[swift-evolution] [Concurrency] async/await + actors

Matthew Johnson matthew at anandabits.com
Sat Aug 19 16:07:55 CDT 2017



Sent from my iPad

> On Aug 19, 2017, at 3:29 PM, Michel Fortin <michel.fortin at michelf.ca> wrote:
> 
> 
>> Le 19 août 2017 à 11:38, Matthew Johnson <matthew at anandabits.com> a écrit :
>> 
>> 
>> 
>> Sent from my iPad
>> 
>> On Aug 19, 2017, at 8:16 AM, Michel Fortin via swift-evolution <swift-evolution at swift.org> wrote:
>> 
>>>>> For instance, has Array<UIView> value semantics? 
>>>> 
>>>> By the commonly accepted definition, Array<UIView> does not provide value semantics.
>>>> 
>>>>> You might be tempted to say that it does not because it contains class references, but in reality that depends on what you do with those UIViews.
>>>> 
>>>> An aspect of the type (“does it have value semantics or not”) should not depend on the clients.  By your definition, every type has value semantics if none of the mutating operations are called :-)
>>> 
>>> No, not mutating operations. Access to mutable memory shared by multiple "values" is what breaks value semantics. You can get into this situation using pointers, object references, or global variables. It's all the same thing in the end: shared memory that can mutate.
>>> 
>>> For demonstration's sake, here's a silly example of how you can give Array<Int> literally the same semantics as Array<UIView>:
>>> 
>>> 	// shared UIView instances in global memory
>>> 	var instances: [UIView] = []
>>> 
>>> 	extension Array where Element == Int {
>>> 
>>> 		// append a new integer to the array pointing to our UIView instance
>>> 		func append(view: UIView) {
>>> 			self.append(instances.count)
>>> 			instances.append(newValue)
>>> 		}
>>> 
>>> 		// access views pointed to by the integers in the array
>>> 		subscript(viewAt index: Int) -> UIView {
>>> 			get {
>>> 				return instances[self[index]]
>>> 			}
>>> 			set {
>>> 				self[index] = instances.count
>>> 				instances.append(newValue)
>>> 			}
>>> 		}
>>> 	}
>>> 
>>> And now you need to worry about passing Array<Int> to other thread. ;-)
>>> 
>>> It does not really matter whether the array contains pointers or wether it contains indices into a global table: in both cases access to the same mutable memory is accessible through multiple copies of an array, and this is what breaks value semantics.
>>> 
>>> Types cannot enforce value semantics. Its the functions you choose to call that matters. This is especially important to realize in a language with extensions where you can't restrict what functions gets attached to a type.
>> 
>> This gets deeper into the territory of the conversation Dave A and I had a while ago.  I think this conflates value semantics with pure functions, which I think is a mistake.  
>> 
>> I agree that if you assume away reference counting a function that takes Array<UIView> but never dereferences the pointers can still be a pure function.  However, I disagree that Array<UIView> has value semantics.
>> 
> 
>> The relationship of value semantics to purity is that value semantics can be defined in terms of the purity of the "salient operations" of the type - those which represent the meaning of the value represented by the type.  The purity of these operations is what gives the value independence from copies in terms of its meaning.  If somebody chooses to add a new impure operation in an extension of a type with value semantics it does not mean that the type itself no longer has value semantics.  The operation in the extension is not "salient".
>> 
>> This still begs the question: what operations are "salient"?  I think everyone can agree that those used in the definition of equality absolutely must be included.  If two values don't compare equal they clearly do not have the same meaning.  Thread safety is also usually implied for practical reasons as is the case in Chris's manifesto.  These properties are generally considered necessary for value semantics.
>> 
>> While these conditions are *necessary* for value semantics I do not believe they are *sufficient* for value semantics.  Independence of the value is also required.  When a reference type defines equality in terms of object identity copies of the reference are not truly independent.  
>> 
>> This is especially true in a language like Swift where dereference is implicit.  I argue that when equality is defined in terms of object identity copies of the reference are *not* independent.  The meaning of the reference is inherently tied up with the resource it references.  The resource has to be considered "salient" for the independence to be a useful property.  On the other hand, if all you really care about is the identity and not the resource, ObjectIdentifier is available and does have value semantics.  There is a very good reason this type exists.
> 
> The reason we're discussing value semantics here is because they are useful making concurrency safer. If we define the meaning of value semantics as "a type where a subset of the member functions (the important ones) can be used with concurrency" then that definition of value semantics lose quite a bit of its value for solving the problem at hand. It's too vague.
> 
> I'm not actually that interested in the meaning of value semantics here. I'm debating the appropriateness of determining whether something can be done in another thread based on the type a function is attached to. Because that's what the ValueSemantical protocol wants to do. ValueSemantical, as a protocol, is whitelisting the whole type while in reality it should only vouch for a specific set of safe functions on that type.

This is making some assumptions about the semantics of `ValueSemantical` and the compiler verification behind it, but I see what you're saying.  It sounds to me like you're looking for a level of safety beyond what Chris is trying to tackle in his manifesto.  My impression is that his goal is to make a pragmatic set of tradeoffs.

As an example to consider, we could write an extension method on `Int` that accesses some global state.  It may use the value of the `Int` as an index into a global array.  The existence and use of this method is completely orthogonal to whether or not it is safe to pass the `Int` as part of a message to an actor.  The danger is in the use of the operation, not the source of the `Int`.

As I understand it, the intent of `ValueSemantical` is to avoid passing *access* to shared mutable state as part of a message to an actor.  Passing an `Int` value does not give the actor any access it didn't already have.  On the other hand, passing a `UIView` gives it access to shared mutable state it did not have before receiving the message.

Achieving the kind of safety you're looking for would require verification that an actor has exclusive access to all mutable state it uses (including state that is used by all functions it calls).  This would be wonderful, but would also preclude a lot of very useful things, most importantly C-interop.  Here is the relevant portion of Chris's manifesto regarding global mutable state and the tradeoffs he believes will be pragmatic and effective in practice:

Since we're friends, I'll be straight with you: there are no great answers here. Swift and C already support global mutable state, so the best we can do is discourage the use of it. We cannot automatically detect a problem because actors need to be able to transitively use random code that isn't defined on the actor. For example:

func calculate(thing : Int) -> Int { ... }

actor Foo {
  actor func exampleOperation() {
     let x = calculate(thing: 42)
     ...
  }
}
There is no practical way to know whether 'calculate' is thread-safe or not. The only solution is to scatter tons of annotations everywhere, including in headers for C code. I think that would be a non-starter.

In practice, this isn't as bad as it sounds, because the most common operations that people use (e.g. print) are already internally synchronizing, largely because people are already writing multithreaded code. While it would be nice to magically solve this long standing problem with legacy systems, I think it is better to just completely ignore it and tell developers not to define or use global variables (global lets are safe).

All hope is not lost though: Perhaps we could consider deprecating global vars from Swift to further nudge people away from them. Also, any accesses to unsafe global global mutable state from an actor context can and should be warned about. Taking some steps like this should eliminate the most obvious bugs.


> 
> 
> -- 
> Michel Fortin
> https://michelf.ca
> 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.swift.org/pipermail/swift-evolution/attachments/20170819/b349175b/attachment.html>


More information about the swift-evolution mailing list