Hermes: A Tutorial and Reference Manual - Researcher - IBM

DavidF.BaconArthurP.GoldbergAndyLowry Hermes:ATutorialandReferenceManual
IBMT.J.WatsonResearchCenter1 RobertE.Strom
June27,1990 DanielYellin
1POBox704,30SawMillRiverRoad,YorktownHeights,NY10598

1([Mor80]) theconductorofthedeadtoHades;identiedwiththeRoman godMercury.1 HermesGreekMythology.Thegodofcommerce,invention,cunning,andtheft,whoalsoservedasmessengerandheraldfortheothergods,aspatronoftravelersandrogues,andas
i

Preface Thisdocumentcontainsatutorial,areferencemanual,andsomeappendices.
thatyouhavesomeexperiencewritingapplicationprogramsinahigh-level importantinnovationinstaticchecking|typestateanalysis.Weassume tem.WethendiscussadditionalusefulfeaturesofHermes,includingan andcontinuethroughmorecomplexexamples,endingwithawindowsys-
examples.Webeginwithasimpleprogramwhichoutputs\Helloworld", procedurallanguage,suchasC,Pascal,orAda.WewillhighlightthedifferencesbetweenprogramminginHermesandprogrammingintheother
ThetutorialintroducesyoutoHermesbyguidingyouthroughasetof languages.Thiswayyouwillgetafeelingfor\idiomaticHermes".Atthe endofthetutorial,youwillknowthebasicvocabularyofHermes.Youwill beabletowritesomeHermesprogramsbyimitatingtheexamples.You
intabularform.Theyareproducedfromthesamemachine-readableles thepreciserulesofHermes|thesearecoveredinthereferencemanual. willbeabletocompareHermestootherlanguages.Butyouwillnotknow
thatareusedtoproducethecompileritself. programs. inthereferencemanualillustratethelanguagerules.Theyhighlightthedifferencebetweenlegalandillegalprogramsratherthanillustrate\typicalamplesinthereferencemanual,butwithadierentpurpose.Theexamples
ThisdocumentdoesnotdescribehowtouseanyoftheexistingHermes Theappendicesarethemostformal.TheycontaintherulesofHermes Thereferencemanualismoreformalthanthetutorial.Wealsogiveex-
sendelectronicmailtohermes-request@ibm.comorU.S.mailtooneofthe authorsattheaddresslistedonthetitlepage.Hermescurrently(March 1990)runsonSun3andSun4systemsrunningSunOS,andIBMRTs tation. runningBerkeley4.3Unix. istobefoundintheHermesUsersGuidedistributedwiththeimplemen-
implementations,nordoesitdescribetheiridiosyncrasies.Suchinformation ReaderswishingtoobtainanexperimentalworkingHermessystemshould

Contents
1IntroductiontoHermes Preface ITutorial 1.1Introduction:::::::::::::::::::::::::::3 1.2GettingStarted|ASimpleHermesProgram::::::::5 1.3ASecondProgram:::::::::::::::::::::::10 1ii
1.4PuttingProcessesTogether::::::::::::::::::12 1.5DeclarationsandDenitions::::::::::::::::::18 1.6ASimpleServer::::::::::::::::::::::::25 1.5.1Declarations:::::::::::::::::::::::18 1.5.2Denitions:::::::::::::::::::::::21 3
2AMiniatureSystem 2.6TokenizerProcedure::::::::::::::::::::::41 2.7TheWindowManager:::::::::::::::::::::43 2.4WindowSystemShell:::::::::::::::::::::36 2.5Front-endProcess:::::::::::::::::::::::37 2.3Interfaces::::::::::::::::::::::::::::33 2.2Design::::::::::::::::::::::::::::::32 2.1Requirements::::::::::::::::::::::::::31 2.7.1Denitions:::::::::::::::::::::::43
2.8CreatingaWindowApplication::::::::::::::::48 2.9Summary::::::::::::::::::::::::::::53 2.8.1ApplicationBuilder::::::::::::::::::49 2.8.2AdapterandQuitDispatcher:::::::::::::51 2.7.5CreatingandKillingWindows::::::::::::47 2.7.3RefocussingandWritingOutput:::::::::::45 2.7.4DispatchingLinestoaParticularWindow::::::45 2.7.2Skeleton:::::::::::::::::::::::::44

iv3TypeandTypestateChecking 5ResearchDirectionsinHermes 4AdditionalHermesConstructs 4.4Polymorphs:::::::::::::::::::::::::::64 4.3Variants:::::::::::::::::::::::::::::61 4.2Send:::::::::::::::::::::::::::::::60 4.1ExpressionBlocks:::::::::::::::::::::::59 67 55
IIHermesReferenceManual 8Resolution 6Introduction 7LexicalandSyntacticRules 69
8.2TypeNames:::::::::::::::::::::::::::77 8.1VariableNames:::::::::::::::::::::::::75 8.1.2ComponentNames:::::::::::::::::::77 8.1.1BaseVariables:::::::::::::::::::::76 73
71
10TypestateChecking 9TypeCheckingandInference 8.6ProcessNames:::::::::::::::::::::::::79 8.4ExceptionNames::::::::::::::::::::::::78 8.5ExitNames:::::::::::::::::::::::::::79 8.3AttributeNames::::::::::::::::::::::::78
10.3ValidTypestates::::::::::::::::::::::::86 10.6Constants::::::::::::::::::::::::::::88 10.4OrderingofTypestates:::::::::::::::::::::87 10.2FormalTypestates:::::::::::::::::::::::85 10.5Coercions::::::::::::::::::::::::::::87 10.1SyntaxofTypestates::::::::::::::::::::::84 80
10.7HowtoApplytheTypestateRules::::::::::::::88 10.8TheCheckingAlgorithm::::::::::::::::::::90
11HermesOperations 11.3ControlFlowOperations::::::::::::::::::::96 11.1UbiquitousOperations:::::::::::::::::::::93 11.4ScalarOperations::::::::::::::::::::::::101 10.9TypestateErrors::::::::::::::::::::::::91 11.2TheDepletionException:::::::::::::::::::95 11.5RecordOperations:::::::::::::::::::::::107

11.8ProcessCreationandCommunicationOperations::::::118 11.9PolymorphOperations:::::::::::::::::::::125 11.7VariantOperations:::::::::::::::::::::::115 11.11Constraints:::::::::::::::::::::::::::131 11.6TableOperations::::::::::::::::::::::::107 11.10ProgramOperations::::::::::::::::::::::128 v
BHermesOperations AHermesConcreteSyntax B.1OperationDescriptions:::::::::::::::::::::150 A.2SyntacticRules:::::::::::::::::::::::::138 A.1LexicalRules::::::::::::::::::::::::::135 B.1.1DescriptionHeader:::::::::::::::::::151 B.1.3Preconditions::::::::::::::::::::::152 B.1.2TypeRules:::::::::::::::::::::::151 150 134
B.4PreconditionFunctions:::::::::::::::::::::155 B.3InferenceFunctions:::::::::::::::::::::::155 B.2TypeClasses::::::::::::::::::::::::::153 B.4.1TypestatePreconditions::::::::::::::::155 B.4.3ConditionalExceptions::::::::::::::::158 B.4.2ContextPreconditions:::::::::::::::::157 B.1.6OperationSemantics::::::::::::::::::153 B.1.5SpecialRules::::::::::::::::::::::153 B.1.4Postconditions:::::::::::::::::::::152
CPredenedModule B.6OperationDescriptions:::::::::::::::::::::160 B.5PostconditionFunctions::::::::::::::::::::158 C.1References::::::::::::::::::::::::::::211 194

Tutorial PartI
1

HermesisanexperimentallanguagedevelopedattheIBMTJWatson 1.1Introduction 1IntroductiontoHermes
storedinthecomputerasanarray,alinkedlist,ahashtable,asplaytree, tableofname-addresspairs.Youdon'tworryaboutwhetherthistableis fromtheprogrammerandgiveittothecompilerimplementor.Hermesis asimplelanguageforexpressingcomputationandprogramcomposition. TheHermescompilerchoosestheimplementationinsteadofyou.Forexample,ifyouwishtobuildalistofnamesandaddresses,youjustdeclarea
ResearchCenter.Itreectsourresearchgroup'sopinionofhowcomplex
oradiskle|thatisthecompiler'sjob.Insteadoftheapproximately120 systemsshouldbeprogrammed([BS89,SY83,PS83,SYB87c]).
systemcallsinatypicalUNIX([KP84]),youhavejust10Hermesstatementswhichdealwithcreatingprograms,connectingthemtogether,and
canbuildarbitrarysystems,includingsomewhichinUNIXwouldrequire machinelanguageisevenleaner!Hermesalsostressestheabilitytobuild munication,orcopingwithfailures.Withjustthesetenstatements,you superuserprivilegetobuild.
ThebasicideabehindHermesistotakeasmuchworkaspossibleaway
communicatingbetweenthem.Youdon'tworryaboutdistribution,com-
requireprogrammerstowritemoredocumentation,e.g.declarationsand systemsoutofseparatelydeveloped,compiled,andtestedmodules.We mismatches.Inexchangeformodularityandcheckabilitywearewillingto checkingaspossibletodetectnonsensicalprogramsandtodetectinterface systemasitdidwhentestedinisolation.Wewantasmuchcompile-time shouldbehavethesamewhencombinedwithothermodulesintoalarger expectnon-interferencebetweenmodules|thismeansthatamodule Ofcourse,aleanlanguageisn'tallthat'srequired.Afterall,theTuring
interfacedenitions.
lelexecutionstatements(e.g.cobegin),semaphores,monitors,guardians, concurrentanddistributedenvironments,youdonotneedtowriteparaltialcontrolstructures.AlthoughHermesisexplicitlydesignedtorunieratingsystemlikeUNIX,MS-DOS,orVMS.Willyouhavetocompletelguage.Hermeshasvariables,assignmentstatements,andtheusualsequen-
changeyourconceptofprogramming areusedtoprogramminginalanguagelikeC,Pascal,orAda,underanop-
Notreally.Inmanyrespects,Hermesisatraditionalimperativelan-
Howdoesthisaectyou,theprogrammerWeareassumingthatyou

ortransactions.AHermesmoduleisastraightforwardsequentialprogram 41.1.Introduction ingseveralHermesmodulesandconnectingtheoutputofsomemodulesto theinputofothers. withinputs,outputs,andlocalmemory.AHermessystemisbuiltbytak-
systemsprogrammerisusedto: ButsomeaspectsofHermesareverydierentfromwhatatraditional Therearenopointers.Noaddressvariables,noaddressarithmetic,no Thereisnoshareddata.Notviapointers,sincetherearenopointers, suchdetailswhichmayvaryfrommachinetomachineareinvisible addressesperiod.Youhavenocontrolofhowdataisstoredinmemory.Thatmeansthatbitorder,byteorder,alignment,andallother
toyou. notvianestingofinnerprocedureswithinouterprocedures,notvia globalorexternaldeclarationsofanykind.Everyvariablebelongs toexactlyonemodule.Thereisnoaliasing|thatis,twodistinct Youwillusemanyprocesses.Hermesisaprocess-orientedlanguage. withthousandsofUNIXprocesses,butyoumaywellbuildasystem withthousandsofHermesprocesses.Mostofthetime,communicationbetweenHermesprocessesisatleastasfastasaprocedurecall.
Buteventhoughtherearemanyprocesses,thereisnoshareddata| onlyqueuedcommunication.Soyoucanstillanalyzeeachprocess inprocedurallanguages.Youwouldn'tdreamofbuildingasystem ThismeansthatHermesprocessestakeontherolethatmoduleshave variablenamesalwaysdenotetwodistinctvariables.
Thereisnolanguagevs.systemduality.WhenyouprograminC, duresusingCALLs.Intheoperatingsystemworld,dataisstoredin buersorinles,andpassedfromoneapplicationtoanotherusing pipes,sockets,orles.Dataisuntyped|itisinterpretedasstrings asscalars,arrays,structs,orpointers,andpassedbetweenproce-
VMSworld.IntheCworld,dataisstoredintypedvariablessuch independentlyandviewitasasequentialprogram.
ofbytes.Somedata(e.g.pointers,lehandles)cannotbepassedto youhavetothinkabouttheCworldandtheUNIX,MS-DOSor
Hermeshasmuchmorecompile-timechecking([SY86]).Muchmore newerlanguages.Thebenets:(1)moreerrorsarediscoveredearlier, thaninC,andsomewhatmoreeventhanAda,Modula-3,orother on.InHermes,thereisonlyoneworldtothinkabout|theHermes world. local,whatisremote,andoftenwhatkindofmachineyou'rerunning demarshalled.Indistributedprograms,youmustbeawareofwhatis otherprocessesorstoredinles.Thisdatamustbemarshalledand
and(2)dierentuserscansafelyruninthesameaddressspace,even

1.2GettingStarted|ASimpleHermesProgram another.Thereissomecost:youhavetowritemoredeclarations. thoughsomeprogramsmayhavebugsandtheusersdon'ttrustone 1.IntroductiontoHermes5
Let'sstartwithourrstHermesprogram. siblytypedenitions.We'llshowyouinalatersectionhowtowritethem. receiveParmsfromInit;
Pascal Let'sassumefornowthatyouhavealreadywrittenthemorthattheyhave alreadybeensuppliedforyou. doesitdierfromthecorrespondingprograminC,Ada([SYW85]),or Beforeyoucompilethisprogram,youhavetoadddeclarationsandpos-
ThisprogramcanbeusedtodisplaythemessageHello,World!.How callParms.PutLine("Hello,World!"); returnParms;
PutLine.InHermes,PutLineisaparameter;itscounterpartsintheother languagesareconstants. mesversionofthissimpleprogramandalltheothers|thelatebindingof syntax,thereisneverthelessanimportantdistinctionbetweentheHer-
Althoughatrstglancetheprogramsappeartodieronlyinsupercial write("Hello,World!")fAPascalprogramg printf("Hello,World!");/*aCprogramtodotheabove*/
IntheCprogram,printfhasaxedbinding|itdenotesalibraryprogramwhichwritesthecharacterstringtothestandardoutput.Theonly
Ifyoudothis,youwillalsochangethebindingofprintfforallthemod-
([KR78]),functionsarenotvariables.Ifyouwanttocontrolthebindingof ulesofyourprogram.TousetheterminologyoftheCreferencemanual afunctionwithaCprogram,youmustsimulatefunctionvariablesusing pointerstofunctions.(SimilarlyinPascal([Coo83])andAda,functionsare notvariables.Intheselanguagesthereisawaytoachievealimiteddegree ofdynamicbinding.) ofHermes:(1)nothingisglobal,and(2)everyfunctionorprocedurename referstoavariablewhosevalueisdeterminedatrun-time,notcompiletime.
asParms.PutLine.Hermesisdesignedthiswaybecauseitassumesyou receivetheparameterlistParmsandbecausewemustrefertothefunction SoeveninthistinyHermesprogram,youcanseetwoimportantfeatures
PUT("Hello,World!")--AnADAprogram
waytochangethebindingistolinkyourCprogramtoadierentlibrary.
WhydowedothisAfterall,theprogramislongerbecausewemust

61.2.GettingStarted|ASimpleHermesProgram
User address spaces
arewritingamulti-userormulti-applicationsystemratherthanasingle application. FIGURE1.1.Atraditionaloperatingsystemwithmanyapplications
Kernel
theaddressspace.Joe'sapplicationandJane'sapplicationcaneachhave dierentbindingstotheirrespectiveprintffunctions. plicationtohaveasingleglobalmeaning,because\global"meanswithin kernelmaintainsmultipleaddressspacesinwhichyourunyourapplicationprograms.YourCapplicationisaprogramrunninginasingleaddress
space.Resourcesoutsidetheaddressspace(e.g.terminalsandprinters) Lookatgure1.1,whichdepictsatraditionalsystemsuchasUNIX.A aremanagedbytheoperatingsystem,andassignedtotheaddressspace asawhole.Itmakessenseforalltheprintfstatementswithinanap-
application,Jane'sapplication,modulesavailabletobothusers,andmoduleswrittenbyoneuserbutaccessibletosomemodulesofanother.(See,
forexample,gure1.2.)Inthissituation,itisclearthatnofunctionname canbeglobaltothewholesystem.AlthoughJoe'sapplicationandJane's applicationmaybothbepartofasinglelarge\program",itdoesnotmake Butsupposemyapplicationisanentiresystem,whichmayincludeJoe's

1.IntroductiontoHermes7
FIGURE1.2.Amulti-applicationsystemviewedasasinglehigh-levellanguage \program"

81.2.GettingStarted|ASimpleHermesProgram senseforJoe'sprintfstatementtodenotethesameconsoleasJane's. 1.2,ratherthangure1.1.Thedierencesare:(1)thedistinctionbetween kernel. intra-userandinter-usercommunicationdisappears;(2)accesstoresources iscontrolledatthelevelofindividualmodules,ratherthanaddressspaces; and(3)accesscontroldecisionsaremadebyprograms,notbyaxed bindingdoneProgramHelloWorldillustratesthesimplestwayofdoing thebinding|makingthefunctionPutLineaparametertotheprogram. Hermesencouragesyoutothinkofsystemsfromtheviewpointofgure
codeforprogramHelloWorldiscalledaprocessmodule.Aprocessmodule canbeinstantiatedtocreateaprocess|anactiveentitywithstate,which executesthestatementsoftheprocessmodule.Parms,Parms.PutLine,and GiventhatHermesavoidsstaticbindingandglobalvariables,howisthe
operationstheyallow.Forexample,Parms.PutLineisoftypefamilyoutputport.Outputportssupporttheoperationcall.Thevalueofanoutput
thestatementcallParms.PutLine.Thecallparameters(inthiscase,the portisaconnectiontoaninputport,whichisamessagequeueinanother process. Everyvariablenamehasastaticallyknowntype.Avariable'stypedeter-
Initarevariablenames. operandsmusthave.Typesareorganizedintotypefamiliesbasedonthe mineswhatoperationsonthevariablearelegalandwhattypestheother ThisisagoodtimetobeginusingtheHermesterminology.Thesource
singleparameter"HelloWorld!")arebundledintoacallmessage,which isthenqueuedontheinputporttowhichtheoutportportisconnected. Thecallingprocesswaitsuntilthecallmessageisreturned. ProgramHelloWorldcommunicateswithitsoutputprocessbyexecuting
initializedvariableistheinputportnamedInit,whichwasdesignatedas timeasatypeerror.. connectto.Thetypeofaninputport,inturn,determinesthetypeof statement'sargumentlistmustcontainasinglecharacterstring.Acall withthewrongnumberortypesofargumentswillberejectedatcompile callmessagewhichcanbesenttoit.Inthisexample,theinputportexpectsacallmessagewithasinglecharacterstringparameter.Thecall
WhenprogramHelloWorldstartsupafterbeinginstantiated,theonly Thetypeofanoutputportdeterminesthetypeofinputportitcan
theinitializationport.Byconvention,thecreatorofaprocess|whichwe calltheparent|sendsthenewlycreatedprocess|thechild|acallmessageoveritsinitializationport.Thecallmessagecontainstheparametermunicatewiththeoutside.Inthisexample,weassumethatHelloWorld's
GetProgramareportstoservicestoobtaininputlinesandloadprograms, andParmStringisacommandstring.Theseotherparametersaren'tused thechildneedstogetstarted,includingwhateverportsitmayneedtocom-
namedPutLine,GetLine,GetProgram,andParmString.GetLineand parent|perhapsashellprocess|passesacallmessagewithparameters

It'seasytowriteashellinHermes.Inalatersection,wewillseehowto writeone. InitandstoresitinthecallmessagevariableParms.Nowtheparameters, andweareassumingacommoninterfacebetweentheshellanditschildren. bytheHelloWorldprogram,buttheywillbeusedinotherexampleslater, Thereceivestatementdequeuesthecallmessagefromtheinputport 1.IntroductiontoHermes9
withvalue\Hello,World!".Thismessageissenttotheinputportatthe later. callParms.Putlineislegalhere.ItwouldhavebeenillegaltocallParms. namedParms.PutLine,Parms.GetLine,etc.,areinitialized.Thestatement
otherendoftheconnectionParms.PutLine.WhichportisthatItdepends uponthevalueofparameterPutLinewhichwaspassedbytheparent Putlinebeforethereceivestatement,becauseParms.Putlineisuninitializedatthebeginningoftheprogram.Suchacallwouldberejectedat
process.Wedon'tknowwhichportitis,andwedon'tcare.Itmaybea servicewhichwritesthelineonanoutputdevice.Ortheportmaybelong ofstaticcheckingwhichisnewtoHermesandwillbediscussedindetail compiletimeasatypestateerror.Typestatechecking([SY86])isaform
toaHermesprocesswhichlterstheoutputandpassesitalongtoanother port.Whenwelookattheprograminisolation,wecareonlythatthe callerandreceiveragreeuponwhatissentandreturnedinthecall.Inthis Thecallstatementcreatesacallmessagewithasinglestringcomponent
Afterthereturnofthecallmessage,variableParmsbecomesuninitialized. processwhichoriginallymadethecall|inthiscase,theparentprocess. inParmsusingareturnstatement.Thecallmessageisreturnedtothe thatParms.PutLinewillbeboundonlytoinputportsexpectingtoreceive stringandtheparametertypestatemustbeinitialized.Hermesguarantees callmessagescontainingasingleinitializedcharacterstringparameter.. case,theinterfacewillsaythattheparametertypemustbeacharacter
statements,theprocessterminates. ifyouthinkofmakingacallandreturningacallassendingandreturning acallmessage,ratherthanastransferofcontrol.Thinkofboththecaller ItwouldbeillegaltocallParms.PutLinehere.Sincetherearenomore BecauseHermesisaprocess-orientedlanguage,itwillbelessconfusing Afterthecallcompletes,programHelloWorldreturnsthecallmessage
andreceiverasactiveprocesses.Thecallersendsacallmessageandwaits fortheanswer.Thereceiverreceivesthecallmessage,processesit,possibly storessomereturnvaluesintothecallmessage,andthenreturnsit.1 executesthereturnstatement.Inotherlanguages,whereareturnstatementcan procedure.ButaHermesprocessmaypossiblycontinueexecutionafterissuing beviewedasatransferofcontrol,executionofareturnstatementterminatesthe return.Wewillseesomeexamplesofthislater. ProgramHelloWorldistypicalofwhatwecallaclientprogram.A 1NotethataHermesprogramterminateswhenitreachestheend,notwhenit

101.2.GettingStarted|ASimpleHermesProgram
aserverandaclient.Clientsarethemostcommontypeofprocessand theeasiesttowrite.Inlatersections,we'llseehowtouseHermestowrite connectotherprocesses.Someprogramsmayplaymultipleroles,e.g.both them.Also,theyareusersofservices|notprovidersofservices.Roughly speaking,clientsmakecalls,serversreceivecalls,andshellscreateand parentprocess|typicallyashellorsystembuilder|dothebindingfor clientcorrespondstoanapplicationsprogramonconventionaloperating increatingprocesses,orbindingoutputports.Theyarecontenttolettheir shellsandservers. systems.Clientprogramshaveaspecicjobtodo|they'renotinterested
quenceofthefactthataHermesprogramisanentiredynamicsystem,not simplyyourapplication.YouhavelearnedthefollowingHermesnomenclature:processmodule,process,variable,type,typefamily,typestate,input
program:rstreceiveaparametercallmessagefromtheinitializationport; port,outputport,callmessage,initializationport,initialized,uninitialized, client,server,andshell.Youhaveseenthestructureofatypicalclient Summary:Inthissection,youhaveseenthatinHermes,thereisno ports)arevariables,notconstants.Youhaveseenthatthisisaconse-
globaldata,andinparticularfunctionnames(whichHermescallsoutput
return. 1.3ASecondProgram BeforemovingontothesystemsprogrammingconstructsinHermes,let's thenusetheoutportportspassedinthatcallmessagetoaccessservices.
lookatonemoreclientprogram,whichweshallcallEcho: YouhavelearnedthefollowingHermesstatements:receive,call,and
block receiveParmsfromInit; declare begin Line:Charstring;--linereadfromstandardinput while('true')repeat callParms.GetLine(Line);
type,togetherwithitsassociatedcallmessagetypeiscalledaninterface, programHelloWorld.Therefore,thevariableParmswillhavethesame componentnamesandtypesasinprogramHelloWorld.Aninputport WeassumethattheinitializationportInitisofthesametypeasin returnParms; on(GetLineInterface.EndStream) endblock; endwhile; callParms.PutLine(Line);

iswrittenoutinfullinsection1.5. sowecansaythatprogramEchoandprogramHelloWorldhavethesame initializationinterface.Thisinterfaceisshownpictoriallyingure1.3.It andthataninitializedresultispassedbackonreturn.PutLine,onthe ever,GetLineassumesthatitsargumentisuninitializedpriortothecall, GetLineandPutLinebothtakeasinglestring-valuedargument.How-
1.IntroductiontoHermes11
theseassumptionsarerecordedintheinterfacedenition.Bothclientsand serversarecheckedatcompile-timetomakesurethatthecodeagreeswith theinterfacewithrespecttobothtypeandtypestate.Typecheckingof interfacesmaybefamiliarfromotherlanguages,suchasAdaandPascal. Typestatecheckingisnew.Everycallinterfacehasapre-callandpost-call typestate.Thecompilerchecksthatacallerputseachargumentinthe correctpre-calltypestate.Thecompilerchecksthatareceiverputseach otherhand,assumesthatitsargumentisinitializedpriortothecall.All
withtheEndStreamexception.Foreachexception,theremaybeadierent parameterincorrectpost-calltypestatepriortoreturn.Inthisexample,
post-calltypestatespeciedintheinterface.Inthisexample,theinterface GetLine'sinterfacedenitionspeciesthatthecallargumentisuninitializedbeforecallandinitializedafterreturn.Ifthecompilercan'tdeduce
willspecifythattheargumenttoGetLinewillnotbeinitializedinthe endofthestreamhasbeenreached,theserverwillreturnthecallmessage theserveriscalledtogetalineandtherearenomorelinesbecausethe thataprogramreceivingacallwillalwaysinitializeitsparameter,itwill generateanerrormessageandrefusetocompiletheprogram. eventofanEndStreamexception. GetLine'sinterfacealsodenesanexceptionnamedEndStream.When
empty,sotheblocksimplyterminates,andthereturnfollows. statement.Aclauseissimplyasetofstatements|inthiscase,thesetis tothenearestmatchingexceptionhandlerclauseinanenclosingblock obtainastringandstoreitintovariableLine,andthencallingPutLineto putoutthestring.WhentheEndStreamexceptionisraised,controljumps tivestatementsmayraiseexceptions;user-denedoperationsimplemented viacallsmayraiseuser-denedexceptions.Insomelanguages,arun-time ExceptionhandlingisveryimportantinalanguagelikeHermes.Primi-
ThestructureofprogramEchoisaninniteloop,callingGetlineto
errorsuchasanoverowordivisionbyzerocausestheentireprogram
bereturneduninitializedwhentheEndStreamexceptionisreturned.This tohaltandanerrormessagetobeprinted.InHermesthisisobviously thatyoumightfailtotestthem.AHermesexceptioncan'tbeignored afteranexceptionreturn.ThecompilerwillknowthatLineisuninitializedbecauseGetLine'sinterfacedenitionspeciesthatitsargumentwill
becausecontroljumpstoanewlocation. unacceptable|remembertheprogramisn'tjustyourapplication,butthe wholesystem.ReturncodessuchasareusedinChavethedisadvantage Typestatecheckingguaranteesthatyoucan'tuseavariablelikeLine

121.4.PuttingProcessesTogether
thecallmayberewrittenusingthefamiliarfunctionnotation.Likeother availablelanguages(asof1989)oer. degreeofcheckinggoesbeyondwhateventhemostmoderncommercially Incidentally,thecalltoGetLinemayalsobewritten: Line:=Parms.GetLine(); Wheneveracallhasnarguments,andthelastargumentisareturnvalue, FIGURE1.3.Interfacetoourtypicalclient
expressions,functionsreturnanonymousvalueswhichmaythemselvesbe
Client
usedasoperands.Inthiscase,theresultissimplyassignedtothevariable
seenexamplesofthefollowingHermesstatements:assignment,function Line,sothereisnoparticularadvantagetothefunctionnotation.
call,while,block. terface,typestatechecking,exception,exceptionhandlerclause.Youhave aboutexceptions.YouhavelearnedthefollowingHermesterminology:in-
denitionsdenewhichparameterspassedascallargumentsfromthecaller andwhichparametersreturnedtothecallerareexpectedtobeinitialized. Theseexpectationsareenforcedbytypestatechecking.Youhavelearned callmessage.(Thisiscalledpassingparametersbyvalue-result.)Interface Summary:Youhavelearnedthatcallsareprocessedbyexchanginga
intheinitializationcallmessage.Nowyou'regoingtolearntodoyourown otherprocessesandbindtheoutputportofonetotheinputportofthe sumedthatallportswereboundbytheparentandpassedasparameters Sofar,wehavewrittensimpleone-processprograms.Theseprogramsas-
second. systemsprogramming.Wewillwriteaprocessthatwillinstantiatetwo 1.4PuttingProcessesTogether
PutLine,GetLine,andGetProgram,sotheyaredepictedasboxeswith threearrowsrepresentingthreeconnectionstotheenvironment. isdepictedingure1.3.Theseprogramsareinitiallypassedthreeports: willconsistofourclientprogram(eitherprogramHelloWorldorprogram Echo|itdoesn'tmatter),connectedtoalterprogram.Thelterhasone TheinterfacewehavebeenusingforprogramsHelloWorldandEcho We'regoingtobuildacompositeprogramtothesameinterface.It
GetProgram
GetLine
PutLine

1.IntroductiontoHermes13
FIGURE1.4.Interfacetothelter
FIGURE1.5.Twointerconnectedprocesses
PutLine
1.3.Itcreatestheoriginalclient,thelter,andconnectsthemtogether interfaceastheoriginalsingleclientprocess,itcanbefurthercomposed. initiallypasseditsoutputportandtheprexstring. asshownbelowingure1.5.Sincethecompositeprogramhasthesame inputportandoneoutputport,asshowningure1.4.Thelterprogram receivesacallasifitwereaPutLineservice.Eachtimeitiscalledon theoriginallineprecededbyacharacterstringcalledPrefix.Thelteris itsinputportwithalineasparameter,itcallsitsoutputportpassing Thecompositeprogramisaprogramwiththesameinterfaceasingure
thedataisnotrestrictedtobeingbytestreamsincontiguousbuers|it socket.Unlikethepipes,lesandsocketsoftraditionaloperatingsystems, typecheckingguaranteesthataroundplugisneverpluggedintoasquare tionsastherstbox.Theinterfacecorrespondstotheshapeoftheplugs; samethreeplugs,andcanthereforebepluggedintothesameconguranentswithplugsandsockets.Wecanthinkoftheprocessingure1.3
oneplugandonesocket.Thecombinationingure1.5isaboxwiththe asacomponentwith3plugs,andtheprocessingure1.4asaboxwith WemakeananalogybetweenHermesprocessesandelectricalcompo-
canbeanydatatypesupportedbythelanguage. Let'slookatthelterprogramrst: --initialization receiveParmsfromInit; Out:=Parms.PutLine; Prefix:=Parms.Prefix;
GetProgram
GetLine
PutLine
Client
Filter
PutLine
Filter
PutLine

141.4.PuttingProcessesTogether newIn; connectParms.ClientPutLinetoIn;
aftertheparentinstantiatesthelterandcallstheinitializationport.The returnParms;
secondsectionisexecutedrepeatedlyeverytimeacallmessagearriveson --mainloop
thelter'sIninputport|thiswillhappenwhentheclientmakesacallon endwhile; Thelterprocesshastwosections.Therstsectionisexecutedjustonce while('true')repeat
itsPutLineoutputport. receivePutLineCMfromIn;
Let'sbeginwiththeinitialization.Thelter'sinterfaceisdierentfrom returnPutLineCM; callOut(Prefix|":"|PutLineCM.Line);
outputport|theconnectiontothePutLineservices|asParms.PutLine, passedthreeoutputportsandastring.Thelter'sparentwillpassone theonewehaveseeninHelloWorldandEcho.Thoseprocesses'parents andaprexstringasParms.Prefix.Itexpectstoreceivebackanoutput
variableParms.ClientPutLineaconnectiontotheinputportIn,using In.Thisisdonewiththenewstatement.Itthenassignstheoutputport port,Parms.ClientPutLine,connectedtothelter'sinputportIn.
aconnectstatement.TheconnectstatementistheHermesprimitivefor examples,thelterhasrealworktodoafterreturningtheinitialization nolongerbeinitializedafterthereturnstatement.Unliketheprevious call|itmustservicePutLinecallsfromitsclient. intolocalvariables.ThisisnecessarybecausethecallmessageParmswill Aftersavingthetwovariablesitneeds,ittheninitializesitsinputport TheinitializationcoderstcopiesParms.PutLineandParms.Prefix
creatingconnectionsbetweenoutputportsandinputports.Itnowreturns connectedtothelter'sinputportIn. theinitializationcallmessage.Thiscallmessagewillcontainanoutputport control"asitwouldinalanguagewithoutmultipleprocesses.Thereturn thesecallswithtransformeddata.Wecodethisasaninnitewhileloop. statementmarkstheendoftheinitializationsectionofthelter,andthe beginningofitsmainsection. withanargumentcomputedbyprexingtheoriginalstringwithastring Ateachiterationoftheloop,wedequeueasinglecallmessageintovariable PutLineCM.Thenweservicethecallbycallingthe`real'PutLineservice Recallthatthereturnstatementreturnsamessage;itdoesnot\transfer
prexandacolon.Finally,wereturntheoriginalcallmessage.Thelterwill runindenitelyuntilitsconnectionissevered.We'llseeinalatersection howthisisdone. ThemainjobofthelteristoreceivecallsoninputportIn,andreissue Nowlet'slookatthecodeoftheparentprocess,Compound.Thisprocess

createstheclient,createsthelter,andconnectsthetwotogether.The clientmaybeanyprogramwithourstandard3-pluginterface,suchas HelloWorld,Echo,orevenCompounditself.We'llassumethattheinput clientprogram,anditsarguments,separatedbythedelimiter`/'. stringParms.ParmStringreceivedbyCompoundcontainsthenameofthe receiveParmsfromInit; 1.IntroductiontoHermes15
ofCMark); blockbegin ClientName:="filter"; Arguments:=everyofCinParms.ParmStringwhere(position ClientName:=everyofCinParms.ParmStringwhere(position Filter:=createofParms.GetProgram(ClientName);
on(NotFound) Client:=createofParms.GetProgram(ClientName); callFilter(Parms.PutLine,"TheFilter",CliToFil); callClient(Parms.GetLine,CliToFil,Parms.GetProgram,Arguments); Mark:=positionofCinParms.ParmStringwhere(C='/');
on(InterfaceMismatch) on(GetProgramInterface.NotFound)
callParms.PutLine("compound:SyntaxError."); callParms.PutLine("compound:"|ClientName|"notfound.");
assourcetext.Therearethreewaystoobtainvaluesoftypeprogram: statementsofaprocessmodulestoredasstructuredvaluesratherthan ofthepredenedHermesdatatypeprogram|asetofdeclarationsand TheresultreturnedbyGetProgramisaprogram.Aprogramisavalue characterstringnameofaprogramtobefetchedfromtheprogramlibrary. returnParms; TheprogrambeginsbycallingtheserviceGetProgram,passingitthe endblock; "interfacemismatch.");
value\on-the-y".Inthiscase,weareusingtherstapproach.Wehave (2)bywritinga\programliteral",and(3)bydirectlybuildingaprogram (1)bypassingthesourcetextofaHermesprocessthroughthecompiler, savingtheresultinaprogramlibrary,andretrievingitwithGetProgram, assumedthattheprogramnamed"filter"hasbeenpreviouslycompiled andthatthecompiledprogramhasbeenplacedinalibrarymanagedby theGetProgramservice. notsupporton-the-yprogramcreation.Someweaklytyped2languages andrun-timecheckingfortypeviolations. (Note:Stronglytypedlanguages,likeAlgol,Ada,Pascal,C,etc.,do 2Thetermsstrongly-typedandweakly-typeddenoterespectivelycompile-time

fullycheckedfortypeandtypestateerrorsbeforebeinginstantiatedas Algol-likelanguages.Hermesprograms,evenwhendynamicallybuilt,are likeLisp,Scheme,andAPL,allowprogramsasrst-classvalues.Hermes combinestheexibilityoftheselanguageswiththestaticcheckingofthe processes([SYB87a,SYB87b,SY86]). 161.4.PuttingProcessesTogether
oftypeprogram..(Note:thesyntaxcreateofexpressionisusedrather thancreate(expression)todistinguishprimitiveoperationsfromfunction calls.RememberthatfunctionnameslikeParms.GetProgramarevariables, whereascreateisnot.)Thecreateoperationinstantiatesanew(child) boundtotheinitializationportofthelterprocess. theprogramlibrarybyGetProgram.Theresultofcreateisanoutputport process.Thecodeofthechildprocessisgivenbythevalueoftheoperand tocreate.Inthiscase,thatwillbetheFilterprogram,obtainedfrom Tocreateanewprocess,youapplytheoperationcreateoftoavalue
toobtaintheprogramfromthelibrary,andthenweapplytheoperation createoftothisprogram.Theonlydierenceisthatthistime,theprogramnameisnotaconstant,butmustbeextractedfromParms.ParmString.
delimeter'/',asecondobtainsallcharacterstotheleftofthedelimiter, Wewillnotexplainthisextractionindetail|onestatementlocatesthe thethirdobtainsallcharacterstotherightofthedelimiter.Theoperationspositionofandeveryofareexplainedindetailinsection2.6.
Bothprocesses|clientandlter|havenowbeencreated. Wecreatetheclientprocessinthesameway:rstwecallGetProgram
ment,weneedtosupply3outputports,andastring.Fortwooftheoutput nowcalltheinitializationportsofthetwochildprocesses. string.Wewillreceivebackanoutputportconnectedtothelter'sinput programsyou'lleverwrite)beginwithreceiveParmsfromInit.Sowe port.WestorethisportasavariableCliToFil.InthecallClientstate-
initialized,andtheydependfortheirinitializationonreceivingacallfrom theirparent.Rememberthattheseprograms(andprobablymostofthe ForFilter,weneedtosupplythePutLineoutputport,andaprex Thenewlycreatedprocessescannotdoanythingyet.Theyneedtobe
ports|GetLineandGetProgram,wesupplytheportswhichweourselves sameservicewhichwecanaccess.Instead,wewanttogivetheclientthe portCliToFil|theoutputportwejustobtainedfromFilter,andwhich received.ButforPutLine,wedon'twanttogivetheclientaccesstothe isconnectedtoFilter'sinputport.Wealsohavetogivetheclientaparameterstring,sofornow,let'sjustsendanemptystring.Aftermaking
ofintheeventthereisnodelimiter.ThesecondclausehandlesanexceptionanticipatedbytheGetPrograminterface|namelythattherequestedlesaNotFoundexceptionwhichcanberaisedbytheoperationposition
programisnotfoundinthelibrary.Thethirdclausehandlesthebuiltinex- work. bothcalls,wearenished|thetwochildprocesseswillnowdoallthereal Wehavewrittenthreeexceptionhandlerclauses.Therstclausehan-

ceptionInterfaceMismatch,whichcanberaisedbythecreatestatement. InterfaceMismatchisoneofthefewtypecheckingerrorsthatcannotbe detectedatcompile-time,butonlyatrun-time.Forexample,thesecond createstatementinstantiatesachildprocess,andreturnsanoutputport boundtotheinitializationport.Itisknownstatically(thatis,atcompile time)thatthetypeofthisoutputportmustbecompatiblewiththeoutput 1.IntroductiontoHermes17
exceptionwillberaised. anarbitraryprogram.Ifthisprogramdoesn'thavetheproper3-pluginterface(as,forexample,Filterdoesnot),thentheInterfaceMismatch
portClient.Butitisnotknownstaticallywhethertheinitializationinput portoftheprogramisofamatchingtype,sinceGetProgrammayreturn
akernelhackerorasuperusertowriteaccesscontrolpolicies.Youcannot Anytypeofcallcanbereboundprovideditistoaserviceofmatchingtype. ThinkoftheexibilityofUNIXpipesextendedtoanykindofcalls. tionofports.Thetechniqueisveryexible.ProgramslikeCompoundcan containarbitrarypoliciesforbindingtheportsoftheprogramsitcreates, therebycontrollingtheiraccesstootherprocesses.Youdon'tneedtobe systemsprogrammingondynamicprocesscreationanddynamicconnec-
Becausemodulesaren'thard-wiredtospecicservices,theycanbereused.
accidentallyorintentionallycircumventsomeoneelse'saccesscontrol.You cannotaccessanotheruser'sglobalvariables,sincetherearenoglobalvariables.Youcannotaccessaservicebyguessingitsname,orbyusingsome
Althoughthisexampleisverysimple,itillustratestheeleganceofbasing
undenedvalueasaname.YoucanonlygetabindingtoaninputportP if(1)youownPyourselfandconnecttoit,(2)Pistheinitializationport primitivesintothelanguage.Type-checkingguaranteesthatyoucan'tcopy aninteger,string,orotherinappropriatedatatypeintoacapability(output ofaprocessyoucreate,or(3)someoneelsegivesyouabindingtoP. port)variable.Typestate-checkingguaranteesthatyoucan'tuseanuninitializedandpossiblygarbagevalueofacapability.Butyoumaycreate
oldideainoperatingsystems.Itisnotwidespread,becauseitspremise| thatcapabilities(accessrights)areeasytostoreandpassaround,but impossibletoforge|isoftendicultandexpensivetoimplement.Her-
Thisapproachtosystemcongurationiscalledcapability-based.Itisan messolvesthisprobleminexpensivelybyintegratingtheoperatingsystems
processes,andsettingupportconnectionsbetweenprocesses.Youhave learnedthatHermesisacapability-basedoperatingsystemencapsulated aserveristypicallydividedintoaninitializationpartwhichimportsand Youhavelearnedhowtoimplementthebasicfunctionsofashell|creating aprogramwhichwasbothaclientandaserver.Youhavelearnedthat exportsports,andaserviceloopwhichhandlesrequestsfromitsclients. sagesasmuchasyouplease. capabilitieswithconnect,andcopythemorpassthemaroundinmes-
withinaprogramminglanguage.YouhavelearnedthefollowingHermes Summary:WehavestudiedtheprogramFilter|ourrstexampleof

constructs:thenewinput-port,connectandcreatestatements,andthe InterfaceMismatchexception.Congratulations!Younowknowsixofthe 1.5DeclarationsandDenitions tenHermessystemprogrammingstatements! 181.4.PuttingProcessesTogether
morphic andhowmuchshouldbeinferredbythecompilerShouldtypesbepoly-
muchshouldtheprogrammerhavetowriteoutasexplicitdeclarations, averyimportantlooseendmentionedearlier|declarationsanddenitions. checking.Shouldtypecheckingbedoneatcompile-timeorrun-timeHow Let'stakeabreakfromlearningnewkindsofHermesstatements,andtieup Hermestakesthefollowingpositions: Thereismuchdebateanddierenceofopinionabouttheroleoftype Allprogramswillproducesemanticallywell-denedlocalizedeects| Programmingerrorswillbedetectedatcompiletimewhereverpossible.
Programmersmustdeclarethetypesofallvariablesexceptexpression Infact,aprocesscanaccessonlythedatabelongingtoit. eitheranormalresultoranexception.Thismeansprogrammingbugs
Therearenopolymorphictypes.They'renotneededasmuchwhen can'tcrashthesystem,orwriterandomgarbageintoanotherprocess.
itlyintroducingpolymorphism.(Hermeshasapolymorphtype,which samegoal|namely,reusablesourcecodepackages|withoutexplic-
insteadwritesatemplateandthencreatesspecicsortprogramsby substitutingspecictypesintothetemplate.Thisaccomplishesthe writingapolymorphicsortprogramwhichcansortanytype,one youhavetheabilitytocreateprogramobjectsonthey.Insteadof temporaries.Thecompilerinfersthetypesofexpressiontemporaries.
statementsweshowedyouearlier. 1.5.1Declarations Wewillnowshowyouthecompletetextoftheprogramswhoseexecutable HelloWorld:using(Standard)process(Init:StandardIn) allowsavariabletoholdavalueofanytype,therebydeferringtype
declare checkinguntilrun-time.)
begin Parms:StandardInterface;--callmessagereceivedfromparent receiveParmsfromInit;

typename.InHelloWorld,wedeclaretwoidentiers|Init(theinitializationport),andParms(thecallmessage).Atypenameiseitherapredened
calleddeclarations.Adeclarationconsistsofanidentier,acolon,anda ThestatementsInit:StandardInandParms:StandardInterfaceare endprocess callParms.PutLine("Hello,World!"); returnParms; 1.IntroductiontoHermes19
compileadenitionmoduleandplaceitintoalibrarybeforeyoucanimport thedenitionsofthetypesyounameinyoursourceprogram.Youmust denitionsmodules.Youmustimportthedenitionsmodulescontaining areuser-dened.Youmaygroupcollectionsofdenitionsintolescalled typename(suchasinteger,charstring,program,etc.),orauser-dened
andthepredenedtypesaresaidtobevisiblewithinthesourceprogram. introducedbythewordusing.Thetypesdenedintheimportedmodules, themodule. Youimportadenitionsmodulebyincludingitsnameonanimportslist Sometypes,likeCharstringarepredened.Others,likeStandardIn
!StandardInterface,andthiswouldhavebeennecessaryifStandardInterface dierentimportedmodules,orasapredenedtypeandinanimported nameStandardInterfacecouldoptionallyhavebeenwrittenasStandard module),thatnamemustbedisambiguatedbyprexingitwiththename ofthedenitionsmoduleorwithpredefined. othertypenames.Ifatypenameisdenedmorethanonce(e.g.intwo willcontaindenitionsforStandardInandStandardInterface.Thetype Noothertypesarevisible|thatis,thecompilerwillnotunderstandany
hadalsobeenthenameofapredenedtypeorifanotherimporteddenitionsmodulecontainedatypenamedStandardInterface.
Intheexample,thedenitionsmodulenamedStandardisimported.It
internal,andappearbetweenthekeywordsdeclareandbegin. anyprocesswishingtoinstantiatethisprocess.Theotherdeclarationsare parenthesesafterthewordprocess.That'sbecausetheinitializationport typeispartoftheinterfacetotheprocess|itneedstobeknownby Echo:using(Standard)process(Init:StandardIn) HereistheentireprogramEcho: Thedeclarationoftheinitializationportappearsinaspecialplace|in declare begin Parms:StandardInterface;--callmessagereceivedfromparent block receiveParmsfromInit; declare begin Line:Charstring;--linereadfromstandardinput

201.5.DeclarationsandDenitions while('true')repeat
twoareidenticaltoHelloWorld.Itwouldbeeasyforaneditororother Noticethatexceptfortheprogramname,therstvelinesandthelast endprocess returnParms; on(GetLineInterface.EndStream) endblock; endwhile; callParms.GetLine(Line);
tooltoinserttheselinesautomaticallyasboilerplatearoundanystandard callParms.PutLine(Line);
Hermesdoesn'tallowyoutohideanouterdeclarationbydeclaringanew intheregionofvisibilityofavariable.Thisruledoesnotexistinmost variablewiththesamenameinaninnerblock.Thisavoidshaving\holes" onlywithintheblock.Thisruleisfoundineveryblockstructuredlanguage. one-lineprogram,andHermesdoesn'tappearsoverbose. tion.Ifavariablenameisdeclaredwithinablock,thenthatnameisvisible clientprogram.Ifthisisdone,thenHelloWorldonceagainbecomesa
conictsifyoucopycodecontainingblocksfromoneprogramtoanother. otherblockstructuredlanguages.Youmayhavetowatchoutforname HerearetheprogramsFilterandCompound.Thistime,we'lljustshow Inthisexample,thereisaninnerblockstatementcontainingadeclara-
theheaderanddeclarationswithoutrepeatingthecode: Filter:using(Standard,Filter)process(Init:FilterIn) line begin declare
endprocess Prefix:Charstring;--stringtoprependtoeachoutputline --codeforprocessFilter PutLineCM:PutLineInterface;--callmessagecontainingthe Out:PutLineOut;--outputport:boundtoputlineservice Parms:FilterInterface;--initializationcallmessage In:PutLineIn;--inputport:requestsfromclient
Compound:using(Standard,Filter)process(Init:StandardIn) declare begin Client:StandardOut;--porttoinitializeclient Mark:integer;--positionof"/"delimitingname/parameters Filter:FilterOut;--porttoinitializefilter Parms:StandardInterface;--initializationcallmessage CliToFil:PutLineOut;--outputportconnectedtofilter ClientName:charstring;--nameofclientprogram Arguments:charstring;--argumentstoclientprogram

ecordsandcallmessages)containpartscalledcomponentswhicharenamed usingthedotnotationcommontomanyprocedurallanguages.Thetype names.Theseidentiersarecalledbasevariables.Structuredvariables(e.g. endprocess Youonlyneedtodeclarethetypeofsimpleidentiersusedasvariable --codeforprocesscompound1.IntroductiontoHermes21
ofacomponentlikeParms.GetLineisinferredfromthetypeofthebase variableParms.
writedownischeckedagainstthetypethatisinferred. maywriteboolean#'true'insteadof'true'.Inthatcase,thetypeyou maywriteatypespecierevenwhenitisnotnecessary|forexample,you usinginferencerules.Incertaincases,thetypeofanexpressioncannotbe inferred,andyoumustprecedetheexpressionwithatypespecier.You raryvariabletoholdtheresultofthatexpression.Examplesofexpressions arefunctioncalls(e.g.Parms.GetLine()),arithmeticoperations(e.g.A+B) andliterals(e.g.'true').Thecompilerinfersthetypeofanexpression Whenyouwriteanexpression,youareimplicitlydeclaringatempo-
denitionsdescribingwhatastandardclientispassedoninitialization,and theinterfacestothestandardservicesGetLine,PutLine,andGetProgram: 1.5.2Definitions Nowlet'slookatthedenitionsmodules.Let'sbeginwithStandard|the Standard:using()definitions PutLineInterface:callmessage( Line:Charstring) constant(Line)
GetLineIn:inportofGetLineInterfacefg; GetLineInterface:callmessage( PutLineOut:outportofPutLineIn; PutLineIn:inportofPutLineInterfaceffullg; Line:Charstring) exitfinit(Line)g exceptionEndStreamfg; exitffullg;
StandardInterface:callmessage( GetLineOut:outportofGetLineIn; PutLine:PutLineOut, GetProgram:GetProgramOut, ParmString:Charstring) constant(GetLine,PutLine,GetProgram,ParmString) GetLine:GetLineOut,

221.5.DeclarationsandDenitions StandardIn:inportofStandardInterfaceffullg; GetProgramInterface:callmessage( StandardOut:outportofStandardIn; exitffullg; Name:Charstring, TheProgram:Program)
onlyrefertotypesdenedwithinStandarditself,ortopredenedtypes. GetProgramOut:outportofGetProgramIn; enddefinitions ModuleStandarddoesnotimportanyotherdenitionsmodules.Itmay GetProgramIn:inportofGetProgramInterfacefinit(Name)g; exceptionNotFoundfinit(Name)g; constant(Name)
Thismoduledenesfourcallinterfaces.Inourpreviousanalogyofprocessesaselectricalcomponentswithplugsandsockets,interfacesdenitions
exitfinit(Name),full(TheProgram)g
informationthatcanbecommunicatedbetweentwoprocesses. describetheshapesoftheplugsandsockets.Acallinterfacedenesthe facesmustbedenedindefinitionsmodulesandprocessesinprocess modules.Thisseparationmakesaninterfaceavailabletoanyprocessthat wantstouseit.Thecompilerrequiresthataprocessmodulewhichuses evenmoreinformationonainterface. inoutparameters([Ada83]).Hermesallows(andrequires)youtospecify andtypeofaprocedure'sparameters.Pascalalsoletsaprogrammerdistinguishconstantandvarparameters;Adaletsyoudistinguishin,out,and
Youdeneaninterfaceseparatelyfromtheprocessesthatuseit;inter-
Mosthigh-levellanguagesprovideamechanismfordeningthenumber
conformtothesameinterfacecancommunicate. thecallerexpectstoreceiveuponreturn).Anycallerandreceiverwhich ilarlyitdeneswhatareceiverpromisestoreturn(andthereforewhat promisestosend(andthereforewhatthereceiverexpectstoreceive);sim-
aninterfaceconformtotheinterface.Theinterfacedeneswhatacaller sage,aninputport,andanoutputport. eachparameter.Inthecallingprocess,youmustsupplyalistofarguments selectedcomponentnotation,e.g.Parms.PutLine. ofmatchingtype.Inthecalledprocess,younametheparametersusing alistofthoseparameterswhosevaluesmustnotchangeduringthecall. EachinterfacetypicallyincludesthreeHermestypedenitions:acallmes-
calledprocess. Acallmessagedenitioncontainsadeclarationofthenameandtypeof
fortypestatechecking.Atypestateisasetofprogramattributesknown Youmayincludeaconstantslistinthecallmessagedenition.Thisis Younowneedtosupplytheadditionalinformationwhichisrequired Youmustsupplyalistoftheexceptionswhichmaybereturnedbythe

callydenedbytheprogrammer. taintypestateattributesarealwaystracked|suchaswhetheravariableis initializedoruninitialized.Otherattributesareonlytrackedwhenspeci-
knownstatically.Likestates,theyvaryfromstatementtostatement.Cer-
staticallytoholdataparticularprogrampoint.Liketypes,typestatesare Fornow,let'sjustlookatinitializationtypestates.Whentheattribute 1.IntroductiontoHermes23
tatetheparametersmusthaveifthecallcompleteswiththatexception. Linewillbereturned.Foreachexception,youmustsupplythetypesmalexitfromtheGetLineisinit(Line),whichmeansthataninitialized
init(X)appearsinatypestatethismeansthatthevariableXisinitialized. haveonnormal(non-exception)returnfromthecall.Forexample,thenor-
staticallyknowntobeinitializedoruninitialized;itisneverconditionally initialized.3 Wheninit(X)isabsent,itisuninitialized.AHermesvariableisalways
ceptionEndStreamisreturned,thenLinewillnotbeinitialized,because Thenormalandexceptiontypestatesmaybedierent.Forexample,ifex-
init(Line)isnotpresent. Aninputportdenitionspeciesthetypeofcallmessagewhichwillbe Youmustsupplytheexittypestate|thetypestatetheparametersmust
denesaninputporttypewhichwillholdcallmessagesoftypeGetProgramInterface. itissenttotheinputport(theentrytypestate).Forexample,GetProgramIn senttothatinputport,andthetypestatethatcallmessagewillhavewhen becausetheentrytypestateisinit(Name). TheProgram.AcallmessagearrivingataportoftypeGetProgramInisexpectedtohavecomponentNameinitialized,butnotcomponentTheProgramstatesatlength.Forexample,typeprogramisarecordwithcomponents
Thesecallmessageshavetwocomponentsorparameters,namedNameand intheinterfaceinsteadofthemuchlonger isfullyinitialized.SotheexittypestateofStandardInterfacecouldhave DefinitionsModules,MainProgram,andPrograms.Wewritefull(TheProgram) Theabbreviationfullisusedtoavoidwritingoutfullyinitializedtype-
beenwrittenas Wherefullappearsallbyitself,itmeansthattheentirecallmessage init(TheProgram),init(TheProgram.DefinitionsModules), init(TheProgram.MainProgram),init(TheProgram.Programs)
conditionalinitialization. tributecheckedappliestoaprogramvalueanditmeansthattheprogram isnotonlyfullyinitialized,butalsothatitisfreeofcompile-timeerrors. Uncheckedprogramsmustbecheckedbeforetheymaybeinstantiatedwith Thereareothertypestateattributesbesidesinit.Forexample,theat-
init(GetLine),init(PutLine),init(GetProgram),init(ParmString) 3Youcanuseavarianttype,describedinsection4.3,togettheeectof

whichtheoutputportconnects|calledthematchinginputporttype.The 241.5.DeclarationsandDenitions thecreateofstatement.ThedenitionGetProgramInterfacespecies thatprogramsreturnedbyGetProgramhavealreadybeenchecked. callmessagetypeandtypestaterequiredforsendingontheoutputportare determinedfromthatinputporttype. callingandcalledprogramsareseparatelycompiled.Whencompilingthe caller,thecompilerchecksthattheentrytypestateholdsbeforethecall, andcomputestheexitandexceptiontypestatesusingtheinterface.When Anoutputportdenitionsimplyspeciesthetypeoftheinputportto
theentrytypestate,andchecksthatthecorrectexittypestateholdsatthe pointofareturnstatement. mustlooklike.Thencheckyourselfagainstthedenitiongiven: compilingthecalledprogram,thecompilerusestheinterfacetodeduce Theinterfacedenitionsmaketypestatecheckingpossibleeventhough SeeifyoucanworkoutforyourselfwhatthedenitionsmoduleFilter Filter:using(Standard)definitions
FilterOut:outportofFilterIn; FilterInterface:callmessage(
enddefinitions FilterIn:inportofFilterInterfacefinit(PutLine),init(Prefix)g; Prefix:Charstring, ClientPutLine:PutLineOut) constant(PutLine,Prefix) exitffullg; PutLine:PutLineOut,
usedinthesamecontexts,besuretodeclarethemasthesametype. theyaretreatedastwodierenttypes.Ifyouintendtwovariablestobe havethesamestructure|samecomponenttypes,sameexceptions,etc.| denedinStandard.Standardrefersonlytopredenedtypesandtypes example,thatifyoudenetwodierentcallmessagetypeswhichhappento denedwithinitself. Summary:InHermes,allbasevariablesmustbedeclared.Alluserdenedtypesmustbedenedinseparatemodules.Onlythenamesof
visible.Youhavelearnedhowtowriteprocessheaders,declarations,and predenedtypesandoftypesdenedinimporteddenitionsmodulesare Note:Hermesusesnameequivalencefortypedenitions.Thismeans,for NoticethatFilterhastoimportStandard,sinceitusesatype(PutLineOut)
putports,andcallmessages.Youknowwhenyouneedtoputatypespec-
ieronanexpression.Youhavelearnedthefollowingterminology:type specier,denitionsmodule,import,visible,predened,entrytypestate, denitionsmodules,andthesyntaxfortypedenitionsofinputports,out-
theentireskeletonoftheHermeslanguageandcanwriteandexecuteHer- exittypestate,checkedattribute,nameequivalence.Younowunderstand

1.IntroductiontoHermes25
1.6ASimpleServer HermesdatatypesandHermesstatements. mesprograms.Theonlythingyoudonotknownowaresomeadditional FIGURE1.6.Aboundedbuerprocess
allykeepanylocalstate,butinsteadpassedallrequeststhroughtoanother service. typicalserver,sinceitmadeonlyasingleoperationavailable,anddidn'tre-
Wehaveseenoneexampleofaserver,namelytheFilter.Thiswasn'ta
operation,Quitwhichissimplyacommandtoterminate.Figure1.6shows theinterface. Ifthequeueisempty,callstoGetLinewillblockuntilthequeuebecomes orientedlanguages.Ourserverwillimplementabuer.Abuersupports rst-in,rst-outqueue;callstoGetLineremovethedatafromthequeue. theoperationsGetLineandPutLine.CallstoPutLineinsertdataintoa non-empty.Foraboundedbuer,callstoPutLinewillblockifthenumber oflinesinthequeueexceedssomecapacity.Wewillsupplyoneadditional Let'slookatamoretypicalserver|onemoreliketheobjectsofobject-
Hereisthesourcemodule: Naturally,weimplementaboundedbuerinHermeswithaprocess. BoundedBuffer:using(Standard,BBExternal,BBLocal,Quit) process(Init:BBIn) declare Put:PutLineIn;--PutLineservice Parms:BBInterface;--initializationcallmessage Get:GetLineIn;--GetLineservice Queue:Lines;--orderedsetoflines Quit:QuitIn;--Quitservice Capacity:integer;--maximumnumberofmessages
PutLine
Quit
Buffer
GetLine

261.6.ASimpleServer begin QuitCM:QuitInterface; newPut;connectParms.PuttoPut; --initialization receiveParmsfromInit; newGet;connectParms.GettoGet; PutCM:PutLineInterface; Running:boolean;--trueifprocesshasnotbeenshutdown
newQuit;connectParms.QuittoQuit; GetCM:GetLineInterface;
newQueue; returnParms; --serviceloop Running:='true'; while(Running)repeat Capacity:=Parms.Capacity; select
eventQuit eventGetandwhere(sizeofQueue>0) eventPutandwhere(sizeofQueue

Ifallalternativesaredisabled,thentheotherwiseclauseisexecuted.If oneormorealternativesareenabled,oneofthemischosen,andcontrol transferstothatalternative.However,analternativewithaneventguard canonlybechosenifthatinputporthasatleastonewaitingcallmessage. ports,theselectstatementblocksuntilamessagearrivesatoneofthese Ifalltheenabledalternativeshaveeventguardsreferringtoemptyinput 1.IntroductiontoHermes27
buer.JustleaveoutthequeuesizetestfromthePutservice. whichcontainsdenitionsfortypesusedinternallybyBoundedBuffer(in nativeisenabledprovidedthenumberoflinesinthequeueislessthan inthequeue.Theotherwiseclause,althoughsyntacticallymandatory, canneverbereached.Itiseasytomodifythisprogramintoanunbounded ports.
thiscase,thetypeLinesusedtoimplementthequeue),(2)BBExternal, Capacity,andtheGetalternativeisenabledprovidedthereareanylines Theboundedbuerprocessusesfourinterfaces:(1)BBLocal(notshown), Inthisexample,theQuitalternativeisalwaysenabled;thePutalter-
buer. languagefeatureswe'vealreadydescribed.Trytowriteityourselfandthen checkwiththedenitionhere: ules,becausetheywillbereusedinapplicationsotherthanthebounded whichdenesthePutLineandGetLine,and(4)Quit,whichdenesthe interfacefortheQuitoperation.StandardandQuitareinseparatemod-
whichdenestheinitializationinterfacefortheboundedbuer,(3)Standard, Theinterfacedenition,BBExternal,isstraightforward,andusesonly BBInterface:callmessage( BBExternal:using(Quit,Standard)definitions
BBIn:inportofBBInterfacefinit(Capacity)g; BBOut:outportofBBIn; Capacity:integer,--maximumnumberofmessagesallowed
enddefinitions Put:PutLineOut,--portforwriters
TheQuitdenitionisevensimpler: Get:GetLineOut,--portforreaders
Quit:using()definitions constant(Capacity) exitffullg; Quit:QuitOut)--portforshutdown
object-orientedlanguageslikeSmalltalkInbothcases,wehavetheability enddefinitions HowdoesHermesdierfromdataabstractionlanguageslikeAdaor QuitIn:inportofQuitInterfacefg; QuitInterface:callmessage()exitfg; QuitOut:outportofQuitIn;

281.6.ASimpleServer towritedataabstractionswhichexportaspecicsetofoperationswhile notexposingtheimplementationdetailstothecaller.Therearesomedifferences:
Hermesprocessesareactive.Iftherearemultiplecallers,thecalls arequeuedandprocessedserially.Theprocesscanchoosenotto
IcontrolaccessinHermesonaport-by-portbasis.InAdaorin IcanwritedierentHermesprocesseswiththesameinterfaceand ofthesameprivatetypewiththesamespecication(interface)and receivecertaincallsatcertaintimes.Thereisnoneedformonitors dierentprivateparts. orsemaphoresorothermutualexclusionmechanisms.
callGetLinecouldalsocallPutLineandQuit.Thisisundesirable, accesstoanobjectautomaticallygivesaccesstoallitsoperations.In thecaseofaboundedbuer,thiswouldmeanthatanyonewhocould object-orientedlanguages,Icontrolaccessonanobjectbasis.Having dierentinternals.InAda,forinstance,Ican'thavetwovariables
totallyordered|thatis,eachelementhasanassociatedposition.Positions thetable,thelastpositionisk1. anorderedtable.Atableissimplyacollectionofvaluesofthesametype aredenotedbyintegers.Therstpositionis0.Iftherearekelementsin (mathematically,abag).Anorderedtableisatablewhoseelementsare TheQueueisanexampleofatypefamilywehaven'tstudiedbefore| andinfactIdon'twantthereadersandwritersoftheboundedbuer
Youhavealreadyusedorderedtableswithoutknowingit,sincethepredenedtypeCharstringisanorderedtableofelementsoftypeChar.
toevenhavetoknowthattheQuitoperationexists.
whichisatablewhoseelementsareoftypeT.Inourexample,wewant todeneatypeLinesasanorderedtablewhoseelementsareoftype initionsmoduleBBLocal: Charstring.Thetypedenitionlookslikethisandwillappearinthedef-
InHermesyoucandenetablesofanytype|tablesofintegers,tablesof callmessages,etc.Youcanevendenearecursivetabletype|atypeT
fromthetablehavetypestateinit.Noticethatlikeothertypedenitions tablewithaparticularcontent,insertelementsintothetable,removeelementsfromthetable,mergeonetableintoanother,extractorcopyouta
inHermes,andunliketypedenitionsinmanyotherlanguages,tabletype aCharstring,andthatelementsinsertedinto,removedfrom,orcopied le),andnothingabouthowmuchstoragetoallocate. denitionssaynothingabouttherepresentation(e.g.array,linked-list,disk ThedenitionsaysthatLinesisanorderedtable,thateachelementis Lines:orderedtableofCharstringfinitg; Alltablessupportthefollowingoperations:inspectanelementinthe

inspectanelementormergeatableataparticularposition,locatethe subtablefromatable,ndthesizeofthetable,anditerate(repeataset ofstatementsonceforeachelementofthetable). positionofanelementwithparticularcontents,anditerateinorder. Orderedtablesadditionallysupporttheseoperations:insert,remove,or InBoundedBuffer,thesingleactionofthePutserviceconsistsofinsertingthedesignatedlineintotheendofthetableQueue.Theinsert
1.IntroductiontoHermes29
ifyouwish,bywriting: isordered.However,youmayinsertelementsatanypositioninthetable statementinsertsanelementintotheendofatablebydefaultifthetable
toinsertsomethingatposition3,theremustbeanelementatposition2, anelementpreviouslyatposition3,itmovestoposition4,andsimilarly orelseyouwillgetaRangeErrorexception. allelementsathigherpositionshavetheirpositionsincremented.Ifyoutry youspecifyposition3,thenewelementappearsatposition3.Iftherewas insertElementintoTableat(Position); Inthiscase,youmustsupplyaninteger-valuedposition.Forexample,if
thepositionsofalltheotherelementsmoveupbyone,sotheprevious wewrotetheexpressioncopyof. inGetCM.Line.Whenyouremovetherstelementfromanorderedtable, discardPutCM.Line|inthedenitionofPutLineInterface,parameter intothetable,ratherthancopyingit.Thismeansthatafterthestatement Lineisconstant|wemustmoveacopyofPutCM.Line.Thatexplainswhy isexecuted,thesourceoperandisdiscarded.Sincewe'renotallowedto TheGetserviceclauseremovestherstentryfromthetableandplacesit Onemoretechnicalpointaboutinsert:thestatementmovesitsoperand
meanssimplythrowingitaway.Callmessagesandportsaretreatedspecially:Whenacallmessage,oranyvaluewhichcancontaincallmessages
TheQuitservicecallterminatestheloop,andhenceterminatesthe nalized|thatis,theirvaluesarediscarded.InBoundedBuffer,thatwould bethequeue,thebooleanvariableRunning,thethreeserviceports,and secondelementnowbecomesrst. theinitializationport.FormostHermesdatatypes,discardingthevalue process. executingitslaststatement.Allvariableswhichremaininitializedare-
discarded,thecallmessagesarereturned.EachcallmessagetypehasadefaultDiscardedexception,e.g.GetLineInterface.Discarded.Whenan
Disconnectedexception.Anyprocesswhichbecomesisolatedbecauseall itsconnectionstotheoutsideworldarebrokenisequivalenttoaterminated inputportisdiscarded,connectionstothatportarebroken;attemptsto (e.g.aninputportwhichmayhaveseveralcallmessagesonitsqueue)is Let'slookmorecloselyatprocesstermination.Aprocessterminatesafter
processandcanbesafelygarbage-collectedbytheimplementation. sendmessagesoverthoseconnectionswillfailandthecallerwillreceivea

toaservice,whileretainingtheabilitytorevokeaccess,giveoutaconnectiontoalterprocesswhichalsosupportsaQuitservicethatyoucall
Summary:Wehaveshownthestructureofatypicalserver:anin-
Thishasthefollowingconsequences:Togiveaprocesstemporaryaccess whenyouwanttorevokeaccess.Ifyou'reprogrammingashellwhichis mightrunwild,makesurethatoninitialization,youonlypassrevocable 301.6.ASimpleServer
outputports.Thenifyourevokealltheports,theprocesswillbecome isolated,eectivelycancellingtheprocess. goingtocreateprocessesrunningarbitraryprogramswhichyou'reafraid putportperservice,somelocalstate,andaniteratedselectstatement. informationhidingofdataabstractionandobject-orientedlanguagesbut Booleanguardsmaybeusedtoprioritizethecallsortoconditionallydisablecertainservices.Wehaveclaimedthatserverprocessesachievethe
withadditionaladvantages.Youhavelearnedaboutthetableandordered tabletypefamilies.Youhavelearnedwhathappenswhenprocessesterminate,andthatyoucanusetheabilitytoterminateltersasameans
foraccessrevocationandterminationofchildprocesses.Youhavelearned booleanguard,eventguard,Discardedexception,Disconnectedexception,RangeErrorexception,processtermination,theselect,insertand
thefollowingHermesconcepts:alternativeclauses,enableanddisable, removestatements,thecopyofandsizeofoperations.

2AMiniatureSystem Sincetherealpurposeofthissectionistoillustratesystemsprogramming withHermesandnottodesigntheidealwindowsystem,wewilleliminate thehairydetailsofgraphics,tiling,etc.,andstriptheproblemtothebare bones. Ournalexamplewillbeadynamicsystem|asimpliedwindowsystem.
SupposeIhaveaterminaldevice.Let'sassumethatitusesthesameoversimpliedterminalinterfacewehavebeenusinginthepreviousexamples:
MostoftheHermesconstructsusedinthisexamplearealreadyfamiliar; howeverwewillintroduceandexplainafewnewconstructsaswegoalong. 2.1Requirements GetLineandPutLine.Inowwouldliketomultiplexthisterminalsothat
withtheapplicationrunninginit. startupanewapplicationinanewwindow,or(3)killawindowtogether window.Inputfromtheterminalwillbedirectedtothewindowcurrently infocus.Fromtheterminal,Icanalso(1)changethecurrentfocus,(2) initsownwindow.Outputfromanapplicationwillbedirectedtoits writtentousetheterminaldevice,sotheyusetheGetLineandPutLine Icanrunseveralclientapplications.Eachclientapplicationwasoriginally
line-at-a-timeinterface,asfollows:Everywindowwillhaveacharacter interfaces,too.
stringname.Whenalineiswrittenoutbyanapplication,itwillappear Inthisexample,wewillimplementthesefunctions,usingourlimited, Iwanttodividemyterminalintologicalwindows.Eachapplicationruns
areveescapesequences: byanescapecharacteristreatedspeciallybythewindowmanager.There (!)isassumedtobetypedintothecurrentwindow.Everyinputlineheaded ontheterminalintheform:.Toremindtheuser typedoutasaprompt.Everyinputlinenotheadedbyanescapecharacter whichwindowisinfocus,thenameofwindowcurrentlyinfocuswillbe !Cwindownameapplicationparms-createawindowwindowname !Fwindowname-changefocustowindowname !!line-dispatch!linetothewindowcurrentlyinfocus.Thisis howyousenddatawhichbeginswithanescapecharacter. runningapplication

322.1.Requirements
PutLine
PutLine
GetLine
GetProgram
frontend
Kill
Create
Dispatch
Refocus
windowmanager
InputToWindow
WriteToWindow InputToWindow Quit
Window Application
Window Application
quitdispatcher
quitdispatcher
beusedasaguidetobuildingsomethingmorepractical.Itwouldn'tbe hardtomodifythecodetouseagraphicalscreen,andtousemouseclicks FIGURE2.1.Structureofthewindowsystem
ratherthanescapesequencestochangethefocusandtocreateanddestroy windows.Thebasicstructureofthesystemremainsthesame. Thisisobviouslynotarealisticwindowmanager,butitsstructurecan !Q-quitwindowsystem !Kwindowname-killwindowname
Buffer Client Adapter
Buffer Client Adapter
2.2Design Thestructureofthesystemisshowningure2.1.

2.AMiniatureSystem33
FIGURE2.2.StructureofaWindowSystemApplication
GetProgram
vokesoneoftheservices:Refocus,Kill,Create,orDispatch.Thefront-
endalsokeepstrackofwhichwindow(ifany)iscurrentlyinfocus. applicationrunninginthatwindow,and(2)Quittoshutdownthewindow. managerhasapairofports:(1)InputToWindow,fordirectingdatatothe frontend.ThewindowmanagerprocessservicesWriteToWindowcallsfrom applicationssendinglinestotheirwindow.Foreachwindow,thewindow Thewindowmanagerprocesssupportsthesefourservicescalledbythe Afront-endprocessreadslinesfromtheterminal,parsesthem,andin-
thewindow.WhenaQuitcallisreceived,theunboundedbuerandthe passesGetProgramcalls.Boththeunboundedbuerandtheadapterare preparedtoreceiveQuitcallswhenthewindowmanagerdecidestokill ItconvertsPutLinecallsintotheappropriateWriteToWindowcalls,and linestypedaheadtotheclient,and(3)anadapterprocess,Adapter.These processesareshownindetailingure2.2,TheadapterissimilartoFilter. buerprocess,similartotheBoundedBufferdescribedabovewhichstores thesamestandardinterfacefamiliarfromHelloWorld,(2)anunbounded Eachapplicationconsistsofthreeprocesses:(1)theclientitself,with
modules.Herearetheinterfacedenitionsforthewindowmanager: Oncewehavedesignedthemodulestructure,wecanwritethedenitions 2.3Interfaces adaptershutdown,isolatingtheclientandthusterminatingit. WMExternal:using(Standard)definitions
InputToWindow
Quit
Quit
quitdispatcher
WriteToWindow
Quit
Buffer GetLine Client PutLine Adapter
GetProgram

342.3.Interfaces WMInterface:callmessage( --initializationinterfaceforwindowmanager
GetProgram:GetProgramOut,--serviceforloadingprograms PutLine:PutLineOut,--writealinetothephysicalterminal Dispatch:DispatchOut,--dispatchalinetotheappropriate Refocus:WindowOut,--changethecurrentfocus
DispatchInterface:callmessage( constant(GetProgram,PutLine) Kill:WindowOut,--killthespecifiedwindow
WindowName:Charstring,---windowtowhichtextisbeingsent --interfacetooperationDisptach WMOut:outportofWMIn; WMIn:inportofWMInterfacefinit(GetProgram),init(PutLine)g; exitffullg; Create:CreateOut)--makeanewwindow
WindowInterface:callmessage( --interfacetooperationsRefocus,Kill DispatchOut:outportofDispatchIn; DispatchIn:inportofDispatchInterfaceffullg; Line:Charstring)--texttodispatch
WindowName:Charstring)--nameofwindowoperand constant(Line)
constant(WindowName) exitffullg
exitffullg exceptionNotFoundffullg;--nosuchwindow
CreateInterface:callmessage( WindowOut:outportofWindowIn; --interfacetooperationCreate WindowIn:inportofWindowInterfaceffullg; ParmString:Charstring)--parameterstoclientprogram ProgramName:Charstring,--nameofclientprogramtorun WindowName:Charstring,--nameofwindowbeingcreated exceptionNotFoundffullg;
WriteToWindowInterface:callmessage( CreateOut:outportofCreateIn; --interfacetooperationWriteToWindow CreateIn:inportofCreateInterfaceffullg; constant(WindowName,ProgramName,ParmString) exceptionCreateFailureffullg; exitffullg exceptionDuplicateffullg

WriteToWindowOut:outportofWriteToWindowIn; WriteToWindowIn:inportofWriteToWindowInterfaceffullg; constant(WindowName,Line) Line:Charstring)--outputstring WindowName:Charstring,--nameofwindowbeingoutputto exitffullg; 2.AMiniatureSystem35
accesstotheWriteToWindowandGetProgramservices,andthenameof tothebuerprocessandtothequitservice.Soherearethedenitionsfor theinitializationofanapplication: thewindow(neededbythelter).Theapplicationmustexportconnections (neededbytheapplicationbuilder)andparameters(neededbytheclient), enddefinitions
Quit) StartWindowApplication:using(Standard,BBExternal,WMExternal, Eachwindowapplicationneedstobeinitializedwithaprogramname
definitions WindowApplicationInterface:callmessage( window ProgramName:Charstring,--nameofclientprogramtorun
WindowName) InputToWindow:PutLineOut,--forwritingintoinputbuffer GetProgram:GetProgramOut,--serviceforloadingprograms constant(ProgramName,ParmString,GetProgram,WriteToWindow, WindowName:Charstring,--nameofwindow ParmString:Charstring,--parameterstoclientprogram WriteToWindow:WriteToWindowOut,--forwritinglinestoa
WindowApplicationIn:inportofWindowApplicationInterface
exitffullg exceptionNotCreated
Quit:QuitOut)--forkillingtheapplication
gramwhichhadbeenwrittentocommunicatewiththeterminalcanrun lowsfromtheoriginalproblemstatementwhichspeciedthatanypro-
buer,andtheadapter.TheclientwillhaveinterfaceStandard.Thisfol-
Thethreeprocessescomprisinganapplicationare:theclient,thebounded WindowApplicationOut:outportofWindowApplicationIn; enddefinitions init(GetProgram),init(WriteToWindow),init(WindowName)g; finit(ProgramName),init(ParmString),
Sincetheadapterislikethelter,wewilldesignitsinterfacebymaking theadapterhasinterfaceAdapter.WehavealreadydesignedBBExternal. withinasinglewindow.TheboundedbuerhasinterfaceBBExternal,and

asmallchangetotheinterfaceFilter.Recallthattheadapterexportsa 362.3.Interfaces porttoitsQuitserviceaswellasaClientPutLineport: AdapterInterface:callmessage( Adapter:using(Standard,WMExternal,Quit)definitions ClientPutLine:PutLineOut,--portfromclienttoadapter ClientGetProgram:GetProgramOut)--portfromclienttoadapter Quit:QuitOut,--porttoshutdownadapter AdapterToWindow:WriteToWindowOut,--porttowindowmanager WindowName:Charstring,--windownamefordirectingoutput GetProgram:GetProgramOut,--porttoGetProgramService
GetProgramports,andtheportstothefourfront-endaccessibleservices AdapterIn:inportofAdapterInterface constant(AdapterToWindow,WindowName,GetProgram)
ofthewindowmanager.Itsinterfaceis: AdapterOut:outportofAdapterIn; enddefinitions Finally,thefrontendprocessmustbegiventheGetLine,PutLine,and exitffullg;
FEPExternal:using(Standard,WMExternal)definitions finit(AdapterToWindow),init(WindowName),init(GetProgram)g;
window FEPInterface:callmessage( Refocus:WindowOut, Kill:WindowOut, Create:CreateOut) constant(GetLine,PutLine,GetProgram,Dispatch,Refocus,Kill, PutLine:PutLineOut, GetProgram:GetProgramOut, Dispatch:DispatchOut,--dispatchalinetotheappropriate GetLine:GetLineOut,
2.4WindowSystemShell Create) FEPIn:inportofFEPInterfaceffullg; FEPOut:outportofFEPIn; enddefinitions exitffullg;
processandthewindowmanager.Theoutershellissimilartotheprogram Let'sbeginwiththeoutershellofthesystem.Itsimplycreatesthefrontend Nowthattheinterfacesareallwritten,theprogramsarefairlyeasytowrite.

GetProgramandPutLine,whereuponitreceivesbackportstofourofthe initializesthefrontendprocess,passingGetLine,GetProgram,andthe Compoundwhichwewroteearlier.Itcreatesthewindowmanagerprocess. Itcallstheinitializationportofthewindowmanager,givingitaccessto vewindowmanagerservices.(Thefthservice,WriteToWindow,isonly availabletocreatedapplicationsandnonehavebeencreatedyet.)Itthen 2.AMiniatureSystem37
fourservices: WMSystem:using(Standard,WMExternal,FEPExternal) process(Init:StandardIn) begin declare Dispatch:DispatchOut;--dispatchserviceinWM call(WMOut#(createofParms.GetProgram("windowmanager"))) receiveParmsfromInit; Refocus:WindowOut;--refocusserviceinWM Kill:WindowOut;--killserviceinWM Create:CreateOut;--createserviceinWM Parms:StandardInterface;--initializationcallmessage
call(FEPOut#(createofParms.GetProgram("frontend"))) (Parms.GetProgram,Parms.PutLine,Dispatch,Refocus,Kill,
2.5Front-endProcess endprocess returnParms; Refocus, (Parms.GetLine,Parms.PutLine,Parms.GetProgram,Dispatch,
Thefront-endprocessisasimpleloopinwhichalineisread,andadecision Kill,Create);
treeisfollowedtooneofthedecisionsDispatch,Refocus,Kill,Create, orerror.Hereistheprogram.Weleaveittoyoutollinthedeclarations. tokenizer:=procedureofParms.GetProgram("tokenizer"); running:='true'; receiveParmsfromInit; blockbegin WindowName:="";--nowindowinfocus while(running)repeat blockdeclare Line:Charstring;--linereadbyfrontend begin Escape:Char;--escapecharacterremovedfromline callParms.PutLine(WindowName|">");--promptuser

382.5.Front-endProcess callParms.GetLine(Line); ifsizeofLine=0
elseifLine[0]'!' then
blockdeclare removeEscapefromLine[0]; begin callParms.Dispatch(WindowName,Line);
Cmd:Charstring;--commandnamefollowing! ifLine[0]='!' then else callParms.Dispatch(WindowName,Line); extractcmdfromLine[0]; select(cmd) where("F") blockdeclare begin FParm:Charstring;--parameterto!F FParm:=tokenizer(Line); callParms.Refocus(FParm);
where("K") to"|FParm|"."); awindow."); endblock; on(WindowInterface.NotFound) callParms.PutLine("!wfe:"|FParm|"not WindowName:=FParm; callParms.PutLine("!wfe:Focuschanged
blockdeclare begin KParm:Charstring;--parameterto!K
where("Q") on(WindowInterface.NotFound) awindow."); endblock; callParms.PutLine("!wfe:"|Kparm|"not callParms.PutLine(Kparm|"killed."); KParm:=tokenizer(Line);
running:='false'; callParms.Kill(Kparm);

where("C") callParms.PutLine("Quittingwindowmanager."); blockdeclare !CPName:Charstring;--programname CParm:Charstring;--windowparameterto 2.AMiniatureSystem39
begin CParm:=tokenizer(Line); PName:=tokenizer(Line); blockbegin on(TokenizeInterface.noToken) Parm:Charstring;--programparameters
on(CreateInterface.CreateFailure) create"|CParm| on(CreateInterface.Duplicate) "sinceitalreadyexists."); callParms.PutLine("!wfe:Cannotwindow endblock; callParms.Create(Cparm,Pname,Parm); WindowName:=CParm; Parm:="";
applicationprocess" callParms.PutLine("!wfe:Unabletocreate
"|cmd); endselect; otherwise endblock; --error:notF,Q,KorC callParms.PutLine("!wfe:Illegalcommand: |PName|".");
on(TokenizeInterface.noToken) --error
endwhile; doesnotexist"); endblock; on(DispatchInterface.NotFound) callParms.PutLine("!wfe:Window"|WindowName|" endif;endif; endblock; callParms.PutLine("!wfe:Missingargument.");
on(others)

402.5.Front-endProcess paringavalueagainstasetofvalues.Itisequivalentto: Temp:=Line[ColonPosition+1]; Theselectstatementintheexampleistheusualabbreviationforcom-
returnParms; where(Temp='F')... endblock; callParms.PutLine("!wfe:othersexception");
Hermes'abilitytoplugandunplugmodulesindierentcongurations.(2) e.g.onebaseduponpointing,ordialog,ormenu-selection.Thisexploits vantages:(1)Itiseasytousethecommandswithanalternativefront-end, thecodewhichobeysthecommands.Thisstyleofwritinghasseveralad-
endselect; Noticethatwehaveseparatedthecodewhichparsesthecommandfrom otherwise... where(Temp='C')... where(Temp='K')...
frontendfromasimpledescriptionofthecommandsyntax. Therearetoolswhichautomaticallygenerateprogramssuchastheabove
havetoissueacreateoperationbeforeeachprocedurecall. afteritreturns. procedureoftomakeiteasytoinvokeprocedures.Withoutit,youwould aprocesswhichiscreatedjustforasinglecall,andwhichterminatesright token(stringofcontiguousnon-blankcharacters)fromastring.Procedures tverynicelyintotheprocessparadigmofHermes.Aprocedureissimply Hereishowprocedureofworks:Youcodeprocedureofwithaprogramoperand,justlikecreateof.Theresultisanoutputportconnectetionportofthenewprocess.
toaninitializationport.However,eachtimeyoumakeacallonthatoutput port,anewprocessisinstantiated,andyourcallisgiventotheinitializa-
Sinceproceduresaresocommon,Hermesprovidesaspecialoperation, Thefront-endprocessusesaprocedurenamedTokenizertoextracta
automatically. of,thesecondcallwillnotblockbecauseanewinstancewillbecreated mentedwithcreateof,thesecondcallwillblock;ifyouusedprocedure thereexistsonlyoneactivationatatime,thenitdoesn'tmatterwhether youcreatearegularprocesswithcreateora\process-generator"with beingprocessed,thenitdoesmakeadierence:ifyourprocedurewasimple-
procedure.Butifyouevermakeasecondcallwhiletherstcallisstill ProcessescreatedautomaticallywithprocedureofarestilllikeHermes Ifyouarenotusingaprocedurere-entrantlyorrecursively|thatis,
statement,unlessthereturnisthelaststatement.IfyouwanttheequivalentofAlgolprocedures,besuretouseprocedureofandbegineach
processesineveryotherway.Inparticular,theystillpersistafterareturn

procedureprocesswithareceiveandenditwithareturn. 2.6TokenizerProcedure HereisthecodeoftheTokenizerprocedure: 2.AMiniatureSystem41
pNB); blockbegin receiveParmsfromInit; pNB:=positionofCinparms.stringwhere(C''); extractblanksfromBinparms.stringwhere(positionofB<
on(NotFound) C

ationtable[expr].Wehaveencounteredthisabbreviationintheprogram positioninthetableisexpr."Thisformofselectorworksexactlylikearray indexing.ItissocommonthatHermesallowsyoutousetheabbrevi-
where(positionofelement=expr)means\selecttheelementwhose BoundedBuffer.ThestatementremovecmdfromLine[0]isashorthand 422.6.TokenizerProcedure
\removetherstcharacterfromLineandstoreitincmd." theelementbeingtestedbytheselector.Forexample,elementintable
aspartofanotheroperator:e.g.remove,every,extract,position: forremovecmdfromCinLinewhere(positionofC=0),anditmeans Aselectorcanappeareitherbyitselfasanexpression,oritcanappear Aselectorallbyitselfinanexpressionreturnsacopyoftheselected thentheearliestoneischosenifthetableisordered,andanarbitrary oneischosenifthetableisunordered.ANotFoundexceptionisraised ifthereisnoselectedelement.Example:Line[0]evaluatestotherst characterofLine,ifLineisnon-empty,otherwiseitraisesaNotFound thenamethe-element.Ifthereismorethanoneselectedelement, exception.ItcanalsobewrittenCinLinewhere(positionofC =0). element.Youcanlookthisoperationupinthereferencemanualunder
Theeveryofoperationgeneratesanewtableconsistingofevery Theremovestatementremovesasingleelement.Ifnoelementis selected,therstselectedelementischosenifthetableisordered, selected,aNotFoundexceptionisraised.Ifmorethanoneelementis otherwiseanarbitrarychoiceismade.
Theextractstatementissimilartoeveryof,exceptthatitremoves wherethisoperationwasusedtoselectthosecharactersbeforeand computesubsetsorsubstrings.(ReferbacktotheprogramCompound, elementswillhavethesamerelativeorder.Thisoperationisusedto selectedelement.Iftheoriginaltablewasordered,thetableofselected afterthe'/'.
ble,andthepositionofoperatordiscussedabove,whichisappliedwithin Notethedierencebetweenpositionofselector,whichsearchesata-
Thepositionofoperationwithaselector(e.g.positionofCin aNotFoundexceptionisgenerated. Linewhere(C=':'))returnsthepositionoftherstselectedelementwithintheorderedtable.Ifnoelementinthetableisselected,
theelements. theselectedelementsfromitssourceoperand,ratherthancopying
=':').ThisexpressionsearchesfortherstcoloninLineafterposition P,andreturnsthepositionofthatcolon. aselectorpredicate.Thefollowingexpressionusesbothkindsofposition ofoperators:positionofCinLinewhere(positionofC>PandC

ports,anditsoutputport,whatstatedoesitneedThewindowmanagermustknowwhichwindowsexist,andhowtodispatchlinestothose
2.7TheWindowManager 2.7.1Definitions Nowlet'scodethewindowmanagerprocessitself.Besidesitsveinput 2.AMiniatureSystem43
ofinformation:thewindow'sname,theportoverwhichwedispatchlines windows.
type.HereiswhatweneedtowriteinWMInt,thedenitionsmodulefor thetableforeachcreatedwindow.Theelementwillconsistofthreepieces nameandthetwoports,andatablewhoseelementsarerecordsofthis we'veusedsofar,thistablewillbeunordered.Therewillbeoneelementin destinedfortheapplicationinthatwindow,andtheQuitportwhichwe needwhenwewanttokillthewindowandisolatetheclientprocess. ThenaturalHermeswaytodothisistodeneatable.Unlikethetables
typesusedinternallybythewindowmanager: Window:record( WMInt:using(Standard,Quit)definitions WeneedtodenetwoHermestypes:arecordcontainingthewindow
tableoftypeWindowsconsistsoffullyinitializedrecordsoftypeWindow. WindowName:Charstring,--thenameofthewindow
seethatWindowdenesatupleandWindowsarelation.Thenotation Ifyouarefamiliarwiththeterminologyofrelationaldatabases,youwill Windows:tableofWindowffullgkeys(WindowName); enddefinitions Therecorddenitionisstraightforward.Thetabledenitionsaysthata InputToWindow:PutLineOut,--portforwritingintoinputbuffer
keys(WindowName)saysthatnotwoelementsofthetablemayhavethe Quit:QuitOut);--portforkillingtheapplication
samevalueofcomponentWindowName.Inrelationaldatabaseterminology, thereisafunctionaldependencybetweenthecomponentWindowNameand theothercomponents.
youwouldnotbeabletousethisabbreviation,becauseitwouldinstead tableonitskeycomponents.IftheWindowstabletypehadbeenordered, arecordwhoseWindowNamecomponentduplicatestheWindowNamecomponentofarecordalreadyinthetablewillfail.TheexceptionDuplicateKey
T[N]isavailableasanabbreviationforEinTwhere(E.WindowName= Thereisalsoasyntacticeectofthekeysdeclaration:theshorthand Thesemanticeectofthekeysdeclarationisthis:anattempttoinsert willberaised. N).Thisabbreviationexistssimplybecauseit'sfairlycommontosearcha meanEinTwhere(positionofE=N).Theabbreviationforselecting

ishiddenandinnowayaectsthesemantics. 442.7.TheWindowManager
2.7.2Skeleton We'renowreadytowritetheskeletonofthewindowmanager: anelementbypositiontakesprecedenceovertheabbreviationforselecting sothefactthatNisnotanintegerwillnothelp. anelementbykey.Abbreviationsareexpandedbeforetypesarechecked, Onceagain,weremindyouthatthephysicalrepresentationofthetable WindowManager:using(Standard,WMExternal,WMInt,StartWindowApplication) process(Init:WMIn) declare RefocusCM:WindowInterface; WriteToWindow:WriteToWindowIn; WriteToWindowCM:WriteToWindowInterface; Refocus:WindowIn; Parms:WMInterface;--initializationparameters Dispatch:DispatchIn; DispatchCM:DispatchInterface; Create:CreateIn; CreateCM:CreateInterface; Kill:WindowIn;
begin CreatedWindows:Windows;--statusofallwindows CurrentFocus:Charstring;--nameofwindowinfocus WriteToWindowCapability:WriteToWindowOut; KillCM:WindowInterface; GetProgram:GetProgramOut; PutLine:PutLineOut;
GetProgram:=Parms.GetProgram; PutLine:=Parms.PutLine; receiveParmsfromInit; --initializationsection ApplicationBuilder:Program;
ApplicationBuilder:=Parms.GetProgram("applicationbuilder"); newWriteToWindow;connectWriteToWindowCapabilitytoWriteToWindow; newRefocus;connectParms.RefocustoRefocus; CurrentWindow:Window;--awindowbeinginsert/deleted/searched
newCreate;connectParms.CreatetoCreate; newKill;connectParms.KilltoKill; returnParms; newCreatedWindows; --servicesection newDispatch;connectParms.DispatchtoDispatch;

while('true')repeat --eventCreate... --eventDispatch... --eventWriteToWindow... select --eventRefocus... 2.AMiniatureSystem45
BoundedBuffer.Onedierenceisthatwedonotgivethewindowmanager'sparentaconnectiontotheWriteToWindowservice.Thisconnection
Sofar,thewindowmanagerhasthesamestructureasserverssuchas endprocess endwhile; endselect; --eventKill... willbegiveninsteadtothechildrenofthewindowmanager|thewindow applications. otherwise
TheRefocusandWriteToWindowservicesarestraightforward.Refocus 2.7.3RefocussingandWritingOutput simplycheckswhetherthewindowexists. eventRefocus receiveRefocusCMfromRefocus; ifexistsofCreatedWindows[RefocusCM.WindowName]
eventWriteToWindow WriteToWindowprependsthewindownametothetextline. else then
receiveWriteToWindowCMfromWriteToWindow; endif; --erroraction returnRefocusCMexceptionNotFound; returnRefocusCM;
tionifthedestinationwindowdoesnotexist. TheDispatchserviceinvolvesasimpletablelookup.Wereturnanexcep-
2.7.4DispatchingLinestoaParticularWindow eventDispatch returnWriteToWindowCM; callPutLine(WriteToWindowCM.WindowName|":"|WriteToWindowCM.Line);
blockbegin receiveDispatchCMfromDispatch; CurrentWindow:=CreatedWindows[DispatchCM.WindowName];

462.7.TheWindowManager callCurrentWindow.InputToWindow(DispatchCM.Line);
ofanyothertypecontainingthesetypes(suchasarecordcontainingan andcallmessagetypefamiliesarenotcopyable.Variablesofthesetypes,or selectorexpressiontocopyanelementfromthetableintoavariable.We shouldpointoutonesituationinwhichthisdoesnotwork.Theinputport Thisprogramillustratesonewaytolookupsomethinginatable|usea endblock; on(NotFound) returnDispatchCMexceptionNotFound; returnDispatchCM;
inputportoratablecontainingacallmessage)cannotbecopied.Todoa tablelookupwhenthetableelementscannotbecopied,usetheinspect statement.Hereisthesameprogramfragmentrewrittenwiththeinspect
blockbegin receiveDispatchCMfromDispatch; inspectWinCreatedWindows[DispatchCM.WindowName] begin
anobjectofanydatatype,becausetheproblematicoperationsareillegal elementoftableCreatedWindows.Hermesdoesnotallowmakingcopies returnwouldbecomecomplex.Howeverconstantcopiesmaybemadeof ofinputportsandcallmessages,becausethesemanticsofreceiveand TheinspectstatementassignsWfromaconstantcopyoftheselected on(NotFound) endblock; endinspect; callW.InputToWindow(DispatchCM.Line);
non-copyablecases. Thatway,youwillnothavetousetwodierentstylesforthecopyableand whenappliedtoconstants. fortablelookupallthetime,evenwhenthetableelementsarecopyable. declareCurrentWindow.Butintheversionusinginspect,youdon'twrite oftableCreatedWindows.Youmaywishtousetheinspectstatement newscopeinwhichWisdeclaredtohavetypeWindow|theelementtype aseparatedeclarationforthevariableW.Theinspectstatementdenesa Theinspectstatementselectsexactlyoneelement(orelseraisesan Intheprogramfragmentwrittenwithoutinspect,itisnecessaryto
eachelementofatablewhichsatisestheselectorpredicate.(Thismaybe forstatementiterativelyexecutesthestatementswithinitsbodyoncefor exception).Toselectallelements,iteratively,useaforstatement.The example,hereisapieceofcodewhichprintsthenamesofalltheactive zerotimesifthetableisemptyorifnoelementsatisestheselector.)For windows: forWindowinCreatedWindowswhere('true')

foreyoudonotdeclareWindowexplicitly.Withinthatscope,thevariable Windowcontainsaconstantcopyofoneoftheselectedelementsofthetable.Fororderedtables,theiterationsoccurintheorderthattheselected
elementsoccurinthetable.Forunorderedtables,theiterationsoccurin Liketheinspectstatement,theforstatementcreatesascope.There-
inspect endfor; callPutLine(Window.WindowName); 2.AMiniatureSystem47
anarbitraryorder.
InputToWindowandQuit.Wegettheseportsbycreatinganapplication Thenewwindowrecordcontainsthewindow'sname,andthetwoports we'regoingtobuildanewwindowrecord,andinsertitintothetable. viationisparticularlyusefulintheforstatement. Nowlet'sdocreationanddestructionofwindows.Tocreateawindow, 2.7.5CreatingandKillingWindows Theconstructwhere('true')maybeabbreviatedas[].Thisabbre-
processes,andreturnthetwodesiredports.Wehavetopasstheapplicationbuildertheseparameters:theprogramnameandparameterstring,
aconnectiontoGetProgram,andaconnectiontoWriteToWindow.The structuresdened: codeisverystraightforwardnowthatwehavealltheinterfacesanddata eventCreate else receiveCreateCMfromCreate; ifexistsofCreatedWindows[CreateCM.WindowName] then blockbegin returnCreateCMexceptionDuplicate; --erroractionbecausewindowalreadyexists newCurrentWindow; CurrentWindow.WindowName:=CreateCM.WindowName; call(WindowApplicationOut#(createofApplicationBuilder))
builderprocess.Theapplicationbuilderwillcreatethethreeapplication
endblock; on(WindowApplicationInterface.NotCreated) returnCreateCMexceptionCreateFailure; insertCurrentWindowintoCreatedWindows; returnCreateCM; --erroractionifunabletocreateprocess (CreateCM.ProgramName,CreateCM.ParmString, CurrentWindow.InputToWindow,CurrentWindow.Quit); GetProgram,WriteToWindowCapability,CurrentWindow.WindowName,

name.Ifwewaitedtobuildtheapplicationrstandthencheckfora DuplicateKeyexception,theillegalapplicationmayhavealreadystarted 482.7.TheWindowManager exceptionbycheckingrstfortheexistenceofawindowwithidentical runningandmayhavealreadyproducedoutput.Theexistsofoperator checksforthiscase.Thisoperationtakesaselectorandevaluatestotrue ifandonlyifoneormoreselectedelementsexist. TheonlytrickybitisthatwemustavoidthepossibilityofaDuplicateKey Todestroyawindow,wesimplyremovethewindowdescriptorfromthe endif;
application.ThisservicewillcallQuitonthebuerprocessandtheadapter process,withtheresultthattheclientprocesswillshutdown. tableofcreatedwindowsandthencalltheQuitportassociatedwiththat eventKill receiveKillCMfromKill;
endblock; on(NotFound) blockbegin callCurrentWindow.Quit(); returnKillCMexceptionNotFound; --erroraction discardCurrentWindow; returnKillCM; removeCurrentWindowfromCreatedWindows[KillCM.WindowName];
eventGetFocus receiveGetFocusCMfromGetFocus; then ifCurrentFocus""
portsfromprocesstoprocess. thiscodewhenyouhavetables,exceptionhandling,andtheabilitytopass Thisnishesthewindowmanager.Noticehowconvenientitistowrite endif; else returnGetFocusCMexceptionNotFound; returnGetFocusCM; GetFocusCM.Focus:=CurrentFocus;
isastraightforwardvariationofFilter. 2.8CreatingaWindowApplication orWMSystem,itshouldbeeasytobuildApplicationBuilder.AndAdapter Allthatisleftaretheapplicationbuilder,theadapter,andthequitdispatcher.Theseprogramsusenonewprinciples.IfyoucanbuildCompound

2.8.1ApplicationBuilder unboundedbuer,aninstanceoftheadapter,andaninstanceoftheclient. ItalsobuildsaprocesswhichinterpretstheQuitcallmessagebycalling theQuitserviceinboththebuerandtheadapter. HereisthecodeofApplicationBuilder.Itcreatesaninstanceofthe Hereistheonlytrickypart:ApplicationBuildertruststhebuer,the 2.AMiniatureSystem49
thismightbeanarbitrarymodule,whichmightnotevenreturnfromits initializationcall.SoApplicationBuildershouldbesuretocalltheclient adapter,andthequithandlerprocesses.Itdoesn'ttrusttheclient,since window.ThiswillcausethequitdispatcherprogramtocallQuitinthe thewindowmanagerwillstillberunning.Theendusercanthenkillthe last.Iftheclientgoesintoaloopordeadlocks,wearestillsafe,because clientandtheapplicationbuilderprocessesbecomeisolated,andtheywill begarbagecollected. buerandtheadapter.Whenthebuerandtheadapterterminate,the ApplicationBuilder: Quit,QuitDispatcher) using(Standard,StartWindowApplication,BBExternal,Adapter,
Adapter process(Init:WindowApplicationIn)
begin declare Parms:WindowApplicationInterface;--initializationcallmessage
block receiveParmsfromInit; Client:StandardOut;--clientprocess ClientGetLine:GetLineOut;--GetLinefromClienttoBuffer ClientGetPgm:GetProgramOut;--GetProgramfromClientto ClientPutLine:PutLineOut;--PutLinefromClienttoAdapter ParmString:Charstring;--parametertoclientprocess declare begin AdapterQuit:QuitOut;--adapter'squitport BufferQuit:QuitOut;--buffer'squitport
Client:=createofParms.GetProgram(Parms.ProgramName); call(BBout#(createofParms.GetProgram("unboundedbuffer"))) call(QuitDispOut#(createofParms.GetProgram("quitdispatcher"))) ParmString:=Parms.ParmString; call(AdapterOut#(createofParms.GetProgram("adapter"))) (Parms.WriteToWindow,Parms.WindowName,Parms.GetProgram, AdapterQuit,ClientPutLine,ClientGetPgm); (0,Parms.InputToWindow,ClientGetLine,BufferQuit); (AdapterQuit,BufferQuit,Parms.Quit);

502.8.CreatingaWindowApplication returnParms; blockbegin
Notetheon(others)exceptionhandler.Thisisashorthandnotation, endprocess on(others) endblock; ParmString);
returnParmsexceptionNotCreated; callClient(ClientGetLine,ClientPutLine,ClientGetPgm,
clientwithinaninnerblockwithanullon(others)handler. tocauseaNotCreatedexception.Therefore,weenclosethecalltothe theclientiscreated,wedon'twantexceptionsreturnedbytheclientitself tocreatetheclient.ThehandlerwillreturnaNotCreatedexception.Once Inthisexample,thishandlerwillbeenteredifanythinggoeswrongtrying signifying\handleallexceptionswhicharenotalreadyexplicitlyhandled".
guages,sowedidn'tbotherexplainingthem. process.Forexample,supposethatinsteadofloadingQuitDispatcher literals,like'true'.Theseliteralsarejustliketheliteralsoffamiliarlan-
stringliterals,like"Hello,World!",integerliterals,like0,andboolean compile-time,weneednotcallGetProgramtoloadtheseprogramsfrom theprogramlibraryatruntime.Wedothisusingaprogramliteral. Aprogramliteralisjustprogramtextdelimitedbyprocessandend Aliteralisanexpressionwithacompile-timeknownvalue.Wehaveused Sincethecodeofthequitdispatcher,adapter,andbuerareknownat
fromthelibrary,weusedaprogramliteralinstead.Hereistherelevant fragmentofmoduleApplicationBuilder: call(QuitDispOut#(createofprocess(Init:QuitDispIn) begin declare Quit1:QuitOut; Quit2:QuitOut; Quit:QuitIn; QuitCM:QuitInterface; newQuit;connectParms.QuittoQuit; receiveParmsfromInit; Quit1:=Parms.Quit1; Parms:QuitDispInterface;
Quit2:=Parms.Quit2; returnParms; receiveQuitCMfromQuit; callQuit1(); callQuit2();

printfhasaccesstothesameconsole.ButifyouandIeachhaveaprogramliteraldenotingtheQuitDispatcherprogram,wewillstillnothave
have.Aswestatedearlyinthetutorial,everyonewithastaticbindingto Don'tconfuseprogramliteralswithstaticbindings,whichHermesdoesn't endprocess)) (AdapterQuit,BufferQuit,Parms.Quit); returnQuitCM; 2.AMiniatureSystem51
literalisacompletelyseparateprogramwithacompletelyseparateset accesstothesameprocess.Ifweeachinstantiatetheprogram,we'llhave
asaseparatemodule.Itevaluatestoaninitialized,checkedvalueoftype ofdeclarations.Theprogramliteralistreatedasifithadbeencompiled turedlanguages.Inblockstructuredlanguages,nestedprocedurescanre-
fertovariablesintheouterprocedure.Thisisnottruehere.Aprogram twoseparateprocessesrunningthesamecode.Theonlywaywecanshare outputporttotheother. predefined!program. aprocessisifoneofusinstantiatestheprocess,andpassesacopyofthe Don'tconfuseprogramliteralswithnestedproceduresinblockstruc-
programtextappearsasaprogramliteralinseveralprograms.Youdon't wanttomaintainmultiplecopiesofthesameprogramliteral,incaseyou refertoitbynamewithinanotherprogram.Thisisconvenientifthesame wishtomodifytheprogram. Hereisthesamecodewiththeprogramliteraloutofline: linking(QuitDispatcher) ... Youmaywriteaprogramliteraloutofline,separatelycompileit,and
call(QuitDispOut#(createofprocessQuitDispatcher))
Testyourselftryingtowritetheadapterandquitdispatcherprocesses. 2.8.2AdapterandQuitDispatcher whichappearsrightaftertheimportslistatthebeginningofthesource writinglinking(QuitDispatcher). module.Inthisexample,wemakethenameQuitDispatchervisibleby Anout-of-lineprogramnameismadevisiblebymeansofalinkinglist, (AdapterQuit,BufferQuit,Parms.Quit);
Hereisthecode: process(Init:AdapterIn) Adapter:using(Standard,Adapter,WMExternal,Quit) declare Put:PutLineIn;--PutLineservice Parms:AdapterInterface;--initializationcallmessage Get:GetProgramIn;--GetProgramservice Quit:QuitIn;--Quitservice

522.8.CreatingaWindowApplication
begin QuitCM:QuitInterface; --initialization Running:boolean;--trueifprocesshasnotbeenshutdown WindowName:Charstring;--nameofwindow GetProgramCM:GetProgramInterface; PutCM:PutLineInterface; Window:WriteToWindowOut;--accesstowindow
receiveParmsfromInit; GetProgramOut:GetProgramOut;--accesstoGetProgramservice
newPut;connectParms.ClientPutLinetoPut; newGet;connectParms.ClientGetProgramtoGet; GetProgramOut:=Parms.GetProgram; WindowName:=Parms.WindowName; Running:='true'; returnParms; --serviceloop while(Running)repeat newQuit;connectParms.QuittoQuit; Window:=Parms.AdapterToWindow; select eventPut
eventQuit eventGet returnGetProgramCM; callWindow(WindowName,PutCM.Line); receivePutCMfromPut; receiveGetProgramCMfromGet; returnPutCM;
endselect; otherwise--shouldnotoccur receiveQuitCMfromQuit; Running:='false'; returnQuitCM; callGetProgramOut(GetProgramCM.Name,GetProgramCM.TheProgram);
QuitDispatcher:using(QuitDispatcher,Quit)process(Init:QuitDispIn) declare Quit1:QuitOut; Quit2:QuitOut; Parms:QuitDispInterface; endprocess endwhile;

egin Quit:QuitIn; QuitCM:QuitInterface; newQuit;connectParms.QuittoQuit; receiveParmsfromInit; Quit1:=Parms.Quit1; 2.AMiniatureSystem53
Quit2:=Parms.Quit2; returnParms; receiveQuitCMfromQuit; callQuit1(); callQuit2();
simplied,butitillustratesmanyfeaturesofrealsystems.Forexample, 2.9Summary Inthissection,wehavebuiltacompleteminiaturesystem.Thesystemis endprocess returnQuitCM;
itisafunctionalenhancement|windows|whichcanoperatewithclient programswhichweredesignedpriortotheenhancement.Itistransparent| thatis,theclientprogramsdonotneedtobechangedtousewindows. ItachievesthistransparencybyexploitingHermes'abilitytorebindany outputporttoaninputportofmatchinginterface.Furthermore,because windowsystemitselfwithinoneofitsownwindowstogetnestedwindows. thewindowsystemasawholelookslikeastandardclient,wecanrunthe
anddeleted. namically.Inthiscase,clientapplicationsandtheportstothemareadded terminatingtheadapter. clientcanbeconstrainedtowriteonlyintotheappropriatewindow.And outputporttoanadapterwhichcallsaparticularwindow|thereforethe thewindowmanagercanrevokeanerrantclient'saccesstothewindowby Thisexampleillustrateshowwedividetheresponsibilityandknowledge Thewindowmanagerillustrateshowsystemsaddordeleteservicesdy-
Theapplicationbuilderillustratesaccesscontrol.Theclientispassedan
convertbetweendierentinterfaces,andalsoallowaservicetobecut Thewindowmanagerhandlesthesetofwindowapplications|itprimarily dealswiththetableofactivewindows.Theadapterandbuerprocesses amongtheprocessesofasystem.Thefrontenddealswithinputfromthe enduser.Itdoesstringhandling,andconvertsstringcommandstocalls. o.Thewindowsystemandapplicationbuilderprocessesloadandlink togetherotherprocesses. standtheessentialconceptsandusesofHermes.Itshouldbeastraightfor- Ifyouunderstandhowthewindowmanagersystemisbuilt,youunder-

examplesillustratedhere. errorhandling.Youmaywishtotrywritingimprovementsonsomeofthe windowsfortheirchildprocessestorunin.Youmaywantmorerealistic styleofclients,whichhaveaccesstotheCreateserviceandcancreatenew 542.9.Summary wardexercisetowritemorecomplexsystemsbyapplyingthesameprinciples.Forexample,youmaywantthewindowsystemtosupportanew
beinstructivetoestimatehowmuchthinkingyouhavetodotoensure surenottoforgettofreeunuseddynamicallyallocatedstorage.Itwould gramsinyourfavoriteprogramminglanguage.Don'tforgetthatthepro-
system.Thesystemmayberunningforalongtime|soyoumustmake loopholes|likeopening/dev|whichmightcircumventthesecurityofthe beabletowriteonwindowstheydon'town.Youhavetocloseallthe gramsmustberobust|theremustbenocrashesduetoexceedingastor-
agelimit,forexample.Theprogramsmustalsobesafe|clientsmustnot Youalsomaywishtothinkofhowyouwouldhavewrittenthesepro-
Hermesexceptamorecompletelistofprimitiveoperations,andamorere- acorrectimplementationinanotherlanguageandcompareittowhatis
neddescriptionofwhathasbeendiscussedinformally.Goodluck! on(others)notation.Fromhereon,youhavenothingmoretolearnabout lectedelement),theinspectstatement,theDuplicateKeyexception,the tors,everyof,extract,positionof(withaselectorandwithase-
inprevioussectionstoamorepracticalproblem.Wehaveintroduceda fewnewconstructs:recordtypedenitions,unorderedtables,keys,selec-
involvedindoingthejobinHermes. Summary:Inthissection,wehavemostlyappliedwhatwe'velearned

Clothes",calleduponlanguagedesignerstoenforcewhathecalledsecurity 3TypeandTypestateChecking C.A.R.Hoare,inhis1981TuringAwardLecture,\TheEmperor'sOld inprogramminglanguages,andcriticizedtherecentlyadoptedAdadesign fornotmeetingthisrequirement.Bysecurity,Hoaremeant\[t]heprinciple pilerandthateverysyntacticallycorrectprogramshouldgivearesultor thateverysyntacticallyincorrectprogramshouldberejectedbythecom-
anerrormessagethatwaspredictableandcomprehensibleintermsofthe sourcelanguageprogramitself."Inasecurelanguage,abuginmoduleX shouldshowupasbadoutputfrommoduleX,notasacrash,orarandom
guagerules.(We'rethatthelanguagehassomeconceptofmodularityin andtheymustkeeponrunningthegoodprogramseventhoughsomebad programshavebeenallowedtoexecute. multipleusers,theymaydynamicallyloadarbitraryuntestedprograms, mes.Programsarelong-livedsystems,theyincludemoduleswrittenby implementation-dependentperturbationtoapossiblyinnocentmoduleY.
whichitisillegalforonemoduletoaccesstheprivatedataofanother.) erroneousexecutions.Erroneousexecutionsareuncheckedviolationsoflan-
Let'sadoptAda'sterminologyandcallexecutionswhichviolatesecurity SecurityinHoare'ssenseisextremelyimportantforalanguagelikeHer-
Inpractice,erroneousexecutionsaretheresultof:(1)accessingundened values,or(2)accessingdataofthewrongtype. afteranotherhasalreadycheckeditsdiscriminant.SinceHermeshasno formedvalueoftheappropriatetype.Oroneprocessmodiesavariant dataofthewrongtype.Theremainingsecurityproblemsinlanguageslike sharingandnoaliasing,thesepathologicalcasescannotarise. Adaaretheresultofaliasingandshareddata.Forexample,twoprocesses simultaneouslywriteintoasinglevariable,andtheresultisapossibly interleavedsuccessionofbytesfrombothvalues,whichmaynotbeawell-
Conventionaltypecheckingavoidsmostoftheproblemsofaccessing
fromthedeclaration.Everyoperationhasclassrules,whichlimitwhich familiesoftypestheoperandsmayhave|forexample,+mayonlybeused atypewhichisxedthroughoutitsscope,andwhichisdirectlyderived withintegerorrealtypes.Everyoperationhastypeinferencerules,which determinethetypeofoneoperandasafunctionofthetypeofanother|for insertCintoS,CmustbeoftypeChar.Thedeclaredtypesofvariables exampleifSisaCharstring,denedasorderedtableofChar,thenin andtheinferredtypesofexpressionsmust(1)determineauniquetypefor TheHermestypesystemisstraightforward.Everyvariablenamehas

563.TypeandTypestateChecking
anerroneousexecution. thereforemaynotbeinstantiated).AHermescompilerwillrejectaprogram whosePascalorAdacounterpartwouldcompilesuccessfullybutproduce therbereadnorwritten),andwhereaprogramvalueisunchecked(and everyexpressionand(2)beconsistentwiththetyperules. notberead),whereavariantisinthewrongcase(andthereforemayneiing|ageneralizationofdataowanalysis..Hermescompilersusetypestatecheckingtotrackwhereavariableisuninitialized(andthereforemay
Here'sanexampleoftypestatecheckingappliedtoasimple(andrather TheproblemofundenedvaluesissolvedinHermesbytypestatecheck-
meaningless)programfragment: begin block callParms.GetLine(L); declare L:Charstring; A:Char; B:Charstring; C:Charstring; ifsizeofL=0 then else callParms.PutLine(B); B:="EmptyLine"; A:='NUL';
on(GetLineInterface.EndStream) insertAintoL;
callParms.GetLine(L); endif; callParms.GetLine(C); A:=L[0];
endblock; Fornow,letuslookonlyatthesimplestapplicationoftypestate| callParms.PutLine(L); callParms.PutLine(C);
tributeinit(A)ispresentinthetypestate;otherwisetheattributeisab-
sent.Typestateanalysiscomputesatypestateforeachprogrampoint.This initializedoruninitialized.WedonotallowAtobeinitializedalongsome meansthatatagivenprogrampointvariableAmustbeknowntobeeither avariableisinitializedoruninitialized.IfvariableAisinitialized,theat-
asasetofattributesdescribingpropertiesofvariables,suchaswhether pathsandnotothers. keepingtrackofwhichvariablesareinitialized:Atypestateisrepresented

initialized.Attheendofthethenclause,aftertheassignmentstoAandB, thediscussion,wewilllookonlyattypestateattributesrelatingtothe initializedstateofvariablesA,B,C,andL. isempty.AfterthecalltoGetLine,thetypestateisfinit(L)g|onlyLis Letusfollowtheanalysisoftypestatesintheaboveexample.Tosimplify Onentrytotheblock,noneofthevariablesisinitialized,sothetypestate 3.TypeandTypestateChecking57
clause,thetypestateisfinit(L),init(A),init(C)g. thetypestateisfinit(L),init(A),init(B)g.Attheendoftheelse
toberun-timetestsofinitializedness|avariablemusteitherbeknownto werepossiblyinitialized,andpossiblynot.InHermes,wedonotwishthere entrytothemerge.SoallyouwouldknowaboutBandCwouldbethatthey analysis,youalwaysknowlessinformationatamergepointthanateither thiscase,thattypestateisfinit(L),init(A)g|variablesLandAwill atthemergepointiscomputedastheintersectionofthetypestates.1In beinitialized,BandCuninitialized. Attheendoftheifstatement,thetwopathsmerge.Thetypestate
beinitializedorknowntobeuninitialized.Theintersectionruleimplies andCareinfactuninitializedatthispointregardlessoftheexecutionpath taken,thecompilerinsertscoercionoperations.Inthiscase,thecompiler thatBandCwillbeuninitializedatthemergepoint.TomakesurethatB Hereiswheretypestateanalysisgoesbeyonddataowanalysis.Indataow
statementaftertheelseclause. willinsertadiscardBstatementafterthethenclauseandadiscardC issaidtobelower.Coercionoperationsalwaysconvertfromahighertypestatetoalowerone.
finit(L)g(thirdcall).Theintersectionisthetypestatefg.Thecompiler secondcalltoGetLinetothehandler,anditinsertsanoperationtodiscard automaticallyinsertsoperationstodiscardLandAintothepathfromthe Atypestatewithastrictsubsetoftheattributesofasecondtypestate Therearethreepathstothathandler|onefromeachcalltoGetLine.The threetypestatesarefg(rstcall),finit(L),init(A)g(secondcall),and Lintothepathfromthethirdcall. Asimilarsituationprevailsattheexceptionhandleron(GetLineInterface.Endstream).
Parms.GetLine(A),theGetLineIndenitionrequirestheargumenttobe ment,itischeckedthatbothLandAareinitialized.Inthestatementcall italsochecksforlegalityofprograms.Forinstance,attheinsertstate-
operationdiscardAisinsertedsothatAwillbeuninitializedasexpected uninitialized,yetAisinitialized.Here,thetypestateistoohigh.Acoercion Typestateanalysisnotonlytracksthetypestateandperformscoercions,
typestateislowerthantheotherifitisasubsetoftheother;themeetoftwo structurewheretheelements(typestatesinthiscase)arepartiallyordered,and typestatesistheirintersection. whereeverypairofelementshasameetorgreatestlowerbound.InHermes,one 1Mathematically,thesetoftypestatesisasemilattice|thatis,amathematical

583.TypeandTypestateChecking Thereisnocoerciontomakeatypestatehigher,sothisstatementmustbe beforethecall.InthestatementcallParms.PutLine(L)inthehandler, rejectedaserroneous.Thecompilerwillissueanerrormessagesayingthat attributeinit(L)wasrequiredbutnotpresent. Lisrequiredtobeinitialized,anditisnot,sothetypestateistoolow.
ciency.Whenprogramsarewritteninunsafelanguages,eachuserhasto denedLcouldproduceunpredictableresults|possiblyevenaprogram trap.(ImagineLimplementedasapointertoastringbuer.)Thiswould Second,wegetearlydetectionofnonsenseprograms.Third,wegete-
AllowingastatementlikecallParms.PutLine(L)toexecutewithanun-
beputinaseparateaddressspacesothatoneuser'serroneousprogram befatal,especiallyifourprogramisamulti-usersystem.Andifwedidn't detecttheerroratcompile-time,we'dhavetocheckforitatrun-time. WhatbenetsdowegetfromtypestatecheckingFirst,wegetsecurity.
maticallygenerateddiscardsofvalues.Forinstance,wesawthatwhenthe otherwisehave.Finally,wegetfreegarbagecollectionintheformofauto-
EndStreamexceptionwasraised,theappropriatevariableswerediscarded beforeenteringtheexceptionhandler. addressspace.Becausetheimplementationissecure,wegettheprotection ofaddressspacesattherun-timecostoflightweightprocesses.Andon can'thurtanotheruser.ButwecanrunmultipleHermesprocessesinone machineslackingmemorymapping,wegetprotectionwhichwewouldnot
youcankeeptheinterface\inyourhead",youmayconsiderwritingextra Ifyou'rewritingaprocedurewhichnoonebutyourselfisgoingtouseand systems,soitfavorstherstpointofviewoverthesecond. declarationsaburden.Hermesisdesignedprimarilyforlarge,long-lived someoneelse'smodules,theextradocumentationontheinterfaceisuseful. typestatesofcallparametersoninterfaces.Thiscanbeviewedaseithera burdenorabenetdependinguponyourpointofview.Ifyou'repickingup WhatpricedowepayYouhavetodeclarethepre-callandpost-call

4AdditionalHermesConstructs notyetbeendiscussed,sowewillbrieydiscussthemhere: Theexamplesinchapters1.1and2illustratemostofthenovelHermes constructs.However,therearesomeusefulHermesconstructswhichhave 4.1ExpressionBlocks
thisbyrewritingtheCreateserviceofthewindowmanager. ments.WesupportthisinHermeswithanexpressionblock.We'llillustrate astheoperandofanotherstatementorexpression.Alltheoperandsofan expressionexcepttheresultareunmodiedbytheexpression. seriesofoperationswhichcomputeasinglevaluewhichisimmediatelyused Hermesforthesakeofuniformsyntax.Anexpressionisanoperationor Hermesisastatement-orientedlanguage.However,expressionsaresoconvenientandsowidelyusedthatitwouldbefoolishtobarthemfrom
receiveCreateCMfromCreate; ifexistsofCreatedWindows[CreateCM.WindowName] Sometimesitisdesirableforanexpressiontoincludeembeddedstate-
else then blockbegin --erroractionifwindowalreadyexists insert (evaluateW:Windowfrom call(WindowApplicationOut#(createofApplicationBuilder)) newW; W.WindowName:=CreateCM.WindowName; GetProgram,WriteToWindowCapability,W.WindowName, (CreateCM.ProgramName,CreateCM.ParmString,
returnCreateCM; endif; endblock; --erroractionifunabletocreateprocess on(WindowApplicationInterface.NotCreated) intoCreatedWindows; end) W.InputToWindow,W.Quit);

604.1.ExpressionBlocks anexpressionblockifyouneedtowriteastatement. blockwasn'treallynecessary.Theoriginalversionwasjustasconvenient. builtwithintheexpressionblock.Inthisparticularcase,theexpression However,insomecontexts,suchasafterwhereinaselector,youmustuse statement.TheoperandofinsertistherecordCurrentWindowwhichis Inthisversionoftheprogram,theblockconsistsofasingleinsert
4.2Send Anothercommonidiomistosendsomedatatoanotherprocessandnot waitforareply.Youcandothisbydeninganinterfaceinwhichthedata youwishtosendisinitializedonentryanduninitializedonexit.However, thereisstilltheproblemthatthereceivingprocessmaychoosetowait
statementsendvariabletoportcausesthevaluecurrentlyinvariableto indenitelybeforereceivingyourdata.Itmayevenrunforeverandnever process,Hermesprovidesanasynchronouscommunicationmechanism.The beremovedandsenttothequeueattheinputportconnectedtoport. deadlocked,itisIwhoisblockedandnotS. andreturnstoS.ThenIcallstheeventualreceiverR.IfRisdelayedor receiveyourdata.
Becauseofthesendoperation,inputportscanbedenedtoholdany intermediateprocessI.ScallsI,whichimmediatelyreceivesthedata, Ratherthanrequiringtheprogrammertoexplicitlycodeanintermediate ApossibleHermessolutionisthis:thesendingprocess,Screatesan
datatype,notjustcallmessages. Herearetwopracticalusesofsend: Communicatingwithuntrustedprocesses:SupposeIwishtoloadand Ieithermustspawnaprocesstoinitializeandcalltheuntrusted willneverreturnmycallmessage,andIwillblockforever.Tobesafe, thisifIdonottrusttheprocessIamloading.Perhapstheprocess statement. process,orImustdelivertheinitializationparametersusingasend aswedidinearlierexamples.However,thereissomerisktodoing someports.Icouldpassthisinformationwithacallstatement,just executeaprocessandpassitsomeinitializationinformation|possibly
Forwardingcalls:SupposeIamwritingaprocesswhosejobitisto tuallyservicethecall.Ifmyprocessreceivesthecallmessageandthen receivecallsandroutethemtoanappropriateprocesswhichwillac-
callstheeventualdestination,itmustwaituntilthecallisserviced. originalcaller,andnottomyprocess. However,ifinsteadmyprocesstransfersthecallmessageusingsend, myprocessisfreetorouteothercalls.Whentheeventualdestination issuesareturnstatement,thecallmessagewillbereturnedtothe

compile-timeistooconstraining.Hermessupportsvariantsandpolymorphs Sometimestherequirementthatthetypeofeveryvaluebeknownat 4.3Variants toallowthisrequirementtobeweakened.Howeverwedonotgiveupthe fundamentalprinciplesthatmachine-levelimplementationdetailmustbe 4.AdditionalHermesConstructs61
forpurposesofthisexample,we'llassumetobejustacharacterstring ustalkaboutLISPobjects: hidden,andthatthelanguagemustbesecure. whohasprogrammedinLISP.ALISPobjectiseitheranatom(which printname),apair,ornothing(nil).HerearetheHermestypeswhichlet LispPair:record(Car:LispObject,Cdr:LispObject); LispKind:enumeration('atom','pair','nil'); Weillustratevariantswithanexamplewhichwillbefamiliartoanyone
LispObject:variantofLispKind(
nents:L.PrintNameoftypeCharstring,L.PairoftypeLispPair,and varianttype. whichisusedconventionallytorepresentanullvalue.We'llexplainthe languages.Emptyisapredenedtype|anenumerationwithnovalues| SupposeLisavariableoftypeLispObject.ThenLhasthreecompo-
Theenumerationandrecordtypesarejustlikesimilartypesinother 'pair'->Pair:LispPairffullg, 'nil'->Nil:Emptyfg); 'atom'->PrintName:Charstringffullg,
L.NiloftypeEmpty.Inthisrespect,avariantisjustlikearecord.But whereasaninitializedrecordmayhaveseveralcomponents,onlyonecomponentofavariantcanexistatanyonetime.Whichcomponentitisdependsuponthecaseofthevariant.Thecaseisanenumerationvalue|in
thisexample,either'atom','pair',or'nil'.Eachcomponentisassociatedwithoneofthecasesofthevariant.Sothevalueofaninitialized
whereintheprogramthevariantishidden,andwhereitisrevealed.When itisrevealed,thecompilertracksitscase.SoifLisaLispObject,the variantisacasevalueplusexactlyoneofthevariantcomponents. isatypestateproperty.Thatmeansthatthecompilerwillkeeptrackof possibletypestatesofLare: thatwedon'tknowthecaseatcompiletime.Revealedmeanswedo.This Aninitializedvariantcanbeeitherhiddenorrevealed.Hiddenmeans
initializedandrevealedincase'pair' uninitialized initializedandhidden initializedandrevealedincase'atom'

624.3.Variants
thevariantcomponents.Theunitestatementsimultaneously:(1)setsthe assignmentstatementtocopythevalueofanothervariableofthesame youbuildanewvariant,youmustdecidewhichcasetoputthevariant in.Youmaynotdirectlyassigntoacomponentofanuninitializedvariant. Youmustinsteadusetheunitestatementtomoveavalueintooneof typewhichisalreadyinitialized.Oryoucanbuildanewvariant.When Therearetwowaystoinitializeanuninitializedvariant.Youcanusean initializedandrevealedincase'nil'
caseofthevariant,(2)movesthevalueofitsoperandintothevariant component,(3)tellsthecompilerthatthevariantisnowinitializedand revealed. 1.HereisanexampleofastatementwhichinitializesLintocase'atom': 2.ThisstatementputsLintocase'nil': 3.ThisstatementputsLintocase'pair': (EmptyvalisavariableoftypeEmpty.Itdoesn'tneedtobeinitialized, uniteL.NilfromEmptyval; uniteL.Printnamefrom"Foo"; sinceinthedenition,componentNilisexpectedtobeuninitialized.)
example,whenvariantLisrevealedincase'atom',theattributecase(L, newPair; unitePair.Car.Printnamefrom"Foo";
atypestateforeachvariantcomponent.Thisisthetypestatethevariant L.PrintName)ispresent.ThismeansthatL.PrintNameisthecomponent whichisknowntoexist. Thetypestateattributecaseispresentwhenthevariantisrevealed.For Whenyouwritethedenitionofthevarianttype,youhavetosupply uniteL.PairfromPair; unitePair.Cdr.NilfromEmptyval;
timeitisrevealed|thatis,itmaybemademoreinitializedbutnotless. allwhenLisincase'nil'.` initializedwhenLisincase'pair',butL.Nilneednotbeinitializedat tively: isrevealed.Itisalsotheminimumtypestatethecomponentcanhaveany ThedenitionofLispObjectillustratedaboveshowsthatL.PrintName componentwillhave(1)justbeforeitbecomeshidden,and(2)justafterit mustbefullyinitializedwhenLisincase'atom',L.Pairmustbefully Thetypestateaftereachofthethreeunitestatementsaboveisrespec-
1.finit(L),case(L,L.PrintName),init(L.PrintName)g

Noticethatincase'pair',L.Pair.CarandL.Pair.Cdrarethemselves 3.finit(L),case(L,L.Pair),init(L.Pair),init(L.Pair.Car), 2.finit(L),case(L,L.Nil)g case(L.Pair.Car,L.Pair.Car.PrintName),init(L.Pair.Car.PrintName), init(L.Pair.Cdr),case(L.Pair.Cdr,L.Pair.Cdr.Nil)g 4.AdditionalHermesConstructs63
theexample,theyarebothinitializedandrevealed.Thisislegal,since fullyinitializedistheminimumtypestate,andinitializedandrevealedis revealed,bothL.Pair.CarandL.Pair.Cdrmustbefullyinitialized.In variantsoftypeLispObject.ThedenitionrequiresthatwhenL.Pairis ahighertypestate.Itwouldbeillegaltoperformanoperationtomake
thecomponents,becauseonlyoneofthemreallyexistsandyoudon'tknow hideavariantexplicitlywiththehidestatement.Butusuallyvariantsbecomehiddenbecauseofacoercion.Forexample,ifyouwroteaprogram
Whenthevariantisinitializedbuthidden,youmaynotaccessanyof Ifthecaseattributeisnotpresent,thenthevariantishidden.Youmay L.Pair.CaruninitializedwhileL.Pairisrevealed.
whichoneitis.Forexample,supposethetypestateisfinit(L)gandyou mentsmentionedabove,thenatthemergerofthepathsthetypestate whichtookthreedierentpaths,eachexecutingoneoftheunitestate-
wouldbefinit(L)g.
thevariantisinthewrongcase,youwillgetaCaseErrorexception.If youwanttoknowthecaseofavariantsoyouknowwhichcomponentitis thecomponentyouhopetoaccess.Ifthecomponentdoesnotexistbecause nentwithouttheappropriatecaseattribute. isimpossiblebecauseyoumaynothaveanyattributeofavariantcomposultinimpossibletypestate".Thetypestatefinit(L),init(L.PrintName)g
trytodotheassignmentL.Printname:="Foo".Thiswillgenerateatypestateerrormessagesaying\addingattributeinit(L.PrintName)wouldre-
CdrofaLispObjecttoarbitrarydepth: correcttoreveal,issuethecaseofoperation.Thisreturnstheenumeration valueofthecase.Here'safragmentofaprocedurewhichswapsCarand receiveParmsfrominit; Torevealavariant,usetherevealstatement.Theoperandofrevealis
blockbegin
attributeswhichthedenitionsaiditwassupposedtohave.Youmayraise Afterthereveal,thecomponentoftherevealedvarianthasthetypestate endblock; returnParms; on(CaseError)--it'snotapair SwapCM.L.Pair.Cdr:=Temp; SwapCM.L.Pair.Car:=Swap(SwapCM.L.Pair.Cdr); revealSwapCM.L.Pair; Temp:=Swap(SwapCM.L.Pair.Car);--it'sapair

thetypestate(i.e.addattributes),butyoumaynotloweranyattributes. 644.3.Variants
makesthetypestate ofLispObjectsaidthatincase'pair',componentPairisfull.This again,itwillhaveaknowntypestateregardlessofwhatyoudid.Sointhe aboveexample,Parms.L.Pairwillbefullyinitialized,sincethedenition Furthermore,anyattributesyouaddedwillbecoercedawaybeforethe variantishiddenagain.Thisguaranteesthatwhenthevariantisrevealed init(Parms.L.Pair),init(Parms.L.Pair.Car),init(Parms.L.Pair.Cdr)g finit(Parms.L),case(Parms.L,Parms.L.Pair),
4.4Polymorphs beloweredbackautomaticallyassoonasyoutrytohideParms.L. plebyissuingrevealParms.L.Pair.Car.PrintName,thetypestatewill wouldyieldanimpossibletypestate.Ifyouraisethetypestate,forexam-
wouldgetacompilererrormessagesayingthatattemptingtodropinit(Parms.L.Pair.Car) IfyouwrotediscardParms.L.Pair.Car,thiswouldbeillegal.You
avariant. setofalternatives.Insuchacase,youhavetouseapolymorphinsteadof Avariantisusefulwhenyouknowaheadoftimeaxedsetofalternative types(ortypestates)avaluewillhave.Sometimesthereisanopen-ended
typestateyouareexpectingmatchthetypeandtypestateappearingon mustbeunwrappedanditsvaluestoredbackintoavariableoftheappropriatetype.Atthistime,thereisarun-timecheckthatthetypeand
insertedintoatableofpolymorphs,etc.Butnoneoftheoperationsofthe originaltypeareallowed.Inordertoissuetheseoperations,thepolymorph isalwaysstoredtogetherwithitstypeandtypestate.Thinkofthevalue tate.Whenthevalueiswrapped,itcanbestoredinapolymorphvariable, asbeingwrappedinanopaquewrapperlabelledwiththetypeandtypes-
Apolymorphisavariablewhichcanholdanytypeofvalue.Thevalue
types.Youmayalsoinspectthewrappertoreadthetypeandtypestateof whichtheownerofaresource(e.g.aportintoaserver)maypostacopy thewrapper.
oftheresourceandaresourcename,andauthorizedusersmayretrieve thewrappedvalue. theexceptionUncopyableifthewrappedvalueisoneoftheuncopyable intoatable.Itissyntacticallylegaltocopyapolymorph,butyouwillget andunwrappingarethoseoperationsallowedonalltypes,suchasinserting Hereisasimpleapplicationofpolymorphs|aresourcerepositoryinto Theonlyoperationsyoumayperformonapolymorphbesideswrapping
Insteadwerequiretheownertowraptheresourceintoapolymorphbefore types,theinterfacetotherepositorycannotspecifyanyparticulartype. acopyofthatresourcebyname.Sincedierentresourcesareofdierent

usernameandtheresourceoriginallyposted,andtheneitherreturnsthe resourcebeinggrantedtotheuser,orreturnsaDeniedexception.1 gainaccess.Toprovideaccesscontrol,werequiretheownertoprovidea portintoanaccesscontrolfunction.Theaccesscontrolfunctionacceptsa postingtheresource.Therequestorofaresourcesuppliesaresourcename andreceivesbackapolymorph,whichtherequestormustthenunwrap. Theownerofaresourcemaynotwishtoallowanyarbitraryuserto 4.AdditionalHermesConstructs65
Hereistheinterface: RepositoryExternal:using()definitions Resource:polymorph;
PostOut:outportofPostIn; PostIn:inportofPostInterfaceffullg; PostInterface:callmessage( AccessFunction:AccessOut)--accesscontrolfunction constant(ResourceName,AccessFunction) exitffullg exceptionDuplicateNameffullg; PostedResource:Resource,--resourcebeingposted ResourceName:Charstring,--namebeinggiventoresource
AccessInterface:callmessage( AccessIn:inportofAccessInterfacefinit(UserName),init(PostedResource)g; AccessOut:outportofAccessIn; constant(UserName,PostedResource) exitffullg exceptionAccessDeniedfinit(UserName),init(PostedResource)g; ReturnedResource:Resource)--theresourcegranted UserName:Charstring,--nameoftherequestor
RequestInterface:callmessage( PostedResource:Resource,--resourceoriginallyposted
RequestOut:outportofRequestIn; RequestIn:inportofRequestInterfacefinit(ResourceName)g; constant(ResourceName) Resource:Resource)--theresourcegranted exitffullg exceptionNotFoundfinit(ResourceName)g exceptionAccessDeniedfinit(ResourceName)g; ResourceName:Charstring,--nameofresourcebeingrequested
ratherthantheportintotheresource. throughalter,forexample,inwhichcaseitwillreturnaportintothelter Theaccesscontrolfunctionmaydecidetograntlimitedaccesstotheresource 1Theresourcereturnedmayormaynotbethesameastheresourceposted.

accesscontrol{anyonecangetit. 664.4.Polymorphs Trivial:=procedureofprocess(Init:AccessIn) enddefinitions Here'saprogramfragmentwhichpoststheGetLineservicewithtrivial ...--otherinterfaces
wrapcopyofGetLineasResource; callPost("GetLine",Resource,Trivial); begin declare
Thewrapstatementremovesthevalueofitssourceoperandbeforewrappingit.IfyouwanttouseGetLineafterthewrapstatement,besureto
posted: wrapacopy. blockbegin HereisthecodetoobtaintheGetLineportwhichsomeoneelsehas callAccess("GetLine",Resource);
endprocess; returnParms; Parms.ReturnedResource:=Parms.PostedResource; receiveParmsfromInit; Parms:AccessInterface;
thanfinitg.Thesechecksarenecessarytopreservesecurity.Withoutthe mentifthetypeofthewrappedvalueofResourcedoesn'tmatchthe typeofvariableGetLine,orifthetypestateofthewrappedvalueislower ThePolymorphMismatchexceptionwillberaisedbytheunwrapstate-
on(PolymorphMismatch) on(others) endblock; ... unwrapGetLinefromResourcefinitg;
laterunwrapitandperformdierentoperations. checks,youcouldwrapavaluesupportingonesetofoperationsandthen

5ResearchDirectionsinHermes
buildotherprograms,butunlikeLISP,Hermeswillchecktheseprograms cesscontrol([NS88,Str86]).LikeLISP,Hermesallowsrunningprogramsto unlikeobject-orientedlanguages,thereissupportforconcurrencyandac-
languages,Hermessupportsinformationhidingandprogramreuse|but opment.Itcombinesexpressivepower,simplicity,portability,andsafety, inHermes. mergingthebestfeaturesofmanylanguageparadigms:Likeobject-oriented Ifyouhavefollowedtheexamplessofar,youshouldbereasonablyuent
fortypeerrorsbeforeexecution.LikeAdaandModula,Hermessupports modularityandinterfacespecication,butunliketheselanguages,Hermes WebelievethatHermesisanexcellenttechnologyforlargesystemdevel-
machine-independentsetofprimitivestodoit.AndHermesprovidesthe providescompletesecurityusingtypestatechecking.LikeC/UNIX,Hermessupportssystemsprogramming,butusesasimplerandcompletelplorenewerapproachestosimplifyingthedevelopmentofcomplexsystems:
Asof1990,theHermesprojectatIBMResearchisusingHermestoex-
Amorerenedsemilatticestructure,whichallowsprogrammersto familiarsequentialprogrammingparadigmoftheimperativelanguages.
Optimistictransformations,whichperformconcurrencycontrol([Jef85]), Transparentrecovery,whichmakesitunnecessaryforprogrammers FBSY87,SYB87d]). totreatprocessstateasvolatileanddotheirowncheckpointing andrestart([SY85,SY84,YSB87,SBY88,SBY87,SYB87c,SYB88, allowadditionalcoercions([SY89,SY90]). trackmoreinformationaboutthevalueofvariables,andwhichwould
implementationsonparallelanddistributedarchitectures. clientscodedasasingleserialprocess,aretransformedintoecient perciallyinecientprograms,suchasaserverwiththousandsof tocodethesecomplexprotocolsbyhand.Straightforwardbutsutiontransparently([SY87]).Suchoptimizationsmakeitunnecessary
processreplication([GJ87]),call-streaming([BS90]),andparalleliza-

685.ResearchDirectionsinHermes

HermesReference Manual PartII
69

6Introduction ThereferencemanualpresentstherulesofHermes.Mostoftherulesare programs,compilation,BNF,etc. denedinmachine-readabletables.Weexplainhowtoreadthetables. Weexplaintheotherrulesinformallybutrigorously.Themanualcontains minglanguage.Therefore,wewillnotexplainbasicconceptssuchasstored examplesofhowtoapplytherules,buttheseexamplesarenotnecessarily typicalorpreferredusesofHermes. torial.Wealsoassumethatyouhaveexperiencewithsomeotherprogram-
HerearethestagesofwritingandexecutingaHermesprogram. WeassumethatyouhavealreadyreadandunderstoodtheHermestu-
Youwritethecodeusingyourfavoriteeditor/programgenerator, TherststageofthecompilerconvertsyoursourceleintoaHermes producingasourcele.
Youstorethecheckedprogramintoaprogramlibrary. Youretrievethecheckedprogram,instantiateitasaprocess,and TheHermescompilercheckstheHermesprogram,producingachecked gramwillincludeitstranslationtomachinecode.Likeallinternal programvalue.TheinternalrepresentationofacheckedHermespro-
representations,thiswillbeinvisibletotheprogrammer.
program.Thisbypassesthersttwostepsmentionedabove. producethesourcele.Theremainingstepsarebrokendownasfollows: YoumayalsogenerateaHermesprogramvaluedirectlywithinaHermes Inthismanual,weignoretherststepbecausewedonotcarehowyou Lexicalanalysis:Thecharactersintheprogramaredividedintotokens.Spaceandcommenttokensarethrownaway,andtheother
writteninaformalgrammar.Lexicalanalysisisexplainedinchapter 7. tureoftheprogram.Thesyntaxrulesarewritteninaformalgrammar inAppendixA.
executeit.
Syntaxanalysis:Thestreamoftokensisparsed,revealingthestruc-
tokensarepassedasinputtosyntaxanalysis.Thelexicalrulesare

726.Introduction Conversionandresolution:Theparsedprogramisconvertedinto
Typecheckingandinference:Thetypeofeachvariablemustsatisfy deningoccurrence.Theresolutionrulesaredescribedinformallyin chapter8. rences.Resolutionmeansassociatingeachappliedoccurrencewitha adeningoccurrencewheretheidentierisassociatedwithitsdenition.Otherappearancesofoftheidentierarecalledappliedoccur-
names.Namesaremadeupofidentiers.Foreachidentierthereis aHermesprogramvalue.Thisrequiresthecompilertoresolveall
Typestatechecking:Thetypestateateachpointintheprogramis typecheckingandinferencealgorithmisexplainedinchapter9 operand.Forvariableswithoutdeclarations(expressiontemporaries), thecompilerappliestypeinferencetogenerateadeclaration.Itis checkedthatexactlyonetypecanbeinferredandthatthistype satisesthetyperules.Thetyperulesaregiveninanappendix.The thetyperulesfortheoperationwherethevariableappearsasan
Otherstaticrestrictions:Theseareconstraintsonthevalueofaprogramotherthanthosecapturedinthetable-drivenrules.Example:
appendix.Thetypestatecheckingalgorithmisexplainedinchapter Thenumberofargumentstocallmustmatchthenumberofcom-
aregeneratedwherenecessary.Thetypestaterulesaregiveninan sistentwiththetypestaterequirementsofthatoperation.Coercions computed.Itischeckedthatthetypestateateachoperationiscon-
10. Execution:Wedescribethesemanticsofeachoperationrigorously butinformallyinchapter11. formallynexttotheconstructstheyrestrict. ponentsinthecallmessagetype.Theserestrictionsaredescribedin-

7LexicalandSyntacticRules lectionsofcharactersthatconstitutetheelementarysyntacticunits.The Lexicalanalysisseparatesthesourceprogramintotokens.Tokensarecol-
dierentkindsoftokeninHermesare:spaces,comments,integerliterals,
asetofstatementlines,precedeeachlinewithadoubledash. thanalinetoseewhatisacommentandwhatisnot.To\commentout" multiplelines.Becauseofthisrule,youneednotlookatacontextbigger realliterals,namedliterals,stringliterals,punctuation,andwords. with\/".Commentsdelimitedwith\/"and\/"maynotextendacross umentation,buttothecomputertheyareequivalenttospaces.Thereare totheendoftheline.Commentswithinalinebeginwith\/"andend twocommentingstyles.Adoubledash\--"startsacommentthatruns Aliteraltokendenesacompile-timeknownvalue. Spacesareusedtoseparatetokens.Commentsareusedforhumandoc-
Arealliteralconsistsofanunsignedintegerpart,adecimalpoint,a Anintegerliteraltokenisadecimalrepresentationofanunsigned toanintegerliteral. integer.Someexamplesofintegerliteralsare0,112358,and000. fractionpart,an\e"(upperorlowercase),andanoptionallysigned Noticethat-2isnotatoken.Itisparsedasaunaryoperatorapplied
Anamedliteralisrepresentedbyanonemptystringofcharacters integerexponent.Theintegerpartmusthaveatleastonedigit,but raisedtothepowerof".Someexamplesare15.,0.,1.12358, thefractionpartcanbeempty.Thesymbol\e"means\timesten enclosedintwosinglequotessuchthat,insidethedelimitingquotes, 0.314159e+02and314.159e-02.
Astringliteralisrepresentedbya(possiblyempty)stringofcharactersenclosedintwodoublequotessuchthat,insidethedelimiting
ofconsecutivesinglequotesisregardedasonesinglequote.Thecase ofthecharactersissignicantinnamedliterals.Someexamplesof thestringofcharactersinsidethedelimitingquoteswhereeverypair singlequotesalwaysoccurinpairs.Thevalueofanamedliteralis namedliteralsare'true'and'Isn''t'.Anamedliteralcannot extendpastasingleline. everypairofconsecutivedoublequotesisregardedasonedouble literalisthestringofcharactersinsidethedelimitingquoteswhere quotes,doublequotesalwaysoccurinpairs.Thevalueofastring

Punctuationconsistofoneortwocharacters.Theyareusedforsomeoperatornamesandforgroupinganddelimitingsyntacticunits.Someexamplenotextendpastasingleline.
he",and"A""symbolbeginsaquotation".Astringliteralcan-
quote.Thecaseofthecharactersisalsosignicantinstringliterals. 747.LexicalandSyntacticRules
ationtokensarepresentedinTableA.2inAppendixA. areparentheses{(and){andthemoveoperator:

8Resolution name,attributename,exceptionname,exitname,andprocessname.Names ofanamemustberesolved. ingoccurrences,andrejectingundenedappliedoccurrencesorconicting deningoccurrences. Resolutionmeansmatchingappliedoccurrencesofnameswiththeirden-
consistofoneormoreidentiers.Eachidentierinanappliedoccurrence Foreachclassofname,therearerulesspecifying: ThefollowingclassesofnamesappearinHermes:variablename,type
theregionswhereeachnamespaceisvisible|thatis,wherethe thenamespaceinwhichthenameisdened.Anamespaceisanassociationbetweenidentiersandtheirdenitions.Withineachname
er.(Rememberthatcaseisignored,soxandXcannotappearinthe samenamespace.) spacetherecanbeonlyonedeninginstanceofaparticularidentidenitionandthereisnodeningoccurrence.Forexample,thetypestate
howtodisambiguateanameifthenamebeingresolvedisinmore identierscanbereferredtobyappliedoccurrences.
saidtobepredenedifitisdenedinthepredefinedmodule,whichis attributeinitandtheexceptionnameNotFoundarebuiltin.Anameis implicitlyimportedbyallHermesmodules.Forexample,thetypenames AnameissaidtobebuiltinifitsmeaningisgivenintheHermeslanguage thanonevisiblenamespace.Itisaresolutionerroreitherifthere isnovisibledenition,orifthereismorethanonevisibledenition
havetosupplydenitionsforeitherbuiltinorpredenednames. Charstring,integerandprogramarepredened.Programmersdonot andnodisambiguationispossible.
asoperands. Avariablenamedenotesacontainerforavalue.Variablenamesareused 8.1VariableNames variable{name ::=base{variable[.component{name]...

768.1.VariableNames 8.1.1BaseVariables Basevariablesaredenedwithinnamespacescalleddeclarationslists.The Examples:Foo,Foo.Bar,Foo.Bar.Baz. base{variable
pearonlywithinexecutablecode|eitherprocessmodulesorconstraint regionofvisibilityofadeclarationslistiscalleditsscope.Scopesap-
::=identier
theprogrammercandeclarebasevariables.Theselector,theinspect,the tializationportdeclarationandthebasevariablesdeclaredfollowingthe forstatement,andtheexpressionblockalsointroducescopescontaining constraintdenition. denitions.Theoutermostscopeinthiscaseisthedeclarationlistofthe declarekeyword.Theblockstatementdenesaninnerscope,inwhich asinglebasevariabledeclaration.Scopesalsoappearwithinconstraint denitions.Scopescanbenested.Inanexecutablemodule,theprocess bodyistheoutermostscope.Thedeclarationslistcomprisesthetheini-
declarationproducinga\hole"intheoutervariable'sscope.)Itispermissibleforthesameidentiertobedeclaredtwicewithinaprogramifthe
scopesdonotoverlap.Example: block Itisillegalforthesameidentiertobedenedwithintwooverlapping scopes.(Inotherlanguages,thisinnerdeclarationwould\hide"theouter
begin declare forXinT[]--illegalredeclarationofX X:integer; T:tableofintegers; inspect
withinitsscope.Becausebasevariablescannothaveoverlappingscopes, forTinZwhere(T>0)--legalredeclarationofT Theresolutionruleforbasevariablesistrivial:Abasevariableisvisible endblock; inspect endfor; callPutLine(IntToString(T)); endfor; callPutLine(IntToString(X));
variable. therecanbeamaximumofonevisibledeningoccurrenceofanybase

8.1.2ComponentNames eachhaveacomponentnamedX. havetwodierentcomponentsnamedX,buttwodierentrecordtypescan Componentnamesaredenedinrecord,variant,andcallmessagetype namespaceforcomponentnames.ThisimpliesthatarecordtypeRcannot denitions.Eachrecord,variant,orcallmessagetypedenitiondenesa 8.Resolution77
resolvedwithinthecomponentnamespaceassociatedwiththevariable's Firstthebasevariableisresolved.Thenthecomponentofavariableis typedenition.Forexample,inthenameX.Y.Z,IrstresolvethenameX. ThenIlookupX'stype.Ilookupthattype'sdenitiontondthename ofX.Ymightnotbevisible,becausethedenitionsmoduledidnotappear whenthetypenameitselfisnotvisible|e.g.intheabovecasethetype theprocesstoobtaintheresolutionofZ.Note:atypemaybeknowneven spacewithinwhichIcanresolveY.IcanthenlookupY'stype,andrepeat Variablenamescontainingcomponentsareresolvedfromlefttoright.
Typenamesareusedinvariabledeclarations,intypespeciers,andindefinitions.Typenamesarewritteneithersimpleidentiers(typeidentiers),
intheusinglist. 8.2TypeNames ortheyaretypeidentiersprecededbyadenitionsmodulename.
tionsmodulewrittenbytheuser,orthepredefinedmodule.Thesetof type{name::=denition{name
names. typedenitionswithinadenitionsmoduleformsanamespace|thatis, twotypedenitionswithinthesamedenitionsmodulemusthavedistinct Typeidentiersaredenedwithinadenitionsmodule|eitheradeni-
::=module{name!denition{name
thoseofthedenitionsmoduleitself,(2)thoseinpredefined,(3)thosein Withinadenitionsmodule,thefollowingtypedenitionsarevisible:(1) ::=identier
ofdenitionsmoduleswhosedenitionswillbemadevisible. denitionsappearingontheimportslist. denitionsofcategories(2)and(3)arevisible. isexactlyonevisibledenitionofthattype. Withinanexecutablemodule,therearenotypedenitions,soonlytype Theimportslistappearsattheheaderofeverymodule.Itliststhenames Atypenamenotprecededbyamodulenameislegalifandonlyifthere

788.2.TypeNames withinthespeciedmodule.Themodulenamemustbeeitherpredefined, Attributenamesareusedintypestates.Thesyntaxofattributenamesis oradenitionsmoduleontheimportslist. 8.3AttributeNames Ifamodulenameisspecied,thetypenamereferstothedenition
denitions,soitislegaltodeneatypeTandaconstraintTinthesame constraintattributesThatnamespaceisdierentfromthespaceoftype identicaltothesyntaxoftypenames.
module. namesarenamesofconstraintsdenedindenitionsmodules.Thesetof constraintdenitionsofeachdenitionsmoduleformsanamespace.of denotesabuiltinattributedescribedinsection11.10.Allotherattribute fullisabuiltinabbreviationforasetofinitattributes.Thename checkeddenotesabuiltinconstraintattribute.Thenamecheckeddefinitions Thenamesinitandcasearebuiltintypestateattributes.Thename
Exceptionnamesareusedinexceptionhandlers,andonthereturnstatement.Exceptionnamesareeitherbuiltin,oruser-dened.Thetwohave
primitiveoperations.Abuiltinexceptionnameiswrittenasasimpleidentier.Theidentiermustbeoneofthenamesinthepredenedtype
dierentsyntax. statements.Theyarewrittenas: predefined!builtinexception. BuiltinexceptionnamesdenotetheexceptionsassociatedwithHermes
rulesforattributenamesareidenticaltotheresolutionrulesfortypenames. 8.4ExceptionNames Exceptforthespecialtreatmentofthevebuiltinnames,theresolution
written.Thereisanamespaceofexceptionidentiersforeachcallmessage User-denedexceptionnamesdenotetheexceptionsreturnedfromcall
isresolvedsimplybyresolvingthetypename.Thetypenamemustbea asthetypeofthecallmessageoperand,soonlytheexceptionidentieris denition.Thatnamespacecontainstheuser-denedexceptions,plusthe automaticallydenedexceptiondiscarded.Auser-denedexceptionname Onthereturnstatement,thetypenameisunderstoodtobethesame exception{name
callmessagetype.Thisdeterminesasinglenamespacewhichisusedto ::=type{name.user{exception{name
resolvetheexceptionname.

onthehandlerandusedontheexitstatement. withoutraisingabuiltinexceptionorissuingacall.Exitnamesaredened 8.5ExitNames Theexitstatementallowstheprogrammertojumptoahandlerclause Thedeningoccurrenceofanexitnameisahandlerbeginningonexit. 8.Resolution79
Thenamespaceistheidentierlistappearingafterthewordexit.The visibilityforthesameexitname. nameisvisiblethroughoutthemainclauseoftheblockcontainingthe handler.Unlikebasevariables,therecanbeseveraloverlappingregionsof
Aprocessnameisusedonlyintheprogramliteralconstruct: exitname,theinnermostvisibledenitionisused. 8.6ProcessNames resolvinganexitname,ifthereareseveralvisibledenitionsofthesame Theappliedoccurrenceofanexitnameisonanexitstatement.When
Theidentierdenotestheprocessmoduleofthatname. programliteral:processidentifier Theidentiermustbepresentinthelinkinglistofthesourcemodule.

isconcerned.Allthe\noisewords",likeof,fromandinto,whichmakethe Hermesprogramvalue.Thisisamuchsimplerformasfarasthecomputer Afteramodulehasbeentokenized,parsed,andresolved,itisstoredasa 9TypeCheckingandInference programeasierforpeopletoreadbutlesssyntacticallyregular,aregone. Statementswithembeddedexpressionsareexpandedouttosequencesof statements.Names,likeX,whoseresolutionmaybecontext-sensitive,have beenremoved.Intheirplaceareuniqueidentiers. clauseisaseriesofstatements,andeachstatementisanoperator,alistof operands(variablenames),anda\qualier",whichiseverythingelse.By ofdeclarations,organizedinto\scopes";(3)acollectionofclauses.Each constraintdenitions,organizedintodenitionsmodules;(2)acollection declared. thistime,allbasevariablenamesexceptexpressiontemporarieshavebeen TheHermesprogramvalueis:(1)acollectionoftypedenitionsand
inferencerulesareusedforbothinferenceandchecking.Theclassrulesare rules.Therearetwofamiliesofrules:inferencerules,andclassrules.The typesoftheoperands. theexpressiontemporariessothateverybasevariablewillhaveaknown type;(2)typechecking:tocheckthattheoperationsarelegal,giventhe anextrasetofcheckswhichapplyaftertypeinferenceiscomplete. Bothtypeinferenceandtypecheckingaredrivenfromasingletableof Thejobofthenextphaseis:(1)typeinference:tosupplydeclarationsfor
thetypeoftheoperandontheleft. theleft.Thesecondkindofruleisredwhenthetypeoftheoperandon therightbecomesknown.Theruleprovidesafunctionwhichdetermines inferencerule:operand Therstkindofruleunconditionallyassignsatypetotheoperandon Therulesappearintheappendix.Thesyntaxofaninferenceruleis:
insertat(table,element,position)absent Thetyperulesinthetableentryforthisoperationlooklikethis:
rulename()
table2orderedtable rulename(operand)
tointherulesastable,element,andposition.Thereisnoqualier.The thattheoperationinsertathasthreeoperands,whichwillbereferred Forexample,let'slookattheoperationinsertat.Theheaderlinestates
element elementtypeof(table) predefinedinteger()

theelementwillalsobeknownbyapplyingthefunctionelementtypeof. Thethirdrulesaysthatifthetypeofthetableisknown,thenthetypeof headerlineisfollowedbythreetyperules.Therstruleisaclassrule,which unconditionallyinferredorcheckedtobeoftypepredefined!integer. statesthatthetypeoftablemustbeanorderedtabletype.Thesecondrule saysthattheoperandposition|thisistheoperandafterthewordat|is 9.TypeCheckingandInference81
sideoperandisknownarered.Eachtimeaninferenceruleisred,it infersthetypeoftheoperandonitsleftside.Ifthatoperandcurrentlyhas tion,theinferenceruleswithemptyright-handsides,orwhoseright-hand typeisassignedbygeneratinganinferreddeclarationfortheoperand.Now matchisanerror.Iftheoperandcurrentlyhasunknowntype,theinferred resultswhichwereexplicitlymarkedwithatypespecier.Foreachopera-
knowntype,theinferredtypeischeckedagainsttheknowntype.Amis-
typesofthoseoperandswhicharevariablenames,andofthoseexpression Thetypecheckingalgorithmbeginsbycomputingallknowntypes|the
thatthetypeofthisoperandisknown,thismaycauseotherrulestore.
example,thetestvariablesusedinif,while,select,andthepredicate unknowntypes,theprogramisinerrorandthecompilerwillageach arenottable-driven.Theyarenotedintheappendixascomments.For occurrenceofsuchvariables. allvariablesshouldhavebeenassignedtypes.Ifanyvariablesstillhave eredoperands,butareinsteadgroupedwiththequalier.Typeinference andtypecheckingarealsoperformedforthesevariables,butthosechecks Typecheckingcontinuesuntilnoadditionalringsarepossible.Bynow,
inaselector(theexpressionfollowingthekeywordwhere)areinferredas predefined!boolean.Becauseofthisinference,itislegaltowriteexpressionslikeif(a>b),whichotherwisewouldbeambiguoussincethe
operation>canreturnaresultofanybooleantype.Thisinferencecan Therearesomevariableswhich,fortechnicalreasons,arenotconsid-
messagethattheinteger-literaloperationcannotyieldaresultoftype
leadtodetectionoftypeerrorselsewhere,e.g.if(3)...willproducea
redundant. positionoperandisoftypepredefined!integer,aclassrulewouldbe itmaybeofanytype.Sinceaninferencerulealreadyguaranteesthatthe beanorderedtable.Thereisnoclassrulefortheelementoperand,since known.Forexample,thetableoperandoftheinsertatoperationmust isappliedregardlessofwhethertheoperand'stypewasinferredororiginally isaconstraintonthepossibletypesagivenoperandcanhave.Theclassrule Note:Typecheckingandinferencingisperformedafterresolution.Type Afteralltypeshavebeeninferred,theclassrulesareinvoked.Aclassrule
Charstring. correctnessisneverusedasacriterionfordisambiguatinganame. thattypeCharstringisatableofChar,andthatQueueisatableof Herearefourexamplesillustratingtypeinferenceandchecking.Assume

829.TypeCheckingandInference block declare begin newQ; X:Charstring; Q:Queue; I:Integer; insert"abc"|"cd"intoQ;--inferencefromtopdown X:="uvw";
typeofthetable,(4)concatenation|therearetwosourcesandaresult,all I:=sizeof(X|"abc");--inferencefrombottomup
ofthesametype,soifanyonetypeisknowntheothertwocanbeinferred. sourcetype;(3)insert|thetypeoftheelementcanbeinferredfromthe typemustbeastring,butthereisnoinferencerule;(2)sizeof|thereis aninferencerulefortheresulttype(predenedinteger),butnoneforthe Therelevantoperationsare:(1)stringliteral|theclassrulesaysthe endblock; I:=sizeof"abc";--noinference;illegal insertX|"abc"intoQ;--inferenceinbothdirections
areinferredtobeCharstringbecausetherulesforconcatenationcannow bered. becausethetypeofQisknowntobeQueue.Thetypeof"abc"and"de" isnoinferenceruletoinferthesourcetype.ButsincethetypeofXisknown tobeCharstring,theruleforconcatenationdeterminesthatthetypesof "abc"andoftheresult,X|"abc"mustbeCharstring,too. sizeof,becauseeventhoughtheresulttypeisknowntobeinteger,there Inthesecondstatement,thetypeofX|"abc"cannotbeinferredfrom Intherststatement,thetypeof"abc"|"cd"isinferredtobeCharstring
todeterminethetypeofX|"abc".Whicheverruleresrstwillsetthe type;whicheverruleressecondwillcheckthetype.Ifthetypesinferred X|"abc".BecausethetypeofXisknown,theruleforconcatenatecanre thetypeofQisknown,theruleforinsertcanretodeterminethetypeof inthetwodirectionshadbeendierent,anerrorwouldhaveresulted. Inthethirdstatement,theinferencecanworkinbothdirections.Because
specieristoexplicitlydeclareatypeforanexpressionoperand.Whena Charstring#"abc". to"abc",thestatementisillegal|itneedstoberewrittenI:=sizeof noinferenceruleforthesourceoperand.Sincethereisnotypeassignment whetheronlyonelegaltypeisvisible.)Thesizeofoperationlikewisehas Ada-likerulewhichtriestosearchthespaceofallvisibletypestosee operationdoesn'tinferthetype|itonlyhasaclassrule.(Hermeshasno Theprexcharstring#iscalledatypespecier.Theeectofatype Inthefourthstatement,notypeinferenceispossible.Thestringliteral
typespecierisused,thetemporaryvariableistreatedashavingknown typeratherthanunknowntype.Thisknowntypestillmustbeconsistent

documentationpurposesevenwheretheyarenotrequired. sometimesatypespecierisrequired.Typespeciersmayalsobeusedfor withtheinferencerulesandclassrules.Theexampleaboveshowsthat 9.TypeCheckingandInference83

Typestatecheckingassignsatypestatetoeachprogrampoint.Atypestate 10 TypestateChecking isamathematicalobjectwhichcanbeinterpretedintwoways:(1)asan assertionthatcertainpropertiesofprogramvariableswillbetruewheneverthatstatementisexecuted;(2)asapointinasemilattice1.Because
byHermes.Wewilldescribethetypestatecheckingalgorithmweuse.We dataowanalysiscanbeused. certainlanguagerulesexpressedintermsofthoseassertionsaresatised. Becausetypestatesformasemilattice,certainwell-knownalgorithmsfrom willtellyouhowtoreadthetablewhichdenestheparticulartypestate rulesforeachoperation. 10.1SyntaxofTypestates Inthissection,wewilldiscusstheparticulartypestatesemilatticeused typestatesareassertions,theycanbeusedtocheckatcompile-timethat
Typestatesareexplicitlywritteninthefollowingsituations:(1)ininterfacedenitions(inputports,callmessages,andconstraints),(2)intableand
variantdenitionstoindicatewhattypestateanelementorvariantcomponentmusthave,(3)intheunwrapstatement,toindicatewhattypestate
apolymorphmusthave. enclosedincurlybraces.Anattributeisanattributenamefollowedbya listofvariablenamescalledattributearguments. Atypestateiswrittenasasetofattributesseparatedbycommasand
dened. Y)Ṫhefollowingattributenamesarebuilt-in:init,case,checkedand checkeddefinitions.Constraintattributes,likegreaterthan,areuser-
Examplesofattributes:init(X.A),case(V,V.A),greaterthan(X, typestate::=f[attribute[,attribute]...]g
initmusthaveasingleargument,andcasemusthaveexactlytwoargu- Theargumentsofbuiltinattributesarecheckedasfollows:Attribute attribute::=attribute{nameattribute{arguments
tt1;tt2andforanyt0,(t0t1^t0t2))(t0t). ofelementst1andt2haveauniquegreatestlowerboundormeettsuchthat 1Asemilatticeisasetwithapartialorderrelationshipsuchthatanypair

ments.Therstargumenttocasemustbeavariantvariable,andthesecondmustbeacomponentofthesamevariantvariable.Attributechecked
musthaveasingleargumentoftypepredefined!program.Attribute definitionsmodule. checkeddefinitionsmusthaveasingleargumentoftypepredefined! Allotherattributenamesareconstraintattributes.Whenyoumention 10.TypestateChecking85
howmanyattributeargumentstheremustbeandwhatthetypeofeach aconstraintattribute,therewillbeaconstraintdenitionwhichspecies mustbe. Forexample,ifthereisaconstraintdenition greaterthan:constraint(a:integer,b:integer)IS
thisuseasanabbreviation,youmaynotdeneanattributenamedfull. X.AofX.Forothertypes,fullmeansthesameasinit.Fromnowon, we'llassumefullhasbeenexpandedoutwhereveritappears.Becauseof it'sthesameasifyouwroteinit(X)andfull(X.A)foreachcomponent abbreviation.Ifyouwritefull(X),andXisarecordorcallmessage,then argumentsoftypeinteger. thentheattributegreaterthanmustalwaysappearwithexactlytwo Thenamefullissyntacticallyanattributename,butitistreatedasan finit(a),init(b)ga>b;
Herearethemeaningsofthetypestateattributes: checked(P)meansthatprogramPhasbeencheckedandisfreeof case(V,V.X)meansthatvariantVisrevealed,andcomponentV.X init(X)meansthevariableXisinitialized;otherwiseitisuninitialized.
exists;theabsenceofcase(V,...)meansthatvariantVishidden. syntaxerrors,includingresolutionerrors,typeerrors,andtypestate checkedandassignedauniquename.(Seethediscussionofthecheckdefinitions errors. checkeddefinition(D)meansthatdenitionsmoduleDhasbeen
10.2FormalTypestates attributename(arguments)meansthatthenamedconstraintpredicateisknowntobetrueofitsarguments.
statement.)
Sometimesatypestatemustbewrittenwithoutthebasevariables.For example,hereisthedenitionofarecord,andatableoftheserecords: R:record(A:integer,B:Charstring);

eforebeinginsertedintoatableoftypeTmustbefinit(V),init(V.A), 8610.2.FormalTypestates
variablename.Ifthevariablenameisabasevariablewithnocomponents, V.Theresultingtypestateiscalledaformaltypestate.Aformaltypestate itisreplacedby*.Theargumentlist(*)canoptionallybeomitted. lookslikeatypestate,exceptthatweomitthebasevariablefromeach init(V.B)g.Whenwewritethedenition,weomitthearbitraryvariable argumentofeachattribute,turningitfromavariablenameintoaformal ThedenitionsaysthatthetypestateofanarbitraryvariableVoftypeR T:tableofRfinit(*),init(A),init(B)gkeys(A);
eachformalvariablenamewiththegivenvariablename. inwhichthetypeofthearbitraryvariableisknown. finit(X.Y),init(X.Y.A),init(X.Y.B)g.YoucansubstituteX.Yinto intotheformaltypestateinthedenitionabove,andobtainthetypestate ponentsofanarbitraryelementofatable. Tosubstituteavariablenameintoaformaltypestatemeanstoprex Aformalvariablenameorformaltypestateisalwayswritteninacontext Forexample,ifvariablenameX.YhastypeR,thenyoucansubstituteX.Y Formalvariablenamesarealsousedinkeylists,wheretheydenotecom-
attributes,noteverycombinationofattributesisvalid. BecauseofthemeaningoftheHermesdatatypesandthemeaningofthe 10.3ValidTypestates thekeyandobtainanactualkeyofX.Y.A.
tionsasinvalid: Herearetheattributecompatibilityruleswhichdenecertaincombina-
Ifinit(X)isnotpresent,nootherattributewithargumentXmay
Ifcase(V,V.A)ispresent,thennootherattributecase(V,V.B) IfXhascomponents,andinit(X)isnotpresent,thennootherattributewithanycomponentasargumentmaybepresent.Thisfollows
havevalues. fromthefactthatcomponentsofstructuredvaluesonlyexistwhen bepresent.Thisfollowsfromthefactthatonlyinitvariablescan thestructuredvalueitselfexists.
Ifcase(V,V.A)ispresent,thenV.A'scasetypestateattributesare Ifcase(V,V.A)isabsent,thennootherattributewithV.Aascomponentmaybepresent.Thisfollowsfromthefactthatyoucanaccess
componentsofavariantonlywhentheyarerevealed. variantexistsatatime. ispresent.Thisfollowsfromthefactthatonlyonecomponentofa present.ThesearetheattributesobtainedbysubstitutingV.Ainto

Ifinit(CM)ispresentandCMisacallmessage,thentheattributes theformaltypestatedenedforcomponentAinthetypedenitionfor aninitializedbuthiddenvariant. typestateofarevealedvariantmustbehigherthanthetypestateof variantV.Thisfollowsfromthefactthatwerequiretheseattributes tobepresentwhenwehidethevariant,andwerequirethatthe 10.TypestateChecking87
intheminimumtypestateofCMmustbepresent.Theseattributes
isitselfuninitialized. typestateareillegal|e.g.anassignmenttorecordcomponentR.AwhenR Otherwiselegaloperationswhoseeectwouldbetoproduceaninvalid areobtainedbysubstitutingCMintotheformaltypestatedenedor impliedastheminimumtypestate.(Seediscussionofcallmessages.) discardedbytheprocessreceivingthecall. thatcertaincallparametersmustremaininitializedandcannotbe Thisisbecausetheprogrammerisallowedtostateintheinterface
typestatewhenthesetofattributesoftherstisasubsetofthesetofattributesofthesecond.Themeetoftwotypestatesissimplytheintersection
Thesemilatticestructureissimple.Atypestateislowerthanasecond oftheattributesets. 10.4OrderingofTypestates
10.5Coercions Coercionsaretypestate-loweringoperationswhichareinsertedautomaticallybythecompiler.Therearethreecoercions:
hideVremovestheattributecase(V,V.X),alongwithanyother dropconstraint(P1,...,Pn)removestheattributeconstraint(P1, discardXremovestheattributeinit(X),aswellasanyotherat-
...,Pn). attributesofV.X.
init(V.B)gisfinit(V)g. finit(V),case(V,V.A),init(V.A)gandfinit(V),case(V,V.B), Example:finit(A)gislowerthanfinit(A),even(A)g.Themeetof
tributesofXorX'scomponents.

it.Avariableisconstantataparticularprogrampointif: 10.6Constants Althoughweusetheterm\variable"todenoteacellwhichcanholdavalue andappearasanoperand,sometimes\variables"are\constant"!Thatis, sometimesitisonlylegaltoaccessthevalueofavariablebutnottochange 8810.5.Coercions
Itisabasevariable,andanenclosingblockstatementliststhatbase Itisacomponentofaninitializedcallmessage,andthecallmessage Itisabasevariablewhichwasinitializedtoaconstantcopy.(See Theprogrampointisinsideanexpressionblockandthebasevariable typedenitionliststhatcomponentasaconstant. selector,inspect,forstatements.) variableasconstant.
typestatetoitssuccessorstatements: Herearethestepsincheckingasinglestatementandpropagatinganew 10.7HowtoApplytheTypestateRules Itisacomponentofaconstant. wasdeclaredoutsidethatexpressionblock.
2.Ifanyrequiredattributeismissing,thisisanerror. 3.Introducecoercionswhichdropattributeswhicharepresentbutare 1.Determinethepreconditionfortheoperation.Thereisatablegiving
forbidden.Ifwecannotaddcoercionswithoutalsodroppingrequired exceptions. asetofpreconditionrulesforeachoperation.Theserulesdetermine:
attributes,thenthisisanerror.Otherwise,wehavesucceededin (1)asetofrequiredattributes,(2)asetofforbiddenattributes,
generatingatypestatewhichisconsistentwiththepreconditions. (3)theoperandsmodiedbytheoperation,(4)possibleadditional
4.Generateanerrorifanyvariablesmodiedbytheoperationareconstantseral\exception"outcomes.Thetableentryforeachoperationdenemal"outcomeforalloperations(exceptexit),andtherecanbesev-
whichexceptionoutcomestheoperationhas.Thetablemaylistaddi-
5.Determinethesetofoutcomesoftheoperation.Thereisa\nortionalexceptionswhichtheoperationhasundercertaincircumstances

6.Determinethepostconditionsforeachpossibleoutcomeoftheoperation.Foreachoutcome,usetherulesgiveninthetabletodetermine
exceptionoutcomeprovideditsoperandisakeyedtable. |forexample,itmaysaythattheoperationhasaDuplicateKey 10.TypestateChecking89 whichattributestoaddtoordropfromthetypestate. 7.Checkthatafteraddinganddroppingtheappropriateattributesthe 8.Wheneachtypestateiscomputed,propagatethattypestatetothe resultingtypestateisvalid.
tions: NamedProgram:record(A:Charstring,B:Program); Let'sapplythesestepstoanexample.SupposeIhavethesetypedeniercionoperationstolowerthetypestatetothatmeettypestate.
youhavejustcomputedforthispathtothatdestination.Insertco-
destination.Ifthatdestinationalreadyhasatypestate,computethe
ProgramRepository:tableofRffullgkeys(A); meet(asdenedabove)ofitsprevioustypestateandthetypestate
init(R),init(P),init(P.A),init(P.B),checked(P.B)g.Supposethe oftypeProgramRepository.Supposethecurrenttypestateis:finit(I), therearethreerulesrelevanttotypestatechecking.Theseare:thepreconditionrules,thepostconditionrules,andtheexceptionlist.Forinsert,
statementbeingcheckedis: LookatthetableofoperationrulesinAppendixB.Aftertheclassrules, insertPintoR; NowsupposeIisoftypeinteger,PisoftypeNamedProgramandRis
thepreconditionrulesare (init(table),lowestelementstate(element,table),var(table), var(element),duplicatekey(table))
attributesareforbidden.SectionB.4explainshowtoapplyeachpreconditionfunctiontodeterminetherequiredandforbiddenattributes.
attributesarerequired:finit(R),init(P),init(P.A),init(P.B)g.This attributeisforbidden:checked(P.B).Sincealltherequiredattributes init(P.B)g.AnyattributesofPorofitscomponentsotherthantheabove Ruleinit(table)saysthatthetableoperandmustbeinitialized.Rule SubstitutingPintothisformaltypestateyieldsfinit(P),init(P.A), lowestelementstate(element,table)saysthattheelementoperandmust beinthelowesttypestateconsistentwiththeelementtypestateofthetable. isffullg,whichisanabbreviationoffinit(*),init(A),init(B)g. (Elementtypestateisdenedbelowinsection11.6.)Theelementtypestate Thersttwomembersofthelistaretypestatepreconditionfunctions.
Asaresultofapplyingthepreconditionrules,itisdeterminedthatthese

thecompilertoforgetthattheprogramvalueP.Bhasbeenchecked,becauseitisbeinginsertedintoatablecontainingprogramvalueswhicever,thereisan\extra"attribute|checked(P.B).Thecoerciondrop
9010.7.HowtoApplytheTypestateRules areinitializedbutnotchecked.Whenthevalueisremovedfromthetable,itwillbeassumedtobeunchecked.Thetypestateisnowfinit(I),
arepresentinthetypestate,thereisno\missingattribute"error.How-
init(R),init(P),init(P.A),init(P.B)g. iedbytheoperation.Fromthisrule,weinferthatPandRmustnotbe constant.Iftheyare,thecompileragsanerror. Therulesvar(table)andvar(element)tellsuswhichoperandsaremod-
checked(P.B)isinsertedtodropthechecked(P.B)attribute.Thiscauses
TheDepletionexceptionwasdeterminedfromtheexceptionlist,because ofexceptionswhichcouldberaised. everyinsertoperationcanraisethisexception.TheDuplicateKeywas tableRwasdenedaskeyed,andifso,toincludeDuplicateKeyintheset calreasons,itisincludedwiththepreconditionrulesandevaluatedwhen preconditionsareevaluated.Theeectoftheruleistocheckwhetherthe derivedbyevaluatingthepredicateduplicatekey(table),becauseonly Thepossibleoutcomesofinsertare:normal,Depletion,andDuplicateKey. The\rule"duplicatekey(table)isnotapreconditionrule.Fortechni-
insertionsintokeyedtablescanraisethisexception. rules.Forinsert,theserulesare: Thepostconditionfornormalexitisdeterminedbythepostcondition
Therulekillconstraints(table)dropsanyconstraintattributesofthe executed.Sothetypestateassociatedwiththetwoexceptionoutcomes isalsofinit(I),init(R),init(P),init(P.A),init(P.B)g.Forthis reason,exceptionpostconditionsarenotshowninthetable. changedvalueandanunchangedtypestate|asiftheoperationhadnot tributesofPanditscomponents|namelyfinit(P),init(P.A),init(P.B)g. Therulemakeuninit(element)makesPuninitializedbydroppingallat-
(makeuninit(element),killconstraints(table))
table|therewerenone.ThepostconditionfunctionsareexplainedinsectionB.5.
Exceptforthecallstatement,allexceptionoutcomesproduceanun-
Theinitialtypestateisoneinwhichtheinitializationportisinitializedand init(R)g. 10.8TheCheckingAlgorithm noothertypestateattributesarepresent. Sothetypestateassociatedwithnormalcompletionofinsertis:finit(I),
quiredandforbiddenattributespriortotheoperation,andtheaddedand Ateachstatement,therulesinthetableareusedtodeterminethere-

droppedattributesafternormalcompletionoperation. Threetypesofstatementsarehandledspecially: Thecompoundstatementshavemorecomplexpostconditionrules Thecallstatementisdierentbecausethenormalandexception postconditionscomefromtheinterfacedenition. 10.TypestateChecking91
Similarly,everystatementcontainingaselectorisanalyzedasifit owgraph. manualwedescribethetypestatepostconditionresultingfromthis weretwostatements:aselectorfollowedbyaprimitivestatement. Therulesinthetabledenethepreconditionandpostconditionrules booleanteststatementandtheembeddedclauses.Inthereference anifstatementbehavesasifitwerecomposedofamoreprimitive becausetheyareequivalenttominiatureowgraphs.Forinstance,
typestatepropagatedfromthestatementperformingtheforwardbranch. withinblock,ifandselectstatementstotheendofthestatementare betweentheprevioustypestateassociatedwiththedestinationandthe forwardbranches.Whenaforwardbranchisencountered,themeetistaken Exceptions,exitstatements,andthebranchesfromtheendofclauses Eachloopconstruct(while,for)performsasinglebackwardbranchfrom selectors. fortheprimitivestatement;theserulesareappliedaftertherulesfor
ofthelooparethenre-analyzed. typestatepreviouslyassociatedwiththetopoftheloop.Thestatements theendoftheloopislowerthanorincomparabletothetypestateatthe beginning,themeetistakenbetweenthetwotypestates.Thislowersthe isdoneexcepttointroduceanynecessarycoercion.Ifthetypestateat theendofthelooptothebeginning.Ifthetypestateattheendoftheloop isstrictlygreaterthanorequaltothetypestateatthebeginning,nothing
Thepossibletypestateerrormessagesare: tateandnoloopsneedtobere-analyzed.Inpractice,noloopwillneedto beanalyzedmorethantwice. 10.9TypestateErrors Analysiscontinuesuntilallprogrampointshavebeenassignedatypes-
Deadcode:Astatementcannotbereached.Rememberthattypestatecheckingignoresthevaluesofvariables,sothatevenastatemenception.Thiserrorariseswhenyouwriteastatementafteranexit
beginningif'false'then...doesnotgenerateadeadcodeex-
statementorafteracompoundstatementallofwhosealternatives

9210.9.TypestateErrors
Cannotcoerce:Theoperationrequiresanattributetobedropped, Attributenotpresent:Arequiredtypestateattributewasnotpresent. terminatewithexitstatements.Italsoarisesifyoucodeahandler whichcanneverbebranchedto. Forexample,youcodedaninsertoperationbutthetablewasnot
initializedandthesecondtobeuninitialized.SupposeParmsisa butthecoercionwhichdropstheattributewouldalsodropanother attributewhichisrequired.Example: callService(Parms.A,Parms.B); SupposetheinterfacetoServicerequirestherstargumenttobe initialized.
callmessagewhoseminimumtypestaterequiresbothParms.Aand Parms.Btobeinitialized.ThenthecallstatementrequiresParms.B
Cannotdrop:Thepostconditionrulemandatesdroppingthisattribute,buttodosowouldproduceaninvalidtypestate.Forexample,
Cannotadd:Thepostconditionrulemandatesaddingthisattribute, thismessage. tobemadeuninitialized,butthiscannotbedonewithoutdiscarding Parms,whichwouldthenmakeParms.Auninitialized. assignmenttoParms.AwithoutrstinitializingParmswouldproduce buttodosowouldproduceaninvalidtypestate.Forexample,an
dependenterrorswhicharedetectedduringtypestatechecking: Thefollowing,whilenottechnicallytypestateerrors,arestaticcontext-
Illegalposition:Youhavecodedthepositionofoperationina Illegalconstant:Youhavecodedastatementwhichmodiesoneof itsoperands,buttheoperandisconstant. droppingacallmessagebelowitsminimumtypestate. contextwhereitisnotlegal.Thisoperatorislegalonlywhenthe tableelementoperandisaconstantcopy.

11 HermesOperations Throughouttheremainderofthereferencemanual,syntacticruleswillbe includedintheexcerpts.Thegrammarispresentedinitsentirety,including Low-levelsyntacticelementsthatappearinrulebodiesgenerallywillnotbe excerptedfromAppendixAasspeciclanguageconstructsareintroduced.
Ubiquitousoperationsarethosewhichapplytoallornearlyalltypes. 11.1UbiquitousOperations theselow-levelelements,inAppendixA.
placesitinanother(thedestination).Ifthedestinationvariablehada Themovestatementremovesavaluefromonevariable1(thesource)and Move value,thatvalueisdiscarded.Thesourcevariablebecomesuninitialized. Example: simple{statement
uses\name-equivalence"fordecidingwhethertwotypesmatch;therefore, R.A

Copy 9411.1.UbiquitousOperations
Thecopyofstatementcopiesavaluefromonevariabletoanother.The thevalueandattributesofthesourcevariable.Thesourcevariablemay move,thedestinationvariablelosesitsoldvalueandattributes,butacquires sourcevariableretainsitsoriginalvalueandtypestateattributes.Aswith simple{statement
haveanytypestateexceptcompletelyuninitialized. secondary::=copyofsecondary ::=result{variable:=source{expression
copyofX,orinanassignmentstatementlikeY:=X.ThelatterisequivalenttoY

Thediscardstatementremovesthevaluefromthevariable.Discardingan initializedcallmessagereturnsthecallmessage;thecallerwillreceivethe simple{statement ::=discardvariable{name11.HermesOperations95
rstbeloweredtotheirminimumtypestate|thisconceptisdenedlater, callmessagetype.Discardedexception.Thecallmessagecomponentswill inthesectiononcallmessages.Discardingavaluecontainingcallmessages| forexampleaninputportholdingenqueuedcallmessages|discardsthe callmessages.Discardinganyothertypeofvaluejustthrowsthevalueaway.
limitedresources.TheDepletionexceptionisraisedwheneverduetoaresourcelimitationoranimplementationrestriction,thecorrectresultcannoitylimits,integeroverow.Implementationsareencouragedtoavoidgiv-
AnidealHermesmachinehasunlimitedresources.Realmachineshave 11.2TheDepletionException Mostoperationscanraisethisexception,soitisdescribedhereratherthan repeatedlyundereachoperation. becomputed. don'trequireallimplementationstobethissophisticated,sowereserve ingDepletionexceptionsratherthantorequireprogrammerstodevelop theirowncircumventions.Forexample,integerswhichdon'ttinahardwareregistercouldberepresentedbydynamic-precisionintegers.Butwe
Examplesinclude:runningoutofaddressspace,exceedingdiskcapac-
theDepletionexceptiontoinformtheuserthattheimplementationis inadequatetorunthisparticularexecution. Hermesimplementationsmustguaranteethatstoragedepletioncannotoccurwhilediscardingorhidingavalue.
Coercionoperations|e.g.discard|cannotfailwithanyexception.

9611.2.TheDepletionException 11.3ControlFlowOperations Block compound{statement
constant{section ::=block endblock [handler]... begin [declaration{section] [constant{section]
declaration{section ::=constant([base{variable[,base{variable]...]) ::=declare[declaration;]... [statement;]...
declarenewvariables,youcanspecifythatthevaluesofexistingvariables Ablockstatementintroducesanewscope.Withinthisscope,youcan handler::=on([exception{name[,exception{name]...]) ::=onexit([exit{name[,exit{name]...])
bythenamesoftheexitsorexceptionsithandles.Theabbreviationothers Theotherclausesarethehandlerclauses.Eachhandlerclauseispreceded mustremainconstant,andyoucanprovidehandlersforexceptionsorexits withinthemainbodyoftheblock. Thestatementseriesafterthewordbeginisthemainclauseoftheblock. [statement;]...
withinahandlerclausecannotcausecontroltotransfertoanotherhandler clauseofthesameblock. tothehandleroftheinnermostblock.Rememberthatexceptionsraised Twoclausesofthesameblockcannothandlethesameexitorexception. containinghandlersforthesameexceptionorexit,controlwilltransfer standsforallexceptionswhicharenotexplicitlyhandled.Restriction:
issuinganexitstatement,thentheclauseissaidtoexitnormally..Ifany Ifastatementiswithinthemainclausesoftwoormorenestedblocks controltotransfertotheclauseheadedbythatexceptionorexitname. Ifallstatementsofaclausecompletewithoutraisinganexceptionor Anexceptionorexitraisedwithinthemainclauseofablockcauses
wordsblockandendblockdonotappear.Asecondblockwithanempty clauseofablockexitsnormally,thentheblockitselfexitsnormally. on(others)handlerisimpliedaroundthisblock.Thisisnecessarysothat Thebodyofaprocessstatementisactuallyablock,althoughthe

Ifnoneoftheclausescanexitsnormally,theblockstatementcannotexit thetypestatesonnormalexitfromalltheclauseswhichcanexitnormally. normally.Theonlywayaclausecannotexitnormallyisifitendswith therewillalwaysexistatargetforexceptionsraisedwithinhandlersofthe processstatement. Thetypestateonnormalterminationofablockstatementisthemeetof 11.HermesOperations97
cannotexitnormally. Ifcompound{statement anexitstatementorifitendswithacompoundstatementwhichitself
thethenclauseisthenexecuted;ifthevalueis'false',theelseclause Theifstatementcontainsanexpression|thetest|andtwoclauses|the pressionisevaluatedtoaninitializedbooleanvalue.Ifthevalueis'true', thenandelseclauses. ::=iftest{expression
isexecuted.Anomittedelseclauseistreatedasanemptyelseclause. Itbehavesliketheifstatementofconventionallanguages:Thetestex-
endif [else[statement;]...] then[statement;]...
While statementcannotexitnormally. clausewhichcanexitnormally;ifnoclausecanexitnormally,thentheif onnormalexitoftheifstatementisthemeetofthetypestatesforeach sameasthetypestateafterexecutionofthetestexpression.Thetypestate musthavetypestateinit.Thetypestateonentrytoeitherclauseisthe isinferredtohavetypepredefined!boolean.Thetestexpressionresult Thetypeandtypestaterulesareasfollows:Thetestexpressionresult
Thewhilestatementcontainsanexpression|thetest|andaclause|the repeatclause. compound{statement
statementisre-executed.Ifitis'false',thewhilestatementterminates. expressionisrepeatedlyevaluatedtoaninitializedbooleanvalue.Ifthe valueis'true',thentherepeatclauseisexecuted,andthenthewhile Itbehaveslikethewhilestatementofconventionallanguages:Thetest ::=whiletest{expressionrepeat
Thetypeandtypestaterulesareasfollows:Thetestexpressionresultis endwhile [statement;]...
checkedtohavetypestateinit.Thetypestateonentrytothetestexpres- inferredtohavetypepredefined!boolean.Thetestexpressionresultis

sionisthemeetofthetypestatebeforeexecutionofthetestexpressionand thetypestateonnormalterminationoftherepeatclause.Thetypestate 9811.3.ControlFlowOperations asthetypestateafterexecutionofthetestexpression. Select onentrytotherepeatclauseisthetypestateafterexecutionofthetest expression.Thetypestateonterminationofthewhileclauseisthesame compound{statement select{clause ::=select[select{expression] endselect [select{clause]...
event{guard ::=boolean{guard[statement;]... ::=event{guardandboolean{guard[statement;]... ::=event{guard[statement;]... otherwise{clause
boolean{guard ::=eventinport{variable
Theselectstatementconsistsofanoptionalexpression,asetofselect clauses,andanotherwiseclause.Aselectclauseconsistsofaguardanda otherwise{clause select{expression ::=otherwise[statement;]... ::=where(test{expression)
clause.Aguardcanbe abooleanguard, aconjunctionofabooleanguardandaneventguardnaminganinput port,or ::=expression
eventinport1 Example: select where(x>0) aneventguardalone,whichistreatedasifabooleanguardof'true' y:=x+y; hadbeencoded.

Ifthereisanoptionalselectexpression,thenitisevaluatedandthe eventinport2andwhere(x

inport2,thethirdclausewillexecute;ifmessagesarriveatbothports, 10011.3.ControlFlowOperations
thestatementwillblock. atinport1,thesecondclausewillexecute;ifamessagearrivesonlyat secondclausemaybeexecuted.Ifx0,thenif nomessageeverarrivesatinport1therstclausemusteventuallybe
init.Thetypestateonentrytoanyclauseisthetypestateafterevaluatingallguards.Thetypestateonnormalterminationofthestatementis
checkedtobeoftypefamilyinputport. sionsareinferredtobeoftypepredefined!boolean.Eventguardsare twoclauses. averagesalary,thenanon-deterministicchoiceismadebetweentherst behaveslikethechoicestatementsofotherlanguages.Iflowsalary= Allbooleanguardsandalleventguardsmusthavetypestateattribute Herearethetypeandtypestatecheckingrules:Booleanguardexpres-
Inthesecondexample,therearenoeventguards,andthestatement
mally;ifnoneoftheclausescanexitnormally,thenneithercantheselect themeetofthetypestatesoncompletionofallclauseswhichcanexitnor-
statement. ExpressionBlock
able.Sinceexpressionsarenotsupposedtohavesideeects,allvariables clausecontainingstatementstocomputetheresultvariable. declaredoutsidetheexpressionblockareconstantwithintheblock. Anexpressionblock,orevaluateoperator,isawaytoembedstatements withinanexpression.Itcontainsadeclarationofaresultvariable,anda Theexpressionblockintroducesanewscopecontainingtheresultvari-
secondary::=evaluatedeclarationfrom[statement;]...end
normalexitfromtheblock.Itisa\deadcode"erroriftheclausedoesnot haveanormalexit.Theblockmustinitializetheresultvariable. Thetypestateafterexecutinganexpressionblockisthetypestateon forLispObjectinLispObjectswhere (evaluateStartsWithZ:booleanfrom blockbegin endblock; on(CaseError) revealLispObject.Pair; revealLispObject.Pair.Car.PrintName; StartsWithZ:=LispObject.Pair.Car.PrintName=Z; StartsWithZ:='false';

stmemberisanatomwithprintnamematchingZ.Thetestmustbe endfor; ThisprogramfragmentlooksuptheLispvariablewhichisapairwhose inspect end) callLispPrint(LispObject); 11.HermesOperations101
writtenasanexpressioninsidewhere().Toperformthetest,wemustwrite statementwithinanexpression. Exit arevealstatement,soweneedanexpressionblockinordertoenclosethis
hadbeenraised.Ineect,anexitisalocallydenedexceptioncondition. Example: Theexitstatementterminatesexecutionofablockasifanexception blockbegin simple{statement ifX>200000 then exitTooBig; ::=exitexit{name
inablockwhosemainclausecontainstheexitstatement.Ifthereismore thanonesuchhandler,theinnermostoneischosen.(Thisruleisrepeated branchestoahandlerforthatexitname.Thehandlerchosenmustbe Thestatementincludesanidentierwhichisanexitname.Control onexit(TooBig) endblock;
... endif;
Hermeshasvescalartypefamilies:nominal,enumeration,boolean,integer,andreal.Thescalartypesfamiliesaresimilartoscalartypesinother
11.4ScalarOperations inthediscussionoftheblockstatement.)
inthesefamilies,andthendiscussthescalaroperations. ScalarTypeDenitions Anominaldomainisasetofvalueswhichhavenorelationshipotherthan equality.Theyareusedtogeneratedistinctnames|hencethetermnominal.Youcangenerateanew,distinctnominalvaluewiththeuniqueop-
procedurallanguages.Inthissectionwerstdescribehowtodeclaretypes

10211.4.ScalarOperations eration.Youcancopynominalsandtestthemforequality.Youcannot uesareequaliftheyarecopiesofthesamegeneratedvalue,otherwisethey areunequal.Anominaltypedenitioncreatesanewnominaldomain. performorderedcomparisonsorconversionstointegers.Twonominalval-
anamedliteralwitheachvalue,e.g.'blue'.Thenamedliteralsofasingle enumerationtypedenitionmustbedistinct.Thisnamedliteralcanbe merationtypedenitiondenesanewenumerationdomain,andassociates Example:::=nominal TransactionId:nominal; Anenumerationdomainconsistsofanitenumberofvalues.Anenu-
type{construction
usedinexpressionstogeneratethevalueitnames.Enumerationvaluesof course,thevalue'blue'inoneenumerationdomainhasnothingtodo withthevalue'blue'inadierentenumerationdomain,sinceonlyvalues thesametypeareequaliftheyareequaltothesamenamedliteral.Of ofthesametypecanbecompared. type{construction
thekeywordorderedappearsinthedenition.Unorderedenumerations ::=[ordered]enumeration(
supportcomparisonsonlyforequalityandinequality,justlikenominals. Enumerationsareeitherorderedorunordered,dependingonwhether ::=variantofenumeration{type( )
[case{declaration[,case{declaration]...] [named{literal[,named{literal]...]
Orderedenumerationsalsosupporttheorderedcomparisons,=.Theyalsocanbeconvertedtointegers.Therstenumerationliteral Thefollowingaresomeexamples.
theother\false".Abooleantypedenitionassociatesthetrueandfalse valueswithdistinctnamedliterals. thatcontainsallthecharactersoftheASCIIcharactersetinsortedorder. Abooleandomainconsistsoftwovalues,onerepresenting\true"and option:enumeration('present','absent'); color:enumeration('red','blue','yellow','green'); ThereisapredenedorderedenumerationtypecalledPredefined!Character quality:orderedenumeration('poor','fair','good','excellent'); type{construction ::=boolean(boolean{association)

types.Additionally,theoperations\and",\or",and\not"aresupported. Booleantypessupportthesameoperationsasunorderedenumeration Thereisapredenedbooleantypecalledpredefined!booleanwhose boolean{association ::=false:named{literal,true:named{literal ::=true:named{literal,false:named{literal 11.HermesOperations103
namedliteralsare'true'and'false'.Youcandeneyourownboolean typeswithdierentliterals.Example: typedenitiondenesanewintegerdomain. bit:boolean(true:'0',false:'1'); Anintegerdomainconsistsofthemathematicalintegers.Eachinteger
orangesdomain.Butyoucanconvertbetweentwointegerdomainsusing Example:::=realofaccuracyinteger{literal/integer{literal apples:integer; oranges:integer; Asusual,5intheapplesintegerdomaincan'tbecomparedto5inthe type{construction
theconvertoperation. ::=integer
numberthatcantinawordofcomputermemory.Incontrast,Hermes usestheusualmathematicaldenitionofinteger.Theresultofaninteger operationisalwayseitherthemathematicallycorrectresult,orelseno discretesubsetofrealnumbersspacedsucientlyclosetogethertomeet asafenumbersuchthattherelativeerror(thedistancebetweenthesafe resultandaDepletionexception. auser-denedaccuracyrequirement.Foreveryrealnumber,thereexists Insomelanguages\integers"aredenedmodulothesizeofthelargest
numberandtherealnumberdividedbytherealnumber)islessthanor equaltotheaccuracyrequirement. Arealdomainconsistsofasetofsafenumbers.Safenumbersarea
isidenticaltothatshownforintegersabove.Approximaterealarithmetic tegerbetweenthemmusthaveasafeintegerbetweenthem. \preferred"assafenumbers,i.e.anypairofsafenon-integerswithaningrammersaresupported:(1)Zeroisasafenumber,and(2)integersare
Theusualrealarithmeticoperationsaresupported;theexpressionsyntax Twootherpropertiesofapproximatearithmeticoftenassumedbypro-
velocity:realofaccuracy1/1000000; Theaccuracyisexpressedasafraction,e.g.1/1000000.Example:
isperformedasfollows.Theresultiscomputedandasafenumbernearest theexactresultisusedastheresult.Ifthereismorethanonenearestsafe numbertoanumber,anondeterministicselectionismade.

10411.4.ScalarOperations Integer,Real,andNamedLiterals Literalsareexpressionswhichcomputearesultdenedatcompile-time.
getatypeerror.Thecompilerwillnotscanthroughthesetofallvisible Examples:23,'blue',"Hello,World!". whetheritisaninteger,real,string,ornamedliteral.Forexamplethe Theyaretreatedasnullaryoperationsforthepurposeoftype-checking.
typestoseeifthereisauniqueoneinwhichthisexpressionmakessense. rememberthatifyouwriteanexpressionlike'fair'

Less,Less-equal,Greater,Greater-equal relation::=concat=concat ::=concatconcat 11.HermesOperations105
Examples:X=2,Y3,A

10611.4.ScalarOperations For-enumerate
thevariableisassignedthatvalueandtheclauseisexecutedonce.Inside compound{statement
theclause,thevariableisrequiredtobeconstant.Theorderinwhichthe merationtype.Foreveryvalueinthedomainoftheenumerationtype, wherethedeclarationspeciesavariablebelongingtoanunorderedenu-
Theforenumeratestatementiteratesovertheelementsofanunordered enumerationtype.Thisstatementconsistsofadeclarationandaclause, ::=forenumeration{variable:enumeration{typerepeat
valuesarechosenisnondeterministic.Thefollowingisanexample. endfor [statement;]...
forthiscolor:colorrepeat
Theconvertofoperatorhasonlyoneoperand.Itconvertsvaluesfrom Convert endfor secondary::=convertofsecondary sendcolortooutport;
oneorderedtypetoanother.Anexampleofitsuseis: integerreal Thethreeordereddomainsarerelatedasfollows:orderedenumeration x

RecordTypeFamily 11.5RecordOperations type{construction ::=record( [component{declaration[,component{declaration] 11.HermesOperations107
Arecordisatupleofvaluescalledcomponents.Whenarecordisinitial-
...]
nentsareinitializedandallinitializedcomponentsareequal. ized,thecomponentvariablesexist.Thecomponentvariablesmaythem-
selvesbeeitherinitializedoruninitialized.Whenarecordisuninitialized, thecomponentvariablesdonotexist,areconsidereduninitialized,andcan-
Tworecordsareequalforcomparisonpurposeswhenthesamecompo-
) notbemadeinitialized. e.gċlause:record( Arecordtypedenitionspeciesthenameandtypeofeachcomponent,
uninitialized.Thepreviousvalueoftherecord,ifany,isdiscarded. New Thenewoperationcreatesaninitializedrecordwhosecomponentsare );statements:statements simple{statement id:clauseid,
uninitialized|issuethenewoperation,andtheninitializethecomponents, 11.6TableOperations orassignormoveapre-existingrecordvalue. Note:thetwowaystoinitializearecordvariablewhichiscurrently ::=newvariable{name
TableTypeFamily Atableisacollectionofvaluesofthesametypeandtypestate.Thevalues arecalledtheelementsofthetable,thetypetheelementtype,andthe key::=([formal{variable[,formal{variable]...]) type{construction ::=[ordered]tableofelement{typeelement{typestate [keys[key]...]

strings,arrays,lists,andrelations. representinganelementtypestate.Itcancontainthekeywordordered.A 10811.6.TableOperations
canbecompared. typestatetheelementtypestate.Tablescanbeusedtorepresentbags,sets, tabletypedenitioncanalsocontainasetofkeys.Eachkeyiswrittenasa restrictionsguaranteethattableelementscanbecompared,andthatkeys initialized,(2)theelementtypestatemustnotbefullyuninitialized.These listofformalvariables.Restrictions:(1)Thevariablesofakeymustbe Atabletypedenitioncontainsanelementtypeandaformaltypestate
order. ofallkeys.Twoelementsdierinakeyiftheydierinanyvariableofthat key. etcṪwoorderedtablesareequaliftheycontainequalelementsinthesame ments.Therstelementofthetableissaidtohaveposition0,thenext1, Twounorderedtablesareequaliftheirelementscanbeputinone-to-one Thevalueofanorderedtableisanordered(possiblyempty)setofele-
Ifatablehaskeys,anytwoelementsofthetablewillhavedierentvalues
someexamplesoftabletypedenitions. correspondenceandthecorrespondingelementsareequal.Thefollowingare stringset:tableofstringfinitgkeys(*); string:orderedtableofcharfinitg; intbag:tableofintegerfinitg; person:record(
inconventionallanguages:itisatotallyorderedbag.Typestringset multipleoccurrencesofthesameinteger.Typecharstringislikeastring );id:integer persontable:tableofpersonffullgkeys(name,address)(id); Typeintbagisabag|itcanholdanynumberofintegers,including name:string,
hastheadditionalspecicationthatnotwostringsmaybeequal|thus address:string,
elementscanhavethesamevalueofid.Thistypeactslikeatwo-way mappingbetweenidnumbersandname-addresspairs. Newsimple{statement elementscanhavethesamestringsforbothnameandaddress,andnotwo itbehaveslikeaset.Typepersontablehasthepropertythatnotwo ::=newvariable{name

valueofthetable,ifany,isdiscarded. Theoperationnewcreatesaninitializedbutemptytable.Theprevious literalisanorderedtableofenumerationorbooleanvalues.Eachcharacter StringLiteral Astringliteralisaself-deningcharacterstringvalue.Thetypeofastring 11.HermesOperations109
Concatenate denedasorderedtableofBit. stringofatypewhichincludesvaluesnamed'0'and'1'|e.g.atype theenumerationorbooleantype. inthestringliteralmustcorrespondtoasingle-characternamedliteralof Soif"0011010"isusedasastringliteral,itsresolvedtypemustbea
Thisoperationconcatenatestwoorderedtablestoproducearesultcontainingacopyoftheelementsoftheleftoperandfollowedbyacopyofthe
Selector elementsoftherightoperand.Theelementsmustbecopyable. concat::=term
selector::=base{variableintable{variable ::=concatjterm
simplyabbreviationsforlongselectors. threesyntacticformspermittedbythesyntax.Therstformiscalled Theselectorisasyntacticconstructusedinseveraloperations.Thereare alongselector,theothersmappingselectors.Themappingselectorsare ::=table{variable[[expression[,expression]...]]
where(selector{expression)
inaselectoriscalledanelementdeclaration.Itdenesanewvariablename Thevariablename(tablevariable)isthenameofatable.Thebasevariable
Thisvariablenameisvisiblewithinthewhereexpression.Theexpression iscalledtheselectorexpression.Itevaluatestoaresultwhichisinferred calledtheelementvariable,whosetypeistheelementtypeofthattable. table.Theelementvariableissetequaltoaconstantcopyoftheelement. Theelementsforwhichtheselectorexpressionaretruearesaidtobe tobeoftypepredefined!boolean. selected. selectors.Ifthemappinglistisempty,thenallelementsareselected|itis Atexecutiontime,theselectorisevaluatedonceforeachelementinthe Amappingselectorisashorthandrepresentingsomecommonusesof

11011.6.TableOperations ashorthandforwhere('true').Ifthemappinglisthasasingleexpression, andthetableisordered,thenexpressionisassumedtobeapositionandthe selectedelementistheelementatthatposition.Thust[n]isshorthandfor eintwhere(positionofe=n).Iftheaboveruledoesnotapply,and
toselectasingleelement;thepurposeofothersistoselectanentireset. elementsdependsupontheoperation.Thepurposeofsomeoperationsis illegal. =xande.address=y).Ifnoneoftheserulesapply,orifmorethanone keyhasthecorrectnumberofvariables,theuseofthemappingselectoris themappinglisthaskexpressions,andonekeyhaskvariables,thekexpressionsareassumedtobecomparisonvaluesforthosekeys.Thusifthas
typepersontable,thent[x,y]isshorthandforeintwhere(e.name
anarbitrarychoiceismade. Whenthepurposeistoselectasingleelement,andnoelementisselected, tableisordered,theearliestelementischosen.Ifthetableisunordered, exceptionNotFoundisraised.Ifmorethanoneelementisselected,andthe Theresultisacopyofthechosenselectedelement,orelseNotFoundis Aselectorbyitselfinanexpressionistheoperationcalledtheelement. Selectorsappearaspartofseveraloperations.Theuseoftheselected
raised.Theresulthastheelementtypeandelementtypestate.Theelement Every typemustbecopyable. Theeveryoperationreturnsatablecontainingacopyofalltheselected elements.Iftheoriginaltablewasordered,thecopiedelementsareinthe sameorder.Theresultofeverywillbeanemptytableifnoelementsare Exists,Forall selected.Theelementtypemustbecopyable. secondary::=everyofselector
selected;elseitreturnsfalse.Theforalloperationreturnsatrueboolean Theexistsoperationreturnsatruebooleanvalueifatleastoneelementis valueifallelementsareselected;elseitreturnsfalse. Insert,Insert-at secondary::=existsofselector
simple{statement ::=forallofselector ::=insertelement{expressionintotable{variable [atposition{expression]

thetableisordered,theelementisinsertedattheendofthetable.Ifthe tableiskeyed,theDuplicateKeyexceptionisraisediftheinsertionwould operationisillegal.Ifithasahighertypestate,thetypestateislowered.If Thevaluemusthavetheelementtypestate.Ifithasalowertypestate,the fromasourcevariable.Thesourcevariablemustbeoftheelementtype. Theinsertstatementaddsanewelementtoatablebymovinginavalue 11.HermesOperations111
actlylikeinsert,exceptithasanadditionaloperandoftypepredefined!integer haveviolatedtherequirementofuniquekeys. whichspecieswheretoinserttheelement.Ifthispositionisnegative,or greaterthanthenumberofelementsinthetable,theexceptionRangeError takesprecedence. mayberaisedexactlyasforinsert,exceptthataRangeErrorexception israised.Otherwise,theelementisinsertedatthedesignatedposition.The positionsofearlierelementsinthetableremainthesame.Thepositionsof laterelements(ifany)areincreasedbyone.TheexceptionDuplicateKey Theinsert-atstatementislegalonlyfororderedtables.Itbehavesex-
sinceitsvalueismovedandnotcopied. Remove Aftereitherinsertorinsert-at,theelementvariableisuninitialized,
noselectedelement,theexceptionNotFoundisraised.Thepreviousvalue, removedfromthetableandmovedintothedestinationvariable.Ifthereis Theremovestatementhastwooperands:adestinationelement,whichappearsafterthewordremove,andaselector.Thechosenselectedelementis
Examples: simple{statement ifany,ofthedestinationvariableisdiscarded. removeCharfromString[0]; ::=removeelement{variablefromselector
one.Ifthereisnone,anexceptionisraised.Thesecondstatementremoves thesmallestintegerfromIntbag|theintegerIsuchthatallintegersin empty. Extract IntbagareatleastaslargeasI.Itwillraiseanexceptionifthetableis removeMinfromIinIntBag Therststatementremovestherstcharacterfromthestring,ifthereis where(forallofJinIntbagwhere(J>=I));
appearsafterthewordextract,andaselector.Allchosenselectedele- Theextractstatementhastwooperands:adestinationtable,which simple{statement ::=extracttable{variablefromselector

isdiscarded. Merge,Merge-At 11211.6.TableOperations mentsareremovedfromthetablenamedintheselector,andmovedinto thedestinationtable.Ifnoelementsareselected,thedestinationtableis initializedtoanemptytable.Thepreviousvalue,ifany,ofthedestination
thesourcevariablewillbeuninitialized.Ifthetableisordered,theelements(ifany)fromthesourcetablewillbeinsertedattheendofthe
elementswillbeofthesametypeandtypestate.Onnormalcompletion, tinationtable.Thetwotablesareofthesametype|meaningthatthe Themergestatementmovesthecontentsofthesourcetableintothedes-
simple{statement
destinationtable,andtheirorderwillbepreserved.Ifthetableiskeyed, ::=mergetable{expressionintotable{variable
theDuplicateKeyexceptionisraisedifthemergewouldhaveviolatedthe [atposition{expression]
requirementofuniquekeys.
asformerge,exceptthataRangeErrorexceptiontakesprecedence. whichspecieswheretoinsertthesourcetableelements.Ifthisposition actlylikemerge,exceptithasanadditionaloperandoftypepredefined!integer ceptionRangeErrorisraised.Otherwisetheelementsareinsertedatthe designatedposition.Thepositionsofearlierelementsinthetableremain thesame.Thepositionsoflaterelements(ifany)areincreasedbythenumberofelementsmerged.TheexceptionDuplicateKeycanberaisedexactly
isnegative,orgreaterthanthenumberofelementsinthetable,theex-
Themerge-atstatementislegalonlyfororderedtables.Itbehavesex-
table.Thiscopyisstoredintoanewvariable{theinspectvariablehaving Inspect-table Thisstatementmakesaconstantcopyofthechosenselectedelementofa thesamenameastheelementvariableoftheselector.Theinspectvariable isautomaticallydeclaredtobeoftheelementtypeofthetable,andtohave compound{statement
ascopeincludingtheclausewithinthebodyoftheinspectstatement.If ::=inspectselectorbegin
thereisnoselectedelement,theNotFoundexceptionisraised. endinspect [statement;]...
be\dangerous"(receive,return)whenperformedonordinarycopiesare aconstantcopyofanyvalue.Thisisbecausetheoperationswhichwould sages,inputports,orvaluescontainingthem),itisalwayslegaltomake Whereasitisillegaltomakeordinarycopiesofcertainvalues(callmes-

notallowedonconstantcopies.Avariableholdingaconstantcopyisautomaticallymadeuninitializedwhencontrolleavesthescopeofthevariable.
Thefollowingisanexampleoftheinspectstatement. inspectcharinstring begin where(char='X'andpositionofchar>2) 11.HermesOperations113
tweentheinspectstatementandthesimilarstatementusingtheoperation the-element. mentasthevariableholdingtheconstantcopy.Notethedierencesbe-
sionastheelementvariableofaselector,and(2)withintheinsertstate-
c:=charinstringwhere(char='X'andpositionofchar>2); endinspect; Notethedoubleuseofthevariablechar|(1)withinthewhereexpres-
insertcopyofcharintostring2;
copy.Itisillegaltoapplyinsertdirectlytocharbecauseitisconstant, operationcanbeappliedtoconstantcopiesbutnottoordinarycopies. butitislegaltoapplyinsertdirectlytoc.Theposition-of-element mentproducesaconstantcopy,whereasthe-elementproducesanordinary whereasthe-elementworksonlywithcopyabletypes.Theinspectstate-
havebeenpreviouslydeclared.Theinspectstatementworksforalltypes, Thetypestateonentrytothemainclauseoftheinspectstatement Theinspectstatementintroducesadeclarationofchar,whereascmust insertcintostring2;
normally. For-Inspect mainclause,exceptthattheinspectvariablebecomesuninitialized.Ifthe mainclausecannotexitnormally,thentheinspectstatementcannotexit fromtheinspectstatementisthesameasthetypestateonexitfromthe theinspectvariableisintheelementtypestate.Thetypestateonexit isthesameasthetypestatepriortotheinspectstatementexceptthat
lectedsubsetofthetable.Thetablemustbeinitialized.Themainclause (theclausefollowinginspect)isexecutedonceforeachselectedelement. Avariablewiththesamenameastheelementvariableoftheselectorholds Thefor-inspectstatementiteratesovertheelementsofatableorase-
compound{statement
tothefor-inspectstatementisusedtodeterminetheselectedvalues; aconstantcopyoftheselectedelement.Thevalueofthetableonentry ::=forselectorinspect
anychangestothetablemadefromwithintheiteratedclausewillnotaffectwhichvaluesareselected.Ifthetableisordered,theelementswillbe
endfor [statement;]...

assumingitcanexitnormally.Thetypestateonexitfromthefor-inspect typestateandothertypestateattributesarethesameastheywerebefore themeetof(1)thetypestateinwhichtheinspectvariableisintheelement thefor-inspectstatement,(2)thetypestateattheendofthemainclause, 11411.6.TableOperations
statementisthemeetofthetypestateonentrytothemainclauseandthe selectedinthatorder.
unconditionalexit,sinceitispossibleforthemainclausetobeexecuted canalwaysterminatenormally,evenifthemainclauseterminatesinan typestatepriortothefor-inspectstatement.Afor-inspectstatement Thetypestateonentrytothemainclauseofafor-inspectstatementis
Theoperatorsizeofevaluatestoanintegercontainingthenumberof elementsinthetable.Thetablemustbeinitialized. zerotimes. Size Position-of-element secondary::=sizeofsecondary
Thisoperationcanbeappliedonlytoconstantcopiesofelementsselected fromanorderedtable.Theseconstantcopiesareproducedonlywithina whereexpressionofaselector,aninspect,orafor-inspectstatement. elementwhichwasusedtoproducetheconstantcopystoredintheelement variable.Positionsbeginat0. Theoperationevaluatestoanintegerwhichisthepositionoftheselected secondary::=positionofelement{variable
thestring. Example:
Position-of-selector string

thereisnoselectedelement,aNotFoundexceptionisraised. VariantTypeFamily 11.7VariantOperations 11.HermesOperations115
Avariantisavaluewhichwillhaveoneofaxed,pre-speciedsetof type{construction ::=variantofenumeration{type(
adierentcomponentnametodesignateeachdierenttypeofvalue.A types.SinceinHermes,everyvariablenamehasexactlyonetype,weuse case{declaration ::=named{literal!component{declaration component{typestate )[case{declaration[,case{declaration]...]
variantVcanbeeither initializedandrevealed:exactlyonecomponenthasavalue.Thepro-
initializedandhidden:exactlyonecomponentexists.Theprogram uninitialized:ithasnovalueandtherearenotypestateattributes
ponentandnoother.Thetypestateisinit(V),case(V,V.X).There gramknowswhichcomponenthasavalueandcanaccessthatcom-
ponentisaccessible.Thetypestateisinit(V). doesn'tknowwhichcomponentexistsandwhichdonot,sonocom-
involvingvariableV
componentsareequal. thecasesofthevariant,andtheenumerationtypeisthecasetype. thenamedliteralsofanenumerationtype.Thesenamedliteralsarecalled literalofthecasetype,acomponentname,componenttype,andaformal Twovariantsareequaliftheyhavethesamecaseandiftheirexisting Thecomponentsofavarianttypeareinone-to-onecorrespondencewith Avarianttypedenitionspecies:(1)thecasetype,(2)foreachnamed maybeothertypestateattributesinvolvingvariableV.X.
lower. casetypestate.Thecasetypestateisthetypestatethecomponentwillhave revealed,thetypestatemaybecomehigherthanthistypestate,butnever justbeforeitishiddenandjustafteritisrevealed.Whilethevariantis Thefollowingisanexampleofavarianttypedenition. id:charstring; lisptype:enumeration('nil','atom','pair');

11611.7.VariantOperations sexpression:variantoflisptype( );'pair'->pair:conscellffullg conscell:record( 'atom'->atom:idfinitg, 'nil'->null:emptyfg,
sexpressioncontaincomponentsoftypeconscell,whichinturncontaincomponentsoftypesexpression.
beenrevealedtobeincase'pair',thenthetypestatewillbe );cdr:sexpression Notethatthesetypedenitionsaremutuallyrecursive|variablesoftype Inthisexample,ifVisavariableoftypesexpression,andithasjust car:sexpression,
Unite untiltheyarerevealedinturn.ItisnotlegaltodiscardV.Pair.Car,leavingapartiallyinitializedpair.Itis,however,legaltoreplacethevalueof
init(V),case(V,V.Pair),init(V.Pair),init(V.Pair.Car),init(V.Pair.Cdr) Innercomponents,suchasV.Pair.Car.Pair.Cdr,willnotbeaccessible
Theunitestatementinitializesavarianttoaparticularoneofitscases. Itstwooperandsareavariablenamedesignatingavariantcomponent, component.Thetypestateoftheexpressionmustbeatleastashighasthe andanexpressionevaluatingtoavalueofthesametypeasthatvariant casetypestateofthevariantcomponent.Ifitishigher,itiscoerceduntil itisexactlyequaltothecasetypestate. simple{statement
Ifthevarianthadavalue,thatvalueisdiscarded.Thevalueofthe ::=unitevariant{componentfromsource{expression
thevariantwillberevealedandthevariantcomponentwillbeaccessible. Thedissolvestatementreversestheeectoftheunitestatement.The Dissolve expressionisthenmovedintothevariantcomponent.Aftertheoperation,
rstvariablenamedesignatesavariantcomponent.Thesecondvariable namedesignatesavariableofthesametypewhichwillreceivethevalueof thatvariantcomponent. destinationvariableisdiscarded.Thevalueofthevariantcomponentis Thevariantcomponentmustberevealed.Anypreviousvalueofthe simple{statement ::=dissolvevariant{componentintoresult{variable

willbeuninitialized,andthedestinationvariablewillhavethetypestate thenmovedintothedestinationvariable.Aftertheoperation,thevariant attributesofthevariantcomponent. Reveal 11.HermesOperations117
Therevealstatementrevealsahiddenvariantcomponent.Theoperand coercedbacktohidden. exists,thenthatcomponentisrevealed.Ifthecaseofthevariantissuch thatthecomponentbeingrevealeddoesnotexist,theexceptionCaseError isavariantcomponent.Thevariantmustbehidden|ifitisrevealed,itis Ifthecaseofthevariantissuchthatthecomponentbeingrevealed simple{statement
israised,andthevariantremainshidden. ::=revealvariant{component
usually)generatedautomaticallyasaresultofacoercionwhichdropsthe caseattribute. Thehideoperationisacoercion.Itcanbeexplicitlycoded,or(more Hide
Itmustbeinitialized.Afterexecutingthestatement,thevariantwillbe hidden. Thesingleoperandofahidestatementisavariableofvarianttype. simple{statement ::=hidevariant{variable
Thecaseofoperatortakesavariantasoperandandreturnsthecaseof Case thevariant.Theresultisavalueofthevariant'scasetype. secondary::=caseofsecondary

InputPort,OutputPort,CallmessageTypeFamilies 11811.7.VariantOperations 11.8ProcessCreationandCommunication type{construction
::=callmessage(
::=inportofcallmessage{typeentry{typestate ...] )[constant{parameters] exitexit{typestate [user{exception]... [minimum] [component{declaration[,component{declaration]
constant{parameters ::=constant([component{name[,component{name]... ::=outportofinport{type
Thetypefamiliesinputport,outputport,andcallmessageareusedin \programming-in-the-large"|thatis,thedivisionofsystemsintoprocesses, minimum::=minimumminimum{typestate user{exception ::=exceptionuser{exception{nameexception{typestate ])
thecreationofprocesses,thecreationofbindingsbetweenprocesses,and
type,and(2)aformaltypestate,calledtheentrytypestate. portsorentriesarenotvaluesofvariables. inportvaluesarestoredininportvariablesjustasintegerorstringvalues made.ItshouldbeemphasizedthatinHermesinportsarevalues,andthat arestoredinintegerorstringvariables.Thisiscompletelyconsistentwith therestofHermes,butmightappear\dierent"becauseinmanylanguages thecommunicationbetweenprocesses.
Usuallythemessagetypewillbeacallmessagetype.However,themessagetypecanbeanytype,sincesendcanbeusetotransmitanyvalueto
aninport. callmessage,sinceallcallstatementswillgenerateinitializedcallmessages, willhavewhensent.Youmayomitinit(*)fromtheformaltypestateofa andusingsendtodeliveranuninitializedcallmessageispointless. Aninporttypedenitionspecies(1)atypename,calledthemessage Aninputportorinportisamessagequeuetowhichconnectionscanbe
Theentrytypestateisthetypestatethatvaluesofthemessagetype

Itistheabilityforprogramstosendandreceiveoutputportsthatgives otherHermesvalue,andcanbestoredinvariablesandpassedinmessages. ports,itshouldbere-emphasizedthatoutputportsaretreatedlikeany copiesofthesameinport.comparisonof Twoinportscompareequalonlyiftheyarethesameinportorconstant Anoutputportoroutportisaconnectiontoaninputport.Aswithinput 11.HermesOperations119
Hermesthepowerofcapability-basedsystems. messagetypeandtypestateofthismatchinginputporttype. port.Eachinputportcreatedwiththenewoperationisconsideredadifferentinputport.Aconstantcopyofaninputportisconsideredthesame
thetypeoftheinputporttowhichtheoutputportcanbeconnected.The typeandtypestateofdatasentonanoutputportisdeterminedbythe Acallmessagetypedenitionconsistsof Anoutporttypedenitionspeciesamatchinginputporttype.Thisis Twooutportsareequalwhentheyareconnectionstothesameinput
asetofcomponentdeclarations,
thesedeclarationsisimportant,becausethecallargumentsarematched Thecomponentdeclarationsdenethecallparameters.Theorderof anoptionalsetofcallmessageexceptions. anoptionalminimumformaltypestate,and anexitformaltypestate, anoptionalsetofconstantparameters,
totheseparametersinthesameorder.Theconstantparametersstatewhich componentsarenotmodiablebythecalledprocess.Theexitformaltypestatespeciesthetypestateofthecallmessagewhenitisreturnedtothe
callerinanormaloutcome.Theminimumformaltypestatespeciesthe lowesttypestatethatthecomponentsofacallmessagemaybeloweredto. callmessageisdiscarded. Thisisthetypestatetowhichthecomponentswillbeloweredwhenthe typestate.Theformaltypestatespeciesthetypestatethatthecallmessagewillhavewhenitisreturnedwiththatexception.Donotincludethclaredandthetypestateforthisexceptionisthesameastheminimum
Thecallmessageexceptionsconsistofanexceptionnameandaformal oneinwhichallconstantsarefullyinitialized,andallotherparametersare uninitialized.
Discardedexceptioninthislist|thisexceptionisalwaysimplicitlyde-
Thefollowingisanexampleofacallmessageandtheassociatedports. sampleinterface:callmessage( Ifthereisnoexplicitminimumformaltypestate,thenitistakentobe

12011.8.ProcessCreationandCommunicationOperations first:integer, second:integer,
sampleinport:inportofsampleinterface )constant(first) exitfinit(first),init(second),init(fourth)g minimumfinit(first),init(second)g exceptionFailurefinit(first),init(second),init(third),negative(first)g; third:integer,
finit(first),init(second),init(third)g; fourth:integer
dierent|parametersfirst,second,andthirdwillbeinitialized,and andreturneduninitialized.ThetypestatesfortheexceptionFailureare initializedonnormalexit.Parameterthirdisatransferredparameter| entryandexit,andguaranteedconstant.Parametersecondisaninout ownedbythecallerbeforethecall,butretainedbythecalledprocess rameterfourthisanoutparameter|uninitializedonentry,butreturned parameter|initializedonentryandexit,butnotguaranteedconstant.Pa-
Inthisexample,parameterfirstisaninparameter|initializedon sampleoutport:outportofsampleinport;
acallmessagetospecifyatypestatewhichisnothigherthanorequalto parameterfirstwillbeknowntobenegative. theminimumtypestate.Similarlyallexitandexceptiontypestatemustbe higherthanorequaltotheminimumtypestate. Newsimple{statement Itisillegalfortheentrytypestateofaninportwhosemessagetypeis
Thenewoperationinitializesaninputportvariabletoanemptyqueuewith noconnections.Thepreviousvalueoftheinputportvariableisdiscarded. Empty secondary::=emptyofsecondary ::=newvariable{name
Theemptyofoperationreturnsatruebooleanvalueifthequeueisempty, ofoperationonlytondtheinportnolongerempty.However,sinceonly otherwiseitreturnsfalse.Theoperandmustbeaninitializedinport. emptyisnotastableproperty;aprocessmayrepeatasuccessfulempty theprocessowninganinputportcanreceivemessages,beingnon-emptyis astableproperty. Sinceotherprocessesmayenqueuemessagesatarbitrarytimes,being

Connect Theconnectstatementhastwooperands.Therstoperand(beforethe keywordto)isanoutportvariable.Thesecondisaninportvariable.The simple{statement ::=connectoutport{variabletoinport{variable 11.HermesOperations121
inportvariablemustbeofthematchinginporttypeoftheoutportvariable outportvariableisassignedtoaconnectiontotheinportwhichisthe type,andmustbeinitialized. currentvalueoftheinportvariable. Call Thepreviousvalueoftheoutportvariable,ifany,isdiscarded.The simple{statement function{reference ::=calloutport{variablecall{arguments ::=call(outport{expression)call{arguments
arguments.Theoutportmustbeinitialized.Thematchinginporttypemust haveanelementtypewhichisacallmessage.Theargumentsarematched guages.Theoperandsofthecallstatementareanoutportandalistof Thecallstatementcorrespondstoaprocedurecallinconventionallan-
association associated{pair ::=outport{primarycall{arguments
used,thenthereshouldbeonefewerargumentthanparameter,themissingparameterbeingtheresult,whichispassedasanunnamedvariable.If
uptothecallmessagecomponentseitherbyposition,ifpositionalnotation isused,orbyname,ifassociationnotationisused.Iffunctionnotationis positionalnotationisusedwithafunctioncall,thenthelastcallmessage componentistheresult.Ifassociationnotationisused,thentheomitted constantparameterswillbeloweredtoexactlymatchtheentrytypestate Eachargumentmusthaveatypestateatleastashighastheentrytypestate ofthecorrespondingparameter.Thetypestatesofargumentsmatching constantparameterswillremainunchanged. ofthecorrespondingparameter.Thetypestateofargumentsmatchingnon-
call.Twovariablesoverlapifoneoftheirnamesisaprexoftheotheror theyarethesame. Eachargumentmusthaveatypematchingitscorrespondingparameter. Overlappingvariablescannotbepassedastwoormoreargumentsofa

12211.8.ProcessCreationandCommunicationOperations
ingtheargumentsintothecallmessage,(3)sendingthecallmessageto theinputporttowhichtheoutputportisconnected,(4)waitingforthe nofunctioncallcanhaveanymodiableparameterexceptitsresult. arepartsofexpressions,andexpressionsmaynotmodifytheiroperands, procedurereturns4,youwillnotchangethevalueof3.)Sincefunctioncalls ables.Ifthesevariablesarepassedtomodiableparameters,themodica-
tionsarelost.(Forexample,ifyoupass3toaninoutparameter,andthe Thecallisexecutedby:(1)creatinganewcallmessagevalue;(2)mov-
Itshouldbenotedthatexpressionsareevaluatedintotemporaryvari-
callmessagetobereturned,(5)movingthecallmessagecomponentsback theneventuallythemessagewillbereceived. ismade,andthereceivingprocessrepeatedlyissuesreceivestatements, arereturnedinthesametypestatetheyweresent. ontheseoutputportsaremergedfairly.Thismeansthatifacallorsend intotheargumentvariables,(6)throwingawaythecallmessage. aportconnection,theDisconnectedexceptionisraised.Thearguments riedoutasinaregularcall,butadditionally,theexceptionisraisedinthe Ifthecallisreturnedwithanexception,thenalltheabovestepsarecar-
Ifseveraloutputportsareconnectedtothesameinputport,thencalls
caller.Thiscanonlyhappenifthereexistsadeclarationofthatexceptionin thecallmessagetypedenition.Thefullnamefortheexceptionincludesthe callmessagetypeandtheexceptionname|.. Iftheinputporthasbeenthrownaway,leavingtheoutputportwithout
parametersareaddedanddropped.Theseaddsanddropsareappliedto betweentheentryandreturntypestatesdeneswhichattributesofthe .Discardedisraisedinthecaller.Thecallmessageisreturned withtheparametersintheminimumtypestateasdenedinthecallmessage tatejustpriortothecall,fromtheentrytypestate,andfromthetypestate
denedforthenormalorexceptionalreturnbeingmade.Thedierence Thetypestateafterexecutingacallstatementisderivedfromthetypes-
Iftheprocessowningthecallmessagediscardsit,thentheexception
theargumentsmatchingtheparameters. Forexample
tionsampleinterface.Failure,thetypestatewillbefinit(p),init(a), constantparametersecond,itcannotretainitsattributeeven(b),which even(b),init(c)g.Sinceamatchestheconstantparameterfirst,it mayretainitsadditionalattributeeven(a).Sincebmatchesthenon-
isdroppedpriortothecall.Onnormalreturnfromthecall,thetypestate willbefinit(p),init(a),even(a),init(b),init(d)g.Onexcep-
typestatepriortothecallis:finit(p),init(a),even(a),init(b), callp(a,b,c,d);
even(a),negative(a),init(b),init(c)g. Supposethetypeofpissampleoutport,denedabove.Supposethe

possible,andstoresitinadestinationvariable.Theinputportmustbe Receive Thereceivestatementdequeuesamessagefromaninputport,ifthisis simple{statement ::=receivecallmessage{variablefrominport{variable 11.HermesOperations123
initialized.
thenthereceivestatementwillblockindenitely. beraised. toreceiveisnon-deterministic. Themessageismovedintothedestinationvariable.Thisvariablewillbein theentrytypestateassociatedwiththeinport.Thechoiceofwhichmessage port.Thepreviouscontentsofthedestinationvariable,ifany,arediscarded. Iftheinporthasconnections,butnomessageiseversenttotheinport, Iftheinporthasnoconnections,thentheDisconnectedexceptionwill Onnormalcompletionofreceive,amessageisdequeuedfromthein-
Return Thereturnstatementreturnsacallmessagetoitscallerandresumesexecutionofthecaller.Optionally,anexceptioncanbereturnedtothecaller.
simple{statement
qualier. inthedenition.Theexceptionnameiswrittenwithoutanytypename ceptionforthatcallmessagetype|eitherDiscarded,oranexceptionlisted Thereturnstatementmustspecifyeithernoexception,oralegalex-
::=returncallmessage{variable
Thecallmessagemusthavethetypestateattributesassociatedwiththe [exceptionuser{exception{name]
whichisexpectedbythecaller. appropriateexceptiontypestateforareturnwithanexception.Ifthetypestateishigher,coercionsareinsertedtolowerthetypestatetoexactlythat
kindofreturn|theexittypestateforareturnwithoutexceptions,orthe
theequivalenteectofprocedures,codethereturnstatementasthelast executablestatementoftheprocess,orfollowthereturnstatementwith anexitstatementjumpingtotheendoftheprocess. ment,aswouldbethecaseifprocesseswerepassiveprocedures.Toproduce continuesexecuting. execution.Ifanexceptionisspecied,thatexceptionisraisedinthecaller, notintheprocessissuingthereturnstatement.Theprocessissuingreturn Thereisnoautomaticterminationofaprocessexecutingareturnstate-
Afterthereturn,thecallmessageisuninitialized.Thecallerresumes

12411.8.ProcessCreationandCommunicationOperations Send
terminedfromthematchinginporttypeoftheoutport.Ifthetypestateis musthavetheentrytypestateorhigher.Thetypeandtypestatearede-
higherthantheentrytypestate,itiscoerceddowntotheentrytypestate. inputport.Itsoperandsareasourcevariableandanoutport. Thesendstatementmovesavalueoutofavariableandenqueuesitonan Thevariablewhosevalueistobesentmusthavethecorrecttype,and simple{statement
Theoutputportmustbeinitialized. ::=sendsource{expressiontooutport{expression
carded,thentheDisconnectedexceptionisraised. Create Iftheinputporttowhichtheoutputportwasconnectedhasbeendis-
compiledwithinthemainprogramorwithinotherprocessliterals.Amain setofprocesses.Oneisthemainprogram.Theothersareprocessliterals isavariableoftypepredefined!program.Theresultisanoutport. Thecreateofoperationinstantiatesanewprocess.Theoperandofcreate Theprogrammusthavethetypestatechecked. Theprogramvalueisdenedinthepredefinedmodule.Itconsistsofa secondary::=createofsecondary programistheresultofconvertingtheprocessmoduleproductionofa process.Thismustbeaninputporttype.Whencreateisexecuted,itis sourcemodule. outporttypewhichistheresultofthecreatestatement.Ifitisnot,the checkedthatthisinputporttypeisthematchinginputporttypeofthe exceptionInterfaceMismatchisraised. Theinitializationportisthevariabledeclaredfollowingthekeyword
Procedure initializationportwillbeinitialized.Aconnectiontotheinitializationport isreturnedasthevalueofcreate. willexecutetheprogramdenedbythemainprogramintheprogramvalue, beginningatthestatementfollowingthekeywordbegin.Initiallyonlythe Ifthereisnointerfacemismatch,anewprocessiscreated.Thisprocess
isacheckedprogram,andtheresultisanoutputport.Aswithcreate, anInterfaceMismatchexceptionisreturnediftheoutputporttypeis Theprocedureofoperationinstantiatesaprocessgenerator.Theoperand secondary::=procedureofsecondary

incompatiblewiththeinputporttypeoftheinitializationportofthenew
iscreatedisnotaprocessrunningthedesignatedprogram,butinsteadis ageneratorprocess. Theeectofprocedureisidenticaltothatofcreateexceptthatwhat Eachtimethegeneratorprocessiscalled,itconstructsanewinstanceof 11.HermesOperations125
exactlylikethesemanticsofproceduresinAlgol-likelanguages. iscalledprocedureofbecausethesemanticsofgeneratorprocessesis aprocessrunningthedesignatedprogram.Itthensendsthecallmessageit receivedtotheinitializationportofthenewprocess. ofthedesignatedprogram.Theoperationtocreateageneratorprocess callaninputportinthesameprocesswillproduceadeadlock.Acalltoa generatorprocesswillnotdeadlocksinceeachcallgeneratesanewinstance Ordinaryprocessesarenotrecursive,sinceanattemptbyaprocessto
11.9PolymorphOperations Apolymorphisavalueconsistingoftwoparts:(1)awrappedvalue,which PolymorphTypeFamily formaltypestateofthewrappedvalue. thepurposesofassignmentandcomparison.Forexample: canbeofanytypeandtypestate,(2)awrapperdescribingthetypeand Resource:polymorph; Apolymorphtypedenitiondenesadistinctdomainofpolymorphsfor type{construction
MailItem:polymorph; ::=polymorph
wrappedvaluesofanytype;however,avariableoftypeResourcecannot ifandonlyifbothwrappersandbothwrappedvaluesareequal. Wrap beassignedwithorcomparedtoavariableoftypeMailItem. VariablesoftypeResourceandvariablesoftypeMailItemcancontain Twopolymorphscanbecomparedforequality.Thepolymorphsareequal
containingthesourcevariable'stypeandformaltypestate,andmovesthe resultantpolymorphvalueintothepolymorphvariable.Thepolymorph ofthetypestateofthewrappedvalue.Thesourcevariable'stypestatewill Thewrapstatementremovesavaluefromasourcevariable,addsawrapper variableitselfwillhaveatypestateofinitaftertheoperation,regardless simple{statement ::=wrapsource{expressionaspolymorph{variable

12611.9.PolymorphOperations
positive(x.id),gt(x.id,y)g.Thenafterexecutingthestatement tateattributesincludingxare:finit(x),init(x.name),init(x.id), andavariablethatdoesnot. constraintwhichincludebothavariablethatoverlapsthesourcevariable thedestinationvariablewillbedropped. beuninitialized.Beforethewrapstatementtypestateanalysiswilldropany nordestinationcanbeconstant,andattributesotherthaninitinvolving Othertypestaterestrictionsapplyasforamovestatement:neithersource
inalvalueofx,andwhosewrappercontainsatypeofpersonanda formaltypestateoffinit(*),init(name),init(id),positive(id)g. Theconstraintfgt(x.id,y)gwillbedropped. wrapxasy; thevalueofywillbeapolymorphwhosewrappedvalueistheorig-
Forexample,supposethatvariablexisoftypeperson,andthetypes-
Unwrap Thenewtypestateforywillbesimplyfinit(y)g.
expectedbythedestinationvariable.Thesource(polymorph)variablemust thatthetypeandtypestateonthewrappermatchthetypeandtypestate andmovesthevalueintoadestinationvariable.Aruntimecheckinsures Theunwrapstatementremovesawrappedvaluefromapolymorphvariable simple{statement ::=unwrapresult{variable
expectedtypestateisspeciedbycodingaformaltypestatewithinthe beinitialized. Theexpectedtypeissimplythetypeofthedestinationvariable.The frompolymorph{expressionunwrapped{typestate
unwrapstatement. type,orifthetypestateonthewrapperisnotatleastashighastheformal typestatespeciedontheunwrapstatement,thenaPolymorphMismatch exceptionisraised. Ifthetypeonthewrapperdoesnotmatchthedestinationvariable's
attributesofthedestinationvariableotherthanthosedenedbytheformal typestatearedropped. above,wecodethestatement: nordestinationcanbeconstant,thesourcevariablebecomesuninitialized, movingthevalue.Thismayentaildiscardingsomeofthewrappedvalue. theunwrapstatement,thentheappropriateattributesaredroppedbefore Othertypestaterestrictionsapplyasforamovestatement:neithersource Forexample,assumethatimmediatelyafterthewrapstatementshown Ifthetypestateonthewrapperishigherthanthetypestatespeciedon
unwrapxfromyfinit(*),init(id),positive(id)g;

Inspect-polymorph willincludefinit(name)g.Componentnamewillbediscardedbeforemovingthewrappedvalueintox.Theresultingtypestatewillbefinit(x),
Thetypeswillmatch,buttheformaltypestateinthewrapperofy 11.HermesOperations127 init(x.id),positive(x.id)g. compound{statement ::=inspectdeclaration
morphisconstant. ceptthatinsteadofmovingthewrappedvalue,aconstantcopyismade. Theinspect-polymorphstatementbehaveslikeanunwrapstatementex-
Thisallowsthevalueofapolymorphtobeexamined,evenifthepoly-
endinspect begin [statement;]... frompolymorph{expressioninspect{typestate
whichwouldbelegalevenifthepolymorphywereconstant: Hereisanalternativeversionoftheunwrapstatementshownabove,
wouldnotbeaccessible,sincethetypestateinsidethestatementwouldbe thatcomponentwouldnotbediscardedintheconstantcopyx,butit inspectx:personfromyfinit(*),init(id),positive(id)g
operation. simplyfinit(y)init(x),init(x.id),positive(x.id)g. Assumingthatthewrappedvaluehadaninitializedcomponentname, TheexceptionPolymorphMismatchisraisedexactlyasforanunwrap endinspect; begin .../*statementsreferringtox*/
Type morphwrapper.Thisisaninitializedvalueoftypepredefined!typeofvalue. Thetypeofoperationevaluatestothetypeinformationstoredinthepoly-
Thevalueincludesthetypename,thedenitionsmoduledeningthetype name,andalltheimporteddenitionsmodules. Theoperandmustbeaninitializedpolymorph. secondary::=typeofsecondary Typestate secondary::=typestateofsecondary

12811.9.PolymorphOperations Thevalueincludesthetypestate,thedenitionsmoduledeningthetypestate,andalltheimporteddenitionsmodules.
Thetypestateofoperationevaluatestothetypestateinformationstored inthepolymorphwrapper.Thisisaninitializedvalueoftypepredefined!typestateofvalue.
intocheckedprogramvalues.Alternatively,youcancreateprogramvalues, linearsourceformandpassthemtotheHermescompilerforconversion 11.10ProgramOperations InHermes,youcancreateprogramsintwoways:Youcanwritethemin Theoperandmustbeaninitializedpolymorph.
either\fromscratch",orbycomposingormodifyingotherprogramvalues.
pilingitintomachinecodeforthemachineormachinesonwhichthepro-
statement ingacheckedprogramwillbemissingthepredefined!checkedattribute. Tocheckafullyinitializedinstanceofprogramvariablepgm,executethe tributepredefined!checked.Aprogrambuiltfromscratchorbymodify-
assertchecked(pgm); InmostimplementationsofHermes,checkingaprogramalsoentailscom-
Aprogramvalueobtainedfromthecompilerwillhavethetypestateat-
instantiateaprogramwhichisnotchecked. predefined!program. ProgramLiteral gramwillbeinstantiated.Thisisanoptionalandmachine-dependentop-
timization;theprogrammercannotdirectlymanipulatethemachinecode. Thechecking,however,isnotoptional.Itisatypestateerrortotryto Theoperationsinthissectionareusedtoconstructobjectsoftype Thepredefined!programdenitionisshownintheappendix. program{literal ::=process(declaration) begin [declaration{section] [pragma]
Thecompilerwillchecktheprogramliteralatthesametimethatitchecks Aprogramliteraloperationiscodedasaself-deningvalue.Thevalueof theliteralisthevalueoftheprogramaftertranslationbythecompiler. ::=processlink{name endprocess [handler]... [statement;]...

theprogramwhichembedsit.Thereforetheprogramliteralvaluewillhave thetypestateattributechecked. Example: doubler

13011.10.ProgramOperations where(parm.input=0) where(parm.input>0) parm.result

type).Ifthecheckfails,theexceptionDefinitionErrorisraised. ischeckedforresolutionerrorsandotherrestrictions(e.g.eachvariant denitionincludesacaseidforeachpossiblevalueoftheenumeration operandisafullyinitializeddenitionsmodule.Thedenitionsmodule Thisoperationcompletestheinitializationofadenitionsmodule.The Ifthechecksucceeds,theidcomponentofthedenitionsmoduleisre-
11.HermesOperations131
attributebehaveslikeaconstraint:anyattempttomodifythedenitions initionsmodulearereplacedbytheuniqueidentier.Thedenitionsmod-
uleacquirestheattributecheckeddefinitions.Thecheckeddefinitions placedbyauniqueidentier.Allreferencestothatidentierwithinthedef-
modulewilldiscardtheattributecheckeddefinitions.Unlikeaconstraint attribute,checkeddefinitionscannotbeusedinanassertstatement; anteedthatwhentwotypenamesorattributenamesareequal,theyalways mescanenforce\nameequivalence"oftypes.Noothercheckeddenitions modulecanpossiblyhavethesamemoduleidentier.Thereforeitisguar-
denotethesametypeorattributedenition. theattributecanonlybeassertedbyexecutingthecheckdefinitions statement.
11.11Constraints Becausecheckeddenitionsaregivenauniquemoduleidentier,Her-
attribute{construction
argumentbenon-negative.Aprogramlibrarymightbedenedasatable ::=constraint(
ofcheckedprograms. Forinstance,theinterfacetoasquare-rootfunctionmightrequirethatthe Constraintsareprogrammer-denedpredicatesonthevaluesofvariables.It isoftendesirabletoincludeconstraintsininterfacesorintypedenitions. )isconstraint{typestateconstraint{expression [declaration[,declaration]...]
betrackedastypestateattributes.Currently,Hermesisnotsophisticated enoughtounderstandthesemanticsofconstraintpredicateswellenough totrackhowtheyarepreservedunderalloperations.Forexample,the compilerwillnotdeterminethataddingonetoanon-negativenumberwill yieldanothernon-negativenumber.Whatitwilldoisthefollowing: InHermes,theprogrammercanspecifythatcertainconstraintsareto
addthetypestateattributeNonNegative(a)iftheoperationassert associateanamewithapredicate{e.g.NonNegative(x)withthe whichwilltestwhethera>=0andraiseanexceptionifitisnot. predicatex>=0.ThisdenesanoperationassertNonNegative(a)

13211.11.Constraints
ConstraintDenitions Thissimpletrackingofconstraintsisenoughformanypracticalpurposes. tracktheattributeNonNegative(a)throughsuccessorstatements NonNegative(a)isnotinthetypestate untileitheraismodied,orcontrolmergeswithapathinwhich NonNegative(a)succeeds.
Aconstraintdenitionincludes:adeningoccurrenceofanattributename, asetofformalparameters,thetypeandtypestateoftheseformalparametersportedexactlyasaretypedenitions
Example:
Assert NonNegative:constraint(x:integer)is Interval:constraint(x:integer,y:integer)is Constraintattributedenitionsoccurindenitionsmodulesandareim-
finit(x)gx>=0;
simple{statement finit(x),init(y)gx

isusuallygeneratedasacoercionwhenmergingtwopathsoneofwhich includesaconstraintattributeandtheotherofwhichdoesnot.However, itcanbecodedexplicitlybytheprogrammertoindicatethataconstraint isabouttobebroken: Thedropstatementexplicitlydropsaconstraintattribute.Thisoperation
11.HermesOperations133
while('true')repeat Rq

familiarBNF(Backus-NaurForm).Thefollowingnotationalconventions AppendixA HermesConcreteSyntax TheHermessyntaxispresentedinthisappendixinaformatsimilartothe apply: Namesofsyntacticcategories(nonterminalsymbols)arerenderedin Keywordsandothernon-terminals(e.g.punctuation)arerenderedin Optionalsyntaxisenclosedinsquarebrackets.Theindicatedconstructmayappearonceornotatall.
Example:compound{statement italic. caseisinsignicant)Ėxample:begin,,! boldface.Theyshouldappearinprogramsexactlyasshown(though Repeatingsyntaxisindicatedbyellipsis.Theimmediatelypreceding iftherepeatedconstructisnotshownasoptional,thenatleastone constructmayappearanynumberoftimesinsuccession.Notethat repetitionmustappear. Example:exit{name[,exit{name]... [declaration{section]

A.1LexicalRules Webeginwiththerulesthatdenethelexicaltokensofthelanguage, distinguishthemfromnormalidentiers.Additionallogicisrequiredto includingidentierandvarioustypesofliteral.Notethatkeywordsand reservedwordsarelexicallyequivalenttoidentiers.Atableisusedto AppendixA.HermesConcreteSyntax135
arelistedinTableA.1. determinewhenakeywordisactuallyusedasakeywordandwhenitis acter.Tokensmayneverspanlines,includingnamedliteralsandstring appearbetweentokens. tiontokens.PunctuationsequencesarelistedinTableA.2. usedasanormalidentier,sincemostkeywordsarenotreserved.Keywords literals.Arbitraryamountsofwhitespace(spaces,tabs,linebreaks)may named{literalandstring{literal,wheretheytreatedlikeanyotherchar-
Certaincharactersandtwo-charactercombinationsconstitutepunctua-
Spacesandtabsarenotallowedwithintokens,exceptinthecaseof Therearetwocommentingstyles: Commenttextmaybeembeddedwithinalinebydelimitingitwith Twoconsecutivehyphens(--)beginacommentthatextendstothe endoftheline.
integer{literal extendstotheendoftheline.Acommentistreatedasaspace. identier::=alpha[alphanum]... Acommentbeginswithtwoconsecutivehyphencharacters(--)and thecharacterpairs\/*"atthebeginningand\*/"attheend.
integer{part::=integer{literal real{literal::=[sign]initeger{part.[fraction{part][exponent] fraction{part::=integer{literal ::=[sign]digit[digit]...
exponent::=exponent{letter[sign]integer{literal named{literal otherthanthespacecharacterareimplicitlyexcludedinallcases. string{literal::="[string{literal{character]..." Characterclassesusedintheaboveareasfollows.Nonprintingcharacters ::='named{literal{character[named{literal{character]...'

136A.1.LexicalRules digitisanyofthedigits0through9. alphaisanyupperorlowercaseletter,ortheunderscorecharacter alphanumincludesallcharactersindigitanddigit. exponent{letterincludestheupperandlowercaseletter'E'. signincludestheplus(+)andminus(-)signs. ().
string{literal{characterincludesallcharactersexceptthedoublequote named{literal{characterincludesallprintingcharactersexceptthe singlequote(').Twoconsecutivesingle-quotecharacterswithina (").Twoconsecutivedouble-quotecharacterswithinastring{literal named{literalaretreatedasonesinglequotecharacterinthisclass. aretreatedasonedoublequotecharacterinthisclass.

accuracy against andy assert drop elsey AppendixA.HermesConcreteSyntax137
attributename beginy empty endy enumerationminimumreveal is keys linking merge block evaluatey remove
boolean eventy every moduleidsend new repeat
nominal return
callmessage case exception noty select
checkdenitionsfalse connect exists exit of ony size
constant extract table
constraint ordered theny
convert otherwiseytypestate to
copy forall outport true
create from hide if polymorphunite position pragmay print typename uniquey unwrap using
TABLEA.1.Hermeskeywords.Reservedwordsaremarkedwithadagger(y). Reservedwordscannotbeusedasidentiers. currentprogramyinport declare denitions discard dissolve insert inspect integer into procedurewherey processy real receive record variant while
({varioususes {{typestatedelimiter}typestatedelimiter )varioususesothersy
,{listseparator !{modulequalier .{componentselection{casedeclaration ={equal =greaterorequal *multiply -minus

follows. modules)otherprocessmodulestobestaticallylinked.Themodulebody allysupplieslistsofdenitionsmodulestobeimportedand(forprocess 138A.1.LexicalRules Amoduleisintroducedbyaheaderwhichnamesthemoduleandoption-
module::=module{name:[imports][linking] A.2SyntacticRules
process{module{body
whatthenfollowslooksalmostlikeablockbody:anoptionaldeclarations Aprocessmodulebodybeginswithadeclarationfortheinitport,and linking::=linking([link{name[,link{name]...]) imports::=using([module{name[,module{name]...]) section,followedbythestatementsformingtheprocessbody,optionally denitions{module{body
process{module{body followedbyoneormoreexceptionhandlerspecications ::=process(declaration)
nameofitstype.Apragmaisoptionalpriortothetypename. Adeclarationcontainsanidentier(thevariablebeingdeclared)andthe endprocess [handler]... begin [declaration{section] [pragma]
declaration{section ::=declare[declaration;]... [statement;]...
optionallybeprecededbyapragma. Statementscomeintwobasicvarieties:simpleandcompound.Eithermay statement::=[pragma]simple{statement declaration::=base{variable:[pragma]type{name ::=[pragma]compound{statement

Thesimplestatements: simple{statement ::=result{variable:=source{expression
AppendixA.HermesConcreteSyntax139
::=assertattribute ::=calloutport{variablecall{arguments ::=call(outport{expression)call{arguments ::=checkdenitionsdenitions{module{variable againstdenitions{library{variable source{expression
::=connectoutport{variabletoinport{variable ::=dropattribute ::=discardvariable{name ::=exitexit{name ::=dissolvevariant{componentintoresult{variable ::=extracttable{variablefromselector ::=insertelement{expressionintotable{variable ::=hidevariant{variable ::=mergetable{expressionintotable{variable ::=newvariable{name ::=printexpression ::=receivecallmessage{variablefrominport{variable ::=removeelement{variablefromselector
::=returncallmessage{variable [atposition{expression]
::=revealvariant{component ::=sendsource{expressiontooutport{expression ::=unitevariant{componentfromsource{expression ::=unwrapresult{variable [exceptionuser{exception{name]
Thecompoundstatements: ::=wrapsource{expressionaspolymorph{variable frompolymorph{expressionunwrapped{typestate

140A.2.SyntacticRules compound{statement ::=block begin [declaration{section] [constant{section]
::=forenumeration{variable:enumeration{typerepeat ::=forselectorinspect endfor
endblock [handler]...
[statement;]...
::=inspectdeclaration ::=inspectselectorbegin ::=iftest{expression
endif frompolymorph{expressioninspect{typestate
[else[statement;]...] then[statement;]...
::=select[select{expression] endinspect [statement;]...
Varioussyntacticelementsappearingincompoundstatements: ::=whiletest{expressionrepeat endselect [select{clause]...
constant{sectionendwhile
[statement;]... otherwise{clause
select{clause::=boolean{guard[statement;]... handler::=on([exception{name[,exception{name]...]) ::=constant([base{variable[,base{variable]...]) ::=onexit([exit{name[,exit{name]...])

oolean{guard event{guard::=eventinport{variable ::=event{guardandboolean{guard[statement;]... ::=event{guard[statement;]... AppendixA.HermesConcreteSyntax141
[...]). Threesyntaxesareavailableforselectors(usedintableoperations):along form(usingwhere),andtwoshorthandforms(usingsquarebrackets{ otherwise{clause ::=where(test{expression)
selector::=base{variableintable{variable ::=otherwise[statement;]...
TheHermesexpressionsyntaxfollows.AlltheHermesbinaryoperators ::=table{variable[[expression[,expression]...]]
where(selector{expression)
expression::=disjunction representthis. areleft-associative,thoughthegrammarshownheredoesnotexplicitly
disjunction::=conjunction relation::=concat conjunction::=relation ::=disjunctionorconjunction
::=concatconcat ::=concat=concat

142A.2.SyntacticRules term factor::=secondary ::=factor ::={factor ::=term+factor ::=term{factor
secondary::=primary ::=factorremsecondary ::=factormodsecondary ::=factor/secondary ::=factor*secondary ::=the{element ::=caseofsecondary ::=createofsecondary ::=convertofsecondary ::=copyofsecondary ::=emptyofsecondary ::=evaluatedeclarationfrom[statement;]...end ::=everyofselector ::=existsofselector ::=forallofselector ::=notsecondary
primary::=type{speciertyped{primary ::=positionofelement{variable ::=positionofselector ::=procedureofsecondary ::=sizeofsecondary ::=typeofsecondary ::=typestateofsecondary
typed{primary type{specier::=type{name# ::=variable{name ::=function{reference ::=typed{primary ::=literal

::=(expression)AppendixA.HermesConcreteSyntax143 ::=currentprogram
Literalsofvarioustypes: the{element::=selector function{reference ::=unique
literal::=integer{literal ::=real{literal ::=named{literal ::=string{literal ::=outport{primarycall{arguments
program{literal ::=program{literal ::=attributename{literal ::=typename{literal ::=process(declaration)
attributename{literal ::=processlink{name endprocess [handler]... begin [declaration{section] [pragma]
typename{literal ::=nattributenameattribute{namen [statement;]...
Adenitionsmodulecomprisesacollectionoftypeandconstraintdenitions.Atypedenitionassociatesanamewithatypeconstruction,while
aconstraintdeninitionassociatesanamewithanattributeconstruction. Apragmamayoptionallyappearwitheithertypeofdenition. ::=denitions ::=ntypenametype{namen denitions{module{body enddenitions [denition;]...

144A.2.SyntacticRules Typeconstructions: type{construction denition::=denition{name:[pragma]construction construction::=type{construction ::=callmessage( ::=boolean(boolean{association) ::=attribute{construction
::=[ordered]enumeration( ...] )[constant{parameters] exitexit{typestate [user{exception]... [minimum] [component{declaration[,component{declaration]
::=inportofcallmessage{typeentry{typestate ::=polymorph ::=nominal ::=outportofinport{type ::=integer
[named{literal[,named{literal]...]
::=realofaccuracyinteger{literal/integer{literal ::=[ordered]tableofelement{typeelement{typestate ::=record(
[component{declaration[,component{declaration]
Varioussyntacticelementsusedintypedenitions: boolean{association ::=true:named{literal,false:named{literal ::=variantofenumeration{type( )[case{declaration[,case{declaration]...]
[keys[key]...]
::=false:named{literal,true:named{literal

user{exception constant{parameters minimum::=minimumminimum{typestate ::=constant([component{name[,component{name]... ]) AppendixA.HermesConcreteSyntax145
key ::=exceptionuser{exception{nameexception{typestate
Attributeconstructions: case{declaration ::=([formal{variable[,formal{variable]...])
attribute{construction component{declaration ::=constraint( ::=named{literal!component{declaration ::=declaration component{typestate
(e.g.variants,tables,inports).Inaformaltypestatespecication,eachattributeargumentistakentobeacomponentofanassumedbasevariable
attribute::=attribute{nameattribute{arguments formal{typestate formal{attribute typestate::=f[attribute[,attribute]...]g specicationconsistsofacollectionofattributes,eachofwhichincludesan attributenameandalistofarguments.Formaltypestatesappearinthe unwrapandfor...inspectstatements,andinseveraltypeconstructions Typestatespecicationsappearinattributeconstructions.Atypestate )isconstraint{typestateconstraint{expression [declaration[,declaration]...]
whichdependsonthecontext.
Argumentlistsappearinvariouscontexts,includingcallstatementsand typestateattributes.Theymatchactualargumentstoparameters.Positionalmatchingisachievedwithacomma-separatedlistofarguments.A
keyword-basedargumentslistexplicitlyincludestheparameternamesso ::=f[formal{attribute[,formal{attribute]...]g
thatpositionisunimportant. allowedasanargument. Thevarioustypesofargumentlistsaredistinguishedonlybywhatis ::=attribute{nameformal{attribute{arguments

146A.2.SyntacticRules call{arguments labeled{expression attribute{arguments ::=([expression[,expression]...]) ::=(labeled{expression[,labeled{expression]...)
labeled{variable{name ::=identier:expression
formal{attribute{arguments ::=([variable{name[,variable{name]...]) ::=identier:variable{name ::=empty ::=([formal{variable[,formal{variable]...]) ::=(labeled{variable{name[,labeled{variable{name]...)
Names: attribute{name labeled{formal{variable ::=(labeled{formal{variable[,labeled{formal{variable]...
::=denition{name ::=identier:formal{variable )
component{name builtin{exception{name base{variable::=identier ::=module{name!denition{name
exception{name denition{name
::=type{name.user{exception{name
exit{name::=identier ::=builtin{exception{name

formal{variable module{name::=identier link{name::=identier ::=* ::=component{name[.component{name]... AppendixA.HermesConcreteSyntax147
type{name::=denition{name
Variablenamesappearinginparticularcontexts variable{name user{exception{name ::=module{name!denition{name
callmessage{variable
::=base{variable[.component{name]...
denitions{library{variable
enumeration{variable denitions{module{variable element{variable
inport{variable ::=base{variable
result{variable polymorph{variable outport{variable
table{variable ::=variable{name

148A.2.SyntacticRules variant{component variant{variable
element{expression Expressionsappearinginparticularcontexts: constraint{expression
::=variable{name
position{expression polymorph{expression outport{primary outport{expression
::=primary ::=expression
select{expression table{expression selector{expression source{expression
test{expression ::=expression
::=expression
Typesappearinginparticularcontexts:
inport{type::=type{name enumeration{type element{type::=type{name callmessage{type

Typestatesappearinginparticularcontexts: component{typestate constraint{typestate
AppendixA.HermesConcreteSyntax149
element{typestate entry{typestate exception{typestate
::=typestate
exit{typestate::=formal{typestate inspect{typestate
minimum{typestate
unwrapped{typestate
empty::= open-ended.Itmaybecomemorestructuredinthefuture. Variousoddsandends.Notethatthepragmasyntaxiscurrentlyvery pragma::=pragmastring{literal ::=formal{typestate

AppendixB HermesOperations Thischapterlistsallthehermesoperationsandprovidespreciserulesfor typechecking,typeinferencing,andtypestatecheckingeachoperation. AtypicaloperationdescriptionappearsinFigureB.1.Theexamplewillbe usedthroughoutthissection. B.1OperationDescriptions merge{at(destination,source,position)Exceptions:Depletion, TypeRules: Preconditions:
destination2orderedtable source2table destinationsource predefined!integer RangeError,
init(source) (DuplicateKey)
Description:Removealltableelementsfromsourceandinsertthem duplicatekey(destination) var(destination) init(destination) init(position) var(source) Postconditions:
intodestinationsothattheresultingpositionofthersttransferred makeuninit(source)
element,ifany,willbeequaltoposition.Allothertransferredelements killconstraints(destination)
Qualier:absent andfollowingthelasttransferredelement. Allelementsofdestinationthatformerlyoccupiedpositionsatposition willfollowconsecutively,inthesameorderastheyappearedinsource. orbeyondareshiftedsothattheyappearinthesamerelativeorder, FIGUREB.1.SampleoperationdescriptionSeex11.6,p.112

destination,source,andposition.Someoperationstakeavariablenumber ofoperands.Inthesecases,theoperandlistwillappearasanellipsis. B.1.1DescriptionHeader Theoperationnameappearsrst,inbold-face,followedbyanoperandlist. Ourexampledescribesthemergeatoperation,whichtakesthreeoperands: Onthefarrightoftheheaderlineisalistoftheexceptionsthatcan AppendixB.HermesOperations151
beraisedbytheoperation.OurexampleshowsthatDepletion,RangeError,andDuplicateKeymayallberaisedbythemergeatoperation.The
B.1.2TypeRules terminingthisarespeciedlaterintheoperationdescription.Inthiscase, DuplicateKeycanberaisedonlyifthedestinationisakeyedtable. Belowthedescriptionheaderarethetyperules,whichformthebasisfor parenthesessurroundingDuplicateKeyindicatethatinsomecasesitcan
bothtypechecking(ensuringthatoperandsareofthecorrecttype),and bestaticallydetermined,basedonthetypesoftheoperands,thatthe
typeinferencing(deducingthetypeofundeclaredoperandsfromtheircontext).Thetyperulescomeintwoforms:classrulesandinferencerules.
classcontainsmanytypes.Thefollowingclassruleappearsinthemergeat Aclassrulespeciesthatanoperandmustbeofatypethatfallsina
mergeatoperationcannotraiseDuplicateKey.Theexactconditionsde-
description: speciedclass.Aclassrulecanneverbeusedtoinferatype,sinceatype
ation.Anexampleinwhichnootheroperandappearscanbefoundinthe mergeatoperation:position typemayormaynotdependonthetypeofanotheroperandintheoper-
AlistofthetypeclassesandtheirmeaningsappearsinsectionB.2. Aninferenceruleconstrainsanoperandtobeofaparticulartype.That destination2orderedtable
insertinstruction:element \assignmentrule."Thesecondrulerequiresthatelementbeofthetype predefined!integer.Thistypeofinferenceruleissometimescalledan Therstrulerequiresthatthepositionoperandbeofthespecictype, Foranexampleinvolvingtwooperands,wehavethefollowingfromthe elementtypeof(table) predefined!integer
function"tothetypeofthetableoperand.Allinferencefunctionsand theirmeaningsarelistedinsectionB.3. thatisuniquelydeterminedbyapplyingtheelementtypeof\inference

152B.1.OperationDescriptions inferthetypeoftheleft-handoperand,ifeithertheruleisoftheassignment variety,orifthetypeoftheright-handoperandisalreadyknown. Aninferencerulecanbeusedfortypechecking.Itcanalsobeusedto
ofeitheroperandcanbeinferredfromthetypeoftheother. fromthemergeatoperation: tion,whichidentiestwooperandsthatmusthavethesametype.Allsuch rulesinanoperationdescriptionaredisplayedasinthefollowingexample Inthiscase,thenormalasymmetryofinferencerulesvanishes:thetype Aspecialnotationisusedforrulesinvolvingthesameasinferencefunc-
B.1.3Preconditions Preconditionandpostconditionrulesappearinside-by-sideboxesbelow thetyperules. destinationsource
timetheoperationistobeexecuted.Allpreconditionsmustbestatically veriablebythecompiler. Thepreconditionrulesspecifyvariousconditionsthatmustholdatthe
deneconditionsunderwhichanexceptionisknowntobepossible.Forexample,thefollowingpreconditionindicatesthatifthedestinationoperand
isakeyedtable,thentheoperationcanraiseDuplicateKey: init(source) operationcantakeplace. listofoperands.Anexamplefromthemergeatoperationis: Some\preconditions"donotcheckforanytypestateattributes.They Thisstatesthatthesourceoperandmustbeinitializedbeforethemergeat Apreconditiontakestheformofapreconditionfunctionfollowedbya
B.4. B.1.4Postconditions Thepostconditionrulescharacterizetheeectsofanormal(non-exception) executionoftheoperation.Eachruleisspeciedviaapostconditionfunctionfollowedbyalistofoperands.Anexamplefromthemergeatoperation
is: Allthepreconditionfunctionsandtheirmeaningsarelistedinsection duplicatekey(destination)
makeuninit(source)

operandwillnolongerbeinitialized. B.1.5SpecialRules Thisindicatesthatfollowingasuccessfulmergeatoperation,thesource ThepostconditionfunctionsandtheirmeaningsarelistedinsectionB.5. AppendixB.HermesOperations153
theoperandstoanoperationwithoutaxedoperandlist(likecallor assert)arespeciedinthismanner. treatmentismostlyrequiredwhenarulecannotbeexpressedsolelyin typeandtypestaterulesthatcouldnotbeencodedintheruletables.This termsofnamedoperands.Thus,rulesregardingdataencodedinthestatementqualier(describedbelow)appearasspecialrules.Also,rulesaboumediatelyfollowingthetypestatepre-andpost-conditionboxes,andlisttionsisaboxlabeled\SpecialRules".Thisfull-widthboxappearsim-
Absentfromthemergeatexamplebutpresentinsomeoperatordescrip-
Followingthepost-andpre-conditionboxesisabriefdescriptionofthe B.1.6OperationSemantics
operatororusingamechanismsuchasqualiers.InHermes,thisparticular semanticmeaningoftheoperation.Belowthis,attheverybottomofthe
situationishandledbytheintegerliteraloperation,whichrequiresthat anintegervariabletothevalue\1"withouthavingaspecial\set-to-one" panel,aretwoboxesshowingthestatementqualiertypeforthisoperation, uninitialized(exceptitsinitializationport),itwouldbeimpossibletoset itsoperands.Forexample,sinceaprocessbeginswithallitsvariables andapointertothesectionandpageinthereferencemanualthatdescribes theoperationindetail.
ment,sothequalieritselfisavariant.Itstypeispredefined!qualifier, anintegervaluebeencodedinthequalier. Theinformationthatappearsinqualiersvariesfromstatementtostate-
Astatementqualiercontainsallparametersofanoperationotherthan
theoperationdescriptionpanelidentieswhichcomponentofthisvariant andyoucannditsdenitioninappendixC.Thequaliertypeidentiedin typeappliestothisparticularoperation. B.2TypeClasses Followingarethetypeclassesappearinginclassrules: integer real

154B.2.TypeClasses boolean nominal enumeration variant table polymorph
orderedscalar:includesinteger,real,andanyenumerationde- inport outport callmessage numeric:includesintegerandreal. variantcomponent:Thisisnot,strictlyspeaking,atypeclass.Itis enumerationorboolean:includesenumerationandboolean. reallyavariableclass,comprisingvariablesthatarecomponentsof isinclassvariant. variableswhosetypesareinthevarianttypeclass.Thus,x.visin theclassvariantcomponentifandonlyifxisavariablewhosetype nedwiththeorderedkeywordpresent.
orderedtable:Allorderedtablestypes,i.e.,alltypesdenedwith
copyable:Alltypesotherthaninputports,callmessages,andtypes newable:Allinputport,table,andrecordtypes,i.e.,alltypesdened string:Allorderedtabletypeswhoseelementtypesareenumerations.Thatis,atypetisinclassstringifandonlyif:(1)tisinclass
thetabletypeconstructorandwiththeorderedkeywordpresent. witheithertheinport,table,orrecordtypeconstructor. orderedtable;and(2)theelementtypeoftisinclassenumeration. thatcancontainsuchobjects.Thisclassincludestheclassesinteger, real,nominal,enumeration,boolean,andoutport.Italsoincludes copyable. theclasspolymorphalthoughapolymorphobjectmaywrapanuncopyableobject(anyattempttocopysuchapolymorphwouldraise
tableisincopyableifandonlyiftheassociatedelementtypeisin typesofallthedenedcomponentsareincopyable.Atypeinclass therecordtypeconstructor)isinclasscopyableifandonlyifthe Uncopyable).Atypeinclassvariant,orarecordtype(denedwith

Followingaretheinferencefunctionsappearingininferencerules.Each B.3InferenceFunctionsAppendixB.HermesOperations155 typemustbethetypeinferredbythegiveninferencefunctionfromthe inferencefunctioninfersatypefromitsoperand.Aninferencerulerelates twooperands,asourceandatarget,byspecifyingthattargetoperand's sourceoperand'stype. casetypeof(operand):Thesourcetypeisinclassvariant.Thetar-
sameas(operand):Thetargetandsourceoperandsmusthavethe matchinginportof(operand):Thesourcetypeisinclassoutport. gettypeistheenumerationtypeappearinginthesourcetype'sde-
sametype.1
messagetypeof(operand):Thesourcetypeiseitherinclassinport
Thetargettypeistheinputporttypeappearinginthesourcetype's denition.
elementtypeof(operand):Thesourcetypeisinclasstable.The orinclassoutport.Intheformercase,thetargettypeisthecallmessagetypeappearinginthesourcetype'sdenition;inthelattercase,
iftypeipistheinputporttypeappearinginthesourcetype'sde-
type'sdenition. targettypeistheassociatedelementtypeappearinginthesource denitionofip. nition,thenthetargettypeisthecallmessagetypeappearinginthe
B.4.1TypestatePreconditions B.4PreconditionFunctions
(2)inserttheoperationoperand,andadot(`.')beforeallotherattribute toanyattributeintheformaltypestatewiththeoperationoperand;and tion.Thissubstitutionconsistsofthefollowing:(1)replaceany`*'operand operandintoaformaltypestatethatissomehowassociatedwiththeopera-
mustnotbepresent. programtypestatebeforeinvokingtheoperation,aswellasattributesthat Thefollowingpreconditionsensurepropertypestatepriortoanoperation. Eachpreconditioncanspecifytypestateattributesthatarerequiredinthe
op1op2...opntodenoteallrulesopi Inseveralcases,requiredattributesaredeterminedbysubstitutingan 1Intheoperatordescriptionpanels,weusethespecialnotation sameas(opj)fori6=j.

156B.4.PreconditionFunctions operands,derivingcomponentsoftheoperationoperand.Forstep(1),recallthatanyattributewithoutoperandsistreatedasanattributeapplied
toasingle`*'operand. Asanexample,wesubstitutexintotheformaltypestate: Theresultingtypestateis: full(operand):Theattributeinit(operand)isrequired.Inaddition, init(operand):Theattributeinit(operand)mustbepresent. ifoperandisavariant,record,orcallmessage,thentheprecondition full(operand.x)mustbe(recursively)satisedforeverycomponent finit(x),case(x,x.a)g finit,case(*,*.a)g
initwithoutcase(varcomp):Theattributeinit(variant)isrequired, casets(operand,varcomp):Therequiredattributesarefoundbysubstitutingoperandintothecasetypestateofthevariantcomponenbiddenattributesareallotherattributesinvolvingoperandorits
varcomp(asgivenintherelevantvarianttypedenition).Thefor-
subcomponents. xcontainedinoperand.
checked(operand):Theattributesinit(operand)andchecked(operand) subcomponentsareforbidden. nent.Allotherattributes(notably,casets)involvingvariantorits wherevariantisthevariantvariableofwhichvarcompisacompo-
callpreconditions():Thispreconditionappearsonlywiththecall lowestelementstate(element,table):Therequiredattributesare arerequired.Therearenoforbiddenattributes.
Thetypedenitionforipincludesaformaltypestateinwhichthe ingcalled,andletcmbethecallmessagetypeassociatedwithip. operation.Thefollowingnonstandardsubstitutionprocedureisused: Letipbetheinputporttypeassociatedwiththeoutputportbe-
attributesinvolvingelementoritssubcomponents. thedenitionoftable'stype.Theforbiddenattributesareallother foundbysubstitutingelementintotheelementtypestateprovidedin
componentsofcmappearasarguments.Substitute,foreachsuch argumentinthecalloperation.Theresultingtypestatecomprisesthe attributesrequiredbythisprecondition.Iftherearenon-constantparameters,thenallattributesinvolvinganyofthecorrespondingactual
parametersortheirsubcomponents,exceptrequiredcomponentsas componentnameinthisformaltypestate,thecorrespondingactual determinedabove,areforbidden.

lowestentrycondition(message,port):Thispreconditionappears intotheformaltypestateappearinginip'stypedenitiontoyield therequiredattributes.Allotherattributesinvolvingmessageorits subcomponents. onlyinthesendoperation.Letipbetheinputporttypeassociated withtheportoperand,whichisanoutputport.Substitutemessage AppendixB.HermesOperations157
lowestpostcondition(message):Thispreconditionappearsonlywith
polymorphprecondition(operand):Thispreconditionappearsonly maltypestateintoyieldtherequiredattributes.Allotherattributes involvingmessageoritscomponentsareforbidden. tionformessagedeterminesthepreconditions;inthelattercase,the typestateassociatedwiththeexceptionbeingreturneddetermines thepreconditions.Ineithercase,messageissubstitutedintothefor-
thereturnandreturn-exceptionoperations.Intheformercase,
withthewrapoperation.Ifaformaltypestateisspeciedinthe thenormalexittypestateappearinginthecallmessagetypedeni-
assertable():Thispreconditionappearsonlywiththeassertoperation.Iftheconstraintbeingassertedisalreadypresent,thenthis
substitutingoperandintotheformaltypestateandforbidallother operation,thenthepreconditionrequiretheattributesobtainedby stateisgiven,thispreconditionhasnoeect.2 attributesinvolvingoperandoritssubcomponents.Ifnoformaltype-
B.4.2ContextPreconditions variablesotherthantypestate. Thefollowingpreconditionfunctionstestcontext-dependentpropertiesof preconditionhasnoeect.Otherwise,substituteactualarguments forformalparametersinthetypestateappearingwiththeconstraint
var(operand):Thevalueofoperandvaluemaychangeasaresultof denitiontoyieldtherequiredattributes.Therearenoforbidden
theoperation.Itmustnotbeconstantinthecurrentscope(e.g.via
stateinawrapstatement,sothispreconditionneverhasanyeect. 2Notethatitisimpossible,withthecurrentsyntax,tospecifyaformaltype-
pos(operand):operandmustbetheselectorvariableinan\active" scopeincludesthecurrentoperation,orisassociatedwithaninspect inspectorfor...inspectstatement). theconstantlistinacallmessagedenition,orinthebodyofan selectorinvolvinganorderedtable.Anactiveselectorisonewhose

158B.4.PreconditionFunctions B.4.3ConditionalExceptions Thefollowingpreconditionstestwhethertheoperationiscapableofraising certainexceptionsinadditiontoitsstandardset. rangeerror(source,result):Thispreconditionappearsonlywith orfor...inspectstatementwhosebodyincludesthecurrentoperation.
uncopyable(operand):Atypeispotentiallyuncopyableifitisan duplicatekey(table):Ifthetablehaskeys,thenaDuplicateKey inputportorcallmessagetype(whichareactuallyuncopyable),a exceptionispossible. conversionofeveryvalueinthedomainofsource,thenaRangeError
theconvertoperation.Ifthedomainofresultdoesnotincludethe
B.5PostconditionFunctions ablecomponenttypes,oratabletypewithapotentiallyuncopyable elementtype.Ifoperandisofapotentiallyuncopyabletype,thenthe polymorphtype,arecordorvarianttypewithpotentiallyuncopy-
completionofanoperation.Eachfunctioncancauseattributestobeadded and/ordropped. Thefollowingfunctionsdeterminehowthetypestatechangesonnormal Uncopyableexceptionispossible.
makeinit(operand):Addtheattributeinit(operand). makeuninit(operand):Dropallattributesinvolvingoperandorits makefull(operand):Addtheattributeinit(operand).Inaddition, movets(source,destination):Foreachattributeinvolvingsourceora ifoperandisarecordorcallmessage,makeallitscomponentsrecursivelyfull.
subcomponents. allotherattributesinvolvingdestinationvariableorasubcomponent. subcomponent. source,andaddthesubstitutedattributeifnotalreadypresent.Drop subcomponent:(1)droptheattribute,(2)substitutedestinationfor Dropallconstraintattributesofvariablesofwhichdestinationisa

copy(source,destination):Foreachattributeinvolvingsourceora makecase(varcomp):Addtheattributecase(variant,varcomp),where subcomponent,substitutedestinationforsourceandaddtheresultingattribute.Dropanyotherattributeinvolvingdestinationorits
subcomponents.Dropallconstraintattributesofvariablesofwhich AppendixB.HermesOperations159 destinationisasubcomponent.
makechecked(operand):Ifoperand'stypeispredefined!program, killvariant(varcomp):Dropallattributesinvolvingthevariantof dropcomponents(variant):Dropanycaseattributeinvolvingvariant,andallattributesinvolvingacomponentofvariant.
whichvarcompisacomponent,aswellasallattributesinvolvingits subcomponents. variantisthevariableofwhichvarcompisacomponent.
moveelementts(table,element):Substituteelementintotheelement whichelementisasubcomponent. subcomponents.Dropallconstraintattributesinvolvingvariablesof sultingattributes.Dropallotherattributesinvolvingelementorits formaltypestateassociatedwiththetable'stype,andaddthere-
addtheattributecheckeddefinitions(operand). addtheattributechecked(operand);ifoperand'stypeispredefined!definitionsmodule,
polymorphts(operand):Thispostconditionappearsonlywiththe moveentryts(port,message):Substitutemessageintotheentryformaltypestateassociatedwithport's(inputport)type,andaddthe
unwrapoperation.Substituteoperandintotheformaltypestateap-
itssubcomponents.Dropallconstraintattributesinvolvingvariables pearingintheunwrapstatement,andaddtheresultingattributes. resultingattributes.Dropallotherattributesinvolvingmessageor ofwhichmessageisasubcomponent.
killconstraints(operand):Dropallconstraintattributesinvolving asserted():Thispostconditionappearsonlywiththeassertoperation.Addtheattributenamedintheassertstatement.
Dropallotherattributesinvolvingoperandoritssubcomponents. asubcomponent. operandoranyvariablesofwhichoperandisasubcomponent. Dropallconstraintattributesinvolvingvariablesofwhichoperandis

FollowingarethedetaileddescriptionsofalltheHermesoperations: 160B.5.PostconditionFunctions B.6OperationDescriptions add(result,source1,source2) TypeRules: Preconditions: source12numeric init(source2) init(source1) result2numeric resultsource1source2 source22numeric Exceptions:Depletion
Description:Storethesumofsource1andsource2inresult. Qualier:absent var(result) Postconditions:
and(result,source1,source2) makeinit(result)
TypeRules: Preconditions: source12boolean result2boolean resultsource1source2 source22boolean Exceptions:Depletion Seex11.4,p.104
Description:Ifbothsource1andsource2aretrue,thensetresultto Qualier:absent var(result) true.Otherwisesetresulttofalse. init(source2) init(source1) Postconditions: makeinit(result)
assert(...)Exceptions:Depletion,ConstraintError,ConstraintFailure TypeRules:SeeSpecialRules Preconditions: assertable() Postconditions: asserted() Seex11.4,p.105
SpecialRules:Thenumberofoperandsmustequalthenumberofparametersdeclaredinthedenitionoftheattributenamedinthestatement
attributeparameter. qualier.Eachoperandmustalsomatchthetypeofthecorresponding

assert(continued) Description:Evaluatetheconstraintidentiedintheinstructionqualier Qualier:constraintname withthegivenoperands.Iftheconstraintfails,raiseConstraintError. Ifitraisesanexception,raiseConstraintFailure. AppendixB.HermesOperations161
attributename(result) TypeRules: Preconditions: result var(result) predefined!attribute--name Postconditions: makeinit(result) Exceptions:Depletion Seex11.11,p.132
Description:Copytheattributenameobject(oftypepredefined!attributename) Qualier:attributename block() TypeRules:None Preconditions:None fromtheinstructionqualierintoresult.
SpecialRules:Theentrytypestatetothemainclauseisidenticalto Postconditions:SeeSpecialRules Exceptions:Depletion Seex11.10,p.130
theentrytypestateoftheblockstatement.Theentrytypestatefora
Description:Executetheinstructionsinthescopeidentiedbytheinstructionqualier.Ifanexceptionorexitoccursthatisnothandledby
acontainedblock,andifthereisanapplicablehandlerlistedinthis block'squalier,executethehandler.Notethatexceptionsandexits involvingvariablesdeclaredintheblockstatement. themeetofthenormalexittypestatesofallclauses(includingthemain clauseandallhandlers)thatcanexitnormally,minusanyattributes exception.Thetypestateonnormalterminationofablockstatementis thatbranchtothehandler,alongwiththeappropriateexceptionexit typestatesofanystatementsthatcanbranchtothehandlerduetoan handlerclauseisthemeetoftheentrytypestatesofallexitstatements
Qualier:block areonlyhandledwhentheyoccurintheblock'smainclause(orcontainedsubclauses);exceptionsorexitsoccuringwithinahandlerare
passedontotheoutercontainingblock. Seex11.3,p.96

162B.6.OperationDescriptions call(...) TypeRules:SeeSpecialRules Preconditions: SpecialRules:Therstoperandmustbeinclassoutport,anditsassociatedinporttypemusthaveamessagetypeinclasscallmessage.The
SeealsoSpecialRules callpreconditions() Exceptions:Depletion,Disconnected
remainingoperandsarethecallarguments.Thenumberofarguments mustequalthenumberofcomponentsinthedenitionofthemessage type,andeachargumenttypemustbethesameasthecorresponding Postconditions:SeeSpecialRules
intheinterface.Theexittypestatefornormalorexceptionalreturn rameterswillbecoerceddowniftheirtypestateishigherthanspecied includesinitoftherstoperand,plustypestatesforargumentsas inporttypedenition;argumentscorrespondingtonon-constantpa-
typestatespeciedforthecorrespondingparameterintheassociated (e.g.arecordmaynotappearinthesameargumentlistasoneofits components).Therstoperandmusthavetheinitattributeonentry.Eachargumentmusthaveatypestateatleastashighastheentry
messagecomponenttype.Theargumentsmustnotoverlapinstorage
Description:Therstoperandmustbeanoutputport.Formacallmessagebymovingallbuttherstoperandintosuccessivecallmessagtained,eveniftheydonotappearintheappropriateexittypestate.
involvingonlyargumentscorrespondingtoconstantparametersarere-
speciedinthecallmessagetypedenition.Additionally,attributes
Qualier:absent ponentsbackintotheoperandvariablesfromwhichtheyweretaken. returnofthecallmessage(includingexceptionreturns),moveitscom-
case(result,variant) components,andthensendthecallmessageontheoutputport.On
TypeRules: Preconditions: variant2variant
casetypeof(variant) Exceptions:Depletion Seex11.8,p.121
var(result) init(variant) Postconditions: makeinit(result)

case(continued) Description:Copytheenumerationvaluecorrespondingtothecurrent Qualier:absent caseofvariantintoresult. AppendixB.HermesOperations163
checkdenitions(module,library) TypeRules:
predefined!definitions--modules
Exceptions:Depletion, DenitionError Seex11.7,p.117
Preconditions: Description:Checkthatthedenitionscontainedinmodulearecorrect Qualier:absent var(module) init(library) full(module) andconsistent,bothinternallyandwithrespecttoallthedenitions modulesinlibrary. Postconditions: makechecked(module)
concatenate(result,source1,source2)Exceptions:Depletion, TypeRules: source12orderedtable source22orderedtable source12copyable source22copyable (DuplicateKey) (Uncopyable), Seex11.10,p.130
Preconditions: duplicatekey(result) uncopyable(source2) uncopyable(source1) var(result) init(source2) init(source1) result2orderedtable resultsource1source2 Postconditions: makeinit(result)

164B.6.OperationDescriptions concatenate(continued) Description:Createanewtableinresultthatcontainscopiesofallthe Qualier:absent connect(outport,inport) TypeRules: wereinthesourcetable. alltheelementsfromeithersourcetableareorderedinresultasthey elementsofsource1followedbyalltheelementsofsource2,suchthat
Preconditions: inport2inport matchinginportof(outport) outport2outport Exceptions:Depletion Seex11.6,p.109
Description:Createanoutputportconnectedtoinport,andstoreitin Qualier:absent init(inport) var(outport) outport. Postconditions:
convert(result,source) makeinit(outport)
TypeRules: Preconditions: source2orderedscalar init(source) Exceptions:Depletion,(RangeError) result2orderedscalar Seex11.8,p.121
Description:Convertthevalueofsourcetotheappropriatecorrespondingvalueinthedomainofresult,andstoretheconvertedvalueinresult
rangeerror(source,result) var(result) Postconditions: makeinit(result) Qualier:absent copy(result,source) TypeRules: source2copyable resultsource Exceptions:Depletion,(Uncopyable) result2copyableSeex11.4,p.106

copy(continued) Preconditions: uncopyable(source) var(result) init(source) AppendixB.HermesOperations165
Description:Makeacopyoftheobjectstoredinsource,andstorethe Qualier:absent copyinresult. Postconditions: copy(source,result)
create(result,program)Exceptions:Depletion,InterfaceMismatch TypeRules: Preconditions:
result2outport predefined!program Seex11.1,p.94
Description:Instantiateprogramasaprocess,andstoreanoutputport Qualier:absent var(result) checked(program) connectedtotheprocess'initializationportinresult. Postconditions:
currentprogram(result) makeinit(result)
TypeRules: Preconditions: result var(result) predefined!programPostconditions:
makechecked(result) Exceptions:Depletion Seex11.8,p.124
Description:Storeacopyoftheprogramobjectfromwhichtheexecuting Qualier:absent discard(variable) TypeRules:None Preconditions: processwasinstantiated,intoresult.
var(variable) Postconditions: makeuninit(variable) Seex11.10,p.129 Exceptions:|

166B.6.OperationDescriptions discard(continued) Description:Discardtheobjectstoredinvariable,leavingvariableuninitialized.
Qualier:absent dissolve(result,varcomp) TypeRules: Preconditions: resultvarcomp varcomp2variantcomponent Exceptions:Depletion Seex11.1,p.95
Description:Movetheobjectstoredinvariantcomponentvarcompinto Qualier:absent casets(varcomp,varcomp) result,leavingthevariantofwhichvarcompisacomponentuninitialized.
Postconditions: movets(varcomp,result) killvariant(varcomp) var(varcomp) var(result)
divide(result,source1,source2)Exceptions:Depletion,DivideByZero TypeRules: Preconditions: source12numeric result2numeric resultsource1source2 source22numericSeex11.7,p.116
Description:Storethequotientofsource1dividedbysource2inresult. Qualier:absent var(result) init(source2) init(source1) Postconditions:
drop(...) makeinit(result)
TypeRules:SeeSpecialRules Preconditions:None Postconditions:None Seex11.4,p.104 Exceptions:|

drop(continued) SpecialRules:Thenumberofoperandsmustequalthenumberofparametersdeclaredinthedenitionoftheattributenamedinthestatement
AppendixB.HermesOperations167 attributeparameter. qualier.Eachoperandmustalsomatchthetypeofthecorresponding Description:Removetheconstraintidentiedbytheinstructionquali- Qualier:constraintname empty(result,inport) TypeRules: er,appliedtothegivenoperands,fromthecurrentprogramtypestate.
Preconditions: result2boolean init(inport) inport2inport Exceptions:Depletion Seex11.11,p.132
Description:Iftherearemessagesqueuedforreceiptoninport,setresult Qualier:absent var(result) tofalse.Otherwisesetresulttotrue. Postconditions:
equal(result,source1,source2) makeinit(result)
TypeRules: Preconditions: result2boolean init(source1) source1source2 Exceptions:Depletion Seex11.8,p.120
Description:Ifsource1andsource2areindistinguishableobjects,set Qualier:absent var(result) resulttotrue.Otherwisesetresulttofalse. init(source2) Postconditions: makeinit(result)
every(result,table) TypeRules: result2table table2copyable SeealsoSpecialRules Exceptions:Depletion,(Uncopyable) table2table resulttableSeex11.1,p.94

168B.6.OperationDescriptions every(continued) Preconditions: SpecialRules:Thestatementqualierisaselector.Theresultvariable init(table) uncopyable(table) var(result) SeealsoSpecialRules Postconditions:
typeoftheelementvariableidentiedintheselectormustbetheelementtypeoftable.Theentrytypestatefortheselectoristheentry
theeverystatementiscomputedbyapplyingthepostconditionrules listedabovetothenormalexittypestateoftheselector,minusanyattributesinvolvingtheresultorelementvariable.SeeSectionfora
typestateoftheeverystatement.Thetypestateonnormalexitfrom identiedinthatselectormustbeoftypepredefined!booleanand musthavetheinitattributeonnormalexitfromtheselector.The SeealsoSpecialRules makeinit(result)
Description:Createanewtablecontainingacopyofeveryelementof Qualier:selector andstorethenewtableinresult.Iftableisordered,theelementsin tablethatsatisestheselectoridentiedintheinstructionqualier, resultappearinthesamerelativeorderastheydointable. discussionofhowtypestatesarecomputedforselectors.
exists(result,table) TypeRules: Preconditions: result2boolean table2table Exceptions:Depletion Seex11.6,p.110
init(table) SeealsoSpecialRules var(result) Postconditions: SeealsoSpecialRules makeinit(result)

exists(continued) SpecialRules:Thestatementqualierisaselector.Theresultvariable typeoftheelementvariableidentiedintheselectormustbetheelementtypeoftable.Theentrytypestatefortheselectoristheentry
typestateoftheforallstatement.Thetypestateonnormalexitfrom identiedinthatselectormustbeoftypepredefined!booleanand musthavetheinitattributeonnormalexitfromtheselector.The AppendixB.HermesOperations169
Description:Ifanyelementoftablesatisestheselectoridentiedin Qualier:selector false.Inparticular,iftableisempty,setresulttofalse. theinstructionqualier,thensetresulttotrue.Otherwisesetresultto theforallstatementiscomputedbyapplyingthepostconditionrules listedabovetothenormalexittypestateoftheselector,minusanyattributesinvolvingtheresultorelementvariable.SeeSectionfora
exit() discussionofhowtypestatesarecomputedforselectors.
TypeRules:None Preconditions:None SpecialRules:Theexitstatementcannotterminatenormallyandthereforehasnonormalterminationtypestate.
Exceptions:| Postconditions:SeeSpecialRules Seex11.6,p.110
Description:Raiseanexitconditionfortheexitidentiedintheinstructionqualier.Controltransferstoappropriatehandlerintheinnermost
Qualier:exit expression{block() TypeRules:None Preconditions:SeeSpecialRulesPostconditions:SeeSpecialRules containingblockthathandlesthisexitcondition.
SpecialRules:Thetypestateonentrytotheexpressionclauseisidentical toentrytypestatefortheexpressionblockstatement.Theresultvariablemusthavetheinitattributeonexitfromtheexpressionclause.
thenormalexittypestateoftheexpressionclause,minusanyattributes
Exceptions:Depletion Seex11.3,p.101
Thetypestateonnormalexitfromtheexpressionblockstatementis involvingvariablesdeclaredintheexpressionblockstatement.

170B.6.OperationDescriptions expression{block(continued) Description:Executetheinstructionscontainedinthescopeidentied Qualier:expressionblock extract(result,table) TypeRules: result2table computeavalueforaresultvariablealsoidentiedinthequalier. bytheinstructionqualier.Moduloexceptions,theeectwillbeto
resulttable
table2table Exceptions:Depletion Seex11.3,p.100
Preconditions: SpecialRules:Thestatementqualierisaselector.Theresultvariable SeealsoSpecialRules init(table) var(result) var(table) Postconditions:
typeoftheelementvariableidentiedintheselectormustbetheelementtypeoftable.Theentrytypestatefortheselectoristheentry
typestateoftheextractstatement.Thetypestateonnormalexitfrom listedabovetothenormalexittypestateoftheselector,minusanyat-
theextractstatementiscomputedbyapplyingthepostconditionrules identiedinthatselectormustbeoftypepredefined!booleanand musthavetheinitattributeonnormalexitfromtheselector.The SeealsoSpecialRules killconstraints(table) makeinit(result)
Description:Removealltheelementsfromtablethatsatisfytheselector Qualier:selector identiedintheinstructionqualier,assemblethemintoanewtable, resultwillappearinthesamerelativeorderasthedidintable. andstorethenewtableinresult.Iftableisordered,theelementsof tributesinvolvingtheresultorelementvariable.SeeSectionfora discussionofhowtypestatesarecomputedforselectors.
forall(result,table) TypeRules: Preconditions: result2boolean init(table) table2table Exceptions:Depletion Seex11.6,p.111
var(result) Postconditions: makeinit(result)

forall(continued) Description:Ifeveryelementoftablesatisestheselectoridentiedin Qualier:selector empty.Inparticular,iftableisempty,setresulttotrue. theinstructionqualier,thensetresulttotrue.Otherwisesetresultto AppendixB.HermesOperations171
for{enumerate() TypeRules:SeeSpecialRules Preconditions:SeeSpecialRulesPostconditions:SeeSpecialRules SpecialRules:Theenumeratorvariableidentiedinthestatementqualiermustbeinclassenumeration.Theentrytypestateforthebody
Exceptions:Depletion Seex11.6,p.110
clausecontainsalltheattributesinthemeetoftheentrytypestate
Description:Executethestatementscontainedinthescopeidentiedin onnormalterminationoftheforenumeratestatementcontainsallthe inthebody. bodyclause,aswellasinitoftheenumeratorvariable(aninterative attributesinthenormalexittypestateofthebodyclause,minusany solutionisrequiredforthis,asdescribedinSection).Thetypestate attributesinvolvingtheenumeratorvariableoranyvariablesdeclared fortheforenumeratestatementandthenormalexittypestateofthe
Qualier:forenumerate itsvaluesareiteratedoverinascendingorder. spondingtothecurrentiteration.Iftheenumerationtypeisordered, foreachenumerationvalueintheenumerationtypecorrespondingto cution,theenumeratorvariableissettotheenumerationvaluecorre-
enumeratorvariablealsoidentiedinthequalier.Duringeachexe-
theinstructionqualierrepeatedly.Thestatementsareexecutedonce
for{inspect(table) TypeRules: Preconditions: table2table
Exceptions:Depletion Seex11.4,p.106
init(table) SeealsoSpecialRules Postconditions:SeeSpecialRules

172B.6.OperationDescriptions for{inspect(continued) SpecialRules:Thestatementqualiercontainsaselector.Theresult andmusthavetheinitattributeonnormalexitfromtheselector.The oftheforinspectstatement.Theentrytypestateofthebodyclause typeoftheelementvariableidentiedintheselector,andthatofthe typeoftable.Theentrytypestatefortheselectoristheentrytypestate elementvariableidentieddirecltyinthequalier,mustbetheelement variableidentiedinthatselectormustbeoftypepredefined!boolean identiedinthequalierincludesinitoftheelementvariableidentied inthequalier,plusallattributesinthemeetof(1)theexittypestate oftheselector,minusanyattributesinvolvingtheselector'sresultor
Description:Executethestatementscontainedinthescopeidentiedby typestateonnormalterminationoftheforinspectstatementcontains elementvariable;and(2)theexittypestateofthebodyclause(an iterativesolutionisrequiredforthis,asdescribedinSection).The
ier.Duringexecutionofthebody,theinspectvariable(alsoidentied foreachelementoftablethatsatisestheselectoridentiedinthequal-
theinstructionqualierrepeatedly.Thestatementsareexecutedonce oranyvariabledeclaredinthebody.SeeSectionforadiscussionof howtypestatesarecomputedforselectors. alltheattributesinthenormalexittypestateofthebodyclause,minus
inthequalier)issettoaconstantcopyofthecurrentmatchingtableelement.Iftableisordered,matchingelementswillbeinspectedin
theordertheyappearintable.tableitselfisnotheldconstantduring executionsofthebody.
anyattributesinvolvingtheelementvariableidentiedinthequalier
Qualier:inspecttable greater(result,source1,source2) TypeRules: Preconditions: source12orderedscalar result2boolean source1source2 source22orderedscalar Exceptions:Depletion Seex11.6,p.113
var(result) init(source2) init(source1) Postconditions: makeinit(result)

greater(continued) Description:Ifsource1comparesgreaterthansource2(numericallyor Qualier:absent resulttofalse. viaanenumerationordering),thensetresulttotrue.Otherwiseset AppendixB.HermesOperations173
greater{equal(result,source1,source2) TypeRules: Preconditions: source12orderedscalar result2boolean source1source2 source22orderedscalar Exceptions:Depletion Seex11.4,p.105
Description:Ifsource1comparesgreaterthanorequaltosource2(nu-
Qualier:absent mericallyorviaanenumerationordering),thensetresulttotrue.Oth-
erwisesetresulttofalse. init(source2) init(source1) Postconditions: makeinit(result) var(result) hide(variant) TypeRules: Preconditions: variant2variant Seex11.4,p.105
Description:Removetypestateattributesasrequiredbythepostconditions.Runtimecoercionsmayresult,butotherwisethereisnoruntime
init(variant) Postconditions: dropcomponents(variant) Exceptions:|
Qualier:absent if() TypeRules:SeeSpecialRules Preconditions:SeeSpecialRulesPostconditions:SeeSpecialRules eect. Seex11.7,p.117 Exceptions:|

174B.6.OperationDescriptions if(continued) SpecialRules:Thetestvariableidentiedinthestatementqualiermust
Description:Executethestatementsinthetestclauseidentiedinthe onnormalexitfromtheifstatementisthemeetofthenormalexit isidenticaltotheexittypestatefromthetestclause.Thetypestate typestatesofthethenandelseclauses. beoftypepredefined!booleanandmusthavetypestateinitonnormalexitfromthetestclauseidentiedinthequalier.Thetypestateon
typestateonentrytothethenclauseand(ifpresent)theelseclause identiedinthequalier)istrue,thenexecutethestatementsinthe instructionqualier.Iftheresultingvalueinthetestvariable(also entrytothetestclauseistheentrytypestatefortheifstatement.The
Qualier:if insert(table,element) TypeRules: clauseisidentiedinthequalier,executethestatementsinthatclause. \then"clause(alsoidentiedinthequalier).Otherwise,ifan\else"
Preconditions: table2table
elementtypeof(table) Exceptions:Depletion,(DuplicateKey) Seex11.3,p.97
Description:Inserttheobjectstoredinelementintotable,leavingelementuninitialized.Iftableisordered,thenewelementwillfollowall
killconstraints(table) makeuninit(element) duplicatekey(table) var(element) var(table) init(table) lowestelementstate(element,table) Postconditions:
previouslyexistingelements. Qualier:absent Seex11.6,p.110

insert{at(table,element,position) TypeRules: AppendixB.HermesOperations175
Preconditions: table2orderedtable
element predefined!integer Exceptions:Depletion,
init(table) elementtypeof(table) RangeError,
lowestelementstate(element,table) (DuplicateKey)
Description:Inserttheobjectstoredinelementintotable,soastomake duplicatekey(table) var(element) init(position) var(table) Postconditions:
thepositionofthenewlyinsertedelementintheresultingtableequal killconstraints(table) makeuninit(element)
Qualier:absent inspect{polymorph(polymorph) positionhigherinthetable. ouslyoccupiedelementpositionsatorbeyondpositionareshiftedone toposition,andleavingelementuninitialized.Allelementsthatprevi-
TypeRules: Preconditions: polymorph2polymorph Exceptions:Depletion, PolymorphMismatch Seex11.6,p.110
SpecialRules:Theentrytypestateforthebodyclauseidentiedinthe istheexittypestateofthebodyclause,minusanyattributesinvolving statementqualieristheentrytypestatefortheinspectpolymorph variableidentiedinthequalierintotheformaltypestateappearingin init(polymorph) statement,plusallattributesresultingfromsubsitutionoftheelement thequalier.Theexittypestatefortheinspectpolymorphstatement Postconditions:SeeSpecialRules
theelementvariableoranyvariablesdeclaredinthebody.

176B.6.OperationDescriptions inspect{polymorph(continued) Description:Executethestatementscontainedinthescopeidentiedin Qualier:inspectpolymorph inspect{table(table) TypeRules: theinstructionqualier.Duringexecution,theinspectvariable(also identiedinthequalier)issettothevaluewrappedinpolymorphand isheldconstant.polymorphitselfisnotheldconstant.
Preconditions: table2table
Exceptions:Depletion,NotFound Seex11.9,p.127
SpecialRules:Thestatementqualiercontainsaselector.Theresult andmusthavetheinitattributeonnomralexitfromtheselector.The typeoftheelementvariableidentiedintheselector,andthatofthe elementvariableidentieddirectlyinthequalier,mustbetheelement variableidentiedinthatselectormustbeoftypepredefined!boolean init(table) SeealsoSpecialRules Postconditions:SeeSpecialRules
oftheinspecttablestatement.Theentrytypestateofthebodyclause typeoftable.Theentrytypestatefortheselectoristheentrytypestate identiedinthequalieristheexittypestateoftheselector,minusany
Description:Executethestatementscontainedinthescopeidentied attributesinthenormalexittypestateofthebodyclause,minusany attributesinvolvingtheelementvariableidentiedinthequalieror onnormalterminationoftheinspecttablestatementcontainsallthe attributeinvolvingtheselector'sresultorelementvariable,plusinit
bytheinstructionqualier.Duringexecutionofthebody,theinspect howtypestatesarecomputedforselectors. anyvariablesdeclaredinthebody.SeeSectionforadiscussionof oftheelementvariableidentieddirectlyinthequalier.Thetypestate
Qualier:inspecttable atableelementthatsatisestheselectoridentiedinthequalier.If variable(alsoidentiedinthequalier)issettoacontstantcopyof tableisordered,thersttableelementthatsatisestheselectorwill body. beinspected.tableitselfisnotheldconstantduringexecutionofthe Seex11.6,p.112

integer{literal(result) TypeRules: Preconditions: result2integer AppendixB.HermesOperations177
Description:Interpretthedigitstringstoredintheinstructionqualier asadecimalinteger,andstorevalueinresult. var(result) Postconditions: makeinit(result) Exceptions:Depletion
Qualier:literal less(result,source1,source2) TypeRules: Preconditions: source12orderedscalar result2boolean source1source2 source22orderedscalar Exceptions:Depletion Seex11.4,p.104
Description:Ifsource1compareslessthansource2(numericallyorvia Qualier:absent var(result) init(source2) init(source1) anenumerationordering),thensetresulttotrue.Otherwisesetresult tofalse. Postconditions: makeinit(result)
less{equal(result,source1,source2) TypeRules: Preconditions: source12orderedscalar result2boolean source1source2 source22orderedscalar Exceptions:Depletion Seex11.4,p.105
Description:Ifsource1compareslessthanorequaltosource2(numericallyorviaanenumerationordering),thensetresulttotrue.Otherwise
setresulttofalse. Postconditions: makeinit(result) Qualier:absent var(result) init(source2) init(source1) Seex11.4,p.105

178B.6.OperationDescriptions merge(destination,source)Exceptions:Depletion,(DuplicateKey) TypeRules: Preconditions: destinationsource duplicatekey(destination) var(destination) destination2table init(destination) var(source) init(source) source2table
Description:Removeallthetableelementsfromsourceandinsertthem Postconditions: makeuninit(source)
relativeorderastheyappearedinsource,andfollowingallpreviously thenthetransferredelementswillappearindestinationinthesame intodestination,leavingsourceuninitialized.Ifthetablesareordered, killconstraints(destination)
Qualier:absent merge{at(destination,source,position)Exceptions:Depletion, TypeRules: existingelementsofdestination.
destination2orderedtable source2table RangeError, (DuplicateKey) Seex11.6,p.112
Preconditions:
var(destination) destinationsource init(destination) init(position) var(source) init(source) predefined!integer
duplicatekey(destination) Postconditions: makeuninit(source) killconstraints(destination)

merge{at(continued) Description:Removealltableelementsfromsourceandinsertthem willfollowconsecutively,inthesameorderastheyappearedinsource. intodestinationsothattheresultingpositionofthersttransferred element,ifany,willbeequaltoposition.Allothertransferredelements AppendixB.HermesOperations179
Qualier:absent mod(result,source1,source2)Exceptions:Depletion,DivideByZero TypeRules: andfollowingthelasttransferredelement. Allelementsofdestinationthatformerlyoccupiedpositionsatposition orbeyondareshiftedsothattheyappearinthesamerelativeorder,
Preconditions: source12numeric result2numeric resultsource1source2 source22numericSeex11.6,p.112
Description:Letabethevalueofsource1,andbbethevalueofsource2. var(result) init(source2) init(source1) Postconditions:
Qualier:absent Thevaluechavingthesamesignasb,withabsolutevaluelessthan thatofb,andsatisfyingtheequationa=nb+cforsomeintegern, isstoredinresult. makeinit(result)
move(result,source) TypeRules: Preconditions: resultsource init(source) Exceptions:Depletion Seex11.4,p.104
Description:Movetheobjectstoredinsourcetoresult,leavingsource Qualier:absent var(result) uninitialized. var(source) Postconditions: movets(source,result) Seex11.1,p.93

180B.6.OperationDescriptions multiply(result,source1,source2) TypeRules: Preconditions: source12numeric init(source2) init(source1) result2numeric resultsource1source2 source22numeric Exceptions:Depletion
Description:Storetheproductofsource1andsource2inresult. Qualier:absent var(result) Postconditions:
named{literal(result) makeinit(result)
TypeRules: Preconditions: SeealsoSpecialRules result2enumerationorboolean Exceptions:Depletion Seex11.4,p.104
SpecialRules:Thecharacterstringappearinginthestatementqualier Description:Setresulttotheenumerationvaluebelongingtoitsenumerationtypeandnamedbytheinstructionqualier.
makeinit(result) mustequaloneofthenamesappearinginthedenitionofthetypeof result. var(result) Postconditions:
Qualier:literal new(result) TypeRules: Preconditions: result2newable var(result) Postconditions: makeinit(result) Exceptions:Depletion Seex11.4,p.104
Description:Createanewobjectoftheappropriatetypeandstoreit Qualier:absentSeex11.5,p.107;x11.6,p.108;andx11.8,p.120 inresult.Allcomponentsofanewlycreatedrecordareuninitialized. Anewlycreatedtableisempty.Anewlycreatedinputportisnot connectedtoanyoutputportandhasnoqueuedmessages.

not(result,source) TypeRules: AppendixB.HermesOperations181
Preconditions: source2boolean var(result) init(source) resultsource result2boolean Postconditions: makeinit(result) Exceptions:Depletion
Description:Ifsourceistrue,setresulttofalse.Otherwisesetresultto Qualier:absent not{equal(result,source1,source2) TypeRules: true.
Preconditions: result2boolean init(source1) source1source2 Exceptions:Depletion Seex11.4,p.105
Description:Ifsource1andsource2areindistinguishableobjects,then Qualier:absent setresulttofalse.Otherwisesetresulttotrue. var(result) init(source2) Postconditions: makeinit(result)
or(result,source1,source2) TypeRules: Preconditions: source12boolean result2boolean resultsource1source2 source22boolean Exceptions:Depletion Seex11.1,p.94
Description:Ifeithersource1istrueorsource2istrue(orbotharetrue), Qualier:absent var(result) thensetresulttotrue.Otherwisesetresulttofalse. init(source2) init(source1) Postconditions: makeinit(result) Seex11.4,p.105

182B.6.OperationDescriptions position{of{element(result,element) TypeRules: Preconditions: Description:Setresulttothepositionoccupiedbyelementinthetableonwhichthecorrespondingselectorisoperating.Ifthetablehas
var(result) pos(element) predefined!integerPostconditions:
makeinit(result) Exceptions:Depletion
Qualier:absent position{of{selector(result,table)Exceptions:Depletion,NotFound changedsincetheselectoroperationcommenced,thenthepositionof itscurrentposition. elementatthetimetheselectoroperationbeganisused,ratherthan TypeRules:
table2orderedtable result predefined!integer Seex11.6,p.114
Preconditions: SpecialRules:Thestatementqualierisaselector.Theresultvariable init(table) SeealsoSpecialRules var(result) Postconditions:
typeoftable.Theentrytypestatefortheselectoristheentrytypestate identiedinthatselectormustbeoftypepredefined!booleanand oftheelementvariableidentiedintheselectormustbetheelement musthavetheinitattributeonnormalexitfromtheselector.Thetype SeealsoSpecialRules makeinit(result)
Description:Setresulttothepositionofanelementfromtablethat selector,minusanyattributesinvolvingtheresultorelementvariable. SeeSectionforadiscussionofhowtypestatesarecomputedfor ofthepositionofselectorstatement.Thetypestateonnormalexit
ordered,usethepositionoftherstsuchelement. selectors. satisestheselectoridentiedintheinstructionqualier.Iftableis thepostconditionruleslistedabovetothenormalexittypestateofthe fromthepositionofselectorstatementiscomputedbyapplying
Qualier:selector Seex11.6,p.114

print(variable) TypeRules:None Preconditions:None Description:Produceaprintedrepresentationoftheobjectstoredin AppendixB.HermesOperations183
variable.Thisoperation,andthecorrespondingprintstatementin theconcretesyntax,areprovidedonlyforpurposesofHermescompiler debugging,andarenotmeantforusebyapplicationprograms.They Postconditions:None Exceptions:|
Qualier:absent procedure(outport,program) TypeRules: outport2outport maybecomeunavailablewithoutnotice.
predefined!program Exceptions:Depletion, InterfaceMismatch|
Preconditions: Description:Createaprocedurethatwillrepeatedlyinstantiateprogram var(outport) checked(program) Postconditions:
Qualier:absent intoprocesses,andstoreanoutputportmatchingthetypeofprogram's initializationportinoutport.Wheneveramessageissentonthisoutput port,anewprocesswillbeinstantiatedandthemessageforwardedto thenewprocess'initializationport. makeinit(outport)
program{literal(program) TypeRules: Preconditions:
var(program) predefined!programPostconditions:
makechecked(program) Exceptions:Depletion Seex11.8,p.124
Description:Makeacopyoftheprogramobjectidentiedintheinstructionqualierandstoreitinprogram.
Qualier:programliteral Seex11.10,p.128

184B.6.OperationDescriptions real{literal(result) TypeRules: Preconditions: Description:Interpretthecharacterstringstoredintheinstructionqualierasarealnumber,andstorethevalueinresult.
result2integer var(result) Postconditions: makeinit(result) Exceptions:Depletion
Qualier:literal rem(result,source1,source2)Exceptions:Depletion,DivideByZero TypeRules: Preconditions: source12numeric result2numeric resultsource1source2 source22numericSeex11.4,p.104
Description:Letabethevalueofsource1,andbbethevalueofsource2. var(result) init(source2) init(source1) Postconditions:
Qualier:absent thatofb,andsatisfyingtheequationa=nb+cforsomeintegern, Thevaluechavingthesamesignasa,withabsolutevaluelessthan isstoredinresult. makeinit(result)
receive(message,inport) TypeRules: Preconditions: inport2inport
messagetypeof(inport) Exceptions:Depletion,Disconnected Seex11.4,p.104
Description:Dequeuetherstavailablemessagefrominportandstore Qualier:absent var(message) init(inport) itinmessage.Ifnomessageisavailable,waitforonetoarrive. var(inport) Postconditions: moveentryts(inport,message) Seex11.8,p.123

emove(element,table) TypeRules: AppendixB.HermesOperations185
Preconditions: table2table
init(table)
elementtypeof(table) Exceptions:Depletion,NotFound
SpecialRules:Thestatementqualierisaselector.Theresultvariable SeealsoSpecialRules var(element) var(table) Postconditions:
typeoftheelementvariableidentiedintheselectormustbetheelementtypeoftable.Theentrytypestatefortheselectoristheentry
typestateoftheremovestatement.Thetypestateonnormalexitfrom identiedinthatselectormustbeoftypepredefined!booleanand musthavetheinitattributeonnormalexitfromtheselector.The SeealsoSpecialRules killconstraints(table) moveelementts(table,element)
Description:Removeanelementfromtablethatsatisestheselector Qualier:selector identiedintheinstructionqualier,andstoreitinelement.Iftableis ordered,removetherstsuchelement. theremovestatementiscomputedbyapplyingthepostconditionrules listedabovetothenormalexittypestateoftheselector,minusanyattributesinvolvingtheresultorelementvariable.SeeSectionfora
return(callmessage) discussionofhowtypestatesarecomputedforselectors.
TypeRules: Preconditions: callmessage2callmessage lowestpostcondition(callmessage) Exceptions:Depletion Seex11.6,p.111
Description:Returncallmessagetotheprocessthatoriginallysentit, Qualier:absent withoutraisingauserexception. var(callmessage) Postconditions: makeuninit(callmessage) Seex11.8,p.123

186B.6.OperationDescriptions return{exception(callmessage) TypeRules: Preconditions: Description:Returncallmessagetotheprocessthatoriginallysentit, callmessage2callmessage var(callmessage) lowestpostcondition(callmessage) Postconditions: makeuninit(callmessage) Exceptions:Depletion
Qualier:returnexception reveal(varcomp) TypeRules: raisingtheuserexceptionidentiedbytheinstructionqualierinthat process.
Preconditions: varcomp2variantcomponent initwithoutcase(varcomp) Postconditions: Exceptions:Depletion,CaseError makecase(varcomp) Seex11.8,p.123
Description:Addtypestateattributesasrequiredbythepostconditions. Qualier:absent select() TypeRules:SeeSpecialRules Preconditions:None Thereisnoruntimeeect. Exceptions:Depletion,Disconnected Postconditions:None Seex11.7,p.117

select(continued) SpecialRules:Allthevariablesidentiedintheeventguardsassociatedwiththeclauseslistedinthestatementqualiermustbeinclass
AppendixB.HermesOperations187 resultvariableidentiedineachbooleanguardassociatedwithaclause inport.Ifthereisanoperand,itstypemustbethesameasthatofthe onnormalexitfromtheirassociatedtestclauses.Theentrytypestate foreachbooleanguardclauseisidenticaltotheentrytypestateforthe ment.Allbooleanguardresultvariablesmusthavetheinitattribute theotherwiseclause,isthemeetofthenormalexittypestatefromall thebooleanguardtestclauses(ortheselectstatemententrytypestateiftherearenobooleanguards).Thenormalexittypestatefrom
mustbeoftypepredefined!boolean.Allvariablesassociatedwith selectstatement.Theentrytypestateforeachselectclause,including eventguardsmusthavetheinitattributeonentrytotheselectstate-
listedinthequalier.Otherwise,eachbooleanguardresultvariable
Description:Theinstructionqualiercontainsatableofselectclauses, eachofwhichspeciesoneorbothofaneventguardandaboolean astatementclause.Theselectoperationrstexecutesallthestatementsinclausesidentiedbybooleanguards,yieldingvaluesforallthe
guard,aswellasanassociatedstatementclause.Aneventguardis theselectstatementisthemeetofthenormalexittypestatesofall theselectclauses,includingtheotherwiseclause. aninputportvariable,whileabooleanguardidentiesavariableand
eventguardwhoseassociatedinputportisnonempty,isselected.The booleanguardvariables.Iftheselectoperationhasanoperand,itis statementsinthestatementclauseassociatedwiththeselectedclause arethenexecuted.Iftherearenoenabledselectclauses,thenthestatementsinthe\otherwise"clause(identiedintheinstructionqualier)
outport2outport
messagetypeof(outport) Exceptions:Depletion,Disconnected
selectclauseswithtruebooleanguardvaluesareenabled.Inaddition, selectclauseswithoutbooleanguardsareenabled.Ifanyselectclause erationhasnooperands,thebooleanguardvaluesmustbeboolean,and isenabled,oneenabledclausewitheithernoeventguard,orwithan clauseforwhichthetestsucceedsbecomes\enabled."Iftheselectop-
testedforequalitywitheachbooleanguardvariable,andeachselect
Qualier:select send(outport,message) TypeRules: areexecuted. Seex11.3,p.98

188B.6.OperationDescriptions send(continued) Preconditions: Description:Addmessagetothequeueassociatedwiththeinputport Qualier:absent var(message) init(outport) lowestentrycondition(message,outport) connectedtooutport,leavingmessageuninitialized. Postconditions: makeuninit(message)
size(result,table) TypeRules: Preconditions: table2table
predefined!integer Exceptions:Depletion Seex11.8,p.124
Description:Setresultequaltothenumberofelementsintable. Qualier:absent string{literal(result) init(table) var(result) Postconditions: makeinit(result)
TypeRules: Preconditions: SeealsoSpecialRules result2string Exceptions:Depletion,(DuplicateKey) Seex11.6,p.114
SpecialRules:Eachelementofthetableappearinginthestatement Description:Copythestringstoredintheinstructionqualierandstore duplicatekey(result) var(result) qualiermustcorrespondtooneoftheenumerationvaluesappearing inthedenitionoftheelementtypeofresult.Thatis,asingletontable containingtheelementmustequaloneoftheenumerationvalues. Postconditions:
thecopyinresult. makeinit(result)
Qualier:literal Seex11.6,p.109

subtract(result,source1,source2) TypeRules: AppendixB.HermesOperations189
Preconditions: source12numeric init(source2) init(source1) result2numeric resultsource1source2 source22numeric Exceptions:Depletion
Description:Subtractsource2fromsource1andstoretheresultinresult. Qualier:absent var(result) Postconditions: makeinit(result)
the{element(result,table) TypeRules:
table2table elementtypeof(table) table2copyable Exceptions:Depletion, NotFound,(Uncopyable) Seex11.4,p.104
Preconditions: SpecialRules:Thestatementqualierisaselector.Theresultvariable init(table) uncopyable(table) var(result) SeealsoSpecialRules Postconditions:
typeoftheelementvariableidentiedintheselectormustbetheelementtypeoftable.Theentrytypestatefortheselectoristheentry
identiedinthatselectormustbeoftypepredefined!booleanand musthavetheinitattributeonnormalexitfromtheselector.The SeealsoSpecialRules moveelementts(table,result)
Description:Copyanelementfromtablethatsatisestheselectoridentiedintheinstructionqualier,andstorethecopyinresult.
typestateofthetheelementstatement.Thetypestateonnormalexit tionforadiscussionofhowtypestatesarecomputedforselectors. minusanyattributesinvolvingtheresultandelementvariable.SeeSec-
fromthetheelementstatementiscomputedbyapplyingthepostconditionruleslistedabovetothenormalexittypestateoftheselector,
Qualier:selector Seex11.6,p.109

190B.6.OperationDescriptions type(result,polymorph) TypeRules: Preconditions: polymorph2polymorph
init(polymorph) var(result) predefined!typeof--value Postconditions: makefull(result) Exceptions:Depletion
Description:Storethetypeoftheobjectwrappedinsidepolymorphin Qualier:absent typename(result) TypeRules: result,alongwithanydenitionmodulesnecessarytoresolvethetype.
Preconditions:
var(result) predefined!typenamePostconditions:
makefull(result) Exceptions:Depletion Seex11.9,p.127
Description:Makeacopyofthetypenamefoundintheinstructionqualier,andstoreitinresult.
Qualier:typename typestate(result,polymorph) TypeRules: Preconditions: polymorph2polymorph
predefined!typestateof--valueExceptions:Depletion
Seex11.10,p.130
Description:Storethetypestateoftheobjectwrappedinsidepolymorph Qualier:absent init(polymorph) var(result) straintattributes. inresult,alongwithanydenitionmodulesnecessarytoresolvecon-
Postconditions: makeinit(result) Seex11.9,p.127

unary{minus(result,source) TypeRules: AppendixB.HermesOperations191
Preconditions: result2numeric var(result) init(source) resultsource source2numeric Postconditions: makeinit(result) Exceptions:Depletion
Description:Negatesourceandstoretheresultinresult. Qualier:absent unique(result) TypeRules: Preconditions: result2nominal var(result) Postconditions: makeinit(result) Exceptions:Depletion Seex11.4,p.104
Description:Createanewnominalvalue,distinguishablefromallother Qualier:absent unite(varcomp,source) TypeRules: nominalvaluesthathaveeverbeencreated,andstoreitinresult.
Preconditions: varcompsource varcomp2variantcomponent Exceptions:Depletion Seex11.4,p.105
Description:Putthevariantofwhichvarcompisacomponentintowhateverstatecorrespondstovarcomp,andthenmovethevaluestoredin
casets(source,varcomp) var(source) var(varcomp) Postconditions: movets(source,varcomp) makecase(varcomp) Qualier:absent sourcetovarcomp,leavingsourceuninitialized. Seex11.7,p.116

192B.6.OperationDescriptions unwrap(result,polymorph) TypeRules: Preconditions: polymorph2polymorph Exceptions:Depletion,
Description:Movethevaluewrappedinsidepolymorphtoresult,leaving init(polymorph) var(result) Postconditions: polymorphts(result) makeuninit(polymorph) PolymorphMismatch
Qualier:wrap while() TypeRules:None typestatetothatgivenbytheinstructionqualier. polymorphuninitializedandcoercingresultasrequiredtolowerits
Preconditions:None SpecialRules:Theresultvariableidentiedinthestatementqualier Postconditions:SeeSpecialRules Seex11.9,p.126
stateonentrytothetestclauseisthemeetoftheentrytypestateof onnormalexitfromthetestclauseidentiedinthequalier.Thetype-
mustbeoftypepredefined!booleanandmusthavetheinitattribute Exceptions:|
Description:Repeatedlyexecutethestatementsintheclauseidentied malexittypestateofthetestclause(aniterativesolutionisrequired forthis,asdescribedinSection). normalexittypestateforthewhilestatement,areidenticaltothenor-
repeatedclause.Thetypestateonentrytotherepeatedclause,andthe thewhilestatementandthetypestateonnormalterminationofthe
Qualier:while iseverfalse,terminateexecutionofthewhileoperationimmediately (withoutperformingthecurrentiteration). forthetestresultvariable(identiedinthequalier).Ifthetestresult mentsinthetestclause(alsoidentiedinthequalier)toyieldavalue intheinstructionqualier.Priortoeachiteration,executethestate-
wrap(polymorph,source) TypeRules: polymorph2polymorph Exceptions:Depletion Seex11.3,p.97

wrap(continued) Preconditions: var(source) var(polymorph) polymorphprecondition(source) AppendixB.HermesOperations193
Description:Coercesourceasnecessarytoloweritstypestatetothat Postconditions:
Qualier:wrap typestateandstoretheresultinpolymorph,leavingsourceuninitialized. givenintheinstructionqualier.Thenwrapitupwithitstypeand makeuninit(source) makeinit(polymorph) Seex11.9,p.125

AppendixC PredenedModule Thisappendixprovidesacompletelistingofthepredefined.ddenitions module.ThepredefinedmoduleisimplicitlyimportedbyallHermes enforceassignment-styletyperules.Forexample,theoperationdescription modules.Itcontainsallthetypedenitionsrequiredbythecompilerto
forthelatterisalsoincluded. thedenitionofprogrammakesuseofpredefined!processid,adenition causeitisreferencedinthetyperulesforcreateandprocedure.Since function.Manytypesaredenedinpredefinedbecausethemodulemust predefined!integer.Thustheremustbeatypenamedintegerdened becompletelyself-contained.Forexample,typeprogramisincludedbe-
inadenitionsmodulenamedpredefinedinorderforthecompilerto fortheinsert-atoperationrequiresthatthepositionargumentbeoftype
predefined. writeaHermesapplicationthatmakesnoexplicituseofanythingfrom chosenforinclusionistheonepresentedabove.Itisnotuncommonto provideacollectionoftypedenitionsthatpeoplewillndgenerallyuseful intheirprogramming.Theonlycriterionbywhichatypedenitionis whichisusedtorepresentabstractHermesprograms.Anyprogramthat intendstomanipulateHermesprogramobjectsasdatawillnecessarilydependheavilyonthedenitionsinpredefined.
Thevastmajorityofthemodulecentersaroundthetypepredefined!program, Itshouldbestressedthatthepredefinedmoduleisnotintendedto

definitions predefined:using() AppendixC.PredenedModule195
option:enumeration('present','absent'); empty:enumeration(); FundamentalTypes
boolean:boolean(true:'true',false:'false'); integer:integer; char:orderedenumeration( '(',')','*','+',',','-','.','/', '8','9',':',';','','', '0','1','2','3','4','5','6','7', '','!','"','#','$','%','&','''', 'DLE','DC1','DC2','DC3','DC4','NAK','SYN','ETB', 'CAN','EM','SUB','ESC','FS','GS','RS','US', 'NUL','SOH','STX','ETX','EOT','ENQ','ACK','BEL', 'BS','HT','NL','VT','NP','CR','SO','SI',
);'x','y','z','f','|','g','~','DEL' '@','A','B','C','D','E','F','G', 'H','I','J','K','L','M','N','O',
charstring:orderedtableofcharfinitg; '','a','b','c','d','e','f','g', 'h','i','j','k','l','m','n','o', 'p','q','r','s','t','u','v','w', 'P','Q','R','S','T','U','V','W', 'X','Y','Z','[','n',']','^','',
TheAbstractProgramObject

196AppendixC.PredenedModule program:pragma"program"record( definitionsmodules:definitionsmodules,{{importedmodules
definitionsmodule:record( );{{therecanbemultipleprogramsbecauseofprogramliterals definitionsmodules:tableofdefinitionsmodule programs:processes mainprogram:processid, ffull/*,checkeddefinitions*/gkeys(id); {{oneormoreprograms {{themainprogram
); typedefinitions:typedefinitions,{{typedenitions id:moduleid, attrdefinitions:attrdefinitions{{attributedenitions NamesandIDs{{uniqueidofmodule
processid:nominal; clauseid:nominal; rootid:nominal; typeid:nominal; exceptionid:nominal; statementid:nominal; {{identiesaprocessobject
attributeid:nominal; moduleid:nominal; scopeid:nominal; {{clauseidentiers
exitid:nominal; componentid:nominal; {{rootnameidentiers {{exceptionid {{typeidentiers
{{Thefollowingistoallow,inabsprog,variableswithundeclared {{statementidentier {{attributeidentier {{scopeidentier {{moduleid
{{types.Forexample,temporariesthatgetintroducedwhenexpanding {{expressionstoassignmentstatements.Theirtypesarenotknown {{idofexithandler {{componentidentier
optionaltypename:variantoftypenameoption( typenameoption:enumeration('named','unnamed'); {{untilthetypecheckingphasewhichcomesafterresolution. 'unnamed'->noname:emptyfg,

);'named'->typename:typenameffullg typename:record(
AppendixC.PredenedModule197
);attributeid:attributeid );typeid:typeid constraintname:record( moduleid:moduleid, {{timestampofmodule
{{anobject(variable)gives(i)thescopewhereitisdeclared,(ii) {{attributeidwithinmodule {{typeidwithinmodule
{{itsrootid,and(iii)ifitisacomponent,itscompoenentid. {{e.g.,ifinscopesthereisthedeclarationr:Q,whereQisa {{recordhavingacomponentz,thentheobjectr.zgetswouldhave {{theobjectname(s,r,z). rootname:record(
);components:componentlist objectname:record( scope:scopeid, root:rootid root:rootname, {{identiersofcomponents {{scopeofrootdeclaration {{rootidentierusedto {{rootobject {{refertothisobject
componentlist:orderedtableofcomponentidffullg;
typedefinitions:tableoftypedefinitionffullgkeys(id); objectnames:orderedtableofobjectnameffullg;
{{Eachtypehasaunique(withinitsdenitionsmodule)typeid,a TypeDenitions

typedefinition:record( {{callmessages),aspecicationconsistingofaprimitivetypeand {{associatedinformation,andapragmastring 198AppendixC.PredenedModule
);prag:charstring {{setoftypedcomponents(emptyexceptforrecords,variantsand
componentdeclarations:orderedtableofcomponentdeclarationffullg specification:specificationtype, id:typeid,
componentdeclaration:record( keys(id); componentdeclarations:componentdeclarations,
);type:typename primitivetypes:orderedenumeration( 'recordtype','varianttype','tabletype', 'inporttype','outporttype','callmessagetype', 'polymorphtype'); 'nominaltype','integertype','booleantype','enumerationtype','realtype', id:componentid, {{declaredtype {{uniquenameofcomponent
specificationtype:variantofprimitivetypes( 'booleantype'->boolean:booleaninfoffullg, 'varianttype'->variantinfo:variantinfoffullg, 'nominaltype'->nominalinfo:emptyfg, 'realtype'->accuracyinfo:accuracyinfoffullg, 'enumerationtype'->enumeration:enumerationinfoffullg, 'recordtype'->recordinfo:emptyfg, 'tabletype'->tableinfo:tableinfoffullg, 'integertype'->integerinfo:emptyfg,
);'polymorphtype'->polymorphinfo:emptyfg 'outporttype'->outportinfo:typenameffullg, 'callmessagetype'->callmessageinfo:callmessageinfoffullg, 'inporttype'->inportinfo:inportinfoffullg,

{{Specicinformationneededtocompletelyspecifyatypefallingin {{eachofthevariousprimitivetypecategories booleaninfo:record( AppendixC.PredenedModule199
);falsename:charstring enumerationinfo:record( truename:charstring,
);accuracydenominator:integer accuracyinfo:record( );values:enumerationvalues enumerationvalues:orderedtableofcharstringfinitgkeys(*); ordered:boolean, accuracynumerator:integer, {{isitanorderedenumeration {{components
variantinfo:record( casetype:typename, casemapping:partitionset {{theenumerationtaggingthevariant {{mapscasetags(fromcase-type {{enumeration)tocomponents {{forrealtypes
partitionset:tableofpartitioninfoffullgkeys(componentid); partitioninfo:record( );casetypestate:formaltypestate{{typestateofcomponent tableinfo:record( caseid:integer, orderedtable:boolean, componentid:componentid, {{componentofvariant
elementtype:typename, keys:keyset, {{allthekeys {{typeofeachtableelement {{isthetableordered {{correspondingenumerationvalue
);elementtypestate:formaltypestate{{typestateofeachtableelement

{{Anemptysetindicatestheentireelementobject {{Eachkeyconsistsofasetof(sub-)componentsoftheelementtype. 200AppendixC.PredenedModule
formalobjects:orderedtableofcomponentlistffullg; keyset:orderedtableofformalobjectsffullgkeys(*);
);messagetypestate:formaltypestate{{typestateofeachqueuedmessage callmessageinfo:record( inportinfo:record( constants:componentset, messagetype:typename, {{typeofeachqueuedmessage
);exceptionspecifications:exceptionspecifications {{typestateforthecallmessagetype. {{followingassociatesexittypestateswithexceptions minimum:exceptionid, {{callmessage.Theassociatedexittypestateistheminimum normal:formaltypestate, {{followingidentiestheDiscardedexceptionforthis {{exittypestatefornormalreturn {{whichcomponentsareheldconstant
componentset:tableofcomponentidfinitgkeys(*); exceptionspecifications:tableofexceptionffullgkeys(exceptionid); exception:record( posttypestate:formaltypestate{{typestateonthatoutcome exceptionid:exceptionid, AttributeDenitions {{uniquenameofexception
{{module)identier,thecodethatevaluatestheattribute, attrdefinitions:tableofattrdefinitionffullgkeys(attributeid); {{Anattributedenitionincludesaunique(withinadenitions {{parameters,andtherequiredentrytypestateoftheparameters. {{Theparametersexistintheouterscopeofthecode.

attrdefinition:record( attributeid:attributeid, AppendixC.PredenedModule201
); rootids:orderedtableofrootidfinitg; pretypestate:typestate, prag:charstring parameters:rootids, returnvalue:objectname, executionenvironment:executionenvironment,{{expressiontoevaluate {{pragma {{typestateonentry {{declaredintheouterscope {{booleanobject {{uniqueidofattribute
processes:tableofprocffullgkeys(id); {{typeexecutionenvironment,whichincludesthestatementsappearing {{Eachprocesshasauniqueidentier.Thecodeisanobjectof ProcessModules
{{theoutermostscope. proc:record( {{inthecode,aswellasdeclarationsforalltherootobjects {{introducedbyincludedscopes.Theinitportisalwaysanobjectin
{{acollectionofnestedscopes,withasinglemain,oroutermost {{moduleorfromanattributedenition.Thecodeisrepresentedas id:processid, executablepart:executionenvironment,{{dcls+statements
{{andisassociatedwithaclause.Aclauseisalistofstatements, {{scope.Eachscopeintroducesnewdeclarationsforrootobjects, ); {{Followingrecordrepresentsapieceofcode,eitherfromaprocess initport:rootid, prag:charstring {{pragma {{nameofinitializationport
{{alwaysbeginswiththeclauseassociatedwiththeoutermostscope. {{someofwhichintroducenestedscopes.Executionofthecode executionenvironment:record( scopes:scopes,

202AppendixC.PredenedModule );mainscope:scopeid scopes:tableofscopeffullgkeys(id); scope:record( clauses:clauses,
{{optionallyassociatesatypewiththeobject.Ifnotypeis {{context. );clause:clauseid {{Eachdeclarationidentiesthedeclaredrootobject,and {{suppliedinadeclaration,thetypemustbeinferrablefrom declarations:declarations, id:scopeid, {{declarationsintroducedbyscope {{statementstoexecuteinscope {{scopeidentier
declaration:record( declarations:tableofdeclarationffullgkeys(id);
{{listofthestatementsthatmakeuptheclause clauses:tableofclauseffullgkeys(id); );prag:charstring {{Eachclausehasaunique(withinanexecutionenvironment)idanda id:rootid, typename:optionaltypename, {{idusedforreference {{typeofobject
clause:record( {{pragma
);statements:statements {{Eachstatementhasaunique(withinanexecutionenvironment) {{identier,anoperatorandoperands,andpossiblyadditionaldata id:clauseid, {{identierofclause
{{qualier.Theprecisecontentsofthequalierdependsonthe {{viaaccessibleprogramobjectsatruntime,mustbeprovidedinthe {{speciedinisqualier.Anyinformationthatisneededforthe {{properexecutionofthestatementandcannotnotbemadeavailable {{statementsofclause
{{operator. statements:orderedtableofstatementffullgkeys(id);

statement:record( id:statementid, operator:operator, operands:objectnames, qualifier:qualifier, AppendixC.PredenedModule203
);prag:charstring {{HerearealltheHermesoperators operator:orderedenumeration( 'checkdefinitions','concatenate','connect','convert','copy', 'create','currentprogram','discard','dissolve','divide','drop', 'empty','equal','every','exists','exit','expressionblock', 'extract','forenumerate','forinspect','forall','greater', 'greaterequal','hide','if','insert','insertat', 'lessequal','merge','mergeat','mod','move','multiply', 'namedliteral','new','not','notequal','or', 'inspectpolymorph','inspecttable','integerliteral','less', 'add','and','assert','attributename','block','call','case',
'positionofelement','positionofselector',
); 'typename','typestate','unaryminus','unique','unite','unwrap', 'print', 'procedure','programliteral','realliteral','receive','rem', 'remove','return','returnexception','reveal','select','send', 'size','stringliteral','subtract','theelement','type', 'while','wrap' {{includedfordebuggingpurposesonly
{{Namesofallthequaliertypes...commentsidentifywhich {{operatorsuseeachqualiertype qualifiertypes:orderedenumeration( 'absent', OperationQualiers
'block', 'attributename', {{block {{attributenameliteral

204AppendixC.PredenedModule
'inspecttable', 'if', 'constraintname', 'forenumerate', 'exit', 'expressionblock', {{assert,drop {{exit
'returnexception', 'programliteral', 'literal', 'inspectpolymorph', {{forinspect,inspecttable {{programliteral {{if-then-else {{inspectpolymorph {{integerliteral, {{returnexception {{realliteral,namedliteral {{forenumerate {{expressionblock
);'wrap' 'select', 'selector', {{select
{{Followingisthevariantusedtorepresentallstatementqualiers 'typename', 'while', {{typenameliteral {{while {{wrap,unwrap {{every,exists,extract, {{forall,remove,
qualifier:variantofqualifiertypes( {{theelement,positionofselector
'attributename'->attributename:attributenameffullg, 'absent'->empty:emptyfg,{{noqualier 'exit'->exit:exitidffullg, 'forenumerate'->forenumerate:forenumeratequalifierffullg, 'if'->if:ifqualifierffullg, 'block'->block:blockqualifierffullg, 'expressionblock'->expression:expressionqualifierffullg, 'constraintname'->constraintname:constraintnameffullg, 'inspectpolymorph'->
'while'->while:whilequalifierffullg, 'returnexception'->exceptionid:exceptionidffullg, 'typename'->typename:typenameffullg, 'literal'->literal:charstringffullg, 'selector'->selector:selectorffullg, 'programliteral'->programliteral:processidffullg, 'select'->select:selectqualifierffullg, 'inspecttable'->inspecttable:inspecttablequalifierffullg, inspectpolymorph:inspectpolymorphqualifierffullg,
);'wrap'->formaltypestate:formaltypestateffullg

{{Ablockstatementqualieridentiesthescopeholdingthe {{constantwithintheblock,andallthehandlersassociatedwiththe {{declarationsandmainbodycodeoftheblock,therootobjectsheld {{block. AppendixC.PredenedModule205
);handlers:handlers rootnames:tableofrootnameffullgkeys(*); {{Eachhandlernamestheexceptionsorexitconditionsthatit blockqualifier:record(
{{handles,andsuppliesaclause(notascope)containingthebodyof constants:rootnames, scope:scopeid, {{exceptionandexithandlers {{newscopeintroducedbytheblock
{{thehandler. {{objectsnotchangedinthisscope
handlers:tableofhandlerffullgkeys(id); handler:record( );clause:clauseid {{Handlerscomeinfourvarieties... handlertype:orderedenumeration( 'builtin', id:handlername,
);'others' {{Eachhandlertyperequirestype-specicadditionalinformationto {{fullyspecifytheconditionhandled 'user', 'exit', {{builtinexceptions {{userexceptions(dened
handlername:variantofhandlertype( {{withcallmessages) {{exitconditions
'user'->user:userexceptionffullg, 'builtin'->builtin:builtinexceptionfinitg, {{exceptionsnototherwisehandled
'others'->others:emptyfg 'exit'->exit:exitidfinitg,

206AppendixC.PredenedModule ); {{Hereareallthebuiltinexceptions );'Uncopyable' {{Auserexceptionisspeciedbythecallmessagetypeandoneof builtinexception:orderedenumeration( {{theexceptionsdenedwiththattype 'CaseError','ConstraintError','ConstraintFailure','Depletion',
userexception:record( 'Disconnected','DivideByZero','DuplicateKey','InterfaceMismatch',
type:typename, 'NotFound','PolymorphMismatch','DefinitionError','RangeError',
{{executedandtherootvariablethatwillholdtheexpression {{result.Therootvariableistheonlyvariableoutsidethe {{expressionblockscopethatisnotheldconstantwithinthescope. expressionqualifier:record( );exceptionid:exceptionid {{Thequalierforanexpressionblockidentiesthescopetobe
{{scope. {{theenumeration.Theiterationvariableisdeclaredinthebody {{scope,aswellastherootvariablethatisusedtoiteratethrough );result:rootname {{Foraforenumeratestatement,thequalieridentiesthebody scope:scopeid,
forenumeratequalifier:record( );enumerator:rootid {{Thequalierforanifstatementidentiestheclausethatwill {{evaluatethetestexpression,theobjectthatwillholdthe {{expressionresult,andtheclausetobeexecutediftheexpression {{yieldsatrueresult.Inaddition,an'else'clausemayoptionally {{besupplied,identifyingtheclausetobeexecutedwhenthetest scope:scopeid,

{{expressionisfalse. ifqualifier:record( testclause:clauseid, testresult:objectname, thenclause:clauseid, AppendixC.PredenedModule207
);optelseclause:optionalclauseid
{{throughoutthebodyscope,andthetypestaterequiredforthe {{thebodyscope)thatwillholdtheunwrappedpolymorphvalue {{scopeformingthestatementbody,therootvariable(declaredin );'absent'->empty:emptyfg {{Thequalierforaninspectpolymorphstatementidentiesthe optionalclauseid:variantofoption(
{{unwrappedvalue. 'present'->clauseid:clauseidfinitg,
inspectpolymorphqualifier:record( );typestate:formaltypestate {{Followingqualierisusedforinspecttableandforinspect {{statements.Inadditiontothesamesortofselectorasthatused scope:scopeid,
{{throughoutthebodyscope.Theinspectingrootobjectiscontained {{theidoftherootobjectthatholdstheinspectedtableelement {{forothertableoperations,abodyscopeisincluded,aswellas element:rootid,
{{inthebodyscope.NotethatitISNOTthesameobjectasthe {{elementobjectintheselectoritself,astheydeclaredindisjoint );selector:selector {{Aselectstatementqualierincludesa"selectclause"foreach {{scopes.
{{guardedarmoftheselectstatement,identifyingtheguard inspecttablequalifier:record( {{conditionforthearmandtheclausetobeexecutedwhenthearm scope:scopeid, element:rootid, {{scopeofstatementbody {{inspectionvariable {{tableselector

selectqualifier:record( {{guardsaredisabledisspecied. 208AppendixC.PredenedModule
);otherwiseclause:clauseid {{isselected.Inaddition,aclausetobeexecutedwhenall clauses:selectclauses,
selectclauses:tableofselectclauseffullg; selectclause:record( clause:clauseid, info:clauseinfo {{otherwiseclauseismandatory
{{giveninport,orboth. guardtype:enumeration('boolean','event','both'); {{Eacharmcanbeguardedbyabooleancondition,an"events"ona
{{wheretheresultofthatexecutionwillbeplaced. clauseinfo:variantofguardtype( {{theclausetobeexecutedtoevaluatetheguard,andtheobject );'both'->both:bothguardffullg {{Abooleanguard(orthebooleanpartofa"both"guard)identies 'boolean'->boolean:boolguardffullg,
boolguard:record( 'event'->portname:objectnameffullg,
);portname:objectname );result:objectname bothguard:record( clause:clauseid,
{{Aselectorqualiesmanytable-relatedstatements,andencodesthe {{informationcontainedintheWHERE(...)clauseofsuchstatements. {{Theselectorintroducesascopewhichencodestheselector boolean:boolguard,

{{expression.The'element'rootvariableappearsinthatscopeand {{'result'objectholdstheresultofevaluatingtheselectorfora {{holdsatableelementwhenevertheselectorisexecuted.The {{thetableelement. selector:record( AppendixC.PredenedModule209
{{loopbody. {{willholdtheresultofthetest,andtheclausecontainingthe );result:objectname {{Thequalierforawhilestatementidentiestheclausethat {{evaluatestheentrytestatthetopoftheloop,thevariablethat element:rootid, scope:scopeid, {{theelementbeingselected {{booleanvalueofselectorexpression {{scopeintroducedbytheselector
whilequalifier:record( {{inpolymorphs );repeatedclause:clauseid {{Followingtypesdenitionsareforthevaluesresultingfrom {{TYPEOFandTYPESTATEOFexpressions,whichinspectvalueswrapped testclause:clauseid,
typeofvalue:record( result:objectname,
);definitions:definitionsmodules{{resolutionenvironmentforthattype typestateofvalue:record(
typename:typename, typestate:formaltypestate, {{nameofthetype {{typestateofwrappedvalue
TypestatesandFormalTypestate {{attributesappearingintypestate
{{Atypestateisasetofattributes,eachofwhichconstistofan

{{attribute. typestate:tableofattributeffullgkeys(*); 210AppendixC.PredenedModule {{attributenameandalistofobjectsthataretheparametersofthe attribute:record( {{canalsonameauser-denedattribute,orconstraint.The'full' );objects:objectnames {{Therearethreebuilt-inattributes:initandcase.Anattribute {{bedroppedfromthislistatsomefuturetime. {{attributeisanabbreviationforseveralinitattributes,andmay name:attributename,
attributetype:enumeration('initialized','case','constraint','full'); attributename:variantofattributetype(
{{tosomevariable(notnecessarilyarootobject)dependingon );'full'->full:emptyfg {{Aformaltypestateislikeatypestate,butnorootvariableis {{mentioned.Instead,thecomponentlistsareinterpretedrelative 'case'->case:emptyfg, 'initialized'->init:emptyfg,
{{itself,ratherthananyofits(sub-)components. {{context.Anemptycomponentlistindicatestheassociatedvariable 'constraint'->constraint:constraintnameffullg,
);parameters:formalobjectlist formalobjectlist:orderedtableofcomponentlistffullg; formalattribute:record( formaltypestate:tableofformalattributeffullgkeys(*);
enddefinitions attributename:attributename,

[ASU88]AlfredV.Aho,RaviSethi,andJereyD.Ullman.Compilers: C.1References [Ada83]Ada.ReferenceManualfortheAdaProgrammingLanguage. Principles,TechniquesandTools.Addison-Wesley,1988. UnitedStatesDepartmentofDefense,1983. AppendixC.PredenedModule211
[BS90]DavidF.BaconandRobertE.Strom.Optimisticparallelization [AU77]AlfredV.AhoandJereyD.Ullman.PrinciplesofCompiler [BS89]DavidF.BaconandRobertE.Strom.Implementingthehermes T.J.WatsonResearchCenter,1990. ofcommunicatingsequentialprocesses.ResearchNoteRC,IBM ResearchCenter,1989. processmodel.TechnicalReportRC14518,IBMT.J.Watson Design.Addison-Wesley,1977.
[GJ87]ArthurP.GoldbergandDavidJeerson.Transparentprocess [FBSY87]KeithFeibusch,DavidF.Bacon,RobertE.Strom,and [Coo83]DougCooper.StandardPascalUserReferenceManual.W.W. T.J.WatsonResearchCenter,1987. face:Optimisticrecoveryfordiskstorage.Technicalreport,IBM Norton,1983.
Processing,pages728{734,1987. cloning:Atoolforloadmanagementofdistributedprograms. InProceedingsofthe1987InternationalConferenceonParallel ShaulaAlexanderYemini.Checkpointmanagementdiskinter-
[Jef85]DavidJeerson.Virtualtime.ACMTransactionsonProgrammingLanguagesandSystems,7(3):404,July1985.
[KP84]BrianW.KernighanandRobPike.TheUNIXProgramming [KR78]BrianW.KernighanandDennisM.Ritchie.TheCProgrammingLanguage.Prentice-HallSoftwareSeries,1978.
232{247.ACM,August1988. glishLanguage.HoughtonMiinCompany,1980. [Mor80]WilliamMorris.TheAmericanHeritageDictionaryoftheEn-
[NS88]VanL.NguyenandRobertE.Strom.Processsemantics:global Environment.Prentice-HallSoftwareSeries,1984.
ACMSymposiumonPrinciplesofDistributedComputing,pages axioms,compositionalrules,andapplications.InProc.Seventh

212C.1.References
[SBY88]RobertE.Strom,DavidF.Bacon,andShaulaAlexanderYem-
[SBY87]RobertE.Strom,DavidF.Bacon,andShaulaAlexanderYem-
[PS83]FrancisN.ParrandRobertE.Strom.NIL:Ahigh-levellansearchNoteRC13373,IBMT.J.WatsonResearchCenter,1987ini.Volatilelogginginn-fault-tolerantdistributedsystems.Renal,22(1-2),1983guagefordistributedsystemsprogramming.IBMSystemsJour-
[SY83]RobertE.StromandShaulaAlexanderYemini.NIL:Anintegratedlanguageandsystemfordistributedprogramming.In
[Str86]RobertE.Strom.Acomparisonoftheobject-orientedand process-orientedparadigms.InIBM/BrownWorkshopon 1986. TolerantComputing:DigestofPapers,pages44{49,June1988. Object-OrientedProgramming.ACM,SIGPLANNotices,June InTheEighteenthAnnualInternationalSymposiumonFault-
[SY84]RobertE.StromandShaulaAlexanderYemini.Optimistic onFault-TolerantComputing.IEEEComputerSociety,1984. tributedsystems.InTheFourteenthInternationalSymposium recovery:Anasynchronousapproachtofault-toleranceindis-
SoftwareSystems,June1983. SIGPLAN'83SymposiumonProgrammingLanguageIssuesin
[SY86]RobertE.StromandShaulaAlexanderYemini.Typestate:A [SY85]RobertE.StromandShaulaAlexanderYemini.Optimisticrecoveryindistributedsystems.ACMTransactionsonComputer
Systems,3(3):204{226,August1985. ity.IEEETransactionsonSoftwareEngineering,SE-12(1):157{ programminglanguageconceptforenhancingsoftwarereliabil-
[SY89]RobertE.StromandDanielM.Yellin.Computationally [SY87]RobertE.StromandShaulaAlexanderYemini.Synthesizing 171,January1986.
tractablesemilatticesforglobaldataowanalysis.Technical puterSciencePress,1987. distributedandparallelprogramsthroughoptimistictransfor-
ReportRC14936,IBMT.J.WatsonResearchCenter,August mations.InYechiamYemini,editor,CurrentAdvancesinDis-
1989. tributedComputingandCommunications,pages234{256.Com-

[SYB87a]RobertE.Strom,ShaulaAlexanderYemini,andDavidF.Ba-
[SY90]RobertE.StromandDanielM.Yellin.Extendingtypestate con.Alinguistictreatmentofprogramsastypedobjects.Re-
searchNoteRC13325,IBMT.J.WatsonResearchCenter,1987. checkingusingconditionallivenessanalysis.TechnicalReport RC15398,IBMT.J.WatsonResearchCenter,January1990. AppendixC.PredenedModule213
[SYB87b]RobertE.Strom,ShaulaAlexanderYemini,andDavidF.Ba-
[SYB87d]RobertE.Strom,ShaulaAlexanderYemini,andDavidF.Bacon.Towardself-recoveringoperatingsystems.InHaroldLorincon.Towardself-recoveringoperatingsystems.InTheInternadivisionalTechnicalLiaison,IBMCorporation,February1987.
[SYB87c]RobertE.Strom,ShaulaAlexanderYemini,andDavidF.Bacon.Programsasobjects.InH.N.Cooper,editor,IBMProgrammingLanguageTechnologyITL,pages187{195.IBMInter-
editor,TheIBM/SRISymposiumonOperatingSystems:Trends tionalConferenceonParallelProcessing.North-Holland,1987.
[SYW85]RobertE.Strom,ShaulaA.Yemini,andPeterWegner.Viewing [SYB88]RobertE.Strom,ShaulaAlexanderYemini,andDavidF.Ba-
andIssuesinOperatingSystems,pages221{233.IBMSystems
ingsoftheInternationalAdaConference,Paris,France,1985. ferenceonSystemSciences.IEEECS,1988. Adafromaprocessmodelperspective.InAdainUse:Proceedcon.Arecoverableobjectstore.InHawaiiInternationalCon-
ResearchInstitute,IBMCorporation,1987.
[YSB87]ShaulaAlexanderYemini,RobertE.Strom,andDavidF.Bacon.Improvingdistributedprotocolsbydecouplingrecovery
WatsonResearchCenter,1987. fromconcurrencycontrol.ResearchNoteRC13326,IBMT.J.

Index
--,73
:=,94

AppendixC.PredenedModule215
coercion,88,89
coercionoperations,57
comment,73
comparison,94,125
ofrecords,107
ofvariants,115
componentname
resolutionof,77
components,107
concatenate,109
connect,14,121
constant,88
constant,22
constantcopy,88,112,113,119,
127
constraint,131
ConstraintErrorexception,132
ConstraintFailureexception,132
conversionandresolution,72
convertoperator,106
copyof,29
copyingavalue,94
create,124
createof,15,16,24
currentprogram,129
deadcode,91
declaration,18,19
hidingnotallowed,20
declarationslist,76
denition,18
denitionsmodule,21,77
denitionsmodules,19
Depletionexception,95
discard,57,95,95
Discardedexception,29,119,123
discardedexceptions,78
Disconnectedexception,29,99,
122,123
dissolve,116
DivideByZeroexception,104
DuplicateKeyexception,43,48,
111,112
element,107
elementtype,107
else,97
empty,61,120
enabledclause,99
entrytypestate,118
enumerationtypefamily,102
evaluate,seeexpressionblock
eventguard,26,98
every,110
everyof,42
exception,11,119,122
denition,22
handler,11,96
nameresolution,78
return,123
exists,110
existsof,48
exitnameresolution,79
exit,79,88,123
exit,101
exitformaltypestate,119
exittypestate,24
expressionblock,59,88,100{101
extract,42,111
fairness
inreceivestatement,122
inselectstatement,99
lterprogram,12
forenumerate,106
forstatement,46
for-inspect,113
forall,110
formaltypestate,86
full,23,78,85
function
call,121
functioncall,122
functionnotation,12
generator
process,125
generatorprocess,125
guard,98

216C.1.References
guardedselect,26
handlerclause,79,96
Hermes,3{5
researchdirections,67
typesystem,55
hide,117
hidestatement,63
Hoare,C.A.R.,55
identiers,74
if,97
importslist,19,78
inferencefunction
elementtypeof,151
sameas,152
inferencerule,151
inferencerules,21,80
inferreddeclaration,81
init,23,78,84{86
init(),56
initializationport,8,19
inport,118
inputport,8,22,94,118,119
aseventguard,98
denition,23,24
enabled,26
insert,29,111,111
insert-at,111
inspect,46,112
inspectvariable,112
integerliterals,50
integertypefamily,103
interface,11,22,60
denition,22,24
InterfaceMismatchexception,17,
124,124
key,108,110{112
keys(),43
keyword,74
latebinding,5
lexicalanalysis,71
linkinglist,51,79
literal
named,73
numeric,73
real,73
string,73
literals,104
long-livedsystems,55
mainclause,96
mainprogram,124
meet,89
merge,112
merge-at,112
messagetype,118
minimumformaltypestate,119
default,119
minimumtypestate,87
mod,104
module,4
move,93
movingavalue,93
movingversuscopying,29,93
nameequivalenceoftypedenitions,24
namespace,75,78
ofbasevariables,76
ofcomponentnames,77
oftypeidentiers,77
ofuser-denedexceptionnames,
78
namedliteral,73
new,14,107,119,120
nominaltypefamily,101,105
normalexit,96
not,105
notation
association,121
function,121
positional,121
NotFoundexception,42,110{112
numericliteral,73
object-orientedlanguages,27
occurrence
applied,72

AppendixC.PredenedModule217
dening,72
on(others),50
on(others),96
operatingsystem,4
or,105
ordered
tableoperations,29
ordered,108
orderedtable,28
orderedtable,28
others,96
otherwise,27
outcome,88
outport,119
outputport,8,22,119
denition,24
overlap,121
parent,8
passingparametersbyvalue-result,
12
pointers,prohibited,4
polymorph,94
polymorph,64
polymorphtypefamily,125
polymorphictypes,none,18
PolymorphMismatchexception,66,
126,127
position,41
positioninatable,28,110{112
position-of-element,92
position-of-element,113,114
position-of-selector,114
position-of-selector,42
postcondition,89
postconditionfunction,90
precondition,88
predened,19,75
charactertype,102
predefined,19,78
predenedexceptions
DivideByZero,104
predefined!boolean,97
predefined!program,51
procedure,40
procedure,125
procedureof,40
procedures,40
process,4
communication,12{17
module,8
name,79
termination,29
process,19
block,96
program,15
checked,23
program,15
programliteral,50
programvalue,71,80
punctuation,73,74
qualier,80,81
RangeErrorexception,29,106,111,
112
realliteral,73
typefamily,103
realarithmetic,103
receive,5,9,123
record,107
recorddenition,43
rem,104
remove,29,42,111
repeatclause,97
reservedwords,74
resolution,75
ofbasevariables,76
ofcomponentnames,77
oftypenames,77
resultvariable,100
return,5,9,24,123
exception,78
reveal,63,117
safenumber,103
safenumbers,103
scalartypefamilies,101
scope,76,80

218C.1.References
ofelementvariable,109
ofinspectvariable,112
security,55
selectnofairchoice,99
select,26
abbreviation,40
select,98{100
selector,41,91,109
expression,109
long,109
mapping,109
semilattice,57,84
meet,57
send,118,124
sendstatement,60
server,9
serverprocess,25
shareddata,prohibited,4
shell,9
sizeof,26,114
space,73
stringliteral,50,73,109
syntax
analysis,71
systemsprogramming,12
table,28
new,109
comparison,108
elementtypestate,108
insert,29
insertat,29
operations,28
representationindependent,28
typefamily,107
unordered,43
table[expr],42
table[key],43
the-element,42,110
tokens,73
typechecking,8,9,17,18,72,80{
82,150{153
denition,22,77
families,8
inference,72,80{82
inferencerules,55
inferencing,150{153
name,19
specier,21
type,127
typename,77
resolution,77
typespecier,81,82,83
o,104
typestate,22
caseattribute,62
attributes,23,56,78,84{85
checking,9,17,24,56,72,
84{92,150{153
checkingalgorithm,90
checkingexample,89
coercions,87
constraintattributes,85
entry,23,24
errors,91{92
exit,23
exitformal,119
formal,85{86
initialization,23
minimumformal,119
postcondition,90
postconditionrules,152
preconditionfunction,89
preconditionrules,152,155
semilattice,84
semilatticemeet,87
syntax,84{85
valid,86
typestate,127
Uncopyableexception,64,94
unique,105
unite,116
unitestatement,62
unwrap,66,126
unwrapstatement,84
usinglist,19

variablename discarded,29
variant,61 overlap,121 temporary,122 nalized,29
hidden,61 nameresolution,75{77
revealed,61 basevariable,75 componentname,75 formal,86 typefamily,115
windowsystem,31 while,97{98 while,10 where,109 whereexpression,41 where('true'),47 visibility,75 typestate,86
wrappedvalue,125 wrapper,125 word,73,74 wrap,66,125
AppendixC.PredenedModule219