Gilad Bracha
Works at Google


Gilad Bracha

Shared publicly  - 
Why capabilities? Short statement for SOSP History Day.

SOSP History Day was a superb event. It was all recorded and the recordings will be made public. Capabilities were repeatedly mentioned in the presentations much more often than I expected, and mostly positively.

I was on a panel at the end of the day whose topic was "Is Security a Hopeless Quest?"
Each panelist opened with a 5 minute statement. I tried to boil down the case for capabilities into the shortest clearest statement I could for an informed audience. Here is what I said. Feel free to forward. 

In the ‘70s, there were two main access control models:
the identity-centric model of access-control lists
and the authorization-centric model of capabilities.
For various reasons the world went down the identity-centric path,
resulting in the situation we are now in.
On the identity-centric path, why is security likely a hopeless quest?

When we build systems, we compose software written by different people.
These composed components may cooperate as we intend,
or they may destructively interfere.
We have gotten very good at avoiding accidental interference
by using abstraction mechanisms and designing good abstraction boundaries.
By composition, we have delivered astonishing functionality to the world.

Today, when we secure systems, we assign authority to identities.
When I run a program, it runs as me.
The square root function in my math library can delete my files.
Although it does not abuse this excess authority,
if it has a flaw enabling an attacker to subvert it,
then anything it may do, the attacker can do.
It is this excess authority that invites most of the attacks we see in the world today.

By contrast, when we secure systems with capabilities,
we work with the grain of how we organize software for functionality.
At every level of composition,
from programming language to operating systems to distributed services,
we design abstraction boundaries so that a component’s interface
only requires arguments that are somehow relevant to its task.
If such argument passing were the only source of authority,
we would have already taken a huge step towards least authority.
If most programs only ran with the least authority they need to do their jobs,
most abuses would be minor.

I do not imagine a world with fewer exploitable bugs.
I imagine a world in which much less is at risk to most bugs.
2 comments on original post
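
The point about excess authority, as an added JavaScript sketch that is not part of the original statement: the same square-root component is written once with full access to a file store and once with only an append-only log capability passed as an argument, and a modelled flaw is then exercised in each. The store, the function names and the sample files are constructed for illustration; plain JavaScript still has ambient globals, so this models the discipline rather than enforcing it.

```javascript
'use strict';
// Constructed in-memory store standing in for "my files" (hypothetical API).
function makeStore(files) {
  const data = new Map(Object.entries(files));
  return Object.freeze({
    read: (name) => data.get(name),
    write: (name, text) => { data.set(name, text); },
    remove: (name) => data.delete(name),
    list: () => [...data.keys()],
  });
}

// Attenuation: a capability that can only append lines to one named file.
function appendOnly(store, name) {
  return Object.freeze({
    append: (line) => store.write(name, (store.read(name) || '') + line + '\n'),
  });
}

// Identity-centric shape: the component is handed everything the user can do.
function sqrtWithFullAuthority(store, x) {
  store.write('math.log', (store.read('math.log') || '') + `sqrt(${x})\n`);
  return Math.sqrt(x);
}

// Capability shape: the interface asks only for what the task needs.
function sqrtWithLog(log, x) {
  log.append(`sqrt(${x})`);
  return Math.sqrt(x);
}

// Models a flaw in the component: whatever it holds is misused to the fullest.
function misuse(authority) {
  if (typeof authority.list === 'function') {
    for (const name of authority.list()) authority.remove(name);
  }
  return Object.keys(authority); // operations the flaw exposed
}

function demo() {
  const a = makeStore({ 'thesis.tex': 'draft', 'math.log': '' });
  const b = makeStore({ 'thesis.tex': 'draft', 'math.log': '' });
  const logB = appendOnly(b, 'math.log');
  const roots = [sqrtWithFullAuthority(a, 9), sqrtWithLog(logB, 9)];
  const exposedA = misuse(a);    // flaw in the full-authority component
  const exposedB = misuse(logB); // same flaw, component holds one capability
  return { roots, exposedA, exposedB, leftA: a.list(), leftB: b.list() };
}
console.log(demo());
```

Both versions compute the same result; only the store handed to the full-authority version ends up empty.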

Gilad Bracha

Shared publicly  - 
At ECOOP, I'll be participating in a discussion about optional types: where they came from, what they are, where they're going.
In a typeless world, our discussants have spent two decades trying to bring order, and perhaps even soundness, by democratizing types and pushing them where, according to many, they didn't belong. Matthias Felleisen worked on soft typing for Scheme, semantic contracts, and Typed Racket.
Debate's over, +James Noble!

Gilad Bracha

Shared publicly  - 
In the context of Fletch, we're experimenting with making it easier to write parallel code in Dart. The experiment builds on the ability to stop execution in one process (read: isolate) while waiting for n sub-processes to run their code in parallel. For now, we're calling the primitive that takes care of this Process.divide and we imagine building all sorts of interesting functionality on top of it.

Process.divide allows passing down deeply immutable data structures without copying them -- and we allow the sub-processes to return mutable data structures as the result of their computation. Sometimes you can get away with passing down integers and returning them like this:

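int fib(int x) {
  if (x <= 1) return x;
  // Run fib on both arguments in parallel sub-processes, then sum the results.
  // The Process.divide call is restored from the surrounding text; argument order is assumed.
  return Process.divide(fib, [x - 1, x - 2]).reduce((a, b) => a + b);
}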

but in a lot of cases, it's really quite powerful to be able to send large immutable structures down to sub-processes that in return construct mutable object graphs and send them back. Wouldn't it be nice to be able to decode lots of JSON strings in parallel?

To construct a deeply immutable object, you call a 'const' constructor and pass other deeply immutable objects as the only arguments. You are free to call the constructor using 'new' so you're not bound by the very restricting limitations we have for compile-time constants. Even closures can be deeply immutable if all they capture is other deeply immutable objects by value.

As always, we welcome and appreciate feedback!

12 comments on original post
How about speculative parallelism rather than waiting all the time? I guess I'm just too impatient. 

Gilad Bracha

Shared publicly  - 
For all of you who didn't get Newspeak and Hopscotch the first time.
LOL. :)

Gilad Bracha

Shared publicly  - 
Incremental Compiler Update


As you probably know, I'm working on incrementally compiling Dart to JavaScript. This is based on dart2js.

By incremental compilation, I mean that after an initial full compile (which is slow), the compiler will continue running and quickly compile patches to the result of the full compilation. The time it takes to perform a full compilation scales in the size of the entire program (including all imported libraries, including the SDK). The time it takes to incrementally compile should be proportional to the size of the change (and how much code is affected by that change).

For example, if it takes 30 seconds to compile a program with 10000 methods, it should take 0.003 seconds to incrementally compile a change to a single method body.

There are some additional effects that can impact compile times, for example, if you change a large file, the time it takes to compute a difference may become significant (in extreme cases, I've seen 0.3 seconds used on analyzing a 2.5MB source file). Likewise, if you add a method to a class C, the compiler may have to examine all methods in subclasses of C. For example, as a thought example, let's consider what could happen if you could add a method to Object (in practice, you can't). But for the sake of an example, if a method was added to Object, the incremental compiler might decide to compile all methods in all classes.

But in practice, these caveats shouldn't matter. Most of the time, the compiler should be faster than you can notice, and rarely feel sluggish.

And now to the update. I'm currently working towards turning this into a product you can use in your daily development. This is the list of things that need to be implemented before I feel it is ready for users:

* Better error recovery. Sometimes, dart2js will give up and abort compilation by throwing an exception if it detects a compile-time error. In this case, the compiler is left in an inconsistent state and we have to restart the process by performing a full compilation. That's really bad as the compiler is supposed to help the developer detect errors, not punish them for making mistakes.

* Native classes.

* File watching compiler server.

I'm currently focusing on error recovery.
I did the exact same thing to scalac 7 years ago; going through all the steps (better error recovery, rollback and repair of trees at some granular < a file unit). This is a dark art that everyone refuses to talk about (or at least document in a paper :) ). 

Gilad Bracha

Shared publicly  - 
A DSL with a View
In a previous post, I promised to explain how one might define UIs using an internal DSL. Using an internal DSL would allow us to capitalize on the full power of a general purpose programming language and avoid having to reinvent everything from if-statemen...

Gilad Bracha

Shared publicly  - 
Ignore the adversarial hype; we basically agree. In any case, after a few decades, the world has caught up, and optional/gradual types are going mainstream. Live programming is next, and Newspeak style modularity will get there in time.
Types for an untyped world... 
2 comments on original post
I think people really do want types for some tasks, like code completion and documentation, but the whole types as proofs of correctness aspect just isn't valued as much. Gradual typing, hybrid typing, and other new approaches to typing, are really aiming at that new sweet spot. That debate is truly going on in the community today, but mostly passive aggressively since it is still a bit hard for many to swallow. 

Gilad Bracha

Shared publicly  - 
Do you have an idea to improve programming? Do you want constructive criticism? Submit to the Future Programming Workshop! The Future Programming Workshop (FPW) invites ambitious visions, new approaches, and early-stage work of all kinds seeking to improve software development.

Gilad Bracha

Shared publicly  - 
Pony being discussed on Hacker News,

The language described at
Actor Model, Low Latency, High Performance, Programming, Capabilities, Data-race free
1 comment on original post

Gilad Bracha

Shared publicly  - 
Calling all Dartisans - Propose your session or case study for the Dart Developer Summit.

The Dart Developer Summit is your forum for meeting the Dart engineering team, Googlers using Dart, and your fellow Dartisans. Our community has told us they want to hear how you are using Dart. What is your cool new pub package? How did you use Dart on the client or server? What are your tips and tricks?

Our sessions are live streamed and recorded to help you get the word out. The summit is April 28th-29th in San Francisco, California. Call for Proposals closes on Jan 30th!

See you there!
Dart Summit - Call for Proposals
Please submit your Call for Proposal before Jan 30th 2015. We will review all sessions in February and send confirmation emails beginning/mid March 2015. If you have any questions, email Keep yourself updated on the Dart Summit at
Cool, I just saw the dates were close (I treat G+ too much like Facebook).


Gilad Bracha

Shared publicly  - 
Yet another update on incremental compilation

On Monday, I shared some information about incremental compilation (

Since then, the following was implemented:

* Changing supertypes of a class.

* Adding or removing a class.

* Adding instance fields.

I'm currently focusing on:

* Changing and removing instance fields.

The following is still missing:

* Changing, adding, and removing static and top-level fields.

* Libraries with more than one part.

* Runtime type support (how “is” and “as” tests are implemented).

* Mirror support.

* Native classes support (how dart:html is implemented).

The last two items are still unknowns, but we think we know how to do runtime type support.

Basic Information
  • Google
    software engineer, 2011 - present
It's been almost 30 years since I did my undergraduate studies in computer science at BGU, but I had a great time and got an education that has served me well. BGU was small enough to be pleasant and intimate - probably still is, if a little less so. It's great to see it on street view. I always loved the unusual architecture.