[e-lang] [Caja] Functional auditor for Cajita

David Wagner daw at cs.berkeley.edu
Tue Dec 8 00:26:44 PST 2009


David-Sarah Hopwood wrote:
>First let's decide what property we want from a purely functional auditing
>system. I think the property we want is:
>
>  If all values directly referred to by an expression in language L
>  (that is, all captured values and literals, including function literals)
>  pass some auditor, then I know that evaluating the expression in L will
>  have no side effects, and the resulting value or exception will be a
>  deterministic function of those values.

Hmm.  I wonder if this is overly strict.  Maybe what we care about
is observational side-effect-freedom: i.e., it's OK if the function
internally performs some side-effect on an object it allocated itself
as long as that side effect is not externally visible.  Does that
sound right?

e.g., this is all fine, even though it internally performs
some side-effecting operations:

    /* functional */ function f() {
        var n = 0;
        n++;  // OK
        var o = {};
        o.x = 5; // OK
        return o; // OK
    }

Does Cajita have the equivalent of Java's OutOfMemoryError,
which can be thrown under effectively non-deterministic conditions?
(The condition under which it is thrown is a deeply non-local
condition.)

Are we guaranteed in Cajita that whether an exception is thrown at
any point is a deterministic function of the local state of named
values involved in a specified computation (not the global state
of the interpreter; not as a function of values not named explicitly
in the code)?

>To dodge this issue, let's provisionally call a function *instance*
>"copacetic" [*] if:
> - that instance has only captured copacetic values, and
> - it has no side effects and is deterministic whenever it is
>   only called with copacetic argument values, and
> - it uses no side-effecting or nondeterministic primitives.

If I understand correctly, this seems overly strict.  It should
be safe for a functionally pure function to capture and invoke a
reference to a non-copacetic function, shouldn't it?

e.g., this should be fine, even though it captures a reference to
the non-functional function sort():

    /* functional */ function g() {
        var l = [1, 5, 3];
        sort(l); // OK, even though sort() side-effects its argument
        return l;
    }

Is it enough to know that all captured values and all arguments
are transitively immutable, and that the function body uses no
side-effecting or deterministic language primitives (whatever they
may be)?

I may not be thinking about this clearly, so there may well be
numerous errors in what I wrote above!
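An added example, not from the thread or from Caja itself, of the "transitively immutable" check asked about above, written in plain JavaScript. `isTransitivelyImmutable` and `deepFreeze` are hypothetical helpers; the checker assumes the primordials (Object.prototype and friends) are already frozen, as Caja's environment arranges, so it inspects own properties only and does not walk the prototype chain.

```javascript
// Added example (not from the thread): does every object reachable from
// `value` satisfy Object.isFrozen? Assumption: primordials are already
// frozen, so only own properties are inspected, not the prototype chain.
function isTransitivelyImmutable(value, seen = new Set()) {
  // Primitives (number, string, boolean, undefined, symbol, bigint, null)
  // are immutable by definition.
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
    return true;
  }
  if (seen.has(value)) return true;        // cycle or already-checked reference
  seen.add(value);
  // A shallowly frozen object can still point at mutable state, so recurse.
  if (!Object.isFrozen(value)) return false;
  for (const key of Reflect.ownKeys(value)) {
    const desc = Object.getOwnPropertyDescriptor(value, key);
    // Data properties expose their value; accessors expose getter/setter functions.
    const reachable = 'value' in desc ? [desc.value] : [desc.get, desc.set];
    for (const v of reachable) {
      if (v !== undefined && !isTransitivelyImmutable(v, seen)) return false;
    }
  }
  return true;
}

// Freezes every object reachable from `value` through data properties
// (same own-properties-only scope as the checker above).
function deepFreeze(value, seen = new Set()) {
  if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
    return value;
  }
  if (seen.has(value)) return value;
  seen.add(value);
  Object.freeze(value);
  for (const key of Reflect.ownKeys(value)) {
    const desc = Object.getOwnPropertyDescriptor(value, key);
    if ('value' in desc) deepFreeze(desc.value, seen);
  }
  return value;
}

// The g() from the message above, now returning a transitively immutable
// result: the in-place sort only touches an array g allocated itself, and
// the array is frozen before it becomes externally visible.
function g() {
  const l = [1, 5, 3];
  l.sort((a, b) => a - b);   // side-effects l, which nobody else can see yet
  return deepFreeze(l);
}
```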
