summaryrefslogtreecommitdiff
path: root/vere/doc/spec/u3.md
diff options
context:
space:
mode:
authorpolwex <polwex@sortug.com>2025-10-05 21:56:51 +0700
committerpolwex <polwex@sortug.com>2025-10-05 21:56:51 +0700
commitfcedfddf00b3f994e4f4e40332ac7fc192c63244 (patch)
tree51d38e62c7bdfcc5f9a5e9435fe820c93cfc9a3d /vere/doc/spec/u3.md
claude is gud
Diffstat (limited to 'vere/doc/spec/u3.md')
-rw-r--r--vere/doc/spec/u3.md1571
1 files changed, 1571 insertions, 0 deletions
diff --git a/vere/doc/spec/u3.md b/vere/doc/spec/u3.md
new file mode 100644
index 0000000..32ce9e8
--- /dev/null
+++ b/vere/doc/spec/u3.md
@@ -0,0 +1,1571 @@
+# u3: noun processing in C.
+
+`u3` is the C library that makes Urbit work. If it wasn't called
+`u3`, it might be called `libnoun` - it's a library for making
+and storing nouns.
+
+What's a noun? A noun is either a cell or an atom. A cell is an
+ordered pair of any two nouns. An atom is an unsigned integer of
+any size.
+
+To the C programmer, this is not a terribly complicated data
+structure, so why do you need a library for it?
+
+One: nouns have a well-defined computation kernel, Nock, whose
+spec fits on a page and gzips to 340 bytes. But the only
+arithmetic operation in Nock is increment. So it's nontrivial
+to compute both efficiently and correctly.
+
+Two: `u3` is designed to support "permanent computing," ie, a
+single-level store which is transparently snapshotted. This
+implies a specialized memory-management model, etc, etc.
+
+(Does `u3` depend on the higher levels of Urbit, Arvo and Hoon?
+Yes and no. `u3` expects you to load something shaped like an
+Arvo kernel, and use it as an event-processing function. But you
+don't need to use this feature if you don't want, and your kernel
+doesn't have to be Arvo proper - just Arvo-compatible. Think of
+`u3` as the BIOS and Arvo as the boot kernel. And there are no
+dependencies at all between Hoon the language and `u3`.)
+
+## c3: C in Urbit
+
+Under `u3` is the simple `c3` layer, which is just how we write C
+in Urbit.
+
+When writing C in u3, please of course follow the conventions of
+the code around you as regards indentation, etc. It's especially
+important that every function have a header comment, even if it
+says nothing interesting.
+
+But some of our idiosyncrasies go beyond convention. Yes, we've
+done awful things to C. Here's what we did and why we did.
+
+### c3: integer types
+
+First, it's generally acknowledged that underspecified integer
+types are C's worst disaster. C99 fixed this, but the `stdint`
+types are wordy and annoying. We've replaced them with:
+
+ /* Good integers.
+ */
+ typedef uint64_t c3_d; // double-word
+ typedef int64_t c3_ds; // signed double-word
+ typedef uint32_t c3_w; // word
+ typedef int32_t c3_ws; // signed word
+ typedef uint16_t c3_s; // short
+ typedef int16_t c3_ss; // signed short
+ typedef uint8_t c3_y; // byte
+ typedef int8_t c3_ys; // signed byte
+ typedef uint8_t c3_b; // bit
+
+ typedef uint8_t c3_t; // boolean
+ typedef uint8_t c3_o; // loobean
+ typedef uint8_t c3_g; // 5-bit atom for a 32-bit log.
+ typedef uint32_t c3_l; // little; 31-bit unsigned integer
+ typedef uint32_t c3_m; // mote; also c3_l; LSB first a-z 4-char string.
+
+ /* Bad integers.
+ */
+ typedef char c3_c; // does not match int8_t or uint8_t
+ typedef int c3_i; // int - really bad
+ typedef uintptr_t c3_p; // pointer-length uint - really really bad
+ typedef intptr_t c3_ps; // pointer-length int - really really bad
+
+Some of these need explanation. A loobean is a Nock boolean -
+Nock, for mysterious reasons, uses 0 as true (always say "yes")
+and 1 as false (always say "no").
+
+Nock and/or Hoon cannot tell the difference between a short atom
+and a long one, but at the `u3` level every atom under `2^31` is
+direct. The `c3_l` type is useful to annotate this. A `c3_m` is
+a *mote* - a string of up to 4 characters in a `c3_l`, least
+significant byte first. A `c3_g` should be a 5-bit atom. Of
+course, C cannot enforce these constraints, only document them.
+
+Use the "bad" - ie, poorly specified - integer types only when
+interfacing with external code that expects them.
+
+An enormous number of motes are defined in `i/c/motes.h`. There
+is no reason to delete motes that aren't being used, or even to
+modularize the definitions. Keep them alphabetical, though.
+
+### c3: variables and variable naming
+
+The C3 style uses Hoon style TLV variable names, with a quasi
+Hungarian syntax. This is weird, but works really well, as long
+as what you're doing isn't hideously complicated. (Then it works
+badly, but we shouldn't need anything hideous in u3.)
+
+A TLV variable name is a random pronounceable three-letter
+string, sometimes with some vague relationship to its meaning,
+but usually not. Usually CVC (consonant-vowel-consonant) is a
+good choice.
+
+You should use TLVs much the way math people use Greek letters.
+The same concept should in general get the same name across
+different contexts. When you're working in a given area, you'll
+tend to remember the binding from TLV to concept by sheer power
+of associative memory. When you come back to it, it's not that
+hard to relearn. And of course, when in doubt, comment it.
+
+Variables take pseudo-Hungarian suffixes, matching in general the
+suffix of the integer type:
+
+ c3_w wor_w; // 32-bit word
+
+Unlike in standard Hungarian, there is no change for pointer
+variables. C structure variables take a `_u` suffix.
+
+### c3: loobeans
+
+The code (from `defs.h`) tells the story:
+
+ # define c3y 0
+ # define c3n 1
+
+ # define _(x) (c3y == (x))
+ # define __(x) ((x) ? c3y : c3n)
+ # define c3a(x, y) __(_(x) && _(y))
+ # define c3o(x, y) __(_(x) || _(y))
+
+In short, use `_()` to turn a loobean into a boolean, `__` to go
+the other way. Use `!` as usual, `c3y` for yes and `c3n` for no,
+`c3a` for and and `c3o` for or.
+
+## u3: land of nouns
+
+The division between `c3` and `u3` is that you could theoretically
+imagine using `c3` as just a generic C environment. Anything to do
+with nouns is in `u3`.
+
+### u3: a map of the system
+
+There are two kinds of symbols in `u3`: regular and irregular.
+Regular symbols follow this pattern:
+
+ prefix purpose .h .c
+ -------------------------------------------------------
+ u3a_ allocation i/n/a.h n/a.c
+ u3e_ persistence i/n/e.h n/e.c
+ u3h_ hashtables i/n/h.h n/h.c
+ u3i_ noun construction i/n/i.h n/i.c
+ u3j_ jet control i/n/j.h n/j.c
+ u3m_ system management i/n/m.h n/m.c
+ u3n_ nock computation i/n/n.h n/n.c
+ u3r_ noun access (error returns) i/n/r.h n/r.c
+ u3t_ profiling i/n/t.h n/t.c
+ u3v_ arvo i/n/v.h n/v.c
+ u3x_ noun access (error crashes) i/n/x.h n/x.c
+ u3z_ memoization i/n/z.h n/z.c
+ u3k[a-g] jets (transfer, C args) i/j/k.h j/[a-g]/*.c
+ u3q[a-g] jets (retain, C args) i/j/q.h j/[a-g]/*.c
+ u3w[a-g] jets (retain, nock core) i/j/w.h j/[a-g]/*.c
+
+Irregular symbols always start with `u3` and obey no other rules.
+They're defined in `i/n/aliases.h`. Finally, `i/all.h` includes
+all these headers (fast compilers, yay) and is all you need to
+program in `u3`.
+
+### u3: noun internals
+
+A noun is a `u3_noun` - currently defined as a 32-bit `c3_w`.
+
+If your `u3_noun` is less than `(1 << 31)`, it's a direct atom.
+Every unsigned integer between `0` and `0x7fffffff` inclusive is
+its own noun.
+
+If bit `31` is set in a `u3_noun` and bit `30` is `1` the noun
+is an indirect cell. If bit `31` is set and bit `30` is `0` the
+noun is an indirect atom. Bits `29` through `0` are a word
+pointer into the loom - see below. The structures are:
+
+ typedef struct {
+ c3_w mug_w;
+ c3_w len_w;
+ c3_w buf_w[0]; // actually [len_w]
+ } u3a_atom;
+
+ typedef struct {
+ c3_w mug_w;
+ u3_noun hed;
+ u3_noun tel;
+ } u3a_cell;
+
+The only thing that should be mysterious here is `mug_w`, which
+is a 31-bit lazily computed nonzero short hash (FNV currently,
+soon Murmur3). If `mug_w` is 0, the hash is not yet computed.
+We also hijack this field for various hacks, such as saving the
+new address of a noun when copying over.
+
+Also, the value `0xffffffff` is `u3_none`, which is never a valid
+noun. Use the type `u3_weak` to express that a noun variable may
+be `u3_none`.
+
+### u3: reference counts
+
+The only really essential thing you need to know about `u3` is
+how to handle reference counts. Everything else, you can skip
+and just get to work.
+
+u3 deals with reference-counted, immutable, acyclic nouns.
+Unfortunately, we are not Apple and can't build reference
+counting into your C compiler, so you need to count by hand.
+
+Every allocated noun (or any allocation object, because our
+allocator is general-purpose) contains a counter which counts the
+number of references to it - typically variables with type
+`u3_noun`. When this counter goes to 0, the noun is freed.
+
+To tell `u3` that you've added a reference to a noun, call the
+function `u3a_gain()` or its shorthand `u3k()`. (For your
+convenience, this function returns its argument.) To tell `u3`
+that you've destroyed a reference, call `u3a_lose()` or `u3z()`.
+
+(If you screw up by decrementing the counter too much, `u3` will
+dump core in horrible ways. If you screw up by incrementing it
+too much, `u3` will leak memory. To check for memory leaks,
+set the `bug_o` flag in `u3e_boot()` - eg, run `vere` with `-g`.
+Memory leaks are difficult to debug - the best way to handle
+leaks is just to revert to a version that didn't have them, and
+look over your code again.)
+
+(You can gain or lose a direct atom. It does nothing.)
+
+### u3: reference protocols
+
+*THIS IS THE MOST CRITICAL SECTION IN THE `u3` DOCUMENTATION.*
+
+The key question when calling a C function in a refcounted world
+is what the function will do to the noun refcounts - and, if the
+function returns a noun, what it does to the return.
+
+There are two semantic patterns, `transfer` and `retain`. In
+`transfer` semantics, the caller "gives" a use count to the
+callee, which "gives back" any return. For instance, if I have
+
+ {
+ u3_noun foo = u3i_string("foobar");
+ u3_noun bar;
+
+ bar = u3f_futz(foo);
+ [...]
+ u3z(bar);
+ }
+
+Suppose `u3f_futz()` has `transfer` semantics. At `[...]`, my
+code holds one reference to `bar` and zero references to `foo` -
+which has been freed, unless it's part of `bar`. My code now
+owns `bar` and gets to work with it until it's done, at which
+point a `u3z()` is required.
+
+On the other hand, if `u3f_futz()` has `retain` semantics, we
+need to write
+
+ {
+ u3_noun foo = u3i_string("foobar");
+ u3_noun bar;
+
+ bar = u3f_futz(foo);
+ [...]
+ u3z(foo);
+ }
+
+because calling `u3f_futz()` does not release our ownership of
+`foo`, which we have to free ourselves.
+
+But if we free `bar`, we are making a great mistake, because our
+reference to it is not in any way registered in the memory
+manager (which cannot track references in C variables, of
+course). It is normal and healthy to have these uncounted
+C references, but they must be treated with care.
+
+The bottom line is that it's essential for the caller to know
+the refcount semantics of any function which takes or returns a
+noun. (In some unusual circumstances, different arguments or
+returns in one function may be handled differently.)
+
+Broadly speaking, as a design question, retain semantics are more
+appropriate for functions which inspect or query nouns. For
+instance, `u3h()` (which takes the head of a noun) retains, so
+that we can traverse a noun tree without constantly incrementing
+and decrementing.
+
+Transfer semantics are more appropriate for functions which make
+nouns, which is obviously what most functions do.
+
+In general, though, in most places it's not worth thinking about
+what your function does. There is a convention for it, which
+depends on where it is, not what it does. Follow the convention.
+
+### u3: reference conventions
+
+The `u3` convention is that, unless otherwise specified, *all
+functions have transfer semantics* - with the exception of the
+prefixes: `u3r`, `u3x`, `u3z`, `u3q` and `u3w`. Also, within
+jet directories `a` through `f` (but not `g`), internal functions
+retain (for historical reasons).
+
+If functions outside this set have retain semantics, they need to
+be commented, both in the `.h` and `.c` file, with `RETAIN` in
+all caps. Yes, it's this important.
+
+### u3: system architecture
+
+If you just want to tinker with some existing code, it might be
+enough to understand the above. If not, it's probably worth
+taking the time to look at `u3` as a whole.
+
+`u3` is designed to work as a persistent event processor.
+Logically, it computes a function of the form
+
+ f(event, old state) -> (actions, new state)
+
+Obviously almost any computing model - including, but not limited
+to, Urbit - can be defined in this form. To create the illusion
+of a computer that never loses state and never fails, we:
+
+- log every event externally before it goes into u3
+- keep a single reference to a permanent state noun.
+- can abort any event without damaging the permanent state.
+- snapshot the permanent state periodically, and/or prune logs.
+
+### u3: the road model
+
+`u3` uses a memory design which I'm sure someone has invented
+somewhere before, because it's not very clever, but I've never
+seen it anywhere in particular.
+
+Every allocation starts with a solid block of memory, which `u3`
+calls the `loom`. How do we allocate on the loom? You're
+probably familiar with the Unix heap-stack design, in which the
+stack grows downward and the heap (malloc arena) grows upward:
+
+ 0 brk ffff
+ | heap | stack |
+ |------------#################################+++++++++++++|
+ | | |
+ 0 sp ffff
+
+A road is a normal heap-stack system, except that the heap
+and stack can point in *either direction*. Therefore, inside
+a road, we can nest another road in the *opposite direction*.
+
+When the opposite road completes, its heap is left on top of
+the opposite heap's stack. It's no more than the normal
+behavior of a stack machine for all subcomputations to push
+their results on the stack.
+
+The performance tradeoff of "leaping" - reversing directions in
+the road - is that if the outer computation wants to preserve the
+results of the inner one, not just use them for temporary
+purposes, it has to *copy them*.
+
+This is a trivial cost in some cases, a prohibitive cost in
+others. The upside, of course, is that all garbage accrued
+in the inner computation is discarded at zero cost.
+
+The goal of the road system is the ability to *layer* memory
+models. If you are allocating on a road, you have no idea
+how deep within a nested road system you are - in other words,
+you have no idea exactly how durable your result may be.
+But free space is never fragmented within a road.
+
+Roads do not reduce the generality or performance of a memory
+system, since even the most complex GC system can be nested
+within a road at no particular loss of performance - a road
+is just a block of memory.
+
+Each road (`u3a_road` to be exact) uses four pointers: `rut` is
+the bottom of the arena, `hat` the top of the arena, `mat` the
+bottom of the stack, `cap` the top of the stack. (Bear in mind
+that the road "stack" is not actually used as the C function-call
+stack, though it probably should be.)
+
+A "north" road has the stack high and the heap low:
+
+ 0 rut hat ffff
+ | | | |
+ |~~~~~~~~~~~~-------##########################+++++++$~~~~~|
+ | | | |
+ 0 cap mat ffff
+
+A "south" road is the other way around:
+
+ 0 mat cap ffff
+ | | | |
+ |~~~~~~~~~~~~$++++++##########################--------~~~~~|
+ | | | |
+ 0 hat rut ffff
+
+Legend: `-` is durable storage (heap); `+` is temporary storage
+(stack); `~` is deep storage (immutable); `$` is the allocation
+frame; `#` is free memory.
+
+Pointer restrictions: pointers stored in `+` can point anywhere.
+Of course, pointing to `#` (free memory) would be a bug.
+Pointers in `-` can only point to `-` or `~`; pointers in `~`
+only point to `~`.
+
+To "leap" is to create a new inner road in the `###` free space.
+but in the reverse direction, so that when the inner road
+"falls" (terminates), its durable storage is left on the
+temporary storage of the outer road.
+
+`u3` keeps a global variable, `u3_Road` or its alias `u3R`, which
+points to the current road. (If we ever run threads in inner
+roads - see below - this will become a thread-local variable.)
+Relative to `u3R`, `+` memory is called `junior` memory; `-`
+memory is `normal` memory; `~` is `senior` memory.
+
+### u3: explaining the road model
+
+But... why?
+
+We're now ready to understand why the road system works so
+logically with the event and persistence model.
+
+The key is that *we don't update refcounts in senior memory.*
+A pointer from an inner road to an outer road is not counted.
+Also, the outmost, or `surface` road, is the only part of the
+image that gets checkpointed.
+
+So the surface road contains the entire durable state of `u3`.
+When we process an event, or perform any kind of complicated or
+interesting calculation, *we process it in an inner road*. If
+its results are saved, they need to be copied.
+
+Since processing in an inner road does not touch surface memory,
+(a) we can leave the surface road in a read-only state and not
+mark its pages dirty; (b) we can abort an inner calculation
+without screwing up the surface; and (c) because inner results
+are copied onto the surface, the surface doesn't get fragmented.
+
+All of (a), (b) and (c) are needed for checkpointing to be easy.
+It might be tractable otherwise, but easy is even better.
+
+Moreover, while the surface is most definitely single-threaded,
+we could easily run multiple threads in multiple inner roads
+(as long as the threads don't have pointers into each others'
+memory, which they obviously shouldn't).
+
+Moreover, in future, we'll experiment more with adding road
+control hints to the programmer's toolbox. Reference counting is
+expensive. We hypothesize that in many - if not most - cases,
+the programmer can identify procedural structures whose garbage
+should be discarded in one step by copying the results. Then,
+within the procedure, we can switch the allocator into `sand`
+mode, and stop tracking references at all.
+
+### u3: rules for C programming
+
+There are two levels at which we program in C: (1) above the
+interpreter; (2) within the interpreter or jets. These have
+separate rules which need to be respected.
+
+### u3: rules above the interpreter
+
+In its relations with Unix, Urbit follows a strict rule of "call
+me, I won't call you." We do of course call Unix system calls,
+but only for the purpose of actually computing.
+
+Above Urbit, you are in a normal C/Unix programming environment
+and can call anything in or out of Urbit. Note that when using
+`u3`, you're always on the surface road, which is not thread-safe
+by default. Generally speaking, `u3` is designed to support
+event-oriented, single-threaded programming.
+
+If you need threads which create nouns, you could use
+`u3m_hate()` and `u3m_love()` to run these threads in subroads.
+You'd need to make the global road pointer, `u3R`, a thread-local
+variable instead. This seems perfectly practical, but we haven't
+done it because we haven't needed to.
+
+### u3: rules within the interpreter
+
+Within the interpreter, your code can run either in the surface
+road or in a deep road. You can test this by testing
+
+ (&u3H->rod_u == u3R)
+
+ie: does the pier's home road equal the current road pointer?
+
+Normally in this context you assume you're obeying the rules of
+running on an inner road, ie, "deep memory." Remember, however,
+that the interpreter *can* run on surface memory - but anything
+you can do deep, you can do on the surface. The converse is by
+no means the case.
+
+In deep memory, think of yourself as if in a signal handler.
+Your execution context is extremely fragile and may be terminated
+without warning or cleanup at any time (for instance, by ^C).
+
+For instance, you can't call `malloc` (or C++ `new`) in your C
+code, because you don't have the right to modify data structures
+at the global level, and will leave them in an inconsistent state
+if your inner road gets terminated. (Instead, use our drop-in
+replacements, `u3a_malloc()`, `u3a_free()`, `u3a_realloc()`.)
+
+A good example is the different meaning of `u3_assert()` inside
+and outside the interpreter. At either layer, you can use
+regular assert(), which will just kill your process. On the
+surface, `u3_assert()` will just... kill your process.
+
+In deep execution, `u3_assert()` will issue an exception that
+queues an error event, complete with trace stack, on the Arvo
+event queue. Let's see how this happens.
+
+### u3: exceptions
+
+You produce an exception with
+
+ /* u3m_bail(): bail out. Does not return.
+ **
+ ** Bail motes:
+ **
+ ** %exit :: semantic failure
+ ** %evil :: bad crypto
+ ** %intr :: interrupt
+ ** %fail :: execution failure
+ ** %foul :: assert failure
+ ** %need :: network block
+ ** %meme :: out of memory
+ ** %time :: timed out
+ ** %oops :: assertion failure
+ */
+ c3_i
+ u3m_bail(c3_m how_m);
+
+Broadly speaking, there are two classes of exception: internal
+and external. An external exception begins in a Unix signal
+handler. An internal exception begins with a call to longjmp()
+on the main thread.
+
+There are also two kinds of exception: mild and severe. An
+external exception is always severe. An internal exception is
+normally mild, but some (like `c3__oops`, generated by
+`u3_assert()`) are severe.
+
+Either way, exceptions come with a stack trace. The `u3` nock
+interpreter is instrumented to retain stack trace hints and
+produce them as a printable `(list tank)`.
+
+Mild exceptions are caught by the first virtualization layer and
+returned to the caller, following the behavior of the Nock
+virtualizer `++mock` (in `hoon.hoon`)
+
+Severe exceptions, or mild exceptions at the surface, terminate
+the entire execution stack at any depth and send the cumulative
+trace back to the `u3` caller.
+
+For instance, `vere` uses this trace to construct a `%crud`
+event, which conveys our trace back toward the Arvo context where
+it crashed. This lets any UI component anywhere, even on a
+remote node, render the stacktrace as a consequence of the user's
+action - even if its its direct cause was (for instance) a Unix
+SIGINT or SIGALRM.
+
+### u3: C structures on the loom
+
+Normally, all data on the loom is nouns. Sometimes we break this
+rule just a little, though - eg, in the `u3h` hashtables.
+
+To point to non-noun C structs on the loom, we use a `u3_post`,
+which is just a loom word offset. A macro lets us declare this
+as if it was a pointer:
+
+ typedef c3_w u3_post;
+ #define u3p(type) u3_post
+
+Some may regard this as clever, others as pointless. Anyway, use
+`u3to()` and `u3of()` to convert to and from pointers.
+
+When using C structs on the loom - generally a bad idea - make
+sure anything which could be on the surface road is structurally
+portable, eg, won't change size when the pointer size changes.
+(Note also: we consider little-endian, rightly or wrongly, to
+have won the endian wars.)
+
+## u3: API overview by prefix
+
+Let's run through the `u3` modules one by one. All public
+functions are commented, but the comments may be cryptic.
+
+### u3m: main control
+
+To start `u3`, run
+
+ /* u3m_boot(): start the u3 system.
+ */
+ void
+ u3m_boot(c3_o nuu_o, c3_o bug_o, c3_c* dir_c);
+
+`nuu_o` is `c3y` (yes, `0`) if you're creating a new pier,
+`c3n` (no, `1`) if you're loading an existing one. `bug_o`
+is `c3y` if you want to test the garbage-collector, `c3n`
+otherwise. `dir_c` is the directory for the pier files.
+
+`u3m_boot()` expects an `urbit.pill` file to load the kernel
+from. This is specified with the -B commandline option.
+
+Any significant computation with nouns, certainly anything Turing
+complete, should be run (a) virtualized and (b) in an inner road.
+These are slightly different things, but at the highest level we
+bundle them together for your convenience, in `u3m_soft()`:
+
+ /* u3m_soft(): system soft wrapper. unifies unix and nock errors.
+ **
+ ** Produces [%$ result] or [%error (list tank)].
+ */
+ u3_noun
+ u3m_soft(c3_w sec_w, u3_funk fun_f, u3_noun arg);
+
+`sec_w` is the number of seconds to time out the computation.
+`fun_f` is a C function accepting `arg`.
+
+The result of `u3m_soft()` is a cell whose head is an atom. If
+the head is `%$` - ie, `0` - the tail is the result of
+`fun_f(arg)`. Otherwise, the head is a `term` (an atom which is
+an LSB first string), and the tail is a `(list tank)` (a list of
+`tank` printables - see `++tank` in `hoon.hoon`). Error terms
+should be the same as the exception terms above.
+
+If you're confident that your computation won't fail, you can
+use `u3m_soft_sure()`, `u3m_soft_slam()`, or `u3m_soft_nock()`
+for C functions, Hoon function calls, and Nock invocations.
+Caution - this returns just the result, and asserts globally.
+
+All the `u3m_soft` functions above work *only on the surface*.
+Within the surface, virtualize with `u3m_soft_run()`. Note that
+this takes a `fly` (a namespace gate), thus activating the `11`
+super-operator in the nock virtualizer, `++mock`. When actually
+using the `fly`, call `u3m_soft_esc()`. Don't do either unless
+you know what you're doing!
+
+For descending into a subroad *without* Nock virtualization,
+use `u3m_hate()` and `u3m_love` respectively. Hating enters
+a subroad; loving leaves it, copying out a product noun.
+
+Other miscellaneous tools in `u3m`: `u3m_file()` loads a Unix
+file as a Nock atom; `u3m_water()` measures the boundaries of
+the loom in current use (ie, watermarks); and a variety of
+prettyprinting routines, none perfect, are available, mainly for
+debugging printfs: `u3m_pretty()`, `u3m_p()`, `u3m_tape()` and
+`u3m_wall()`.
+
+It's sometimes nice to run a mark-and-sweep garbage collector,
+`u3m_grab()`, which collects the world from a list of roots,
+and asserts if it finds any leaks or incorrect refcounts. This
+tool is for debugging and long-term maintenance only; refcounts
+should never err.
+
+### u3j: jets
+
+The jet system, `u3j`, is what makes `u3` and `nock` in any sense
+a useful computing environment. Except perhaps `u3a` (there is
+really no such thing as a trivial allocator, though `u3a` is
+dumber than most) - `u3j` is the most interesting code in `u3`.
+
+Let's consider the minor miracle of driver-to-battery binding
+which lets `u3j` work - and decrement not be `O(n)` - without
+violating the precisely defined semantics of pure Nock, *ever*.
+
+It's easy to assume that jets represent an architectural coupling
+between Hoon language semantics and Nock interpreter internals.
+Indeed such a coupling would be wholly wrongtious and un-Urbit.
+But the jet system is not Hoon-specific. It is specific to nock
+runtime systems that use a design pattern we call a `core`.
+
+#### u3j: core structure
+
+A core is no more than a cell `[code data]`, in which a `code` is
+either a Nock formula or a cell of `code`s, and `data` is anything.
+In a proper core, the subject each formula expects is the core
+itself.
+
+Except for the arbitrary decision to make a core `[code data]`,
+(or as we sometimes say, `[battery payload]`), instead of `[data
+code]`, any high-level language transforming itself to Nock would
+use this design.
+
+So jets are in fact fully general. Broadly speaking, the jet
+system works by matching a C *driver* to a battery. When the
+battery is invoked with Nock operator `9`, it must be found in
+associative memory and linked to its driver. Then we link the
+formula axis of the operation (`a` in `[9 a b]`) to a specific
+function in the driver.
+
+To validate this jet binding, we need to know two things. One,
+we need to know the C function actually is a perfect semantic
+match for the Nock formula. This can be developed with driver
+test flags, which work, and locked down with a secure formula
+hash in the driver, which we haven't bothered with just yet.
+(You could also try to develop a formal method for verifying
+that C functions and Nock formulas are equivalent, but this is
+a research problem for the future.)
+
+Two, we need to validate that the payload is appropriate for the
+battery. We should note that jets are a Nock feature and have no
+reference to Hoon. A driver which relies on the Hoon type system
+to only pair it with valid payloads is a broken driver, and
+breaks the Nock compliance of the system as a whole. So don't.
+
+Now, a casual observer might look at `[battery payload]` and
+expect the simplest case of it to be `[formula subject]`. That
+is: to execute a simple core whose battery is a single formula,
+we compute
+
+ nock(+.a -.a)
+
+Then, naturally, when we go from Hoon or a high-level language
+containing functions down to Nock, `[function arguments]` turns
+into `[formula subject]`. This seems like an obvious design, and
+we mention it only because it is *completely wrong*.
+
+Rather, to execute a one-armed core like the above, we run
+
+ nock(a -.a)
+
+and the normal structure of a `gate`, which is simply Urbitese
+for "function," is:
+
+ [formula [sample context]]
+
+where `sample` is Urbitese for "arguments" - and `context`, any
+Lisper will at once recognize, is Urbitese for "environment."
+
+To `slam` or call the gate, we simply replace the default sample
+with the caller's data, then nock the formula on the entire gate.
+
+What's in the context? Unlike in most dynamic languages, it is
+not some secret system-level bag of tricks. Almost always it is
+another core. This onion continues until at the bottom, there is
+an atomic constant, conventionally is the kernel version number.
+
+Thus a (highly desirable) `static` core is one of the form
+
+ [battery constant]
+ [battery static-core]
+
+ie, a solid stack of nested libraries without any dynamic data.
+The typical gate will thus be, for example,
+
+ [formula [sample [battery battery battery constant]]]
+
+but we would be most foolish to restrict the jet mechanism to
+cores of this particular structure. We cannot constrain a
+payload to be `[sample static-core]`, or even `[sample core]`.
+Any such constraint would not be rich enough to handle Hoon,
+let alone other languages.
+
+#### u3j: jet state
+
+There are two fundamental rules of computer science: (1) every
+system is best understood through its state; (2) less state is
+better than more state. Sadly, a pier has three different jet
+state systems: `cold`, `warm` and `hot`. It needs all of them.
+
+Hot state is associated with this particular Unix process. The
+persistent pier is portable not just between process and process,
+but machine and machine or OS and OS. The set of jets loaded
+into a pier may itself change (in theory, though not in the
+present implementation) during the lifetime of the process. Hot
+state is a pure C data structure.
+
+Cold state is associated with the logical execution history of
+the pier. It consists entirely of nouns and ignores restarts.
+
+Warm state contains all dependencies between cold and hot
+state. It consists of C structures allocated on the loom.
+
+Warm state is purely a function of cold and hot states, and
+we can wipe and regenerate it at any time. On any restart where
+the hot state might have changed, we clear the warm state
+with `u3j_ream()`.
+
+There is only one hot state, the global jet dashboard
+`u3j_Dash` or `u3D` for short. In the present implementation,
+u3D is a static structure not modified at runtime, except for
+numbering itself on process initialization. This structure -
+which embeds function pointers to all the jets - is defined
+in `j/tree.c`. The data structures:
+
+ /* u3j_harm: driver arm.
+ */
+ typedef struct _u3j_harm {
+ c3_c* fcs_c; // `.axe` or name
+ u3_noun (*fun_f)(u3_noun); // compute or 0 / semitransfer
+ c3_o ice; // perfect (don't test)
+ c3_o tot; // total (never punts)
+ c3_o liv; // live (enabled)
+ } u3j_harm;
+
+ /* u3j_core: C core driver.
+ */
+ typedef struct _u3j_core {
+ c3_c* cos_c; // control string
+ struct _u3j_harm* arm_u; // blank-terminated static list
+ struct _u3j_core* dev_u; // blank-terminated static list
+ struct _u3j_core* par_u; // dynamic parent pointer
+ c3_l jax_l; // dynamic jet index
+ } u3j_core;
+
+ /* u3e_dash, u3_Dash, u3D: jet dashboard singleton
+ */
+ typedef struct _u3e_dash {
+ u3j_core* dev_u; // null-terminated static list
+ c3_l len_l; // ray_u filled length
+ c3_l all_l; // ray_u allocated length
+ u3j_core* ray_u; // dynamic driver array
+ } u3j_dash;
+
+Warm and cold state is *per road*. In other words, as we nest
+roads, we also nest jet state. The jet state in the road is:
+
+ struct { // jet dashboard
+ u3p(u3h_root) har_p; // warm state
+ u3_noun das; // cold state
+ } jed;
+
+In case you understand Hoon, `das` (cold state) is a `++dash`,
+and `har_p` (warm state) is a map from battery to `++calx`:
+
+ ++ bane ,@tas :: battery name
+ ++ bash ,@uvH :: label hash
+ ++ bosh ,@uvH :: local battery hash
+ ++ batt ,* :: battery
+ ++ calf ::
+ $: jax=,@ud :: hot core index
+ hap=(map ,@ud ,@ud) :: axis/hot arm index
+ lab=path :: label as path
+ jit=* :: arbitrary data
+ == ::
+ ++ calx (trel calf (pair bash cope) club) :: cached by battery
+ ++ clog (pair cope (map batt club)) :: identity record
+ ++ club (pair corp (map term nock)) :: battery pattern
+ ++ cope (trel bane axis (each bash noun)) :: core pattern
+ ++ core ,* :: core
+ ++ corp (each core batt) :: parent or static
+ ++ dash (map bash clog) :: jet system
+
+The driver index `jax` in a `++calx` is an index into `ray_u` in the
+dashboard - ie, a pointer into hot state. This is why the warm
+state has to be reset when we reload the pier in a new process.
+
+Why is jet state nested? Nock of course is a functional system,
+so as we compute we don't explicitly create state. Jet state is
+an exception to this principle (which works only because it can't
+be semantically detected from Nock/Hoon) - but it can't violate
+the fundamental rules of the allocation system.
+
+For instance, when we're on an inner road, we can't allocate on
+an outer road, or point from an outer road to an inner. So if we
+learn something - like a mapping from battery to jet - in the
+inner road, we have to keep it in the inner road.
+
+Mitigating this problem, when we leave an inner road (with
+`u3m_love()`), we call `u3j_reap()` to promote jet information in
+the dying road. Reaping promotes anything we've learned about
+any battery that either (a) already existed in the outer road, or
+(b) is being saved to the outer road.
+
+#### u3j: jet binding
+
+Jet binding starts with a `%fast` hint. (In Hoon, this is
+produced by the runes `~%`, for the general case, or `~/`
+for simple functions.) To bind a jet, execute a formula of the
+form:
+
+ [10 [%fast clue-formula] core-formula]
+
+`core-formula` assembles the core to be jet-propelled.
+`clue-formula` produces the hint information, or `++clue`
+above, which we want to annotate it with.
+
+A clue is a triple of name, parent, and hooks:
+
+ ++ clue (trel chum nock (list (pair term nock)))
+
+The name, or `++chum`, has a bunch of historical structure which
+we don't need (cleaning these things up is tricky), but just gets
+flattened into a term.
+
+The parent axis is a nock formula, but always reduces to a simple
+axis, which is the address of this core's *parent*. Consider
+again an ordinary gate
+
+ [formula [sample context]]
+
+Typically the `context` is itself a library core, which itself
+has a jet binding. If so, the parent axis of this gate is `7`.
+
+If the parent is already bound - and the parent *must* be already
+bound, in this road or a road containing it - we can hook this core
+bottom-up into a tree hierarchy. Normally the child core is
+produced by an arm of the parent core, so this is not a problem -
+we wouldn't have the child if we hadn't already made the parent.
+
+The clue also contains a list of *hooks*, named nock formulas on
+the core. Usually these are arms, but they need not be. The
+point is that we often want to call a core from C, in a situation
+where we have no type or other source information. A common case
+of this is a complex system in which we're mixing functions which
+are jet-propelled with functions that aren't.
+
+In any case, all the information in the `%fast` hint goes to
+`u3j_mine()`, which registers the battery in cold state (`das` in
+`jed` in `u3R`), then warm state (`har_p` in `jed`).
+
+It's essential to understand that the `%fast` hint has to be,
+well, fast - because we apply it whenever we build a core. For
+instance, if the core is a Hoon gate - a function - we will call
+`u3j_mine` every time the function is called.
+
+### u3j: the cold jet dashboard
+
+For even more fun, the jet tree is not actually a tree of
+batteries. It's a tree of battery *labels*, where a label is
+an [axis term] path from the root of the tree. (At the root,
+if the core pattern is always followed properly, is a core whose
+payload is an atomic constant, conventionally the Hoon version.)
+
+Under each of these labels, it's normal to have an arbitrary
+number of different Nock batteries (not just multiple copies
+of the same noun, a situation we *do* strive to avoid). For
+instance, one might be compiled with debugging hints, one not.
+
+We might even have changed the semantics of the battery without
+changing the label - so long as those semantics don't invalidate
+any attached driver.
+
+et tree. For instance, it's normal to have
+two equivalent Nock batteries at the same time in one pier: one
+battery compiled with debugging hints, one not.
+
+Rather, the jet tree is a semantic hierarchy. The root of the
+hierarchy is a constant, by convention the Hoon kernel version
+because any normal jet-propelled core has, at the bottom of its
+onion of libraries, the standard kernel. Thus if the core is
+
+ [foo-battery [bar-battery [moo-battery 164]]]
+
+we can reverse the nesting to construct a hierarchical core
+path. The static core
+
+ 164/moo/bar/foo
+
+extends the static core `164/moo/bar` by wrapping the `foo`
+battery (ie, in Hoon, `|%`) around it. With the core above,
+you can compute `foo` stuff, `bar` stuff, and `moo` stuff.
+Rocket science, not.
+
+Not all cores are static, of course - they may contain live data,
+like the sample in a gate (ie, argument to a function). Once
+again, it's important to remember that we track jet bindings not
+by the core, which may not be static, but by the battery, which
+is always static.
+
+(And if you're wondering how we can use a deep noun like a Nock
+formula or battery as a key in a key-value table, remember
+`mug_w`, the lazily computed short hash, in all boxed nouns.)
+
+In any case, `das`, the dashboard, is a map from `bash` to jet
+location record (`++clog`). A `clog` in turn contains two kinds
+of information: the `++cope`, or per-location noun; and a map of
+batteries to a per-battery `++club`.
+
+The `cope` is a triple of `++bane` (battery name, right now just
+a `term`); `++axis`, the axis, within *this* core, of the parent;
+and `(each bash noun)`, which is either `[0 bash]` if the parent
+is another core, or `[1 noun]`, for the constant noun (like
+`164`) if there is no parent core.
+
+A `bash` is just the noun hash (`++sham`) of a `cope`, which
+uniquely expresses the battery's hierarchical location without
+depending on the actual formulas.
+
+The `club` contains a `++corp`, which we use to actually validate
+the core. Obviously jet execution has to be perfectly compatible
+with Nock. We search on the battery, but getting the battery
+right is not enough - a typical battery is dependent on its
+context. For example, your jet-propelled library function is
+very likely to call `++dec` or other advanced kernel technology.
+If you've replaced the kernel in your context with something
+else, we need to detect this and not run the jet.
+
+There are two cases for a jet-propelled core - either the entire
+core is a static constant, or it isn't. Hence the definition
+of `corp`:
+
+ ++ corp (each core batt) :: parent or static
+
+Ie, a `corp` is `[0 core]` or `[1 batt]`. If it's static -
+meaning that the jet only works with one specific core, ie, the
+parent axis of each location in the hierarchy is `3` - we can
+validate with a single comparison. Otherwise, we have to recurse
+upward by checking the parent.
+
+Note that there is at present no way to force a jet to depend on
+static *data*.
+
+### u3j: the warm jet dashboard
+
+We don't use the cold state to match jets as we call them. We
+use the cold state to register jets as we find them, and also to
+rebuild the warm state after the hot state is reset.
+
+What we actually use at runtime is the warm state, `jed->har_p`,
+which is a `u3h` (built-in hashtable), allocated on the loom,
+from battery to `++calx`.
+
+A `calx` is a triple of a `++calf`, a `[bash cope]` cell, and a
+`club`. The latter two are all straight from cold state.
+
+The `calf` contains warm data dependent on hot state. It's a
+quadruple: of `jax`, the hot driver index (in `ray_u` in
+`u3j_dash`); `hap`, a table from arm axis (ie, the axis of each
+formula within the battery) to driver arm index (into `arm_u` in
+`u3j_core`); `lab`, the complete label path; and `jit`, any
+other dynamic data that may speed up execution.
+
+We construct `hap`, when we create the calx, by iterating through
+the arms registered in the `u3j_core`. Note the way a `u3j_harm`
+declares itself, with the string `fcs_c` which can contain either
+an axis or a name. Most jetted cores are of course gates, which
+have one formula at one axis within the core: `fcs_c` is `".3"`.
+
+But we do often have fast cores with more complex arm structure,
+and it would be sad to have to manage their axes by hand. To use
+an `fcs_c` with a named arm, it's sufficient to make sure the
+name is bound to a formula `[0 axis]` in the hook table.
+
+`jit`, as its name suggests, is a stub where any sort of
+optimization data computed on battery registration might go. To
+use it, fill in the `_cj_jit()` function.
+
+### u3j: the hot dashboard
+
+Now it should be easy to see how we actually invoke jets. Every
+time we run a nock `9` instruction (pretty often, obviously), we
+have a core and an axis. We pass these to `u3j_kick()`, which
+will try to execute them.
+
+Because nouns with a reference count of 1 are precious,
+`u3j_kick()` has a tricky reference control definition. It
+reserves the right to return `u3_none` in the case where there is
+no driver, or the driver does not apply for this case; in this
+case, it retains argument `cor`. If it succeeds, though, it
+transfers `cor`.
+
+`u3j_kick()` searches for the battery (always the head of the
+core, of course) in the hot dashboard. If the battery is
+registered, it searches for the axis in `hap` in the `calx`.
+If it exists, the core matches a driver and the driver jets this
+arm. If not, we return `u3_none`.
+
+Otherwise, we call `fun_f` in our `u3j_harm`. This obeys the
+same protocol as `u3j_kick()`; it can refuse to function by
+returning `u3_none`, or consume the noun.
+
+Besides the actual function pointer `fun_f`, we have some flags
+in the `u3j_harm` which tell us how to call the arm function.
+
+If `ice` is yes (`&`, `0`), the jet is known to be perfect and we
+can just trust the product of `fun_f`. Otherwise, we need to run
+*both* the Nock arm and `fun_f`, and compare their results.
+
+(Note that while executing the C side of this test, we have to
+set `ice` to yes; on the Nock side, we have to set `liv` to no.
+Otherwise, many non-exponential functions become exponential.
+When auto-testing jets in this way, the principle is that the
+test is on the outermost layer of recursion.)
+
+(Note also that anyone who multi-threads this execution
+environment has a slight locking problem with these flags if arm
+testing is multi-threaded.)
+
+If `tot` is yes, (`&`, `0`), the arm function is *total* and has
+to return properly (though it can still return *u3_none*).
+Otherwise, it is *partial* and can `u3_cm_bail()` out with
+c3__punt. This feature has a cost: the jet runs in a subroad.
+
+Finally, if `liv` is no (`|`, 1), the jet is off and doesn't run.
+
+It should be easy to see how the tree of cores gets declared -
+precisely, in `j/dash.c`. We declare the hierarchy as a tree
+of `u3j_core` structures, each of which comes with a static list
+of arms `arm_u` and sub-cores `dev_u`.
+
+In `u3j_boot()`, we traverse the hierarchy, fill in parent
+pointers `par_u`, and enumerate all `u3j_core` structures
+into a single flat array `u3j_dash.ray_u`. Our hot state
+then appears ready for action.
+
+### u3j: jet functions
+
+At present, all drivers are compiled statically into `u3`. This is
+not a long-term permanent solution or anything. However, it will
+always be the case with a certain amount of core functionality.
+
+For instance, there are some jet functions that we need to call
+as part of loading the Arvo kernel - like `++cue` to unpack a
+noun from an atom. And obviously it makes sense, when jets are
+significant enough to compile into `u3`, to export their symbols
+in headers and the linker.
+
+There are three interface prefixes for standard jet functions:
+`u3k`, `u3q`, and `u3w`. All jets have `u3w` interfaces; most
+have `u3q`; some have `u3k`. Of course the actual logic is
+shared.
+
+`u3w` interfaces use the same protocol as `fun_f` above: the
+caller passes the entire core, which is retained if the function
+returns `u3_none`, transferred otherwise. Why? Again, use
+counts of 1 are special and precious for performance hackers.
+
+`u3q` interfaces break the core into C arguments, *retain* noun
+arguments, and *transfer* noun returns. `u3k` interfaces are the
+same, except with more use of `u3_none` and other simple C
+variations on the Hoon original, but *transfer* both arguments
+and returns. Generally, `u3k` are most convenient for new code.
+
+Following `u3k/q/w` is `[a-f]`, corresponding to the 6 logical
+tiers of the kernel, or `g` for user-level jets. Another letter
+is added for functions within subcores. The filename, under
+`j/`, follows the tier and the function name.
+
+For instance, `++add` is `u3wa_add(cor)`, `u3qa_add(a, b)`, or
+`u3ka_add(a, b)`, in `j/a/add.c`. `++get` in `++by` is
+`u3wdb_get(cor)`, `u3kdb_get(a, b)`, etc, in `j/d/by_get.c`.
+
+For historical reasons, all internal jet code in `j/[a-f]`
+*retains* noun arguments, and *transfers* noun results. Please
+do not do this in new `g` jets! The new standard protocol is to
+transfer both arguments and results.
+
+### u3a: allocation functions
+
+`u3a` allocates on the current road (u3R). Its internal
+structures are uninteresting and typical of a naive allocator.
+
+The two most-used `u3a` functions are `u3a_gain()` to add a
+reference count, and `u3a_lose()` to release one (and free the
+noun, if the use count is zero). For convenience, `u3a_gain()`
+returns its argument. The pair are generally abbreviated with
+the macros `u3k()` and `u3z()` respectively.
+
+Normally we create nouns through `u3i` functions, and don't call
+the `u3a` allocators directly. But if you do:
+
+One, there are *two* sets of allocators: the word-aligned
+allocators and the fully-aligned (ie, malloc compatible)
+allocators. For instance, on a typical OS X setup, malloc
+produces 16-byte aligned results - needed for some SSE
+instructions.
+
+These allocators are *not compatible*. For 32-bit alignment
+as used in nouns, call
+
+ /* u3a_walloc(): allocate storage measured in words.
+ */
+ void*
+ u3a_walloc(c3_w len_w);
+
+ /* u3a_wfree(): free storage.
+ */
+ void
+ u3a_wfree(void* lag_v);
+
+ /* u3a_wealloc(): word realloc.
+ */
+ void*
+ u3a_wealloc(void* lag_v, c3_w len_w);
+
+For full alignment, call:
+
+ /* u3a_malloc(): aligned storage measured in bytes.
+ */
+ void*
+ u3a_malloc(size_t len_i);
+
+ /* u3a_realloc(): aligned realloc in bytes.
+ */
+ void*
+ u3a_realloc(void* lag_v, size_t len_i);
+
+ /* u3a_realloc2(): gmp-shaped realloc.
+ */
+ void*
+ u3a_realloc2(void* lag_v, size_t old_i, size_t new_i);
+
+ /* u3a_free(): free for aligned malloc.
+ */
+ void
+ u3a_free(void* tox_v);
+
+ /* u3a_free2(): gmp-shaped free.
+ */
+ void
+ u3a_free2(void* tox_v, size_t siz_i);
+
+There are also a set of special-purpose allocators for building
+atoms. When building atoms, please remember that it's incorrect
+to have a high 0 word - the word length in the atom structure
+must be strictly correct.
+
+Of course, we don't always know how large our atom will be.
+Therefore, the standard way of building large atoms is to
+allocate a block of raw space with `u3a_slab()`, then chop off
+the end with `u3a_malt()` (which does the measuring itself)
+or `u3a_mint()` in case you've measured it yourself.
+
+Once again, *do not call `malloc()`* (or C++ `new`) within any
+code that may be run within a jet. This will cause rare sporadic
+corruption when we interrupt execution within a `malloc()`. We'd
+just override the symbol, but `libuv` uses `malloc()` across
+threads within its own synchronization primitives - for this to
+work with `u3a_malloc()`, we'd have to introduce our own locks on
+the surface-level road (which might be a viable solution).
+
+### u3n: nock execution
+
+The `u3n` routines execute Nock itself. On the inside, they have
+a surprising resemblance to the spec proper (the only interesting
+detail is how we handle tail-call elimination) and are, as one
+would expect, quite slow. (There is no such thing as a fast tree
+interpreter.)
+
+There is only one Nock, but there are lots of ways to call it.
+(Remember that all `u3n` functions *transfer* C arguments and
+returns.)
+
+The simplest interpreter, `u3n_nock_on(u3_noun bus, u3_noun fol)`
+invokes Nock on `bus` (the subject) and `fol` (the formula).
+(Why is it`[subject formula]`, not `[formula subject]`? The same
+reason `0` is true and `1` is false.)
+
+A close relative is `u3n_slam_on(u3_noun gat, u3_noun sam)`,
+which slams a *gate* (`gat`) on a sample (`sam`). (In a normal
+programming language which didn't talk funny and was retarded,
+`u3n_slam_on()` would call a function on an argument.) We could
+write it most simply as:
+
+ u3_noun
+ u3n_slam_on(u3_noun gat, u3_noun sam)
+ {
+ u3_noun pro = u3n_nock_on
+ (u3nc(u3k(u3h(gat)),
+ u3nc(sam, u3k(u3t(u3t(gat))))),
+ u3k(u3h(gat)));
+ u3z(gat);
+ return pro;
+ }
+
+Simpler is `u3n_kick_on(u3_noun gat)`, which slams a gate (or,
+more generally, a *trap* - because sample structure is not even
+needed here) without changing its sample:
+
+ u3_noun
+ u3n_kick_on(u3_noun gat, u3_noun sam)
+ {
+ return u3n_nock_on(gat, u3k(u3h(gat)));
+ }
+
+The `_on` functions in `u3n` are all defined as pure Nock. But
+actually, even though we say we don't extend Nock, we do. But we
+don't. But we do.
+
+Note that `u3` has a well-developed error handling system -
+`u3m_bail()` to throw an exception, `u3m_soft_*` to catch one.
+But Nock has no exception model at all. That's okay - all it
+means if that if an `_on` function bails, the exception is an
+exception in the caller.
+
+However, `u3`'s exception handling happens to match a convenient
+virtual super-Nock in `hoon.hoon`, the infamous `++mock`. Of
+course, Nock is slow, and `mock` is Nock in Nock, so it is
+(logically) super-slow. Then again, so is decrement.
+
+With the power of `u3`, we nest arbitrary layers of `mock`
+without any particular performance cost. Moreover, we simply
+treat Nock proper as a special case of `mock`. (More precisely,
+the internal VM loop is `++mink` and the error compiler is
+`++mook`. But we call the whole sandbox system `mock`.)
+
+The nice thing about `mock` functions is that (by executing
+within `u3m_soft_run()`, which as you may recall uses a nested
+road) they provide both exceptions and the namespace operator -
+`.^` in Hoon, which becomes operator `11` in `mock`.
+
+`11` requires a namespace function, or `fly`, which produces a
+`++unit` - `~` (`0`) for no binding, or `[0 value]`. The sample
+to a `fly` is a `++path`, just a list of text `span`.
+
+`mock` functions produce a `++toon`. Fully elaborated:
+
+ ++ noun ,* :: any noun
+ ++ path (list ,@ta) :: namespace path
+ ++ span ,@ta :: text-atom (ASCII)
+ ++ toon $% [%0 p=noun] :: success
+ [%1 p=(list path)] :: blocking paths
+ [%2 p=(list tank)] :: stack trace
+ == ::
+ ++ tank :: printable
+ $% [%leaf p=tape] :: flat text
+ $: %palm :: backstep list
+ p=[p=tape q=tape r=tape s=tape] :: mid cap open close
+ q=(list tank) :: contents
+ == ::
+ $: %rose :: straight list
+ p=[p=tape q=tape r=tape] :: mid open close
+ q=(list tank) :: contents
+ == ::
+ ==
+
+(Note that `tank` is overdesigned and due for replacement.)
+
+What does a `toon` mean? Either your computation succeded (`[0
+noun]`, or could not finish because it blocked on one or more
+global paths (`[1 (list path)]`), or it exited with a stack trace
+(`[2 (list tank)]`).
+
+Note that of all the `u3` exceptions, only `%exit` is produced
+deterministically by the Nock definition. Therefore, only
+`%exit` produces a `2` result. Any other argument to
+`u3m_bail()` will unwind the virtualization stack all the way to
+the top - or to be more exact, to `u3m_soft_top()`.
+
+In any case, the simplest `mock` functions are `u3n_nock_un()`
+and `u3n_slam_un()`. These provide exception control without
+any namespace change, as you can see by the code:
+
+ /* u3n_nock_un(): produce .*(bus fol), as ++toon.
+ */
+ u3_noun
+ u3n_nock_un(u3_noun bus, u3_noun fol)
+ {
+ u3_noun fly = u3nt(u3nt(11, 0, 6), 0, 0); // |=(a=* .^(a))
+
+ return u3n_nock_in(fly, bus, fol);
+ }
+
+ /* u3n_slam_un(): produce (gat sam), as ++toon.
+ */
+ u3_noun
+ u3n_slam_un(u3_noun gat, u3_noun sam)
+ {
+ u3_noun fly = u3nt(u3nt(11, 0, 6), 0, 0); // |=(a=* .^(a))
+
+ return u3n_slam_in(fly, gat, sam);
+ }
+
+The `fly` is added as the first argument to `u3n_nock_in()` and
+`u3n_slam_in()`. Of course, logically, `fly` executes in the
+caller's exception layer. (Maintaining this illusion is slightly
+nontrivial.) Finally, `u3n_nock_an()` is a sandbox with a null
+namespace.
+
+### u3e: persistence
+
+The only `u3e` function you should need to call is `u3e_save()`,
+which saves the loom. As it can be restored on any platform,
+please make sure you don't have any state in the loom that is
+bound to your process or architecture - except for exceptions
+like the warm jet state, which is actively purged on reboot.
+
+### u3r: reading nouns (weak)
+
+As befits accessors they don't make anything, `u3r` noun reading
+functions always retain their arguments and their returns. They
+never bail; rather, when they don't work, they return a `u3_weak`
+result.
+
+Most of these functions are straightforward and do only what
+their comments say. A few are interesting enough to discuss.
+
+`u3r_at()` is the familiar tree fragment function, `/` from the
+Nock spec. For taking complex nouns apart, `u3r_mean()` is a
+relatively funky way of deconstructing nouns with a varargs list
+of `axis`, `u3_noun *`. For cells, triples, etc, decompose with
+`u3r_cell()`, `u3r_trel()`, etc. For the tagged equivalents, use
+`u3r_pq()` and friends.
+
+`u3r_sing(u3_noun a, u3_noun b)` (true if `a` and `b` are a
+*single* noun) are interesting because it uses mugs to help it
+out. Clearly, different nouns may have the same mug, but the
+same nouns cannot have a different mug. It's important to
+understand the performance characteristics of `u3r_sing()`:
+the worst possible case is a comparison of duplicate nouns,
+which have the same value but were created separately. In this
+case, the tree is traversed
+
+`u3r_sung()` is a deeply funky and frightening version of
+`u3r_sing()` that unifies pointers to the duplicate nouns it
+finds, freeing the second copy. Obviously, do not use
+`u3r_sung()` when you have live, but not reference counted, noun
+references from C - if they match a noun with a refcount of 1
+that gets freed, bad things happen.
+
+It's important to remember that `u3r_mug()`, which produces a
+31-bit, nonzero insecure hash, uses the `mug_w` slot in any boxed
+noun as a lazy cache. There are a number of variants of
+`u3r_mug()` that can get you out of building unneeded nouns.
+
+### u3x: reading nouns (bail)
+
+`u3x` functions are like `u3r` functions, but instead of
+returning `u3_none` when (for instance) we try to take the head
+of an atom, they bail with `%exit`. In other words, they do what
+the same operation would do in Nock.
+
+### u3h: hash tables.
+
+We can of course use the Hoon `map` structure as an associative
+array. This is a balanced treap and reasonably fast. However,
+it's considerably inferior to a custom structure like an HAMT
+(hash array-mapped trie). We use `u3_post` to allocate HAMT
+structures on the loom.
+
+(Our HAMT implements the classic Bagwell algorithm which depends
+on the `gcc` standard directive `__builtin_popcount()`. On a CPU
+which doesn't support popcount or an equivalent instruction, some
+other design would probably be preferable.)
+
+There's no particular rocket science in the API. `u3h_new()`
+creates a hashtable; `u3h_free()` destroys one; `u3h_put()`
+inserts, `u3h_get()` retrieves. You can transform values in a
+hashtable with `u3h_walk()`.
+
+The only funky function is `u3h_gut()`, which unifies keys with
+`u3r_sung()`. As with all cases of `u3r_sung()`, this must be
+used with extreme caution.
+
+### u3z: memoization
+
+Connected to the `~+` rune in Hoon, via the Nock `%memo` hint,
+the memoization facility is a general-purpose cache.
+
+(It's also used for partial memoization - a feature that'll
+probably be removed, in which conservative worklist algorithms
+(which would otherwise be exponential) memoize everything in the
+subject *except* the worklist. This is used heavily in the Hoon
+compiler jets (j/f/*.c). Unfortunately, it's probably not
+possible to make this work perfectly in that it can't be abused
+to violate Nock, so we'll probably remove it at a later date,
+instead making `++ut` keep its own monadic cache.)
+
+Each `u3z` function comes with a `c3_m` mote which disambiguates
+the function mapping key to value. For Nock itself, use 0. For
+extra speed, small tuples are split out in C; thus, find with
+
+ u3_weak u3z_find(c3_m, u3_noun);
+ u3_weak u3z_find_2(c3_m, u3_noun, u3_noun);
+ u3_weak u3z_find_3(c3_m, u3_noun, u3_noun, u3_noun);
+ u3_weak u3z_find_4(c3_m, u3_noun, u3_noun, u3_noun, u3_noun);
+
+and save with
+
+ u3_noun u3z_save(c3_m, u3_noun, u3_noun);
+ u3_noun u3z_save_2(c3_m, u3_noun, u3_noun, u3_noun);
+ u3_noun u3z_save_3(c3_m, u3_noun, u3_noun, u3_noun, u3_noun);
+ u3_noun u3z_save_4(c3_m, u3_noun, u3_noun, u3_noun, u3_noun, u3_noun);
+
+where the value is the last argument. To eliminate duplicate
+nouns, there is also
+
+ u3_noun
+ u3z_uniq(u3_noun);
+
+`u3z` functions retain keys and transfer values.
+
+The `u3z` cache, built on `u3h` hashes, is part of the current
+road, and goes away when it goes away. (In future, we may wish
+to promote keys/values which outlive the road, as we do with jet
+state.) There is no cache reclamation at present, so be careful.
+
+### u3t: tracing and profiling.
+
+TBD.
+
+### u3v: the Arvo kernel
+
+An Arvo kernel - or at least, a core that compiles with the Arvo
+interface - is part of the global `u3` state. What is an Arvo
+core? Slightly pseudocoded:
+
+ ++ arvo
+ |%
+ ++ come |= [yen=@ ova=(list ovum) nyf=pone] :: 11
+ ^- [(list ovum) _+>]
+ !!
+ ++ keep |= [now=@da hap=path] :: 4
+ ^- (unit ,@da)
+ !!
+ ++ load |= [yen=@ ova=(list ovum) nyf=pane] :: 86
+ ^- [(list ovum) _+>]
+ !!
+ ++ peek |= [now=@da path] :: 87
+ ^- (unit)
+ !!
+ ++ poke |= [now=@da ovo=ovum] :: 42
+ ^- [(list ovum) _+>]
+ !!
+ ++ wish |= txt=@ta :: 20
+ ^- *
+ !!
+ --
+ ++ card ,[p=@tas q=*] :: typeless card
+ ++ ovum ,[p=wire q=card] :: Arvo event
+ ++ wire path :: event cause
+
+This is the Arvo ABI in a very real sense. Arvo is a core with
+these six arms. To use these arms, we hardcode the axis of the
+formula (`11`, `4`, `86`, etc) into the C code that calls Arvo,
+because otherwise we'd need type metadata - which we can get, by
+calling Arvo.
+
+It's important to understand the Arvo event/action structure, or
+`++ovum`. An `ovum` is a `card`, which is any `[term noun]`
+cell, and a `++wire`, a `path` which indicates the location of
+the event. At the Unix level, the `wire` corresponds to a system
+module or context. For input events, this is the module that
+caused the event; for output actions, it's the module that
+performs the action.
+
+`++poke` sends Arvo an event `ovum`, producing a cell of action
+ova and a new Arvo core.
+
+`++peek` dereferences the Arvo namespace. It takes a date and a
+key, and produces `~` (`0`) or `[~ value]`.
+
+`++keep` asks Arvo the next time it wants to be woken up, for the
+given `wire`. (This input will probably be eliminated in favor
+of a single global timer.)
+
+`++wish` compiles a string of Hoon source. While just a
+convenience, it's a very convenient convenience.
+
+`++come` and `++load` are used by Arvo to reset itself (more
+precisely, to shift the Arvo state from an old kernel to a new
+one); there is no need to call them from C.
+
+Now that we understand the Arvo kernel interface, let's look at
+the `u3v` API. As usual, all the functions in `u3v` are
+commented, but unfortunately it's hard to describe this API as
+clean at present. The problem is that `u3v` remains design
+coupled to the old `vere` event handling code written for `u2`.
+But let's describe the functions you should be calling, assuming
+you're not writing the next event system. There are only two.
+
+`u3v_wish(str_c)` wraps the `++wish` functionality in a cache
+(which is read-only unless you're on the surface road).
+
+`u3v_do()` uses `wish` to provide a convenient interface for
+calling Hoon kernel functions by name. Even more conveniently,
+we tend to call `u3v_do()` with these convenient aliases:
+
+ #define u3do(txt_c, arg) u3v_do(txt_c, arg)
+ #define u3dc(txt_c, a, b) u3v_do(txt_c, u3nc(a, b))
+ #define u3dt(txt_c, a, b, c) u3v_do(txt_c, u3nt(a, b, c))
+ #define u3dq(txt_c, a, b, c, d) u3v_do(txt_c, u3nt(a, b, c, d))
+
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-16 21:18:34 +0000