[E-Lang] Promises, equality and trust

Mark Seaborn mrs35@cam.ac.uk
Thu, 26 Jul 2001 22:54:42 +0100


I have some questions about promises.

It seems that promises are given special treatment in E.  When they
resolve, promises *become* the reference they resolved to, rather than
just being proxies.  This has the effects that:

 * Immutable circular data structures can be created.  (Though I
   wonder if this is a hazard, since it means that when traversing a
   data structure you have to worry about whether it contains cycles.)

 * Once resolved to an object, a promise stays resolved to that
   object.  This is useful for efficiency in terms of cacheing, and in
   terms of reducing latency (if a resolved promise is passed to
   another vat, the other vat gets the object the promise resolved to,
   not a proxy).  It also seems useful from a correctness point of
   view -- the object a promise is resolved to can't change underneath
   you.  This advantage seems to be thrown away by using the Miranda
   method whenResolved for detecting resolution, since the object a
   promise resolved to may tell the observer that the promise resolved
   to something else.  eg.

     when(X) -> done(Y) { Z } ...

   When Z is executed, X will be resolved.  What, then, is the point
   of Y?  If promises are a primitive provided by the vat, why isn't
   there a per-vat whenResolved function instead of a Miranda method?

(Incidentally, what is the origin of the term `Miranda method'?
Presumably it doesn't come from the language Miranda.)

Does a holder of a promise always get told about the promise's
resolution, or does this information only come through the call to an
observer passed to a whenResolved message, with the local proxy for
the promise wrapping the observer passed in whenResolved so that it
detects the resolution too?  (Giving whenResolved special treatment in
this way does not seem very elegant.)

Presumably promise references are tagged as being promises when they
are sent in messages.  This would mean that promises cannot be
implemented in the E language.  Is that right?

If the invocation of observers passed in whenResolved messages is the
way promises get resolved to values, wouldn't that mean promises can
get resolved to different values in different vats?  A promise that
started out being equal to itself would end up splitting into
inconsistent values.


Another concern I have:  If Alice passes to Carol her reference to Bob,
Carol's vat will have to establish a connection to Bob's vat in order
to send messages to Bob (assuming all three live in different vats).
Assuming Bob and Bob's vat are in collusion, Bob will be able to
distinguish between messages from Alice and messages from Carol.

If Bob doesn't want Alice to delegate Bob's authority to Carol,
obviously Bob will not be able to stop this, but if Alice's default
behaviour is to leave Carol to establish a new connection with Bob,
Bob will be able to recognise this, and silently let Carol's reference
to Bob do something different to Alice's reference to Bob.

Should the default behaviour be to provide proxies to delegate
authority unless we explicitly trust vats to play nice and ensure that
a reference works the same regardless of what connection it is used
through?

I'm assuming the network is not anonymous, which I think is
reasonable, but even if that's not the case, the
connection-orientedness of E's protocol could lead to different
behaviours of the same reference over different connections.

-- 
         Mark Seaborn
   - mseaborn@bigfoot.com - http://www.srcf.ucam.org/~mrs35/ -

           Superconductor, n.  railroad employee of the month.