[PPT] - Constraining Delimited Control with Contracts Asumu Takikawa T. PowerPoint Presentation

SLIDE 1

Constraining Delimited Control with Contracts

Asumu Takikawa

T. Stephen Strickland*

Sam Tobin-Hochstadt Northeastern University University of Maryland, College Park*

1

SLIDE 2

Experienced programmers divide up all significant programs into separate components

2

SLIDE 3

web server

request? (-> request? response?)

servlet

3

SLIDE 4

web server

request? (-> request? response?)

servlet Import/export is a communication channel between components Executable specifications can protect these channels

4

SLIDE 5

Powerful control operators are available in virtually every significant language

Lua Python JavaScript Racket Ruby SML Scala Coroutines Generators Generators Continuations Fibers Continuations Continuations

5

SLIDE 6

web server servlet

6

SLIDE 7

web server servlet

7

SLIDE 8

web server servlet Control establishes a new communication channel No mechanism exists to protect these channels

8

SLIDE 9

Problem: Most languages cannot offer expressive interfaces for components that use control operators

9

SLIDE 10

Our contribution

Contracts to protect control-based

communication channels in Racket

Gradual typing for delimited control

in Typed Racket

10

SLIDE 11

Our contribution

∅ Types Contracts Gradual typing wcm ccm call/comp abort prompt

11

SLIDE 12

Our contribution

∅ Types Contracts Gradual typing wcm ccm call/comp abort prompt

12

SLIDE 13

Our contribution

∅ Types Contracts Gradual typing wcm ccm call/comp abort prompt

talk

13

SLIDE 14

Contracts in a nutshell

14

SLIDE 15

Contracts - agreements between two components Basic form: (contract "::1" ipv6? P N) P provides a value "::1" with contract ipv6? to N Value violates contract ⇒ P is blamed (contract "127.0.0.1" ipv6? P N) "Contract violation. Blaming: P"

15

SLIDE 16

Generalizes to higher-order cases

[Findler & Felleisen ICFP 2002]

f = (contract (λ (addr) (ipv4-to-ipv6 addr)) (→ ipv4? ipv6?) P N) Contract on f's domain violated ⇒ N is blamed (f "2a00:1450:400a:804::1012") "Contract violation. Blaming: N"

16

SLIDE 17

f = (contract (λ (addr) (ipv4-to-ipv6 addr)) (→ ipv4? ipv6?) P N)

"2a00:1450:400a:804::1012"

λ

17

SLIDE 18

g = (contract f (→ ipv4? ipv6?) N P)

"2a00:1450:400a:804::1012"

λ

18

SLIDE 19

Control operators

19

SLIDE 20

Continuations ~ high-level stack API

Elements of delimited control [Dybvig et. al JFP 2007]

(1) make a delimiter (2) delimit a continuation (3) capture a continuation (4) abort a continuation (5) install a continuation

~

(1) create a tag (2) mark stack segment with tag (3) store segment in a variable (4) delete part of stack (5) append segments onto stack Continuation marks [Clements et al. ESOP 2001] (6) store data in continuation (6) store data in stack

20

SLIDE 21

Continuations ~ high-level stack API

Elements of delimited control [Dybvig et. al JFP 2007]

(1) make a delimiter (2) delimit a continuation (3) capture a continuation (4) abort a continuation (5) install a continuation

~

(1) create a tag (2) mark stack segment with tag (3) store segment in a variable (4) delete part of stack (5) append segments onto stack Continuation marks [Clements et al. ESOP 2001] (6) store data in continuation (6) store data in stack

21

SLIDE 22

% delimit abort delete

% ☆ h

22

SLIDE 23

% delimit abort delete

% ☆ h ...

23

SLIDE 24

% delimit abort delete

% ☆ h ... ...

24

SLIDE 25

% delimit abort delete

% ☆ h ... ... ...

25

SLIDE 26

% delimit abort delete

% ☆ h ... ... ... abort ☆ 5

☆ is a prompt tag that allows communication between stack frames

26

SLIDE 27

% delimit abort delete

(h 5)

27

SLIDE 28

Interaction of Control & Contracts

28

SLIDE 29

Design principles

A correct contract system should:

offer opportunities to mediate the exchange of values

along channels between components

blame a component for contract violations only if

it affects the flow of values [Dimoulas Dissertation 2012] [Dimouas et al. ESOP 2012]

29

SLIDE 30

component A component B prime? protected channel

Contracts checked on boundary crossings

30

SLIDE 31

component A component B

% ☆ h

unprotected channel prime?

abort ☆ 4

abort bypasses usual protection by jumping Same mechanism does not work

31

SLIDE 32

Key idea

Principle 1:

offer opportunities to mediate the exchange of values

along channels between components

Operations that skip the contract boundary need extra contract mechanism

32

SLIDE 33

Key idea

Principle 1:

offer opportunities to mediate the exchange of values

along channels between components

Operations that skip the contract boundary need extra contract mechanism Question: how to plug the hole?

33

SLIDE 34

★ = (contract ☆ (prompt-tag/c prime?) B A) component A component B

% ★ h

★ ☆

abort ☆ 4

34

SLIDE 35

★ = (contract ☆ (prompt-tag/c prime?) B A) component A component B

% ★ h

★ ☆

abort ☆ 4

35

SLIDE 36

★ = (contract ☆ (prompt-tag/c prime?) B A) Blame B component A component B

% ★ h

★ ☆

abort ☆ 4

prompt has positive party as B

36

SLIDE 37

★ = (contract ☆ (prompt-tag/c prime?) B A) Blame B component A component B

% ★ h

★ ☆

abort ☆ 4

prompt has positive party as B

The contract on the tag triggers a contract check

The missing mechanism

37

SLIDE 38

★ = (contract ☆ (prompt-tag/c prime?) A B) component A component B

% ☆ h

☆ ★

abort ★ 4

38

SLIDE 39

★ = (contract ☆ (prompt-tag/c prime?) A B) component A component B

% ☆ h

☆ ★

abort ★ 4

39

SLIDE 40

★ = (contract ☆ (prompt-tag/c prime?) A B) Blame B component A component B

% ☆ h

☆ ★

abort ★ 4

abort swaps positive, negative parties

40

SLIDE 41

★ = (contract ☆ (prompt-tag/c prime?) A B) Blame B component A component B

% ☆ h

☆ ★

abort ★ 4

abort swaps positive, negative parties

Principle 2:

blame a component for contract violations only if

it affects the flow of values

The abort provides the value but it's the client

f a contract. Thus it swaps blame parties

Correct blame

41

SLIDE 42

h = (λ (f) (f 4)) f = (λ (x) (prime-after x))

★ = (contract ☆ (prompt-tag/c (-> prime? prime?)) A B) component A component B

% ☆ h

☆ ★

abort ★ f

42

SLIDE 43

h = (λ (f) (f 4)) f = (λ (x) (prime-after x))

★ = (contract ☆ (prompt-tag/c (-> prime? prime?)) A B) component A component B

% ☆ h

☆ ★

abort ★ f

43

SLIDE 44

h = (λ (f) (f 4)) f = (λ (x) (prime-after x))

★ = (contract ☆ (prompt-tag/c (-> prime? prime?)) A B) Blame A component A component B

% ☆ h

☆ ★

abort ★ f

Delayed contract means blame raised at prompt

44

SLIDE 45

ctc

B A

f

ctc = (-> prime? prime?)

45

SLIDE 46

ctc

B A

f

ctc = (-> prime? prime?)

56

SLIDE 47

ctc

B A

f

ctc = (-> prime? prime?)

67

SLIDE 48

ctc

B A

f

ctc = (-> prime? prime?)

78

SLIDE 49

ctc

B A

Blame A

ctc = (-> prime? prime?)

89

SLIDE 50

h = (λ (f) (f 7)) f = (λ (x) 4)

★ = (contract ☆ (prompt-tag/c (-> prime? prime?)) C A,B) component A component B

% ★ h

★ ★

C C

abort ★ f

Contract triggered from both sides

100

SLIDE 51

h = (λ (f) (f 7)) f = (λ (x) 4)

★ = (contract ☆ (prompt-tag/c (-> prime? prime?)) C A,B) component A component B

% ★ h

★ ★

C C

abort ★ f

Contract triggered from both sides

101

SLIDE 52

h = (λ (f) (f 7)) f = (λ (x) 4)

★ = (contract ☆ (prompt-tag/c (-> prime? prime?)) C A,B) Blame B component A component B

% ★ h

★ ★

C C

abort ★ f

Contract triggered from both sides

102

SLIDE 53

ctc ctc

B C A

f

ctc = (-> prime? prime?)

103

SLIDE 54

ctc ctc

B C A

f

ctc = (-> prime? prime?)

114

SLIDE 55

ctc ctc

B C A

f

ctc = (-> prime? prime?)

125

SLIDE 56

ctc ctc

B C A

f

ctc = (-> prime? prime?)

136

SLIDE 57

ctc ctc

B C A

f

ctc = (-> prime? prime?)

147

SLIDE 58

ctc ctc

B C A

f

ctc = (-> prime? prime?)

158

SLIDE 59

ctc ctc

B C A

Blame B

ctc = (-> prime? prime?)

169

SLIDE 60

Summary

A correct contract system should:

offer opportunities to mediate the exchange of values

along channels between components

blame a component for contract violations only if

it affects the flow of values

1. Trigger contracts via tags to mediate communication
2. Swap blame labels as appropriate for correct blame

180

SLIDE 61

Conclusion

181

SLIDE 62

Our contribution

∅ Types Contracts Gradual typing wcm ccm call/comp abort prompt

talk

182

SLIDE 63

Our contribution

∅ Types Contracts Gradual typing wcm ccm call/comp abort prompt

183

SLIDE 64

Gradual typing requires contracts

[Tobin-Hochstadt & Felleisen DLS 2006] [Siek & Taha, Scheme 2006] Gradual typing = Type system + Dynamic checking

typed untyped

contract check

τ → contract

184

SLIDE 65

☆ : (Prompt Integer Float) typed untyped

% ☆ h

☆ ★

abort ★ "a"

★ = (contract ☆ (prompt-tag/c int?) typed untyped)

185

SLIDE 66

☆ : (Prompt Integer Float) Blame untyped typed untyped

% ☆ h

☆ ★

abort ★ "a"

★ = (contract ☆ (prompt-tag/c int?) typed untyped)

186

SLIDE 67

Further coverage

call/cc fits into this model
operators like shift/reset via macros
could adapt to operators like coroutines

187

SLIDE 68

Our control contracts are available in Racket and Typed Racket now http://www.racket-lang.org

188

SLIDE 69

Our control contracts are available in Racket and Typed Racket now http://www.racket-lang.org

Thank you

189