2006 Scheme and Functional Programming Papers, University of

More documents

Recommendations

Info

Figure 3: Regular Expressions and Names datatype Regexp = Alpha | AlphaNum | Kleene of Regexp | Concat of Regexp * Regexp | Or of Regexp * Regexp | Empty; let match (r:Regexp) (s:String) : Bool = ... let Name = {s:String | match (Kleene AlphaNum) s}; “[a-zA-Z0-9]*” would be represented in our datatype as (Kleene AlphaNum). The code then uses match to define the type Name, which refines the type String to allow only alphanumeric strings. We use the type Name to enforce an important, securityrelated interface specification for the following function authenticate. This function performs authentication by querying a SQL database (where ‘^’ denotes string concatenation): let authenticate (user:Name) (pass:Name) : Bool = let query : String = ("SELECT count(*) FROM client WHERE name =" ^ user ^ " and pwd=" ^ pass) in executeSQLquery(query) > 0; This code is prone to security attacks if given speciallycrafted non-alphanumeric strings. For example, calling authenticate "admin --" "" breaks the authentication mechanism because “--” starts a comment in SQL and consequently “comments out” the password part of the query. To prohibit this vulnerability, the type: authenticate : Name → Name → Bool specifies that authenticate should be applied only to alphanumeric strings. Next, consider the following user-interface code: let username : String = readString() in let password : String = readString() in authenticate username password; This code is ill-typed, since it passes arbitrary user input of type String to authenticate. However, proving that this code is ill-typed is quite difficult, since it depends on complex reasoning showing that the user-defined function match is not a tautology, and hence that not all Strings are Names. In fact, Sage cannot statically verify or refute this code. Instead, it inserts the following casts at the call site to enforce the specification for authenticate dynamically: authenticate (〈Name〉 username) (〈Name〉 password); At run time, these casts check that username and password are alphanumeric strings satisfying the predicate match (Kleene AlphaNum). If the username “admin --” is ever entered, the cast (〈Name〉 username) will fail and halt program execution. 2.3 Counter-Example Database Somewhat surprisingly, a dynamic cast failure actually strengthens Sage’s ability to detect type errors statically. In particular, the string “admin --” is a witness proving that not all Strings are Names, i.e., E ⊬ String (Printf Args format) where the user-defined function Printf Args : String -> * returns the printf argument types for the given format string. For example, (Printf Args "%d%d") evaluates to the type Int → Int → Unit. Calls to printf are assigned precise types, such as: printf "%d%d" : Int -> Int -> Unit since this term has type (Printf Args "%d%d"), which in turn evaluates to Int → Int → Unit. Thus, the Sage language is sufficiently expressive to need no special support for accommodating printf and catching errors in printf clients statically. In contrast, other language implementations require special rules in the compiler or run time to ensure the type safety of calls to printf. For example, Scheme [40] and GHC [19, 38] leave all type checking of arguments to the run time. OCaml [27], on the other hand, performs static checking, but it requires the format string to be constant. Sage can statically check many uses of printf with non-constant format strings, as illustrated by the following example: let repeat (s:String) (n:Int) : String = if (n = 0) then "" else (s ^ (repeat s (n-1))); // checked statically: printf (repeat "%d" 2) 1 2; The Sage compiler infers that printf (repeat "%d" 2) has type Printf Args (repeat "%d" 2), which evaluates (at compile-time) to Int → Int → Unit, and hence this call is well-typed. Conversely, the compiler would statically reject the following ill-typed call: // compile-time error: printf (repeat "%d" 2) 1 false; For efficiency, and to avoid non-termination, the compiler performs only a bounded number of evaluation steps before resorting to dynamic checking. Thus, the following call requires a run-time check: 96 Scheme and Functional Programming, 2006
Figure 4: Syntax, Constants, and Shorthands Syntax: Constants: s, t, S, T ::= Terms: x variable c constant let x = t : S in t binding λx:S. t abstraction t t application x:S → T function type * : * Unit : * Bool : * Int : * Dynamic : * Refine : X :* → (X → Bool) → * unit : Unit true : {b:Bool | b} false : {b:Bool | not b} not : b:Bool → {b ′ :Bool | b ′ = not b} n : {m:Int | m = n} + : n:Int → m:Int → {z :Int | z = n + m} = : x:Dynamic → y :Dynamic → {b:Bool | b = (x = y)} if : X :* → p:Bool → ({d:Unit | p} → X) → ({d:Unit | not p} → X) → X fix : X :* → (X → X) → X cast : X :* → Dynamic → X Shorthands: S → T = x:S → T x ∉ FV (T ) 〈T 〉 = cast T {x:T | t} = Refine T (λx:T. t) if T t 1 then t 2 else t 3 = if T t 1 (λx:{d:Unit | t}. t 2) (λx:{d:Unit | not t}. t 3) // run-time error: printf (repeat "%d" 20) 1 2 ... 19 false; As expected, the inserted dynamic cast catches the error. Our current Sage implementation is not yet able to statically verify that the implementation of printf matches its specification (format:String → (Printf Args format)). As a result, the compiler inserts a single dynamic type cast into the printf implementation. This example illustrates the flexibility of hybrid checking — the printf specification is enforced dynamically on the printf implementation, but also enforced (primarily) statically on client code. We revisit this example in Section 5.3 to illustrate Sage’s compilation algorithm. 3. Language 3.1 Syntax and Informal Semantics Sage programs are desugared into a small core language, whose syntax and semantics are described in this section. Since types are first class, Sage merges the syntactic categories of terms and types [5]. The syntax of the resulting type/term language is summarized in Figure 4. We use the following naming convention to distinguish the intended use of meta-variables: x, y, z range over regular program variables; X, Y , Z range over type variables; s, t range over regular program terms; and S, T range over types. The core Sage language includes variables, constants, functions, function applications, and let expressions. The language also includes dependent function types, for which we use Cayenne’s [4] syntax x : S → T (in preference over the equivalent notation Πx : S. T ). Here, S specifies the function’s domain, and the formal parameter x can occur free in the range type T . We use the shorthand S → T when x does not occur free in T . The Sage type system assigns a type to each well-formed term. Since each type is simply a particular kind of term, it is also assigned a type, specifically the type “*”, which is the type of types [9]. Thus, Int, Bool, and Unit all have type *. Also, * itself has type *. The unification of types and terms allows us to pass types to and from functions. For example, the following function UnaryOp is a type operator that, given a type such as Int, returns the type of functions from Int to Int. UnaryOp def = λX :*. (X → X) Type-valued arguments also support the definition of polymorphic functions, such as applyTwice, where the application applyTwice Int add1 returns a function that adds two to any integer. Thus, polymorphic instantiation is explicit in Sage. applyTwice def = λX :*. λf :(UnaryOp X). λx:X. f(f(x)) The constant Refine enables precise refinements of existing types. Suppose f : T → Bool is some arbitrary predicate over type T . Then the type Refine T f denotes the refinement of T containing all values of type T that satisfy the predicate f. Following Ou et al. [35], we use the shorthand {x:T | t} to abbreviate Refine T (λx:T. t). Thus, {x:Int | x ≥ 0} denotes the type of natural numbers. We use refinement types to assign precise types to constants. For example, as shown in Figure 4, an integer n has the precise type {m:Int | m = n} denoting the singleton set {n}. Similarly, the type of the operation + specifies that its result is the sum of its arguments: n:Int → m:Int → {z :Int | z = n + m} The apparent circularity where the type of + is defined in terms of + itself does not cause any difficulties in our technical development, since the semantics of refinement types is defined in terms of the operational semantics. The type of the primitive if is also described via refinements. In particular, the “then” parameter to if is a thunk of type ({d:Unit | p} → X). That thunk can be invoked only if the domain {d:Unit | p} is inhabited, i.e., only if the test expression p evaluates to true. Thus the type of if precisely specifies its behavior. The constant fix enables the definition of recursive functions and recursive types. For example, the type of integer lists is defined via the least fixpoint operation: fix * (λL:*. Sum Unit (Pair Int L)) which (roughly speaking) returns a type L satisfying the equation: L = Sum Unit (Pair Int L) Scheme and Functional Programming, 2006 97
Page 1:
Scheme and Functional Programming 2
Page 4 and 5:
4 Scheme and Functional Programming
Page 6 and 7:
6 Scheme and Functional Programming
Page 8 and 9:
• A web browser that plays the ro
Page 10 and 11:
and requests. When a client request
Page 12 and 13:
above prevents pages from these dom
Page 14 and 15:
14 Scheme and Functional Programmin
Page 16 and 17:
2. Explaining Macros Macro expansio
Page 18 and 19:
For completeness, here is the macro
Page 20 and 21:
onment is extended in the original
Page 22 and 23:
expand-term(term, env, phase) = emi
Page 24 and 25:
Derivation ::= (make-mrule Syntax S
Page 26 and 27:
True derivation (before macro hidin
Page 28 and 29:
We assume that the reader has basic
Page 30 and 31:
the value of the %eax register by 4
Page 32 and 33:
Code generation for the new forms i
Page 34 and 35:
we introduced in 3.11. The only dif
Page 36 and 37:
the user code from interfering with
Page 38 and 39:
38 Scheme and Functional Programmin
Page 40 and 41:
mization and on creating efficient
Page 42 and 43:
(a) stage (b) fifo (c) split (d) me
Page 44 and 45:
This tagging is used later in the c
Page 46 and 47: (let ((clo_25 (%closure (lambda (y)
Page 48 and 49: nb. cycles per element 1400 1200 10
Page 50 and 51: 50 Scheme and Functional Programmin
Page 52 and 53: a ∗ ❅ left right · b ❅ a S
Page 54 and 55: T ([spec], w) = { {w}, if w ∈ L([
Page 56 and 57: A([spec]): ✓✏ (where L([spec])
Page 58 and 59: construction commands. It is possib
Page 60 and 61: ; Regular expression for Scheme num
Page 62 and 63: References [1] A. V. Aho, R. Sethi,
Page 64 and 65: (let ((n (cond ((char? var0) ) ((sy
Page 66 and 67: 3. Survey An incomplete survey of a
Page 68 and 69: case monster 10 literals 100 litera
Page 70 and 71: 70 Scheme and Functional Programmin
Page 72 and 73: modest programming requirements, an
Page 74 and 75: development of incomplete subsystem
Page 76 and 77: the previous request. This method a
Page 78 and 79: could be run indefinitely. This fun
Page 80 and 81: programmers reject Scheme without r
Page 82 and 83: (define interp (λ (env e) (case e
Page 84 and 85: Before describing the run-time sema
Page 86 and 87: Figure 5. Cast Insertion Figure 6.
Page 88 and 89: Figure 7. Evaluation Figure 8. Eval
Page 90 and 91: catching type errors, as we do here
Page 92 and 93: [34] J. C. Reynolds. Types, abstrac
Page 94 and 95: let id (T:*) (x:T) : T = x; The tra
Page 98 and 99: Figure 5: Evaluation Rules Evaluati
Page 100 and 101: 5. Exact Substitution: E, (x = v :
Page 102 and 103: Figure 9: Subtyping Algorithm Algor
Page 104 and 105: for most type variables, and that m
Page 106 and 107: 2. miniKanren Overview This section
Page 108 and 109: 3. Pseudo-Variadic Relations Just a
Page 110 and 111: Replacing run 10 with run ∗ cause
Page 112 and 113: As might be expected, we could use
Page 114 and 115: Of course there are still infinitel
Page 116 and 117: To ensure that streams produced by
Page 118 and 119: 118 Scheme and Functional Programmi
Page 120 and 121: On the other hand, we can use a hig
Page 122 and 123: (ev* (Q (lambda (x) (+ x 1)))) # >
Page 124 and 125: (term ’lam (lambda (x) (if (equal
Page 126 and 127: a message: there is no guarantee th
Page 128 and 129: (! (self) 3) (?) =⇒ 1 (?? odd?) =
Page 130 and 131: (define new-server (spawn (lambda (
Page 132 and 133: The abstraction shown in this secti
Page 134 and 135: Erlang Termite List length (µs) (
Page 136 and 137: 136 Scheme and Functional Programmi
Page 138 and 139: page of j contains the URL of the p
Page 140 and 141: 4. Solution The failed attempts abo
Page 142 and 143: · ; · ; · :: Store × Frame Stac
Page 144 and 145: logically creates a sub-session of
Page 146 and 147:
on this work, including Ryan Culpep
Page 148 and 149:
ing application operation. 1 As a r
Page 150 and 151:
such as image glyphs corresponding
Page 152 and 153:
Phone For clarity, this code pr
Page 154 and 155:
A. Porting TinyScheme to Qualcomm B
Page 156 and 157:
156 Scheme and Functional Programmi
Page 158 and 159:
ware installers have to install any
Page 160 and 161:
defines a module named circle-lib i
Page 162 and 163:
Figure 2. Sometimes special cases a
Page 164 and 165:
Considering all of these issues tog
show all

2006 Scheme and Functional Programming Papers, University of

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?