On Deny Capabilities for Safe, Fast Actors

Slide 1

Slide 1 text

On Deny Capabilities for Safe, Fast Actors 1/39

Slide 2

Slide 2 text

Sean T. Allen Member of the Pony core team @SeanTAllen www.seantallen.com 2/39

Slide 3

Slide 3 text

This is a talk about concurrency. 3/39

Slide 4

Slide 4 text

This is a talk about going fast. 4/39

Slide 5

Slide 5 text

This talk is about Pony and Deny Capabilities. 5/39

Slide 6

Slide 6 text

About the paper 6/39

Slide 7

Slide 7 text

Actor model 7/39

Slide 8

Slide 8 text

Actor model basics 8/39

Slide 9

Slide 9 text

Actor model basics Actors communicate with other actors via messaging 8/39

Slide 10

Slide 10 text

Actor model basics Actors communicate with other actors via messaging Actors process messages 8/39

Slide 11

Slide 11 text

Actor model basics Actors communicate with other actors via messaging Actors process messages Actors "protect resources" 8/39

Slide 12

Slide 12 text

Safe 9/39

Slide 13

Slide 13 text

Data race freedom 10/39

Slide 14

Slide 14 text

Data race Two memory accesses attempts where both: 11/39

Slide 15

Slide 15 text

Data race Two memory accesses attempts where both: Target the same location 11/39

Slide 16

Slide 16 text

Data race Two memory accesses attempts where both: Target the same location Are performed concurrently by two threads 11/39

Slide 17

Slide 17 text

Data race Two memory accesses attempts where both: Target the same location Are performed concurrently by two threads Are not reads 11/39

Slide 18

Slide 18 text

Data race Two memory accesses attempts where both: Target the same location Are performed concurrently by two threads Are not reads Are not synchronization operations 11/39

Slide 19

Slide 19 text

The actor model can help prevent data races 12/39

Slide 20

Slide 20 text

The actor model can help prevent data races All variables are "protected" by an actor - no global variables 12/39

Slide 21

Slide 21 text

The actor model can help prevent data races All variables are "protected" by an actor - no global variables Actors are processed sequentially 1 message a time by a single thread 12/39

Slide 22

Slide 22 text

The actor model can help prevent data races All variables are "protected" by an actor - no global variables Actors are processed sequentially 1 message a time by a single thread Actors are "synchronization operations" 12/39

Slide 23

Slide 23 text

The actor model can help prevent data races All variables are "protected" by an actor - no global variables Actors are processed sequentially 1 message a time by a single thread But sending data from one actor to another can cause problems... 12/39

Slide 24

Slide 24 text

Fast 13/39

Slide 25

Slide 25 text

How to go fast 14/39

Slide 26

Slide 26 text

How to go fast Avoid coordination 14/39

Slide 27

Slide 27 text

How to go fast Avoid coordination Avoid contention 14/39

Slide 28

Slide 28 text

How to go fast Avoid coordination Avoid contention Measure it 14/39

Slide 29

Slide 29 text

How actors can help with fast 15/39

Slide 30

Slide 30 text

How actors can help with fast make coordination explicit 15/39

Slide 31

Slide 31 text

How actors can help with fast make coordination explicit make contention explicit 15/39

Slide 32

Slide 32 text

How actors can hurt fast 16/39

Slide 33

Slide 33 text

How actors can hurt fast naive implementations can be very slow 16/39

Slide 34

Slide 34 text

How actors can hurt fast naive implementations can be very slow message queues are points of contention 16/39

Slide 35

Slide 35 text

How actors can hurt fast naive implementations can be very slow message queues are points of contention locks are usually faster than a large memory copy 16/39

Slide 36

Slide 36 text

Deny capabilities for safe, fast actors 17/39

Slide 37

Slide 37 text

Deny capabilities doing unsafe fast things safely 18/39

Slide 38

Slide 38 text

Deny capabilities statically con rm you aren't doing something unsafe 19/39

Slide 39

Slide 39 text

Alias control 20/39

Slide 40

Slide 40 text

What is an alias? 21/39

Slide 41

Slide 41 text

What is an alias? Aliases are "names" for things in memory 21/39

Slide 42

Slide 42 text

What is an alias? Aliases are "names" for things in memory Aliases allow you to access a thing at a location 21/39

Slide 43

Slide 43 text

Aliases in Pony 22/39

Slide 44

Slide 44 text

Aliases in Pony When you assign a value to a variable or a eld. 22/39

Slide 45

Slide 45 text

Aliases in Pony When you assign a value to a variable or a eld. When you pass a value as an argument to a method. 22/39

Slide 46

Slide 46 text

Aliases in Pony When you assign a value to a variable or a eld. When you pass a value as an argument to a method. When you call a method, an alias of the receiver of the call is created. It is accessible as this within the method body. 22/39

Slide 47

Slide 47 text

Count the aliases primitive Say fun say(msg: String, out: OutStream) => let x = "We say '" + msg + "'" out.print(x) 23/39

Slide 48

Slide 48 text

Count the aliases fun say(msg: String, out: OutStream) => primitive Say let x = "We say '" + msg + "'" out.print(x) msg and out are aliases 23/39

Slide 49

Slide 49 text

Count the aliases let x = "We say '" + msg + "'" primitive Say fun say(msg: String, out: OutStream) => out.print(x) x is an alias 23/39

Slide 50

Slide 50 text

Count the aliases out.print(x) primitive Say fun say(msg: String, out: OutStream) => let x = "We say '" + msg + "'" x is aliased when passed to print 23/39

Slide 51

Slide 51 text

Count the aliases primitive Say fun say(msg: String, out: OutStream) => let x = "We say '" + msg + "'" out.print(x) 23/39

Slide 52

Slide 52 text

Capabilities Annotations on code that can be used to statically con rm some property 24/39

Slide 53

Slide 53 text

actor Main new create(env: Env) => let msg: String val = "Hello World!" env.out.print(msg) 25/39

Slide 54

Slide 54 text

let msg: String val = "Hello World!" actor Main new create(env: Env) => env.out.print(msg) val is a capability 25/39

Slide 55

Slide 55 text

let msg: String val = "Hello World!" actor Main new create(env: Env) => env.out.print(msg) val is part of the type at compile-time 25/39

Slide 56

Slide 56 text

let msg: String val = "Hello World!" actor Main new create(env: Env) => env.out.print(msg) val says "the alias msg to the String Hello World is immutable" 25/39

Slide 57

Slide 57 text

What can you deny? 26/39

Slide 58

Slide 58 text

What can you deny? Reading 26/39

Slide 59

Slide 59 text

What can you deny? Reading Mutating 26/39

Slide 60

Slide 60 text

What can you deny? Reading Mutating Aliasing 26/39

Slide 61

Slide 61 text

What can you deny? Reading Mutating Aliasing Sending 26/39

Slide 62

Slide 62 text

What can you deny? Reading Mutating Aliasing Sending Sharing 26/39

Slide 63

Slide 63 text

Some capabilities 27/39

Slide 64

Slide 64 text

Some capabilities ref 27/39

Slide 65

Slide 65 text

Some capabilities ref val 27/39

Slide 66

Slide 66 text

Some capabilities ref val iso 27/39

Slide 67

Slide 67 text

Some capabilities ref val iso tag 27/39

Slide 68

Slide 68 text

ref 28/39

Slide 69

Slide 69 text

ref allows reading 28/39

Slide 70

Slide 70 text

ref allows reading allows mutation 28/39

Slide 71

Slide 71 text

ref allows reading allows mutation denies sending 28/39

Slide 72

Slide 72 text

ref allows reading allows mutation denies sending allows unlimited aliases 28/39

Slide 73

Slide 73 text

ref allows reading allows mutation denies sending allows unlimited aliases denies sharing 28/39

Slide 74

Slide 74 text

iso 29/39

Slide 75

Slide 75 text

iso allows reading 29/39

Slide 76

Slide 76 text

iso allows reading allows mutation 29/39

Slide 77

Slide 77 text

iso allows reading allows mutation allows sending 29/39

Slide 78

Slide 78 text

iso allows reading allows mutation allows sending denies aliasing 29/39

Slide 79

Slide 79 text

iso allows reading allows mutation allows sending denies aliasing denies sharing 29/39

Slide 80

Slide 80 text

val 30/39

Slide 81

Slide 81 text

val allows reading 30/39

Slide 82

Slide 82 text

val allows reading denies mutation 30/39

Slide 83

Slide 83 text

val allows reading denies mutation allows sending 30/39

Slide 84

Slide 84 text

val allows reading denies mutation allows sending allows unlimited aliases 30/39

Slide 85

Slide 85 text

val allows reading denies mutation allows sending allows unlimited aliases allows sharing 30/39

Slide 86

Slide 86 text

tag 31/39

Slide 87

Slide 87 text

tag denies reading 31/39

Slide 88

Slide 88 text

tag denies reading denies mutation 31/39

Slide 89

Slide 89 text

tag denies reading denies mutation allows aliasing 31/39

Slide 90

Slide 90 text

tag denies reading denies mutation allows aliasing allows sharing 31/39

Slide 91

Slide 91 text

tag denies reading denies mutation allows aliasing allows sharing allows sending 31/39

Slide 92

Slide 92 text

Readable 32/39

Slide 93

Slide 93 text

Readable ref 32/39

Slide 94

Slide 94 text

Readable ref iso 32/39

Slide 95

Slide 95 text

Readable ref iso val 32/39

Slide 96

Slide 96 text

Readable ref iso val Mutable 32/39

Slide 97

Slide 97 text

Readable ref iso val Mutable ref 32/39

Slide 98

Slide 98 text

Readable ref iso val Mutable ref iso 32/39

Slide 99

Slide 99 text

Readable ref iso val Mutable ref iso Aliasable 32/39

Slide 100

Slide 100 text

Readable ref iso val Mutable ref iso Aliasable ref 32/39

Slide 101

Slide 101 text

Readable ref iso val Mutable ref iso Aliasable ref val 32/39

Slide 102

Slide 102 text

Readable ref iso val Mutable ref iso Aliasable ref val tag 32/39

Slide 103

Slide 103 text

Readable ref iso val Mutable ref iso Aliasable ref val tag Sendable 32/39

Slide 104

Slide 104 text

Readable ref iso val Mutable ref iso Aliasable ref val tag Sendable val 32/39

Slide 105

Slide 105 text

Readable ref iso val Mutable ref iso Aliasable ref val tag Sendable val tag 32/39

Slide 106

Slide 106 text

Readable ref iso val Mutable ref iso Aliasable ref val tag Sendable val tag iso 32/39

Slide 107

Slide 107 text

Readable ref iso val Mutable ref iso Aliasable ref val tag Sendable val tag iso Shareable 32/39

Slide 108

Slide 108 text

Readable ref iso val Mutable ref iso Aliasable ref val tag Sendable val tag iso Shareable val 32/39

Slide 109

Slide 109 text

Readable ref iso val Mutable ref iso Aliasable ref val tag Sendable val tag iso Shareable val tag 32/39

Slide 110

Slide 110 text

There's no platonic ideal for deny capabilities. 33/39

Slide 111

Slide 111 text

Code (and errors!) 34/39

Slide 112

Slide 112 text

actor Main new create(env: Env) => let msg: String ref = "Hello World!".clone() env.out.print(msg) 35/39

Slide 113

Slide 113 text

let msg: String ref = "Hello World!".clone() actor Main new create(env: Env) => env.out.print(msg) Hello World String is mutable 35/39

Slide 114

Slide 114 text

env.out.print(msg) actor Main new create(env: Env) => let msg: String ref = "Hello World!".clone() send msg to actor out 35/39

Slide 115

Slide 115 text

let msg: String ref = "Hello World!".clone() actor Main new create(env: Env) => env.out.print(msg) ref isn't sendable 35/39

Slide 116

Slide 116 text

env.out.print(msg) actor Main new create(env: Env) => let msg: String ref = "Hello World!".clone() which will result in an error here 35/39

Slide 117

Slide 117 text

Error: main.pony:4:19: argument not a subtype of parameter env.out.print(msg) ^ Info: main.pony:4:19: argument type is String ref env.out.print(msg) ^ (...):13:12: parameter type is (String val | Array[U8 val] val) be print(data: ByteSeq) ^ main.pony:3:14: String ref is not a subtype of String val: ref is not a subcap of val let msg: String ref = "Hello World!".clone() ^ main.pony:3:14: String ref is not a subtype of Array[U8 val] val 36/39

Slide 118

Slide 118 text

main.pony:4:19: argument not a subtype of paramete env.out.print(msg) Error: ^ Info: main.pony:4:19: argument type is String ref env.out.print(msg) ^ (...):13:12: parameter type is (String val | Array[U8 val] val) be print(data: ByteSeq) ^ main.pony:3:14: String ref is not a subtype of String val: ref is not a subcap of val let msg: String ref = "Hello World!".clone() ^ msg isn't the correct type 36/39

Slide 119

Slide 119 text

main.pony:4:19: argument type is String ref env.out.print(msg) Error: main.pony:4:19: argument not a subtype of parameter env.out.print(msg) ^ Info: ^ (...):13:12: parameter type is (String val | Array[U8 val] val) be print(data: ByteSeq) ^ main.pony:3:14: String ref is not a subtype of String val: ref is not a subcap of val let msg: String ref = "Hello World!".clone() ^ msg is String ref 36/39

Slide 120

Slide 120 text

(...):13:12: parameter type is (String val | Array[U8 val] val) be print(data: ByteSeq) main.pony:4:19: argument not a subtype of parameter env.out.print(msg) ^ Info: main.pony:4:19: argument type is String ref env.out.print(msg) ^ ^ main.pony:3:14: String ref is not a subtype of String val: ref is not a subcap of val let msg: String ref = "Hello World!".clone() ^ main.pony:3:14: String ref is not a subtype of Array[U8 val] val l S i f "H ll W ld!" l () print requires String val or Array[U8] val 36/39

Slide 121

Slide 121 text

The compiler just statically checked our data sharing. 37/39

Slide 122

Slide 122 text

The compiler just statically checked our data sharing. Let's x it 37/39

Slide 123

Slide 123 text

actor Main new create(env: Env) => let msg: String val = "Hello World!" env.out.print(msg) 38/39

Slide 124

Slide 124 text

let msg: String val = "Hello World!" actor Main new create(env: Env) => env.out.print(msg) Hello World String is immutable 38/39

Slide 125

Slide 125 text

env.out.print(msg) actor Main new create(env: Env) => let msg: String val = "Hello World!" send msg to actor out 38/39

Slide 126

Slide 126 text

let msg: String val = "Hello World!" actor Main new create(env: Env) => env.out.print(msg) val is sendable 38/39

Slide 127

Slide 127 text

env.out.print(msg) actor Main new create(env: Env) => let msg: String val = "Hello World!" no error here 38/39

Slide 128

Slide 128 text

Learn more https:/ /www.seantallen.com/talks/deny- capabilities/ 39/39