[erlang-questions] Keeping massive concurrency when interfacing with C

Joe Armstrong erlang@REDACTED
Wed Oct 5 10:26:10 CEST 2011

On Wed, Oct 5, 2011 at 12:38 AM, Richard O'Keefe <ok@REDACTED> wrote:
> A further clarification on what Joe wrote about hot loading:
>  Whatever the current Erlang system actually does, the overhead of remote
>  calls need in principle be no more than the overhead of dynamic dispatch
>  in a language like C++.
>  That overhead is actually surprisingly high (and yet people *willingly*
>  write Java, go figure).  There is an indirect cost to the indirection,
>  namely that dynamic calls can't be inlined.  For C++ there is an answer:
>  link-time analysis can find calls (often lots and lots of them) that
>  don't actually need to be polymorphic (e.g., because the declared class
>  turns out not to have any subclasses that override the method in question)
>  and those calls can be inlined after all.  In languages which allow new
>  code to be added at run time (like Java and Erlang) it's not that easy.
> Some years ago I proposed that Erlang could distinguish between
> "detachable" and "non-detachable" parts, so that a group of modules could
> be bound together in such a way that they would have to be replaced _as a
> unit_.  The idea has not been taken up because it's very far from being
> Erlang's most pressing problem.
> To John Smith, what on earth does "shocking the yield curve" mean?
> One thing about architecture.  Joe raised an interesting question.
> "Now suppose you discover a fault in your software that causes to you
> buy or sell shares at a catastrophically bad rate - what do you do -
> wait for everything to stop before changing the code?"
> My question is, "how could you structure your system so that if it
> TRIES to buy or sell at a catastrophically bad rate it CAN'T?"  A couple
> of years ago I came up with an idea for a potential PhD candidate who
> ended up going somewhere else.  That was inspired by a true event here,
> where an electricity company cut off supply to a house where there was
> an extremely sick woman who depended on some machine to keep her alive
> (I forget what kind).  Needless to say, she died.  And of course it was
> one of those stories where the computer noticed the bill hadn't been
> paid recently and sent out a notice to a technician who dutifully went
> out and turned the power off without asking any awkward questions.  So
> what can we do to stop that?  (The customer had informed the company of
> their special needs.)  The answer I came up with turns out to be
> quite similar in spirit to Joe's UBF.
>        You have a GENERATOR of actions,
>        a CRITIC of actions, and
>        an EFFECTOR of actions.
> (Come to think of it, there's a link here to Dorothy L. Sayers' "The
> Mind of the Maker.")  The generator of actions receives inputs and
> decides on things to do, but doesn't actually do them.  It passes
> its proposals on to the critic, which watches out for bad stuff.
> Things that the critic is happy with are passed on to the effector to
> be carried out.
> In the electricity case, the critic would use rules like
>        "If the proposal is to disconnect supply
>         and the customer has registered a special need
>         and there is no record of a court order
>         REJECT"
> In the trading case, the critic's rules would say something about the
> amount of money.

Absolutely - move compliance into the software - If traders expose a
bank to too much risk the
trades should be stopped automatically. This might have prevented
(say) the collapse
of Baring bank. There is a trade of between security - (we have to
spend a few CPUs cycles
checking for illegality) and speed here.

If a bank collapses due to trading violations that could have been
detected by software and no
such software was in place I imagine legal action could be taken. So
there should be a strong argument for such software.


> The generator should not rely on the critic; if everything is working
> well you won't be able to tell if the critic is there or not.
> A rejection by the critic indicates an error in the generator
> requiring corrective programming.  This is where it gets similar
> to UBF:  UBF contract checking isn't there to make good things
> happen normally, it's there to stop bad things happening and make
> sure they're noticed.
> This is one way to use multicore: spend some of the extra cores doing
> more checking.

More information about the erlang-questions mailing list