It's Time to Abandon Insecure Languages
Mark S. Miller
markm at caplet.com
Sat Jul 20 18:05:55 EDT 2002
At 01:59 PM 7/20/2002 Saturday, jamesd at echeque.com wrote:
> --
>On 20 Jul 2002 at 13:41, Ben Laurie wrote:
>> E is interesting for far more reasons that just buffer overflows
>> - in particular, it is capabilities from the ground up. Not to
>> mention highly cool for distributed applications.
>
>It seems like a really brilliant concept if it works, a solution
>to the presently unsolved problem of distributed computing.
Thank you. It's been working well for us. Most of the brilliant concepts
in E aren't ours, but are thirty years or so old. In particular, Hewitt's
Actors had both distributed lambda-based capability security and
deadlock-free event-loop concurrency. See
http://www.erights.org/history/overview.html for more on the history of
influences on E.
>However I have a suspicion that instead of the presently
>intolerable problem of bugs resulting in rare, non deterministic
>deadlocks, we will get the problem of bugs resulting in rare, non
>deterministic catch probs.
"catch probs"?
>With E, as with C, we get multithreaded code executed in non
>deterministic order. It appears to me that it still happen that a
>certain rare and unusual execution order can reveal a bug, the bug
>being of the form that if G is executed before Y is executed,
>which normally never happens, then the "when" clause for X can
>never be executed until the "when" clause for Y is executed, but
>the "when" clause for Y can never be executed until the "when"
>clause for X is executed -- the old familiar multithreading
>problem that has destroyed so many projects and careers. in a new
>and slightly different guise.
Correct, and very perceptive. We refer to this as Data Lock. However, the
different guise causes an importantly different effect.
>Is there some feature of the syntax or error handling of E that
>prevents one writing such code,
E does not enable one to fully avoid making Data Lock bugs, but does make
such bugs amazingly rare, as explained at
http://www.eros-os.org/pipermail/e-lang/2001-May/005287.html . See also
http://www.erights.org/elib/concurrency/event-loop.html . During the six
years of use of E and its ancestor Original-E (which used the same
paradigms), I can only recall one occurrence of an accidental Data Lock bug.
Although the explanations at those URLs helps explain why, I remain
mystified why there were so *many* fewer Data Locks than there would have
been DeadLocks.
>or reliably detects the error if one does write it?
Reliably? No. More reliably? Yes.
Since we've only had one genuine occurrence of a Data Lock, we have no
meaningful statistics. You are also correct that Data Locks can be
non-deterministic and so throw you into non-reproducible debugging hell.
However, in a non-deterministic system, all bugs may be non-reproducible,
because the computation can diverge before that point in the computation is
reached. Classic Deadlock bugs are more non-reproducible than that, because
they are inherently provoked by a race condition. In E, Data Locks are no
more non-reproducible than any other kind of bug in a non-deterministic
system. Further, E's non-determinism is very constrained (what we call
"loggable non-determinism"), leading to less non-reproducibility in general.
----------------------------------------
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list