Strict MVars with invariant checking

Author: jorisdral

.github/workflows/cabal.project.local

@@ -8,7 +8,7 @@ package io-classes
 
 package strict-mvar
   ghc-options: -Werror
-  flags: +asserts
+  flags: +asserts +checkmvarinvariant
 
 package strict-stm
   ghc-options: -Werror

.github/workflows/haskell.yml

@@ -127,6 +127,9 @@ jobs:
     - name: si-timers [test]
       run: cabal run si-timers:test
 
+    - name: strict-mvar [test]
+      run: cabal run strict-mvar:test
+
   stylish-haskell:
     runs-on: ubuntu-22.04
 

strict-mvar/src/Control/Concurrent/Class/MonadMVar/Strict/Checked.hs

@@ -0,0 +1,188 @@
+{-# LANGUAGE BangPatterns  #-}
+{-# LANGUAGE CPP           #-}
+{-# LANGUAGE TupleSections #-}
+{-# LANGUAGE TypeFamilies  #-}
+{-# LANGUAGE TypeOperators #-}
+
+-- | This module corresponds to 'Control.Concurrent.MVar' in "base" package
+--
+module Control.Concurrent.Class.MonadMVar.Strict.Checked
+  ( -- * StrictMVar
+    StrictMVar
+  , castStrictMVar
+  , toLazyMVar
+  , fromLazyMVar
+  , newEmptyMVar
+  , newEmptyMVarWithInvariant
+  , newMVar
+  , newMVarWithInvariant
+  , takeMVar
+  , putMVar
+  , readMVar
+  , swapMVar
+  , tryTakeMVar
+  , tryPutMVar
+  , isEmptyMVar
+  , withMVar
+  , withMVarMasked
+  , modifyMVar_
+  , modifyMVar
+  , modifyMVarMasked_
+  , modifyMVarMasked
+  , tryReadMVar
+    -- * Re-exports
+  , MonadMVar
+  ) where
+
+import           Control.Concurrent.Class.MonadMVar (MonadMVar)
+import qualified Control.Concurrent.Class.MonadMVar as Lazy
+import           GHC.Stack (HasCallStack)
+
+--
+-- StrictMVar
+--
+
+type LazyMVar m = Lazy.MVar m
+
+-- | A strict MVar with invariant checking.
+--
+-- There is a weaker invariant for a 'StrictMVar' than for a 'StrictTVar' (see
+-- the @strict-stm@ package): although all functions that modify the
+-- 'StrictMVar' check the invariant, we do /not/ guarantee that the value inside
+-- the 'StrictMVar' always satisfies the invariant. Instead, we /do/ guarantee
+-- that if the 'StrictMVar' is updated with a value that does not satisfy the
+-- invariant, an exception is thrown. The reason for this weaker guarantee is
+-- that leaving an 'MVar' empty can lead to very hard to debug "blocked
+-- indefinitely" problems.
+data StrictMVar m a = StrictMVar {
+    -- | The invariant that is checked whenever the 'StrictMVar' is updated.
+    invariant :: !(a -> Maybe String)
+  , mvar      :: !(LazyMVar m a)
+  }
+
+castStrictMVar :: LazyMVar m ~ LazyMVar n
+               => StrictMVar m a -> StrictMVar n a
+castStrictMVar v = StrictMVar (invariant v) (mvar v)
+
+-- | Get the underlying @MVar@
+--
+-- Since we obviously can not guarantee that updates to this 'LazyMVar' will be
+-- strict, this should be used with caution.
+--
+-- Similarly, we can not guarantee that updates to this 'LazyMVar' do not break
+-- the original invariant that the 'StrictMVar' held.
+toLazyMVar :: StrictMVar m a -> LazyMVar m a
+toLazyMVar = mvar
+
+-- | Create a 'StrictMVar' from a 'LazyMVar'
+--
+-- It is not guaranteed that the 'LazyMVar' contains a value that is in WHNF, so
+-- there is no guarantee that the resulting 'StrictMVar' contains a value that
+-- is in WHNF. This should be used with caution.
+--
+-- The resulting 'StrictMVar' has a trivial invariant.
+fromLazyMVar :: Lazy.MVar m a -> StrictMVar m a
+fromLazyMVar = StrictMVar (const Nothing)
+
+newEmptyMVar :: MonadMVar m => m (StrictMVar m a)
+newEmptyMVar = fromLazyMVar <$> Lazy.newEmptyMVar
+
+newEmptyMVarWithInvariant ::
+     MonadMVar m
+  => (a -> Maybe String) -> m (StrictMVar m a)
+newEmptyMVarWithInvariant inv = StrictMVar inv <$> Lazy.newEmptyMVar
+
+newMVar :: MonadMVar m => a -> m (StrictMVar m a)
+newMVar !a = fromLazyMVar <$> Lazy.newMVar a
+
+newMVarWithInvariant ::
+     MonadMVar m
+  => (a -> Maybe String) -> a -> m (StrictMVar m a)
+newMVarWithInvariant inv !a =
+  checkInvariant (inv a) $
+  StrictMVar inv <$> Lazy.newMVar a
+
+takeMVar :: MonadMVar m => StrictMVar m a -> m a
+takeMVar = Lazy.takeMVar . mvar
+
+putMVar :: MonadMVar m => StrictMVar m a -> a -> m ()
+putMVar v !a = do
+  Lazy.putMVar (mvar v) a
+  checkInvariant (invariant v a) $ pure ()
+
+readMVar :: MonadMVar m => StrictMVar m a -> m a
+readMVar v = Lazy.readMVar (mvar v)
+
+swapMVar :: MonadMVar m => StrictMVar m a -> a -> m a
+swapMVar v !a = do
+  oldValue <- Lazy.swapMVar (mvar v) a
+  checkInvariant (invariant v a) $ pure oldValue
+
+tryTakeMVar :: MonadMVar m => StrictMVar m a -> m (Maybe a)
+tryTakeMVar v = Lazy.tryTakeMVar (mvar v)
+
+tryPutMVar :: MonadMVar m => StrictMVar m a -> a -> m Bool
+tryPutMVar v !a = do
+  didPut <- Lazy.tryPutMVar (mvar v) a
+  checkInvariant (invariant v a) $ pure didPut
+
+isEmptyMVar :: MonadMVar m => StrictMVar m a -> m Bool
+isEmptyMVar v = Lazy.isEmptyMVar (mvar v)
+
+withMVar :: MonadMVar m => StrictMVar m a -> (a -> m b) -> m b
+withMVar v = Lazy.withMVar (mvar v)
+
+withMVarMasked :: MonadMVar m => StrictMVar m a -> (a -> m b) -> m b
+withMVarMasked v = Lazy.withMVarMasked (mvar v)
+
+-- | 'modifyMVar_' is defined in terms of 'modifyMVar'.
+modifyMVar_ :: MonadMVar m => StrictMVar m a -> (a -> m a) -> m ()
+modifyMVar_ v io = modifyMVar v io'
+  where io' a = (,()) <$> io a
+
+modifyMVar :: MonadMVar m => StrictMVar m a -> (a -> m (a,b)) -> m b
+modifyMVar v io = do
+    (a', b) <- Lazy.modifyMVar (mvar v) io'
+    checkInvariant (invariant v a') $ pure b
+  where
+    io' a = do
+      (!a', b) <- io a
+      -- Returning @a'@ along with @b@ allows us to check the invariant /after/
+      -- filling in the MVar.
+      pure (a' , (a', b))
+
+-- | 'modifyMVarMasked_' is defined in terms of 'modifyMVarMasked'.
+modifyMVarMasked_ :: MonadMVar m => StrictMVar m a -> (a -> m a) -> m ()
+modifyMVarMasked_ v io = modifyMVar v io'
+  where io' a = (,()) <$> io a
+
+modifyMVarMasked :: MonadMVar m => StrictMVar m a -> (a -> m (a,b)) -> m b
+modifyMVarMasked v io = do
+    (a', b) <- Lazy.modifyMVar (mvar v) io'
+    checkInvariant (invariant v a') $ pure b
+  where
+    io' a = do
+      (!a', b) <- io a
+      -- Returning @a'@ along with @b@ allows us to check the invariant /after/
+      -- filling in the MVar.
+      pure (a', (a', b))
+
+tryReadMVar :: MonadMVar m => StrictMVar m a -> m (Maybe a)
+tryReadMVar v = Lazy.tryReadMVar (mvar v)
+
+--
+-- Dealing with invariants
+--
+
+-- | Check invariant (if enabled)
+--
+-- @checkInvariant mErr x@ is equal to @x@ if @mErr == Nothing@, and throws an
+-- error @err@ if @mErr == Just err@.
+checkInvariant :: HasCallStack => Maybe String -> a -> a
+
+#if CHECK_MVAR_INVARIANT
+checkInvariant Nothing    k = k
+checkInvariant (Just err) _ = error $ "Invariant violation: " ++ err
+#else
+checkInvariant _err       k = k
+#endif

strict-mvar/strict-mvar.cabal

@@ -24,6 +24,11 @@ source-repository head
   location: https://github.com/input-output-hk/io-sim
   subdir:   strict-mvar
 
+flag checkmvarinvariant
+  Description: Enable runtime invariant checks on StrictMVar
+  Manual: True
+  Default: False
+
 flag asserts
   description: Enable assertions
   manual:      False
@@ -33,6 +38,7 @@ library
   hs-source-dirs:      src
 
   exposed-modules:     Control.Concurrent.Class.MonadMVar.Strict
+                     , Control.Concurrent.Class.MonadMVar.Strict.Checked
   default-language:    Haskell2010
   build-depends:       base        >= 4.9 && <4.19,
                        io-classes  >= 1.0 && <1.2
@@ -46,3 +52,28 @@ library
 
   if flag(asserts)
     ghc-options: -fno-ignore-asserts
+
+  if flag(checkmvarinvariant)
+    cpp-options: -DCHECK_MVAR_INVARIANT
+
+test-suite test
+  type:                exitcode-stdio-1.0
+  hs-source-dirs:      test
+  main-is:             Main.hs
+
+  other-modules:       Test.Control.Concurrent.Class.MonadMVar.Strict.Checked
+  default-language:    Haskell2010
+  build-depends:       base >=4.9 && <4.18,
+                       QuickCheck,
+                       tasty,
+                       tasty-quickcheck,
+                       strict-mvar,
+
+  ghc-options:         -Wall
+                       -Wno-unticked-promoted-constructors
+                       -Wcompat
+                       -Wincomplete-uni-patterns
+                       -Wincomplete-record-updates
+                       -Wpartial-fields
+                       -Widentities
+                       -fno-ignore-asserts

strict-mvar/test/Main.hs

@@ -0,0 +1,22 @@
+module Main where
+
+import qualified Test.Control.Concurrent.Class.MonadMVar.Strict.Checked as Checked
+import           Test.Tasty
+
+main :: IO ()
+main = defaultMain $
+    testGroup "Test" [
+        testGroup "Control" [
+            testGroup "Concurrent" [
+                testGroup "Class" [
+                    testGroup "MonadMVar" [
+                        testGroup "Strict" [
+                            testGroup "Checked" [
+                                Checked.tests
+                              ]
+                          ]
+                      ]
+                  ]
+              ]
+          ]
+      ]

strict-mvar/test/Test/Control/Concurrent/Class/MonadMVar/Strict/Checked.hs

@@ -0,0 +1,32 @@
+-- | Tests in this module depend on the @+checkmvarinvariant@ flag being
+-- enabled.
+module Test.Control.Concurrent.Class.MonadMVar.Strict.Checked where
+
+import           Control.Concurrent.Class.MonadMVar.Strict.Checked
+import           Test.QuickCheck.Monadic
+import           Test.Tasty
+import           Test.Tasty.QuickCheck
+
+tests :: TestTree
+tests = testGroup "Checked" [
+    testProperty "prop_invariantShouldFail" prop_invariantShouldFail
+  , testProperty "prop_invariantShouldNotFail" prop_invariantShouldNotFail
+  ]
+
+-- | Invariant that checks whether an @Int@ is positive.
+invPositiveInt :: Int -> Maybe String
+invPositiveInt x
+  | x >= 0    = Nothing
+  | otherwise = Just $ "x<0 for x=" <> show x
+
+prop_invariantShouldFail :: Property
+prop_invariantShouldFail = once $ expectFailure $ monadicIO $ run $ do
+    v <- newMVarWithInvariant invPositiveInt 0
+    modifyMVar_ v (\x -> pure $ x - 1)
+    pure ()
+
+prop_invariantShouldNotFail :: Property
+prop_invariantShouldNotFail = monadicIO $ run $ do
+    v <- newMVarWithInvariant invPositiveInt 0
+    modifyMVar_ v (\x -> pure $ x + 1)
+    pure ()