At 12:04 AM -0500 7/30/03, Sarita Adve wrote:
>
>Do we really believe that having CnC type causality is going to increase the
>likelihood of reliable behavior on data races, if we think data races are
>signs of bugs?
If I'm in charge of making sure that the ICBM's are not fired unless
we are war, my life is simpler if I don't have to worry that a data
race could allow the system could spontaneously decide that:
* We should fire the missiles because we are at war
* We are at war because we are firing the missiles
Now, obviously I am setting up an unrealistic situation here. And
Java is not certified for controlling ICBMs.
But in critical systems, they try to do all kinds of fault analysis.
Questions about what could lead to a critical failure, building fault
trees, etc. People building critical systems build fault tolerant
systems that are very safe even in the presence of errors. However, I
don't think anyone doing this kind of analysis would be happy to be
told that they would have to worry about circular fault trees and
whether the system could fail because if it did fail then it would
fail.
This is my primary reason for pushing for causality.
I also have a hunch that since causality gives us so many things we need:
* correctly synchronized programs have SC behavior
* no out-of-thin-air values, so secret data can remain secret
there must be something important/essential about it. Just as
physicists look at an equation and say "That's so simple and elegant
is must be right", I think that causality, as a general principle of
multithreaded semantics, is so simple and elegant that it must be
right.
Bill
-------------------------------
JavaMemoryModel mailing list - http://www.cs.umd.edu/~pugh/java/memoryModel
This archive was generated by hypermail 2b29 : Thu Oct 13 2005 - 07:00:48 EDT