The Fortress Language Specification - CiteSeerX

More documents

Recommendations

Info

Fortress.IO Fortress.Crypto Fortress.Security CoolCryptoApp.2.0 Fortress.IO Fortress.Crypto Fortress.Security IronLink Fortress.IO Fortress.Crypto CoolSecurity IronIO IronCrypto Fortress.IO Fortress.Security Fortress.Security Figure 22.4: An upgraded component Developers can define their own versions of this component to restrict how their components can be upgraded. For example, they can prevent upgrades with older versions of a component, or with a matching component from an untrusted vendor. The Upgradable API presents a problem for our model. Its implementation by the various constituent components in a compound component must be accessed during an upgrade operation. However, because the exported APIs of the constituent components must be disjoint, they cannot all export Upgradable after linking. We solve this problem by introducing an additional step during linking. In a link operation, a special component, called a restriction component, is constructed automatically, based on the provided constituents. This component exports the Upgradable API; its implementation is a function of all the constituents provided to the link operation. The provided constituents are then used to construct a new set of constituents that are identical to the provided constituents except that they do not export Upgradable. These new constituents are then combined, along with the restriction component, to form the constituents of a new compound component. In addition to the constraints imposed by a component’s isValidUpgrade function, there are several other conditions that must be met in order for an upgrade to be valid. These conditions are necessary to ensure that the resulting component is well-formed and imports and exports the same APIs as the target: 4 1. Every API imported by the replacement must be either imported or exported by the target. 2. The APIs exported by the replacement must be a subset of those exported by the target. 4 These conditions are sufficient provided there are no hidden or constrained APIs, which are discussed in Section 22.8. 172
3. If the replacement does not export all the APIs that a constituent exports then either the replacement and constituent do not export any APIs in common or the constituent can be upgraded with the replacement. The rationale for the first two conditions is straightforward: If an API is imported by the replacement but not imported or exported by the target, then references to that API cannot be resolved in the result (unless we also import that API in the result). If an API is exported by the replacement but not the target, then the result will export an API not exported by the target. The third condition says that the constituents of the target can be partitioned into three sets: those that are subsumed by the replacement, those that are unaffected by the upgrade, and all the rest, which can be upgraded with the replacement. This condition enables recursive propagation of upgrades. That is, an upgrade not only replaces constituents at the top level of the component, but is also propagated into any constituents with which it exports some APIs in common. Thus, in the example above, we could have upgraded CoolCryptoApp with a component that exports Fortress.IO. However, we could not have upgraded CoolCryptoApp with a component that exports both Fortress.Security and Fortress.IO because IronLink exports Fortress.IO but not Fortress.Security. In Section 22.8, we show how hiding and constraining APIs can help us get around many of the limitations that this condition imposes. Recall that in our system, unlike with dynamic linking, components are encapsulated so that an upgrade to one component does not affect any other component on the system. We can imagine that all operations on components copy the components that they operate on rather than share them. Because components are immutable, these two interpretations are semantically indistinguishable. Convenience operations that support mass upgrades are provided on fortresses (e.g., an upgradeAll operation that takes a component and upgrades all components in the fortress that can be upgraded with its argument). Extract and Install A component installed on a fortress may be extracted by calling an extract operation on the fortress, passing the name of the component as an argument, along with an argument prereqs, denoting the names of all APIs that must be installed on any fortress before this component can be installed. extract(componentName:String, prereqs:Set[\String\] = {}):() Furthermore, the destination fortress must have a component that exports these APIs and is a valid upgrade of the extracted component. Intuitively, a prereqs argument allows a component to be serialized without having to include all of its libraries; new libraries can be provided when the component is installed at a destination fortress. The prereqs argument is optional; if omitted, the extracted component can be installed on any fortress. Any component can be extracted; however only compound components can be extracted with a prereqs argument: because extracted components must be upgradable with respect to a component exporting their prereqs, no prereqs argument makes sense for a simple component. The APIs included in a prereqs argument must be the APIs exported by some subset of the extracted component’s constituents (or a subset of the constituents of one of its constituents, and so on, due to recursive updating). The extracted component is serialized to a file, including all the APIs it refers to (and, transitively, all APIs they refer to) and all constituent components, except those that export the prereqs. This operation does not remove the extracted component from the fortress; there is a separate uninstall operation for that. When the component is extracted, if no prereqs were passed to the extract operation, then the contents of the file can be deserialized by any fortress into the extracted component, which can be installed on the fortress. However, if prereqs were passed to extract, then the file must be deserialized into a component that exports only the Installable API: api Installable import Component from Components reconstitute(candidate : Component) :Component end 173
Page 1 and 2:
The Fortress Language Specification
Page 3 and 4:
4 Evaluation 36 4.1 Values . . . .
Page 5 and 6:
12 Functions 85 12.1 Function Decla
Page 7 and 8:
17.7 Coercions for Tuple and Arrow
Page 9 and 10:
IV Fortress for Library Writers 214
Page 11 and 12:
40.10The Trait Fortress.Core.Binary
Page 13 and 14:
Chapter 1 Introduction The Fortress
Page 15 and 16:
A note on the presented libraries i
Page 17 and 18:
component HelloWorld export Executa
Page 19 and 20:
foo:String → () baz: String → S
Page 21 and 22:
fortress upgrade Gary with Ralph No
Page 23 and 24:
halve(x : R64) : R64 = x/2 Predicta
Page 25 and 26:
while x < 10 do print x x += 1 end
Page 27 and 28:
It is also possible to convert a me
Page 29 and 30:
factorial(n) = ∏ i←1:n i This f
Page 31 and 32:
In both methods cons and append , t
Page 33 and 34:
default distributions will provide
Page 35 and 36:
Chapter 3 Programs A program consis
Page 37 and 38:
Chapter 10), a literal (see Section
Page 39 and 40:
(discussed in Section 13.13) to a s
Page 41 and 42:
Chapter 5 Lexical Structure A Fortr
Page 43 and 44:
U+0021 EXCLAMATION MARK ! U+0023 NU
Page 45 and 46:
If a character (or any other syntac
Page 47 and 48:
BIG SI unit absorbs abstract also a
Page 49 and 50:
escape sequences are useful for ASC
Page 51 and 52:
5.14.1 Multicharacter Enclosing Ope
Page 53 and 54:
Note: the elegant way to write Avog
Page 55 and 56:
• top-level variable declarations
Page 57 and 58:
declares id to be a mutable variabl
Page 59 and 60:
several new variables. This syntax
Page 61 and 62:
Chapter 7 Names Names are used to r
Page 63 and 64:
7.3 Qualified Names Fortress provid
Page 65 and 66:
Fortress also allows coercion betwe
Page 67 and 68:
• element types of a tuple type c
Page 69 and 70:
TypeAlias ::= type Id [StaticParams
Page 71 and 72:
‘}’. If such a clause contains
Page 73 and 74:
Note that a trait declaration inher
Page 75 and 76:
the parametric trait WrappedDiction
Page 77 and 78:
Chapter 10 Objects An object is a v
Page 79 and 80:
FldDef ::= FldMod ∗ Id [IsType] (
Page 81 and 82:
Chapter 11 Static Parameters Trait,
Page 83 and 84:
11.5 Operator and Identifier Parame
Page 85 and 86:
Chapter 12 Functions Functions are
Page 87 and 88:
swap(x :Object, y : Object) = (y, x
Page 89 and 90:
A function declaration may be separ
Page 91 and 92:
Chapter 13 Expressions Fortress is
Page 93 and 94:
Negating the literal 0 produces a s
Page 95 and 96:
the function is evaluated with the
Page 97 and 98:
13.10 Assignments Syntax: Expr ::=
Page 99 and 100:
treeSum(t : TreeLeaf) = 0 treeSum(t
Page 101 and 102:
Several common mathematical operato
Page 103 and 104:
The body of each iteration is run i
Page 105 and 106:
to the value of the condition expre
Page 107 and 108:
An atomic expression consists of th
Page 109 and 110:
13.26 Try Expressions Syntax: Flow
Page 111 and 112:
13.27.2 Static Expressions and Valu
Page 113 and 114:
A = [1 2 3; 4 5 6; 7 8 9] then A 1,
Page 115 and 116:
evaluates to the set {0, 4, 16} Map
Page 117 and 118:
ignore(f x) is equivalent to: f x;
Page 119 and 120:
trait CheckedException extends { Ex
Page 121 and 122: Chapter 15 Overloading and Multiple
Page 123 and 124: e called with. In other words, we e
Page 125 and 126: Chapter 16 Operators Operators are
Page 127 and 128: • “ordinary” operators: + −
Page 129 and 130: left context whitespace operator fi
Page 131 and 132: The rules below are designed to for
Page 133 and 134: 16.8.3 Enclosing Operators When use
Page 135 and 136: 16.8.9 Intersection, Union, and Set
Page 137 and 138: Chapter 17 Conversions and Coercion
Page 139 and 140: 17.3 Coercion Invocations One may i
Page 141 and 142: arguments nor with variable number
Page 143 and 144: trait B extends A end trait C exten
Page 145 and 146: a new coercion in a subexpression
Page 147 and 148: for tokens. For readability, plural
Page 149 and 150: Chapter 19 Tests and Properties For
Page 151 and 152: 19.5 Test Suites In order to allow
Page 153 and 154: Chapter 20 Type Inference Type infe
Page 155 and 156: 3. If a i is a functional applicati
Page 157 and 158: 21.2 Programming Discipline If Fort
Page 159 and 160: Here the call f(a, a) ends up setti
Page 161 and 162: 2. Ancestors, dynamically ordered b
Page 163 and 164: The ways in which fortresses are ac
Page 165 and 166: Component equivalence is determined
Page 167 and 168: 22.5 Type Inference for Components
Page 169 and 170: Fortress.IO Fortress.Crypto IronLin
Page 171: execute(componentName:String, args:
Page 175 and 176: This method runs all test functions
Page 177 and 178: Fortress.IO Fortress.Crypto Fortres
Page 179 and 180: Part III Fortress APIs and Document
Page 181 and 182: 23.1.3 hash(maxval: N64): N64 23.1.
Page 183 and 184: opr =(self,other: Boolean):Boolean
Page 185 and 186: 24.1.20 getter hashCode(): N64 24.1
Page 187 and 188: False: BooleanInterval Uncertain: B
Page 189 and 190: 24.2.11 opr ∧(self,other: Boolean
Page 191 and 192: 24.2.19 possibly(self): Boolean 24.
Page 193 and 194: Chapter 25 Numbers 25.1 Rational Nu
Page 195 and 196: opr ⌈self ⌉: N realpart(self):
Page 197 and 198: 25.1.11 opr (self,other: Q):Boolean
Page 199 and 200: 25.1.26 floor(self): Z 25.1.27 opr
Page 201 and 202: Chapter 26 Negated Relational Opera
Page 203 and 204: 26.1.26 opr ⊀T extends BinaryPred
Page 205 and 206: 27.3 The Trait Fortress.Standard.Un
Page 207 and 208: Chapter 29 Dimensions and Units 29.
Page 209 and 210: unit secondOfAngle secondsOfAngle:
Page 211 and 212: Chapter 30 Tests 30.1 The Object Fo
Page 213 and 214: 31.2 Convenience Types An optional
Page 215 and 216: Chapter 32 Parallelism and Locality
Page 217 and 218: y evaluating the two elements of th
Page 219 and 220: There is a DefaultDistribution whic
Page 221 and 222: v = spawn at a.region(i) do a i end
Page 223 and 224:
expr ∑ type wrapper ∑ body R,
Page 225 and 226:
32.8.3 Using Overloading to Adapt G
Page 227 and 228:
Chapter 33 Overloaded Functional De
Page 229 and 230:
coercions: T U ⇐⇒ T ♦ U ∧
Page 231 and 232:
The More Specific Rule for Function
Page 233 and 234:
An infix/multifix operator declarat
Page 235 and 236:
may be so defined except ordinary p
Page 237 and 238:
and here some of these computed dim
Page 239 and 240:
unit name 1 name 2 name 3 : . . . u
Page 241 and 242:
Chapter 36 Support for Domain-Speci
Page 243 and 244:
Because syntax expanders are define
Page 245 and 246:
Part V Fortress APIs and Documentat
Page 247 and 248:
property ∀(a:T) ¬(a ∼ a) end A
Page 249 and 250:
trait PartialOrderOperatorsT extend
Page 251 and 252:
The HasMinimalElement trait specifi
Page 253 and 254:
The trait Commutative requires the
Page 255 and 256:
A value e is a left identity for a
Page 257 and 258:
trait ApproximatelyHasInverses T ex
Page 259 and 260:
end extends { ApproximateCommutativ
Page 261 and 262:
A default definition is provided fo
Page 263 and 264:
trait RationalQuantityunit U absorb
Page 265 and 266:
(self,other:RationalQuantityU,ninf
Page 267 and 268:
38.2.4 getter hashCode(): Z64 38.2.
Page 269 and 270:
Chapter 39 Components and APIs We d
Page 271 and 272:
Chapter 40 Memory Sequences and Bin
Page 273 and 274:
updatenat k(j: IntegerStatick, v: T
Page 275 and 276:
40.1.12 update(j:IndexInt, v: T): L
Page 277 and 278:
40.3.2 opr nat m[r:RangeOfStaticSiz
Page 279 and 280:
40.5 The Trait Fortress.Core.Binary
Page 281 and 282:
40.5.5 bit(m:IndexInt): Bit The res
Page 283 and 284:
40.6 The Trait Fortress.Core.Binary
Page 285 and 286:
40.6.4 opr nat m[r:RangeOfStaticSiz
Page 287 and 288:
40.6.16 opr ‖ nat m,bool bigEndia
Page 289 and 290:
countLeadingZeroBits():IndexInt cou
Page 291 and 292:
40.7.41 signedShift(j:IndexInt):T 4
Page 293 and 294:
40.8.6 signedDivide(other: T,overfl
Page 295 and 296:
littleEndian():BinaryEndianLinearEn
Page 297 and 298:
40.9.16 opr ‖ nat m,nat radix,nat
Page 299 and 300:
v: BinaryEndianWordb,bigEndianBytes
Page 301 and 302:
40.10.9 opr nat m[r:RangeOfStaticSi
Page 303 and 304:
40.10.24 splitnat b ′ () : Binary
Page 305 and 306:
itAnd(selfStart: IndexInt,source:T,
Page 307 and 308:
40.13.2 wrappingAdd(selfStart: Inde
Page 309 and 310:
40.13.30 unsignedMax(selfStart: Ind
Page 311 and 312:
40.13.55 gatherBits(selfStart:Index
Page 313 and 314:
Appendix A Fortress Calculi A.1 Bas
Page 315 and 316:
Values, evaluation contexts, redexe
Page 317 and 318:
Expression typing: p; ∆; Γ ⊢ e
Page 319 and 320:
α, β type variables f method name
Page 321 and 322:
Function/method name lookup: Fname(
Page 323 and 324:
One owner for all the visible metho
Page 325 and 326:
Traits defining a method: defining
Page 327 and 328:
Values, evaluation contexts, and re
Page 329 and 330:
Valid function declarations: p ⊢
Page 331 and 332:
Method definition lookup: visible p
Page 333 and 334:
Values, intermediate expressions, e
Page 335 and 336:
Field typing: p; ∆; Γ ⊢ vd ok
Page 337 and 338:
Appendix B Overloaded Functional De
Page 339 and 340:
Proof. We prove this for δ, but th
Page 341 and 342:
Upgrade A predicate upg? takes two
Page 343 and 344:
a is rendered as a foobar is render
Page 345 and 346:
• If a portion is sub and another
Page 347 and 348:
supercalifragilisticexpialidocious
Page 349 and 350:
any alternative names, with undersc
Page 351 and 352:
Appendix F Operator Precedence, Cha
Page 353 and 354:
U+007C VERTICAL LINE | | U+2016 DOU
Page 355 and 356:
The following two operators have th
Page 357 and 358:
U+003D EQUALS SIGN = = EQ U+2243 AS
Page 359 and 360:
U+22DD EQUAL TO OR GREATER-THAN U+2
Page 361 and 362:
U+2289 NEITHER A SUPERSET OF NOR EQ
Page 363 and 364:
F.4.8 Miscellaneous Relational Oper
Page 365 and 366:
U+21A5 UPWARDS ARROW FROM BAR U+21A
Page 367 and 368:
U+2224 DOES NOT DIVIDE ∤ U+2225 P
Page 369 and 370:
U+27F8 LONG LEFTWARDS DOUBLE ARROW
Page 371 and 372:
U+2960 UPWARDS HARPOON WITH BARB LE
Page 373 and 374:
U+29ED BLACK CIRCLE WITH DOWN ARROW
Page 375 and 376:
Appendix G Concrete Syntax In this
Page 377 and 378:
Extends ::= extends TraitTypes Excl
Page 379 and 380:
StaticParam ::= Id [Extends] [absor
Page 381 and 382:
Value ::= Literal | fn ValParam [Is
Page 383 and 384:
Appendix H Generated Concrete Synta
Page 385 and 386:
-> fn_decl -> object_decl -> var_de
Page 387 and 388:
-> id extends_opt absorbs_opt -> "n
Page 389 and 390:
-> w "excludes" w type_ref_list com
Page 391 and 392:
-> obj_decl_body_elem br obj_decl_b
Page 393 and 394:
-> op wr op_follows_op_w -> op wr e
Page 395 and 396:
-> no_space_op_expr_result no_space
Page 397 and 398:
id_opt -> -> w id with_opt -> -> w
Page 399 and 400:
-> unpasting_elem rect_separator un
Page 401 and 402:
-> "}" comprehension -> set_compreh
Page 403:
-> do_expr -> for_expr -> spawn_exp
Page 406 and 407:
-> type_ref -> "(" w type_ref w ","
Page 408 and 409:
enc -> enc_literal op_or_enc -> op
Page 410 and 411:
Bibliography [1] O. Agesen, L. Bak,
show all

The Fortress Language Specification - CiteSeerX

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?