Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Interaction between session-typed communication and effects is broken #544

Closed
dhil opened this issue Mar 29, 2019 · 3 comments
Closed

Interaction between session-typed communication and effects is broken #544

dhil opened this issue Mar 29, 2019 · 3 comments
Labels
bug
Projects
Effect handlers

Comments

@dhil
Copy link
Member

dhil commented Mar 29, 2019
edited

It is possible to break Links by using a combination of session-typed communication, multi-shot continuations, and exceptions. The gist is that with multi-shot continuations is possible subvert the linear type system by duplicating a linear channel. The program below illustrates two problems:

  • Session fidelity is broken in the presence of multi-shot continuations. It is possible to deadlock session-typed concurrency.
  • Type-safety is broken in the presence of multi-shot continuations and exceptions, giving rise to the slogan "Well-typed Links program can go wrong!"
# Breaking Links
# D. Hillerström, S. Lindley, and L. White

# Breaking session fidelity.
# Invoke the resumption twice to inadvertently perform two receives
# over a session-typed channel !Int.end.
fun deadlock() {
  var ch = fork(fun(ch) {
     var ch = send(42, ch);
     ignore(ch)
  });

  handle({
    # Nondeterministic choice.
    ignore(do Flip);
    var (i, ch) = receive(ch);
    println("Int: " ^^ intToString(i));
    ignore(ch)
  }) {
    case Return(_) -> ()
    case Flip(resume) ->
      resume(true); resume(false)
  }
}

# Breaking type safety.
# Inadvertently send two integers over a session-typed channel
# !Int.!String.end by using multi-shot continuations and exceptions.
fun unsound() {
  var ch = fork(fun(ch) {
     var (i, ch) = receive(ch);
     var (s, ch) = receive(ch);
     println("Int: " ^^ intToString(i));
     println("String: " ^^ s);
     ignore(ch)
  });

  handle({
    # Nondeterministic choice.
    var msg = if (do Flip) 42 else 84;
    var ch = send(msg, ch);
    # Throws an exception
    ignore(do Fail);
    var ch = send("foo", ch);
    ignore(ch)
  }) {
    case Return(_) -> ()
    case Fail(_) -> ()
    case Flip(resume) ->
      resume(true); resume(false)
  }
}

It is an open research question how to reconcile linear resources and first-class control effects. Thus it is hardly surprising that our implementation is broken.
@dhil dhil added the bug label Mar 29, 2019
@SimonJF
Copy link
Member

SimonJF commented Mar 29, 2019
edited

This makes me very sad, but well-spotted. The fact that it's an open research question makes it slightly better, but it's still a shame.

At a high level, I suppose what we'd want to do is mark a resumption as linear if any invocation of its associated operation appears in a linear context.

A conservative fix would be to ensure that operations can only be invoked in an unrestricted context. This would break session exceptions; the translation relies on cancelling the endpoints in a continuation.

@dhil
Copy link
Member Author

dhil commented Mar 29, 2019

This makes me very sad [...]

Don't be. These two bugs are great news; there is research to done!

At a high level, I suppose what we'd want to do is mark a resumption as linear if any invocation of its associated operation appears in a linear context.

I am inclined to believe that operations should be annotated as to whether they admit an affine, linear, or unrestricted interpretation.

@SimonJF
Copy link
Member

SimonJF commented Mar 29, 2019

I am inclined to believe that operations should be annotated as to whether they admit an affine, linear, or unrestricted interpretation.

A (checked) annotation certainly sounds like a sensible solution.

@jamescheney jamescheney added this to To do in Effect handlers Aug 8, 2019
@dhil dhil mentioned this issue Aug 26, 2019
Closed
@thwfhk thwfhk mentioned this issue Nov 1, 2022
Closed
@thwfhk thwfhk mentioned this issue Apr 20, 2023
Merged
dhil added a commit that referenced this issue Sep 25, 2023
@thwfhk @dhil
Tracking control-flow linearity for effect handlers (#1173)
f3a17f9 
This patch adds control-flow linearity tracking for effect handlers. This addition solves a long standing soundness bug (see issue #544) with the interaction between exceptions, multi-shot effect handlers and session-typed channels (more generally any linear resource).


Co-authored-by: Daniel Hillerström <daniel.hillerstrom@ed.ac.uk>
frank-emrich added a commit to frank-emrich/opam-repository that referenced this issue Nov 16, 2023
@frank-emrich
[new release] links, links-postgresql, links-sqlite3 and links-mysql …
51d1c00 
…(0.9.8)

CHANGES:

This release includes minor bug fixes, improvements, and a breaking change regarding the syntax of handlers.

## Queries mixing set and bag semantics
Links now provides experimental support for SQL queries with grouping and
aggregation. These require the _mixing_ normaliser (`mixing_norm=on` in the
configuration file).

The result of grouping over a relation is represented as a finite map, which in
Links is treated as a list of (grouping key, associated subrelation) pairs.
Aggregation can then be applied groupwise to a finite map to obtain again a
relation. Such Links queries are translated to SQL queries using `group by` and
aggregates.

Further information on this feature is provided in the [Links GitHub
wiki](https://github.com/links-lang/links/wiki/Grouping-and-aggregation).

## New syntax for handlers

The syntax for handlers has changed. Instead of
```
handle (...) {
  case Op(params, resumption) -> ...
  case Return(x) -> x
}
```
we write
```
handle (...) {
  case <Op(params) => resumption> -> ...
  case x -> x
}
```

We can also write `case <Op(params) -> resumption> -> ...`.
For now, the semantics for `->` and `=>` are the same.

## Control-flow linearity
Links now tracks control-flow linearity when the flag `--control-flow-linearity`
is enabled. This extension fixes a long-standing soundness bug (see issue
[links-lang/links#544](links-lang/links#544)) with the interaction
between exceptions, multi-shot effect handlers and session-typed channels. More
details about this extension can be found in the [wiki
page](https://github.com/links-lang/links/wiki/Control-flow-linearity).

## Other changes and fixes
* The package `links-mysql` now relies on the `mysql8` package as its underlying
  database driver.
* Links now supports OCaml 5.
* The `SessionFail` effect can now be supressed by disabling the
  `expose_session_fail` setting. When doing so, the `SessionFail` effect
  is included in the `wild` effect instead.
* The (incomplete) support for distributed session delegation has been removed.
* The standard library now provides functions for issuing SPARQL queries.
@frank-emrich frank-emrich mentioned this issue Nov 16, 2023
Merged
@thwfhk thwfhk closed this as completed Jan 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
Effect handlers
  
To do
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dhil @SimonJF @thwfhk