The use of monads to structure functional programs is described. Monads provide a convenient framework for simulating e ects found in other languages, such as global state, exception handling, output, or non-determinism. Three case studies are looked at in detail: how monads ease the modi cation of a simple evaluator; how monads act as the basis of a datatype of arrays subject to in-place update; and how monads can be used to build parsers.

Informal arguments that cryptographic protocols are secure can be made rigorous using inductive definitions. The approach is based on ordinary predicate calculus and copes with infinite-state systems. Proofs are generated using Isabelle/HOL. The human effort required to analyze a protocol can be as little as a week or two, yielding a proof script that takes a few minutes to run. Protocols are inductively defined as sets of traces. A trace is a list of communication events, perhaps comprising many interleaved protocol runs. Protocol descriptions incorporate attacks and accidental losses. The model spy knows some private keys and can forge messages using components decrypted from previous traffic. Three protocols are analyzed below: Otway-Rees (which uses shared-key encryption), Needham-Schroeder (which uses public-key encryption), and a recursive protocol [9] (which is of variable length). One can prove that event ev always precedes event ev ′ or that property

Ensuring secure information ow within programs in the context of multiple sensitivity levels has been widely studied. Especially noteworthy is Denning's work in secure ow analysis and the lattice model [6][7]. Until now, however, the soundness of Denning's analysis has not been established satisfactorily. Weformulate Denning's approach as a type system and present a notion of soundness for the system that can be viewed as a form of noninterference. Soundness is established by proving, with respect to a standard programming language semantics, that all well-typed programs have this noninterference property.

ion. ACM Transactions on Programming Languages and Systems, 16(5):1512--1542, September 1994. Bibliography 401 [Che80] B. F. Chellas. Modal Logic -- an Introduction. Cambridge University Press, 1980. [Dam96] D. R. Dams. Abstract Interpretation and Partition Refinement for Model Checking. PhD thesis, Institute for Programming research and Algorithmics. Eindhoven University of Technology, July 1996. [Dij76] E. W. Dijkstra. A Discipline of Programming. Prentice Hall, 1976. [DP96] R. Davies and F. Pfenning. A Modal Analysis of Staged Computation. In 23rd Annual ACM Symposium on Principles of Programming Languages. ACM Press, January 1996. [EN94] R. Elmasri and S. B. Navathe. Fundamentals of Database Systems. Benjamin/Cummings, 1994. [FHMV95] Ronald Fagin, Joseph Y. Halpern, Yoram Moses, and Moshe Y. Vardi. Reasoning about Knowledge. MIT Press, Cambridge, 1995. [Fit93] M. Fitting. Basic modal logic. In D. Gabbay, C. Hogger, and J. Robinson, editors, Handbook of Logic in Artificial In...

Standard ML is one of a number of new programming languages developed in the 1980s that are seen as suitable vehicles for serious systems and applications programming. It offers an excellent ratio of expressiveness to language complexity, and provides competitive efficiency. Because of its type and module system, Standard ML manages to combine safety, security, and robustness with much of the flexibility of dynamically typed languages like Lisp. It is also has the most well-developed scientific foundation of any major language. Here I review the strengths and weaknesses of Standard ML and describe some of what we have learned through the design, implementation, and use of the language.

This paper presents the design and implementation of a "quasi real-time" garbage collector for Concurrent Caml Light, an implementation of ML with threads. This two-generation system combines a fast, asynchronous copying collector on the young generation with a nondisruptive concurrent marking collector on the old generation. This design crucially relies on the ML compiletime distinction between mutable and immutable objects. 1 Introduction This paper presents the design and implementation of a garbage collector for Concurrent Caml Light, an implementation of the ML language that provides multiple threads of control executing concurrently in a shared address space. Garbage collection --- the automatic reclamation of unused memory space --- is one of the most problematic components of run-time systems for multi-threaded languages. The naive "stop-the-world" approach, where all threads synchronously stop executing the user's program to perform garbage collection, is clearly inadequate,...

Some algorithms make critical internal use of updatable state, even though their external specification is purely functional. Based on earlier work on monads, we present a way of securely encapsulating stateful computations that manipulate multiple, named, mutable objects, in the context of a non-strict, purely-functional language. The security of the encapsulation is assured by the type system, using parametricity. Intriguingly, this parametricity requires the provision of a (single) constant with a rank-2 polymorphic type. 1

MLJ compiles SML'97 into verifier-compliant Java bytecodes. Its features include type-checked interlanguage working extensions which allow ML and Java code to call each other, automatic recompilation management, compact compiled code and runtime performance which, using a `just in time' compiling Java virtual machine, usually exceeds that of existing specialised bytecode interpreters for ML. Notable features of the compiler itself include whole-program optimisation based on rewriting, compilation of polymorphism by specialisation, a novel monadic intermediate...

Abstract not found

Two major obstacles hindering the wider acceptance of multi-methods are concerns over the lack of encapsulation and modularity and the absence of static typechecking in existing multi-method-based languages. This paper addresses both of these problems. We present a polynomial-time static typechecking algorithm that checks the conformance, completeness, and consistency of a group of method implementations with respect to declared message signatures. This algorithm improves on previous algorithms by handling separate type and inheritance hierarchies, abstract classes, and graph-based method lookup semantics. We also present a module system that enables independently-developed code to be fully encapsulated and statically typechecked on a per-module basis. To guarantee that potential conflicts between independently-developed modules have been resolved, a simple well-formedness condition on the modules comprising a program is checked at link-time. The typechecking algorithm and module system are applicable to a range of multi-method-based languages, but the paper uses the Cecil language as a concrete example of how they can be applied.