Comments (2)
Example problem (found by AFL and simplified):
There are two vats, Client and Server, each of which starts with a reference to the other's bootstrap service. All calls either return a single capability (x
) or Void.
- Client makes a call, q1, on the server's bootstrap object, getting a promise a=q1.x
- Client makes another call, q2, on the same target, getting promise b=q2.x.
- Server asks one question, q3 (c=q3.x)
- Client responds to q3 with a (the unresolved promised cap from its q1)
- Server responds to q1 with client_bs (the client's bootstrap service, resolved)
- Server responds to q2 with c (q3.x, still unresolved)
- Client makes call m1 on b (sent to q2)
- Client receives response a=client_bs (no embargo needed)
- Client receives response b=q3.x, which is a.
This was q1.x at the time q3 returned, but client_bs now. Which should it use?
If client_bs, it embargoes the target due to m1.
If not, b now points at the returned q1, which seems odd. - Client makes call m2 on b (which is then held at the embargo).
- Server receives response that c=q1.x (which is client_bs).
- Server receives m1 and forwards it to q3.x.
- Server sends disembargo response back to client.
- Client receives m1 and forwards it to q1 (the resolution it gave for q3).
- Client disembargoes b and sends m2 to client_bs.
With b set to the embargoed client_bs in step 9, m2 arrives before m1 (which is now on its way back to the server again). Perhaps a second disembargo is needed?
Alternatively, if b was set to point at q1.x, I think the messages will arrive in the correct order.
But then b ends up pointing to the answered q1, rather than directly at client_bs.
As a third alternative, if messages are sent to their current, more resolved destination (ignoring the spec) then this case works, but can be made to break by sending another message down q3 before m1 arrives at c. Then the server embargoes m1, and m2 arrives first again.
from capnp-rpc.
From https://groups.google.com/forum/#!msg/capnproto/_1kBtRSC51s/GfDTdkLpAgAJ:
Nice example!
It looks like the C++ implementation today will decide b = q1.x, and never allow it to further resolve to client_bs. This "works" but is clearly suboptimal.
For a correct solution, we need to recognize that Disembargo messages can "bounce" multiple times:
The disembargo sent in step 9 has a final destination of client_bs.
In order to get there, it has to bounce back and forth between the client and server twice:
- The client sends it towards q2.x.
- The server, recognizing that it resolved q2.x to q3.x, reflects the embargo towards q3.x.
- The client, recognizing that it resolved q3.x to q1.x, reflects back to the server again.
- The server, recognizing that q1.x resolved to client_bs, finally reflects back to client_bs.
This gives m1 enough time to arrive before the disembargo.
It looks like this is not implemented correctly in C++ currently. It appears the C++ implementation ignores disembargo.messageTarget in the case that the Disembargo has type
receiverLoopback
. This is incorrect -- it needs to verify that the embargo has reached its final destination, not an intermediate promise. (However, it is "saved" by the suboptimal behavior mentioned above.)
from capnp-rpc.
Related Issues (20)
- Connecting to self-hosted sturdy refs
- When not using TLS, use address as ID
- Limit queue sizes
- capnp-rpc via TLS: authentication? HOT 5
- Creating one Vat for a service that requires a client capability for the initialisation of the server HOT 5
- Error compiling persistent.capnp when installing HOT 2
- Async version? HOT 1
- [lwt, unix] Release supporting OCaml 4.06 HOT 2
- Noise protocol support HOT 2
- Tests fail if opam switch name is too long
- Exercise Help: Callback.log question HOT 1
- lwt backend without a dep on `tls`? HOT 2
- synchronous backend? HOT 3
- Level 3 HOT 2
- Error: This vat only supports a bootstrap interface, not the old Cap'n-Proto-0.4-style named exports HOT 4
- Race conditions in test suite.
- [Question] dec_ref on an interface HOT 5
- `Invalid capability index!` when trying to return a capability reference from the server to the client. HOT 2
- Capnp build error on 32bit x86: Value too large for defined data type. HOT 5
- Examples: alternative roadmaps? HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from capnp-rpc.