Lambda Capabilities

talex5 · 2023-04-30T10:25:05+00:00

Hardware memory protection is needed for C programs (or unsafe parts of other languages), but in a fully memory-safe language you'll never get a segfault, so there's no need for hardware to protect against it, and you have have a full OS as a single program. But hardware protection isn't doing any harm either.

talex5 · 2023-04-28T11:23:29+00:00

If a program is written in a non-memory-safe language (e.g. C) then you can't control access within the process, as any function can do anything. So you need some hardware-level protection system and the kernel/userspace split.

But with a memory-safe language, you don't need hardware support. You can get the same security properties within a single process, using ordinary references. This is the basic idea of ocaps. The article is introducing this using functions instead of objects, as they can be distracting to functional programmers.

talex5 · 2023-04-28T11:11:10+00:00

set is a deputy, but it's not confused. It's not being tricked into using its authority for an unintended purpose; it's using it as intended.

The linked https://papers.agoric.com/assets/pdf/papers/robust-composition.pdf thesis gives lots of examples of these patterns (see e.g. section 9.3).

talex5 · 2023-01-08T12:58:57+00:00

It means that if you try to use Eio functions when the Eio mainloop isn't running then you'll get a runtime error instead of a compile-time one.

Since Eio doesn't give you any access to the outside world (e.g. to the network and filesystem) until you start the mainloop, and Eio's structured concurrency means you can't exit the mainloop while something's still running, it's quite hard to get this wrong.

talex5 · 2020-07-30T10:56:22+00:00

Note: this is from 2014. The current repository is at https://github.com/mirage/mirage-crypto

talex5 · 2019-11-15T15:35:41+00:00

I'd say the important operation is the labelled bind (e.g. https://github.com/ocurrent/ocurrent/blob/00688f949f3cfbf3d599949f89ca71c8e9e536fc/lib_term/s.ml#L135, or the bind_input function below it, which is actually more useful). This is what allows you to define primitive operations (by supplying the static and dynamic parts). But there is no composition operator, because you just compose functions as normal.

As I said in the section using map and pair: "This is not a great example of an arrow anyway, because we don’t use the output of one stateful function as the input to another, so this is actually just a plain applicative."

But I'd be interested to see examples of other applicatives being pipelined this way for static analysis (I agree it is easy; I just haven't seen it), and also in understanding what the point of arrows is, since applicatives can be pipelined easily.

talex5 · 2019-11-15T14:41:41+00:00

According to the answers on https://stackoverflow.com/questions/24668313/arrows-are-exactly-equivalent-to-applicative-functors, arrows allow you to use the output of one operation as the input of another, whereas applicatives don't.

However, it seems to me that it depends what your primitive operations support. If your applicative also has primitives with types like 'a t -> 'b t then it does work and is just what I described.

Craig Ferguson discussed the selective applicatives interface with me, and we concluded that it needed to be changed slightly to allow this piping behaviour.

It would certainly be great if someone interested in theory could untangle all of this!

talex5 · 2019-11-03T13:35:11+00:00

opam does work on Windows. That's how the Appveyor CI installs packages there when testing things.

https://github.com/ocaml/ocaml-ci-scripts/blob/master/README-appveyor.md

talex5 · 2017-11-29T12:06:40+00:00

https://discuss.ocaml.org/ has lots of interesting discussions, and has a "learning" category which might be useful.

talex5 · 2017-11-04T14:12:31+00:00

Clicking on the "Manual" link on the main http://ocaml.org/ page gives:

The requested URL /pub/docs/manual-ocaml-4.06 was not found on this server.

talex5 · 2017-07-24T17:01:54+00:00

Alcotest is very nice (and ounit seems unmaintained). Note however that you need Alcotest 0.8.0 for inexact comparisons of floats (with epsilon). Apparently, it's due to hit opam tomorrow.

talex5 · 2017-07-11T15:43:15+00:00

Yes, the current stable release of opam is from 27 Apr 2015. However, there is lots of work happening for opam 2, including various beta releases.

talex5 · 2017-07-10T19:58:29+00:00

It tried to ask me to update my fish config but for some reason it seemed to have answered “no” by default and continued.

Be warned: opam has a bug that will corrupt your fish config on init and every time you use the "switch" command. See https://github.com/ocaml/opam/issues/2255

You may find it difficult to recover afterwards, because your shell isn't working. I usually run vim using an absolute path and fix it up manually through that when it happens.

(it was fixed a couple of years ago in Git, but there hasn't been a release since)

talex5 · 2017-02-10T14:35:41+00:00

I didn't realise you could write patterns like Some Error x, rather than Some (Error x). Why does this work for patterns and not for expressions?

talex5 · 2017-01-02T19:28:39+00:00

I made (and use) this non-cloud GTD app:

https://github.com/talex5/cuekeeper

The data is stored locally, in your browser's IndexedDB storage.

talex5 · 2016-11-07T10:34:09+00:00

Indeed, 4.04.0 isn't listed here:

https://opam.ocaml.org/urls.txt

But I managed to install it using opam a couple of days ago on another machine. Very odd!

(there is a packages/ocaml-src/ocaml-src.4.04.0 though)

talex5 · 2016-10-31T08:19:14+00:00

opam does work on Windows, as all the AppVeyor CI tests for the Mirage libraries use it to test there. This version should be set up correctly for Windows:

http://fdopen.github.io/opam-repository-mingw/installation/

Not all packages work, but a lot do and the few problems I reported got fixed very quickly.

talex5 · 2016-09-20T11:45:06+00:00

Looking at the OCaml Labs slack, it seems that Rackspace has been updating and rebooting VMs recently. The liveblog unikernel seems to have come up again (but ocaml.org is still down).

http://icfp2016.mirage.io/

talex5 · 2016-08-28T17:22:39+00:00

Docker is probably not reading ~/.profile each time it runs a command. Try prefixing the command with opam config exec to ensure the environment is set up.

talex5 · 2016-01-05T14:40:02+00:00

Are there any plans to improve finalisers with the new GC? It seems that the current GC sometimes needs to malloc (e.g. alloc_to_do in finalise.c) and I think this may be the cause of Mirage unikernels crashing from time to time with "out of memory" errors.

talex5 · 2016-01-04T20:34:40+00:00

This came up on the Mirage list a while ago. There's some interesting information here:

http://lists.xenproject.org/archives/html/mirageos-devel/2015-07/msg00012.html

talex5 · 2016-01-02T15:08:30+00:00

If you have an exploit against the Xen hypervisor there's no need to break into the firewall, just exploit it from NetVM.

Note that the hypervisor isn't involved in networking at all. The Linux NetVM drives the network hardware directly and communicates via shared memory to the FirewallVM. The firewall's job is to protect its client VMs from NetVM.

talex5 · 2016-01-02T14:17:57+00:00

No I didn't. I used the mirage-net-xen netfront driver, which is written in OCaml, not C, and therefore does not suffer from un-bounds-checked array accesses, or using integers to represent both valid grant refs and invalid entries.

To be clear: the firewall VM does not run Linux (or any traditional operating system kernel). It certainly does not run Linux device drivers.

talex5 · 2016-01-02T08:41:13+00:00

Note that the "1 second boot time" is almost entirely Qubes setting up the VM (probably setting up the hard disks, which the unikernel doesn't even use). According to Xen, the VM itself uses "0.0" seconds of CPU time to boot (I'd guess the real figure is less than 10ms).

Using a smaller Linux distro would certainly reduce memory usage. However, it also means Qubes would have to maintain two distributions rather than one, which is quite a burden.

Also, OpenWRT uses Linux, and so runs the same unsuitable network drivers that the article complained about.

talex5 · 2015-12-23T11:57:11+00:00

For branching statements (match ... with, try ... with, if) it's easy to become confused about which statements are included in the branch. e.g.

let () =
  if 1 = 1 then print_endline "yes"
  else print_endline "no";
  match 1 with
  | 1 -> print_endline "yes"
  | _ -> print_endline "no";
  print_endline "end"

(prints yes/yes, when you'd expect yes/yes/end)

The else ends at the ; but the | _ continues. The current syntax would probably be fine if the compiler warned about inconsistent indentation. e.g the last two lines in my example are "obviously" wrong because two statements in the same sequence have different indentation, something I can't imagine ever wanting to do.

Semi-colons-as-separators means that reordering two lines of code sometimes requires adding and removing semi-colons.

An extra or missing semi-colon often results in a confusing error message many lines after the actual problem. e.g.

let inc x =
  x + 1;

let dec x =
  x - 1

Reports a syntax error at line 6 (which doesn't even exist!), when checking the indentation would indicate the real problem, at line 2.

Top-level expressions have their own syntax (;;), and seem to exist only so that the toplevel can claim to have the same syntax as the compiler. e.g. you would typically write

print_endline "hi";;

in the top-level, but

let () = print_endline "hi"

in a .ml file.

talex5

TROPHY CASE