LaCasa: Lightweight Affinity and Object Capabilities in Scala

LaCasa:
Lightweight Aﬃnity and Object
Capabilities in Scala
1
Philipp Haller
Northeastern University, USA
September 29, 2016
KTH Royal Institute of Technology, Sweden

View Slide

Concurrency is Diﬃcult
2

View Slide

Hazards:
• Race conditions
• Deadlocks
• Livelocks
• etc.
2

View Slide

Hazards:
• Race conditions
• Deadlocks
• Livelocks
• etc.
2
Remedies?

View Slide

Hazards:
• Race conditions
• Deadlocks
• Livelocks
• etc.
2
Monitors
Futures, promises
Actors
CSP
Join-calculus
STM
Async/await
Reactive streams
…
Remedies?

View Slide

Concurrency in Scala
• Scala = “Scalable Language”
• cf. Guy Steele. Growing a Language. OOPSLA ’98 keynote
• Concurrency models as libraries
• Reuse of compilers, debuggers, and IDEs
• Flexible extension and adaptation
3

View Slide

Concurrency in Scala
• Scala = “Scalable Language”
• cf. Guy Steele. Growing a Language. OOPSLA ’98 keynote
• Concurrency models as libraries
• Reuse of compilers, debuggers, and IDEs
• Flexible extension and adaptation
3
Do not have to guess the answer to the question:
Which concurrency model is going to “win”?

View Slide

Background
• Authored or co-authored:
• Scala Actors (2006)
• Scala Joins (2008)
• Scala futures/promises (2012)
• FlowPools (2012)
• Scala Async (2013)
• Contributions to Akka, Akka.js projects at Typesafe
4
Haller and Sommers
Artima Press, 2012

View Slide

Background
4
Haller and Sommers
Artima Press, 2012
Production use
at Twitter, The Guardian
and others

View Slide

Background
4
Haller and Sommers
Artima Press, 2012
Production use
and others
Production use
at Morgan Stanley,
Gawker and others

View Slide

Background
4
Haller and Sommers
Artima Press, 2012
Production use
and others
Production use
at Morgan Stanley,
Gawker and others
The programming-models-as-libraries
approach has been successful in Scala!

View Slide

Problem:
Programming-models-as-libraries typically cannot
prevent common concurrency hazards statically!
5

View Slide

Example
Image
data
6

View Slide

Example
Image
data
apply ﬁlter
6

View Slide

Example
Image
data
apply filter
Image processing pipeline:
filter 1 filter 2
6

View Slide

Example
Image
data
apply filter
Image processing pipeline:
filter 1 filter 2
6
Pipeline stages
run concurrently

View Slide

Example: Implementation
7

View Slide

• Assumptions:
• Image data large
• Main memory expensive
7

View Slide

• Assumptions:
• Image data large
• Main memory expensive
• Approach for high performance:
• In-place update of image buﬀers
• Pass mutable buﬀers by-reference
7

View Slide

Example: Problem
Easy to produce data races:
1. Stage 1 sends a reference to a buffer to stage 2
2. Following the send, both stages have a reference
to the same buffer
3. Stages can concurrently access the buffer
8

View Slide

Preventing Data Races
9

View Slide

• Approach: safe transfer of ownership
9

View Slide

• Sending stage loses ownership
9

View Slide

• Compiler prevents sender from accessing objects
that have been transferred
9

View Slide

• Advantages:
9

View Slide

• Advantages:
• No run-time overhead
9

View Slide

• Advantages:
• Safety does not compromise performance
9

View Slide

• Advantages:
• Safety does not compromise performance
• Errors caught at compile time
9

View Slide

Ownership Transfer in Scala
10

View Slide

• Enter LaCasa
10

View Slide

• Enter LaCasa
• LaCasa: Scala extension for aﬃne references
10

View Slide

• Enter LaCasa
• “Transferable” references
10

View Slide

• Enter LaCasa
• “Transferable” references
• At most one owner per transferable reference
10

View Slide

Motivation
11

View Slide

Motivation
• Interesting applications of linearity/aﬃnity/
ownership transfer
11

View Slide

Motivation
ownership transfer
• Data-race safety
11

View Slide

Motivation
ownership transfer
• Safe memory management without GC
11

View Slide

Motivation
ownership transfer
• Session types (with extensions)
11

View Slide

Motivation
ownership transfer
• Scala for embedded real-time systems?
11

View Slide

Motivation
ownership transfer
• Scala for embedded real-time systems?
• No GC/run-time system
11

View Slide

Isn’t it a Solved Problem?
12

View Slide

• Adoption surprisingly challenging
12

View Slide

• Ownership not available in mainstream languages
12

View Slide

• Contender: Rust
12

View Slide

• Contender: Rust
12
What about
existing languages?

View Slide

• Contender: Rust
• Own system [1] inﬂuential, but:
12
[1] Haller and Odersky. Capabilities for uniqueness and borrowing. ECOOP ’10
What about
existing languages?

View Slide

• Contender: Rust
12
[2] Gordon et al. Uniqueness and reference immutability for safe parallelism.
OOPSLA ’12
What about
existing languages?
Inﬂuenced M#
language [2] of Microsoft’s
Midori project

View Slide

• Contender: Rust
• Interaction with type inference unclear
12
OOPSLA ’12
What about
existing languages?
Inﬂuenced M#
Midori project

View Slide

• Contender: Rust
• Interaction with type inference unclear
• Midori project not continued
12
OOPSLA ’12
What about
existing languages?
Inﬂuenced M#
Midori project

View Slide

Aﬃne References in Scala
13

View Slide

• LaCasa provides aﬃne references by
combining two concepts:
13

View Slide

• Access permissions
13

View Slide

• Access permissions
• Encapsulated boxes
13

View Slide

Access Permissions
14

View Slide

Access Permissions
• Access to transferable objects controlled by
implicit permissions
14

View Slide

Access Permissions
CanAccess { type C }
14

View Slide

Access Permissions
• Type member C uniquely identiﬁes box
14

View Slide

Access Permissions
• Type member C uniquely identiﬁes box
Box[T] { type C }
14

View Slide

Matching Boxes and
Permissions
• Type members match permissions and boxes
• Via path-dependent types
• Example:
def method(box: Box[T])
(implicit p: CanAccess { type C = box.C }): Unit
15

View Slide

Creating Boxes and
Permissions
16

View Slide

Creating Boxes and
Permissions
class Message {
var arr: Array[Int] = _
}
16

View Slide

Creating Boxes and
Permissions
mkBox[Message] { packed =>
}
class Message {
}
16

View Slide

Creating Boxes and
Permissions
}
class Message {
}
16
LaCasa
library

View Slide

Creating Boxes and
Permissions
}
class Message {
}
16

View Slide

Creating Boxes and
Permissions
}
class Message {
}
implicit val access = packed.access
val theBox = packed.box
…
16

View Slide

Creating Boxes and
Permissions
}
class Message {
}
sealed trait Packed[+T] {
val box: Box[T]
val access: CanAccess { type C = box.C }
}
…
16

View Slide

Accessing Boxes
• Boxes are encapsulated
• Boxes must be opened for access
17

View Slide

Accessing Boxes
theBox open { msg =>
msg.arr = Array(1, 2, 3, 4)
}
}
17

View Slide

Accessing Boxes
theBox open { msg =>
msg.arr = Array(1, 2, 3, 4)
}
}
Requires implicit
access permission
17

View Slide

Consuming Permissions
Example: transfering a box from one actor to
another consumes its access permission
18

View Slide

…
someActor.send(theBox)
// illegal to access `theBox` here!
}
18

View Slide

…
someActor.send(theBox)
// illegal to access `theBox` here!
}
18
How to
enforce this?

View Slide

Permissions and
Continuations
19

View Slide

Permissions and
Continuations
• Make implicit permission unavailable in
continuation of permission-consuming call
19

View Slide

Permissions and
Continuations
• Scala’s type system is ﬂow-insensitive => use
continuation passing
19

View Slide

Permissions and
Continuations
• Scala’s type system is ﬂow-insensitive => use
continuation passing
• Restrict continuation to exclude consumed
permission
19

View Slide

Continuation-Passing Style
…
someActor.send(theBox) {
// make `access` unavailable
…
}
}
20

View Slide

Restricting Continuations
• Continuation disallows capturing variables of
the type of access
• Leverage spores
21

View Slide

Restricting Continuations
• Continuation disallows capturing variables of
the type of access
• Leverage spores
def send(msg: Box[T])
(cont: NullarySpore[Unit] {
type Excluded = msg.C
})
(implicit p: CanAccess { type C = msg.C }): Nothing
21

View Slide

Intermezzo: Spores
Spore [3] = closure
• with explicit environment
• with function type reﬁned by captured types
val msg = "hello"
val num = 5
spore {
val s = msg
val x = num
(p: Int) =>
s”Captured vars and param: $s, $x, $p”
}
22
[3] Miller, Haller and Odersky. Spores: a type-based foundation for closures
in the age of concurrency and distribution. ECOOP ’14

View Slide

Intermezzo: Spores
Spore [3] = closure
• with explicit environment
• with function type reﬁned by captured types
val msg = "hello"
val num = 5
spore {
val s = msg
val x = num
(p: Int) =>
s”Captured vars and param: $s, $x, $p”
}
Spore[Int, String] {
type Captured = (String, Int)
}
22
[3] Miller, Haller and Odersky. Spores: a type-based foundation for closures
in the age of concurrency and distribution. ECOOP ’14

View Slide

Spore Trait
trait Spore[-T, +R] extends Function1[T, R] {
type Captured
type Excluded
}
23

View Slide

Implicit Conversions
• Goal: 
Implicitly convert function literals to spores
• Enables more lightweight syntax
• Enables checking excluded types
• Example:
24
type SafeSpore[A, B] = Spore[A, B] {
type Excluded = SomeExcludedType
}
val s: SafeSpore[A, B] = (x: A) => { … }

View Slide

Recall Example
…
someActor.send(theBox) {
// `access` unavailable
…
}
}
25

View Slide

Encapsulation
Problem: not all types safe to transfer!
26

View Slide

Encapsulation
Problem: not all types safe to transfer!
26
class Message {
def leak(): Unit = {
SomeObject.fld = arr
}
}
object SomeObject {
var fld: Array[Int] = _
}

View Slide

Encapsulation
• Ensuring absence of data races (“concurrency
safety”) requires restricting types put into boxes
• Requirements for “safe” classes:*
• Methods only access parameters and this
• Methods only instantiate “safe” classes
• Types of ﬁelds are “safe”
27
* simpliﬁed

View Slide

Encapsulation
27
“Safe” = conforms to object capability model [3]
* simpliﬁed

View Slide

Encapsulation
27
“Safe” = conforms to object capability model [3]
* simpliﬁed
[3] Mark S. Miller. Robust Composition: Towards a Uniﬁed Approach to
Access Control and Concurrency Control. PhD dissertation, 2006

View Slide

Object Capabilities in Scala
• How common are object-capability safe classes
in Scala?
• Results from empirical study:
28

View Slide

LaCasa: Summary
• Encapsulated boxes
• Alias protection via object capability model
• Reusing a class requires only a single bit of information
• Access permissions via implicits + path-dependent types
• Can statically prevent data races
• Sound integration with Scala’s local type inference
• Not shown: unique ﬁelds
29

View Slide

LaCasa: Lightweight Affinity and Object Capabilities in Scala

LaCasa: Lightweight Affinity and Object Capabilities in Scala

Philipp Haller

More Decks by Philipp Haller

Featured

Transcript