WEBVTT 00:00.000 --> 00:11.000 We'll get that one. 00:11.000 --> 00:12.000 Yeah? 00:12.000 --> 00:15.000 We'll sit. 00:15.000 --> 00:17.000 You can clear your mind. 00:17.000 --> 00:18.000 Antation. 00:18.000 --> 00:20.000 No. 00:20.000 --> 00:24.000 We'll register allocation in this talk. 00:24.000 --> 00:28.000 We're just going to talk about what programming is like and why we're doing it. 00:28.000 --> 00:33.000 And whether we're doing it the right way, because there's a good chance we're not. 00:33.000 --> 00:40.000 I came up with this idea for this talk because you might know there's a lot of work going on 00:40.000 --> 00:43.000 and what they call safe languages these days. 00:43.000 --> 00:47.000 Probably some of you are working on some of those languages. 00:47.000 --> 00:57.000 And I began to wonder whether this was all as well whether we were going about this the right way. 00:58.000 --> 01:07.000 The, the, the entities for a safe, safe programming languages is is connected to security. 01:07.000 --> 01:09.000 And I'll tell you a little story. 01:09.000 --> 01:13.000 Person I know 30 years ago. 01:13.000 --> 01:18.000 She had become a unix administrator and she came out of a meeting. 01:18.000 --> 01:24.000 And at the end of that meeting, one of the senior people in the organization said, 01:24.000 --> 01:28.000 I want you to make sure when we're done with this operation that it's secure. 01:28.000 --> 01:32.000 But she went home that night and I, time she got to work in the morning. 01:32.000 --> 01:35.000 And there's the places that complete disaster. 01:35.000 --> 01:38.000 The major systems were not working correctly. 01:38.000 --> 01:40.000 That she was responsible for. 01:40.000 --> 01:45.000 She was supposed to be secure because then I'd be for when she went home. 01:45.000 --> 01:47.000 She used the command, 01:47.000 --> 01:51.000 and capital R minus W. 01:51.000 --> 01:57.000 Flash. 01:57.000 --> 02:02.000 So security is, 02:02.000 --> 02:05.000 it has a lot of components. 02:05.000 --> 02:08.000 And language, the language we program is just one of them. 02:08.000 --> 02:11.000 If you have control of the machine as our dreamcast person will say, 02:11.000 --> 02:13.000 you have control of the machine. 02:13.000 --> 02:16.000 You own the security that thing. 02:16.000 --> 02:20.000 If you are mistrusting the people who are responsible for that machine, 02:20.000 --> 02:25.000 you could wind up with a read-only main drive. 02:25.000 --> 02:29.000 You have policies, you have enforcement of those policies. 02:29.000 --> 02:32.000 So all that stuff goes into the security. 02:32.000 --> 02:39.000 Programming language that we're using is just one small piece of it. 02:39.000 --> 02:42.000 And the definition that I think, 02:42.000 --> 02:46.000 isn't even all great. 02:46.000 --> 02:53.000 Let's accept that you can crash your program with the simplest possible program 02:53.000 --> 02:54.000 language. 02:54.000 --> 02:55.000 It doesn't take much. 02:55.000 --> 02:59.000 And you'd like to think that a compiler would help me with this problem. 02:59.000 --> 03:00.000 I didn't. 03:00.000 --> 03:01.000 I'd like to think that. 03:01.000 --> 03:05.000 But often it does not. 03:05.000 --> 03:09.000 You yourself can look at those few lines and see exactly what's wrong. 03:09.000 --> 03:17.000 But somehow the static analysis and all of its intelligence came up with nothing. 03:17.000 --> 03:20.000 So the purpose of this talk, the definition of safe languages, 03:20.000 --> 03:23.000 the one I'm taking from what I read from those C++ guys, 03:23.000 --> 03:28.000 actually wrote to Bjorn Stralstrup to ask him whether it was possible to use the cobalt 03:28.000 --> 03:34.000 front-end in GCC as an example of safe programming practices in C++. 03:34.000 --> 03:37.000 And he directed me to a lot of his papers. 03:37.000 --> 03:41.000 I think that was no. 03:41.000 --> 03:45.000 But we could still talk about it. 03:45.000 --> 03:52.000 In any case, if you go, so herb-sutter went through proposals that the thing you'd like to tackle first, 03:52.000 --> 03:57.000 the lowest tank, are these four items from the common weakness and 03:57.000 --> 04:00.000 humeration database. 04:00.000 --> 04:03.000 And you'll notice that they're all runtime errors. 04:04.000 --> 04:06.000 And they're pretty simple. 04:06.000 --> 04:10.000 You used an array outside of where it was supposed to be or used a pointer that wasn't yours, 04:10.000 --> 04:12.000 or didn't apply to the thing was supposed to. 04:12.000 --> 04:13.000 That's it. 04:13.000 --> 04:15.000 That's all they're really trying to accomplish. 04:15.000 --> 04:21.000 And they've got a lot of people working on it. 04:21.000 --> 04:23.000 In cobalt. 04:23.000 --> 04:26.000 Well, I want to make sure I did this in the right order. 04:26.000 --> 04:28.000 I don't know if it's skip anything. 04:28.000 --> 04:29.000 Yep. 04:29.000 --> 04:34.000 So cobalt has a whole runtime exception system built into it. 04:34.000 --> 04:38.000 In a way that I've never seen another language do. 04:38.000 --> 04:41.000 You've got, I want to point out something before I go any further in this. 04:41.000 --> 04:44.000 Everything I'm going to talk about is something you could write. 04:44.000 --> 04:48.000 These are things that are built into the system you're writing it with. 04:48.000 --> 04:52.000 You could write a copy constructor in C++ and create certain things. 04:52.000 --> 04:53.000 But that logic's on you. 04:53.000 --> 04:56.000 The things I'm talking about are things that built into the language that you're using. 04:59.000 --> 05:04.000 But in cobalt, it was originally designed. 05:04.000 --> 05:07.000 Back where Bocca's now our form was. 05:07.000 --> 05:08.000 That's not it. 05:08.000 --> 05:11.000 That's a low question. 05:11.000 --> 05:14.000 I would say that's a low figure, right? 05:14.000 --> 05:17.000 So our cobalt system today. 05:17.000 --> 05:28.000 ISO cobalt 2,023 has a 120 runtime exception conditions. 05:28.000 --> 05:32.000 What you're doing in cobalt is you set up at the beginning of your program. 05:32.000 --> 05:34.000 Any of these things you want to handle. 05:34.000 --> 05:37.000 You can handle them individually each 120 at a time or by class. 05:37.000 --> 05:39.000 All of the ones that are boundary errors. 05:39.000 --> 05:42.000 And you say, what do I want to do about that? 05:42.000 --> 05:50.000 And then when you finish with that declarative section runs as a result of that, 05:50.000 --> 05:54.000 of the exception handling, logic returns to where it came from. 05:54.000 --> 05:55.000 Or it doesn't. 05:55.000 --> 05:58.000 It depends on whether you tell it to. 05:58.000 --> 06:01.000 So you don't have it at the function level or anything like that. 06:01.000 --> 06:15.000 It's generally speaking, it's a global thing. 06:15.000 --> 06:16.000 Yes. 06:16.000 --> 06:19.000 So it can be handled exceptionally or by category. 06:19.000 --> 06:26.000 The each of those 120 exception conditions is to find to be either fatal or non-fail. 06:26.000 --> 06:30.000 Non-fail errors, exceptions return, flown immediately. 06:30.000 --> 06:33.000 Fatal ones by default, stop the program. 06:33.000 --> 06:35.000 And if it is, but you can continue it. 06:35.000 --> 06:40.000 If you can figure out what to do about it, you can, there's a statement you can use to return 06:40.000 --> 06:44.000 the control flow back to your program. 06:44.000 --> 06:48.000 Most statements in cobalt themselves, cobalt has very high level language. 06:48.000 --> 06:50.000 It has a very high level statement. 06:50.000 --> 06:55.000 So it almost all statements have an exception feature built into them. 06:55.000 --> 06:57.000 Again, the compiler knows what you're talking about. 06:57.000 --> 06:59.000 So it says, I'm going to add these two numbers together. 06:59.000 --> 07:06.000 If that thing, the result is too big to fit into the thing where it doesn't fit 07:06.000 --> 07:09.000 where it's going, you can say, oh, there's an error. 07:09.000 --> 07:10.000 So what do I do about that? 07:10.000 --> 07:11.000 Do I round it off? 07:11.000 --> 07:12.000 Do I report it? 07:12.000 --> 07:13.000 Whatever I'm going to do. 07:13.000 --> 07:16.000 But that's feature of the statement itself. 07:18.000 --> 07:28.000 The advantage of that is you don't have to think about what kind of exception this thing 07:28.000 --> 07:29.000 will raise. 07:29.000 --> 07:30.000 Right? 07:30.000 --> 07:34.000 If you're going to do something and it's going to throw an exception today, you go to the side, 07:34.000 --> 07:38.000 but you're going to put in your catch function, whatever it's called. 07:38.000 --> 07:46.000 But here, the on error aspect of the verb has decided already, which thing, it's handling, 07:46.000 --> 07:49.000 whatever that thing can do, whatever that's already. 07:49.000 --> 07:54.000 You're going to have to think about those things. 07:54.000 --> 07:55.000 So what's different? 07:55.000 --> 07:57.000 So those are the one time aspects. 07:57.000 --> 08:00.000 We've already said we've taken care of null pointers. 08:00.000 --> 08:02.000 We've taken care of out of bound accesses. 08:02.000 --> 08:06.000 But there's a lot more that the language could do for you. 08:06.000 --> 08:08.000 The compiler could do for you. 08:08.000 --> 08:13.000 And the way we've been building compilers and languages for decades now is preventing 08:13.000 --> 08:17.000 us from taking care of some of the, from taking advantage of something that could do. 08:17.000 --> 08:22.000 I remember reading, because anyone read coders at work, the book from a few years ago, 08:22.000 --> 08:28.000 where a Fran Allen was at, oh, gee, it might have been phased in 1968 when 08:28.000 --> 08:30.000 Contamson, kidding, of course. 08:30.000 --> 08:36.000 When Ken Thompson and Dennis Ritchie presented C as a new language, 08:36.000 --> 08:39.000 so you could use to write programs with. 08:40.000 --> 08:41.000 And she was horrified. 08:41.000 --> 08:44.000 Fran Allen from, from IBM was perfectly, 08:44.000 --> 08:49.000 horrified because all the work they've been doing at IBM to build a gigantic language, 08:49.000 --> 08:51.000 that would encompass all the things that you need to do. 08:51.000 --> 08:55.000 So you have one program that would be an end-to-end application for the whole problem. 08:55.000 --> 08:58.000 The AT&T guys have done the other direction entirely, 08:58.000 --> 09:00.000 and built a tiny little language with the while it all. 09:04.000 --> 09:05.000 Yeah. 09:05.000 --> 09:08.000 So, so if you make your problem small, if you can easily accomplish it, 09:08.000 --> 09:11.000 but then, of course, that leaves to everything up. 09:11.000 --> 09:15.000 So, now I'm going to, the next part of this talk is about the compile time features of cobalt 09:15.000 --> 09:20.000 that are, that we, that most, and I haven't encountered any language that's 09:20.000 --> 09:25.000 having anything like that, and I think that it's worth your time to think about 09:25.000 --> 09:28.000 whether they should be. 09:28.000 --> 09:35.000 So, cobalt, you can define exactly how big your numbers are, where the decimal point 09:35.000 --> 09:40.000 goes, how many what the fractional component is, when you compute every element of that 09:40.000 --> 09:44.000 computation, you can, you can control the rounding of it. 09:44.000 --> 09:49.000 It knows whether or not the results fits in the, in the, in the, in the, in the variable 09:49.000 --> 09:53.000 you're putting it into, and whether you, and you decide what you're going to do about that. 09:53.000 --> 09:56.000 If you're going to do anything at all, you don't have to turn that on, but you can. 09:56.000 --> 10:01.000 When you move things between you copy memory from one place to another in cobalt, 10:01.000 --> 10:03.000 there's no men copy. 10:03.000 --> 10:05.000 You're not relying on a standard library. 10:05.000 --> 10:09.000 You're asked, you're saying, this thing goes in that thing, and if it's going to be converted, 10:09.000 --> 10:13.000 it's going to be converted by the language itself. 10:13.000 --> 10:16.000 File operations, cobalt most about the kind of a file. 10:16.000 --> 10:21.000 It knows about the file as it's determined to be inside the file catalog, 10:21.000 --> 10:25.000 and it knows what kind of operations can take place on which kinds of files. 10:25.000 --> 10:27.000 We do character output. 10:27.000 --> 10:30.000 I heard something about print after today, and I was thinking, 10:30.000 --> 10:33.000 I'll tell you how you put things on the screen in cobalt. 10:33.000 --> 10:34.000 You say display. 10:34.000 --> 10:37.000 Whatever it is, that's where it goes. 10:37.000 --> 10:39.000 So there's no name copy. 10:39.000 --> 10:40.000 There's no standard layout. 10:40.000 --> 10:42.000 There's no men set. 10:42.000 --> 10:43.000 There's no aeronaut. 10:43.000 --> 10:46.000 All the stuff's handled by the language. 10:46.000 --> 10:49.000 You never are out there talking to some library asking it. 10:49.000 --> 10:53.000 This is important because you're checking systems. 10:53.000 --> 10:56.000 You're static analysis uses the function call as a boundary. 10:56.000 --> 10:59.000 It doesn't go into your standard library to ask whether that thing is doing 10:59.000 --> 11:00.000 something correctly. 11:00.000 --> 11:02.000 It stops there. 11:02.000 --> 11:05.000 Here, we're handing the entire program, the entire problem, 11:05.000 --> 11:07.000 to the compiler. 11:07.000 --> 11:14.000 All of the IO, as you'll see in a moment, is entirely defined within the application. 11:14.000 --> 11:21.000 So here we have, here we have a signed fixed point number, 11:21.000 --> 11:24.000 with three decimal point precision. 11:24.000 --> 11:27.000 The decimal point itself doesn't take up any space. 11:28.000 --> 11:31.000 You do fixed point arithmetic on this thing. 11:31.000 --> 11:35.000 You can assign values at the beginning. 11:35.000 --> 11:37.000 If you don't assign a value, they have values too. 11:37.000 --> 11:41.000 Everything has a value, but we know what it is. 11:41.000 --> 11:45.000 All of this is declared before the first instructions executed. 11:45.000 --> 11:48.000 It's all static memory. 11:48.000 --> 12:00.000 All the RIO operations are defined by the program, by the by the language. 12:00.000 --> 12:09.000 This is a cheap amount of how many months that we put into this part of the problem. 12:09.000 --> 12:15.000 Instead of libraries, a couple systems usually use a module system. 12:15.000 --> 12:20.000 And pre-processors that bring the external information into the system. 12:20.000 --> 12:29.000 So we use embedded SQL to operate on, you know, to turn rows in the database into records 12:29.000 --> 12:31.000 in the application. 12:31.000 --> 12:36.000 Again, the compiler knows what the structure of that thing is. 12:36.000 --> 12:40.000 And to contract that, again, before it ever starts, we know how many fields 12:40.000 --> 12:44.000 are going to be in the record and what their names and types are. 12:44.000 --> 12:47.000 That's sort of thing. 12:47.000 --> 12:57.000 Again, with CSS, those things are all predefined. 12:57.000 --> 13:02.000 I haven't worked with the CSS system since 1988. 13:02.000 --> 13:09.000 So I would say, that was the last time I had one language to control the whole end 13:09.000 --> 13:16.000 and functionality of the application, where the entire system was defined by the one in one way. 13:16.000 --> 13:25.000 The opposite of the way we build systems now, where we've got a whole cloud of systems that we're talking to. 13:25.000 --> 13:30.000 So my intention is, this is how you build the safe language. 13:30.000 --> 13:36.000 If that's what we're after, it's not clear to me that it needs to be what we're after. 13:36.000 --> 13:39.000 It could be that we're going after good things for the wrong reasons. 13:39.000 --> 13:46.000 But if you bring everything into the system, if the language defines the entire problem, 13:46.000 --> 13:51.000 if all of the operations are fully defined by the language and by the compiler, 13:51.000 --> 13:58.000 then the compiler has the chance to tell you, prevent you from doing things you're not supposed to do, 13:58.000 --> 14:04.000 and tell you what you've done wrong. 14:04.000 --> 14:10.000 Preventing those runtime errors that we're trying to capture to create a safe language. 14:10.000 --> 14:14.000 I'm not slagging C++ here. Please don't tell me I am. 14:14.000 --> 14:17.000 I'm not. I'm not. I wrote. 14:17.000 --> 14:24.000 I was just telling someone in lunch today that the Cobalt front end is a written in C++ and not just that, 14:24.000 --> 14:27.000 but C++ 17. I hope that's allowed. 14:27.000 --> 14:43.000 And so yeah, I don't see++ fan to it, but let's not confuse ourselves about what the language that I'm using does and can do and defines and doesn't define. 14:43.000 --> 14:49.000 Your values are always defined. If you didn't give it an initial value, you got one. 14:49.000 --> 14:55.000 You got a zero for numbers. You got blanks for everything else. 14:55.000 --> 14:59.000 The iterators are attached to the array definition. 14:59.000 --> 15:09.000 When you bump it up or down, the compiler is watching you. If you manage to get it out of bounds, you have a place to handle that exception. 15:09.000 --> 15:14.000 Computation checks to make sure that the thing you don't have overflow opportunities. 15:14.000 --> 15:19.000 If you didn't manage to create one, that gets caught at runtime. 15:19.000 --> 15:25.000 The system understands about the IO, so you can't operate on the file incorrectly. 15:25.000 --> 15:37.000 In fact, before the thing gets launched, the system that does that is going to see whether the catalog definition matches the Cobalt definition for this file. 15:37.000 --> 15:50.000 And we do have per statement of exception handling, but generally it's a centralized declarative system for determining what you're going to do with your errors. 15:50.000 --> 15:57.000 You yourself, as a programmer, don't have to care about the kind of exception that gets raised by a particular statement because we know what we do with that problem. 15:57.000 --> 16:05.000 It's handled up there in the declarative. 16:05.000 --> 16:11.000 So because you control the whole thing, I think that's a different sort of a problem. 16:11.000 --> 16:21.000 And my observation is that Cobalt is the last time anybody tried to design a language that would handle the application problem domain from front to end. 16:21.000 --> 16:35.000 That all modern systems are all built on the C model where we're going to have libraries that are going to talk to each other and we're going to make the problem that we're talking about smaller and your static checker won't find errors. 16:35.000 --> 16:48.000 And maybe we should think about ways to bring some of those ideas into the languages that we're building now because I don't see this any other way for the compiler to check where it can't see. 16:48.000 --> 16:54.000 And that is, I think, the last slide. 16:54.000 --> 16:55.000 Time's up.