[e-lang] [Caja] Functional auditor for Cajita

[David Wagner]

David-Sarah Hopwood  wrote:
>The definitions of the relevant E auditors on that page are:
>
>  Functional:
>    Check that the object passes the DeepFrozen auditor and that the
>    return value for each method is guarded by DeepFrozen.
>
>  DeepFrozen:
>    Check that all names accessed in the object expression are method
>    arguments or declared final with def, and guarded by the DeepFrozen
>    guard or by the guard for a primitive immutable type (such as int or
>    char).
>
>The first difference is the check that the return value for each
>method of a Functional object is guarded by DeepFrozen. This should
>correspond to a check that the return value of a copacetic function is
>copacetic, which I forgot. Otherwise, a function like this:
>
>  function() { return {}; }
>
>would be audited as copacetic and run without throwing an exception,
>which is wrong because each instance of {} is mutable.

In Joe-E, we do consider this function a pure function, and we do allow
pure functions to return mutable objects.  So maybe it's worth thinking
about whether there is a compelling reason to forbid mutable return
values from pure functions.

I imagine I've plugged our paper on functionality purity in Joe-E before,
but just in case I haven't mentioned it recently:

http://www.cs.berkeley.edu/~daw/papers/pure-ccs08.pdf 

P.S. Does Cajita's taming make it a design goal to tame away all access
to non-determinism?  If not, that's something else you'll have to tackle.

P.P.S. Does Cajita expose object identity?  If it does, what notion of
determinism do you want to use?  Suppose o1,o2 are two objects such that
o1 !== o2, but o1 and o2 are "equivalent" in some sense (say, o1[s] ===
o2[s] for all s).  If I know that f is purely functional and I call f(o1)
and f(o2), do you want to be able to infer that f(o1) is "equivalent"
to f(o2), or are you OK with the possibility that f(o1) might be totally
unrelated to f(o2)?