1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
|
// Copyright 2015 The Bazel Authors. All rights reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package com.google.devtools.build.lib.syntax;
import com.google.common.base.Preconditions;
import com.google.common.collect.Iterables;
import com.google.devtools.build.lib.events.Location;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Formattable;
import java.util.IdentityHashMap;
import java.util.List;
/**
* An object that manages the capability to mutate Skylark objects and their {@link Environment}s.
* Collectively, the managed objects are called {@link Freezable}s.
*
* <p>Each {@code Environment}, and each of the mutable Skylark values (i.e., {@link
* SkylarkMutable}s) that are created in that {@code Environment}, holds a pointer to the same
* {@code Mutability} instance. Once the {@code Environment} is done evaluating, its {@code
* Mutability} is irreversibly closed ("frozen"). At that point, it is no longer possible to change
* either the bindings in that {@code Environment} or the state of its objects. This protects each
* {@code Environment} from unintentional and unsafe modification.
*
* <p>{@code Mutability}s enforce isolation between {@code Environment}s; it is illegal for an
* evaluation in one {@code Environment} to affect the bindings or values of another. In particular,
* the {@code Environment} for any Skylark module is frozen before its symbols can be imported for
* use by another module. Each individual {@code Environment}'s evaluation is single-threaded, so
* this isolation also translates to thread safety. Any number of threads may simultaneously access
* frozen data. (The {@code Mutability} itself is also thread-safe if and only if it is frozen.}
*
* <p>Although the mutability pointer of a {@code Freezable} contains some debugging information
* about its context, this should not affect the {@code Freezable}'s semantics. From a behavioral
* point of view, the only thing that matters is whether the {@code Mutability} is frozen, not what
* particular {@code Mutability} object is pointed to.
*
* <p>A {@code Mutability} also tracks which {@code Freezable} objects in its {@code Environment}
* are temporarily locked from mutation. This is used to prevent modification of iterables during
* loops. A {@code Freezable} may be locked multiple times (e.g., nested loops over the same
* iterable). Locking an object does not prohibit mutating its deeply contained values, such as in
* the case of a list of lists.
*
* <p>We follow two disciplines to ensure safety. First, all mutation methods of a {@code Freezable}
* must take in a {@code Mutability} as a parameter, and confirm that
* <ol>
* <li>the {@code Freezable} is not yet frozen,
* <li>the given {@code Mutability} matches the one referred to by the {@code Freezable}, and
* <li>the {@code Freezable} is not locked.
* </ol>
* It is a high-level error ({@link MutabilityException}, which gets translated to {@link
* EvalException}) to attempt to modify a frozen or locked value. But it is a low-level error
* ({@link IllegalArgumentException}) to attempt to modify a value using the wrong {@link
* Mutability} instance, since the user shouldn't be able to trigger this situation under normal
* circumstances.
*
* <p>Second, {@code Mutability}s are created using the try-with-resource style:
* <pre>{@code
* try (Mutability mutability = Mutability.create(fmt, ...)) { ... }
* }</pre>
* The general pattern is to create a {@code Mutability}, build an {@code Environment}, mutate that
* {@code Environment} and its objects, and possibly return the result from within the {@code try}
* block, relying on the try-with-resource construct to ensure that everything gets frozen before
* the result is used. The only code that should create a {@code Mutability} without using
* try-with-resource is test code that is not part of the Bazel jar.
*
* <p>We keep some (unchecked) invariants regarding where {@code Mutability} objects may appear
* within a compound value.
* <ol>
* <li>A compound value can never contain an unfrozen {@code Mutability} for any {@code
* Environment} except the one currently being evaluated.
* <li>If a value has the special {@link #IMMUTABLE} {@code Mutability}, all of its contents are
* themselves deeply immutable too (i.e. have frozen {@code Mutability}s).
* <li>If a value has the special {@link #SHALLOW_IMMUTABLE} {@code Mutability}, its contents may
* or may not be mutable.
* </ol>
* It follows that, if these invariants hold, an unfrozen value cannot appear as the child of a
* value whose {@code Mutability} is already frozen, unless this {@code Mutability} is the special
* {@code #SHALLOW_IMMUTABLE} instance. This knowledge is used by {@link SkylarkMutable#isImmutable}
* to prune traversals of a compound value.
*
* <p>There is a special API for freezing individual values rather than whole {@code Environment}s.
* Because this API makes it easier to violate the above invariants, you should avoid using it if at
* all possible; at the moment it is only used for serialization. Under this API, you may call
* {@link Freezable#unsafeShallowFreeze} to reset a value's {@code Mutability} pointer to be {@link
* #IMMUTABLE}. This operation has no effect on the {@code Mutability} itself. It is up to the
* caller to preserve or restore the above invariants by ensuring that any deeply contained values
* are also frozen. For safety and explicitness, this operation is disallowed unless the {@code
* Mutability}'s {@link #allowsUnsafeShallowFreeze} method returns true.
*/
public final class Mutability implements AutoCloseable, Serializable {
/**
* If true, mutation of any {@link Freezable} associated with this {@code Mutability} is
* disallowed.
*/
private boolean isFrozen;
/**
* For each locked {@link Freezable}, stores all {@link Location}s where it is locked.
*
* This field is set null once the {@code Mutability} is closed. This saves some space, and avoids
* a concurrency bug from multiple Skylark modules accessing the same {@code Mutability} at once.
*/
private IdentityHashMap<Freezable, List<Location>> lockedItems;
/** For error reporting; a name for the context in which this {@code Mutability} is used. */
private final Formattable annotation;
/** Controls access to {@link Freezable#unsafeShallowFreeze}. */
private final boolean allowsUnsafeShallowFreeze;
private Mutability(Formattable annotation, boolean allowsUnsafeShallowFreeze) {
this.isFrozen = false;
// Seems unlikely that we'll often lock more than 10 things at once.
this.lockedItems = new IdentityHashMap<>(10);
this.annotation = Preconditions.checkNotNull(annotation);
this.allowsUnsafeShallowFreeze = allowsUnsafeShallowFreeze;
}
/**
* Creates a {@code Mutability}.
*
* @param pattern is a {@link Printer#format} pattern used to lazily produce a string name
* for error reporting
* @param arguments are the optional {@link Printer#format} arguments to produce that string
*/
public static Mutability create(String pattern, Object... arguments) {
return new Mutability(
Printer.formattable(pattern, arguments),
/*allowsUnsafeShallowFreeze=*/ false);
}
/**
* Creates a {@code Mutability} whose objects can be individually frozen; see docstrings for
* {@link Mutability} and {@link Freezable#unsafeShallowFreeze}.
*/
public static Mutability createAllowingShallowFreeze(String pattern, Object... arguments) {
return new Mutability(
Printer.formattable(pattern, arguments),
/*allowsUnsafeShallowFreeze=*/ true);
}
public String getAnnotation() {
return annotation.toString();
}
@Override
public String toString() {
return String.format(isFrozen ? "(%s)" : "[%s]", annotation);
}
public boolean isFrozen() {
return isFrozen;
}
/**
* Return whether a {@link Freezable} belonging to this {@code Mutability} is currently locked.
* Frozen objects are not considered locked, though they are of course immutable nonetheless.
*
* @throws IllegalArgumentException if the {@code Freezable} does not belong to this {@code
* Mutability}
*/
public boolean isLocked(Freezable object) {
Preconditions.checkArgument(object.mutability().equals(this),
"trying to check the lock of an object from a different context");
if (isFrozen) {
return false;
}
return lockedItems.containsKey(object);
}
/**
* For a locked {@link Freezable} that belongs to this {@code Mutability}, return a List of the
* {@link Location}s corresponding to its current locks.
*
* @throws IllegalArgumentException if the {@code Freezable} does not belong to this {@code
* Mutability}
*/
public List<Location> getLockLocations(Freezable object) {
Preconditions.checkArgument(isLocked(object),
"trying to get lock locations for an object that is not locked");
return lockedItems.get(object);
}
/**
* Add a lock on a {@link Freezable} belonging to this {@code Mutability}. The object cannot be
* mutated until all locks on it are gone. For error reporting purposes each lock is
* associated with its originating {@link Location}.
*
* @throws IllegalArgumentException if the {@code Freezable} does not belong to this {@code
* Mutability}
*/
public void lock(Freezable object, Location loc) {
Preconditions.checkArgument(object.mutability().equals(this),
"trying to lock an object from a different context");
if (isFrozen) {
return;
}
List<Location> locList;
if (!lockedItems.containsKey(object)) {
locList = new ArrayList<>();
lockedItems.put(object, locList);
} else {
locList = lockedItems.get(object);
}
locList.add(loc);
}
/**
* Remove the lock for a given {@link Freezable} that is associated with the given {@link
* Location}.
*
* @throws IllegalArgumentException if the object does not belong to this {@code Mutability}, or
* if the object has no lock corresponding to {@code loc}
*/
public void unlock(Freezable object, Location loc) {
Preconditions.checkArgument(object.mutability().equals(this),
"trying to unlock an object from a different context");
if (isFrozen) {
// It's okay if we somehow got frozen while there were still locked objects.
return;
}
Preconditions.checkArgument(lockedItems.containsKey(object),
"trying to unlock an object that is not locked");
List<Location> locList = lockedItems.get(object);
if (!locList.remove(loc)) {
throw new IllegalArgumentException(
Printer.format(
"trying to unlock an object for a location at which it was not locked (%r)", loc));
}
if (locList.isEmpty()) {
lockedItems.remove(object);
}
}
/**
* Freezes this {@code Mutability}, rendering all {@link Freezable} objects that refer to it
* immutable.
*
* Note that freezing does not directly touch all the {@code Freezables}, so this operation is
* constant-time.
*
* @return this object, in the fluent style
*/
public Mutability freeze() {
// No need to track per-Freezable info since everything is immutable now.
lockedItems = null;
isFrozen = true;
return this;
}
@Override
public void close() {
freeze();
}
/**
* Returns whether {@link Freezable}s having this {@code Mutability} allow the {@link
* #unsafeShallowFreeze} operation.
*/
public boolean allowsUnsafeShallowFreeze() {
return allowsUnsafeShallowFreeze;
}
/** Indicates an illegal attempt to mutate a frozen or locked {@link Freezable}. */
static class MutabilityException extends Exception {
MutabilityException(String message) {
super(message);
}
}
/**
* An object that refers to a {@link Mutability} to decide whether to allow mutation. All
* {@link Freezable} Skylark objects created within a given {@link Environment} will share the
* same {@code Mutability} as that {@code Environment}.
*/
public interface Freezable {
/**
* Returns the {@link Mutability} associated with this {@code Freezable}. This should not change
* over the lifetime of the object, except by calling {@link #shallowFreeze} if applicable.
*/
Mutability mutability();
/**
* Freezes this object (and not its contents). Use with care.
*
* <p>This method is optional (i.e. may throw {@link NotImplementedException}).
*
* <p>If this object's {@link Mutability} is 1) not frozen, and 2) has {@link
* #allowUnsafeShallowFreeze} return true, then the object's {@code Mutability} reference is
* updated to point to {@link #IMMUTABLE}. Otherwise, this method throws {@link
* IllegalArgumentException}.
*
* <p>It is up to the caller to ensure that any contents of this {@code Freezable} are also
* frozen in order to preserve/restore the invariant that an immutable value cannot contain a
* mutable one unless the immutable value's {@code Mutability} is {@link #SHALLOW_IMMUTABLE}.
* Note that {@link SkylarkMutable#isImmutable} correctness and thread-safety are not guaranteed
* otherwise.
*/
default void unsafeShallowFreeze() {
throw new UnsupportedOperationException();
}
/**
* Throws {@link IllegalArgumentException} if the precondition for {@link #unsafeShallowFreeze}
* is violated. To be used by implementors of {@link #unsafeShallowFreeze}.
*/
static void checkUnsafeShallowFreezePrecondition(
Freezable freezable) {
Mutability mutability = freezable.mutability();
if (mutability.isFrozen()) {
// It's not safe to rewrite the Mutability pointer if this is already frozen, because we
// could be accessed by multiple threads.
throw new IllegalArgumentException(
"cannot call unsafeShallowFreeze() on an object whose Mutability is already frozen");
}
if (!mutability.allowsUnsafeShallowFreeze()) {
throw new IllegalArgumentException(
"cannot call unsafeShallowFreeze() on a mutable object whose Mutability's "
+ "allowsUnsafeShallowFreeze() == false");
}
}
}
/**
* Checks that the given {@code Freezable} can be mutated using the given {@code Mutability}, and
* throws an exception if it cannot.
*
* @throws MutabilityException if the object is either frozen or locked
* @throws IllegalArgumentException if the given {@code Mutability} is not the same as the one
* the {@code Freezable} is associated with
*/
public static void checkMutable(Freezable object, Mutability mutability)
throws MutabilityException {
if (object.mutability().isFrozen()) {
// Throw MutabilityException, not IllegalArgumentException, even if the object was from
// another context.
throw new MutabilityException("trying to mutate a frozen object");
}
// Consider an {@link Environment} e1, in which is created {@link UserDefinedFunction} f1, that
// closes over some variable v1 bound to list l1. If somehow, via the magic of callbacks, f1 or
// l1 is passed as an argument to some function f2 evaluated in {@link Environment} e2 while e1
// is still mutable, then e2, being a different {@link Environment}, should not be allowed to
// mutate objects from e1. It's a bug, that shouldn't happen in our current code base, so we
// throw an IllegalArgumentException. If in the future such situations are allowed to happen,
// then we should throw a MutabilityException instead.
if (!object.mutability().equals(mutability)) {
throw new IllegalArgumentException("trying to mutate an object from a different context");
}
if (mutability.isLocked(object)) {
Iterable<String> locs =
Iterables.transform(mutability.getLockLocations(object), Location::print);
throw new MutabilityException(
"trying to mutate a locked object (is it currently being iterated over by a for loop "
+ "or comprehension?)\n"
+ "Object locked at the following location(s): "
+ String.join(", ", locs));
}
}
/**
* A {@code Mutability} indicating that a value is deeply immutable.
*
* <p>It is not associated with any particular {@link Environment}.
*/
public static final Mutability IMMUTABLE = create("IMMUTABLE").freeze();
/**
* A {@code Mutability} indicating that a value is shallowly immutable.
*
* <p>Under the invariants for this class, this is the only frozen {@code Mutability} whose values
* are permitted to directly or indirectly contain mutable values.
*
* <p>In practice, this instance is used as the {@code Mutability} for tuples.
*/
// TODO(bazel-team): We might be able to remove this instance, and instead have tuples and other
// immutable types store the same Mutability as other values in that environment. Then we can
// simplify the Mutability invariant, and implement deep-immutability checking in constant time
// for values whose Environments have been frozen.
//
// This would also affect structs (SkylarkInfo). Maybe they would implement an interface similar
// to SkylarkMutable, or the relevant methods could be worked into SkylarkValue.
public static final Mutability SHALLOW_IMMUTABLE = create("SHALLOW_IMMUTABLE").freeze();
}
|
