Identity et al (was Re: [E-Lang] Authority -- what is its dual?)
Mark S. Miller
markm@caplet.com
Mon, 22 Oct 2001 09:51:16 -0700

At 08:41 AM 10/22/2001 Monday, Jonathan A Rees wrote:
>In the meantime, please try to answer my question of which AYCDISAM
>language / framework to use as a basis of discussion - one that is
>simple, formal, and can be used as a launching pad for explorations of
>the important issues - i.e. needn't be replaced when new issues need
>to be addressed.
>[...] Let's pick a particular semantics (satisfying
>AYCDISAM) for the concurrent case so that we're not talking past one
>another. I was going to propose an operational semantics of CBV
>lambda-calculus plus asynchronous message passing and state (maybe the
>actors "become" primitive), but hadn't worked out the details. Act I?
>FCP? Toontalk? Pi-calculus?

Dean may find it awkward to do so, so I suggest Kernel-Joule with Energetic
Secrets. Joule has done a better job than any of these others that I've
grokked at arriving at principled answers to the questions we're currently
wrestling with.

About the above qualifier, the systems above that I've grokked:

    lambda calculus itself
    Act-1
    FCP
    Toontalk

I don't know what CBV is.

I don't grok the Pi calculus, and it's not based on message passing anyway,
but on rendezvous. Rendezvous is probably necessary to deal with resource
use explicitly, although the Pi calculus does not. Which brings us to:

The *only* general purpose systems I know that deal with resources in a
principled way <http://www.agorics.com/Library/agoricpapers/aos/aos.4.html>
are KeyKOS and EROS. (In these, "message passing" is indeed rendezvous.)
EROS's may be more principled (KeyKOS can't really allocate specific cpu
time, although there's a story), but KeyKOS is the only one whose semantics
of resource allocation I believe I fully understand. But if there's a reason
to switch to EROS, I can handle it.

The way Joule and E have always planned to bring in principled handling of
resources (budgets, throttling, eviction, extensible exhaustion policies
(keepers), etc) is to imagine running a Joule Tank / E Vat inside a KeyKOS /
EROS Domain. Resource use within a Tank/Vat/Domain is a commons, and
therefore entities within can freely deny service to other cohabitants by
exhausting resources. But such a unit as a whole only consumes explicitly
allocated resources, where the right to allocate and use follows strict
capability discipline. Therefore, *within* this formal system, these
entities cannot successfully mount resource exhaustion attacks on each
other. (Ping attacks and such have to be solved elsewhere, like DSR
<http://www.agorics.com/Library/dsr.html>, but let's leave that for another day.)

In any case, let's see how far we can get talking just about Kernel Joule with
Energetic Secrets before we need to imagine Joule embedded in KeyKOS / EROS.

Just to reiterate how all this is relevant to E: In my head, E is a
compromised form of Joule, and I understand E's semantics by derivation from
my understanding of Joule's. The issues raised here are as important for E
as for Joule, but can only be understood well by understanding them first in
a simpler system -- such as Joule.

Cheers,
--MarkM