[go-nuts] Go channel race condition safety

On Fri, Jan 18, 2013 at 7:25 PM, John Nagle wrote:
How did that happen?

On 1/18/2013 10:37 AM, Jan Mercl wrote:
The example you are dissecting (shown here:
http://golang.org/doc/effective_go.html#channels) is not an example of
any concurrent access to `list`.

func sorttask(inchan chan []string, outchan chan []string) {
list := <- inchan // data received from sending task
sort.Strings(list) // sort
outchan <- list // results returnd to sending task
}

func dosort(in []string) []string {
inchan := make(chan []string)
outchan := make(chan []string)
go sorttask(inchan, outchan)
inchan <- in // data sent to sort task, sort starts
result := <- outchan // wait for data from sort task
return result
}

On 19 January 2013 00:24, Donovan Hide wrote:


func sorttask(inchan chan []string, outchan chan []string) {

Even in this example the invoker of dosort would have access to in
[]string while sorttask was executing, eg:

http://play.golang.org/p/FtChIu0JuR

Besides which the sort is in place, so you are just duplicating references
to the same array backing the slice in three separate places!

You are fighting against the language based on your experience of other
languages. Try out some of the widely discussed patterns, they are truly
useful :-)

On 19 January 2013 00:27, Donovan Hide wrote:

Correction: The line:

inchan <- in

does ensure in is locked, but then the invoker is blocked, so you lose all
advantage of using a goroutine in dosort!

Even in this example the invoker of dosort would have access to in []string
while sorttask was executing,

On Jan 19, 2013 3:13 PM, "John Nagle" wrote:
The "do not communicate by sharing memory; instead, share memory by
communicating” line in "Effective Go" is misleading. Erlang has that
property. Go doesn't.

On Fri, Jan 18, 2013 at 10:18 PM, Jesse McNelis wrote:

Erlang doesn't share memory. Go allows you to share memory by
communicating. Erlang only lets you share values by communicating. Each has
trade offs.

--

On Fri, Jan 18, 2013 at 8:29 PM, Patrick Mylund Nielsen wrote:

You just have a huge increase in memory allocations and gc pauses to worry
about.

On 1/18/2013 8:50 PM, Ziad Hatahet wrote:
On Fri, Jan 18, 2013 at 8:29 PM, Patrick Mylund Nielsen <
[email protected]> wrote:

What about an intermediate approach? Something like being able to prove at
compile time that only a single reference owns the data at a time, such as
via unique pointers (
http://pcwalton.github.com/blog/2012/10/03/unique-pointers-arent-just-about-memory-management
).

On Fri, Jan 18, 2013 at 9:02 PM, John Nagle wrote:
The three big questions in C/C++:
How big is it? (the cause of buffer overflows)
Who owns it? (the cause of dangling pointers)
Who locks it? (the cause of race conditions.)
C and C++ require the programmer to obsess on those issues but
provide little help in dealing with them.

Go fixes the first two, but not the third. In a language with
garbage collection, you don't need to be so explicit about ownership
for allocation purposes. Ownership for locking purposes, though,
remains an open question in Go. Monitors, as with the Ada rendezvous,
explicitly address "who has this data locked right now". Go
doesn't have that.

On Fri, Jan 18, 2013 at 10:43 PM, Ian Lance Taylor wrote:

But given that perfection has not yet been
shown to be feasible, Go is not bad.

Ian

On Saturday, January 19, 2013 12:06:15 PM UTC-7, Ziad Hatahet wrote:

On Fri, Jan 18, 2013 at 10:43 PM, Ian Lance Taylor <[email protected]<javascript:>
Wouldn't you consider using unique pointers, or immutable types to be
"closer to perfection" than the status quo that Go employs?

--
Ziad

On Sat, Jan 19, 2013 at 11:16 AM, Kevin Gillette wrote:

Those sacrifice control, and can be emulated through voluntary use of
other techniques already available in Go. Self-discipline is an excellent
substitute for manacles; if a programmer is incapable of exercising
self-discipline, then use of other languages may be a far better choice.

On Sat, Jan 19, 2013 at 8:57 PM, Ziad Hatahet wrote:
I agree that self discipline is very important; however, things do tend to
get messy in large code bases (which Go seems to target by described as
being "scalable"). Otherwise, why is it okay for the compiler/language to
disallow unused variables, but not provide any mechanism for disallowing
calls to mutation methods?

On Sat, Jan 19, 2013 at 11:59 AM, Jan Mercl wrote:

Because the later is equivalent to the halting problem?

-j

On Saturday, January 19, 2013 1:14:00 PM UTC-7, Ziad Hatahet wrote:


On Sat, Jan 19, 2013 at 11:59 AM, Jan Mercl <[email protected]<javascript:>
See C++'s const, D's const/immutable, and Rust's immutable references.

--
Ziad

On Sat, Jan 19, 2013 at 9:14 PM, Ziad Hatahet wrote:
See C++'s const, D's const/immutable, and Rust's immutable references.
Let me re-quote the context:
... but not provide any mechanism for disallowing
calls to mutation methods?

On Sun, Jan 20, 2013 at 4:14 AM, Ziad Hatahet wrote:
See C++'s const, D's const/immutable, and Rust's immutable references.

On Sat, Jan 19, 2013 at 12:31 PM, minux wrote:

But do they solve the whole problem of writing concurrent software?

If not, why does Go have to adopt these incomplete solutions?
Maybe there are better solutions in the future, why not wait and see?

On Sunday, 20 January 2013, Ziad Hatahet wrote:

Unless the systems programming language does away with null pointers in
the first place ;) Rust is taking this approach.

On Sat, Jan 19, 2013 at 9:05 PM, John Nagle wrote:
Go is being promoted as something as easy to use as Javascript,
Perl, or Python. But it's not yet as safe. This is a problem.

On Saturday, January 19, 2013 1:05:44 PM UTC-7, John Nagle wrote:

On 1/19/2013 11:16 AM, Kevin Gillette wrote:> Those sacrifice control,
and can be emulated through voluntary use of other
That's a classic view. Hoare and Dijkstra are the leaders of the
"Programming is hard" (and Programmers should Suffer for their Art)
school. Contrast "Programming is hard, let's go scripting", which
is a quote from Larry Wall, of Perl fame.

Too much code to be written to have much of it written by people
with the theoretical background to get it right from basic principles.
The language has to keep them out of trouble. The consequences of
mistakes must be obvious, rather than subtle.

Go is being promoted as something as easy to use as Javascript,
Perl, or Python. But it's not yet as safe. This is a problem.

John Nagle

On Sun, Jan 20, 2013 at 4:05 AM, John Nagle wrote:

Go is being promoted as something as easy to use as Javascript,
Perl, or Python. But it's not yet as safe. This is a problem.

On Saturday, January 19, 2013 1:22:05 PM UTC-7, minux wrote:


On Sun, Jan 20, 2013 at 4:05 AM, John Nagle <[email protected]<javascript:>
That's the price to pay for a practical system programming language.
If a system language has pointers, then you can always shoot yourself
in the foot by dereference the null pointer, and thus you can say it's
not a safe programming language as Javascript, Perl or Python are.
Yet, pointers are essential for a system programming language.

Nobody is saying Go is safe language in this regard (in fact, more than one
people have already pointed this out in this thread), so what's your point?

One more point, where did you get the illusion that "Go is being promoted
as
something as easy to use Javascript, Perl, or Python."?
In fact, golang.org/doc says:
"It's a fast, statically typed, compiled language that *feels like* a
dynamically
typed, interpreted language."
I don't believe any official Go documents claim that.

On 1/19/2013 1:18 PM, Kevin Gillette wrote:
Since Go is memory safe,

On Sun, Jan 20, 2013 at 8:41 PM, John Nagle wrote:
It's not, when there is concurrency. See

http://research.swtch.com/gorace

for a detailed discussion of the failure of memory safety in
concurrent Go programs. There's an example program you can run.

On Sunday, January 20, 2013 12:57:58 PM UTC-7, Jan Mercl wrote:
False statement. The Go language _is_ memory safe. The specific
implementation discussed _is not_ and it is very clearly written in
the article _you_ referenced. Actually as soon as in the _third_
sentence:

[Q]
Go is defined to be a safe language. Indices into array or string
references must be in bounds; there is no way to reinterpret the bits
of one type as another, no way to conjure a pointer out of thin air;
and there is no way to release memory, so no chance of “dangling
pointer” errors and the associated memory corruption and instability.

[B]In the current Go implementations, though, there are two ways to
break through these safety mechanisms.[/B] The first and more direct
way is to use package unsafe, specifically unsafe.Pointer. The second,
less direct way is to use a data race in a multithreaded program.
[/Q]

("emphasizes" mine)

I wonder how you could have missed that.

-j

I think it's still easy to miss a lot of these semantics when learning Go.
When I first looked into Go just over a year ago, after a few hours of
browsing through golang.org documents and linked articles, it wasn't even
clear that gccgo was separate from gc. Also, the wider realm of Go does
have some aspects that are without spec and implementation defined, such as
gofmt, and I had to do quite a big of digging to figure out how GOPATH
worked. We've certainly improved, but we've still got a ways to go in terms
of consolidating and organizing documentation before these concerns can be
fully approachable to newcomers.
--

On Sat, Jan 19, 2013 at 11:06 AM, Ziad Hatahet wrote:

Wouldn't you consider using unique pointers, or immutable types to be
"closer to perfection" than the status quo that Go employs?

On Fri, Jan 18, 2013 at 10:50 PM, Ziad Hatahet wrote:

On Fri, Jan 18, 2013 at 8:29 PM, Patrick Mylund Nielsen <
[email protected]> wrote:

What about an intermediate approach? Something like being able to prove at
compile time that only a single reference owns the data at a time, such as
via unique pointers (
http://pcwalton.github.com/blog/2012/10/03/unique-pointers-arent-just-about-memory-management
).

--
Ziad

On 1/18/2013 8:29 PM, Patrick Mylund Nielsen wrote:
To be fair, sharing values by communicating in most languages with
immutability isn't the same as sharing by communicating in languages with
mutability. The former can just share the memory since it is guaranteed to
not be modified--so it _is_ actually sharing memory because there's no
risk.

On Fri, Jan 18, 2013 at 8:13 PM, John Nagle wrote:
The "do not communicate by sharing memory; instead, share memory by
communicating” line in "Effective Go" is misleading. Erlang has that
property. Go doesn't.

On 1/18/2013 10:45 PM, Rob Pike wrote:
We don't claim Go has that property. Instead, we assert that the
language works best if your programs have that property. It's a motto,
not a feature.

On Jan 19, 2013 7:56 AM, "John Nagle" wrote:
This is what "Effective Go" says:

"Concurrent programming in many environments is made difficult by the
subtleties required to implement correct access to shared variables. Go
encourages a different approach in which shared values are passed around
on channels and, in fact, never actively shared by separate threads of
execution. Only one goroutine has access to the value at any given time.
Data races cannot occur, by design. To encourage this way of thinking we
have reduced it to a slogan:

Do not communicate by sharing memory; instead, share memory by
communicating."

Again, this is what is claimed for Go:

"ONLY ONE GOROUTINE HAS ACCESS TO THE VALUE AT ANY GIVEN TIME. DATA
RACES CANNOT OCCUR, BY DESIGN."

That statement is false.

The author of Effective Go has a bright future writing advertising
copy.

On 1/19/2013 9:37 PM, Ian Lance Taylor wrote:
We've thought quite a bit about how we could avoid race conditions.
We have not thought of a way to do it without sacrificing other
essential aspects of the language. If you have suggestions, let us
know. ...
"Do not communicate by sharing memory; instead, share memory by

On Tue, Jan 22, 2013 at 2:45 AM, John Nagle wrote:

Now we have soundness, but it's cost us some copying.
Can those copies be optimized out? Yes.

The optimization needed here is like tail recursion.
If the last access to a reference before it goes out of
scope is a send, then it need not be copied. In
the example above, both deep copies can be optimized out.

From the programmer perspective, this optimization is
invisible. As with tail recursion, it's valuable for
programmers to know this is going on, and it should
be guaranteed to the programmer that this happens in the
simple cases.

On Tue, Jan 22, 2013 at 4:24 AM, John Nagle wrote:
...
The Scheme specification does mandate tail recursion. See

http://people.csail.mit.edu/jaffer/r5rs_5.html#SEC23

On 21 January 2013 18:45, John Nagle wrote:
communicating" is presented (as) a slogan...

OK. Let's take it seriously, as an enforced feature, and see
where that takes us.

There are two main reasons sharing memory across concurrency
boundaries are considered useful - for performance, and for
explicit shared state. Let's look at the performance issue
first.

If you don't need shared state, copying all the data being
sent across concurrency boundaries works fine. The Python
multiprocessing system does that, even on the same CPU.
The overhead is high, but the functionality is usable.

That could be done in Go. Just do a deep copy of
anything sent on a channel, or passed into a goroutine.
This would break some programs, especially ones based
on the examples in "Effective Go". A slightly different
style is required, but it's not harder, just different.
Like this, for the sort example:

//
// Sort array of strings in background
//
func sorttask(inchan chan []string, outchan chan []string) {
list := <- inchan
sort.Strings(list)
outchan <- list // This would be a deep copy
}

func dosort() []string {
inchan := make(chan []string)
outchan := make(chan []string)
strs := make([]string, 0) // build up a string locally
strs = append(strs,"Hello")
strs = append(strs,"to")
strs = append(strs,"the")
strs = append(strs,"World")
go sorttask(inchan, outchan)
inchan <- in // This would be a deep copy.
result := <- outchan
return result
}

Now we have soundness, but it's cost us some copying.
Can those copies be optimized out? Yes.

The optimization needed here is like tail recursion.
If the last access to a reference before it goes out of
scope is a send, then it need not be copied. In
the example above, both deep copies can be optimized out.

From the programmer perspective, this optimization is
invisible. As with tail recursion, it's valuable for
programmers to know this is going on, and it should
be guaranteed to the programmer that this happens in the
simple cases.

This covers one of the major use cases in server-side
programming - a program makes multiple requests to
other servers and databases to collect data to build
up a reply page. Making those requests in parallel is necessary
for performance. The reply is usually much bigger than the
query, so copying it is undesirable.

The concurrent code which services the requests has no further need of
the data once it's been passed back to the requester. So
the last act of each service goroutine should be to send the
big result on the reply channel. It won't have to be copied.
There's no performance penalty for the safe approach.

So that's a way of addressing the performance issue.

Accessing shared state is tougher. But Go gives us some
tools for that. Channels are explicitly concurrency-safe,
and it's permitted to pass a channel over a channel.
So you can do proxy-type operations, where a concurrent
operation is passed channels by which it can communicate
with some some central state. This is kind of clunky,
but sound. Perhaps it could be packaged in some way
that makes it look more like a function call. Take
a look at the Python multiprocessing module


http://docs.python.org/2/library/multiprocessing.html#module-multiprocessing

"16.6.1.4. Sharing state between processes".

That provides two mechanisms - proxy objects, and atomic maps.

Some programmer-friendly way to do proxy objects, where there
are really two channels but it looks like a function call,
could substitute for shared state and mutexes.

Atomic maps are worth having available. Not all maps need to
be atomic, but atomic map types don't have to be deep-copied and
can be shared. So atomic maps become the preferred mechanism
for storing shared state. (However, data put into an atomic
map may have to be deep-copied. This prevents leaking a
reference over a concurrency boundary).

This is a true "share memory by communicating" approach.
One with less overhead, no race conditions, and no need
for user mutexes.

Comments?

John Nagle

--

On 1/21/2013 11:19 AM, Donovan Hide wrote:
I've used the Python multiprocessing package a lot for web-scraping and
found it to be very clunky indeed :-)

On Mon, Jan 21, 2013 at 3:02 PM, John Nagle wrote:
Agreed. The performance is awful. It's interesting from a
functionality standpoint that they made it work at all.
It's a technical solution to a political problem in the Python
community. Python needs the GIL so that you can change anything at
any time from any thread. In Python, you can monkey-patch running
code from another thread. Supporting this makes concurrency very
difficult. Not supporting it upsets Python's little tin god.
After about twenty programming languages, and watching the mistakes
go by, I'm disappointed with Go. Go is touted as having a safe
solution to efficient concurrency. It doesn't. We need such
a language. We have more concurrent hardware out there now than
concurrent software that can use it. But it's very easy to screw
up concurrent code, and it's very difficult to debug.

Erlang is interesting because it's used to run big real-world
telephone switches. That's a high-reliability application that's
very parallel and is mostly control and I/O, not computation.
It's not just an academic language. But it's functional, and
that's a hard transition for many programmers.

Go is a good sequential language, but the concurrency is
not well designed. It's good old Hoare bounded buffers,
mutexes the programmer can sprinkle around, and a freeze-the
world garbage collector. That's adequate, but no more error
resistant than Java or C#. Go needs to offer a big win
over those alternatives.

John Nagle

--

On 1/21/2013 12:19 PM, Patrick Mylund Nielsen wrote:
Go makes it easier to play it safe, but it does not guarantee it. I don't
know that you could do what you're asking and keep the language familiar to
people who know traditional "imperative" languages.

On Mon, Jan 21, 2013 at 4:19 PM, John Nagle wrote:
That's the problem I'm trying to solve. Having solved some tougher
problems in the past, it doesn't look impossible. Just hard.

We don't have to go to something exotic like a functional language
or single assignment or single ownership pointers to fix this.

Javascript programmers are already used to Java's pseudo-concurrency
model based on callbacks. That works out surprisingly well, even though
the Javascript crowd tends to use global variables to communicate with
callbacks when they should be using closures. It might be helpful to
have a way to to turn the "send on channel, wait for reply on another
channel" idiom into something that looks like a Javascript callback.
That may be unnecessary, but it's an option if the idiom is too
complex for most users.

Screwups on language safety in a new design are unacceptable. We
already have a collection of bad languages, and the CERT security
advisories that come from them. When you really blow it, it
looks like this:


http://bits.blogs.nytimes.com/2013/01/14/department-of-homeland-security-disable-java-unless-it-is-absolutely-necessary/

“Unless it is absolutely necessary to run Java in Web browsers, disable
it (Java). This will help mitigate other Java vulnerabilities that may
be discovered in the future.” - Department of Homeland Security
“Too often we enjoy the comfort of opinion without the discomfort of
thought.”

John Nagle

--

Javascript programmers are already used to Java's pseudo-concurrency
model based on callbacks. That works out surprisingly well, even though
the Javascript crowd tends to use global variables to communicate with
callbacks when they should be using closures. It might be helpful to
have a way to to turn the "send on channel, wait for reply on another
channel" idiom into something that looks like a Javascript callback.
That may be unnecessary, but it's an option if the idiom is too
complex for most users.

It might be helpful to

http://play.golang.org/p/cfdqgzpBWX

:-)