LaCasa: Lightweight Affinity and Object Capabilities in Scala

LaCasa:
Lightweight Aﬃnity and Object
Capabilities in Scala
1
Philipp Haller1 and Alex Loiko2*
OOPSLA 2016
Amsterdam, Netherlands
November 2nd, 2016
1 KTH Royal Institute of Technology, Sweden
2 Google Stockholm, Sweden
* Work done while at KTH

View Slide

Context: Concurrent
Programming in Scala
• Scala = “Scalable Language”
• cf. Guy Steele. Growing a Language. OOPSLA ’98 keynote
• Concurrency models as libraries
• Flexible extension and adaptation
• Reuse of compilers, debuggers, and IDEs
2

View Slide

Context: Concurrent
Programming in Scala
• Scala = “Scalable Language”
• cf. Guy Steele. Growing a Language. OOPSLA ’98 keynote
• Concurrency models as libraries
• Flexible extension and adaptation
• Reuse of compilers, debuggers, and IDEs
2
Do not have to guess the answer to the question:
Which concurrency model is going to “win”?

View Slide

Background
• Authored or co-authored:
• Scala Actors (2006)
• Scala Joins (2008)
• Scala futures (2012)
• FlowPools (2012)
• Scala Async (2013)
• Contributions to Akka, Akka.js projects at Typesafe
3
Haller and Sommers
Artima Press, 2012

View Slide

Background
3
Haller and Sommers
Artima Press, 2012
Production use
at Twitter, The Guardian
and others

View Slide

Background
3
Haller and Sommers
Artima Press, 2012
Production use
and others
Production use at
LinkedIn, The Hufﬁngton Post
and others

View Slide

Background
3
Haller and Sommers
Artima Press, 2012
Production use
and others
Production use
at Morgan Stanley,
Gawker and others
Production use at
and others

View Slide

Background
3
Haller and Sommers
Artima Press, 2012
Production use
and others
Production use
at Morgan Stanley,
Gawker and others
Production use at
and others
The programming-models-as-libraries
approach has been successful in Scala!

View Slide

Problem
• Problem:
Scala cannot ensure concurrency safety for
library-based concurrency abstractions
• This also applies to Java, C++, and most other
widely-used programming languages
4

View Slide

Goal
5

View Slide

Goal
Static prevention of data races
5

View Slide

Goal
• using a lightweight type system
5

View Slide

Goal
• that minimizes the eﬀort to reuse existing code
5

View Slide

Goal
Focus:
5

View Slide

Goal
Focus:
• Existing, full-featured languages like Scala
5

View Slide

Goal
Focus:
• Existing, full-featured languages like Scala
5
In contrast to new
language designs like Rust

View Slide

Isn’t it a Solved Problem?
6

View Slide

• A lot of progress in type systems for safe concurrency
(linear and aﬃne types, static capabilities, uniqueness
types, ownership types, region inference, etc.)
6

View Slide

• Challenges:
6

View Slide

• Challenges:
• Sound integration with advanced type system
features
6

View Slide

• Challenges:
features
6
Example: local type
inference

View Slide

• Challenges:
features
• Adoption on large scale
6
Example: local type
inference

View Slide

• Challenges:
features
• Adoption on large scale
• Key: reuse of existing code
6
Example: local type
inference

View Slide

Example
Image
data
7

View Slide

Example
Image
data
apply ﬁlter
7

View Slide

Example
Image
data
apply filter
Image processing pipeline:
filter 1 filter 2
7

View Slide

Example
Image
data
apply filter
Image processing pipeline:
filter 1 filter 2
7
Pipeline stages
run concurrently

View Slide

Example: Implementation
8

View Slide

• Assumptions:
• Main memory expensive (image data large)
8

View Slide

• Assumptions:
• Main memory expensive (image data large)
• Approach for high performance:
• In-place update of image buﬀers
• Pass mutable buﬀers by-reference
8

View Slide

Example: Problem
Easy to produce data races:
1. Stage 1 sends a reference to a buffer to stage 2
2. Following the send, both stages have a reference
to the same buffer
3. Stages can concurrently access the buffer
9

View Slide

Preventing Data Races
10

View Slide

• Approach: safe transfer of ownership
• Sending stage loses ownership
• Type system prevents sender from accessing
transferred objects
10

View Slide

• Approach: safe transfer of ownership
• Sending stage loses ownership
• Type system prevents sender from accessing
transferred objects
• Advantages:
• No run-time overhead
• Errors caught at compile time
10

View Slide

Ownership Transfer in Scala
11

View Slide

• Enter LaCasa: Aﬃne references for Scala
11

View Slide

• “Transferable” references
11

View Slide

• At most one owner per transferable reference
11

View Slide

• LaCasa combines two concepts:
11

View Slide

• Access permissions
11

View Slide

• Access permissions
• Encapsulated boxes
11

View Slide

Access Permissions
12

View Slide

Access Permissions
• Permissions control access to transferable objects
12

View Slide

Access Permissions
CanAccess { type C }
12

View Slide

Access Permissions
• Type member C uniquely identiﬁes box
12

View Slide

Access Permissions
• Type member C uniquely identiﬁes box
Box[T] { type C }
12

View Slide

Matching Boxes and
Permissions
• Type members match permissions and boxes
• Via path-dependent types
• Example:
def method[T](box: Box[T])
(implicit p: CanAccess { type C = box.C }): Unit
13

View Slide

Creating Boxes and
Permissions
14

View Slide

Creating Boxes and
Permissions
class Message {
var arr: Array[Int] = _
}
14

View Slide

Creating Boxes and
Permissions
mkBox[Message] { packed =>
}
class Message {
}
14

View Slide

Creating Boxes and
Permissions
}
class Message {
}
14
LaCasa
library

View Slide

Creating Boxes and
Permissions
}
class Message {
}
14

View Slide

Creating Boxes and
Permissions
}
class Message {
}
sealed trait Packed[+T] {
val box: Box[T]
val access: CanAccess { type C = box.C }
}
14

View Slide

Creating Boxes and
Permissions
}
class Message {
}
14

View Slide

Creating Boxes and
Permissions
}
class Message {
}
implicit val access = packed.access
val box = packed.box
…
14

View Slide

Accessing Boxes
• Boxes are encapsulated
• Boxes must be opened for access
15

View Slide

Accessing Boxes
box open { msg =>
msg.arr = Array(1, 2, 3, 4)
}
}
15

View Slide

Accessing Boxes
box open { msg =>
}
}
Requires implicit
access permission
15

View Slide

Accessing Boxes
box open { msg =>
}
}
15

View Slide

Consuming Permissions
Example: transfering a box from one actor to
another consumes its access permission
16

View Slide

…
someActor.send(box)
// illegal to access `box` here!
}
16

View Slide

…
someActor.send(box)
// illegal to access `box` here!
}
16
How to
enforce this?

View Slide

Permissions and
Continuations
17

View Slide

Permissions and
Continuations
• Make implicit permission unavailable in
continuation of permission-consuming call
17

View Slide

Permissions and
Continuations
• Scala’s type system is ﬂow-insensitive => use
continuation passing
17

View Slide

Permissions and
Continuations
• Scala’s type system is ﬂow-insensitive => use
continuation passing
• Restrict continuation to exclude consumed
permission
17

View Slide

Continuation-Passing Style
…
someActor.send(box) {
// make `access` unavailable
…
}
}
18

View Slide

Restricting Continuations
19

View Slide

• Continuation disallows capturing variables of
the type of access
19

View Slide

the type of access
• Leverage spores [1]
19
[1] Miller, Haller, and Odersky. Spores: A type-based foundation for closures
in the age of concurrency and distribution. ECOOP ’14

View Slide

the type of access
def send(msg: Box[T])
(cont: NullarySpore[Unit] {
type Excluded = msg.C
})
(implicit p: CanAccess { type C = msg.C }): Nothing
19

View Slide

the type of access
def send(msg: Box[T])
(cont: NullarySpore[Unit] {
type Excluded = msg.C
})
(implicit p: CanAccess { type C = msg.C }): Nothing
19
“May not occur in
captured types”

View Slide

Stack Locality
20

View Slide

Stack Locality
• Permissions are restricted to be stack local  
(or “stack conﬁned”)
20

View Slide

Stack Locality
• This prevents problematic “indirect capturing”:
20
(implicit p: CanAccess { type C = box.C }) = {
val fun = () => p
implicit val forbidden = fun()
// could still access `box`
…
}
}

View Slide

Stack Locality
• This prevents problematic “indirect capturing”:
20
(implicit p: CanAccess { type C = box.C }) = {
val fun = () => p
implicit val forbidden = fun()
// could still access `box`
…
}
}
“error: p stack local”

View Slide

Recall Example
…
// `access` unavailable
…
}
}
21

View Slide

Encapsulation
Problem: not all types safe to transfer!
22

View Slide

Encapsulation
Problem: not all types safe to transfer!
22
class Message {
def leak(): Unit = {
SomeObject.fld = arr
}
}
object SomeObject {
var fld: Array[Int] = _
}

View Slide

Encapsulation
• Ensuring absence of data races (“concurrency
safety”) requires restricting types put into boxes
• Requirements for “safe” classes:*
• Methods only access parameters and this
• Methods only instantiate “safe” classes
• Types of ﬁelds are “safe”
23
* simpliﬁed

View Slide

Encapsulation
• Ensuring absence of data races (“concurrency
safety”) requires restricting types put into boxes
• Requirements for “safe” classes:*
• Methods only access parameters and this
• Methods only instantiate “safe” classes
• Types of fields are “safe”
23
“Safe” = conforms to object capability model [2]
* simplified
[2] Mark S. Miller. Robust Composition: Towards a Unified Approach to
Access Control and Concurrency Control. PhD thesis, 2006

View Slide

Object Capabilities in Scala
• How common is object-capability safe code in Scala?
• Empirical study of over 75,000 SLOC of open-source
Scala code:
24
Project Version SLOC GitHub stats
Scala stdlib 2.11.7 33,107 ✭5,795 257
Signal/Collect 8.0.6 10,159 ✭123 11
GeoTrellis 0.10.0-RC2 35,351 ✭400 38
-engine 3,868
-raster 22,291
-spark 9,192

View Slide

Results of empirical study:
25
Project #classes/traits #ocap (%) #dir. insec. (%)
Scala stdlib 1,505 644 (43%) 212/861 (25%)
Signal/Collect 236 159 (67%) 60/77 (78%)
GeoTrellis
-engine 190 40 (21%) 124/150 (83%)
-raster 670 233 (35%) 325/437 (74%)
-spark 326 101 (31%) 167/225 (74%)
Total 2,927 1,177 (40%) 888/1,750 (51%)

View Slide

Results of empirical study:
25
Project #classes/traits #ocap (%) #dir. insec. (%)
Scala stdlib 1,505 644 (43%) 212/861 (25%)
Signal/Collect 236 159 (67%) 60/77 (78%)
GeoTrellis
-engine 190 40 (21%) 124/150 (83%)
-raster 670 233 (35%) 325/437 (74%)
-spark 326 101 (31%) 167/225 (74%)
Total 2,927 1,177 (40%) 888/1,750 (51%)
Paper: immutability increases these percentages!

View Slide

In the Paper
26

View Slide

In the Paper
• Implementation:
• Compiler plugin for Scala 2.11.x and integration with actors
• Enforcement of continuation-passing style
• Formalization: object-oriented core languages
• CLC1: type-based notion of object capabilities
• CLC2: uniqueness via ﬂow-insensitive permissions
• CLC3: concurrent extension
• Soundness proof
• Isolation theorem for processes with shared heap
26
Formal model in Coq

View Slide

Conclusion
27

View Slide

Conclusion
• Type-based notion of the object capability discipline
is possible and beneﬁtial
27

View Slide

Conclusion
• Safe ownership transfer is possible for objects
conforming to the object capability discipline
27

View Slide

Conclusion
• Binary check whether a class is reusable unchanged
27

View Slide

Conclusion
features of Scala
27

View Slide

Conclusion
features of Scala
• In medium to large open-source Scala projects, 21-67%
of all classes conform to the object capability discipline
27

View Slide

Conclusion
features of Scala
27
Open-source implementation:
https://github.com/phaller/lacasa

View Slide

Conclusion
features of Scala
27
Thank you!
Open-source implementation:
https://github.com/phaller/lacasa

View Slide

LaCasa: Lightweight Affinity and Object Capabilities in Scala

LaCasa: Lightweight Affinity and Object Capabilities in Scala

Philipp Haller

More Decks by Philipp Haller

Featured

Transcript