Fix EventLoopFuture and EventLoopPromise under strict concurrency checking
#2654
Conversation
FranzBusch
force-pushed
the
fb-event-loop-future-sendable
branch
2 times, most recently
from
d95beaf to
b438afd
Compare
| public func succeed(eventLoopBoundValue: Value) { | ||
| self._resolve(eventLoopBoundResult: .success(eventLoopBoundValue)) | ||
| } |
There was a problem hiding this comment.
I'm not sure this is the right spelling; the pattern we have for functions which must be called on the right EL with runtime assertions are synchronous views (e.g. ChannelPipeline.SynchronousOperations and Channel.syncOptions).
It also skirts around the slight oddity with this API in that you could call this function with a Sendable i.e. not EL bound value with no ill side effect.
There was a problem hiding this comment.
I agree. I removed those loopBound APIs from this PR since they are really part of the AssumeIsolated PR
… checking # Motivation We need to tackle the remaining strict concurrency checking related `Sendable` warnings in NIO. The first place to start is making sure that `EventLoopFuture` and `EventLoopPromise` are properly annotated. # Modification In a previous apple#2496, @weissi changed the `@unchecked Sendable` conformances of `EventLoopFuture/Promise` to be conditional on the sendability of the generic `Value` type. After having looked at all the APIs on the future and promise types as well as reading the latest Concurrency evolution proposals, specifically the [Region based Isolation](https://github.com/apple/swift-evolution/blob/main/proposals/0414-region-based-isolation.md), I came to the conclusion that the previous `@unchecked Sendable` annotations were correct. The reasoning for this is: 1. An `EventLoopPromise` and `EventLoopFuture` pair are tied to a specific `EventLoop` 2. An `EventLoop` represents an isolation region and values tied to its isolation are not allowed to be shared outside of it unless they are disconnected from the region 3. The `value` used to succeed a promise often come from outside the isolation domain of the `EventLoop` hence they must be transferred into the promise. 4. The isolation region of the event loop is enforced through `@Sendable` annotations on all closures that receive the value in some kind of transformation e.g. `map()` 5. Any method on `EventLoopFuture` that combines itself with another future must require `Sendable` of the other futures `Value` since we cannot statically enforce that futures are bound to the same event loop i.e. to the same isolation domain Due to the above rules, this PR adds back the `@unchecked Sendable` conformances to both types. Furthermore, this PR revisits every single method on `EventLoopPromise/Future` and adds missing `Sendable` and `@Sendable` annotation where necessary to uphold the above rules. A few important things to call out: - Since `transferring` is currently not available this PR requires a `Sendable` conformance for some methods on `EventLoopPromise/Future` that should rather take a `transffering` argument - To enable the common case where a value from the same event loop is used to succeed a promise I added two additional methods that take a `eventLoopBoundResult` and enforce dynamic isolation checking. We might have to do this for more methods once we adopt those changes in other targets/packages. # Result After this PR has landed our lowest level building block should be inline with what the rest of the language enforces in Concurrency. The `EventLoopFuture.swift` produces no more warnings under strict concurrency checking on the latest 5.10 snapshots.
FranzBusch
force-pushed
the
fb-event-loop-future-sendable
branch
from
b438afd to
a5c83a4
Compare
FranzBusch
force-pushed
the
fb-event-loop-future-sendable
branch
from
a5c83a4 to
5d20621
Compare
| // transfer the value to the promise. This ensures that the value is now isolated to the event loops | ||
| // isolation domain. Note: Sendable values can always be transferred | ||
|
|
||
| extension EventLoopPromise: @unchecked Sendable { } |
There was a problem hiding this comment.
No need for unchecked. EventLoopFuture is already Sendable and that is the only store property.
| extension EventLoopPromise: @unchecked Sendable { } | |
| extension EventLoopPromise: Sendable { } |
There was a problem hiding this comment.
I think this still applies.
|
I've modified this further, and also added some narrative documentation explaining the thinking behind the type. Please re-review. |
| are `@Sendable`. This is not a long-term position, but reflects the need to continue | ||
| to support Swift 5 code which requires this stricter standard. In a future release of | ||
| SwiftNIO we expect to relax this constraint: if you need this relaxed constraint | ||
| then please file an issue. |
There was a problem hiding this comment.
Not sure the repeated exact Note as above here isn't too confusing, maybe explicitly call out what "these" are or shorten the repeated notes?
| and ``EventLoopFuture/get()``. These APIs can only safely be called when the ``EventLoopFuture`` | ||
| is carrying a `Sendable` value. This is because ``EventLoopFuture``s hold on to their value and | ||
| can give it to other closures or other callers of `get` and `wait`. Thus, `sending` is not | ||
| sufficient. |
| @@ -457,10 +457,10 @@ public final class ChannelPipeline: ChannelInvoker { | |||
| let promise = self.eventLoop.makePromise(of: ChannelHandlerContext.self) | |||
|
|
|||
| if self.eventLoop.inEventLoop { | |||
| promise.completeWith(self.contextSync(handler: handler)) | |||
| promise.assumeIsolated().completeWith(self.contextSync(handler: handler)) | |||
There was a problem hiding this comment.
assumeIsolated() is a noop in release, right?
There was a problem hiding this comment.
Right now it is but it needs to change. It uses asserts to check but we need to upgrade this preconditions since check at creation time is not enough similar to loop bound. Here is an example where just a precondition on creation of the assumeIsolated would fail
// On the EL
let assumeIsolated = someFuture.assumeIsolated()
assumeIsolated.wait() // Fine without a compiler error since it is no longer required to be Sendable. Also no runtime crash
await withTaskExecutorPreference(someRandomExec) {
assumeIsolated.wait() // No compiler error but runtime crash now
}
There was a problem hiding this comment.
@FranzBusch the line above is if self.eventLoop.inEventLoop(), so the assumeIsolated() is duplicated.
There was a problem hiding this comment.
Ah sorry, I thought you were asking in a more general term. In this particular case I don't know if the compiler is able to optimise the precondition away.
There was a problem hiding this comment.
No, it doesn't do that sort of thing. If we're not sure that this is a noop, we should remove it here. Already not super cheap to check it
There was a problem hiding this comment.
Or do assertIsolated not preconditionIsolated
|
|
||
| A related concept to an "isolation domain" is an "executor". Again, useful reading can be found in | ||
| [SE-0392 (Custom actor executors)](https://github.com/swiftlang/swift-evolution/blob/main/proposals/0392-custom-actor-executors.md). | ||
| At a high level, an executor is simply an object that is capable of executing Swift `Task`s. Executors can be |
There was a problem hiding this comment.
Probably a nit but I'm not sure if Task is 100% correct here. Like there's no way to retrieve a let theTask: Task from a child task. But then, child tasks still ask Task.isCancelled so maybe it is correct :).
I would've said that they can run Jobs but then that's not really terminology that's actually used. Probably fine
There was a problem hiding this comment.
I tried for a while to rewrite this and couldn't come up with anything I liked. If we think of anything better we can change it.
Lukasa
added
semver/minor
Motivation
We need to tackle the remaining strict concurrency checking related
Sendablewarnings in NIO. The first place to start is making sure thatEventLoopFutureandEventLoopPromiseare properly annotated.Modification
In a previous #2496, @weissi changed the
@unchecked Sendableconformances ofEventLoopFuture/Promiseto be conditional on the sendability of the genericValuetype. After having looked at all the APIs on the future and promise types as well as reading the latest Concurrency evolution proposals, specifically the Region based Isolation, I came to the conclusion that the previous@unchecked Sendableannotations were correct. The reasoning for this is:EventLoopPromiseandEventLoopFuturepair are tied to a specificEventLoopEventLooprepresents an isolation region and values tied to its isolation are not allowed to be shared outside of it unless they are disconnected from the regionvalueused to succeed a promise often come from outside the isolation domain of theEventLoophence they must be transferred into the promise.@Sendableannotations on all closures that receive the value in some kind of transformation e.g.map()orwhenComplete()EventLoopFuturethat combines itself with another future must requireSendableof the other futuresValuesince we cannot statically enforce that futures are bound to the same event loop i.e. to the same isolation domainDue to the above rules, this PR adds back the
@unchecked Sendableconformances to both types. Furthermore, this PR revisits every single method onEventLoopPromise/Futureand adds missingSendableand@Sendableannotation where necessary to uphold the above rules. A few important things to call out:transferringis currently not available this PR requires aSendableconformance for some methods onEventLoopPromise/Futurethat should rather take atransfferingargumenteventLoopBoundResultand enforce dynamic isolation checking. We might have to do this for more methods once we adopt those changes in other targets/packages.Result
After this PR has landed our lowest level building block should be inline with what the rest of the language enforces in Concurrency. The
EventLoopFuture.swiftproduces no more warnings under strict concurrency checking on the latest 5.10 snapshots.