[FEATURE] Ensure thread safety of sdk

[skyerus]

Requirements

Inspired by open-feature/dotnet-sdk#56

The global singletons (e.g. provider, evaluationContext, logger) all share a mutex to ensure thread safety, however a client doesn't use a mutex so there's a concern if two processes want to set an evaluation context for example.

The EvaluationContext type has the field Attributes of type map[string]interface{}. In go, maps are always passed by reference, this means that in theory one could pass an EvaluationContext to a client's flag evaluation call and continue to alter the Attributes' map in another process.
This could be avoided by making the Attributes field unexported with an exported constructor for EvaluationContext, this would mean that an application author couldn't change the field once constructed. However, an author could still alter the map they passed as a parameter to the constructor, which is the same map used in struct (passed by reference). In order to avoid this the constructor would need to initialise a new map and copy the map passed as a parameter.

Is this overkill? Is there a better solution we can come up with?

cc @beeme1mr @toddbaert @james-milligan

[toddbaert]

The global singletons (e.g. provider, evaluationContext, logger) all share a mutex to ensure thread safety, however a client doesn't use a mutex so there's a concern if two processes want to set an evaluation context for example.

This was my main concern (and still a concern in the Java SDK I think).

As for the evaluation context:

I think that a user mutating a map in multiple threads should be aware of the consequences of that. If we want to protect users from themselves, one other way could perhaps encapsulate the Attribues field and make the evaluation context a more robust struct with methods for adding values - this is similar to how the EvaluationContext works in Java. These methods could allow value addition in a threadsafe manner, using a mutex or some other threadsafe primitives behind the scenes.

I'm not sure if this solution is any better than yours. It does allow it to be modified after construction, but there's more code to maintain with my proposal I think.

This would of course be a breaking change. cc @beeme1mr

[james-milligan]

i personally lean more towards @toddbaert's approach, it feels cleaner to have an EvaluationContext type with a SetAttribute / SetAttributes method(s)

[beeme1mr]

If this is the approach, it must be a priority. To stay on schedule, this change would need to be made available tomorrow.

open-feature/spec#146

[toddbaert]

i personally lean more towards @toddbaert's approach, it feels cleaner to have an EvaluationContext type with a SetAttribute / SetAttributes method(s)

I kinda hate my approach but I worry that it might be the best one.

Although, I hadn't considered setAttribues (plural) as @james-milligan mentions where we could take an entire map. That's not really as simple in Java but doable in go I think. I think that would be quite convenient.

[skyerus]

Would allowing the the map to be modified after construction violate this spec requirement?

Requirement 4.1.4
The evaluation context MUST be mutable only within the before hook.

[toddbaert]

Would allowing the the map to be modified after construction violate this spec requirement?

Requirement 4.1.4
The evaluation context MUST be mutable only within the before hook.

That point is probably a bit misleading. We should improve the wording.

The actual point here is that only before hooks should return an evaluation context (one that's merged with the ambient context). The other hooks do not return the evaluation context. Whether mutating them is possible or not is more of a language and implementation concern.

[toddbaert]

I think you've just found another reason why we should think about thread safety though @skyerus 😅

[skyerus]

If other hooks have as much control over mutating the EvaluationContext as the Before hook does then it raises the question as to whether it remains a property specific to the Before hook 🤔

[toddbaert]

If other hooks have as much control over mutating the EvaluationContext as the Before hook does then it raises the question as to whether it remains a property specific to the Before hook thinking

I get your point, and you're right. The point should be changed to say something that indicates that only the before hook will merge a RETURNED context. Side effects mutating the referenced context in any hook are probably beyond the ability of the spec to dictate. I think there's too many variables across languages for us to reasonably police that. The fact before hooks allow authors to return a context makes it very explicit that using the before hooks to change context is safe and valid, since the SDK will carefully merge it for you.

[skyerus]

If this is the approach, it must be a priority. To stay on schedule, this change would need to be made available tomorrow.

open-feature/spec#146

I'm happy to drop what I'm currently working on and to pick this up now if we're happy with this approach.

[toddbaert]

I would love to have @kinyoklion 's opinion, since he was the genesis of this discussion... unfortunately he is on the West Coast, I think. I suppose if you start with a basic POC of the idea it would at least give us some data on if it feels right and solves our issues.

I vote you at start on that with an "experimental" mindset for now, until we get feedback from @kinyoklion and perhaps @justinabrahms .

cc @beeme1mr @benjiro

[skyerus]

type EvaluationContext struct {
   mx *sync.Mutex
   targetingKey string
   attributes map[string]interface{}
}

func (e *EvaluationContext) SetAttribute(key string, value interface{}) {
   e.mx.Lock()
   ...
}

func (e *EvaluationContext) SetAttributes(attrs map[string]interface{}) {
   e.mx.Lock()
   ...
}

func (e *EvaluationContext) SetTargetingKey(key string) {
   e.mx.Lock()
   ...
}

func NewEvaluationContext(targetingKey string, attributes map[string]interface{}) EvaluationContext {
     // copy attributes to new map to avoid reference being externally available
}

Loosely I'm thinking of something like this, does this align with what you had in mind?

[toddbaert]

yep! I just hope I haven't missed anything silly.

[james-milligan]

looks good to me