitive definition of causality:
There does not exist an action X such that in reasoning why X occurred,
you have to assume that X occurred.
None of my models violate the above. And if the above isn't what you mean by
causality, then what do you mean and why is it better than the above?
About this whole critical systems thing, I will talk to my colleague who
works in this area to find out if CnC causality will really help him. I
suspect they need to do much more even if they have CnC causality to handle
the bad cases they need to handle.
Sarita
> -----Original Message-----
> From: owner-javamemorymodel@cs.umd.edu
> [mailto:owner-javamemorymodel@cs.umd.edu] On Behalf Of Bill Pugh
> Sent: Wednesday, July 30, 2003 12:42 AM
> To: sadve@cs.uiuc.edu; victor.luchangco@sun.com; 'Martin Trotter'
> Cc: javamemorymodel@cs.umd.edu
> Subject: RE: JavaMemoryModel: Why CnC
>
>
> At 12:04 AM -0500 7/30/03, Sarita Adve wrote:
> >
> >Do we really believe that having CnC type causality is going
> to increase the
> >likelihood of reliable behavior on data races, if we think
> data races are
> >signs of bugs?
>
> If I'm in charge of making sure that the ICBM's are not fired unless
> we are war, my life is simpler if I don't have to worry that a data
> race could allow the system could spontaneously decide that:
> * We should fire the missiles because we are at war
> * We are at war because we are firing the missiles
>
> Now, obviously I am setting up an unrealistic situation here. And
> Java is not certified for controlling ICBMs.
>
> But in critical systems, they try to do all kinds of fault analysis.
> Questions about what could lead to a critical failure, building fault
> trees, etc. People building critical systems build fault tolerant
> systems that are very safe even in the presence of errors. However, I
> don't think anyone doing this kind of analysis would be happy to be
> told that they would have to worry about circular fault trees and
> whether the system could fail because if it did fail then it would
> fail.
>
> This is my primary reason for pushing for causality.
>
> I also have a hunch that since causality gives us so many
> things we need:
> * correctly synchronized programs have SC behavior
> * no out-of-thin-air values, so secret data can remain secret
> there must be something important/essential about it. Just as
> physicists look at an equation and say "That's so simple and elegant
> is must be right", I think that causality, as a general principle of
> multithreaded semantics, is so simple and elegant that it must be
> right.
>
> Bill
> -------------------------------
> JavaMemoryModel mailing list -
> http://www.cs.umd.edu/~pugh/java/memoryModel
>
-------------------------------
JavaMemoryModel mailing list - http://www.cs.umd.edu/~pugh/java/memoryModel
This archive was generated by hypermail 2b29 : Thu Oct 13 2005 - 07:00:48 EDT