Because propositions in such a logic may no longer be freely copied - - PowerPoint PPT Presentation

because propositions
SMART_READER_LITE
LIVE PREVIEW

Because propositions in such a logic may no longer be freely copied - - PowerPoint PPT Presentation

May 12, 2023 161 likes •2.12k views

Because propositions in such a logic may no longer be freely copied or ig- standing propositions in sub- structural logics as repre- senting resources rather than truth. nored, this suggests under- Programming with Affine Types CS 51 &

slide-1
SLIDE 1

Because propositions

in such a logic may no

longer be freely copied or ig- nored, this suggests under- standing propositions in sub- structural logics as repre- senting resources rather than truth.

slide-2
SLIDE 2

Programming with Affine Types

CS 51 & CSCI E-51 April 17, 2014

slide-3
SLIDE 3

Programming Is Hard

let deposit (arr: int array) (acct: int) (amt: int) = Array.set arr acct (Array.get arr acct + amt)

  • 1. get balance from array
  • 1. get balance from array
  • 2. add deposit amount
  • 2. add deposit amount
  • 3. store new balance in array
  • 3. store new balance in array

3

slide-4
SLIDE 4

Programming Is Hard

let deposit (arr: int array) (acct: int) (amt: int) = Array.set arr acct (Array.get arr acct + amt)

  • 1. get balance from array
  • 1. get balance from array
  • 2. add deposit amount
  • 2. add deposit amount
  • 3. store new balance in array
  • 3. store new balance in array

3

slide-5
SLIDE 5

Concurrent Programming Is Hard

let deposit (arr: int array) (acct: int) (amt: int) = Array.set arr acct (Array.get arr acct + amt)

  • 1. get balance from array
  • 1. get balance from array
  • 2. add deposit amount
  • 2. add deposit amount
  • 3. store new balance in array
  • 3. store new balance in array

3

slide-6
SLIDE 6

Concurrent Programming Is Hard

let deposit (l: lock) (arr: int array) (acct: int) (amt: int) = Lock.acquire l; Array.set arr acct (Array.get arr acct + amt); Lock.release l

  • 1. get balance from array
  • 2. add deposit amount
  • 3. store new balance in array
  • 1. get balance from array
  • 2. add deposit amount
  • 3. store new balance in array

4

slide-7
SLIDE 7

Concurrent Programming Is Hard

let deposit (l: lock) (arr: int array) (acct: int) (amt: int) = Lock.acquire l; Array.set arr acct (Array.get arr acct + amt); Lock.release l

  • 1. get balance from array
  • 2. add deposit amount
  • 3. store new balance in array
  • 1. get balance from array
  • 2. add deposit amount
  • 3. store new balance in array

4

slide-8
SLIDE 8

int udp_sendmsg(struct sock *sk, struct msghdr *msg, …) { . . . if (unlikely(sk→pending)) { /* Socket is already corked while preparing it */ /* … which is an evident application bug. –ANK */ LIMIT_NETDEBUG(KERN_DEBUG “udp cork app bug 2”); return -EINVAL; } lock_sock(sk); ret = ip_append_data(sk, msg→msg_iov, ulen, …); . . . release_sock(sk); return ret; }

5

slide-9
SLIDE 9

int udp_sendmsg(struct sock *sk, struct msghdr *msg, …) { . . . if (unlikely(sk→pending)) { /* Socket is already corked while preparing it */ /* … which is an evident application bug. –ANK */ LIMIT_NETDEBUG(KERN_DEBUG “udp cork app bug 2”); return -EINVAL; } lock_sock(sk); ret = ip_append_data(sk, msg→msg_iov, ulen, …); . . . release_sock(sk); return ret; }

5

slide-10
SLIDE 10

int udp_sendmsg(struct sock *sk, struct msghdr *msg, …) { . . . if (unlikely(sk→pending)) { /* Socket is already corked while preparing it */ /* … which is an evident application bug. –ANK */ LIMIT_NETDEBUG(KERN_DEBUG “udp cork app bug 2”); return -EINVAL; } lock_sock(sk); ret = ip_append_data(sk, msg→msg_iov, ulen, …); . . . release_sock(sk); return ret; }

5

slide-11
SLIDE 11

int udp_sendmsg(struct sock *sk, struct msghdr *msg, …) { . . . if (unlikely(sk→pending)) { /* Socket is already corked while preparing it */ /* … which is an evident application bug. –ANK */ LIMIT_NETDEBUG(KERN_DEBUG “udp cork app bug 2”); return -EINVAL; } lock_sock(sk); ret = ip_append_data(sk, msg→msg_iov, ulen, …); . . . release_sock(sk); return ret; }

5

slide-12
SLIDE 12

int udp_sendmsg(struct sock *sk, struct msghdr *msg, …) { . . . if (unlikely(sk→pending)) { /* Socket is already corked while preparing it */ /* … which is an evident application bug. –ANK */ LIMIT_NETDEBUG(KERN_DEBUG “udp cork app bug 2”); return -EINVAL; } lock_sock(sk); ret = ip_append_data(sk, msg→msg_iov, ulen, …); . . . release_sock(sk); return ret; }

5

slide-13
SLIDE 13

int udp_sendmsg(struct sock *sk, struct msghdr *msg, …) { . . . if (unlikely(sk→pending)) { /* Socket is already corked while preparing it */ /* … which is an evident application bug. –ANK */ LIMIT_NETDEBUG(KERN_DEBUG “udp cork app bug 2”); return -EINVAL; } lock_sock(sk); ret = ip_append_data(sk, msg→msg_iov, ulen, …); . . . release_sock(sk); return ret; }

5

slide-14
SLIDE 14

int udp_sendmsg(struct sock *sk, struct msghdr *msg, …) { . . . if (unlikely(sk→pending)) { /* Socket is already corked while preparing it */ /* … which is an evident application bug. –ANK */ LIMIT_NETDEBUG(KERN_DEBUG “udp cork app bug 2”); return -EINVAL; } lock_sock(sk); ret = ip_append_data(sk, msg→msg_iov, ulen, …); . . . release_sock(sk); return ret; }

5

slide-15
SLIDE 15

int udp_sendmsg(struct sock *sk, struct msghdr *msg, …) { . . . lock_sock(sk); if (unlikely(sk→pending)) { /* Socket is already corked while preparing it */ /* … which is an evident application bug. –ANK */ LIMIT_NETDEBUG(KERN_DEBUG “udp cork app bug 2”); return -EINVAL; } ret = ip_append_data(sk, msg→msg_iov, ulen, …); . . . release_sock(sk); return ret; }

5

slide-16
SLIDE 16

int udp_sendmsg(struct sock *sk, struct msghdr *msg, …) { . . . lock_sock(sk); if (unlikely(sk→pending)) { /* Socket is already corked while preparing it */ /* … which is an evident application bug. –ANK */ release_sock(sk); LIMIT_NETDEBUG(KERN_DEBUG “udp cork app bug 2”); return -EINVAL; } ret = ip_append_data(sk, msg→msg_iov, ulen, …); . . . release_sock(sk); return ret; }

5

slide-17
SLIDE 17

int udp_sendmsg(struct sock *sk, struct msghdr *msg, …) { . . . lock_sock(sk); if (unlikely(sk→pending)) { /* Socket is already corked while preparing it */ /* … which is an evident application bug. –ANK */ release_sock(sk); LIMIT_NETDEBUG(KERN_DEBUG “udp cork app bug 2”); return -EINVAL; } ret = ip_append_data(sk, msg→msg_iov, ulen, …); . . . release_sock(sk); return ret; }

5

slide-18
SLIDE 18

int udp_sendmsg(struct sock *sk, struct msghdr *msg, …) { . . . lock_sock(sk); if (unlikely(sk→pending)) { /* Socket is already corked while preparing it */ /* … which is an evident application bug. –ANK */ release_sock(sk); LIMIT_NETDEBUG(KERN_DEBUG “udp cork app bug 2”); return -EINVAL; } ret = ip_append_data(sk, msg→msg_iov, ulen, …); . . . release_sock(sk); return ret; }

Problem: Advisory locking Solution: Mandatory locking Better solution: Static mandatory locking It’s a language feature in Chalice

(Leino et al. 2009)

5

slide-19
SLIDE 19

int udp_sendmsg(struct sock *sk, struct msghdr *msg, …) { . . . lock_sock(sk); if (unlikely(sk→pending)) { /* Socket is already corked while preparing it */ /* … which is an evident application bug. –ANK */ release_sock(sk); LIMIT_NETDEBUG(KERN_DEBUG “udp cork app bug 2”); return -EINVAL; } ret = ip_append_data(sk, msg→msg_iov, ulen, …); . . . release_sock(sk); return ret; }

Problem: Advisory locking Solution: Mandatory locking Better solution: Static mandatory locking It’s a language feature in Chalice

(Leino et al. 2009)

5

slide-20
SLIDE 20

int udp_sendmsg(struct sock *sk, struct msghdr *msg, …) { . . . lock_sock(sk); if (unlikely(sk→pending)) { /* Socket is already corked while preparing it */ /* … which is an evident application bug. –ANK */ release_sock(sk); LIMIT_NETDEBUG(KERN_DEBUG “udp cork app bug 2”); return -EINVAL; } ret = ip_append_data(sk, msg→msg_iov, ulen, …); . . . release_sock(sk); return ret; }

Problem: Advisory locking Solution: Mandatory locking Better solution: Static mandatory locking It’s a language feature in Chalice

(Leino et al. 2009)

5

slide-21
SLIDE 21

int udp_sendmsg(struct sock *sk, struct msghdr *msg, …) { . . . lock_sock(sk); if (unlikely(sk→pending)) { /* Socket is already corked while preparing it */ /* … which is an evident application bug. –ANK */ release_sock(sk); LIMIT_NETDEBUG(KERN_DEBUG “udp cork app bug 2”); return -EINVAL; } ret = ip_append_data(sk, msg→msg_iov, ulen, …); . . . release_sock(sk); return ret; }

Problem: Advisory locking Solution: Mandatory locking Better solution: Static mandatory locking It’s a language feature in Chalice

(Leino et al. 2009)

5

slide-22
SLIDE 22

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with None send Reject ch Some (r, price) send (Offer price) ch; match recv ch with Accept send (Resource r) ch Reject () let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with Reject None Offer price if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-23
SLIDE 23

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with Reject None Offer price if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-24
SLIDE 24

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with Reject None Offer price if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-25
SLIDE 25

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with Reject None Offer price if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-26
SLIDE 26

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with Reject None Offer price if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-27
SLIDE 27

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with Reject None Offer price if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-28
SLIDE 28

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with Reject None Offer price if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-29
SLIDE 29

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with Reject None Offer price if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-30
SLIDE 30

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with Reject None Offer price if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-31
SLIDE 31

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with

| Reject → None | Offer price →

if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-32
SLIDE 32

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with

| Reject → None | Offer price →

if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-33
SLIDE 33

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with

| Reject → None | Offer price →

if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-34
SLIDE 34

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with

| Reject → None | Offer price →

if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-35
SLIDE 35

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with

| Reject → None | Offer price →

if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-36
SLIDE 36

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with

| Reject → None | Offer price →

if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-37
SLIDE 37

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with

| Reject → None | Offer price →

if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () Pattern match failure 6

slide-38
SLIDE 38

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with

| Reject → None | Offer price →

if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop () 6

slide-39
SLIDE 39

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with

| Reject → None | Offer price →

if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop ()

Problem: Simple channel is too permissive Solution: Session types It’s a language feature in Sing#

(Fähndrich et al. 2006)

6

slide-40
SLIDE 40

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with

| Reject → None | Offer price →

if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop ()

Problem: Simple channel is too permissive Solution: Session types It’s a language feature in Sing#

(Fähndrich et al. 2006)

6

slide-41
SLIDE 41

type bid_msg = Request of string

| Offer of int | Reject | Accept | Resource of resource

type bid_chan = bid_msg chan let seller ch = let Request name = recv ch in match lookup name with

| None →

send Reject ch

| Some (r, price) →

send (Offer price) ch; match recv ch with

| Accept →

send (Resource r) ch

| Reject → ()

let buyer name limit ch = send (Request name) ch; let rec loop () = match recv ch with

| Reject → None | Offer price →

if price ≤ limit then send Accept ch; let Resource r = recv ch in Some r else send (Offer limit) ch; loop () in loop ()

Problem: Simple channel is too permissive Solution: Session types It’s a language feature in Sing#

(Fähndrich et al. 2006)

6

slide-42
SLIDE 42

What’s It Gonna Be?

Problem: Locking Message passing Both Solution: Static permissions Session types ? in Chalice in Sing#

7

slide-43
SLIDE 43

What’s It Gonna Be?

Problem: Locking Message passing Both Solution: Static permissions Session types ? in Chalice in Sing#

7

slide-44
SLIDE 44

Special Purpose General Purpose Theoretical Practical

p e r m i s s i

  • n

s

Chalice

s e s s i

  • n

t y p e s

Sing#, Moose

f r a c t i

  • n

a l p e r m i s s i

  • n

s

Boyland 2003

s e s s i

  • n

t y p e s

Honda 1998, Vasconcelos 2004

u n i q u e c a p a b i l i t i e s

Capability Calculus

Use types

F

URAL

ILL LNL

8

slide-45
SLIDE 45

Special Purpose General Purpose Theoretical Practical

m e m

  • r

y r e g i

  • n

s

Cyclone

p e r m i s s i

  • n

s

Chalice

s e s s i

  • n

t y p e s

Sing#, Moose

t y p e s t a t e

Vault, Plaid

f r a c t i

  • n

a l p e r m i s s i

  • n

s

Boyland 2003

s e s s i

  • n

t y p e s

Honda 1998, Vasconcelos 2004

u n i q u e c a p a b i l i t i e s

Capability Calculus

Use types

F

URAL

ILL LNL

8

slide-46
SLIDE 46

Special Purpose General Purpose Theoretical Practical

m e m

  • r

y r e g i

  • n

s

Cyclone

p e r m i s s i

  • n

s

Chalice

s e s s i

  • n

t y p e s

Sing#, Moose

t y p e s t a t e

Vault, Plaid

f r a c t i

  • n

a l p e r m i s s i

  • n

s

Boyland 2003

s e s s i

  • n

t y p e s

Honda 1998, Vasconcelos 2004

u n i q u e c a p a b i l i t i e s

Capability Calculus

Use types

F

URAL

ILL LNL

8

slide-47
SLIDE 47

Special Purpose General Purpose Theoretical Practical

m e m

  • r

y r e g i

  • n

s

Cyclone

p e r m i s s i

  • n

s

Chalice

s e s s i

  • n

t y p e s

Sing#, Moose

t y p e s t a t e

Vault, Plaid

f r a c t i

  • n

a l p e r m i s s i

  • n

s

Boyland 2003

s e s s i

  • n

t y p e s

Honda 1998, Vasconcelos 2004

u n i q u e c a p a b i l i t i e s

Capability Calculus

Use types

F◦

λURAL

ILL LNL

8

slide-48
SLIDE 48

Special Purpose General Purpose Theoretical Practical

m e m

  • r

y r e g i

  • n

s

Cyclone

p e r m i s s i

  • n

s

Chalice

s e s s i

  • n

t y p e s

Sing#, Moose

t y p e s t a t e

Vault, Plaid

f r a c t i

  • n

a l p e r m i s s i

  • n

s

Boyland 2003

s e s s i

  • n

t y p e s

Honda 1998, Vasconcelos 2004

u n i q u e c a p a b i l i t i e s

Capability Calculus

Use types

F◦

λURAL

ILL LNL

8

slide-49
SLIDE 49

Special Purpose General Purpose Theoretical Practical

m e m

  • r

y r e g i

  • n

s

Cyclone

p e r m i s s i

  • n

s

Chalice

s e s s i

  • n

t y p e s

Sing#, Moose

t y p e s t a t e

Vault, Plaid

f r a c t i

  • n

a l p e r m i s s i

  • n

s

Boyland 2003

s e s s i

  • n

t y p e s

Honda 1998, Vasconcelos 2004

u n i q u e c a p a b i l i t i e s

Capability Calculus

Use types

F◦

λURAL

ILL LNL

8

slide-50
SLIDE 50

Special Purpose General Purpose Theoretical Practical

m e m

  • r

y r e g i

  • n

s

Cyclone

p e r m i s s i

  • n

s

Chalice

s e s s i

  • n

t y p e s

Sing#, Moose

t y p e s t a t e

Vault, Plaid

f r a c t i

  • n

a l p e r m i s s i

  • n

s

Boyland 2003

s e s s i

  • n

t y p e s

Honda 1998, Vasconcelos 2004

u n i q u e c a p a b i l i t i e s

Capability Calculus

Use types

F◦

λURAL

ILL LNL

8

slide-51
SLIDE 51

Special Purpose General Purpose Theoretical Practical

m e m

  • r

y r e g i

  • n

s

Cyclone

p e r m i s s i

  • n

s

Chalice

s e s s i

  • n

t y p e s

Sing#, Moose

t y p e s t a t e

Vault, Plaid

f r a c t i

  • n

a l p e r m i s s i

  • n

s

Boyland 2003

s e s s i

  • n

t y p e s

Honda 1998, Vasconcelos 2004

u n i q u e c a p a b i l i t i e s

Capability Calculus

Use types

F◦

λURAL

ILL LNL

8

slide-52
SLIDE 52

Special Purpose General Purpose Theoretical Practical

m e m

  • r

y r e g i

  • n

s

Cyclone

p e r m i s s i

  • n

s

Chalice

s e s s i

  • n

t y p e s

Sing#, Moose

t y p e s t a t e

Vault, Plaid

f r a c t i

  • n

a l p e r m i s s i

  • n

s

Boyland 2003

s e s s i

  • n

t y p e s

Honda 1998, Vasconcelos 2004

u n i q u e c a p a b i l i t i e s

Capability Calculus

Use types

F◦

λURAL

ILL LNL

8

slide-53
SLIDE 53

Special Purpose General Purpose Theoretical Practical

m e m

  • r

y r e g i

  • n

s

Cyclone

p e r m i s s i

  • n

s

Chalice

s e s s i

  • n

t y p e s

Sing#, Moose

t y p e s t a t e

Vault, Plaid

f r a c t i

  • n

a l p e r m i s s i

  • n

s

Boyland 2003

s e s s i

  • n

t y p e s

Honda 1998, Vasconcelos 2004

u n i q u e c a p a b i l i t i e s

Capability Calculus

Use types

F◦

λURAL

ILL LNL

8

slide-54
SLIDE 54

Special Purpose General Purpose Theoretical Practical

m e m

  • r

y r e g i

  • n

s

Cyclone

p e r m i s s i

  • n

s

Chalice

s e s s i

  • n

t y p e s

Sing#, Moose

t y p e s t a t e

Vault, Plaid

f r a c t i

  • n

a l p e r m i s s i

  • n

s

Boyland 2003

s e s s i

  • n

t y p e s

Honda 1998, Vasconcelos 2004

u n i q u e c a p a b i l i t i e s

Capability Calculus

Use types

F◦

λURAL

ILL LNL

8

slide-55
SLIDE 55

Special Purpose General Purpose Theoretical Practical

m e m

  • r

y r e g i

  • n

s

Cyclone

p e r m i s s i

  • n

s

Chalice

s e s s i

  • n

t y p e s

Sing#, Moose

t y p e s t a t e

Vault, Plaid

f r a c t i

  • n

a l p e r m i s s i

  • n

s

Boyland 2003

s e s s i

  • n

t y p e s

Honda 1998, Vasconcelos 2004

u n i q u e c a p a b i l i t i e s

Capability Calculus

Use types

F◦

λURAL

ILL LNL

?

8

slide-56
SLIDE 56

Special Purpose General Purpose Theoretical Practical

m e m

  • r

y r e g i

  • n

s

Cyclone

p e r m i s s i

  • n

s

Chalice

s e s s i

  • n

t y p e s

Sing#, Moose

t y p e s t a t e

Vault, Plaid

f r a c t i

  • n

a l p e r m i s s i

  • n

s

Boyland 2003

s e s s i

  • n

t y p e s

Honda 1998, Vasconcelos 2004

u n i q u e c a p a b i l i t i e s

Capability Calculus

Use types

F◦

λURAL

ILL LNL

?

Alms

8

slide-57
SLIDE 57

Goal

A practical and expressive programming language with general-purpose affine types

9

slide-58
SLIDE 58

Goal

A practical and expressive programming language with general-purpose affine types

U Affine

nlimited

9

slide-59
SLIDE 59

Goal

A practical and expressive programming language with general-purpose affine types

U A

nlimited

≤ 1

9

slide-60
SLIDE 60

Goal

A practical and expressive programming language with general-purpose affine types

U A ≤ 1

9

slide-61
SLIDE 61

Goal

A practical and expressive programming language with general-purpose affine types

U A

9

slide-62
SLIDE 62

Goal

A practical and expressive programming language with general-purpose affine types

U A

9

slide-63
SLIDE 63

Goal

A practical and expressive programming language with general-purpose affine types

U A

think ML pay-as-you-go

9

slide-64
SLIDE 64

Goal

A practical and expressive programming language with general-purpose affine types

U A

think ML pay-as-you-go stateful type systems as libraries

9

slide-65
SLIDE 65

Goal

A practical and expressive programming language with general-purpose affine types

U A

think ML pay-as-you-go stateful type systems as libraries Alms

9

slide-66
SLIDE 66

Goal

A practical and expressive programming language with general-purpose affine types

U A

think ML pay-as-you-go stateful type systems as libraries Alms

language design core model prototype implementation

9

slide-67
SLIDE 67

Goal

A practical and expressive programming language with general-purpose affine types

U A

think ML pay-as-you-go stateful type systems as libraries Alms

language design core model prototype implementation

9

slide-68
SLIDE 68

Alms by Example

  • r Your Language Is a Library in My Language
slide-69
SLIDE 69

Alms by Example

  • r Your Language Is a Library in My Language
slide-70
SLIDE 70

Alms vs. OCaml

OCaml Alms Affine types No Yes First-class polymorphism Awkward Yes Type inference Yes Yes Modules Yes Yes Opaque signatures Yes Yes Algebraic data types Yes Yes Pattern matching Yes Yes Concurrency Yes Yes Exceptions Yes Yes Functors, classes, … Yes No

11

slide-71
SLIDE 71

ML Polymorphism

val nth : int → ’a list → ’a option #- let second = nth 1 in (second [1,3,5], second [2,4,6]) it : int option × int option = (Some 3, Some 4) #- let second = nth 1 in (second [1,3,5], second [’a’,’b’,’c’]) Error: This expression has type char but an expression was expected of type int #- (nth 1 [1,3,5], nth 1 [’a’,’b’,’c’]) it : int option × char option = (Some 3, Some ’b’)

12

slide-72
SLIDE 72

ML Polymorphism

val nth : int → ’a list → ’a option #- let second = nth 1 in (second [1,3,5], second [2,4,6]) it : int option × int option = (Some 3, Some 4) #- let second = nth 1 in (second [1,3,5], second [’a’,’b’,’c’]) Error: This expression has type char but an expression was expected of type int #- (nth 1 [1,3,5], nth 1 [’a’,’b’,’c’]) it : int option × char option = (Some 3, Some ’b’)

12

slide-73
SLIDE 73

ML Polymorphism

val nth : int → ’a list → ’a option #- let second = nth 1 in (second [1,3,5], second [2,4,6]) it : int option × int option = (Some 3, Some 4) #- let second = nth 1 in (second [1,3,5], second [’a’,’b’,’c’]) Error: This expression has type char but an expression was expected of type int #- (nth 1 [1,3,5], nth 1 [’a’,’b’,’c’]) it : int option × char option = (Some 3, Some ’b’)

12

slide-74
SLIDE 74

ML Polymorphism

val nth : int → ’a list → ’a option #- let second = nth 1 in (second [1,3,5], second [2,4,6]) it : int option × int option = (Some 3, Some 4) #- let second = nth 1 in (second [1,3,5], second [’a’,’b’,’c’]) Error: This expression has type char but an expression was expected of type int #- (nth 1 [1,3,5], nth 1 [’a’,’b’,’c’]) it : int option × char option = (Some 3, Some ’b’)

12

slide-75
SLIDE 75

ML Polymorphism

val nth : int → ’a list → ’a option #- let second = nth 1 in (second [1,3,5], second [2,4,6]) it : int option × int option = (Some 3, Some 4) #- let second = nth 1 in (second [1,3,5], second [’a’,’b’,’c’]) Error: This expression has type char but an expression was expected of type int #- (nth 1 [1,3,5], nth 1 [’a’,’b’,’c’]) it : int option × char option = (Some 3, Some ’b’)

12

slide-76
SLIDE 76

ML Polymorphism

val nth : ∀

∀ ∀ ’a. int → ’a list → ’a option

#- let second = nth 1 in (second [1,3,5], second [2,4,6]) it : int option × int option = (Some 3, Some 4) #- let second = nth 1 in (second [1,3,5], second [’a’,’b’,’c’]) Error: This expression has type char but an expression was expected of type int #- (nth 1 [1,3,5], nth 1 [’a’,’b’,’c’]) it : int option × char option = (Some 3, Some ’b’)

12

slide-77
SLIDE 77

First-Class Polymorphism

val nth : int → ∀

∀ ∀ ’a. ’a list → ’a option

#- let second = nth 1 in (second [1,3,5], second [2,4,6]) it : int option × int option = (Some 3, Some 4) #- let second = nth 1 in (second [1,3,5], second [’a’,’b’,’c’]) it : int option × char option = (Some 3, Some ’b’)

13

slide-78
SLIDE 78

Existential Quantification

#- let one = (1, string_of_int) : ∃

∃ ∃ ’a. ’a × (’a → string)

  • ne : ∃

∃ ∃ ’a. ’a × (’a → string)

#- let bee = (’b’, string_of_char) : ’a. ’a × (’a string) bee : ’a. ’a × (’a string) #- let both = [one, bee] both : ( ’a. ’a × (’a string)) list #- let show ((x, f) : ’a. ’a × (’a string)) = f x show : ( ’a. ’a × (’a string)) string #- map show both it : string list = [”1”, ”b”] #- let (x, f) = one in let (y, g) = bee in f y Error: This expression has type ’_a2 but an expression was expected of type ’_a6

14

slide-79
SLIDE 79

Existential Quantification

#- let one = (1, string_of_int) : ∃

∃ ∃ ’a. ’a × (’a → string)

  • ne : ∃

∃ ∃ ’a. ’a × (’a → string)

#- let bee = (’b’, string_of_char) : ∃

∃ ∃ ’a. ’a × (’a → string)

bee : ∃

∃ ∃ ’a. ’a × (’a → string)

#- let both = [one, bee] both : ( ’a. ’a × (’a string)) list #- let show ((x, f) : ’a. ’a × (’a string)) = f x show : ( ’a. ’a × (’a string)) string #- map show both it : string list = [”1”, ”b”] #- let (x, f) = one in let (y, g) = bee in f y Error: This expression has type ’_a2 but an expression was expected of type ’_a6

14

slide-80
SLIDE 80

Existential Quantification

#- let one = (1, string_of_int) : ∃

∃ ∃ ’a. ’a × (’a → string)

  • ne : ∃

∃ ∃ ’a. ’a × (’a → string)

#- let bee = (’b’, string_of_char) : ∃

∃ ∃ ’a. ’a × (’a → string)

bee : ∃

∃ ∃ ’a. ’a × (’a → string)

#- let both = [one, bee] both : (∃

∃ ∃ ’a. ’a × (’a → string)) list

#- let show ((x, f) : ’a. ’a × (’a string)) = f x show : ( ’a. ’a × (’a string)) string #- map show both it : string list = [”1”, ”b”] #- let (x, f) = one in let (y, g) = bee in f y Error: This expression has type ’_a2 but an expression was expected of type ’_a6

14

slide-81
SLIDE 81

Existential Quantification

#- let one = (1, string_of_int) : ∃

∃ ∃ ’a. ’a × (’a → string)

  • ne : ∃

∃ ∃ ’a. ’a × (’a → string)

#- let bee = (’b’, string_of_char) : ∃

∃ ∃ ’a. ’a × (’a → string)

bee : ∃

∃ ∃ ’a. ’a × (’a → string)

#- let both = [one, bee] both : (∃

∃ ∃ ’a. ’a × (’a → string)) list

#- let show ((x, f) : ∃

∃ ∃ ’a. ’a × (’a → string)) = f x

show : (∃

∃ ∃ ’a. ’a × (’a → string)) → string

#- map show both it : string list = [”1”, ”b”] #- let (x, f) = one in let (y, g) = bee in f y Error: This expression has type ’_a2 but an expression was expected of type ’_a6

14

slide-82
SLIDE 82

Existential Quantification

#- let one = (1, string_of_int) : ∃

∃ ∃ ’a. ’a × (’a → string)

  • ne : ∃

∃ ∃ ’a. ’a × (’a → string)

#- let bee = (’b’, string_of_char) : ∃

∃ ∃ ’a. ’a × (’a → string)

bee : ∃

∃ ∃ ’a. ’a × (’a → string)

#- let both = [one, bee] both : (∃

∃ ∃ ’a. ’a × (’a → string)) list

#- let show ((x, f) : ∃

∃ ∃ ’a. ’a × (’a → string)) = f x

show : (∃

∃ ∃ ’a. ’a × (’a → string)) → string

#- map show both it : string list = [”1”, ”b”] #- let (x, f) = one in let (y, g) = bee in f y Error: This expression has type ’_a2 but an expression was expected of type ’_a6

14

slide-83
SLIDE 83

Existential Quantification

#- let one = (1, string_of_int) : ∃

∃ ∃ ’a. ’a × (’a → string)

  • ne : ∃

∃ ∃ ’a. ’a × (’a → string)

#- let bee = (’b’, string_of_char) : ∃

∃ ∃ ’a. ’a × (’a → string)

bee : ∃

∃ ∃ ’a. ’a × (’a → string)

#- let both = [one, bee] both : (∃

∃ ∃ ’a. ’a × (’a → string)) list

#- let show ((x, f) : ∃

∃ ∃ ’a. ’a × (’a → string)) = f x

show : (∃

∃ ∃ ’a. ’a × (’a → string)) → string

#- map show both it : string list = [”1”, ”b”] #- let (x, f) = one in let (y, g) = bee in f y Error: This expression has type ’_a2 but an expression was expected of type ’_a6

14

slide-84
SLIDE 84

Existential Quantification

#- let one = (1, string_of_int) : ∃

∃ ∃ ’a. ’a × (’a → string)

  • ne : ∃

∃ ∃ ’a. ’a × (’a → string)

#- let bee = (’b’, string_of_char) : ∃

∃ ∃ ’a. ’a × (’a → string)

bee : ∃

∃ ∃ ’a. ’a × (’a → string)

#- let both = [one, bee] both : (∃

∃ ∃ ’a. ’a × (’a → string)) list

#- let show ((x, f) : ∃

∃ ∃ ’a. ’a × (’a → string)) = f x

show : (∃

∃ ∃ ’a. ’a × (’a → string)) → string

#- map show both it : string list = [”1”, ”b”] #- let (x, f) = one in let (y, g) = bee in f y Error: This expression has type ’_a2 but an expression was expected of type ’_a6

14

slide-85
SLIDE 85

Existential Quantification

#- let one = (1, string_of_int) : ∃

∃ ∃ ’a. ’a × (’a → string)

  • ne : ∃

∃ ∃ ’a. ’a × (’a → string)

#- let bee = (’b’, string_of_char) : ∃

∃ ∃ ’a. ’a × (’a → string)

bee : ∃

∃ ∃ ’a. ’a × (’a → string)

#- let both = [one, bee] both : (∃

∃ ∃ ’a. ’a × (’a → string)) list

#- let show ((x, f) : ∃

∃ ∃ ’a. ’a × (’a → string)) = f x

show : (∃

∃ ∃ ’a. ’a × (’a → string)) → string

#- map show both it : string list = [”1”, ”b”] #- let (x, f) = one in let (y, g) = one in f y Error: This expression has type ’_a2 but an expression was expected of type ’_a6

14

slide-86
SLIDE 86

Example: Mutual Exclusion

let deposit (arr: int array) (acct: int) (amt: int) = Array.set arr acct (Array.get arr acct + amt)

15

slide-87
SLIDE 87

Unlimited Arrays to Affine Arrays

module Array : sig type ’a array : U val new : int → ’a → ’a array val set : ’a array → int → ’a → unit val get : ’a array → int → ’a end module type AF_ARRAY = sig type ’a array : A val new : int ’a ’a array val set : ’a array int ’a ’a array val get : ’a array int ’a × ’a array end

16

slide-88
SLIDE 88

Unlimited Arrays to Affine Arrays

module Array : sig type ’a array : U val new : int → ’a → ’a array val set : ’a array → int → ’a → unit val get : ’a array → int → ’a end module type AF_ARRAY = sig type ’a array : A val new : int ’a ’a array val set : ’a array int ’a ’a array val get : ’a array int ’a × ’a array end

16

slide-89
SLIDE 89

Unlimited Arrays to Affine Arrays

module Array : sig type ’a array : U val new : int → ’a → ’a array val set : ’a array → int → ’a → unit val get : ’a array → int → ’a end module type AF_ARRAY = sig type ’a array : A val new : int → ’a → ’a array val set : ’a array → int → ’a → ’a array val get : ’a array → int → ’a × ’a array end

16

slide-90
SLIDE 90

Unlimited Arrays to Affine Arrays

module Array : sig type ’a array : U val new : int → ’a → ’a array val set : ’a array → int → ’a → unit val get : ’a array → int → ’a end module type AF_ARRAY = sig type ’a array : A val new : int → ’a → ’a array val set : ’a array → int → ’a → ’a array val get : ’a array → int → ’a × ’a array end

16

slide-91
SLIDE 91

Unlimited Arrays to Affine Arrays

module Array : sig type ’a array : U val new : int → ’a → ’a array val set : ’a array → int → ’a → unit val get : ’a array → int → ’a end module type AF_ARRAY = sig type ’a array : A val new : int → ’a → ’a array val set : ’a array → int → ’a → ’a array val get : ’a array → int → ’a × ’a array end

16

slide-92
SLIDE 92

Unlimited Arrays to Affine Arrays

module Array : sig type ’a array : U val new : int → ’a → ’a array val set : ’a array → int → ’a → unit val get : ’a array → int → ’a end module type AF_ARRAY = sig type ’a array : A val new : int → ’a → ’a array val set : ’a array → int → ’a → ’a array val get : ’a array → int → ’a × ’a array end

16

slide-93
SLIDE 93

Unlimited Arrays to Affine Arrays

module Array : sig type ’a array : U val new : int → ’a → ’a array val set : ’a array → int → ’a → unit val get : ’a array → int → ’a end module type AF_ARRAY = sig type ’a array : A val new : int → ’a → ’a array val set : ’a array → int → ’a → ’a array val get : ’a array → int → ’a × ’a array end

module AfArray : AF_ARRAY = struct type ’a array = ’a Array.array (* U A *) let new = Array.new let set arr ix v = Array.set arr ix v; arr let get arr ix = (Array.get arr ix, arr) end

16

slide-94
SLIDE 94

Unlimited Arrays to Affine Arrays

module Array : sig type ’a array : U val new : int → ’a → ’a array val set : ’a array → int → ’a → unit val get : ’a array → int → ’a end module type AF_ARRAY = sig type ’a array : A val new : int → ’a → ’a array val set : ’a array → int → ’a → ’a array val get : ’a array → int → ’a × ’a array end

module AfArray : AF_ARRAY = struct type ’a array = ’a Array.array (* U ⊑ A *) let new = Array.new let set arr ix v = Array.set arr ix v; arr let get arr ix = (Array.get arr ix, arr) end

16

slide-95
SLIDE 95

Unlimited Arrays to Affine Arrays

module Array : sig type ’a array : U val new : int → ’a → ’a array val set : ’a array → int → ’a → unit val get : ’a array → int → ’a end module type AF_ARRAY = sig type ’a array : A val new : int → ’a → ’a array val set : ’a array → int → ’a → ’a array val get : ’a array → int → ’a × ’a array end

module AfArray : AF_ARRAY = struct type ’a array = ’a Array.array (* U A *) let new = Array.new let set arr ix v = Array.set arr ix v; arr let get arr ix = (Array.get arr ix, arr) end

16

slide-96
SLIDE 96

Unlimited Arrays to Affine Arrays

module Array : sig type ’a array : U val new : int → ’a → ’a array val set : ’a array → int → ’a → unit val get : ’a array → int → ’a end module type AF_ARRAY = sig type ’a array : A val new : int → ’a → ’a array val set : ’a array → int → ’a → ’a array val get : ’a array → int → ’a × ’a array end

module AfArray : AF_ARRAY = struct type ’a array = ’a Array.array (* U A *) let new = Array.new let set arr ix v = Array.set arr ix v; arr let get arr ix = (Array.get arr ix, arr) end

16

slide-97
SLIDE 97

Unlimited Arrays to Affine Arrays

module Array : sig type ’a array : U val new : int → ’a → ’a array val set : ’a array → int → ’a → unit val get : ’a array → int → ’a end module type AF_ARRAY = sig type ’a array : A val new : int → ’a → ’a array val set : ’a array → int → ’a → ’a array val get : ’a array → int → ’a × ’a array end

module AfArray : AF_ARRAY = struct type ’a array = ’a Array.array (* U A *) let new = Array.new let set arr ix v = Array.set arr ix v; arr let get arr ix = (Array.get arr ix, arr) end

16

slide-98
SLIDE 98

Using Affine Arrays

let deposit arr acct amt = let (balance, arr) = AfArray.get arr acct in AfArray.set arr acct (balance + amt)

17

slide-99
SLIDE 99

Using Affine Arrays

let deposit arr acct amt = let (balance, arr) = AfArray.get arr acct in AfArray.set arr acct (balance + amt)

17

slide-100
SLIDE 100

Using Affine Arrays

let deposit arr acct amt = let (balance, arr) = AfArray.get arr acct in r := arr; AfArray.set arr acct (balance + amt)

17

slide-101
SLIDE 101

Using Affine Arrays

let deposit arr acct amt = let (balance, arr) = AfArray.get arr acct in r := arr; AfArray.set arr acct (balance + amt)

17

slide-102
SLIDE 102

Using Affine Arrays

let deposit arr acct amt = let (balance, arr) = AfArray.get arr acct in r := arr; AfArray.set arr acct (balance + amt) Type error at afarray_test.alms:2:17-20: Qualifier inequality unsatisfiable: Attempted to use an affine type where only an unlimited type is permitted.

17

slide-103
SLIDE 103

Affine Capabilities

module type CAP_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array × ’t cap

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap end

18

slide-104
SLIDE 104

Affine Capabilities

module type CAP_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array × ’t cap

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap end

18

slide-105
SLIDE 105

Affine Capabilities

module type CAP_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array × ’t cap

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap end

18

slide-106
SLIDE 106

Affine Capabilities

module type CAP_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array × ’t cap

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap end

18

slide-107
SLIDE 107

Affine Capabilities

module type CAP_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array × ’t cap

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap end

18

slide-108
SLIDE 108

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let arrcap = acquire arr in let (balance, arrcap) = get arr acc arrcap in let arrcap = set arr acct (balance + amt) arrcap in release arrcap

19

slide-109
SLIDE 109

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let arrcap = acquire arr in let (balance, arrcap) = get arr acc arrcap in let arrcap = set arr acct (balance + amt) arrcap in release arrcap

19

slide-110
SLIDE 110

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let arrcap = acquire arr in let (balance, arrcap) = get arr acc arrcap in let arrcap = set arr acct (balance + amt) arrcap in release arrcap

19

slide-111
SLIDE 111

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let arrcap = acquire arr in let (balance, arrcap) = get arr acc arrcap in let arrcap = set arr acct (balance + amt) arrcap in release arrcap

19

slide-112
SLIDE 112

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let arrcap = acquire arr in let (balance, arrcap) = get arr acc arrcap in let arrcap = set arr acct (balance + amt) arrcap in release arrcap

19

slide-113
SLIDE 113

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let arrcap = acquire arr in let (balance, arrcap) = get arr acc arrcap in let arrcap = set arr acct (balance + amt) arrcap in release arrcap

19

slide-114
SLIDE 114

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let arrcap = acquire arr in let (balance, arrcap) = get arr acc arrcap in let arrcap = set arr acct (balance + amt) arrcap in release arrcap

19

slide-115
SLIDE 115

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let !arrcap = acquire arr in let (balance, arrcap) = get arr acc arrcap in let arrcap = set arr acct (balance + amt) arrcap in release arrcap

19

slide-116
SLIDE 116

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let !arrcap = acquire arr in let (balance, arrcap) = get arr acc arrcap in let arrcap = set arr acct (balance + amt) arrcap in release arrcap

19

slide-117
SLIDE 117

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let !arrcap = acquire arr in let balance = get arr acc arrcap in let arrcap = set arr acct (balance + amt) arrcap in release arrcap

19

slide-118
SLIDE 118

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let !arrcap = acquire arr in let balance = get arr acc arrcap in let arrcap = set arr acct (balance + amt) arrcap in release arrcap

19

slide-119
SLIDE 119

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let !arrcap = acquire arr in let balance = get arr acc arrcap in set arr acct (balance + amt) arrcap; release arrcap

19

slide-120
SLIDE 120

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let !arrcap = acquire arr in set arr acct (get arr acc arrcap + amt) arrcap; release arrcap

19

slide-121
SLIDE 121

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let !arrcap = acquire arr in set arr acct (get arr acc arrcap + amt) arrcap; release arrcap

19

slide-122
SLIDE 122

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let !arrcap = acquire arr in set arr acct (get arr acc arrcap + amt) arrcap; release arrcap

Problem: Advisory locking Better solution: Static mandatory locking It’s a library in Alms

(and it’s not far to read/write locks, fractional permissions, …)

19

slide-123
SLIDE 123

Static Mandatory Locking

module type LOCK_ARRAY = sig type (’a,’t) array : U type ’t cap : A val new : int → ’a → ∃

∃ ∃ ’t. (’a,’t) array

val set : (’a,’t) array → int → ’a → ’t cap → ’t cap val get : (’a,’t) array → int → ’t cap → ’a × ’t cap val acquire : (’a,’t) array → ’t cap val release : (’a,’t) array → ’t cap → unit end let deposit arr acct amt = let !arrcap = acquire arr in set arr acct (get arr acc arrcap + amt) arrcap; release arrcap

Problem: Advisory locking Better solution: Static mandatory locking It’s a library in Alms

(and it’s not far to read/write locks, fractional permissions, …)

19

slide-124
SLIDE 124

Example: Session Types

S B

B: string reject

  • ffer

S: int accept S: resource counter B: int

type done type ’a send (* send an ’a *) type ’a recv (* receive an ’a *) type (’a,’s) seq (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *)

20

slide-125
SLIDE 125

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ’a send (* send an ’a *) type ’a recv (* receive an ’a *) type (’a,’s) seq (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *)

20

slide-126
SLIDE 126

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ’a send (* send an ’a *) type ’a recv (* receive an ’a *) type (’a,’s) seq (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *)

20

slide-127
SLIDE 127

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ’a send (* send an ’a *) type ’a recv (* receive an ’a *) type (’a,’s) seq (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *)

20

slide-128
SLIDE 128

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ’a send (* send an ’a *) type ’a recv (* receive an ’a *) type (’a,’s) seq (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *)

20

slide-129
SLIDE 129

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ’a send (* send an ’a *) type ’a recv (* receive an ’a *) type (’a,’s) seq (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *)

20

slide-130
SLIDE 130

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ’a send (* send an ’a *) type ’a recv (* receive an ’a *) type (’a,’s) seq (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *)

20

slide-131
SLIDE 131

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ’a send (* send an ’a *) type ’a recv (* receive an ’a *) type (’a,’s) seq (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *) (* Examples: * (string recv, done) seq * (int send, (string recv, done) seq) seq

20

slide-132
SLIDE 132

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ’a (!) (* send an ’a *) type ’a (?) (* receive an ’a *) type (’a,’s) (;) (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *) (* Examples: * (string (?), done) (;) * (int (?), (string (?), done) (;)) (;)

20

slide-133
SLIDE 133

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ! ’a (* send an ’a *) type ? ’a (* receive an ’a *) type ’a ; ’s (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *) (* Examples: * ?string; done * !int; ?string; done

20

slide-134
SLIDE 134

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ! ’a (* send an ’a *) type ? ’a (* receive an ’a *) type ’a ; ’s (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *)

20

slide-135
SLIDE 135

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ! ’a (* send an ’a *) type ? ’a (* receive an ’a *) type ’a ; ’s (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *)

20

slide-136
SLIDE 136

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ! ’a (* send an ’a *) type ? ’a (* receive an ’a *) type ’a ; ’s (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *)

20

slide-137
SLIDE 137

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ! ’a (* send an ’a *) type ? ’a (* receive an ’a *) type ’a ; ’s (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *) (* Examples: * (?string; done) + done * !string; (done & (?int; done))

20

slide-138
SLIDE 138

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ! ’a (* send an ’a *) type ? ’a (* receive an ’a *) type ’a ; ’s (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *)

20

slide-139
SLIDE 139

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ! ’a (* send an ’a *) type ? ’a (* receive an ’a *) type ’a ; ’s (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *) type prot = !string; offer and

  • ffer

= done & (?int; respond) and respond = (?resource; done) + (!int; offer)

20

slide-140
SLIDE 140

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ! ’a (* send an ’a *) type ? ’a (* receive an ’a *) type ’a ; ’s (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *) type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer)

20

slide-141
SLIDE 141

Example: Session Types

S B

B: string 1 2 S: int 1 S: resource 2 B: int

type done type ! ’a (* send an ’a *) type ? ’a (* receive an ’a *) type ’a ; ’s (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *) type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer)

20

slide-142
SLIDE 142

Session Type Operations

module type SESSION_TYPES = sig type done type ! ’a (* send an ’a *) type ? ’a (* receive an ’a *) type ’a ; ’s (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *) type ’s chan : A val send : ’a (!’a; ’s) chan ’s chan val recv : (?’a; ’s) chan ’a × ’s chan val sel1 : (’s + ’t) chan ’s chan val sel2 : (’s + ’t) chan ’t chan val follow : (’s & ’t) chan (’s chan, ’t chan) either . . . end

21

slide-143
SLIDE 143

Session Type Operations

module type SESSION_TYPES = sig type done type ! ’a (* send an ’a *) type ? ’a (* receive an ’a *) type ’a ; ’s (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *) type ’s chan : A val send : ’a (!’a; ’s) chan ’s chan val recv : (?’a; ’s) chan ’a × ’s chan val sel1 : (’s + ’t) chan ’s chan val sel2 : (’s + ’t) chan ’t chan val follow : (’s & ’t) chan (’s chan, ’t chan) either . . . end

21

slide-144
SLIDE 144

Session Type Operations

module type SESSION_TYPES = sig type done type ! ’a (* send an ’a *) type ? ’a (* receive an ’a *) type ’a ; ’s (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *) type ’s chan : A val send : ’a → (!’a; ’s) chan → ’s chan val recv : (?’a; ’s) chan → ’a × ’s chan val sel1 : (’s + ’t) chan ’s chan val sel2 : (’s + ’t) chan ’t chan val follow : (’s & ’t) chan (’s chan, ’t chan) either . . . end

21

slide-145
SLIDE 145

Session Type Operations

module type SESSION_TYPES = sig type done type ! ’a (* send an ’a *) type ? ’a (* receive an ’a *) type ’a ; ’s (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *) type ’s chan : A val send : ’a → (!’a; ’s) chan → ’s chan val recv : (?’a; ’s) chan → ’a × ’s chan val sel1 : (’s + ’t) chan → ’s chan val sel2 : (’s + ’t) chan → ’t chan val follow : (’s & ’t) chan (’s chan, ’t chan) either . . . end

21

slide-146
SLIDE 146

Session Type Operations

module type SESSION_TYPES = sig type done type ! ’a (* send an ’a *) type ? ’a (* receive an ’a *) type ’a ; ’s (* do ’a , then ’s *) type ’r + ’s (* choose between ’r and ’s *) type ’r & ’s (* other side chooses *) type ’s chan : A val send : ’a → (!’a; ’s) chan → ’s chan val recv : (?’a; ’s) chan → ’a × ’s chan val sel1 : (’s + ’t) chan → ’s chan val sel2 : (’s + ’t) chan → ’t chan val follow : (’s & ’t) chan → (’s chan, ’t chan) either . . . end

21

slide-147
SLIDE 147

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !ch = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel1 ch; Some (recv ch) else sel2 ch; send limit ch; loop () in loop ()

22

slide-148
SLIDE 148

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !ch = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel1 ch; Some (recv ch) else sel2 ch; send limit ch; loop () in loop ()

22

slide-149
SLIDE 149

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !ch = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel1 ch; Some (recv ch) else sel2 ch; send limit ch; loop () in loop ()

22

slide-150
SLIDE 150

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !ch = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel1 ch; Some (recv ch) else sel2 ch; send limit ch; loop () in loop ()

22

slide-151
SLIDE 151

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !ch = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel1 ch; Some (recv ch) else sel2 ch; send limit ch; loop () in loop ()

22

slide-152
SLIDE 152

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !ch = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel1 ch; Some (recv ch) else sel2 ch; send limit ch; loop () in loop ()

22

slide-153
SLIDE 153

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !ch = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel1 ch; Some (recv ch) else sel2 ch; send limit ch; loop () in loop ()

22

slide-154
SLIDE 154

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !ch = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel1 ch; Some (recv ch) else sel2 ch; send limit ch; loop () in loop ()

22

slide-155
SLIDE 155

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !ch = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel1 ch; Some (recv ch) else sel2 ch; send limit ch; loop () in loop ()

22

slide-156
SLIDE 156

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !ch = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel1 ch; Some (recv ch) else sel2 ch; send limit ch; loop () in loop ()

22

slide-157
SLIDE 157

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !ch = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel1 ch; Some (recv ch) else sel2 ch; send limit ch; loop () in loop ()

22

slide-158
SLIDE 158

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !(ch: prot chan) = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel1 ch; Some (recv ch) else sel2 ch; send limit ch; loop () in loop ()

22

slide-159
SLIDE 159

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !(ch: prot chan) = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel2 ch; Some (recv ch) else sel1 ch; send limit ch; loop () in loop ()

22

slide-160
SLIDE 160

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !(ch: prot chan) = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel2 ch; Some (recv ch) else sel1 ch; send limit ch; loop () in loop () Type error at buyer.alms:12:31-33: Cannot subtype: actual: !int; offer expected: ?’_a; ’_b

22

slide-161
SLIDE 161

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !(ch: prot chan) = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel1 ch; Some (recv ch) else sel2 ch; send limit ch; loop () in loop ()

22

slide-162
SLIDE 162

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !(ch: prot chan) = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel1 ch; Some (recv ch) else sel2 ch; send limit ch; loop () in loop ()

Problem: Weak channels Better solution: Session types There are two libraries to choose from in Alms

(or you can roll your own)

22

slide-163
SLIDE 163

Buyer, Take 2

type prot = !string; offer and offer = done & (?int; respond) and respond = (?resource; done) + (!int; offer) let buyer name limit !(ch: prot chan) = send name ch; let rec loop () = match follow ch with

| Left ch → None | Right ch →

if recv ch ≤ limit then sel1 ch; Some (recv ch) else sel2 ch; send limit ch; loop () in loop ()

Problem: Weak channels Better solution: Session types There are two libraries to choose from in Alms

(or you can roll your own)

22

slide-164
SLIDE 164

Design Pragmatics

  • r How to Be Affine without Being Awkward
slide-165
SLIDE 165

Design Pragmatics

  • r How to Be Affine without Being Awkward
slide-166
SLIDE 166

The Problem

Uncurry in ML:

λ λ λ f (x,y) → f x y

: (’a → ’b → ’c) → ’a × ’b → ’c

Uncurry in ILL (Bierman 1993):

f promote ( p let (x, y) = derelict p in derelict (derelict f x) y) : !(’a !(’b ’c)) !(!(’a ’b) ’c) f p let (x, y) = derelict p in derelict (f x) y : (’a !(’b ’c)) !(’a ’b) ’c

Uncurry in Alms:

f (x,y) f x y : (‘a

‘d

‘b ‘c) ‘a × ‘b

‘d

‘c

24

slide-167
SLIDE 167

The Problem

Uncurry in ML:

λ λ λ f (x,y) → f x y

: (’a → ’b → ’c) → ’a × ’b → ’c

Uncurry in ILL (Bierman 1993):

f promote ( p let (x, y) = derelict p in derelict (derelict f x) y) : !(’a !(’b ’c)) !(!(’a ’b) ’c) f p let (x, y) = derelict p in derelict (f x) y : (’a !(’b ’c)) !(’a ’b) ’c

Uncurry in Alms:

f (x,y) f x y : (‘a

‘d

‘b ‘c) ‘a × ‘b

‘d

‘c

24

slide-168
SLIDE 168

The Problem

Uncurry in ML:

λ λ λ f (x,y) → f x y

: (’a → ’b → ’c) → ’a × ’b → ’c

Uncurry in ILL (Bierman 1993):

λ λ λ f → promote (λ λ λ p →

let (x, y) = derelict p in derelict (derelict f x) y) : !(’a ⊸ !(’b ⊸ ’c)) ⊸ !(!(’a ⊗ ’b) ⊸ ’c) f p let (x, y) = derelict p in derelict (f x) y : (’a !(’b ’c)) !(’a ’b) ’c

Uncurry in Alms:

f (x,y) f x y : (‘a

‘d

‘b ‘c) ‘a × ‘b

‘d

‘c

24

slide-169
SLIDE 169

The Problem

Uncurry in ML:

λ λ λ f (x,y) → f x y

: (’a → ’b → ’c) → ’a × ’b → ’c

Uncurries in ILL (Bierman 1993):

λ λ λ f → promote (λ λ λ p →

let (x, y) = derelict p in derelict (derelict f x) y) : !(’a ⊸ !(’b ⊸ ’c)) ⊸ !(!(’a ⊗ ’b) ⊸ ’c)

λ λ λ f p → let (x, y) = derelict p in

derelict (f x) y : (’a ⊸ !(’b ⊸ ’c)) ⊸ !(’a ⊗ ’b) ⊸ ’c

Uncurry in Alms:

f (x,y) f x y : (‘a

‘d

‘b ‘c) ‘a × ‘b

‘d

‘c

24

slide-170
SLIDE 170

The Problem

Uncurry in ML:

λ λ λ f (x,y) → f x y

: (’a → ’b → ’c) → ’a × ’b → ’c

Uncurries in ILL (Bierman 1993):

λ λ λ f → promote (λ λ λ p →

let (x, y) = derelict p in derelict (derelict f x) y) : !(’a ⊸ !(’b ⊸ ’c)) ⊸ !(!(’a ⊗ ’b) ⊸ ’c)

λ λ λ f p → let (x, y) = derelict p in

derelict (f x) y : (’a ⊸ !(’b ⊸ ’c)) ⊸ !(’a ⊗ ’b) ⊸ ’c

Wrong defaults

Uncurry in Alms:

f (x,y) f x y : (‘a

‘d

‘b ‘c) ‘a × ‘b

‘d

‘c

24

slide-171
SLIDE 171

The Problem

Uncurry in ML:

λ λ λ f (x,y) → f x y

: (’a → ’b → ’c) → ’a × ’b → ’c

Uncurries in ILL (Bierman 1993):

λ λ λ f → promote (λ λ λ p →

let (x, y) = derelict p in derelict (derelict f x) y) : !(’a ⊸ !(’b ⊸ ’c)) ⊸ !(!(’a ⊗ ’b) ⊸ ’c)

λ λ λ f p → let (x, y) = derelict p in

derelict (f x) y : (’a ⊸ !(’b ⊸ ’c)) ⊸ !(’a ⊗ ’b) ⊸ ’c

Wrong defaults Frightening types

Uncurry in Alms:

f (x,y) f x y : (‘a

‘d

‘b ‘c) ‘a × ‘b

‘d

‘c

24

slide-172
SLIDE 172

The Problem

Uncurry in ML:

λ λ λ f (x,y) → f x y

: (’a → ’b → ’c) → ’a × ’b → ’c

Uncurries in ILL (Bierman 1993):

λ λ λ f → promote (λ λ λ p →

let (x, y) = derelict p in derelict (derelict f x) y) : !(’a ⊸ !(’b ⊸ ’c)) ⊸ !(!(’a ⊗ ’b) ⊸ ’c)

λ λ λ f p → let (x, y) = derelict p in

derelict (f x) y : (’a ⊸ !(’b ⊸ ’c)) ⊸ !(’a ⊗ ’b) ⊸ ’c

Wrong defaults Frightening types Derelict & promote

Uncurry in Alms:

f (x,y) f x y : (‘a

‘d

‘b ‘c) ‘a × ‘b

‘d

‘c

24

slide-173
SLIDE 173

The Problem

Uncurry in ML:

λ λ λ f (x,y) → f x y

: (’a → ’b → ’c) → ’a × ’b → ’c

Uncurries in ILL (Bierman 1993):

λ λ λ f → promote (λ λ λ p →

let (x, y) = derelict p in derelict (derelict f x) y) : !(’a ⊸ !(’b ⊸ ’c)) ⊸ !(!(’a ⊗ ’b) ⊸ ’c)

λ λ λ f p → let (x, y) = derelict p in

derelict (f x) y : (’a ⊸ !(’b ⊸ ’c)) ⊸ !(’a ⊗ ’b) ⊸ ’c

Wrong defaults Frightening types Derelict & promote Too much repetition

Uncurry in Alms:

f (x,y) f x y : (‘a

‘d

‘b ‘c) ‘a × ‘b

‘d

‘c

24

slide-174
SLIDE 174

The Solution

Uncurry in ML:

λ λ λ f (x,y) → f x y

: (’a → ’b → ’c) → ’a × ’b → ’c

Uncurries in ILL (Bierman 1993):

λ λ λ f → promote (λ λ λ p →

let (x, y) = derelict p in derelict (derelict f x) y) : !(’a ⊸ !(’b ⊸ ’c)) ⊸ !(!(’a ⊗ ’b) ⊸ ’c)

λ λ λ f p → let (x, y) = derelict p in

derelict (f x) y : (’a ⊸ !(’b ⊸ ’c)) ⊸ !(’a ⊗ ’b) ⊸ ’c

Wrong defaults Frightening types Derelict & promote Too much repetition Usage kinds Dependent kinds Dereliction subtyping Principal promotion Type inference

Uncurry in Alms:

f (x,y) f x y : (‘a

‘d

‘b ‘c) ‘a × ‘b

‘d

‘c

24

slide-175
SLIDE 175

The Solution

Uncurry in ML:

λ λ λ f (x,y) → f x y

: (’a → ’b → ’c) → ’a × ’b → ’c

Uncurries in ILL (Bierman 1993):

λ λ λ f → promote (λ λ λ p →

let (x, y) = derelict p in derelict (derelict f x) y) : !(’a ⊸ !(’b ⊸ ’c)) ⊸ !(!(’a ⊗ ’b) ⊸ ’c)

λ λ λ f p → let (x, y) = derelict p in

derelict (f x) y : (’a ⊸ !(’b ⊸ ’c)) ⊸ !(’a ⊗ ’b) ⊸ ’c

Wrong defaults Frightening types Derelict & promote Too much repetition Usage kinds Dependent kinds Dereliction subtyping Principal promotion Type inference

Uncurry in Alms:

f (x,y) f x y : (‘a

‘d

‘b ‘c) ‘a × ‘b

‘d

‘c

24

slide-176
SLIDE 176

The Solution

Uncurry in ML:

λ λ λ f (x,y) → f x y

: (’a → ’b → ’c) → ’a × ’b → ’c

Uncurries in ILL (Bierman 1993):

λ λ λ f → promote (λ λ λ p →

let (x, y) = derelict p in derelict (derelict f x) y) : !(’a ⊸ !(’b ⊸ ’c)) ⊸ !(!(’a ⊗ ’b) ⊸ ’c)

λ λ λ f p → let (x, y) = derelict p in

derelict (f x) y : (’a ⊸ !(’b ⊸ ’c)) ⊸ !(’a ⊗ ’b) ⊸ ’c

Uncurry in Alms:

λ λ λ f (x,y) → f x y

: (‘a

‘d

− → ‘b → ‘c) → ‘a × ‘b

‘d

− → ‘c

24

slide-177
SLIDE 177

The Solution

Uncurry in ML:

λ λ λ f (x,y) → f x y

: (’a → ’b → ’c) → ’a × ’b → ’c

Uncurries in ILL (Bierman 1993):

λ λ λ f → promote (λ λ λ p →

let (x, y) = derelict p in derelict (derelict f x) y) : !(’a ⊸ !(’b ⊸ ’c)) ⊸ !(!(’a ⊗ ’b) ⊸ ’c)

λ λ λ f p → let (x, y) = derelict p in

derelict (f x) y : (’a ⊸ !(’b ⊸ ’c)) ⊸ !(’a ⊗ ’b) ⊸ ’c

Uncurry in Alms:

λ λ λ f (x,y) → f x y

: (‘a

‘d

− → ‘b → ‘c) → ‘a × ‘b

‘d

− → ‘c

24

slide-178
SLIDE 178

Type Inference

#- λ

λ λ x → x

it : ‘a ‘a #- x (x, x) it : ’a ’a × ’a #- (x, y) (y, x) it : ‘a × ‘b ‘b × ‘a

25

slide-179
SLIDE 179

Type Inference

#- λ

λ λ x → x

it : ‘a → ‘a #- x (x, x) it : ’a ’a × ’a #- (x, y) (y, x) it : ‘a × ‘b ‘b × ‘a

25

slide-180
SLIDE 180

Type Inference

#- λ

λ λ x → x

it : ‘a → ‘a #- λ

λ λ x → (x, x)

it : ’a ’a × ’a #- (x, y) (y, x) it : ‘a × ‘b ‘b × ‘a

25

slide-181
SLIDE 181

Type Inference

#- λ

λ λ x → x

it : ‘a → ‘a #- λ

λ λ x → (x, x)

it : ’a → ’a × ’a #- (x, y) (y, x) it : ‘a × ‘b ‘b × ‘a

25

slide-182
SLIDE 182

Type Inference

#- λ

λ λ x → x

it : ‘a → ‘a #- λ

λ λ x → (x, x)

it : ’a → ’a × ’a #- λ

λ λ (x, y) → (y, x)

it : ‘a × ‘b ‘b × ‘a

25

slide-183
SLIDE 183

Type Inference

#- λ

λ λ x → x

it : ‘a → ‘a #- λ

λ λ x → (x, x)

it : ’a → ’a × ’a #- λ

λ λ (x, y) → (y, x)

it : ‘a × ‘b → ‘b × ‘a

25

slide-184
SLIDE 184

Type Inference

#- λ

λ λ f x → f x

it : (‘a

‘c

‘b) ‘a

‘c

‘b #- f x f (f x) it : (‘a ‘a) ‘a ‘a #- f x f (x, x) it : (’a × ’a

‘c

‘b) ’a

‘c

‘b #- f x let y = f x in (y, y) it : (‘a

‘c

’b) ‘a

‘c

’b × ’b #- f x (f x, f x) it : (’a ‘b) ’a ‘b × ‘b

26

slide-185
SLIDE 185

Type Inference

#- λ

λ λ f x → f x

it : (‘a

‘c

− → ‘b) → ‘a

‘c

− → ‘b

#- f x f (f x) it : (‘a ‘a) ‘a ‘a #- f x f (x, x) it : (’a × ’a

‘c

‘b) ’a

‘c

‘b #- f x let y = f x in (y, y) it : (‘a

‘c

’b) ‘a

‘c

’b × ’b #- f x (f x, f x) it : (’a ‘b) ’a ‘b × ‘b

26

slide-186
SLIDE 186

Type Inference

#- λ

λ λ f x → f x

it : (‘a

‘c

− → ‘b) → ‘a

‘c

− → ‘b

#- λ

λ λ f x → f (f x)

it : (‘a → ‘a) → ‘a → ‘a #- λ

λ λ f x → f (x, x)

it : (’a × ’a

‘c

− → ‘b) → ’a

‘c

− → ‘b

#- λ

λ λ f x → let y = f x in (y, y)

it : (‘a

‘c

− → ’b) → ‘a

‘c

− → ’b × ’b

#- λ

λ λ f x → (f x, f x)

it : (’a ‘b) ’a ‘b × ‘b

26

slide-187
SLIDE 187

Type Inference

#- λ

λ λ f x → f x

it : (‘a

‘c

− → ‘b) → ‘a

‘c

− → ‘b

#- λ

λ λ f x → f (f x)

it : (‘a → ‘a) → ‘a → ‘a #- λ

λ λ f x → f (x, x)

it : (’a × ’a

‘c

− → ‘b) → ’a

‘c

− → ‘b

#- λ

λ λ f x → let y = f x in (y, y)

it : (‘a

‘c

− → ’b) → ‘a

‘c

− → ’b × ’b

#- λ

λ λ f x → (f x, f x)

it : (’a → ‘b) → ’a → ‘b × ‘b

26

slide-188
SLIDE 188

Type Inference

#- let rec fold_right f z xs = match xs with #=

| [] → []

#=

| x::xs’ → f x (fold_right f z xs)

fold_right : (’a → ‘b list

A

− → ‘b list) →

‘c → ’a list → ‘b list #- let rec fold_right f z xs = match xs with #= [] [] #= x::xs’ f x (fold_right f z xs’) fold_right : (‘a ‘b list

A

‘b list) ‘c ‘a list ‘b list

27

slide-189
SLIDE 189

Type Inference

#- let rec fold_right f z xs = match xs with #=

| [] → []

#=

| x::xs’ → f x (fold_right f z xs)

fold_right : (’a → ‘b list

A

− → ‘b list) →

‘c → ’a list → ‘b list #- let rec fold_right f z xs = match xs with #= [] [] #= x::xs’ f x (fold_right f z xs’) fold_right : (‘a ‘b list

A

‘b list) ‘c ‘a list ‘b list

27

slide-190
SLIDE 190

Type Inference

#- let rec fold_right f z xs = match xs with #=

| [] → []

#=

| x::xs’ → f x (fold_right f z xs)

fold_right : (’a → ‘b list

A

− → ‘b list) →

‘c → ’a list → ‘b list #- let rec fold_right f z xs = match xs with #=

| [] → []

#=

| x::xs’ → f x (fold_right f z xs’)

fold_right : (‘a → ‘b list

A

− → ‘b list) →

‘c → ‘a list → ‘b list

27

slide-191
SLIDE 191

Conclusion

slide-192
SLIDE 192

Ongoing & Future Work

Edward Gan (’13) added type classes for his senior thesis

(should support user-defined duplication)

Improve the run-time story

(exploit affine types for efficiency?)

29

slide-193
SLIDE 193

The Take-Away

Affine types are for revocation Affine types generalize other resource aware type systems Affine types don’t have to be weird or difficult

30

slide-194
SLIDE 194

The Take-Away

Affine types are for revocation Affine types generalize other resource aware type systems Affine types don’t have to be weird or difficult

Thank Y

  • u

30