Test di codice multi-thread in Java

1. Introduzione

In questo tutorial, tratteremo alcune delle basi per testare un programma concorrente. Ci concentreremo principalmente sulla concorrenza basata su thread e sui problemi che presenta durante i test.

Capiremo anche come possiamo risolvere alcuni di questi problemi e testare efficacemente il codice multi-thread in Java.

2. Programmazione simultanea

La programmazione concorrente si riferisce alla programmazione in cui suddividiamo un grande pezzo di calcolo in calcoli più piccoli e relativamente indipendenti .

Lo scopo di questo esercizio è di eseguire questi calcoli più piccoli contemporaneamente, possibilmente anche in parallelo. Sebbene ci siano diversi modi per ottenere questo risultato, l'obiettivo è sempre quello di eseguire il programma più velocemente.

2.1. Thread e programmazione concorrente

Con i processori che racchiudono più core che mai, la programmazione simultanea è in prima linea per sfruttarli in modo efficiente. Tuttavia, resta il fatto che i programmi simultanei sono molto più difficili da progettare, scrivere, testare e mantenere . Quindi, se possiamo, dopotutto, scrivere casi di test efficaci e automatizzati per programmi concorrenti, possiamo risolvere una buona parte di questi problemi.

Allora, cosa rende così difficile scrivere test per codice simultaneo? Per capirlo, dobbiamo capire come otteniamo la concorrenza nei nostri programmi. Una delle tecniche di programmazione simultanea più popolari prevede l'utilizzo di thread.

Ora, i thread possono essere nativi, nel qual caso vengono pianificati dai sistemi operativi sottostanti. Possiamo anche usare i cosiddetti thread verdi, pianificati direttamente da un runtime.

2.2. Difficoltà nel testare programmi concorrenti

Indipendentemente dal tipo di thread che utilizziamo, ciò che li rende difficili da usare è la comunicazione con i thread. Se riusciamo davvero a scrivere un programma che coinvolge thread ma nessuna comunicazione tra thread, non c'è niente di meglio! Più realisticamente, i thread di solito dovranno comunicare. Ci sono due modi per ottenere questo risultato: memoria condivisa e trasmissione di messaggi.

La maggior parte del problema associato alla programmazione concorrente deriva dall'utilizzo di thread nativi con memoria condivisa . Testare tali programmi è difficile per gli stessi motivi. Più thread con accesso alla memoria condivisa generalmente richiedono l'esclusione reciproca. In genere otteniamo questo risultato attraverso un meccanismo di protezione che utilizza blocchi.

Ma questo può ancora portare a una serie di problemi come race condition, live lock, deadlock e thread starvation, per citarne alcuni. Inoltre, questi problemi sono intermittenti, poiché la pianificazione dei thread nel caso di thread nativi è completamente non deterministica.

Quindi, scrivere test efficaci per programmi concorrenti in grado di rilevare questi problemi in modo deterministico è davvero una sfida!

2.3. Anatomia dell'interleaving dei fili

Sappiamo che i thread nativi possono essere pianificati dai sistemi operativi in ​​modo imprevedibile. Nel caso in cui questi thread accedano e modificano i dati condivisi, dà luogo a un interessante interleaving dei thread . Mentre alcuni di questi intrecci possono essere completamente accettabili, altri possono lasciare i dati finali in uno stato indesiderabile.

Facciamo un esempio. Supponiamo di avere un contatore globale che viene incrementato da ogni thread. Alla fine dell'elaborazione, vorremmo che lo stato di questo contatore fosse esattamente lo stesso del numero di thread che sono stati eseguiti:

private int counter; public void increment() { counter++; }

Ora, incrementare un numero intero primitivo in Java non è un'operazione atomica . Consiste nel leggere il valore, aumentarlo e infine salvarlo. Sebbene più thread stiano eseguendo la stessa operazione, potrebbe dare origine a molti possibili intrecci:

Mentre questo particolare interleaving produce risultati completamente accettabili, che ne dici di questo:

Questo non è quello che ci aspettavamo. Ora, immagina centinaia di thread che eseguono codice molto più complesso di questo. Ciò darà origine a modi inimmaginabili in cui i fili si alterneranno.

Esistono diversi modi per scrivere codice che eviti questo problema, ma non è questo l'argomento di questo tutorial. La sincronizzazione tramite lucchetto è una di quelle comuni, ma ha i suoi problemi legati alle condizioni di gara.

3. Test del codice multi-thread

Ora che abbiamo compreso le sfide di base nel testare il codice multi-thread, vedremo come superarle. Creeremo un semplice caso d'uso e proveremo a simulare il maggior numero possibile di problemi relativi alla concorrenza.

Cominciamo definendo una semplice classe che tiene il conteggio di qualsiasi cosa:

public class MyCounter { private int count; public void increment() { int temp = count; count = temp + 1; } // Getter for count }

Questo è un pezzo di codice apparentemente innocuo, ma non è difficile capire che non è thread-safe . Se ci capita di scrivere un programma simultaneo con questa classe, è destinato ad essere difettoso. Lo scopo del test qui è identificare tali difetti.

3.1. Test di parti non concorrenti

Come regola generale, è sempre consigliabile testare il codice isolandolo da qualsiasi comportamento concorrente . Questo per accertare ragionevolmente che non ci siano altri difetti nel codice che non siano correlati alla concorrenza. Vediamo come possiamo farlo:

@Test public void testCounter() { MyCounter counter = new MyCounter(); for (int i = 0; i < 500; i++) { counter.increment(); } assertEquals(500, counter.getCount()); }

Anche se non c'è molto da fare qui, questo test ci dà la certezza che funzioni almeno in assenza di concorrenza.

3.2. Primo tentativo di test con concorrenza

Passiamo a testare di nuovo lo stesso codice, questa volta in una configurazione simultanea. Proveremo ad accedere alla stessa istanza di questa classe con più thread e vedremo come si comporta:

@Test public void testCounterWithConcurrency() throws InterruptedException { int numberOfThreads = 10; ExecutorService service = Executors.newFixedThreadPool(10); CountDownLatch latch = new CountDownLatch(numberOfThreads); MyCounter counter = new MyCounter(); for (int i = 0; i  { counter.increment(); latch.countDown(); }); } latch.await(); assertEquals(numberOfThreads, counter.getCount()); }

This test is reasonable, as we're trying to operate on shared data with several threads. As we keep the number of threads low, like 10, we will notice that it passes almost all the time. Interestingly, if we start increasing the number of threads, say to 100, we will see that the test starts to fail most of the time.

3.3. A Better Attempt at Testing With Concurrency

While the previous test did reveal that our code isn't thread-safe, there's a problem with this teat. This test isn't deterministic because the underlying threads interleave in a non-deterministic manner. We really can't rely on this test for our program.

What we need is a way to control the interleaving of threads so that we can reveal concurrency issues in a deterministic manner with much fewer threads. We'll begin by tweaking the code we are testing a little bit:

public synchronized void increment() throws InterruptedException { int temp = count; wait(100); count = temp + 1; }

Here, we've made the method synchronized and introduced a wait between the two steps within the method. The synchronized keyword ensures that only one thread can modify the count variable at a time, and the wait introduces a delay between each thread execution.

Please note that we don't necessarily have to modify the code we intend to test. However, since there aren't many ways we can affect thread scheduling, we're resorting to this.

In a later section, we'll see how we can do this without altering the code.

Now, let's similarly test this code as we did earlier:

@Test public void testSummationWithConcurrency() throws InterruptedException { int numberOfThreads = 2; ExecutorService service = Executors.newFixedThreadPool(10); CountDownLatch latch = new CountDownLatch(numberOfThreads); MyCounter counter = new MyCounter(); for (int i = 0; i  { try { counter.increment(); } catch (InterruptedException e) { // Handle exception } latch.countDown(); }); } latch.await(); assertEquals(numberOfThreads, counter.getCount()); }

Here, we're running this just with just two threads, and the chances are that we'll be able to get the defect we've been missing. What we've done here is to try achieving a specific thread interleaving, which we know can affect us. While good for the demonstration, we may not find this useful for practical purposes.

4. Testing Tools Available

As the number of threads grows, the possible number of ways they may interleave grows exponentially. It's just not possible to figure out all such interleavings and test for them. We have to rely on tools to undertake the same or similar effort for us. Fortunately, there are a couple of them available to make our lives easier.

There are two broad categories of tools available to us for testing concurrent code. The first enables us to produce reasonably high stress on the concurrent code with many threads. Stress increases the likelihood of rare interleaving and, thus, increases our chances of finding defects.

The second enables us to simulate specific thread interleaving, thereby helping us find defects with more certainty.

4.1. tempus-fugit

The tempus-fugit Java library helps us to write and test concurrent code with ease. We'll just focus on the test part of this library here. We saw earlier that producing stress on code with multiple threads increases the chances of finding defects related to concurrency.

While we can write utilities to produce the stress ourselves, tempus-fugit provides convenient ways to achieve the same.

Let's revisit the same code we tried to produce stress for earlier and understand how can we achieve the same using tempus-fugit:

public class MyCounterTests { @Rule public ConcurrentRule concurrently = new ConcurrentRule(); @Rule public RepeatingRule rule = new RepeatingRule(); private static MyCounter counter = new MyCounter(); @Test @Concurrent(count = 10) @Repeating(repetition = 10) public void runsMultipleTimes() { counter.increment(); } @AfterClass public static void annotatedTestRunsMultipleTimes() throws InterruptedException { assertEquals(counter.getCount(), 100); } }

Here, we are using two of the Rules available to us from tempus-fugit. These rules intercept the tests and help us apply the desired behaviors, like repetition and concurrency. So, effectively, we are repeating the operation under test ten times each from ten different threads.

As we increase the repetition and concurrency, our chances of detecting defects related to concurrency will increase.

4.2. Thread Weaver

Thread Weaver is essentially a Java framework for testing multi-threaded code. We've seen previously that thread interleaving is quite unpredictable, and hence, we may never find certain defects through regular tests. What we effectively need is a way to control the interleaves and test all possible interleaving. This has proven to be quite a complex task in our previous attempt.

Let's see how Thread Weaver can help us here. Thread Weaver allows us to interleave the execution of two separate threads in a large number of ways, without having to worry about how. It also gives us the possibility of having fine-grained control over how we want the threads to interleave.

Let's see how can we improve upon our previous, naive attempt:

public class MyCounterTests { private MyCounter counter; @ThreadedBefore public void before() { counter = new MyCounter(); } @ThreadedMain public void mainThread() { counter.increment(); } @ThreadedSecondary public void secondThread() { counter.increment(); } @ThreadedAfter public void after() { assertEquals(2, counter.getCount()); } @Test public void testCounter() { new AnnotatedTestRunner().runTests(this.getClass(), MyCounter.class); } }

Here, we've defined two threads that try to increment our counter. Thread Weaver will try to run this test with these threads in all possible interleaving scenarios. Possibly in one of the interleaves, we will get the defect, which is quite obvious in our code.

4.3. MultithreadedTC

MultithreadedTC is yet another framework for testing concurrent applications. It features a metronome that is used to provide fine control over the sequence of activities in multiple threads. It supports test cases that exercise a specific interleaving of threads. Hence, we should ideally be able to test every significant interleaving in a separate thread deterministically.

Now, a complete introduction to this feature-rich library is beyond the scope of this tutorial. But, we can certainly see how to quickly set up tests that provide us the possible interleavings between executing threads.

Let's see how can we test our code more deterministically with MultithreadedTC:

public class MyTests extends MultithreadedTestCase { private MyCounter counter; @Override public void initialize() { counter = new MyCounter(); } public void thread1() throws InterruptedException { counter.increment(); } public void thread2() throws InterruptedException { counter.increment(); } @Override public void finish() { assertEquals(2, counter.getCount()); } @Test public void testCounter() throws Throwable { TestFramework.runManyTimes(new MyTests(), 1000); } }

Here, we are setting up two threads to operate on the shared counter and increment it. We've configured MultithreadedTC to execute this test with these threads for up to a thousand different interleavings until it detects one which fails.

4.4. Java jcstress

OpenJDK maintains Code Tool Project to provide developer tools for working on the OpenJDK projects. There are several useful tools under this project, including the Java Concurrency Stress Tests (jcstress). This is being developed as an experimental harness and suite of tests to investigate the correctness of concurrency support in Java.

Although this is an experimental tool, we can still leverage this to analyze concurrent code and write tests to fund defects related to it. Let's see how we can test the code that we've been using so far in this tutorial. The concept is pretty similar from a usage perspective:

@JCStressTest @Outcome(id = "1", expect = ACCEPTABLE_INTERESTING, desc = "One update lost.") @Outcome(id = "2", expect = ACCEPTABLE, desc = "Both updates.") @State public class MyCounterTests { private MyCounter counter; @Actor public void actor1() { counter.increment(); } @Actor public void actor2() { counter.increment(); } @Arbiter public void arbiter(I_Result r) { r.r1 = counter.getCount(); } }

Here, we've marked the class with an annotation State, which indicates that it holds data that is mutated by multiple threads. Also, we're using an annotation Actor, which marks the methods that hold the actions done by different threads.

Finally, we have a method marked with an annotation Arbiter, which essentially only visits the state once all Actors have visited it. We have also used annotation Outcome to define our expectations.

Overall, the setup is quite simple and intuitive to follow. We can run this using a test harness, given by the framework, that finds all classes annotated with JCStressTest and executes them in several iterations to obtain all possible interleavings.

5. Other Ways to Detect Concurrency Issues

Writing tests for concurrent code is difficult but possible. We've seen the challenges and some of the popular ways to overcome them. However, we may not be able to identify all possible concurrency issues through tests alone — especially when the incremental costs of writing more tests start to outweigh their benefits.

Hence, together with a reasonable number of automated tests, we can employ other techniques to identify concurrency issues. This will boost our chances of finding concurrency issues without getting too much deeper into the complexity of automated tests. We'll cover some of these in this section.

5.1. Static Analysis

Static analysis refers to the analysis of a program without actually executing it. Now, what good can such an analysis do? We will come to that, but let's first understand how it contrasts with dynamic analysis. The unit tests we've written so far need to be run with actual execution of the program they test. This is the reason they are part of what we largely refer to as dynamic analysis.

Please note that static analysis is in no way any replacement for dynamic analysis. However, it provides an invaluable tool to examine the code structure and identify possible defects long before we even execute the code. The static analysis makes use of a host of templates that are curated with experience and understanding.

While it's quite possible to just look through the code and compare against the best practices and rules we've curated, we must admit that it's not plausible for larger programs. There are, however, several tools available to perform this analysis for us. They are fairly mature, with a vast chest of rules for most of the popular programming languages.

A prevalent static analysis tool for Java is FindBugs. FindBugs looks for instances of “bug patterns”. A bug pattern is a code idiom that is quite often an error. This may arise due to several reasons like difficult language features, misunderstood methods, and misunderstood invariants.

FindBugs inspects the Java bytecode for occurrences of bug patterns without actually executing the bytecode. This is quite convenient to use and fast to run. FindBugs reports bugs belonging to many categories like conditions, design, and duplicated code.

It also includes defects related to concurrency. It must, however, be noted that FindBugs can report false positives. These are fewer in practice but must be correlated with manual analysis.

5.2. Model Checking

Model Checking is a method of checking whether a finite-state model of a system meets a given specification. Now, this definition may sound too academic, but bear with it for a while!

We can typically represent a computational problem as a finite-state machine. Although this is a vast area in itself, it gives us a model with a finite set of states and rules of transition between them with clearly defined start and end states.

Now, the specification defines how a model should behave for it to be considered as correct. Essentially, this specification holds all the requirements of the system that the model represents. One of the ways to capture specifications is using the temporal logic formula, developed by Amir Pnueli.

While it's logically possible to perform model checking manually, it's quite impractical. Fortunately, there are many tools available to help us here. One such tool available for Java is Java PathFinder (JPF). JPF was developed with years of experience and research at NASA.

Specifically, JPF is a model checker for Java bytecode. It runs a program in all possible ways, thereby checking for property violations like deadlock and unhandled exceptions along all possible execution paths. It can, therefore, prove to be quite useful in finding defects related to concurrency in any program.

6. Afterthoughts

By now, it shouldn't be a surprise to us that it's best to avoid complexities related to multi-threaded code as much as possible. Developing programs with simpler designs, which are easier to test and maintain, should be our prime objective. We have to agree that concurrent programming is often necessary for modern-day applications.

However, we can adopt several best practices and principles while developing concurrent programs that can make our life easier. In this section, we will go through some of these best practices, but we should keep in mind that this list is far from complete!

6.1. Reduce Complexity

Complexity is a factor that can make testing a program difficult even without any concurrent elements. This just compounds in the face of concurrency. It's not difficult to understand why simpler and smaller programs are easier to reason about and, hence, to test effectively. There are several best patterns that can help us here, like SRP (Single Responsibility Pattern) and KISS (Keep It Stupid Simple), to just name a few.

Now, while these do not address the issue of writing tests for concurrent code directly, they make the job easier to attempt.

6.2. Consider Atomic Operations

Atomic operations are operations that run completely independently of each other. Hence, the difficulties of predicting and testing interleaving can be simply avoided. Compare-and-swap is one such widely-used atomic instruction. Simply put, it compares the contents of a memory location with a given value and, only if they are the same, modifies the contents of that memory location.

Most modern microprocessors offer some variant of this instruction. Java offers a range of atomic classes like AtomicInteger and AtomicBoolean, offering the benefits of compare-and-swap instructions underneath.

6.3. Embrace Immutability

In multi-threaded programming, shared data that can be altered always leaves room for errors. Immutability refers to the condition where a data structure cannot be modified after instantiation. This is a match made in heaven for concurrent programs. If the state of an object can't be altered after its creation, competing threads do not have to apply for mutual exclusion on them. This greatly simplifies writing and testing concurrent programs.

However, please note that we may not always have the liberty to choose immutability, but we must opt for it when it's possible.

6.4. Avoid Shared Memory

Most of the issues related to multi-threaded programming can be attributed to the fact that we have shared memory between competing threads. What if we could just get rid of them! Well, we still need some mechanism for threads to communicate.

There are alternate design patterns for concurrent applications that offer us this possibility. One of the popular ones is the Actor Model, which prescribes the actor as the basic unit of concurrency. In this model, actors interact with each other by sending messages.

Akka is a framework written in Scala that leverages the Actor Model to offer better concurrency primitives.

7. Conclusion

In questo tutorial, abbiamo coperto alcune delle nozioni di base relative alla programmazione concorrente. Abbiamo discusso in dettaglio la concorrenza multi-thread in Java. Abbiamo affrontato le sfide che ci presenta durante il test di tale codice, soprattutto con i dati condivisi. Inoltre, abbiamo esaminato alcuni degli strumenti e delle tecniche disponibili per testare il codice concorrente.

Abbiamo anche discusso di altri modi per evitare problemi di concorrenza, inclusi strumenti e tecniche oltre ai test automatizzati. Infine, abbiamo esaminato alcune delle migliori pratiche di programmazione relative alla programmazione concorrente.

Il codice sorgente di questo articolo può essere trovato su GitHub.