
Marco ServettoVictoria University of Wellington · School of Engineering and Computer Science
Marco Servetto
Ph.D. Computer Science
About
49
Publications
3,248
Reads
How we measure 'reads'
A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more
218
Citations
Introduction
Publications
Publications (49)
Security-critical software applications contain confidential information which has to be protected from leaking to unauthorized systems. With language-based techniques, the confidentiality of applications can be enforced. Such techniques are for example type systems that enforce an information flow policy through typing rules. The precision of such...
In type-and-coeffect systems , contexts are enriched by coeffects modeling how they are actually used, typically through annotations on single variables. Coeffects are computed bottom-up, combining, for each term, the coeffects of its subterms, through a fixed set of algebraic operators. We show that this principled approach can be adopted to track...
In type-and-coeffect systems, contexts are enriched by coeffects modeling how they are actually used, typically through annotations on single variables. Coeffects are computed bottom-up, combining, for each term, the coeffects of its subterms, through a fixed set of algebraic operators. We show that this principled approach can be adopted to track...
In security-critical software applications, confidential information must be prevented from leaking to unauthorized sinks. Static analysis techniques are widespread to enforce a secure information flow by checking a program after construction. A drawback of these systems is that incomplete programs during construction cannot be checked properly. Th...
In this paper we use pre-existing language support for both reference and object capabilities to enable sound runtime verification of representation invariants. Our invariant protocol is stricter than the other protocols, since it guarantees that invariants hold for all objects involved in execution. Any language already offering appropriate suppor...
In security-critical software applications, confidential information must be prevented from leaking to unauthorized sinks. Static analysis techniques are widespread to enforce a secure information flow by checking a program after construction. A drawback of these systems is that incomplete programs during construction cannot be checked properly. Th...
I'm starting to make you tube videos presenting the L42 tutorial.
Follow me on https://www.youtube.com/MarcoServetto
Tutorial here:
https://www.youtube.com/playlist?list=PLWsQqjANQic8c5wG3LfSe-mMiBKfOtBFJ
We formally define an elegant multi-paradigm unification of Functional Reactive Programming, Actor Systems, and Object-Oriented Programming. This enables an intuitive form of declarative programming, harvesting the power of concurrency while maintaining safety. We use object and reference capabilities to highlight and tame imperative features: refe...
Effect systems are used to statically reason about the effects an expression may have when evaluated. In the literature, such effects include various behaviours as diverse as memory accesses and exception throwing. Here we present CallƐ, an object-oriented language that takes a flexible approach where effects are just method calls: this works well...
Multi-methods are a straightforward extension of traditional (single) dynamic dispatch, which is the core of most object oriented languages. With multi-methods, a method call will select an appropriate implementation based on the values of multiple arguments, and not just the first/receiver. Language support for both single and multiple dispatch is...
Static verification relying on an automated theorem prover can be very slow and brittle: since static verification is undecidable, correct code may not pass a particular static verifier. In this work we use metaprogramming to generate code that is correct by construction. A theorem prover is used only to verify initial "traits": units of code that...
Effect systems are used to statically reason about the effects an expression may have when evaluated. In the literature, such effects include various behaviours as diverse as memory accesses and exception throwing. Here we present CallE, an object-oriented language that takes a flexible approach where effects are just method calls: this works well...
Traditionally, semantic models of imperative languages use an auxiliary structure which mimics memory. In this way, ownership and other encapsulation properties need to be reconstructed from the graph structure of such global memory. We present an alternative "syntactic" model where memory is encoded as part of the program rather than as a separate...
Traditionally, semantic models of imperative languages use an auxiliary structure which mimics memory. In this way, ownership and other encapsulation properties need to be reconstructed from the graph structure of such global memory. We present an alternative "syntactic" model where memory is encoded as part of the program rather than as a separate...
We present an imperative object calculus where types are annotated with qualifiers for aliasing and mutation control. There are two key novelties with respect to similar proposals. First, the type system is very expressive. Notably, it adopts the recovery approach, that is, using the type context to justify strengthening types, greatly improving it...
In this paper we use pre existing language support for type modifiers and object capabilities to enable a system for sound runtime verification of invariants. Our system guarantees that class invariants hold for all objects involved in execution. Invariants are specified simply as methods whose execution is statically guaranteed to be deterministic...
Metaprogramming is often used to programmatically generate faster specialised code when some parameters are known in advance. To use metaprogramming and SV together, we could generate code containing contracts, and such code could be checked after metaprogramming has been completed. SV could then be applied to the code resulting from the metaprogra...
Context: Trait composition has inspired new research in the area of code reuse for object oriented (OO) languages. One of the main advantages of this kind of composition is that it makes possible to separate subtyping from subclassing; which is good for code-reuse, design and reasoning. However, handling of state within traits is difficult, verbose...
Context: Trait composition has inspired new research in the area of code reuse for object oriented (OO) languages. One of the main advantages of this kind of composition is that it makes possible to separate subtyping from subclassing; which is good for code-reuse, design and reasoning. However, handling of state within traits is difficult, verbose...
We present an imperative object calculus where types are annotated with qualifiers for aliasing and mutation control. There are two key novelties with respect to similar proposals. First, the type system is very expressive. Notably, it adopts the "recovery" approach, that is, using the type context to justify strengthening types, greatly improving...
We present a type and effect system for expressing uniqueness and immutability properties in imperative languages. The distinguishing feature is that typechecking infers sharing possibly introduced by the evaluation of an expression. In this way, expressions get very expressive types: notably, uniqueness and immutability properties can be detected...
We introduce a type and effect system, for an imperative object calculus, which infers "sharing" possibly introduced by the evaluation of an expression, represented as an equivalence relation among its free variables. This direct representation of sharing effects at the syntactic level allows us to express in a natural way, and to generalize, widel...
We introduce a type and effect system, for an imperative object calculus, which infers "sharing" possibly introduced by the evaluation of an expression, represented as an equivalence relation among its free variables. This direct representation of sharing effects at the syntactic level allows us to express in a natural way, and to generalize, widel...
We introduce a type and effect system, for an imperative object calculus, which infers sharing possibly introduced by the evaluation of an expression. Sharing is directly represented at the syntactic level as a relation among free variables, thanks to the fact that the calculus is pure. That is, imperative features are modeled by just rewriting sou...
We outline a type and effect system which infers sharing possibly introduced by the evaluation of an expression. In this way, expressions get very expressive types, which generalize notions enforced in literature by type modifiers. Sharing is directly represented at the syntactic level as a relation among free variables, thanks to the fact that the...
This paper presents an OO style without classes, which we call interface-based object-oriented programming (IB). IB is a natural extension of closely related ideas such as traits. Abstract state operations provide a new way to deal with state, which allows for flexibility not available in class-based languages. In IB state can be type-refined in su...
This paper presents an OO style without classes, which we call interface-based object-oriented programming (IB). IB is a natural extension of closely related ideas such as traits. Abstract state operations provide a new way to deal with state, which allows for flexibility not available in class-based languages. In IB state can be type-refined in su...
We propose an alternative to the usual try-catch construct, where catch clauses are coupled with the declaration of a local variable, rather than with an arbitrary expression. That is, in case initialization of the local variable fails, they provide an alternative computation which does not depend on such variable. This alternative mechanism subsum...
In this extended abstract we propose to enhance declaration of local variables with a catching mechanism. This provides a more powerful and methodologically more appropriate mechanism of catching exceptions than the usual try/catch construct. The advantages are highlighted by presenting some paradigmatic examples. The proposal is formalized as an e...
We present a simple calculus where imperative features are modeled by just rewriting source code terms, rather than by modifying an auxiliary structure which mimics physical memory. Formally, this is achieved by the block construct, introducing local variable declarations, which also plays the role of store when such declarations have been evaluate...
We present an imperative object calculus where types are annotated with two modifiers for aliasing control. The \({\mathtt{lent}}\) modifier prevents objects to be aliased, whereas the \({\mathtt{capsule}}\) modifier characterizes expressions that will reduce to isolated portions of store. There are two key novelties w.r.t. similar proposals. First...
Traditionally, formal semantic models of Java-like languages use an explicit model of the store which mimics pointers and ram. These low level models hamper understanding of the semantics, and development of proofs about ownerships and other encapsulation properties, since the real (graph) structure of the data is obscured by the encoding. Such mod...
Programmers often need to initialise circular structures of objects. Initialisation should be safe (so that programs can never suffer null pointer exceptions or otherwise observe uninitialised values) and modular (so that each part of the circular structure can be written and compiled separately). Unfortunately, existing languages do not support mo...
We present a new Java-like language design coupling disciplined meta-programming features with a composition language. That is, programmers can write meta expressions that combine class definitions, on top of a small set of composition operators, inspired by the seminal Bracha's Jigsaw framework. Moreover, such operators are deep, that is, they all...
Safe parallelisation of object-oriented programs requires static
guarantees about the shape and/or intended usage of reachable
objects. For example, transitively immutable objects lend themselves
naturally to concurrent access. However, parallelising tasks which
potentially mutate reachable objects is more challenging. One
approach to avoiding race...
Automatically detecting when it is safe to execute program expres-sions in parallel is hard. In this paper we take a step towards this ul-timate goal by extending the original Almeida's [1] balloons system with immutability and we utilise this information to figure out when the execution order of some expressions does not influence the re-sult. Our...
We present FJig, a simple calculus where basic building blocks are classes in the style of Featherweight Java, declaring fields, methods and one constructor. However, inheritance has been generalized to the much more flexible notion originally proposed in Brachaʼs Jigsaw framework. That is, classes play also the role of modules, that can be compose...
We present a new language design coupling disciplined meta-programming features with a composition language, in the context of Java-like classes. That is, programmers can write meta-expressions that combine class definitions, on top of a small set of composition operators. This approach implies compile-time execution, as in template meta-programmin...
"Exception-safety strong guarantee: The operation has either completed successfully or thrown an exception, leaving the program state exactly as it was before the operation started." David Abrahams [Abr00] The above definition of strong exception-safety comes from the world of C++, but it can be applied to any language. Because the exception-safety...
We propose a Java-like language where class definitions are first class values and new classes can be derived from existing ones by exploiting the full power of the language itself, used on top of a small set of primitive composition operators, instead of using a fixed mechanism like inheritance.
Hence, compilation requires to perform (meta-)reduct...
We propose a formal framework for extending a class-based language, equipped with a given class composition mechanism, to allow programmers to define their own derived composition operators. These definitions can exploit the full expressive power of the underlying computational language.The extension is obtained by adding meta-expressions, that is,...
We present FJig, a simple calculus where basic building blocks are classes in the style of Featherweight Java, declaring fields, methods and one constructor. However, inheritance has been generalized to the much more flexible notion originally proposed in Bracha’s Jigsaw framework. That is, classes play also the role of modules, that can be compose...
Inheritance in object-oriented languages allows, roughly, to obtain the same effect one would get by duplicating the methods of the parent class in the heir. However, the key advantage is that source code duplication is avoided, and the code of the parent is, instead, found on demand, through a runtime procedure called method look-up. In other word...
"Exception-safety strong guarantee: The operation has either completed successfully or thrown an exception, leaving the program state exactly as it was before the operation started." David Abrahams [1] The above definition of strong exception-safety comes from the world of C++, but it can be applied to any language. Because the exception-safety str...
We present a new language design which smoothly integrates modular composition and nesting of Java-like classes. That is, inheritance has been replaced by an expressive set of composition operators, inspired by Bracha's Jigsaw framework, and these operators allow to manipulate (e.g., rename or duplicate) a nested class at any level of depth. Typing...
The introduction of null references was my billion-dollar mis-take." Tony Hoare The above sentence remarks the well-known problem of null references. How-ever, to simply remove null from the language is too restrictive, since it would forbid any type of circular initialization pattern. In the years many approaches have tried to address the problem....